Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions
|
|
- Randolph Flynn
- 6 years ago
- Views:
Transcription
1 CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we will see that if there exists a PRG G : {0, 1} n {0, 1} n+1, then we can construct a new PRG F : {0, 1} n {0, 1} n+l, where l is polynomial in n. Construction 1 We construct the new PRG F as follows. (a) Input: S 0 is the input of F, and S 0 $ {0, 1} n. (b) i [l] = {1, 2,, l}, (σ i, S i ) := G(S i 1 ), where σ i {0, 1}, S i {0, 1} n. (c) Output: σ 1 σ 2 σ l S l. Theorem 2 The F described above is a PRG. Proof. We prove this by hybrid argument. Define the hybrid H i as follows. (a) Input: σ 1, σ 2,, σ i $ {0, 1}, Si $ {0, 1} n. (b) j {i + 1, i + 2,, l}, (σ j, S j ) := G(S j 1 ), where σ j {0, 1}, S j {0, 1} n. (c) Output: σ 1 σ 2 σ l S l. Note that H 0 F, and H l U n+l. Assume for the purpose of contradiction that we have a non-uniform PPT adversary A that can distinguish H 0 form H l. Define ɛ i := Pr[A(H i ) = 1] for i = 0, 1,, l. Then there exists a non-negligible function v(n) such that ɛ 0 ɛ l v(n). Since ɛ 0 ɛ 1 + ɛ 1 ɛ ɛ l 1 ɛ l ɛ 0 ɛ l v(n), we know that there exists k {0, 1,, l 1} such that ɛ k ɛ k+1 v(n). l l is polynomial in n, so v(n) l is also a non-negligible function. That is to say, A can distinguish H k from H k+1. Then we will construct an adversary R that can distinguish U n+1 from G(U n ) (which leads to a contradiction): For an input T {0, 1} n+1, T could be either from U n+1 or G(U n ). We define R(T ) := A(H k+1 (σ 1,, σ k, T )), where σ 1, σ 2,, σ k $ {0, 1}. Firstly, since A and G are both PPT computable, R is also PPT computable. Further, we have 5-1
2 Thus if T is from G(U n ), then H k+1 (σ 1,, σ k, T ) is from H k ; if T is from U n+1, then H k+1 (σ 1,, σ k, T ) is from H k+1. Pr[B(G(U n )) = 1] Pr[B(U n+1 ) = 1] = Pr[A(H k ) = 1] Pr[A(H k+1 ) = 1] = ɛ k ɛ k+1 v(n), l which means R is a non-uniform PPT computable adversary to G. Contradiction to the fact that G is PRG. 2 PRG from OWP (One-Way Permutations) In this section we will show how to construct pseudorandom generators under the assumption that one-way permutations exist. Construction 3 Let f : {0, 1} n {0, 1} n be a OWP. We construct G : {0, 1} 2n {0, 1} 2n+1 as G(x, r) = f(x) r B(x, r), where x, r {0, 1} n, and B(x, r) defines a hard core bit. Note that the hard core bit always exists because we know from previous classes that ( n ) b(x, r) = x i r i mod 2 is a hard core bit. i=1 Theorem 4 The G constructed above is a PRG. Proof. Assume for the purpose of contradiction that G is not PRG. We construct three ensembles of probability distributions: H 0 := G(U 2n ) = f(x) r B(x, r), where x, r $ {0, 1} n ; H 1 := f(x) r σ, where x, r $ {0, 1} n, σ $ {0, 1}; H 2 := U 2n+1. Since f is a permutation, H 1 is uniformly distributed in {0, 1} 2n+1, i.e., H 1 H 2. G is not PRG implies that there exists a non-uniform PPT adversary A that can distinguish H 0 from H 2. And since H 1 H 2, A can distinguish H 0 from H 1, that is, there exists a non-negligible function v(n) satisfying Pr[A(H 0 ) = 1] Pr[A(H 1 ) = 1] v(n). 5-2
3 Next we will construct an adversary R that can predict the hard core bit (which leads to a contradiction). Define a new ensemble of probability distribution Then we have H 1 = f(x) r (1 B(x, r)), where x, r $ {0, 1} n. Pr[A(H 1 ) = 1] = Pr[σ = B(x, r)] Pr[A(H 0 ) = 1] + Pr[σ = 1 B(x, r)] Pr[A(H 1) = 1] = 1 2 Pr[A(H 0) = 1] Pr[A(H 1) = 1], Pr[A(H 1 ) = 1] Pr[A(H 0 ) = 1] = 1 2 Pr[A(H 1) = 1] 1 2 Pr[A(H 0) = 1], 1 Pr[A(H 0 ) = 1] Pr[A(H 2 1) = 1] = Pr[A(H 1 ) = 1] Pr[A(H 0 ) = 1] v(n), Pr[A(H 0 ) = 1] Pr[A(H 1) = 1] 2v(n). Without loss of generality, we assume that Then we define R(f(x), r) as follows: where σ $ {0, 1}. Then we have Pr[A(H 0 ) = 1] Pr[A(H 1) = 1] 2v(n). R(f(x), r) := Pr[R(f(x), r) = B(x, r)] { σ, if A(f(x), r, σ) = 1 1 σ, if A(f(x), r, σ) = 0, = Pr[σ = B(x, r)] Pr[A(f(x), r, σ) = 1 σ = B(x, r)]+ Pr[σ = 1 B(x, r)] Pr[A(f(x), r, σ) = 0 σ = 1 B(x, r)]+ = 1 ( ) Pr[A(f(x), r, B(x, r)) = 1] + 1 Pr[A(f(x), r, 1 B(x, r)) = 1] 2 = ( Pr[A(H0 ) = 1] Pr[A(H 2 1) = 1] ) v(n). Thus B(x, r) is not a hard core bit, which leads to a contradiction. 3 PRF (Pseudo-Random Functions) from PRG In this section, we will first define pseudo-random functions, and then show that we can construct a pseudo-random function if we have a pseudo-random generator. Considering the set of all functions f : {0, 1} n {0, 1} n, there are (2 n ) 2n of them. And to describe a random function in this set, we need n 2 n bits. Intuitively, a pseudo-random function is one that cannot be distinguished from a random one, but we might need much fewer bits to describe it, e.g., polynomial in n. Nota bene, we restrict the distinguisher in such a way that it is only allowed to ask the function poly(n) times and decide whether it s random or pseudo-random. 5-3
4 3.1 Definitions Definition 1 A function ensemble is a sequence of Random Variables F 1, F 2,, F n, denoted as {F n } n N such that F n assumes values in the set of functions mapping n-bit input to n-bit output. Note that we will denote a random function ensemble by {R n } n N. Definition 2 A function ensemble is called efficiently computable if (a) Succinct: a PPT algorithm I and a mapping φ from strings to functions such that φ(i(1 n )) and F n are identically distributed. Note that we can view I as the description of the function. (b) Efficient: a poly-time machine V such that V (i, x) = f i (x) for every x {0, 1} n, where i is in the range of I(1 n ), and f i = φ(i). Definition 3 A function ensemble F = {F n } n N is pseudo-random if for every non-uniform PPT oracle adversary A, there exists a negligible function ɛ(n) such that Pr[A Fn (1 n ) = 1] Pr[A Rn (1 n ) = 1] ɛ(n). Here by saying oracle we mean that A has oracle access to a function (in our definition, the function is F n or R n ), and each call to that function costs 1 unit of time. Note that we will only consider efficiently computable pseudo-random ensembles in the following parts. 3.2 Construction of PRF from PRG Now we are ready to present the construction of pseudo-random functions from pseudo-random generators. Construction 5 Assume there exists a PRG G : {0, 1} n {0, 1} 2n, let G 0 (x) be the first n bits of G(x), G 1 (x) be the last n bits of G(x). We construct F i : {0, 1} n {0, 1} n as F i (x) = F i (x 1 x 2 x n ) := G xn (G xn 1 ( (G x1 (i)) )). Here i is an n-bit string, which is the seed of the pseudo-random function. The construction can be viewed as a full binary tree of depth n, as shown in Figure 1. Claim 6 The function ensemble constructed above is pseudo-random. Proof. Assume for the purpose of contradiction that {F n } n N is not PRG. Then there exists a non-uniform PPT oracle adversary A that can distinguish {F n } from {R n }. We use hybrid argument. Define H i (i = 0, 1,, n) in the following way: Let H i be a full binary tree of depth n where the nodes of levels 0 to i are truly random values, and the levels i + 1 to n are constructed by G 0 and G 1. Then we have H 0 F n and H n R n. Since A that can distinguish H 0 from H n, by hybrid argument, there exists j {0, 1,, n 1} such that A can distinguish H j from H j
5 Figure 1: view the construction as a binary tree Next, we need to use hybrid argument again. Note that A is PPT, so there are only poly(n) nodes in the j th level of the tree that have been visited by A. Denote all the nodes by v 1, v 2,, v t, where t = poly(n). We construct H j,i (i = 0, 1,, t) as follows: Let H j,i be a full binary tree of depth n where the nodes of levels 0 to j are random, the sons of nodes v 1, v 2,, v i are random, and all the rest nodes are constructed by G 0 and G 1. We have H j,0 H j. Further, H j,t and H j+1 are equivalent for A since the different nodes between H j,t and H j+1 are not visited by A. Thus, A that can distinguish H j,0 from H j,t. By hybrid argument, there exists k {0, 1,, t 1} such that A can distinguish H j,k from H j,k+1. Now we are ready to construct an adversary B : {0, 1} 2n {0, 1} where the input T could be either from U 2n or G(U n ): Construct a full binary tree of depth n where the nodes of levels 0 to j are random, the sons of nodes v 1, v 2,, v k are random, the left son of node v k+1 is the first n bits of T, the right son of node v k+1 is the last n bits of T, and all the rest nodes are constructed by G 0 and G 1. Take this binary tree as the input of A, then we have if T is from U 2n, then A s input is from H j,k+1 ; if T is from G(U n ), then A s input is from H j,k. Since A can distinguish H j,k from H j,k+1, A can distinguish from U 2n and G(U n ). Contradiction to the fact that G is a PRG. 3.3 Application Consider an interesting game: Alice and Bob are talking on the phone. Alice flips a coin, and Bob guesses whether it s head or tail. But the problem is how can Alice convince Bob that the coin is indeed head or tail? If we have pseudo-random functions, the problem could be easily solved. Assume we have a PRF F n : {0, 1} n {0, 1} n. Alice and Bob have a shared key i {0, 1} n, then f i ( ) is shared information. Now Alice has a message m {0, 1} n and wants to let Bob guess it, the procedure consists of three steps. 5-5
6 (a) Alice chooses a string r {0, 1} n, and sends to Bob m = f i (r) m ; (b) Bob guesses m; (c) Alice sends r to Bob. In step (a), since F n is PRF, all the information that Bob gets is a random n-bit string, so it will not influence his behavior in step (b). Then in step (c), Bob receives r and will be convinced that the true value of m is f i (r) m. 5-6
Lecture 7: Pseudo Random Generators
Introduction to ryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example,
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationLecture 7: Hard-core Predicate and PRG
CS 290G (Fall 2014) Introduction to Cryptography Oct 28th, 2014 Instructor: Rachel Lin 1 Recap Lecture 7: Hard-core Predicate and PRG 1.1 Computational Indistiguishability Scribe: Leonardo Bohac Last time,
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF)
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationWe begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.
CS276: Cryptography September 16, 2015 PRGs ) PRFs, Pseudorandom Permutations, and Feistel Permutations Instructor: Alessandro Chiesa Scribe: Brian Gluzman 1 Introduction Today we will constuct PRFs (Pseudorandom
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationPseudorandom functions and permutations
Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationPseudorandom Generators
CS276: Cryptography September 8, 2015 Pseudorandom Generators Instructor: Alessandro Chiesa Scribe: Tobias Boelter Context and Summary In the last lecture we have had a loo at the universal one-way function,
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationLecture 4 - Computational Indistinguishability, Pseudorandom Generators
Lecture 4 - Computational Indistinguishability, Pseudorandom Generators Boaz Barak September 27, 2007 Computational Indistinguishability Recall that we defined that statistical distance of two distributions
More informationLecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability
Indistinguishability Consider two distributions X and Y over the sample space Ω. The distributions X and Y are ε-indistinguishable from each other if: For all algorithms A: Ω {0, 1} the following holds
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationComputational hardness. Feb 2 abhi shelat
L4 6501 Computational hardness Feb 2 abhi shelat Eve Alice Bob Eve Alice Bob k Gen k Eve Alice Bob c=enck(mi) k Gen k Eve c Alice Bob c=enck(mi) k Gen k Eve c Alice c=enck(mi) Bob m=deck(c) k Gen k Eve
More information: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8
0368.4170: Cryptography and Game Theory Ran Canetti and Alon Rosen Lecture 8 December 9, 2009 Scribe: Naama Ben-Aroya Last Week 2 player zero-sum games (min-max) Mixed NE (existence, complexity) ɛ-ne Correlated
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 26: Arthur-Merlin Games
CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationExtracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.
106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2
More informationLecture 5. Lecturer: Yevgeniy Dodis Spring 2012
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Ferbruary 22, 2012 Lecture 5 Lecturer: Yevgeniy Dodis Spring 2012 In this lecture we formalize our understanding of next-bit security and
More informationLecture 8: Computational Indistinguishability and Pseudorandomness
COM S 6830 Cryptography Tuesday, September 22, 2009 Lecture 8: Computational Indistinguishability and Instructor: Rafael Pass Pseudorandomness Scribe: Chin Isradisaikul In this lecture we introduce the
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationCS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5
UC Berkeley Handout N5 CS94: Pseudorandomness and Combinatorial Constructions September 3, 005 Professor Luca Trevisan Scribe: Gatis Midrijanis Notes for Lecture 5 In the few lectures we are going to look
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationCS151 Complexity Theory. Lecture 14 May 17, 2017
CS151 Complexity Theory Lecture 14 May 17, 2017 IP = PSPACE Theorem: (Shamir) IP = PSPACE Note: IP PSPACE enumerate all possible interactions, explicitly calculate acceptance probability interaction extremely
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More information: On the P vs. BPP problem. 18/12/16 Lecture 10
03684155: On the P vs. BPP problem. 18/12/16 Lecture 10 Natural proofs Amnon Ta-Shma and Dean Doron 1 Natural proofs The ultimate goal we have is separating classes (or proving they are equal if they are).
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationPseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationTheoretical Cryptography, Lectures 18-20
Theoretical Cryptography, Lectures 18-20 Instructor: Manuel Blum Scribes: Ryan Williams and Yinmeng Zhang March 29, 2006 1 Content of the Lectures These lectures will cover how someone can prove in zero-knowledge
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationCS Communication Complexity: Applications and New Directions
CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationCS120, Quantum Cryptography, Fall 2016
CS10, Quantum Cryptography, Fall 016 Homework # due: 10:9AM, October 18th, 016 Ground rules: Your homework should be submitted to the marked bins that will be by Annenberg 41. Please format your solutions
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationLecture 23: Alternation vs. Counting
CS 710: Complexity Theory 4/13/010 Lecture 3: Alternation vs. Counting Instructor: Dieter van Melkebeek Scribe: Jeff Kinne & Mushfeq Khan We introduced counting complexity classes in the previous lecture
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationLast time, we described a pseudorandom generator that stretched its truly random input by one. If f is ( 1 2
CMPT 881: Pseudorandomness Prof. Valentine Kabanets Lecture 20: N W Pseudorandom Generator November 25, 2004 Scribe: Ladan A. Mahabadi 1 Introduction In this last lecture of the course, we ll discuss the
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction
More informationGeneric Case Complexity and One-Way Functions
Groups-Complexity-Cryptology Volume 1 2009), No. 1, 13 31 Generic Case Complexity and One-Way Functions Alex D. Myasnikov Department of Mathematical Sciences, Stevens Institute of Technology, Hoboken,
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More information1 From previous lectures
CS 810: Introduction to Complexity Theory 9/18/2003 Lecture 11: P/poly, Sparse Sets, and Mahaney s Theorem Instructor: Jin-Yi Cai Scribe: Aparna Das, Scott Diehl, Giordano Fusco 1 From previous lectures
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationLecture 4 : Quest for Structure in Counting Problems
CS6840: Advanced Complexity Theory Jan 10, 2012 Lecture 4 : Quest for Structure in Counting Problems Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K. Theme: Between P and PSPACE. Lecture Plan:Counting problems
More informationNotes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators
UC Bereley Handout N7 CS294: Pseudorandomness and Combinatorial Constructions September 20, 2005 Professor Luca Trevisan Scribe: Constantinos Dasalais Notes for Lecture 7 1 Increasing the Stretch of Pseudorandom
More informationLecture 4: Computationally secure cryptography
CS 7880 Graduate Cryptography September 18, 017 Lecture 4: Computationally secure cryptography Lecturer: Daniel Wichs Scribe: Lucianna Kiffer 1 Topic Covered ε-security Computationally secure cryptography
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 25, 2017 CPSC 467, Lecture 15 1/31 Primitive Roots Properties of primitive roots Lucas test Special form primes Functions
More informationProvable Security for Program Obfuscation
for Program Obfuscation Black-box Mathematics & Mechanics Faculty Saint Petersburg State University Spring 2005 SETLab Outline 1 Black-box Outline 1 2 Black-box Outline Black-box 1 2 3 Black-box Perfect
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationIntroduction to Interactive Proofs & The Sumcheck Protocol
CS294: Probabilistically Checkable and Interactive Proofs January 19, 2017 Introduction to Interactive Proofs & The Sumcheck Protocol Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Pratyush Mishra
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationLecture 10: Learning DNF, AC 0, Juntas. 1 Learning DNF in Almost Polynomial Time
Analysis of Boolean Functions (CMU 8-859S, Spring 2007) Lecture 0: Learning DNF, AC 0, Juntas Feb 5, 2007 Lecturer: Ryan O Donnell Scribe: Elaine Shi Learning DNF in Almost Polynomial Time From previous
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More information1 Randomized Computation
CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at
More informationSimple Unpredictable Pseudo-Random Number Generator
Simple Unpredictable Pseudo-Random Number Generator The 1/P Generator R. Ashworth & H. Imanda University of Oxford 1/18 Definition Let l be a polynomial. We say that a deterministic polynomial-time algorithm
More information