Introduction to Cryptography
|
|
- Adelia Small
- 5 years ago
- Views:
Transcription
1 B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15
2 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1
3 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF) is a function that is easy to compute but hard to invert Challenger (C) 1 s x R {0, 1} s y y := f(x) Inverter (A) 1 s x 2 Let E be the event that f(x ) = y Define A s advantage to be Adv f -1 (A) := Pr[E]
4 Hard-core predicates Strong OWFs are hard to invert in their entirety Want to say: f(x) reveals nothing about x Q: Do OWFs satisfy this requirement? A: In general, NO! (But why?) - Suppose g is an OWF, then it is easy to prove that f(x 1 11 x 2 ) = x 1 11 g(x 2 ) is also an OWF! A relaxation: Can we say f(x) reveals nothing about h(x), for some particular function h that depends on f but not x? 3
5 Hard-core predicates Let h: {0, 1} * {0, 1} be an efficiently computable function Think of h(x) as indicating whether x has some property (h(x)=1) or not (h(x)=0) Intuitively, we call h a hard-core predicate for f if f(x) reveals nothing about h(x) Challenger (C) 1 s x R {0, 1} s y y := f(x) Inverter (A) 1 s b {0, 1} 4 Let E be the event that h(x) = b Define A s advantage to be Adv h,f (A) := 1 Pr[E]- 1/2 1
6 Hard-core predicates Def n : Let f: {0, 1} * {0, 1} * and let h: {0, 1} * {0, 1} be an efficiently computable Boolean-valued function. Then h is a hard-core predicate for f if, for every PPT algorithm A, there exists a negligible function ε: N R + such that Adv h,f (A) ε(s). h is easy to compute from x but hard to predict from f(x) Equivalently: h(x) looks random given f(x) If h(x) equal some bit of x, then we call h a hard-core bit for f 5
7 Hard-core predicate examples Let f: {0, 1} * {0, 1} * be an OWF and define h(x) := 1x1 xi i=1 Q: Is h a hard-core predicate for f? A: In general, NO! (If g is a OWF, then f(x):=g(x) 11 1x1 i=1 x i is an OWF for which h(x) is not hard-core!) Let g: {0, 1} * {0, 1} * be the function that just drops the lsb of its input and define h(x) := lsb(x) Q: Is h a hard-core predicate for f? A: Yes! (But not a very useful/interesting one ) 6
8 Goldreich-Levin Theorem Thm: If there exists an OWF, then there exists a pair of functions (g, h) such that g is an OWF and h is a hard-core predicate for g. Specifically, if f is an OWF, then the function and g(x 11 r) := f(x) 11 r with 1x1 = 1r1 is an OWF 1x1 h(x) = (xi i=1 r i ) is a hard-core predicate for f. 7 Note: Goldreich-Levin does not claim that every OWF has a hard-core predicate!
9 Proving Goldreich-Levin s Theorem The full proof of Goldreich-Levin is long and involved The textbook devotes 7 full pages to the proof! We prove a super-simplified case Thm (A super-simplified Goldreich-Levin): Let f: {0, 1} * {0, 1} * and define, as in the Goldreich-Levin construction, 1x1 (i) g(x 11 r) := f(x) 11 r (with 1x1 = 1r1), and (ii) h(x) = (xi i=1 r i ) If there exists a PPT algorithm A such that n N and x 11 r {0, 1} 2n, A(g(x 11 r), 1 n ) = h(x 11 r), then there also exists a PPT algorithm A such that n N and x {0, 1} n A (f(x), 1 n ) f -1 (x). 8
10 Proof sketch for super-simplified Goldreich-Levin s Theorem 1x1 Let A be a PPT algorithm that computes h(x)= i=1 (xi r i ) given g(x11 r) := f(x) 11r and 1 n. For each i = 1,...,n, let e i denote the n-bit string with a 1 in its ith bit and 0s elsewhere Goal: Construct a PPT algorithm A to computes x f -1 (x) given (f(x), 1 n ) and oracle access to A For each i = 1,...,n, A (f(x), 1 n ) invokes A(g(x 11 e i ), 1 n ) to get x i A outputs x = x 1 11 x x n 9
11 One-way permutations Intuitively, π: {0, 1} * {0, 1} * is a one-way permutation if it is an OWF that is length-preserving and a bijection Challenger (C) Inverter (A) 1 s x R {0, 1} s y 1 s y := π(x) x 10 Let E be the event that π(x) = y Define A s advantage to be Adv π -1 (A) := Pr[E]
12 One-way permutation Def n : A function π: {0, 1} * {0, 1} * is a one-way permutation (OWP) if it is 1. easy to compute: there exists an efficient algorithm that, on input x {0, 1} *, outputs π(x); 2. length-preserving: for all x {0, 1} *, 1x1 = 1π(x)1; 3. one-to-one: for all x 1, x 2 {0, 1} *, π(x)=π(y) implies x=y; and 4. hard to invert: for every PPT algorithm A, there exists a negligible function ε: N R + such that Adv π -1 (A) ε(s). 11
13 Fixed-length PRGs from OWPs Thm: If OWPs exist, then fixed-length PRGs also exist. Specifically, given any OWP π and a hard-core predicate h for π, define G: {0, 1} * {0, 1} * such that x {0, 1} *, G(x) := π(x) 11 h(x). (Note: By Goldreich-Levin, if there exists an OWP, then there exists an OWP with a hard-core predicate) Then G is a PRG with expansion factor l(s) = s+1. 12
14 Variable-length PRGs from fixed-length PRGs Thm: If there exists a fixed-length PRG with expansion factor l(s)=s+1, then there exists a variable-length PRG. Idea: Given a PRG G:{0,1} * {0, 1} * with expansion factor l(s) = s+1, we construct a PRG G with expansion factor l (s) = s+2 via G (x) := G(x 1 ) 11 δ 1, where G(x) = x 1 11 δ 1. Given G, we construct a PRG G with expansion factor l (s) = s+3 via G (x) := G (x 2 ) 11 δ 2, where G (x) = x 2 11 δ 1 11 δ 2. And so on We can repeat this any polynomial number of times! 13
15 PRFs from variable-length PRGs Let G: {0, 1} * 1 N {0, 1} * be a variable-length PRG Construct a length-doubling PRG G (k) := G(k, 1 21k1 ) and set G L (k) and G R (k) equal to the first and last 1x1 bits of G PRF F is represented as a binary tree To evaluate F(k,x), input k to PRG in root node At each layer i, if x i = 0, go left; else, go right Each input x corresponds to a distinct leaf Evaluating F(k,x) requires 1x1 calls to G G L (k) k G x 1 =1 G R (k) G G G L (G L (k)) G R (G L (k)) G L (G R (k)) G R (G R (k)) x 2 =0 G G G G x 3 =1 14 G G G G G G G G
16 Existence of PR*s and OW*s OWF PRP OWP PRF Variable -length PRG Fixedlength PRG 15
17 That s all for today, folks! 16
Lecture 7: Hard-core Predicate and PRG
CS 290G (Fall 2014) Introduction to Cryptography Oct 28th, 2014 Instructor: Rachel Lin 1 Recap Lecture 7: Hard-core Predicate and PRG 1.1 Computational Indistiguishability Scribe: Leonardo Bohac Last time,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationLecture 5: Pseudo-Random Generators and Pseudo-Random Functions
CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More information: On the P vs. BPP problem. 18/12/16 Lecture 10
03684155: On the P vs. BPP problem. 18/12/16 Lecture 10 Natural proofs Amnon Ta-Shma and Dean Doron 1 Natural proofs The ultimate goal we have is separating classes (or proving they are equal if they are).
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Integer Factorization iven an integer N, find it s prime factors Studied for centuries, presumed difficult rade school algorithm:
More informationPseudorandom functions and permutations
Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs
More informationLecture 5: Hard Core Predicates
Lecture 5: Hard Core Predicates Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 1 / 17 Last Time Proof via Reduction: fˆ
More informationPseudorandom Generators
CS276: Cryptography September 8, 2015 Pseudorandom Generators Instructor: Alessandro Chiesa Scribe: Tobias Boelter Context and Summary In the last lecture we have had a loo at the universal one-way function,
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationNotes for Lecture 15
U.C. Berkeley CS278: Computational Complexity Handout N15 Professor Luca Trevisan 10/27/2004 Notes for Lecture 15 Notes written 12/07/04 Learning Decision Trees In these notes it will be convenient to
More informationCOMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory
COMS W4995 Introduction to Cryptography September 29, 2005 Lecture 8: Number Theory Lecturer: Tal Malkin Scribes: Elli Androulaki, Mohit Vazirani Summary This lecture focuses on some basic Number Theory.
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationLecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate
Lecture 24: : Intuition A One-way Function: A function that is easy to compute but hard to invert (efficiently) Hardcore-Predicate: A secret bit that is hard to compute Theorem (Goldreich-Levin) If f :
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLimits: An Intuitive Approach
Limits: An Intuitive Approach SUGGESTED REFERENCE MATERIAL: As you work through the problems listed below, you should reference Chapter. of the recommended textbook (or the equivalent chapter in your alternative
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationWe begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.
CS276: Cryptography September 16, 2015 PRGs ) PRFs, Pseudorandom Permutations, and Feistel Permutations Instructor: Alessandro Chiesa Scribe: Brian Gluzman 1 Introduction Today we will constuct PRFs (Pseudorandom
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationWhere do pseudo-random generators come from?
Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationProvable Security for Program Obfuscation
for Program Obfuscation Black-box Mathematics & Mechanics Faculty Saint Petersburg State University Spring 2005 SETLab Outline 1 Black-box Outline 1 2 Black-box Outline Black-box 1 2 3 Black-box Perfect
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationPseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationLearning and Fourier Analysis
Learning and Fourier Analysis Grigory Yaroslavtsev http://grigory.us CIS 625: Computational Learning Theory Fourier Analysis and Learning Powerful tool for PAC-style learning under uniform distribution
More informationLecture 22. m n c (k) i,j x i x j = c (k) k=1
Notes on Complexity Theory Last updated: June, 2014 Jonathan Katz Lecture 22 1 N P PCP(poly, 1) We show here a probabilistically checkable proof for N P in which the verifier reads only a constant number
More informationFoundation of Cryptography ( ), Lecture 1
Foundation of Cryptography (0368-4162-01), Lecture 1 Iftach Haitner, Tel Aviv University November 1-8, 2011 Section 1 Notation Notation I For t N, let [t] := {1,..., t}. Given a string x {0, 1} and 0 i
More informationLecture 5: February 16, 2012
COMS 6253: Advanced Computational Learning Theory Lecturer: Rocco Servedio Lecture 5: February 16, 2012 Spring 2012 Scribe: Igor Carboni Oliveira 1 Last time and today Previously: Finished first unit on
More informationLecture 22: Counting
CS 710: Complexity Theory 4/8/2010 Lecture 22: Counting Instructor: Dieter van Melkebeek Scribe: Phil Rydzewski & Chi Man Liu Last time we introduced extractors and discussed two methods to construct them.
More informationLecture 10: Learning DNF, AC 0, Juntas. 1 Learning DNF in Almost Polynomial Time
Analysis of Boolean Functions (CMU 8-859S, Spring 2007) Lecture 0: Learning DNF, AC 0, Juntas Feb 5, 2007 Lecturer: Ryan O Donnell Scribe: Elaine Shi Learning DNF in Almost Polynomial Time From previous
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationNotes for Lecture 14 v0.9
U.C. Berkeley CS27: Computational Complexity Handout N14 v0.9 Professor Luca Trevisan 10/25/2002 Notes for Lecture 14 v0.9 These notes are in a draft version. Please give me any comments you may have,
More informationLecture 4: Hardness Amplification: From Weak to Strong OWFs
COM S 687 Introduction to Cryptography September 5, 2006 Lecture 4: Hardness Amplification: From Weak to Strong OWFs Instructor: Rafael Pass Scribe: Jed Liu Review In the previous lecture, we formalised
More informationCompute the Fourier transform on the first register to get x {0,1} n x 0.
CS 94 Recursive Fourier Sampling, Simon s Algorithm /5/009 Spring 009 Lecture 3 1 Review Recall that we can write any classical circuit x f(x) as a reversible circuit R f. We can view R f as a unitary
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationNotes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators
UC Bereley Handout N7 CS294: Pseudorandomness and Combinatorial Constructions September 20, 2005 Professor Luca Trevisan Scribe: Constantinos Dasalais Notes for Lecture 7 1 Increasing the Stretch of Pseudorandom
More informationOptimal Constructions of Universal One-way Hash Functions from Special One-way Functions!
1896 1920 1987 2006 Optimal Constructions of Universal One-way Hash Functions from Special One-way Functions Yu Yu 1, Dawu Gu 1, Xiangxue Li 2, Jian Weng 3 1 Shanghai Jiao Tong University, China 2 East
More informationComputational Extractors and Pseudorandomness
Computational Extractors and Pseudorandomness Dana Dachman-Soled Rosario Gennaro Hugo Krawczyk Tal Malkin Abstract Computational extractors are efficient procedures that map a source of sufficiently high
More informationCS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5
UC Berkeley Handout N5 CS94: Pseudorandomness and Combinatorial Constructions September 3, 005 Professor Luca Trevisan Scribe: Gatis Midrijanis Notes for Lecture 5 In the few lectures we are going to look
More informationGoldreich-Levin Hardcore Predicate. Lecture 28: List Decoding Hadamard Code and Goldreich-L
Lecture 28: List Decoding Hadamard Code and Goldreich-Levin Hardcore Predicate Recall Let H : {0, 1} n {+1, 1} Let: L ε = {S : χ S agrees with H at (1/2 + ε) fraction of points} Given oracle access to
More information6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch
6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch Today Probabilistic Turing Machines and Probabilistic Time Complexity Classes Now add a new capability to standard TMs: random
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationLecture 5. Lecturer: Yevgeniy Dodis Spring 2012
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Ferbruary 22, 2012 Lecture 5 Lecturer: Yevgeniy Dodis Spring 2012 In this lecture we formalize our understanding of next-bit security and
More informationPolynomial Interpolation Part II
Polynomial Interpolation Part II Prof. Dr. Florian Rupp German University of Technology in Oman (GUtech) Introduction to Numerical Methods for ENG & CS (Mathematics IV) Spring Term 2016 Exercise Session
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationDoubly half-injective PRGs for incompressible white-box cryptography
SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels White-box
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More information8. Limit Laws. lim(f g)(x) = lim f(x) lim g(x), (x) = lim x a f(x) g lim x a g(x)
8. Limit Laws 8.1. Basic Limit Laws. If f and g are two functions and we know the it of each of them at a given point a, then we can easily compute the it at a of their sum, difference, product, constant
More informationOn the Power of the Randomized Iterate
On the Power of the Randomized Iterate Iftach Haitner Danny Harnik Omer Reingold August 21, 2006 Abstract We consider two of the most fundamental theorems in Cryptography. The first, due to Håstad et.
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationHandout 5. α a1 a n. }, where. xi if a i = 1 1 if a i = 0.
Notes on Complexity Theory Last updated: October, 2005 Jonathan Katz Handout 5 1 An Improved Upper-Bound on Circuit Size Here we show the result promised in the previous lecture regarding an upper-bound
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationLecture 24: Approximate Counting
CS 710: Complexity Theory 12/1/2011 Lecture 24: Approximate Counting Instructor: Dieter van Melkebeek Scribe: David Guild and Gautam Prakriya Last time we introduced counting problems and defined the class
More informationLecture 4: One Way Functions - II
CSE 594 : Modern Cryptography 05/02/2017 Lecture 4: One Way Functions - II Instructor: Omkant Pandey Scribe: Bharathkrishna G Murali, Swarnima Shrivastava 1 Weak to Strong OWFs Theorem 1 The multiplication
More informationThe security of all bits using list decoding
The security of all bits using list decoding Paz Morillo and Carla Ràfols Dept. Matemàtica Aplicada IV Universitat Politècnica de Catalunya C. Jordi Girona -3, E-08034 Barcelona, Spain e-mail: {paz,crafols}@ma4.upc.edu
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationHomework 5 Solutions
Homework 5 Solutions Due: March 1, 2018 CS 151: Intro. to Crptograph and Computer Securit 1 Fun with One-Wa Functions (Continued) a. f a (x) is a one-wa function. Assume for the sake of contradiction that
More informationThe Many Entropies in One-Way Functions
The Many Entropies in One-Way Functions Iftach Haitner and Salil Vadhan Abstract Computational analogues of information-theoretic notions have given rise to some of the most interesting phenomena in the
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationThe Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions
The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions Scott Ames 1, Rosario Gennaro 2, and Muthuramakrishnan Venkitasubramaniam
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationLecture 23: Alternation vs. Counting
CS 710: Complexity Theory 4/13/010 Lecture 3: Alternation vs. Counting Instructor: Dieter van Melkebeek Scribe: Jeff Kinne & Mushfeq Khan We introduced counting complexity classes in the previous lecture
More informationMinimum Polynomials of Linear Transformations
Minimum Polynomials of Linear Transformations Spencer De Chenne University of Puget Sound 30 April 2014 Table of Contents Polynomial Basics Endomorphisms Minimum Polynomial Building Linear Transformations
More informationAn Improved Pseudorandom Generator Based on Hardness of Factoring
An Improved Pseudorandom Generator Based on Hardness of Factoring enad Dedić Boston University nenad@cs.bu.edu Leonid Reyzin Boston University reyzin@cs.bu.edu October 15, 2002 Salil Vadhan Harvard University
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationQuantum Computing Lecture 6. Quantum Search
Quantum Computing Lecture 6 Quantum Search Maris Ozols Grover s search problem One of the two most important algorithms in quantum computing is Grover s search algorithm (invented by Lov Grover in 1996)
More information