COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
|
|
- Thomasina Bertina Scott
- 5 years ago
- Views:
Transcription
1 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27
2 Previously on COS 433
3 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
4 Security Definition (One- time setting) Definition: (Enc, Dec) has (t,ε)-ciphertext indistinguishability if, for all running in time at most t Pr[ß IND-Exp ( ) ] Pr[ß IND-Exp ( ) ] ε
5 Construction with k << m Idea: use OTP, but have key generated by some expanding function G k G m
6 What Do We Want Out of G? Definition: G:{,} λ à {,} n is a (t,ε)- secure pseudorandom generator (PRG) if: n > λ G is deterministic For all running in time at most t, Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} n ] ε
7 Reminder: Kerckhoffs s Principle Kerckhoffs s Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Applies to any crypto object we ll see in this course For PRGs, the key is just the input to the function
8 Secure PRG à Ciphertext Indistinguishability K = {,} λ M = {,} n C = {,} n Enc(k,m) = PRG(k) m Dec(k,c) = PRG(k) c
9 Security? Intuitively, security is obvious: PRG(k) looks random, so should completely hide m However, formalizing this argument is non- trivial. Solution: reductions Assume toward contradiction an adversary for the encryption scheme, derive an adversary for the PRG
10 Security Assume towards contradiction that there is a such that b m, m M c k ß K c ß G(k) m b b Pr[W ]-Pr[W ] ε, non- negligible W b : b = in IND-Exp b
11 Security Use to build. will run as a subroutine, and pretend to be m, m M b c b ß {,} c ß x m b x (either G(s) or truly random) b b
12 Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b m, m M c b ß {,} s ß K c ß PRG(s) m b b
13 Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½( + Pr[W ] Pr[W ]) = ½( ± ε )
14 Security Case 2: x is truly random sees OTP encryption m, m M λ c b ß {,} x ß {,} n c ß x m b b
15 Security Case 2: x is truly random sees OTP encryption Therefore Pr[b = b=] = Pr[b = b=] Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½
16 Security Putting it together: Pr[ (G(s))=:sß {,} λ ] = ½( ± ε(λ) ) Pr[ (x)=:xß {,} n ] = ½ Absolute Difference: ½ε, Contradiction!
17 Security Thm: If G is a (t+t,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability, where t is the time to: Flip a random bit b XOR two n- bit strings
18 Security Thm: If G is a (t+poly,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability
19 An Alternate Proof: Hybrids Idea: define sequence of hybrid experiments between IND-Exp and IND-Exp In each hybrid, make small change from previous hybrid Hopefully, each small change is undetectable Using triangle inequality, overall change from IND- Exp and IND-Exp is undetectable
20 An Alternate Proof: Hybrids Hybrid : IND-Exp m, m M c k ß K c ß G(k) m b
21 An Alternate Proof: Hybrids Hybrid : m, m M c x ß {,} n c ß x m b
22 An Alternate Proof: Hybrids Hybrid 2: m, m M c x ß {,} n c ß x m b
23 An Alternate Proof: Hybrids Hybrid 3: IND-Exp m, m M c k ß K c ß G(k) m b
24 An Alternate Proof: Hybrids Pr[b = : IND-Exp ]-Pr[b = : IND-Exp ] = Pr[b = : Hyb ]-Pr[b = : Hyb 3] Pr[b = : Hyb ]-Pr[b = : Hyb ] + Pr[b = : Hyb ]-Pr[b = : Hyb 2] + Pr[b = : Hyb 2]-Pr[b = : Hyb 3] If Pr[b =:IND-Exp ]-Pr[b =:IND-Exp ] ε, Then for some i=,,2, Pr[b =:Hyb i]-pr[b =:Hyb i+] ε/3
25 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 k ß K x ß {,} n m, m M c ß G(k) m m, m M c ß x m b b
26 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct m, m M c c ß x m x (either G(s) or truly random) b b
27 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct If is given G(s) for a random s, sees Hybrid If is given x for a random x, sees Hybrid Therefore, advantage of is equal to advantage of which is at least ε/3 Contradiction!
28 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε/3 m, m M x ß {,} n c ß x m m, m M c ß x m x ß {,} n b b
29 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε(λ)/3 m, m M λ x ß {,} s(λ) Impossible by OTP security m, m M λ x ß {,} s(λ) c ß x m c ß x m b b
30 An Alternate Proof: Hybrids Suppose distinguishes Hybrid 2 from Hybrid 3 with advantage ε/3 m, m M c ß x m x ß {,} n m, m M k ß K c ß G(k) m b b Proof essentially identical to Hybrid /Hybrid case
31 How do we build PRGs?
32 Linear Feedback Shift Registers In each step, Last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
33 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
34 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
35 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
36 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
37 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
38 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
39 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
40 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits
41 Linear Feedback Shift Registers Are LFSR s secure PRGs?
42 Linear Feedback Shift Registers Are LFSR s secure PRGs? No! First n bits of output = initial state x Write x = x,,x n, x Initialize LFSB to have state x,,x n Run LFSB for x steps, obtaining y Check if y = x
43 PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Definition: G is (t,p,ε)-unpredictable if, for all running in time at most t, Pr[G(s) p+ ß (G(s) [,p] ) ] ½ ε
44 PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Theorem: G is unpredictable iff it is pseudorandom
45 Proof Pseudorandomness à Unpredictability Assume towards contradiction s.t. Pr[G(s) p+ ß (G(s) [,p] ) ] ½ > ε
46 Proof Pseudorandomness à Unpredictability Construct x x [,p] b b x p+
47 Proof Pseudorandomness à Unpredictability Analysis: If x is random, Pr[ b x p+ = ] = ½ If x is pseudorandom, Pr[ b x p+ = ] = Pr[G(s) p+ ß (G(s) [,p] ) ] > (½ + ε) or < (½ - ε)
48 Proof Unpredictability à Pseudorandomness Assume towards contradiction s.t. Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} t ] > ε
49 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i H : truly random x H t : pseudorandom t
50 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i Pr[ (x)=:xß H s ] Pr[ (x)=:xß H ] > ε Let q i = Pr[ (x)=:xß H i ]
51 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i q t q > ε Let q i = Pr[ (x)=:xß H i ]
52 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i By triangle inequality, there must exist an i s.t. q i q i- > ε/t Can assume wlog that q i q i- > ε/t
53 Proof Unpredictability à Pseudorandomness Construct y=g(s) [,i-] bß {,} y ß {,} t-i x = y b y b b b
54 Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then sees H i outputs with probability q i outputs b=g(s) i with probability q i
55 Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then Define q i as Pr[ outputs ] ½(q i + q i ) = q i- q i = 2q i- - q i outputs G(s) [,i] with probability -q i = + q i 2q i-
56 Proof Unpredictability à Pseudorandomness Analysis: Pr[ outputs G(s) i ] = ½ (q i ) + ½ ( + q i 2q i- ) = ½ + q i q i- > ½ + ε/t
57 Linearity
58 Linearity LFSR s are linear: state = state output = ( ) state ( )
59 Linearity LFSR s are linear: Each output bit is a linear function of the initial state (that is, G(s) = A s (mod 2) ) Any linear G cannot be a PRG Can check if x is in column- span of A using linear algebra
60 Introducing Non- linearity Non- linearity in the output: Non- linear feedback:
61 LFSR period Period = number of bits before state repeats After one period, output sequence repeats Therefore, should have extremely long period Ideally almost 2 λ Possible to design LFSR s with period 2 λ -
62 Hardware vs Software PRGs based on LFSR s are very fast in hardware Unfortunately, not easily amenable to software
63 RC4 Fast software based PRG Resisted attack for several years No longer considered secure, but still widely used
64 RC4 State = permutation on [256] plus two integers Permutation stored as 256- byte array S Init(6- byte k): For i=,,255 S[i] = i j = For i=,,255 j = j + S[i] + k[i mod 6] (mod 256) Swap S[i] and S[j] Output (S,,)
65 RC4 GetBits(S,i,j): i++ (mod 256) j+= S[i] (mod 256) Swap S[i] and S[j] t = S[i] + S[j] (mod 256) Output (S,i,j), S[t] New state Next output byte
66 Insecurity of RC4 Second byte of output is slightly biased towards Pr[second byte = 8 ] 2/256 Should be /256 Means RC4 is not secure according to our definition outputs iff second byte is equal to 8 Advantage: /256 Not a serious attack in practice, but demonstrates some structural weakness
67 Insecurity of RC4 Possible to extend attack to actually recover the input k in some use cases The seed is set to (IV, k) for some initial value IV Encrypt messages as RC4(IV,k) m Also give IV to attacker Cannot show security assuming RC4 is a PRG Can be used to completely break WEP encryption standard
68 Extending the Stretch of a PRG Suppose you have a fixed- stretch PRG G Better yet, a PRG that expands by a single bit G: {,} λ à {,} λ+ Construct a PRG G of arbitrary output length
69 Extending the Stretch of a PRG seed G state state G state 2 state 2 G state 3 state 3 G
70 Security Proof Assume towards contradiction Define hybrids
71 Security Proof H : {,} λ seed G state state G state 2 state 2 G state 3 state 3 G
72 Security Proof H : {,} λ {,} state state 2 G state 2 G state 3 state 3 G
73 Security Proof H 2 : {,} λ {,} {,} state 2 state 3 G state 3 G
74 Security Proof H t : {,} {,} {,} {,}
75 Security Proof H corresponds to pseudorandom x H t corresponds to truly random x Let q i = Pr[ (x)=:xß H i ] By assumption, q t q > ε i s.t. q i q i- > ε/t
76 Security Proof y state i state i+ G state i+ G state i+2 state i+2 G
77 Security Proof Analysis If y = G(s), then sees H i- Pr[ outputs ] = q i- Pr[ outputs ] = q i- If y is random, then sees H i Pr[ Pr[ outputs ] = q i outputs ] = q i
78 Summary Stream ciphers = secure encryption for arbitrary length, number of messages (though we did not completely prove it) However, implementation difficulties due to having to maintaining state
79 Reminders Project part Due Tomorrow HW2 will be released tonight
Dan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationLecture 4 - Computational Indistinguishability, Pseudorandom Generators
Lecture 4 - Computational Indistinguishability, Pseudorandom Generators Boaz Barak September 27, 2007 Computational Indistinguishability Recall that we defined that statistical distance of two distributions
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Integer Factorization iven an integer N, find it s prime factors Studied for centuries, presumed difficult rade school algorithm:
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationLecture 7: Pseudo Random Generators
Introduction to ryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example,
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More informationLecture 5. Lecturer: Yevgeniy Dodis Spring 2012
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Ferbruary 22, 2012 Lecture 5 Lecturer: Yevgeniy Dodis Spring 2012 In this lecture we formalize our understanding of next-bit security and
More informationSolution of Exercise Sheet 6
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pre- modern Cryptography 1900 B.C. mid 1900 s A.D With few exceptions, synonymous with encryption c = Enc(k,m)
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationSimple Unpredictable Pseudo-Random Number Generator
Simple Unpredictable Pseudo-Random Number Generator The 1/P Generator R. Ashworth & H. Imanda University of Oxford 1/18 Definition Let l be a polynomial. We say that a deterministic polynomial-time algorithm
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationCryptography Lecture 3. Pseudorandom generators LFSRs
Cryptography Lecture 3 Pseudorandom generators LFSRs Remember One Time Pad is ideal With OTP you need the same transmission capacity via an already secure channel for the key as you can then secure via
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More information5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationEfficient Pseudorandom Generators Based on the DDH Assumption
Efficient Pseudorandom Generators Based on the DDH Assumption Andrey Sidorenko (Joint work with Reza Rezaeian Farashahi and Berry Schoenmakers) TU Eindhoven Outline Introduction provably secure pseudorandom
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More information