Solution of Exercise Sheet 6
|
|
- Domenic Stewart
- 5 years ago
- Views:
Transcription
1 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following questions. Provide arguments for why your answers are correct! (3 points) (a) Consider a symmetric encryption scheme with E(k, m) = 1 for every message m and every key k. Does this scheme provide perfect secrecy? Yes, it does! Given two different messages m and m, the encryption scheme E satisfies the condition for perfect secrecy: P rc = 0 k K, c E(k, m) = 1 = P rc = 0 k K, c E(k, m ) (2 points) (b) Does DES with key-length k satisfy perfect secrecy for messages with length larger than k? In the proof of optimality of the OTP, we have seen that the keyspace needs to be at least as big as the message space in order to guarantee perfect secrecy. This implies that messages of length k + 1 cannot be encrypted by a k-bit key in a way that perfect secrecy is achieved. (2 points) (c) Alice uses the same key k to encrypt two messages m 1 and m 2 to get ciphertexts c i = E(k, m i ) = k m i. Eve later manages to learn the message m 2 in addition to both ciphertexts c 1 and c 2. Show how Eve can reconstruct m 1 with the available information. Since Eve knows m 2, she can reconstruct the key by xor-ing c 2 with m 2, i.e. c 2 m 2 = k m 2 m 2 = k. She can the retrieve the message m 1 with c 1 k = k m 1 k = m 1. (2 points) (d) Suppose you have a randomly chosen key k of length n to encrypt your messages. Unfortunately, you do not have enough to communicate and your message m 1/7
2 only has length n 2. You decide to pad your message with some additional bits. Does the resulting encryption scheme E 1 with provide perfect secrecy? E 1 (k, m) = k (01 m), m {0, 1} n 2, k {0, 1} n (Note: x y is the concatenation operator that combines the two strings x and y to one string.) E 1 does indeed provide perfect secrecy. Intuitively, as the key is chosen randomly, the last bit of E 1 is always random. The rest of E 1 is an OTP, which already provides perfect secrecy. (3 points) (e) Suppose you have a message m of length n, but you can only generate random keys of length k and l with k + l = n 1. You decide to generate two random keys and combine them with an additioanl bit. Does the resulting encryption scheme E 2 with E 2 (k 1, k 2, m) = (k 1 0 k 2 ) m, m {0, 1} n, k 1 {0, 1} k, k 2 {0, 1} l provide perfect secrecy? E 2 corresponds to an OTP where an intermediate bit of the key is fixed. Thus, the corresponding bit of the ciphertext only depends on the chosen message. For two messages m 0 and m 1 that differ in this intermediate bit the probability that some c C is the output of E 2 (k, m 0 ) is not equal to the probability that c is the output of E 2 (k, m 1 ). More specifically, c can only be the output of the encryption of a message where the last bit of c and the message are the same. A suitable counterexample for E 2 could be: m 0 = 000, m 1 = 111. For every key combined k = k 1 0 k 2, the second bit of E 2 (k, m 0 ) is 0 and the second bit of E 2 (k, m 1 ) is 1. Given a ciphertext c, e.g., c = 110, Pr c = c : k K, c = E 2 (k, m 1 ) = 0, while Pr c = c : k K, c = E 2 (k, m 1 ) = 1 2 > 0. 2 Encryption Schemes and Perfect Secrecy Consider the following encryption scheme. Let M := {0, 1} and C := {1, 2, 3} denote the set of plaintexts and ciphertexts, respectively. The key generation algorithm K randomly selects a key from {1, 2, 3}. Let the encryption algorithm E be defined by the following table: 2/7
3 m E(1, m) E(2, m) E(3, m) (5 points) (a) Give a decryption function D such that (K, E, D) constitutes a correct encryption scheme with message space M and ciphertext space C. One possible decryption function is the following: c D(1, c) D(2, c) D(3, c) 1 ( ) ( ) 3 0 ( ) 1 Notice that the entries marked with a star ( ) are not fixed by the correctness property of encryption. However, decryption is defined as a function from C to M { }, so one needs to specify these values to get a function. The distinguished error symbol is the typical choice here, however this is not enforced by the definition of a symmetric encryption scheme (see Definition 1.1 in the lecture notes), so any other value in M is also fine. (8 points) (b) Does your scheme have perfect secrecy? Explain why or give a counterexample. To prove that this scheme provides perfect secrecy, one simply checks that, for any c C, m M, the following holds: Pr c = c ; K R K, c E(K, m) = 1 K = 1 3. Since this value does not depend on m, we have that for all m 0, m 1 M and for all c C Pr c = c ; K R K, c E(K, m 0 ) = Pr c = c ; K R K, c E(K, m 1 ). As desired, this is the definition of perfect secrecy. 3 Imperfect Randomness Consider a random source that outputs bits b 1, b 2,... that are uncorrelated but biased, i.e., for all i = 1, 2,..., Pr b i = 0 = 1 Pr b i = 1 = p for some 0 < p < 1. We now use the following method to obtain unbiased bits: First, take two bits from the source. If they are identical, throw them away and take the next two bits from the source. Continue until the bits you obtain are (0, 1) or (1, 0). Output 0 in the first case and 1 in the second case. Repeat the whole process by taking two bits 3/7
4 again from the source. (3 points) (a) What is the probability that you throw away your two bits? We add the probabilities that both bits have the same value. Since Pr b = 0 = p, we get a probability of p 2 for getting 00, and a probability of (1 p) 2 for 11. (7 points) (b) Prove that the output c 1, c 2,... of the above method are unbiased coins, i.e., Pr c i = 1 = Pr c i = 0 = 1/2 for all i = 1, 2,.... (Hint: Consider the conditional probabilities Pr c = 0 method outputs a bit and Pr c = 1 method outputs a bit, where c is the output of the method above. You can find a refresher on conditional probabilities here: We calculate the probability that the algorithm, on input b 1, b 2, outputs a specific bit c. More formally, Pr c = 0 outputs a bit = Pr c = 0 b 1 b 2 = Pr c = 0 b 1 b 2 Pr b 1 b 2 = Pr b 1 = 0 b 2 = 1 Pr b 1 b 2 p(1 p) = p(1 p) + (1 p)p = 1 2. This also implies that Pr c = 1 outputs a bit = 1 2, thus the output of the above method is unbiased. 4 Perfect Secrecy for Two-time Key Use In the lecture notes we have given the definition of perfect secrecy for the case that the adversary sees the encryption of a single message: namely, for all m 0, m 1 M and for all c C, we have Pr c = c ; k K, c E(k, m 0 ) = Pr c = c ; k K, c E(k, m 1 ). (8 points) (a) Formulate a definition of perfect secrecy for the case that the adversary sees the encryption of two messages (using the same key k). (Hint: You should have messages m 0, m 1, m 0, m 1 in your definition.) 4/7
5 This is probably the toughest exercise on the sheet, so let s step through this slowly. Recall the intuition behind the definition of perfect secrecy above: For any ciphertext c that the adversary sees, the probability that this ciphertext c is the encryption of some message m 0 with a random key is equal to the probability that it is the encryption of some message m 1 with a random key (i.e., c contains any plaintext with equal likelihood.) So, to define perfect secrecy in the case the adversary sees two ciphertexts c 0 and c 1, encrypted using the same key, we would like to say this: the probability that c 0 is the encryption of some message m 0 and that c 1 is the encryption of some message m 1, with the same random key, is equal to the probability that c 0 is the encryption of some message m 0 and c 1 is the encryption of some message m 1, with the same random key (which may be different from the random key used to encrypt m 0 and m 1.) Hence, the most natural solution is the following: A cipher (E, D) provides perfect secrecy for two-time key use iff for all m 0, m 1, m 0, m 1 M and for all c 0, c 1 C the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) = P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) Intuitively, this means that no adversary can tell which two plaintexts have been encrypted, seeing the two ciphertexts. (7 points) (b) Assume your encryption scheme is deterministic, i.e. for a given message m and key k it always produces the same ciphertext c. Show that such a deterministic encryption scheme cannot satisfy your definition in part (a). (Hint: Consider the case that some messages of m 0, m 1, m 0, m 1 are equal.) Since our above definition of perfect secrecy for two-time key use must hold for all messages m 0, m 1, m 0, m 1 and all ciphertexts c 0, c 1, we only need to find one instantiation of these messages and ciphertexts for which the above definition cannot hold, in order to prove that the definition cannot be fulfilled by any encryption scheme. So, let us choose any m 0 = m 0 = m 1 m 1. Additionally, let us fix some key k and choose c 0 = c 1 = E(k, m 0 ). 5/7
6 Then, if encryption is deterministic, we will show that the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) 1 K > 0, but P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) = 0. (2) This violates the definition given in (a), and so no deterministic encryption scheme can fulfill our definition of perfect secrecy for two-time key use. Intuitively, what this means, and what we will show below, is that if the adversary sees a ciphertext c 0 = c 1, the probability that it is the encryption of a message m 0 and also the encryption of an identical message m 1 is non-zero, but the probability that it is the encryption of a message m 0 and at the same time the encryption of a different message m 1 is 0. First, consider equation (1). We know that c 0 = c 1 = E(k, m 0 ). Since m 0 = m 1, we also have that c 0 = c 1 = E(k, m 0) for a randomly chosen k. Clearly, if encryption is deterministic and k = k, we get that c 0 = c 0 c 1 = c 1. The event that k = k happens with probability 1 / K, which is why we know that the probability given in equation (1) is at least 1 / K (which is strictly greater than 0). For example, if E was the one-time pad, then the probability would be exactly 1 / K. However, in general, we can only say that it is greater or equal than 1 / K, because there are encryption schemes that produce the same ciphertext with different keys. (For example, imagine an encryption scheme where the key is one bit longer than the message, and encryption/decryption simply ignore the last bit of the key and otherwise operate like the one-time pad; this may be useless, but it shows that there exist encryption schemes where different keys map to the same ciphertext. For this particular encryption scheme, the probability given in equation (1) would be 2 / K.) Next, consider equation (2). Recall once more that c 0 = c 1 = E(k, m 0 ). We also have that c 0 = E(k, m 0 ) and c 1 = E(k, m 1 ), where m 0 m 1, for a randomly chosen k. By the correctness of the encryption scheme, we thus know that c 0 c 1, because they encrypt different messages with the same key (i.e., if encryption mapped two different messages with the same key to the same ciphertext, then decryption, which is necessarily always determinisic, could not be unambiguously defined, contradicting correctness.) We consider two cases: this case distinction is exhaustive, i.e., one of these cases always holds true. c 0 = c 0 : In this case, then since we also know that c 0 = c 1 and that c 0 c 1, we get that c 1 c 1. Hence, in this case the probability of the event c 0 = c 0 c 1 = c 1 in equation (2) is 0. (1) 6/7
7 c 0 c 0 : Actually, in this case we are already done since the probability of the event c 0 = c 0 c 1 = c 1 is obviously 0. Thus, we find that the probability given in equation (2) is 0. Finally, we see that the probabilities given in equations (1) and (2) are different, which concludes the proof. 7/7
Solution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationSolution to Midterm Examination
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More informationCLASSICAL ENCRYPTION. Mihir Bellare UCSD 1
CLASSICAL ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2 Correct decryption requirement For all K, M
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationOutline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad
Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationAttacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3
Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More information3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions
Engineering Tripos Part IIA THIRD YEAR 3F: Signals and Systems INFORMATION THEORY Examples Paper Solutions. Let the joint probability mass function of two binary random variables X and Y be given in the
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationRecommended Reading. A Brief History of Infinity The Mystery of the Aleph Everything and More
Direct Proofs Recommended Reading A Brief History of Infinity The Mystery of the Aleph Everything and More Recommended Courses Math 161: Set Theory What is a Proof? Induction and Deduction In the sciences,
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationShannon s Theory of Secrecy Systems
Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More information15 Public-Key Encryption
15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationEntropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39
Entropy Probability and Computing Presentation 22 Probability and Computing Presentation 22 Entropy 1/39 Introduction Why randomness and information are related? An event that is almost certain to occur
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More information