Minentropy and its Variations for Cryptography
|
|
- Dorothy Henderson
- 5 years ago
- Views:
Transcription
1 1 Minentropy and its Variations for Cryptography Leonid Reyzin May 23, th International Conference on Information Theoretic Security
2 2 guessability and entropy Many ays to measure entropy If I ant to guess your passord, hich entropy do I care about? This talk: minentropy = log (Pr [adversary predicts sample]) predictability W H (W)= log max Pr[]
3 3 hat is minentropy good for? Passords Message authentication n/2 n/2 key = a b m + GF(2 n/2 ) GF(2 n/2 ) MAC a,b (m) = σ = am + b [Wegman-Carter 81]
4 4 hat is minentropy good for? Passords Message authentication n/2 n/2 key = a b gap g minentropy k MAC a,b (m) = σ = am + b Let a,b = n, H (a,b) = k Let entropy gap n k = g Security: k n/2=n/2 g [Maurer-Wolf 03]
5 5 hat is minentropy good for? Passords Message authentication MAC a,b (m) = σ = am + b Secret key extraction ( encryption, etc.) reusable seed i minentropy k Ext jointly uniform (ε-close) [Bennett-Brassard-Robert 85, Impagliazzo-Levin-Luby 89, Nisan-Zuckerman 93] R
6 6 is it good for privacy amplification? Alice partially secret i Bob i Ext R i Ext R Eve knos something about Goal: from a partial secret agree on a uniform secret R [Bennett-Brassard-Robert 85] Simple solution: use an extractor But ait! What is the right value for H ()? Depends on Eve s knoledge Y So ho do e kno hat Ext to apply?
7 defining conditional entropy H (W Y) E.g., W is uniform, Y = Hamming Weight(W) Pr[Y = n/2] > 1/(2 n) Pr[Y = n]= 2 n But hat about H (W Y)? H (W Y = n/2) n ½log n 1 H (W Y = 0) = 0 predictability Recall: minentropy = log (predictability) H (W)= log max Pr[] What s the probability of predicting W given Y? H (W Y)= log E max Pr[ Y=y] y average minentropy but not average of minentropy: if min-entropy is 0 half the time, and 1000 half the time, you get log ( )/2 log 1/2 = 1. W [Dodis-Ostrovsky -R-Smith 04] 7
8 8 hat is H (W Y) good for? Passords Prob. of guessing by adversary ho knos Y: 2 H (W Y) Message authentication If key is W and adversary knos Y: security H (W Y) n/2 Secret key extraction ( encryption, etc.) All extractors ork [Vadhan 11] H (W Y)=k seed i Ext R jointly uniform given Y
9 hat is H (W Y) good for? Passords Prob. of guessing by adversary ho knos Y: 2 H (W Y) Message authentication If key is W and adversary knos Y: security H (W Y) n/2 Secret key extraction ( encryption, etc.) All extractors ork [Vadhan 11] Therefore, privacy amplification! partially secret Alice i Bob i Ext R i Ext R Eve knos something about 9
10 hat about information reconciliation? 10 i Alice S Ext Bob s R error-correcting info s,i Eve s Rec i Ext R Ho long an R can you extract? Depends on H (W Y, S)! Lemma: H (W Y, S) H (W, S Y) bit-length (S)
11 ho to build S? 11 Code C: {0,1} m {0,1} n encodes m-bit messages into n-bit codeords any to codeords differ in at least d locations feer than d/2 errors unique correct decoding C
12 12 ho to build S? Idea: hat if is a codeord in an ECC? Decoding finds from If not a codeord, simply shift the ECC S() is the shift to random codeord [Juels-Watenberg 02]: s = ECC(r) Recover: dec( s) s s s=s() +s dec
13 hat about information reconciliation? i Alice Ext Bob R s = ECC(r), i Eve s Rec i Lemma: H (W Y, S) H (W, S Y) bit-length (S) = H (W Y) + r H (W Y, S) H (W Y) + m n = = Entropy loss for a code from m bits to n bits: n m m n Ext R 13
14 active adversary Alice Bob E v R e or R or Starting in Maurer and Maurer-Wolf 1997 Interesting even if = Basic problem: authenticate extractor seed i Problem: if H (W Y)<n/2, can t be used as a MAC key Idea [Renner-Wolf 2003]: use interaction, one bit in to rounds 14
15 authenticating a bit b [Renner-Wolf 03] x Alice Ext t challenge x response t = Ext x () iff b=1; else just send 0 Note: Eve can make Bob s vie Alice s vie x x E x Ext t t ve t Bob Accept 1 if Ext x () is correct x Ext t Claim: Eve can t change 0 to 1! (To prevent change of 1 to 0, make #0s = #1s) Lemma [Kanukurthi-R. 09] H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1 As long as H (W Y) is high enough for Ext to ensure quality ε; but e can measure it: each bit authenticated reduces it by t 15
16 improving entropy loss 16 Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Problem: For λ security, t λ, so each round loses λ entropy Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R 10]: -- Make t = constant. -- No Eve can change/insert/delete at most constant fraction of bits -- Encode hatever you are sending in an edit distance code [Schulman-Zuckerman99] of const. rate, correcting constant fraction
17 improving entropy loss Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Problem: For λ security, t λ, so each round loses λ entropy Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R 10]: -- Make t = constant. -- No Eve can change/insert/delete at most constant fraction of bits Ho to prove? Can e use H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1? It talks about unpredictability of a single value; but doesn t say anything about independence of to 17
18 improving entropy loss Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Can e use H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1? It talks about unpredictability of a single value; avg entropy still useful but doesn t say anything about independence of to Step 1: H (W all variables Eve sees) is sufficient Step 2: H (W a specific transcript) is sufficient ith high prob Step 3: H (W at every Ext step) is sufficient ith high prob Lemma: If H (W) is sufficient, then H (Ext(W; x) x) t 1 ith high prob. just minentropy 18
19 19 If (conditional) min-entropy is so useful in information-theoretic crypto, hat about computational analogues?
20 20 computational entropy (HILL) Min-Entropy H (W)= log max Pr[] W predictability W HILL [Håstad,Impagliazzo,Levin,Luby]: H δ,s (W) k if Z such that H (Z) = k and W Z To more parameters relating to hat means -- maximum size s of distinguishing circuit D -- maximum advantage δ ith hich D ill distinguish
21 hat is HILL entropy good for? HILL H δ,s (W) k if Z such that H (Z) = k and W Z seed i HILL entropy k Ext R looks (ε+δ)-close to uniform to circuits of size s Many uses: indistinguishability is a poerful notion. In the proofs, substitute Z for W; a bounded adversary on t notice 21
22 22 hat about conditional? Very common: entropic secret: g ab observer knos g a, g b entropic secret: SK observer knos leakage entropic secret: Sign SK (m) observer knos PK entropic secret: PRG(x) observer knos Enc(x)
23 23 conditioning HILL entropy on a fixed event Recall: ho does conditioning reduce minentropy? By the probability of the condition! H (W Y = y) H (W) log 1/Pr[y] E.g., W is uniform, Y = Hamming Weight(W) Pr[Y = n/2] > 1/(2 n) H (W Y = n/2) n ½log n 1
24 conditioning HILL entropy on a fixed event Recall: ho does conditioning reduce minentropy? By the probability of the condition! H (W Y = y) H (W) log 1/Pr[y] Theorem: same holds for computational entropy: metric* H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y] [Fuller-R 11] (variant of Dense Model Theorem of [Green-Tao 04, Tao-Ziegler 06, Reingold-Trevisan-Tulsiani-Vadhan 08, Dziemboski-Pietrzak 08] Warning: this is not H HILL! Weaker entropy notion: a different Z for each distinguisher ( metric* ) metric* H δ,s (W) k if distinguisher D Z s.t. H (Z) = k and W DZ (moreover, D is limited to deterministic distinguishers) It can be converted to H HILL ith a loss in circuit size s [Barak, Shaltiel, Wigderson 03] 24
25 conditioning HILL entropy on a fixed event It can be converted to H HILL ith a loss in circuit size s [Barak, Shaltiel, Wigderson 03] 25 Long story, but simple message: metric* H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y]
26 Hasn t found many uses because it s hard to measure (but it can be extracted from by reconstructive extractors!) 26 hat about conditioning on average? entropic secret: g ab observer knos g a, g b entropic secret: SK observer knos leakage entropic secret: Sign SK (m) observer knos PK entropic secret: PRG(x) observer knos Enc(x) Again, e may not ant to reason about specific values of Y [Hsiao-Lu-R 04]: HILL Def: H δ,s (W Y) k if Z such that H (Z Y) = k and (W, Y) (Z, Y) Note: W changes, Y doesn t What is it good for? Original purpose: negative result Computational Compression (Yao) Entropy can be > HILL
27 27 conditioning HILL entropy on average Recall: suppose Y is over b-bit strings H (W Y ) H (W) b Average-Case Entropy Version of Dense Model Theorem: metric* H δ2 b,s (W Y ) H δ,s metric* metric* (W) b Follos from H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y] Can ork ith metric* and then covert to HILL hen needed (loss in s)
28 conditioning the conditional metric* metric* H δ2 b,s (W Y ) H δ,s (W) b The theorem can be applied multiple times, of course: metric* metric* H δ2 b 1 +b 2,s (W Y 1, Y 2 ) H δ,s (W) b 1 b 2 (here support of Y i has size 2 b i) metric* metric* But e can t prove: H δ2 b 2,s (W Y 1, Y 2 ) H δ,s (W Y 1 ) b 2 (bad case: W = plaintext, Y 1 = PK; because for any given y 1, W has no entropy!) Note: Gentry-Wichs 11 implies: HILL-relaxed HILL-relaxed H 2δ,s/poly(δ, 2 b 2 ) (W Y 1, Y 2 ) H δ,s (W Y 1 ) b 2 Defn: H δ,s HILL-relaxed (W Y) k if (Z, T) such that H (Z T) = k and (W, Y) (Z, T) 28
29 29 unpredictability entropy Why should computational min-entropy be defined through indistinguishability? Why not model unpredictability directly? [Hsiao-Lu-R. 04] predictability W H (W)= log max Pr[] W H s Unp (W Z) k if for all A of size s, Pr[A(z) = ] 2 k Lemma: H Yao (W Z) H Unp (W Z) H HILL (W Z) Corollary: Reconstructive extractors ork for H Unp Lemma: H s Unp (W Y 1, Y 2 ) H s Unp (W, Y 1 ) b 2
30 hat is it good for? H s Unp (W Z) = k if for all A of size s, Pr[A(z) = ] 2 k Examples: H HILL =0 Why bother? Diffie-Hellman: g ab g a, g b One-Way Functions: x f(x) Signatures: Sign SK (m) PK Hardcore bit results (e.g., [Goldreich&Levin,Ta-Shma&Zuckerman]) are typically stated only for OWF, but used everyhere They are actually reconstructive extractors H Unp (X Z) + reconstructive extractors simple generalization language Leakage-resilient crypto (assuming strong hardness) 30
31 the last slide Minentropy is often the right measure Conditional Entropy useful natural extension Easy to use because of simple bit counting Computational Case is trickier A fe possible extensions Bit counting sometimes orks Some definitions (such as H Unp ) only make sense conditionally Separations and conversions beteen definitions exist Still, can simply proofs! 31
Extractors and the Leftover Hash Lemma
6.889 New Developments in Cryptography March 8, 2011 Extractors and the Leftover Hash Lemma Instructors: Shafi Goldwasser, Yael Kalai, Leo Reyzin, Boaz Barak, and Salil Vadhan Lecturer: Leo Reyzin Scribe:
More informationMetric Pseudoentropy: Characterizations and Applications
Metric Pseudoentropy: Characterizations and Applications Maciej Skorski Cryptology and Data Security Group, University of Warsaw maciej.skorski@gmail.com Abstract. Metric entropy is a computational variant
More informationBOSTON UNIVERSITY GRADUATE SCHOOL OF ARTS AND SCIENCES AN IMPROVED ROBUST FUZZY EXTRACTOR
BOSTON UNIVERSITY GRADUATE SCHOOL OF ARTS AND SCIENCES AN IMPROVED ROBUST FUZZY EXTRACTOR by BHAVANA KANUKURTHI B.E., Anna University, 2005 Submitted in partial fulfillment of the requirements for the
More informationComputational Entropy and Information Leakage
Computational Entropy and Information Leakage Benjamin Fuller Leonid Reyzin Boston University {bfuller,reyzin}@bu.edu February 10, 2011 Abstract We investigate how information leakage reduces computational
More informationPrivacy Amplification with Asymptotically Optimal Entropy Loss
Privacy Amplification with Asymptotically Optimal Entropy Loss ABSTRACT Nishanth Chandran Department of Computer Science UCLA nishanth@cs.ucla.edu Rafail Ostrovsky Department of Computer Science and Mathematics
More informationNon-Malleable Extractors with Shorter Seeds and Their Applications
Non-Malleable Extractors with Shorter Seeds and Their Applications Yanqing Yao 1, and Zhoujun Li 1, 1 School of Computer Science and Engineering, Beihang University, Beijing, China Beijing Key Laboratory
More informationOn the Randomness Requirements for Privacy
On the Randomness Requirements for Privacy by Carl Bosley A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science New York
More informationRobust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets
Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets Yevgeniy Dodis Bhavana Kanukurthi Jonathan Katz Leonid Reyzin Adam Smith Abstract Consider two parties holding samples from correlated
More informationNon-Malleable Extractors with Short Seeds and Applications to Privacy Amplification
202 IEEE 27th Conference on Computational Complexity Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification Gil Cohen Weizmann Institute of Science Rehovot, Israel gil.cohen@weizmann.ac.il
More informationA Counterexample to the Chain Rule for Conditional HILL Entropy
A Counterexample to the Chain Rule for Conditional HILL Entropy And what Deniable Encryption has to do with it Stephan Krenn 1, Krzysztof Pietrzak 2, Akshay Wadia 3 1 IBM Research Zurich, Rüschlikon stephan.krenn@ist.ac.at
More informationSimple and Tight Bounds for Information Reconciliation and Privacy Amplification
Simple and Tight Bounds for Information Reconciliation and Privacy Amplification Renato Renner 1 and Stefan Wolf 2 1 Computer Science Department, ETH Zürich, Switzerland. renner@inf.ethz.ch. 2 Département
More informationarxiv: v2 [cs.cr] 8 Aug 2008
An Improved Robust Fuzzy Extractor Bhavana Kanukurthi and Leonid Reyzin Boston University Computer Science http://cs-people.bu.edu/bhavanak, http://www.cs.bu.edu/ reyzin arxiv:0807.0799v2 [cs.cr] 8 Aug
More informationOn Extractors, Error-Correction and Hiding All Partial Information
On Extractors, Error-Correction and Hiding All Partial Information (Invited Paper) Yevgeniy Dodis Department of Computer Science New York University Email: dodis@cs.nyu.edu Abstract Randomness extractors
More informationAmplifying Privacy in Privacy Amplification
Amplifying Privacy in Privacy Amplification Divesh Aggarwal 1,YevgeniyDodis 1,, Zahra Jafargholi 2,, Eric Miles 2, and Leonid Reyzin 3, 1 New York University, New York, NY, USA 2 Northeastern University,
More informationRobust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets
Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, and Adam Smith Abstract Consider two parties holding samples
More informationLecture 21: P vs BPP 2
Advanced Complexity Theory Spring 206 Prof. Dana Moshkovitz Lecture 2: P vs BPP 2 Overview In the previous lecture, we began our discussion of pseudorandomness. We presented the Blum- Micali definition
More informationASPECIAL case of the general key agreement scenario defined
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 49, NO 4, APRIL 2003 839 Secret-Key Agreement Over Unauthenticated Public Channels Part III: Privacy Amplification Ueli Maurer, Fellow, IEEE, and Stefan Wolf
More informationCh. 2 Math Preliminaries for Lossless Compression. Section 2.4 Coding
Ch. 2 Math Preliminaries for Lossless Compression Section 2.4 Coding Some General Considerations Definition: An Instantaneous Code maps each symbol into a codeord Notation: a i φ (a i ) Ex. : a 0 For Ex.
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationT Cryptography: Special Topics. February 24 th, Fuzzy Extractors: Generating Strong Keys From Noisy Data.
February 24 th, 2005 Fuzzy Extractors: Generating Strong Keys From Noisy Data Helsinki University of Technology mkivihar@cc.hut.fi 1 Overview Motivation and introduction Preliminaries and notation General
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationComputational Fuzzy Extractors
Computational Fuzzy Extractors Benjamin Fuller 1, Xianrui Meng 2, and Leonid Reyzin 2 1 Boston University and MIT Lincoln Laboratory 2 Boston University Abstract. Fuzzy extractors derive strong keys from
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationOrdinary Math in Everyday Life. Jesse Walker, Ph.D. Intel Corporation Intel Labs Security and Privacy Research
Ordinary Math in Everyday Life Jesse Walker, Ph.D. Intel Corporation Intel Labs Security and Privacy Research jesse.walker@intel.com 1 Academia v. Industry Academic math is like fine dining Industrial
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 3: Lower bound on statistically secure encryption, extractors
CS 7880 Graduate Cryptography September, 015 Lecture 3: Lower bound on statistically secure encryption, extractors Lecturer: Daniel Wichs Scribe: Giorgos Zirdelis 1 Topics Covered Statistical Secrecy Randomness
More informationRandomness Extraction via δ-biased Masking in the Presence of a Quantum Attacker
Randomness Extraction via δ-iased Masking in the Presence of a Quantum Attacker Serge Fehr and Christian Schaffner CWI Amsterdam, The Netherlands {S.Fehr,C.Schaffner}@cwi.nl Abstract. Randomness extraction
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationCondensed Unpredictability
Condensed Unpredictability Maciej Skórski 1, Alexander Golovnev 2, and Krzysztof Pietrzak 3 1 University of Warsaw 2 New York University 3 IST Austria Abstract We consider the task of deriving a key with
More informationLecture 15: Privacy Amplification against Active Attackers
Randomness in Cryptography April 25, 2013 Lecture 15: Privacy Amplification against Active Attackers Lecturer: Yevgeniy Dodis Scribe: Travis Mayberry 1 Last Time Previously we showed that we could construct
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationOn the Limitations of Computational Fuzzy Extractors
On the Limitations of Computational Fuzzy Extractors Kenji Yasunaga Kosuke Yuzawa March 15, 2018 Abstract We present a negative result of fuzzy extractors with computational security. Specifically, we
More informationPRIVACY AMPLIFICATION AND NON-MALLEABLE EXTRACTORS VIA CHARACTER SUMS
PRIVACY AMPLIFICATION AND NON-MALLEABLE EXTRACTORS VIA CHARACTER SUMS YEVGENIY DODIS, XIN LI, TREVOR D. WOOLEY, AND DAVID ZUCKERMAN Abstract. In studying how to communicate over a public channel with an
More informationAdditive Combinatorics and Computational Complexity
Additive Combinatorics and Computational Complexity Luca Trevisan U.C. Berkeley Ongoing joint work with Omer Reingold, Madhur Tulsiani, Salil Vadhan Combinatorics: Studies: Graphs, hypergraphs, set systems
More informationComputational Fuzzy Extractors
Computational Fuzzy Extractors Benjamin Fuller Xianrui Meng Leonid Reyzin Boston University April 6, 2014 Abstract Fuzzy extractors derive strong keys from noisy sources. Their security is defined informationtheoretically,
More informationPseudorandomness in Computer Science and in Additive Combinatorics. Luca Trevisan University of California, Berkeley
Pseudorandomness in Computer Science and in Additive Combinatorics Luca Trevisan University of California, Berkeley this talk explain what notions of pseudorandomness and indistinguishability arise in
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationSecure Sketch for Multi-Sets
Secure Sketch for Multi-Sets Ee-Chien Chang Vadym Fedyukovych Qiming Li March 15, 2006 Abstract Given the original set X where X = s, a sketch P is computed from X and made public. From another set Y where
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationA Security Real-time Privacy Amplification Scheme in QKD System
Journal of Universal Computer Science, vol. 19, no. 16 (2013), 2420-2436 submitted: 15/7/13, accepted: 27/9/13, appeared: 1/10/13 J.UCS A Security Real-time Privacy Amplification Scheme in QKD System Bo
More informationConditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility
Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility Chun-Yuan Hsiao Chi-Jen Lu Leonid Reyzin March 10, 2007 Abstract We study conditional computational entropy: the
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationNon-Malleable Extractors with Short Seeds and Applications to Privacy Amplification
Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification Gil Cohen Ran Raz Gil Segev Abstract Motivated by the classical problem of privacy amplification, Dodis and Wichs [DW09]
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationSecret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result
Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result Ueli Maurer, Fellow, IEEE Stefan Wolf Abstract This is the first part of a three-part paper on secret-key
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationLeftover Hash Lemma, Revisited
Leftover Hash Lemma, Revisited Boaz Barak Yevgeniy Dodis Hugo Krawczyk Olivier Pereira Krzysztof Pietrzak Francois-Xavier Standaert Yu Yu September 3, 2011 Abstract The famous Leftover Hash Lemma (LHL)
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationExtractors using hardness amplification
Extractors using hardness amplification Anindya De and Luca Trevisan Computer Science Division University of California, Berkeley, CA, USA {anindya,luca}@cs.berkeley.edu Abstract. Zimand [4] presented
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationOvercoming Weak Expectations
Overcoming Weak Expectations Yevgeniy Dodis 1 and Yu Yu 2 1 New York University. Email: dodis@cs.nyu.edu. 2 Institute for Interdisciplinary Information Sciences, Tsinghua University. Email: yuyu@yuyu.hk.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationPseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters
Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters Yu Yu Abstract We revisit the problem of basing pseudorandom generators on regular one-way functions,
More informationSimple extractors via crypto pseudo-random generators
Simple extractors via crypto pseudo-random generators Marius Zimand (Towson University) Extractors vs. Pseudo-Rand. Generators Fundamental primitives in derandomization, cryptography,... They manufacture
More informationNotes for Lecture 18
U.C. Berkeley Handout N18 CS294: Pseudorandomness and Combinatorial Constructions November 1, 2005 Professor Luca Trevisan Scribe: Constantinos Daskalakis Notes for Lecture 18 1 Basic Definitions In the
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationRandomness Condensers for Efficiently Samplable, Seed- Dependent Sources
Randomness Condensers for Efficiently Samplable, Seed- Dependent Sources The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters. Citation
More informationEfficient Probabilistically Checkable Debates
Efficient Probabilistically Checkable Debates Andrew Drucker MIT Andrew Drucker MIT, Efficient Probabilistically Checkable Debates 1/53 Polynomial-time Debates Given: language L, string x; Player 1 argues
More informationRecent Developments in Explicit Constructions of Extractors
The Computational Complexity Column by Lance FORTNOW NEC Research Institute 4 Independence Way, Princeton, NJ 08540, USA fortnow@research.nj.nec.com http://www.neci.nj.nec.com/homepages/fortnow/beatcs
More informationcomplexity distributions
The of complexity distributions Emanuele Viola Northeastern University March 2012 Local functions (a.k.a. Junta, NC 0 ) f : {0,1}n {0,1} d-local : output depends on d input bits Input x d f Fact: Parity(x)
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationOn the (Im)possibility of Cryptography with Imperfect Randomness
On the (Im)possibility of Cryptography with Imperfect Randomness Yevgeniy Dodis New York University Manoj Prabhakaran Princeton University and UCLA Shien Jin Ong Harvard University Amit Sahai Princeton
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationEntropic Security and the Encryption of High Entropy Messages
Entropic Security and the Encryption of High Entropy Messages Yevgeniy Dodis New York University dodis@cs.nyu.edu Adam Smith Massachusetts Insitute of Technology asmith@theory.csail.mit.edu September 1,
More informationPublic-Key Cryptosystems Resilient to Key Leakage
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Abstract Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationKey Agreement from Close Secrets over Unsecured Channels
Key Agreement from Close Secrets over Unsecured Channels Bhavana Kanukurthi and Leonid Reyzin Boston University Computer Science http://cs-people.bu.edu/bhavanak, http://www.cs.bu.edu/~reyzin May 22, 2009
More informationCOMPRESSION OF SAMPLABLE SOURCES
COMPRESSION OF SAMPLABLE SOURCES Luca Trevisan, Salil Vadhan, and David Zuckerman Abstract. We study the compression of polynomially samplable sources. In particular, we give efficient prefix-free compression
More informationprotocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered
Privacy Amplication Secure Against Active Adversaries? Ueli Maurer Stefan Wolf Department of Computer Science Swiss Federal Institute of Technology (ETH Zurich) CH-8092 Zurich, Switzerland E-mail addresses:
More informationDetection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer 1,2, Yevgeniy Dodis 3, Serge Fehr 2, Carles Padró 4, and Daniel Wichs 3 1 Mathematical
More informationSecurity Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma
Security Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma Stefano Tessaro Department of Computer Science and Engineering University of California,
More informationComputational Extractors and Pseudorandomness
Computational Extractors and Pseudorandomness Dana Dachman-Soled Rosario Gennaro Hugo Krawczyk Tal Malkin Abstract Computational extractors are efficient procedures that map a source of sufficiently high
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationFuzzy Extractors. May 7, 2007
Fuzzy Extractors Yevgeniy Dodis Leonid Reyzin Adam Smith May 7, 2007 1 Motivation This chapter presents a general approach for handling secret biometric data in cryptographic applications. The generality
More informationOn the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses
On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses Per Austrin, Kai-Min Chung, Mohammad Mahmoody, Rafael Pass, Karn Seth November 12, 2012 Abstract We initiate
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationError Reconciliation in QKD. Distribution
Error Reconciliation in Quantum Key Distribution Richard P. Brent MSI, ANU 1 October 2009 Abstract The problem of "error reconciliation" arises in Quantum Cryptography, which is more accurately described
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationFour-state Non-malleable Codes with Explicit Constant Rate
Four-state Non-malleable Codes with Explicit Constant Rate Bhavana Kanukurthi Sai Lakshmi Bhavana Obbattu Sruthi Sekar Indian Institute Of Science, Bangalore Abstract. Non-malleable codes (NMCs), introduced
More informationAffine-malleable Extractors, Spectrum Doubling, and Application to Privacy Amplification
Affine-malleable Extractors, Spectrum Doubling, and Application to Privacy Amplification Divesh Aggarwal Kaave Hosseini Shachar Lovett November 10, 2015 Abstract The study of seeded randomness extractors
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More information