Perfectly-Secret Encryption
|
|
- Roger Sharp
- 5 years ago
- Views:
Transcription
1 Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1
2 Outline Definition of encryption schemes Shannon's notion of perfect secrecy Shannon's Theorems Limitions of perfect secrecy Perfect indistinguishability 2
3 Symmetric-ey encryption scheme An encryption scheme consists of three algorithms Gen, Enc, Dec and three spaces, M, C., M, C : ey space, message space, ciphertext space. ey generation algorithm Gen generates eys according to some distribution (usually uniform distribution). We write Gen. Encryption algorithm : c Enc ( m) Decryption algorithm : m : Dec ( c) Note: Gen and Enc are probabilistic algorithms, Dec is deterministic. 3
4 Note: We don't need to explicitly specify and C as they are implicitly defined by Gen and Enc, respectively. Correctness requirement: for any and mm, Dec Enc ( m) m. To use the scheme, Alice and Bob run Gen to generate a ey, and eep it secret. Question: What is the security requirement? 4
5 Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bit b {0,1}. Let Enc ( m) ( m 5 b)mod 26. ( m ) mod 26 with probability 1 2 I.e., Enc ( m) ( m 5) mod 26 with probability 1 2 Decryption:? 5
6 The notion of security Consider a ciphertext-only attac, where the adversary is an eavesdropper with a single ciphertext c Enc ( m). Adversary's possible objectives: 1. To recover the secret ey. 2. To recover the plaintext m. 3. To recover any information about m. We will adopt and formalize the last one (#3). Informally, an encryption scheme is secu re if from a ciphertext c no adversary can obtain any information about its plaintext m. 6
7 Shannon's notion of perfect secrecy Adversary: an eavesdropper with unlimited computing power and being able to see a single ciphertext. Encryption scheme: ( Gen, Enc, Dec,, M, C) Envision an experiment: Alice generates a ey Gen, pics a message M from the message space M according to some probability distribution, and obtains a ciphertext C Enc ( M). M,, C are random variables over M,, C, respectively. 7
8 Notation: Pr[ M m] probability that message m is piced. Pr[ ] probability that ey is generated by Gen. Pr[ C c] probability that c is the ciphertext. The distribution of M is a characteristic of M. The distribution of is determined by Gen. The distribution of C is induced by Enc and depends on the distributions of Mand C: Pr[ c] Pr[ m] Pr Pr Enc ( m) c C M mm, 8
9 Conditional probabilities: C c M m Enc m c Pr Pr[ ] Pr ( ) Pr M m C c Pr ( M m) ( C c) Pr C c M m Enc m c PrC c Pr ( ) ( ) ( ( ) ) M m Enc m c PrC c Pr Pr Pr ( ) ( M and and the randomness of Enc are assumed to be independent.) 9
10 Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: {0,,25}. u ( m ) mod 26 with probability 1 2 Encryption: Enc ( m) ( m5) mod 26 with probability 1 2 Assume Pr M m ( m1) 10. Enc m c Enc m c Get familiar with these: Pr ( ), Pr ( ), Enc M c C c c m m c Pr ( ), Pr, Pr, Pr C M M C 10
11 Shannon's Definition of Perfect Scerecy: An encryption scheme is perfectly secret if for every probability distribution over cc for which Lemma M, every message m M, and every ciphertext Pr C 0, it holds: M m C c M m Pr Pr 1: An encryption scheme is perfectly secret if and only if for all m, m M and c C, it holds: c PrEnc ( m) c Pr Enc ( m) c Enc m c Enc m c where Pr ( ) Pr[ ] Pr ( ). 11
12 To show a scheme not perfectly secret, it suffices to show a counterexample, i.e., to construct a distribution over M, a message such that: mm, and a ciphertext c C with Pr C c 0, M m C c M m Pr Pr Or construct two messages m, mm and a c C such that Enc m c P Enc ( m) c Pr ( ) r 12
13 Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bi t b {0,1}. Let Enc ( m) ( m 5 b)mod 26. For every mm, c C, it holds: Enc m c m b c 1 2 Pr ( c m)mod Pr ( c m 5) mod 26 Pr ( ) Pr ( 5 )mod This scheme is perfectly secret by Lemma 1. 13
14 Vernam's one-time pad encryption scheme M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n u n One-time pad: each ey is used only once. The scheme is perfectly secret (against eavesdroppers having a single ciphertext). Reasons: n Enc m c m c m, c 0,1, Enc ( m) c iff m c. Thus, n Pr ( ) Pr 1 2. Apply Lemma1. 14
15 If a pad is used twice M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n n If a ey is used to encrypt two messages: c : m and c: m From c and c, the adversary can tell something about the messages: m m c c. The scheme is not secure against eavesdroppers with multiple ciphertexts. 15
16 If a pad is used twice We may regard the scheme as having 0,1 and M C 2 0,1, with encryption algorithm: Enc ( m) m ( ). It is not perfectly secret since n n n n n n n n Pr M 0 0 C Pr M for the uniform distribution over M. 16
17 One-time pad for messages of varying length M C 0,1 0,1, n fixed. n 0,1. ey generation: 0,1. Encryption: c : E ( m) : m n u where if m 0,1 then only the first bit of is used. Questio n: Is this scheme perfectly secret? n 17
18 Shannon's Theorems Theorem 1: [a necessary condition for perfect secrecy] If an encryption scheme is perfectly secrect, then M. n l Thus, if M {0,1} and {0,1}, then n l, i.e., eys mus t be at least as long as messages. Theorem 2: When M C, the encryption scheme is perfectly secret if and only if both of the following hold: Every ey is generated by Gen with equal probability 1 ; For every m M and c C, there is a unique such that Enc ( m) c. (Encrypting a message m with different eys will yield different ciphertexts c.) 18
19 Proof of M (Theorem 1) Consider the uniform distribution over M. Let c be any ciphertext such that Pr C c 0. Let M ( c) Dec ( c) :, the set of all messages that may be encrypted to c with non-zero probability. Clearly, M ( c). If M ( c) M m C c M m M, then there is a message mm M ( c) for which Pr 0 Pr, contradicting the assumption of perfect secrecy. Hence, M ( c) M, and thus M ( c). 19
20 Proof of Theorem 2 Observation: M C Enc is deterministic. Sufficiency: The two conditions hold For every m M and c C, Pr Enc ( m) c 1 For all m, m M and c C, r Enc ( m ) c Pr Enc ( m) c P Perfect secrecy (by Lemma 1). 20
21 Necessity: Assume M C and perfect secrecy. Consider any arbitrary (but fixed) cc. Let ( m) : Enc ( m) c, the set of all eys encryping m to c. Note: ( m) ( m) if m m. There is an m M with Pr Enc ( m) c 0, since M C. By Lemma 1, Pr Enc ( m) c 0 for every m M. Thus, ( m) 1 for every mm. This, together with M, implies m ( ) 1. Let m be the unique ey in ( m) that encrypts m to c. Enc m c m Then, Pr ( ) Pr. Since Pr Enc ( m) c Pr Enc ( m ) c for all m, m M, Pr Pr 1 for all m, m M. m m 21
22 Applying Shannon's Theorem With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret. It is easy to design another perfectly secret encryption scheme. For example, tae Caesar s shift cipher: M C {0, 1,..., 25} { a, b,..., z}. ey generation:. Encryption: E ( m) ( m ) mod 26 u Caesar s shift cipher is perfectly secret if it is used to encrypt only one letter. 22
23 Is it perfectly secret? Suppose we use Caesar s shift cipher to encrypt a message (any sequence of letters), but uniformly randomly generate a new ey for each letter. * * Thus, M C {0, 1,..., 25} { a, b,..., z}. To encrypt a message m m m m : Generate a ey, with for each i. t i u Let Enc ( m) c c c, where c ( m ) mod t i i i t Each plaintext letter entire message. m i is perfectly protected, but not the 23
24 Limitations of Perfect Secrecy To achieve perfect secrecy: l n eys must be as long as messages (if {0,1} and M {0,1} ); a new ey must be generated for each message. It is desired to use a short ey to encrypt multiple messages. To this end, we need to relax the security requirement. Unfortunately, it is hard to relax the conditions of perfect secrecy. W e will define a different notion of security that is equivalent to perfect secrecy and can be easily relaxed. 24
25 Perfect Indistinguishability Experiment Priv A eav, Imagine an experiment on an encryption scheme : The adversary A chooses two messages m, m M, not necessarily of the same length. 0 1 Bob generates a ey Gen and a bit b {0,1}. He computes and gives the ciphertext c Enc ( m ) to A. ( c is called the challenge ciphertext.) A outputs a bit b, triying to tell whether c is the encryption of m or m. 0 1 The output, Priv (i.e., A succeed s.) eav A,, of the experiment is 1 iff b b u b 25
26 Definition of Perfect Indistinguishability Encryption scheme: ( Gen, Enc, Dec) with message space M. Adversary: an eavesdropper with unlimited computing power. We model the adversary as a probabilistic algorithm A that on input m, m M and c C outputs a bit b{0,1}. 0 1 An encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, eav A, eav 1 Pr Priv A, ( m0, m1 ) 1 2 or, equivalently, for every A and every two m, m M, Pr Priv ( m, m )
27 eav Some authors write Pr Priv A, ( m0, m1 ) 1 as Pr A m0, m1, Enc ( mb ) b : bu {0,1}, Gen where A m, m, Enc ( m ) indicate the output of input m, m, Enc ( m ). b b A on Thus, an encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, 0 1 Pr A m0, m1, Enc ( mb ) b : b u {0,1}, Gen or, equivalently, Pr A m0, m1, Enc ( m0 ) 1: Gen Pr A m0, m1, Enc ( m1 ) 1: Gen
28 Remar eav Pr Priv A, ( m0, m1 ) 1 b{0,1} = Pr A m0, m1, E( mb) b : b{0,1}, cc {0, 1}, Gen = Pr[ b] Pr[ ] Pr A m0, m1, Enc( mb) b b Enc ( m ) c A, = Pr[ b] Pr[ ] Pr b Pr m0, m1 c b b{0,1} cc ( ),, = Pr[ b] Pr Enc mb c Pr A m0 m1 c b u 0, 1, mb = output of on i 0 1 A m m Enc ( ) A nput m, m, Enc ( m ). b 28
29 Equivalence of perfect secrecy and perfect indistinguishability Theorem: An encryption scheme is perfectly secret if and only if it is perfectly indistinguishable. 29
30 Perfect secrecy perfect indistinguishability If the encryption scheme is perfectly secret, then Pr Enc ( m ) c Pr Enc ( m ) c for all m, m M, c C eav Pr Priv A, ( m0, m1 ) 1 Pr A wins i0,1; cc cc i0,1 Pr b i, Enc ( m ) c, A( m, m, c) i i b i Enc m c A m m c i 0 1 Pr Pr ( ) Pr (,, ) i Pr Enc( m0 ) c Pr A( m0, m1, c) i 2 cc i0,1 2 30
31 Perfect secrecy perfect indistinguishability If not perfectly secret, then there exist m, m M such that 0 1 * * * Pr Enc( m0) c Pr Enc( m1) c for some ciphertext c C. Define an adversary A as follows. A chooses the above two messages m, m. 0 1 On a given challenge ciphertext c, Enc m0 c Enc m1 c 0 if Pr ( ) Pr ( ) A( m0, m1, c) 1 if Pr Enc( m0 ) c Pr Enc( m1 ) c b u 0,1 otherwise It can be verified that A succeeds with probability >1 2. The scheme is not perfectly indistinguisha ble. 31
Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationSolution of Exercise Sheet 6
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationCircuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.
Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationShannon s Theory of Secrecy Systems
Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationa Course in Cryptography rafael pass abhi shelat
a Course in Cryptography rafael pass abhi shelat LECTURE NOTES 2007 c 2007 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Contents Contents List
More information3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions
Engineering Tripos Part IIA THIRD YEAR 3F: Signals and Systems INFORMATION THEORY Examples Paper Solutions. Let the joint probability mass function of two binary random variables X and Y be given in the
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCryptography CS 555. Topic 4: Computational Security
Cryptography CS 555 Topic 4: Computational Security 1 Recap Perfect Secrecy, One-time-Pads Theorem: If (Gen,Enc,Dec) is a perfectly secret encryption scheme then KK M 2 What if we want to send a longer
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes
Lecture 30: Hybrid Encryption and Prime Number Generation Recall: ElGamal Encryption I We begin by recalling the ElGamal Public-key Encryption Recall that to describe a private-key encryption scheme we
More informationThe Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )
A Better Cipher The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and ) To the first letter, add 1 To the second letter, add 14 To the third
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationOutline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad
Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides
More information... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.
Assignment 3 - Cryptography Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc. Deutsche Telekom Chair of Mobile Business & Multilateral Security Goethe-University Frankfurt a. M.
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationSolution to Midterm Examination
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLecture 8 - Cryptography and Information Theory
Lecture 8 - Cryptography and Information Theory Jan Bouda FI MU April 22, 2010 Jan Bouda (FI MU) Lecture 8 - Cryptography and Information Theory April 22, 2010 1 / 25 Part I Cryptosystem Jan Bouda (FI
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationand its Extension to Authenticity
EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More information