and its Extension to Authenticity
|
|
- Ursula Nash
- 5 years ago
- Views:
Transcription
1 EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of Denmar Trondhjemsgade 3, 2TH DK-2100 Copenhagen East JamesMassey@compuserve.com 1
2 Cryptology ( hidden word ) Cryptography (code maing) Cryptanalysis (code breaing) The good guys The bad guys 2
3 Goals of cryptography Secrecy Authenticity Xuejia Lai has given a useful razor for deciding whether something is a matter of secrecy or a matter of authenticity. 3
4 Secrecy - concerned with who has access to (or can read) a legitimate message. Secrecy deals with safeguarding the future by ensuring that only authorized recipients will be able to gain access to (or read) a legitimate message. 4
5 Authenticity - concerned with who can create (or write) a legitimate message. Authenticity deals with protecting the past by ensuring that the creator (or author) was entitled to create (or write) the message ensuring that the contents of the message have not been altered 5
6 A secrecy scheme: The Caesar Cipher Y X Z 0 1 A B C Arithmetic on a CIRCLE (Modulo 26 arithmetic) Encrypt = Add 3 (move clocwise 3 places) Decrypt = Subtract 3 (move counterclocwise 3 places) SECRET KEY = 3 C A E S A R F D H V D U plaintext ciphertext M A S S E Y D V V H B plaintext ciphertext 6
7 Today we use a SMALLER CIRCLE! 1 0 Arithmetic on this CIRCLE (Modulo 2 arithmetic) Encrypt = Add (move clocwise) Decrypt = Subtract (move counterclocwise) = (move clocwise) Decrypt = Encrypt and a LONGER SECRET KEY! plaintext secret ey ciphertext 7
8 Everybody lies to mae secret codes! 8
9 hotograph of Shannon at home in (from the New Yor Times Magazine, 30 December 2001) 9
10 As a first step in the mathematical analysis of cryptography, it is necessary to idealize the situation suitably, and to define in a mathematically acceptable way what we shall mean by a secrecy system. C.E. Shannon, "Communication Theory of Secrecy Systems", Bell System Tech. J., vol. 28, pp , Oct., This was a radical departure from previous papers in cryptography where (as in Steen and Stoffer) conjecture and imprecision reigned. Just how did Shannon define a secrecy system in a mathematically acceptable way? 10
11 He drew a picture! (Shannon, 1949) 11
12 Claude Elwood Shannon ( ) (photographed 17 April 1961 by Göran Einarsson) 12
13 Shannon s Fig. 1 Schematic of a general secrecy system maes the following assumptions crystal clear: The message M and the ey K are independent random variables. The sender and receiver both now the ey. The attacer nows only the cryptogram E (i.e., a ciphertext-only attac is assumed). The receiver is able to recover the message M from nowledge of the cryptogram E and ey K. No assumption is made about who generates the ey. You don t need a lot of words and/or equations to mae yourself mathematically precise! 13
14 Kerchoffs rinciple A cipher should be secure when the enemy cryptanalyst nows all details of the enciphering process and deciphering process except for the value of the secret ey. This principle was first stated in 1881 by the Dutchman Auguste Kerchoffs ( ). When evaluating security, one assumes that the enemy cryptanalyst nows everything (including the source statistics and ey statistics) except the secret ey. 14
15 What does unbreaable mean? To Shannon, a cipher is unbreaable in a ciphertext-only attac if it provides unconditional security, i.e., no matter how hard or how long the attacer wors, he/she can do no better than to guess the plaintext by the best guessing rule that he/she would use without having seen the ciphertext. Shannon s 1949 definition: A cipher provides perfect secrecy against a ciphertext-only attac if the plaintext and the ciphertext, considered as random variables, are independent. 15
16 Vernam s 1926 Cipher: Enemy cryptanalyst in a ciphertext-only attac. Binary laintext Source M R Secure Channel R is the secret ey, a totally random BSS sequence. Binary Symmetric Source E R R M Destination Vernam claimed that his cipher was unbreaable! 16
17 Vernam not only claimed that his cipher was unbreaable, but also stated that he had confirmed this in field trials with the U. S. Army Signal Corps. Was Vernam right? Was his cipher the first unbreaable cipher in the many thousands of years of cryptographic history? 17
18 The Binary Symmetric Source (BSS) of information theory is a money with a fair binary coin ( 0 on one side and 1 on the other). 18
19 Cryptographic property of the BSS: The modulo-two sum of a BSS output and an arbitrary random sequence is another BSS output that is INDEENDENT of the arbitrary random sequence. Example: BSS output: Arb. Ran. Seq Modulo-2 sum
20 Vernam s cipher provides perfect secrecy against a ciphertext-only attac! Binary laintext Source M R E Secure Channel R BSS Destination The cryptogram E that the enemy cryptanalyst sees is independent of the plaintext message M. This simple proof of unbreaability of Vernam s 1926 cipher was first given by Shannon in 1949! R M 20
21 Vernam s cipher is usually today called the one-time pad to emphasize that the ey is to be used for only one message. It was used by spies on both sides in World War II and is still the cipher of choice for extremely important secret communications. (What Shannon called the plaintext is the total data that will be encrypted before the ey is changed, i.e., Shannon specified a one-time ey in his theory of secrecy systems.) 21
22 Vernam s cipher needs as many binary digits of secret ey as there are bits of plaintext to be encrypted. Vernam was right about his cipher being unbreaable, but does an unbreaable cipher really need this huge amount of secret ey??? 22
23 Shannon s 1949 Lower Bound on Key Length: For perfect secrecy, the number of different eys must be AT LEAST AS GREAT as the number of different plaintexts. roof: For any fixed ey, the number of different ciphertexts e equals the number of different plaintexts m. erfect secrecy for all possible e and any fixed m, (E=e M=m) = (E=e) 0 For a fixed m, the number of different ciphertexts e must equal at least the number of different plaintexts m. But all eys from a fixed m to different e s must be different. 23
24 Shannon later gave the following proof of a slightly weaer lower bound on ey length, namely H(K) H(E). erfect secrecy H(E) = H(M E) H(MK E) = H(K E) + H(M EK) = H(K E) = 0 H(K) Thus, if the cipher is to give perfect secrecy regardless of the source statistics, it must also give perfect secrecy for the BSS for which H(M) = N bits. Thus H(K) N so that the ey must be at least N binary digits long. 24
25 The number of different plaintext messages is about 2 H(M) where H(M) is the entropy of the plaintext message. Equivalently, one says that H(M) is the number of bits of information in the plaintext message. An ideal data compressor will compress M to about H(M) binary digits. Consider the system: M Ideal Data Compressor Vernam s Cipher E K Achieves perfect secrecy and the number of binary digits of the ey K is H(M), which satisfies Shannon s lower bound with equality. 25
26 Simmons Model of a Substitution Attac on an Authenticity System MESSAGE SOURCE M ENCIHERER T K E E' DECIHERER T K -1 ACCETED M' K ENEMY CRYTANALYST Secure Channel K KEY SOURCE K RECOGNIZED UNAUTHENTIC E' can be the legitimate cryptogram E or a phony cryptogram E' (E' E) inserted by the attacer. E' is accepted if and only if it is a valid cryptogram for the ey K. 26
27 In an impersonation attac, the attacer forms E' without seeing a legitimate cryptogram E and wins if his cryptogram is accepted. I = robability of successful impersonation when the attacer uses an optimum attac. S = robability of successful substitution when the attacer uses an optimum attac. d = robability of deception = max( I, S ) Simmons 1984 bound on the probability of deception: d 2 -I(E; K) where I(E; K) = H(K) - H(K E) is the mutual information between E and K. The only way to get unconditionally secure authenticity is to let the cryptogram give information about the ey! 27
28 Example of an authenticity system meeting Simmon s lower bound on I with equality: laintext is sent in the clear and the ey is added as a signature: E = [M : K] If the ey has length n binary digits, then I = 2 -n because the attacer can only mae a random guess at the secret ey in an impersonation attac. I(E; K) = n bits so that Simmons bound on I holds with equality! This authenticity system gives no secrecy! In a substitution attac, the attacer can achieve S = 1. 28
29 Example of an authenticity system meeting Simmon s lower bound on S and d with equality: 1-bit messages with individual signatures. K = (K 1, K 2,... K ν, K ν +1,... K 2ν ) [n = 2ν-bit ey] assumed generated by a BSS. M is 0 or 1. M = 0 E = (0, K 1, K 2,... K ν ) M = 1 E = (1, K ν +1, K ν +2,... K 2ν ) Note that again there is no secrecy! Whether the attacer observes E or not, he must guess ν bits of ey to produce a cryptogram E' that will be accepted as authentic. I = S = d = 2 -ν. But I(E; K) = ν bits so that Simmons bound on d holds with equality! 29
30 This example shows that we can have unconditionally secure authenticity with no secrecy. Vernam s cipher gives perfect secrecy against a ciphertext-only attac but no protection against an impersonation attac, i.e., I = 1. The important conclusion to mae is that secrecy and authenticity are independent attributes of a cryptographic system. 30
31 The informational divergence (or the Kullbach- Leibler distance or the relative entropy or the discrimination ) from to Q, two probability distributions on the same alphabet, is the quantity D( Q) = x supp( ) Q(x) (x) log. (x) Fundamental property of informational divergence: D ( Q) 0 with equality if and only if = Q. Let H 0 and H 1 be the two possible hypotheses and let Y be the observation used to determine which hypothesis is true. Let D 0 and D 1 be the regions of Y values in which one decides for H 0 or H 1, respectively. Let α or β be the error probabilities when H 0 or H 1 is true, respectively. 31
32 Let V (0 or 1) be the decision as to which hypothesis is true so that α = V H 0 (1) and β = V H1 (0). Direct calculation gives D( V H ) 0 V H1 1- β = α log α (1 α) log β. 1-α Information-theoretic bound for hypothesis testing: D( Y H 0 Y H1 1- β ) α log (1 α with equality if and only if Y H Y H 0 1 (y) (y) β α) log 1-α has the same value for all y D 0 and has the same value for all y D 1. 32
33 For the important special case where α = 0, i.e., where we never err when H 0 is true, the previous bound gives β 2 D ( Y H 0 Y H1 Now suppose that H 0 is the hypothesis that the observation Y = E' is the legitimate cryptogram E for the ey K =, i.e., ( y) = E K ( ), and that H 1 is the hypothesis Y H y 0 = that Y = E' is formed by the attacer according to H ( y) = ( y) ( ) ( y) 1 E = K = E K Y = which may not be the optimum attacing strategy. Let β be the error probability when K = so that β 2 D ( E K = E ) ).., 33
34 34 Moreover, β is just the probability I of successful impersonation, so the information-theoretic bound becomes. 2 ) ; ( E K I I ) ( ) ( log ) ( ) ( y y y D K E E y K E E K E = = = = ) ( ) ( 2 E E K K D = ) ( )2 ( ) ( = = E K E D K K β β where we have used Jensen s inequality. But ). ; ( ) ( ) ( ) ( ) ( K E I K E H E H D E E K K = = = This completes the proof of Simmons lower bound.
35 Simmons proof of his bound on the probability of deception (or impersonation) appears in G. J. Simmons, "Authentication Theory/Coding Theory," pp in Advances in Cryptology - CRYTO '84 (Eds. G. R. Blaey and D. Chaum), Lecture Notes in Computer Science No Heidelberg and New Yor: Springer, Several simplifications of his derivation have since been given. The most insightful one, which we have followed, is by Maurer, cf. U. M. Maurer, "Information Theoretic Bounds in Authentication Theory," p.12 in roc. IEEE Inst. Symp. Info. Th., Whistler, Canada, Sept , U.M. Maurer, "A Unified and Generalized Treatment of Authentication Theory, pp in roc. 13th Symp. on Theoretical Aspects of Computer Science (STACS'96), Lecture Notes in Computer Science No. 1046, New Yor: Springer, Maurer based his treatment on Blahut s informationtheoretic approach to hypothesis testing, cf. R. E. Blahut, Hypothesis testing and information theory, IEEE Trans. Inform. Theory, vol. IT-20, pp , July
and Other Fun Stuff James L. Massey
Lectures in Cryptology 10-14 October 2005 School of Engineering and Science International University Bremen Lecture 3: Public-Key Cryptography and Other Fun Stuff James L. Massey [Prof.-em. ETH Zürich,
More informationCorrecting Codes in Cryptography
EWSCS 06 Palmse, Estonia 5-10 March 2006 Lecture 2: Orthogonal Arrays and Error- Correcting Codes in Cryptography James L. Massey Prof.-em. ETH Zürich, Adjunct Prof., Lund Univ., Sweden, and Tech. Univ.
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationOptimum Binary-Constrained Homophonic Coding
Optimum Binary-Constrained Homophonic Coding Valdemar C. da Rocha Jr. and Cecilio Pimentel Communications Research Group - CODEC Department of Electronics and Systems, P.O. Box 7800 Federal University
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More information3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions
Engineering Tripos Part IIA THIRD YEAR 3F: Signals and Systems INFORMATION THEORY Examples Paper Solutions. Let the joint probability mass function of two binary random variables X and Y be given in the
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationPerfectly secure cipher system.
Perfectly secure cipher system Arindam Mitra Lakurdhi, Tikarhat Road, Burdwan 713102 India Abstract We present a perfectly secure cipher system based on the concept of fake bits which has never been used
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationMODULAR ARITHMETIC. Suppose I told you it was 10:00 a.m. What time is it 6 hours from now?
MODULAR ARITHMETIC. Suppose I told you it was 10:00 a.m. What time is it 6 hours from now? The time you use everyday is a cycle of 12 hours, divided up into a cycle of 60 minutes. For every time you pass
More informationCryptographic Engineering
Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationInformation Theoretical Analysis of Digital Watermarking. Multimedia Security
Information Theoretical Analysis of Digital Watermaring Multimedia Security Definitions: X : the output of a source with alphabet X W : a message in a discrete alphabet W={1,2,,M} Assumption : X is a discrete
More informationOutline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad
Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides
More informationShannon s Theory of Secrecy Systems
Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationASPECIAL case of the general key agreement scenario defined
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 49, NO 4, APRIL 2003 839 Secret-Key Agreement Over Unauthenticated Public Channels Part III: Privacy Amplification Ueli Maurer, Fellow, IEEE, and Stefan Wolf
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationWeek 7 An Application to Cryptography
SECTION 9. EULER S GENERALIZATION OF FERMAT S THEOREM 55 Week 7 An Application to Cryptography Cryptography the study of the design and analysis of mathematical techniques that ensure secure communications
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationHans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References
Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen
More informationLecture 8 - Cryptography and Information Theory
Lecture 8 - Cryptography and Information Theory Jan Bouda FI MU April 22, 2010 Jan Bouda (FI MU) Lecture 8 - Cryptography and Information Theory April 22, 2010 1 / 25 Part I Cryptosystem Jan Bouda (FI
More informationThe simple ideal cipher system
The simple ideal cipher system Boris Ryabko February 19, 2001 1 Prof. and Head of Department of appl. math and cybernetics Siberian State University of Telecommunication and Computer Science Head of Laboratory
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationInformation-theoretic Secrecy A Cryptographic Perspective
Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy Cryptography Computational assumptions
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationSecret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result
Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result Ueli Maurer, Fellow, IEEE Stefan Wolf Abstract This is the first part of a three-part paper on secret-key
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationA New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm
A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationCryptography and Number Theory
Chapter 2 Cryptography and Number Theory 2.1 Cryptography and Modular Arithmetic 2.1.1 Introduction to Cryptography For thousands of years people have searched for ways to send messages in secret. For
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine
More informationSimple Codes MTH 440
Simple Codes MTH 440 Not all codes are for the purpose of secrecy Morse Code ASCII Zip codes Area codes Library book codes Credit Cards ASCII Code Steganography: Hidden in plain sight (example from http://www.bbc.co.uk/news/10
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationTurbo Codes Can Be Asymptotically Information-Theoretically Secure
Turbo Codes Can Be Asymptotically Information-Theoretically Secure Xiao Ma Department of ECE, Sun Yat-sen University Guangzhou, GD 50275, China E-mail: maxiao@mailsysueducn Abstract This paper shows that
More informationPaper from European Trans. on Telecomm., Vol. 5, pp , July-August 1994.
Paper from European Trans. on Telecomm., Vol. 5, pp. 421-429, July-August 1994. Some Applications of Source Coding in Cryptography James L. Massey Signal and Information Processing Laboratory Swiss Federal
More informationSecrecy and the Quantum
Secrecy and the Quantum Benjamin Schumacher Department of Physics Kenyon College Bright Horizons 35 (July, 2018) Keeping secrets Communication Alice sound waves, photons, electrical signals, paper and
More informationThe BB84 cryptologic protocol
The cryptologic protocol of quantum key distribution Dimitri Petritis Institut de recherche mathématique de Rennes Université de Rennes 1 et CNRS (UMR 6625) Vernam s ciphering Principles of coding and
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationChapter 3 Cryptography
Chapter 3 Cryptography Introduction: Cryptography is an ancient art of keeping secrets. Cryptography ensures security of communication over insecure medium. Terms used in Cryptography: 1) Plain Text: The
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More information6.080/6.089 GITCS April 8, Lecture 15
6.080/6.089 GITCS April 8, 2008 Lecturer: Scott Aaronson Lecture 15 Scribe: Tiffany Wang 1 Administrivia Midterms have been graded and the class average was 67. Grades will be normalized so that the average
More informationJay Daigle Occidental College Math 401: Cryptology
3 Block Ciphers Every encryption method we ve studied so far has been a substitution cipher: that is, each letter is replaced by exactly one other letter. In fact, we ve studied stream ciphers, which produce
More informationFast Cryptanalysis of the Matsumoto-Imai Public Key Scheme
Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme P. Delsarte Philips Research Laboratory, Avenue Van Becelaere, 2 B-1170 Brussels, Belgium Y. Desmedt Katholieke Universiteit Leuven, Laboratorium
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationInformation-Theoretic Security: an overview
Information-Theoretic Security: an overview Rui A Costa 1 Relatório para a disciplina de Seminário, do Mestrado em Informática da Faculdade de Ciências da Universidade do Porto, sob a orientação do Prof
More informationChapter 3 Cryptography
Chapter 3 Cryptography Introduction: Cryptography is an ancient art of keeping secrets. Cryptography ensures security of communication over insecure medium. Terms used in Cryptography: 1) Plain text Plain
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationDetection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations
Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations David Gaharia Joel Wibron under the direction of Prof. Mohamed Bourennane Quantum Information & Quantum
More informationOn the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator
On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator Shahram Khazaei, Mahmood Salmasizadeh,JavadMohajeri *Department of Electrical Engineering Sharif University
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationInformation Leakage of Correlated Source Coded Sequences over a Channel with an Eavesdropper
Information Leakage of Correlated Source Coded Sequences over a Channel with an Eavesdropper Reevana Balmahoon and Ling Cheng School of Electrical and Information Engineering University of the Witwatersrand
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationLecture 10: HMAC and Number Theory
CS 6903 Modern Cryptography April 15, 2010 Lecture 10: HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Bidla, Samiksha Saxena,Varun Sanghvi 1 HMAC A Hash-based Message Authentication Code
More informationA UNIVERSAL ALGORITHM FOR HOMOPHONIC CODING
A UNIVERSAL ALGORITHM FOR HOMOPHONIC CODING Christoph G. Gunther Asea Brown Boveri Corporate Research CH-5405 Baden, Switzerland ABSTRACT This contribution describes a coding technique which transforms
More informationEindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015
Eindhoven University of Technology MASTER Kleptography cryptography with backdoors Antheunisse, M. Award date: 2015 Disclaimer This document contains a student thesis (bachelor's or master's), as authored
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationAn Introduction to Cryptography
An Introduction to Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics Spring 2008 What is Cryptography? cryptography: study of methods for sending messages in a form that only
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationEnhancements of the Non-linear Knapsack Cryptosystem
Enhancements of the Non-linear Knapsack Cryptosystem A thesis submitted in partial fulfilment of the requirements for the Degree of Master of Science at the University of Canterbury by Zhiqi Tu University
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationImprovements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College
Improvements to Correlation Attacks Against Stream Ciphers with Nonlinear Combiners Brian Stottler Elizabethtown College Spring 2018 1 Background 1.1 Stream Ciphers Throughout the multi-thousand year history
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationEntanglement and information
Ph95a lecture notes for 0/29/0 Entanglement and information Lately we ve spent a lot of time examining properties of entangled states such as ab è 2 0 a b è Ý a 0 b è. We have learned that they exhibit
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More information