Topics. Probability Theory. Perfect Secrecy. Information Theory

Size: px
Start display at page:

Download "Topics. Probability Theory. Perfect Secrecy. Information Theory"

Transcription

1

2 Topics Probability Theory Perfect Secrecy Information Theory

3 Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult problem Unconditional Security Oscar (adversary) can do whatever he wants, as much as he wants 3

4 Probability Review, pg. 1 A random variable (event) is an experiment whose outcomes are mapped to real numbers. Probability: We denote p X (x) = Pr(X = x). For a subset A, Joint Probability: Sometimes we want to consider more than two events at the same time, in which we case we lump them together into a joint random variable, e.g. Z = (X,Y). p X, Y p(a) xa X,Y x, y PrX x, Y y Independence: We say that two events are independent if p X,Y p X x X,Y x, y p xp y X Y

5 Probability Review, pg. Conditional Probability: We will often ask questions about the probability of events Y given that we have observed X=x. In particular, we define the conditional probability of Y=y given X=x by p Y (y x) p p XY X (x, y) (x) Independence: We immediately get p Y (y x) p Y (y) Bayes s Theorem: If p X (x)>0 and p Y (y)>0 then p X (x y) = p X (x)p Y (y x) p Y (y)

6 Example

7 Perfect Secrecy Defined A cryptosystem (P,C,K,E,D) has perfect secrecy if Ciphertext yields no information about plaintext 7

8 Perfect Secrecy p(m): (a priori) probability that plaintext M is sent. p(c): probability that ciphertext C was received. P(M C): probability that plaintext M was sent, given that ciphertext C was received. P(C M): probability that ciphertext C was received, given that plaintext M was sent. P(K): probability that key K was chosen. A cryptosystem provides perfect secrecy if p(m C) = p(m) for all M and C with p(c) > 0

9 Implications Perfect secrecy means exactly that the random variables on M and C are independent. Ciphertext C gives us no information about M Proof using Bayes s theorem A cryptosystem provides perfect secrecy if and only if p(c M) = p(c) for all M;C with p(m) > 0 and p(c) > 0

10 Theorem If a cryptosystem has perfect secrecy, then K M. Proof idea? There is some message M such that for a given ciphertext C; no key K encrypts M to C P(C M)=0 but P(C)>0

11 One-Time Pad The one-time pad, which is a provably secure cryptosystem, was developed by Gilbert Vernam in The message is represented as a binary string (a sequence of 0 s and 1 s using a coding mechanism such as ASCII coding. The key is a truly random sequence of 0 s and 1 s of the same length as the message. The encryption is done by adding the key to the message modulo, bit by bit. This process is often called exclusive or, and is denoted by XOR. The symbol is used

12 exclusive or Operator a b c = a b

13 Example message = IF then its ASCII code =( ) key = ( ) Encryption: plaintext key ciphertext Decryption: ciphertext key plaintext

14 OTP Security The security depends on the randomness of the key. It is hard to define randomness. In cryptographic context, we seek two fundamental properties in a binary random key sequence: Unpredictability: Balanced (Equal Distribution):

15 OTP Security Unpredictability: Independent of the number of the bits of a sequence observed, the probability of guessing the next bit is not better than ½. Therefore, the probability of a certain bit being 1 or 0 is exactly equal to ½. Balanced (Equal Distribution): The number of 1 s and 0 s should be equal.

16 Entropy Want to be able to measure the uncertainty or information of some random variable X. Entropy Information theory captures the amount of information in a piece of text. How much information or uncertainty is in a cryptosystem? 16

17 Entropy and Source Coding Theory There is a close relationship between entropy and representing information. Entropy captures the notion of how many Yes-No questions are needed to accurately identify a piece of information that is, how many bits are needed! One of the main focus areas in the field of information theory is on the issue of source-coding: How to efficiently ( Compress ) information into as few bits as possible. One such technique, Huffman Coding.

18 Entropy and Uncertainty We are concerned with how much uncertainty a random event has, but how do we define or measure uncertainty? We want our measure to have the following properties: 1. To each set of nonnegative numbers p p1,p,, pn with p1 p pn 1, we define the uncertainty by. H(p). H(p) should be a continuous function: A slight change in p should not drastically change H(p) H 1 for all n>0. Uncertainty increases n,, n H, n1, n1 when there are more outcomes.

19 Entropy, pg. We define the entropy of a random variable by Example: Consider a fair coin toss. There are two outcomes, with probability ½ each. The entropy is 1 H X log 1 x p x 1 log 1bit Example: Consider a non-fair coin toss X with probability p of getting heads and 1-p of getting tails. The entropy is log 1 p(x) X plog p 1 plog 1 p H

20 Entropy, pg. 3 Entropy may be thought of as the number of yes-no questions needed to accurately determine the outcome of a random event. Example: Flip two coins, and let X be the number of heads. The possibilities are {0,1,} and the probabilities are {1/4, 1/, 1/4}. The Entropy is 1 log log 1 1 log bits So how can we relate this to questions? Half the time you needed one question, half you needed two

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides

More information

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3 Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48

More information

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes

More information

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect

More information

Cryptographic Engineering

Cryptographic Engineering Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information

More information

Cryptography 2017 Lecture 2

Cryptography 2017 Lecture 2 Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

Private-key Systems. Block ciphers. Stream ciphers

Private-key Systems. Block ciphers. Stream ciphers Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:

More information

Chapter 2 : Perfectly-Secret Encryption

Chapter 2 : Perfectly-Secret Encryption COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions Engineering Tripos Part IIA THIRD YEAR 3F: Signals and Systems INFORMATION THEORY Examples Paper Solutions. Let the joint probability mass function of two binary random variables X and Y be given in the

More information

William Stallings Copyright 2010

William Stallings Copyright 2010 A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!

More information

Shannon s Theory of Secrecy Systems

Shannon s Theory of Secrecy Systems Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory

More information

Cryptography - Session 2

Cryptography - Session 2 Cryptography - Session 2 O. Geil, Aalborg University November 18, 2010 Random variables Discrete random variable X: 1. Probability distribution on finite set X. 2. For x X write Pr(x) = Pr(X = x). X and

More information

Historical cryptography. cryptography encryption main applications: military and diplomacy

Historical cryptography. cryptography encryption main applications: military and diplomacy Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

Solution of Exercise Sheet 6

Solution of Exercise Sheet 6 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following

More information

Lecture 8 - Cryptography and Information Theory

Lecture 8 - Cryptography and Information Theory Lecture 8 - Cryptography and Information Theory Jan Bouda FI MU April 22, 2010 Jan Bouda (FI MU) Lecture 8 - Cryptography and Information Theory April 22, 2010 1 / 25 Part I Cryptosystem Jan Bouda (FI

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Scribe for Lecture #5

Scribe for Lecture #5 CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations

More information

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

More information

Information-theoretic Secrecy A Cryptographic Perspective

Information-theoretic Secrecy A Cryptographic Perspective Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy Cryptography Computational assumptions

More information

Introduction to Cryptology. Lecture 3

Introduction to Cryptology. Lecture 3 Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at

More information

02 Background Minimum background on probability. Random process

02 Background Minimum background on probability. Random process 0 Background 0.03 Minimum background on probability Random processes Probability Conditional probability Bayes theorem Random variables Sampling and estimation Variance, covariance and correlation Probability

More information

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:

More information

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Lecture 4: Perfect Secrecy: Several Equivalent Formulations Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,

More information

Chapter 2. A Look Back. 2.1 Substitution ciphers

Chapter 2. A Look Back. 2.1 Substitution ciphers Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.

More information

Introduction to Information Theory. B. Škorić, Physical Aspects of Digital Security, Chapter 2

Introduction to Information Theory. B. Škorić, Physical Aspects of Digital Security, Chapter 2 Introduction to Information Theory B. Škorić, Physical Aspects of Digital Security, Chapter 2 1 Information theory What is it? - formal way of counting information bits Why do we need it? - often used

More information

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3 Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y

More information

Some Basic Concepts of Probability and Information Theory: Pt. 2

Some Basic Concepts of Probability and Information Theory: Pt. 2 Some Basic Concepts of Probability and Information Theory: Pt. 2 PHYS 476Q - Southern Illinois University January 22, 2018 PHYS 476Q - Southern Illinois University Some Basic Concepts of Probability and

More information

Lecture 13: Private Key Encryption

Lecture 13: Private Key Encryption COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define

More information

6.02 Fall 2012 Lecture #1

6.02 Fall 2012 Lecture #1 6.02 Fall 2012 Lecture #1 Digital vs. analog communication The birth of modern digital communication Information and entropy Codes, Huffman coding 6.02 Fall 2012 Lecture 1, Slide #1 6.02 Fall 2012 Lecture

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

CS 361: Probability & Statistics

CS 361: Probability & Statistics February 12, 2018 CS 361: Probability & Statistics Random Variables Monty hall problem Recall the setup, there are 3 doors, behind two of them are indistinguishable goats, behind one is a car. You pick

More information

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment. CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1

More information

Entropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39

Entropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39 Entropy Probability and Computing Presentation 22 Probability and Computing Presentation 22 Entropy 1/39 Introduction Why randomness and information are related? An event that is almost certain to occur

More information

5199/IOC5063 Theory of Cryptology, 2014 Fall

5199/IOC5063 Theory of Cryptology, 2014 Fall 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.

More information

Shannon s Theory. Objectives

Shannon s Theory. Objectives Shannon Theory Debdeep Mukhopadhyay IIT Kharagpur Objective Undertand the definition of Perfect Secrecy Prove that a given crypto-ytem i perfectly ecured One Time Pad Entropy and it computation Ideal Cipher

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

The enumeration of all possible outcomes of an experiment is called the sample space, denoted S. E.g.: S={head, tail}

The enumeration of all possible outcomes of an experiment is called the sample space, denoted S. E.g.: S={head, tail} Random Experiment In random experiments, the result is unpredictable, unknown prior to its conduct, and can be one of several choices. Examples: The Experiment of tossing a coin (head, tail) The Experiment

More information

CS 630 Basic Probability and Information Theory. Tim Campbell

CS 630 Basic Probability and Information Theory. Tim Campbell CS 630 Basic Probability and Information Theory Tim Campbell 21 January 2003 Probability Theory Probability Theory is the study of how best to predict outcomes of events. An experiment (or trial or event)

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine

More information

Unpredictable Binary Strings

Unpredictable Binary Strings San Jose State University From the SelectedWorks of Mark Stamp 2005 Unpredictable Binary Strings Richard M. Low, San Jose State University Mark Stamp, San Jose State University R. Craigen, University of

More information

DISCRETE RANDOM VARIABLES: PMF s & CDF s [DEVORE 3.2]

DISCRETE RANDOM VARIABLES: PMF s & CDF s [DEVORE 3.2] DISCRETE RANDOM VARIABLES: PMF s & CDF s [DEVORE 3.2] PROBABILITY MASS FUNCTION (PMF) DEFINITION): Let X be a discrete random variable. Then, its pmf, denoted as p X(k), is defined as follows: p X(k) :=

More information

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement

More information

Modern symmetric-key Encryption

Modern symmetric-key Encryption Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his

More information

Lecture 1. Crypto Background

Lecture 1. Crypto Background Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

1. Basics of Information

1. Basics of Information 1. Basics of Information 6.004x Computation Structures Part 1 Digital Circuits Copyright 2015 MIT EECS 6.004 Computation Structures L1: Basics of Information, Slide #1 What is Information? Information,

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Pseudorandom Generators

Pseudorandom Generators Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Yodai Watanabe 1, Junji Shikata 2, and Hideki Imai 3 1 RIKEN Brain Science Institute 2-1 Hirosawa, Wako-shi,

More information

STREAM CIPHER. Chapter - 3

STREAM CIPHER. Chapter - 3 STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.

More information

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February

More information

Block Ciphers and Feistel cipher

Block Ciphers and Feistel cipher introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure

More information

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage

More information

6.080/6.089 GITCS April 8, Lecture 15

6.080/6.089 GITCS April 8, Lecture 15 6.080/6.089 GITCS April 8, 2008 Lecturer: Scott Aaronson Lecture 15 Scribe: Tiffany Wang 1 Administrivia Midterms have been graded and the class average was 67. Grades will be normalized so that the average

More information

5 Pseudorandom Generators

5 Pseudorandom Generators 5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic

More information

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines. Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

El Gamal A DDH based encryption scheme. Table of contents

El Gamal A DDH based encryption scheme. Table of contents El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

Chapter 7 Wednesday, May 26th

Chapter 7 Wednesday, May 26th Chapter 7 Wednesday, May 26 th Random event A random event is an event that the outcome is unpredictable. Example: There are 45 students in this class. What is the probability that if I select one student,

More information

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier

More information

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc. Assignment 3 - Cryptography Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc. Deutsche Telekom Chair of Mobile Business & Multilateral Security Goethe-University Frankfurt a. M.

More information

Perfectly-Secret Encryption

Perfectly-Secret Encryption Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes

More information

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch

More information

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Exercises with solutions (Set B)

Exercises with solutions (Set B) Exercises with solutions (Set B) 3. A fair coin is tossed an infinite number of times. Let Y n be a random variable, with n Z, that describes the outcome of the n-th coin toss. If the outcome of the n-th

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations

More information

and Other Fun Stuff James L. Massey

and Other Fun Stuff James L. Massey Lectures in Cryptology 10-14 October 2005 School of Engineering and Science International University Bremen Lecture 3: Public-Key Cryptography and Other Fun Stuff James L. Massey [Prof.-em. ETH Zürich,

More information

and its Extension to Authenticity

and its Extension to Authenticity EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of

More information

INTRODUCTION TO INFORMATION THEORY

INTRODUCTION TO INFORMATION THEORY INTRODUCTION TO INFORMATION THEORY KRISTOFFER P. NIMARK These notes introduce the machinery of information theory which is a eld within applied mathematics. The material can be found in most textbooks

More information

4F5: Advanced Communications and Coding Handout 2: The Typical Set, Compression, Mutual Information

4F5: Advanced Communications and Coding Handout 2: The Typical Set, Compression, Mutual Information 4F5: Advanced Communications and Coding Handout 2: The Typical Set, Compression, Mutual Information Ramji Venkataramanan Signal Processing and Communications Lab Department of Engineering ramji.v@eng.cam.ac.uk

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

6.080 / Great Ideas in Theoretical Computer Science Spring 2008 MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

Elliptic Curve Cryptography

Elliptic Curve Cryptography Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is

More information

CS 395T. Probabilistic Polynomial-Time Calculus

CS 395T. Probabilistic Polynomial-Time Calculus CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is

More information

Shannon's Theory of Communication

Shannon's Theory of Communication Shannon's Theory of Communication An operational introduction 5 September 2014, Introduction to Information Systems Giovanni Sileno g.sileno@uva.nl Leibniz Center for Law University of Amsterdam Fundamental

More information

Chapter 2 Random Variables

Chapter 2 Random Variables Stochastic Processes Chapter 2 Random Variables Prof. Jernan Juang Dept. of Engineering Science National Cheng Kung University Prof. Chun-Hung Liu Dept. of Electrical and Computer Eng. National Chiao Tung

More information

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance. 9. Distance measures 9.1 Classical information measures How similar/close are two probability distributions? Trace distance Fidelity Example: Flipping two coins, one fair one biased Head Tail Trace distance

More information

Solution to Midterm Examination

Solution to Midterm Examination YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book

More information

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24

More information

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf

More information