Pseudorandom functions and permutations
|
|
- Gwenda Carpenter
- 6 years ago
- Views:
Transcription
1 Introduction Pseudorandom functions and permutations I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs are enormously useful for cryptography But they are also useful for several algorithmic applications We ll show two equivalent characterizations of PRFs, and give a construction of a PRF from a secure PRG (Thus we will have that if OWFs exist, then PRFs exist Notations PRFs: Statistical Test formulation A collection of functions is a set {ƒ s } s {0,1}* where each ƒ s :{0,1} p( s {0,1} q( s, for polynomials p(, q( ƒ is efficiently computable if there exists a PPT F such that F(s,x = ƒ s (x for all s, x {0,1} p( s We denote by F p,q the set of all functions from {0,1} p {0,1} q Given a PRG G: {0,1} k {0,1} 2k we define G 0, G 1 : {0,1} k {0,1} k so that G(x = G 0 (x,g 1 (x An efficiently computable collection ƒ s is statistical-test pseudorandom if for every probabilistic polynomial time oracle TM T, Adv(T,k = Pr[T f (1 k = 1] Pr[T g (1 k = 1] is negligible, where f denotes an oracle for ƒ s for s U k and g denotes an oracle drawn uniformly from F p(k,q(k We call Adv(T,k the advantage of T PRFs: Polynomial inference formulation Consider an experiment with t+1 stages: First, choose s U k Stage 1: A produces a query x 1 Stage j, 1<j<t+1: A is given x i,ƒ s (x i, for 0 < i < j, and produces query x j x i Stage t+1: Choose b U 1 Choose y 1-b U q(k Let y b = ƒ s (x t A is given x i, ƒ s (x i, x t,y 0 We say that PPTM A Q(k-infers ƒif Pr[A(ƒ s (x 1,,ƒ s (x t,y 0 = b] > ½ + 1/Q(k Equivalence Theorem: ƒ cannot be polynomially inferred if and only if it is statistical-test pseudorandom Proof: both directions in the contrapositive: (a if ƒ can be Q(k inferred, then there is a statistical test T which distinguishes between ƒ S and F p,q with advantage 1/Q(k (b if there is a statistical test T for ƒ that has advantage 1/Q(k and makes P(k queries then ƒ can be 2P(kQ(k inferred
2 Proof of (a Proof of (b Let A be the algorithm that Q-infers ƒ Then the oracle PPTM T AO works as follows: Stage 1: run A to get query x 1, respond with O(x 1 Stage j: Let x j = A(O(x 1 O(x j Stage t+1: Choose b U 1, let y b =O(x t, draw y 1-b U q(k If A(O(x 1 O(x t,y 0 = b, output 1, else output 0 Notice that Pr[T Ag (1 k = 1] = ½ But since A Q(k-infers ƒ, Pr[T Af (1 k =1] > ½ + 1/Q(k So T A has advantage 1/Q(k as claimed Suppose there is a statistical test T that has advantage 1/Q(k against ƒ and makes P(k (wlog, distinct oracle queries We will construct an algorithm A T that 2P(kQ(k infers ƒ Definition of A T Proof that this works: Choose j U {0,1, P(k} Stage i < j: Respond to T s query q i with ƒ s (x i ; run T until it makes query q i and return x i =q i Stage j: Respond to T s query q j with ƒ s (x i Run T to get query q j Return x j U p(k Stage i, j<i<p(k: Return x i U p( s Stage P(k: Return x P(k = q j Stage P(k+1: Run T with y 0 as O(q j Respond to additional queries from T with uniform bits, until T outputs bit b Return 1-b Consider doing an (k,j,ƒ s experiment: Run T, and on query q i, respond with: ƒ s (q i, if i < j y i U q(k otherwise Let p j (k denote the probability that T outputs 1 in an (k,j,ƒ s experiment Then p 0 (k = Pr[T g (1 k = 1] and p P(k (k = Pr[T f (1 k = 1] So we also have Σ j (p j (k p j (k = Adv(T,k Recap Then Pr[1-b = b] = Σ i Pr[j=i]Pr[1-b = b j=i] = 1/P(k Σ i Pr[1-b = b j=i] = 1/P(k Σ i (Pr[b=1 j=i] Pr[b =0 y 0 U q(k &j=i] + Pr[b=0 j=i] Pr[b =1 y 0 =ƒ s (q i &j=i] = 1/P(k Σ i (½ Pr[T outputs 0 in (k,i,ƒ s exp] +½ Pr[T outputs 1 in (k,i+1,ƒ s exp] = 1/2P(k Σ i ((1-p i (k + p i+1 (k = ½ + 1/2P(kQ(k, QED So a function family is statistical test pseudorandom iff it is polynomially uninferrable (Proof by Hybrid method! From now on, we will just say that a function family is pseudorandom if it is statistical test pseudorandom That is, a pseudorandom function family (PRF is a function family which is statistical test pseudorandom
3 Constructing PRFs from PRGs Let G:{0,1} k {0,1} 2k be a PRG Define ƒ s : {0,1} k {0,1} k by ƒ s (x 1 x 2 x k = G xk (G xk ( (G x2 (G x1 (s Theorem: ƒ s is a PRF Proof: Suppose that there is a statistical test T that makes Q(k queries and has Adv(T,k = 1/P(k We will construct a distinguisher for G with advantage 1/kQ(kP(k Proof of Theorem Define a sequence of PPTs A 0 A k A i : Let L be an associative array Run T, responding to queries (y 1 y k : If (y 1 L, let r = L(y 1 Else choose r U k and set L(y 1 = r respond with ƒ r (y i+1 y k Return output of T Notice: Pr[A 0 = 1] = Pr[T f (1 k = 1], Pr[A k = 1] = Pr[T g (1 k = 1]; E i [A i A i ] = 1/kP(k Proof, continued Properties of A T Construct adversary A T (r 1, r Q(k (r i {0,1} 2k : A T (r 1,,r Q(k = Choose i U {0, k} Let L be as in A j Set j = 0 Run T, responding to queries (y 1,,y k : If (y 1 +1 L, Let r = L(y 1 +1 Else: increment j; L(y 1 0 = Left-Half(r j ;L(y 1 1 = Right-Half(r j r = L(y 1 +1 Respond with ƒ r (y i+2 y k Return output of T Notice that Pr[A T (U 2kq(k = 1] Pr[A T (G(U kq(k ] = E i [A i -A i ] = 1/kP(k That is, if T distinguishes ƒ s from F p,q with advantage 1/P(k, A T distinguishes Q(k samples of G(U k from q(k samples of U 2k with advantage at least 1/kP(k But then A T can distinguish between a single sample of G(U k and U 2k with advantage 1/kQ(kP(k, QED Pseudorandom permutations Notation, definitions A Pseudorandom Permutation family (PRP is a PRF where every element ƒ s is a bijection on {0,1} p( s (PRPs have inverses Typically for P: {0,1} k {0,1} L(k {0,1} L(k there is an efficient algorithm to compute P K (x, given K A Strong Pseudorandom Permutation family (SPRP is a PRP which remains pseudorandom even when the adversary is given access to an oracle for P K and P K Naor and Reingold show that given a PRF ƒ s : {0,1} k {0,1} k we can construct a SPRP P ƒ on {0,1} 2k Let Π L denote the uniform distribution on permutations on {0,1} L Define the Advantage of A against permutation family P on {0,1} l(k by: Adv(A,k = Pr[A P(K, (1 k = 1] Pr[A Π l(k(1 k =1] For any function f: {0,1} k {0,1} k, define the permutation D f : {0,1} 2k by D f (l,r = (r, l f(r Note that D f is easy to compute
4 Intuition behind construction Let ƒ 1, ƒ 2 be chosen from a PRF family on {0,1} k Then P = D ƒ2 D ƒ1 is indistinguishable from a random permutation on uniformly chosen inputs There is a distinguisher for P on chosen inputs: Left-half(P(L 1,R P(L 2,R = L 1 L 2 whereas this holds with probability only 2 -n for a random permutation But if we can insure that the inputs to P, P are unique (whp, then we get what we need Construction: SPRP Let h 1,h 2 be chosen from a pairwiseindependent family of permutations on {0,1} 2k Let ƒ 1, ƒ 2 :{0,1} k {0,1} k be chosen from a PRF family Define the permutation P = h 2 D ƒ2 D ƒ1 h 1 SPRP Lemma: If ƒ 1, ƒ 2 are chosen according to F k,k, then P is statistically close to a random permutation SPRP Theorem: P is a SPRP Proof tools Proof tools, cont d Let M be a deterministic, unbounded oracle machine M makes two types of queries: (+,x: Querying G(x (-, y: Querying G (y Denote the i th query-answer pair of M by (x i,y i Wlog, assume M makes exactly m queries Denote by {(x 1,,(x m } the transcript of M with oracle G Denote by C M [{(x 1,,(x i,y j }] the deterministic function for the i th query of M, and let C M [{(x 1 (x m }] the output of M Call σ = {(x 1 (x m } a possible M transcript if for every 1< i < m, C M [{(x 1,,(x i,y i }] {(+,x i,(-,y i } Let T P be a random variable denoting the transcript of M with an oracle for P Let T Π be a random variable denoting the transcript of M with an oracle chosen from Π 2k More Proof Tools Lemma 1 Let T R be a random variable denoting transcripts from a random process which responds to M s i th query as follows: If the query is (+,x and for some j < i there is a queryanswer pair (x,y j, return y j If the query is (-,y and for some j < i there is a queryanswer pair (x j,y return x j Otherwise, return a uniformly chosen 2k-bit string T R might contain responses inconsistent with a permutation: Call a possible M-transcript σ = {(x 1, (x m } inconsistent if for some 1 < j < i < m, x i =x j and y i y j or y i =y j and x i x j Pr[C M (T R = 1] Pr[C M (T Π = 1] m 2 /2 2k+1 Proof: Pr[T R = σ T R is consistent] = Pr[T Π =σ] (because a consistent transcript is a permutation, and T R chooses uniformly from transcripts So Pr[C M (T R = 1] Pr[C M (T Π = 1] Pr[T R is inconsistent] Pr[T R is inconsistent] Σ i,j Pr[x i =x j and y i y j or y i =y j and x i x j ] = (m(m/22-2k m 2 /2 2k+1
5 BAD set Lemma 2 proof For a fixed h 1,h 2, define the set BAD(h 1,h 2 to be the set of possible and consistent M- transcripts {(x 1,,(x m } such that: There exist i<j with h 1 (x i R = h 1 (x j R OR There exist i<j with h 2 (y i L = h 2 (y j L Lemma 2 Fix a possible, consistent M- transcript σ Then Pr h1,h2 [σ BAD(h 1,h 2 ] < m 2 /2 k σ BAD(h 1,h 2 if there exist i < j with h 1 (x i R = h 2 (x j R (R i,j or h 2 (y i L = h 2 (y j L (L i,j So Pr[σ BAD(h 1,h 2 ] Σ i<j (Pr[R i,j ] + Pr[L i,j ] Σ i<j (2 -k +2 -k <m 2 /2 k, QED Key Lemma Lemma Proof, Cont d Lemma 3: Let σ = {(x 1,,(x m } be possible and consistent Then Pr[T P = σ σ BAD(h 1,h 2 ] = Pr[T R = σ] Proof: Given σ is consistent, Pr[T R = σ] = 2-2km But suppose σ BAD(h 1,h 2 Then for the i th queryanswer pair, y i = P(x i exactly when: h 1 (x i = (L i0,r i0, L i2 = L i0 ƒ 1 (R i0, R i2 = R i 0 ƒ 2 (L i2, and L i2,r i2 = h 2 (y i ie, when ƒ 1 (R i0 = L i0 L i2, and ƒ 2 (L i2 = R i0 R i 2 We get y i = P(x i when ƒ 1 (R i0 = L i0 L i2, and ƒ 2 (L i2 = R i0 R i2 But since we never have L i2 = L j2 or R i0 =R j 0 (otherwise σ is bad, these probabilities are independent And since ƒ 1,ƒ 2 are chosen randomly we get that Pr[T P = σ σ BAD(h 1,h 2 ] = 2-2km, QED SPRP Lemma: Proof SPRP Theorem: Proof SPRP Lemma: if ƒ 1,ƒ 2 F k,k then for any oracle adversary M which makes at most m queries, Pr[M P (1 k = 1] Pr[M Π 2k(1 k = 1] m 2 /2 2k+1 +m 2 /2 k Proof: composition of previous three lemmas SPRP Theorem: If ƒ 1,ƒ 2 ƒ s, where ƒ s is a PRF, then P is a SPRP Proof: Assume not Let M be an efficient oracle machine distinguishing P from a randomly chosen permutation Consider the hybrid distribution H where ƒ 1 F k,k, and ƒ 2 ƒ s Recall Pr[M P =1] Pr[M Π =1] > 1/poly(k
6 SPRP proof Then we must have either: (a Pr[M P =1] Pr[M H =1] > 1/poly; OR (b Pr[M H =1] Pr[M Π =1] > 1/poly This gives a statistical test against ƒ s : run M, answering queries using P with either : (a a random function; or (b a pseudrandom function for ƒ 1, and the function oracle for ƒ 2 Then in either case, we distinguish ƒ s with the same gap as M in distinguishing H from P or Π
Homework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationLecture 5: Pseudo-Random Generators and Pseudo-Random Functions
CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF)
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationWe begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.
CS276: Cryptography September 16, 2015 PRGs ) PRFs, Pseudorandom Permutations, and Feistel Permutations Instructor: Alessandro Chiesa Scribe: Brian Gluzman 1 Introduction Today we will constuct PRFs (Pseudorandom
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationFoundation of Cryptography ( ), Lecture 1
Foundation of Cryptography (0368-4162-01), Lecture 1 Iftach Haitner, Tel Aviv University November 1-8, 2011 Section 1 Notation Notation I For t N, let [t] := {1,..., t}. Given a string x {0, 1} and 0 i
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More information: On the P vs. BPP problem. 18/12/16 Lecture 10
03684155: On the P vs. BPP problem. 18/12/16 Lecture 10 Natural proofs Amnon Ta-Shma and Dean Doron 1 Natural proofs The ultimate goal we have is separating classes (or proving they are equal if they are).
More informationLecture 7: Pseudo Random Generators
Introduction to ryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example,
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationLecture 7: Hard-core Predicate and PRG
CS 290G (Fall 2014) Introduction to Cryptography Oct 28th, 2014 Instructor: Rachel Lin 1 Recap Lecture 7: Hard-core Predicate and PRG 1.1 Computational Indistiguishability Scribe: Leonardo Bohac Last time,
More informationOn the Fourier spectrum of symmetric Boolean functions
On the Fourier spectrum of symmetric Boolean functions Amir Shpilka Technion and MSR NE Based on joint work with Avishay Tal 1 Theme: Analysis of Boolean functions Pick favorite representation: Fourier
More informationLecture 5. Lecturer: Yevgeniy Dodis Spring 2012
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Ferbruary 22, 2012 Lecture 5 Lecturer: Yevgeniy Dodis Spring 2012 In this lecture we formalize our understanding of next-bit security and
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationNon-Interactive Zero Knowledge (II)
Non-Interactive Zero Knowledge (II) CS 601.442/642 Modern Cryptography Fall 2017 S 601.442/642 Modern CryptographyNon-Interactive Zero Knowledge (II) Fall 2017 1 / 18 NIZKs for NP: Roadmap Last-time: Transformation
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationPseudorandom Generators
CS276: Cryptography September 8, 2015 Pseudorandom Generators Instructor: Alessandro Chiesa Scribe: Tobias Boelter Context and Summary In the last lecture we have had a loo at the universal one-way function,
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability
Indistinguishability Consider two distributions X and Y over the sample space Ω. The distributions X and Y are ε-indistinguishable from each other if: For all algorithms A: Ω {0, 1} the following holds
More informationConstructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs
Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationEliminating Random Permutation Oracles in the Even-Mansour Cipher
Eliminating Random Permutation Oracles in the Even-Mansour Cipher Craig Gentry and Zulfikar Ramzan DoCoMo Communications Laboratories USA, Inc. {cgentry, ramzan}@docomolabs-usa.com Abstract. Even and Mansour
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 10: Learning DNF, AC 0, Juntas. 1 Learning DNF in Almost Polynomial Time
Analysis of Boolean Functions (CMU 8-859S, Spring 2007) Lecture 0: Learning DNF, AC 0, Juntas Feb 5, 2007 Lecturer: Ryan O Donnell Scribe: Elaine Shi Learning DNF in Almost Polynomial Time From previous
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information1 Randomized Computation
CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at
More informationAdaptively Secure Puncturable Pseudorandom Functions in the Standard Model
Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationQ B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h
MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More information