Cryptography 2017 Lecture 2
|
|
- Jeremy Gardner
- 6 years ago
- Views:
Transcription
1 Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, / 39
2 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time Pad (OTP) Perfect Secrecy Stream Ciphers Pseudo Random Generators (PRG) (unpredictable) Attacks!! November 3, / 39
3 Secret Key Cryptography: An intuition Alice Plaintext See you today at 5pm Secret key Encryption Secret key Decryption See you today at 5pm Ciphertext Ciphertext Bob The same key is used to encrypt and to decrypt messages! November 3, / 39
4 Symmetric Ciphers: Definition K Key space (i.e., set of all possible keys) M Message space (i.e., set of all possible messages) C Ciphertext space (i.e., set of all possible ciphertexts) Definition A cipher defined over (K,M,C) is a pair of efficient algorithms (E, D) where E : K M C, D : K C M such that m M,k K it holds: E(k,m) = c and D(k,c) = m The last equation also known as Correctness property can be rewritten as: D(k,E(k,m)) = m November 3, / 39
5 Symmetric Ciphers: The One Time Pad (OTP) (Vernam 1917) The OTP cipher K = M = C = {0,1} n i.e., the key, the message and the ciphertext have all the same length n E : K M C, E(k,m) = k m D : K C M, D(k,c) = k c Correctness of the OTP D(k,E(k,m)) =? m Indeed since: D(k,E(k,m)) = k E(k,m) = k (k m) = m Example msg k C November 3, / 39
6 Quiz question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Question - Key of OTP You are given a message (m) and its OTP encryption (c) Can you compute the OTP key from m and c? A No, I cannot compute the key. B Yes the key is k = m c. C I can only compute half the bits of the key D Yes, the key is k = m m. Why? m c = m (k m) = m m k = k November 3, / 39
7 What is a good cipher? The Fundamental Properties of a (Good) Cipher 1. Correctness: D(k, E(k, m)) = m. 2. Efficiency: the algorithms E and D are efficient, i.e., run in polynomial time. in polynomial time : there exists a polynomial p() such that the algorithms E and D run in time p(n), where n is the length of the algorithm s input. 3. Security: the cipher is secure against some attacks (see next slide). Principles of Modern Cryptography Describe clearly what you want to achieve so that you know if and when you have achieved it! Formal Definitions Precise Assumptions Proof of Security November 3, / 39
8 Information Theoretic Security - Perfect Secrecy (Shannon 1949) Perfect secrecy (Intuition) The ciphertext should reveal no info about the plaintext Definition A cipher (E,D) defined over (K,M,C) has perfect secrecy if: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0 ) = c] = P[E(k,m 1 ) = c] where k is chosen uniformly at random from K (i.e., k R K) (What does this mean?) The adversary that sees only the ciphertext c is not able to determine whether c is an encryption of m 0 or m 1. November 3, / 39
9 What does uniformly at random mean? Definition A probability distribution P over a finite set X is a function P : X [0,1] such that x X P(x) = 1 A probability distribution is called uniform U if its value U(x) is the same for all x in X. Example - Uniform distribution When flipping a coin the probability of getting head is 1/2 and equal to the probability of getting tails where X = [head,tails] and U(head) = U(tails) = 1/2 When throwing a dice the probability to get any side of the dice (1,2,3,4,5,6) is equal to 1/6. November 3, / 39
10 Quiz question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Question - OTP Let m M and c C. How many OTP keys k K map m to c. A None B 1 C 2 D Depends on m November 3, / 39
11 The OTP has perfect secrecy Lemma The OTP has perfect secrecy! i.e., it holds: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0) = c] = P[E(k,m 1) = c] where k is chosen uniformly at random from K Proof m,c : P k [E(k,m) = c] = number of keys k K s.t. E(k,m) = c K Suppose that m,c : { number of keys k K s.t. E(k,m) = c} = constant cipher has perfect secrecy - For OTP : if E(k,m) = c k m = c k = m c #{k K : E(k,m) = c} = 1 m,c OTP has perfect secrecy November 3, / 39
12 The OTP has perfect secrecy Shannon s Theorem Perfect secrecy implies that K M i.e., key length message length the length of the key must be at least as long as the length of the message we want to encrypt. Corollary Suppose that K = M = C. We have perfect secrecy if each key is used with equal probability 1/ K and for any m M and for any c C, there exists a unique key k K such that E(k,m) = c. November 3, / 39
13 OTP - The Venona Project ( ) A program of the USA Signal Intelligence Service (i.e., NSA) run to decrypt messages encrypted by the Russian intelligence services (e.g., KGB) during the World War II. Encryption: The Russians used a code (ASCII) to convert letters to numbers and the OTP to encrypt the messages. Reminder: The OTP when used correctly is unbreakable! But... The Russians generated the one-time pads (keys) with a very laborious process. A human was throwing a dice & collected the dice throws to generate the one time keys! Mistake: They used some one-time-pads (keys) twice! The NSA was able to intercept and decrypt about 3000 messages! November 3, / 39
14 The Verona Project: How was the Russian s OTP broken? Lets assume that the same key is used to encrypt two messages: c 1 = m 1 k and c 2 = m 2 k. Then we have: c 1 c 2 = (m 1 k) (m 2 k) = (m 1 m 2) (k k) Gene Grabeel the first crypto analyst of the Venona project = m 1 m 2 If we have m 1 m 2 we can easily recover m 1 and m 2 Why? Redundancy in English language Not all combinations of letters are likely or possible. Remember: Never use the same key in OTP! Most code breakers were women Example Let language L = {00100, 10011, 11100, 10100} If we have m 1 m 2 = then we can deduce that: m 1 = and m 2 = 10011, since only by XORing m 1 and m 2 we get m 1 m 2 November 3, / 39
15 Quiz Question! OTP malleability Let m be a message and c = m k its OTP encryption. If an attacker performs c a what will Bob (receiver) decrypt? mm a kk a Alice Plaintext m k Encryption c=m k Ciphertext k c a k m a Decryption c a New ciphertext Bob November 3, / 39
16 Is OTP a good cipher? Pros Very very fast encryption/decryption! Perfect secrecy (when K M ) PROS CONS Cons Very long keys (at least as long as the message)! Difficult to use in practice! Malleable: modifications in the ciphertext have impact on the plaintext November 3, / 39
17 Stream Ciphers: Can we make the OTP more practical? s G k PSEUDORANDOM GENERATOR G(s) = k m (plaintext) c c = E(s,m) = m G(s) D(s,c) = c G(s) STREAM CIPHERS Replace the random key (k) by a pseudorandom key (k ) Instead of using a long (uniformly at random) key k use a short seed s Use s to generate a long pseudorandom key k with a pseudorandom generator G. MORE FORMALLY: Pseudorandom Generator (PRG:) is a function G : {0,1} l {0,1} n, n >> l (n much bigger than l) Example: seed 128 bits expand to Gbytes. November 3, / 39
18 Examples of Stream Ciphers! RC4: Used in WEP and TLS Protocol A5/1: Used in GSM (Global System for Communications) E0: Used in Bluetooth All badly Broken! Badly Broken! November 3, / 39
19 Quiz Question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Stream ciphers & perfect secrecy Can a stream cipher have perfect secrecy? A Yes, if the PRG is really secure B No, there are no ciphers with perfect secrecy C Yes, every cipher has perfect secrecy D No, since the key is shorter than the message Stream ciphers cannot have perfect secrecy!!! The security of stream cipher depends on the specific PRG. November 3, / 39
20 November 3, / 39
21 PRG: Pseudo Random Generators Intuition A PRG is a function that takes as input a short random number (seed) and outputs a long string that looks random. Definition A function G : {0,1} l {0,1} n with l n (i.e., l much smaller than n), is a secure Pseudo Random Generator (PRG), if for any efficient statistical test D (Distinguisher), it holds that: P[D(G(s)) = 1] P[D(r) = 1] is negligible (i.e., too small) for every s R {0,1} l r R {0,1} n selected uniformly at random. STATISTICAL TEST Distinguisher { 1, if x is truly random D(x) = 0, if x is pseudorandom int D (int x) { if x is truly random return 1; else return 0; } November 3, / 39
22 PRG: Pseudo Random Generators space of output k space of key s G k 2 s k 1 k 1 image s 1 x Does x belong in the image or not? {0,1} l {0,1} n What does it mean that G(s) = k is indistinguishable from random? An adversary D that sees the output of G cannot distinguish it from something completely random (i.e., coming from the uniform distribution). November 3, / 39
23 Unpredictable PRGs A good/secure PRG must be unpredictable!!! What does unpredictable mean? Given a part of the output of G(s) = k, it is impossible to predict the rest output. G(s) = k Given the first i bits G(k) 1,...,i attackera cannot predict the rest G(k) i+1,...,n ?????? Definition Hard to formally define unpredictable PRGs. Lets define predictable PRGs! A PRG G : {0,1} l {0,1} n is predictable if there exists an efficient algorithm A and an index 1 i n such that it holds: for some non-negligible value ǫ [ ) ] Pr A (G(s) 1,...,i = G(s) i+1 1 +ǫ 2 Programming assignment: Break a weak PRG! Yao (in 1982) proved that if a PRG is unpredictable then it is secure! November 3, / 39
24 What if a PRG is predictable?? Attacks!! Let A (adversary) be the algorithm that can efficiently compute G(s) i+1 given G(s) 1,...,i c m G(k) If A knows the ciphertext and the beginning of the plaintext (e.g., headers). Then A can recover part of the predictable PRG, and subsequently decrypt! November 3, / 39
25 Quiz Question! Is this PRG predictable? Suppose G : K {0,1} n is such that for all k K it holds XOR ( G(k) ) = 1. Is G predictable? A Yes, given the first bit I can predict the second B No, G is unpredictable C Yes, given the first (n 1) bits I can predict the last bit D No it is impossible! Example: If n = 5 and G(k 1 ) = g 1 g 2 g 3 g 4 g 5 where g i is the i-th bit of G(k 1 ) i {1,2,3,4,5} then, I know that g 1 g 2 g 3 g 4 g 5 = 1. If I know g 1,g 2,g 3,g 4, then I can predict g 5. For instance: G(k 1 )= 0110? Then, we have: g 5 = 1 and g 5 = 1. November 3, / 39
26 WEP attacks k Sender Wifi Communication m PRG(IV k) CRC(m) IV c (ciphetext) k Receiver Access Point - Has k - Receives IV, c - Can compute PRG(IV k), m Badly Broken! WEP attack - Two Time Pad The key should be used only once (to encrypt) Lets change the key using IV. Length of IV = 24 bits. Problem 1: 2 24 possible IVs, repeated after some frames! Problem 2: in some WEP cards IV resets to 0 after a power cycle! Remember: Never use the same key to encrypt a message (for one time pad ciphers)! November 3, / 39
27 How can we define the security of a cipher? Step 1: Decide what the attacker can do (power) & what he wants to achieve (goal). Power See ciphertexts? Encrypt some chosen messages? Decrypt some chosen messages? Step 2: Select the approach to secure the cipher: Information theoretic security Even if the attacker had infinite time & computational power to try all possible keys he can determine the key only with probability 1 # of all possible keys. Example: One Time Pad Goal Decrypt messages. Encrypt messages. Find the secret key. Complexity-based security Used often in crypto. An attacker that can perform an attack can also break a very complex/hard problem! November 3, / 39
28 What is a secure cipher? Attacker s power Can get one ciphertext Attacker s Goal Break the cipher! How to define a secure cipher? Attempt 1 The attacker should not be able to recover the key! E(k,m) = m Attempt 2 The attacker should not be able to recover the whole plaintext! E(k,m 0 m 1) = m 0 (k m 1) Security requirement satisfied! Encryption algorithm not secure! Security requirement satisfied! Encryption algorithm not secure! November 3, / 39
29 Recall Shannon s perfect secrecy Shannon s idea: The ciphertext should reveal no info about the plaintext! SEEN IN SLIDE 7 Definition A cipher (E,D) defined over (K,M,C) has perfect secrecy if: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0 ) = c] = P[E(k,m 1 ) = c] where k is chosen uniformly at random from K (i.e., k R K) (What does this mean?) The adversary that sees only the ciphertext c is not able to determine whether c is an encryption of m 0 or m 1. i.e., If c 0 is the encryption of m 0 and c 1 is the encryption of m 1 then c 0 and c 1 have the same distribution. November 3, / 39
30 Relaxing the notion of perfect secrecy Fact: Only OTP has perfect secrecy! Shannon s definition is too strong (strict)! Let s relax it so that more ciphers can satisfy it! Instead of saying that c 0 and c 1 (encryptions of m 0 and m 1) have identical distributions, we say that the adversary cannot distinguish them. Instead of saying that m 0 and m 1 are completely random, we say that the adversary has chosen them! November 3, / 39
31 The Semantic Security Game (one time key) Attacker A Challenger C m 0,m 1 c D m 0,m 1 M k K chosen len(m 0 )=len(m 1 ) c=e(k,m b ) uniformly at random b R {0,1} Useful for the exercises/exams!! Output b {0,1} a guess for b Definition if b=0, c is the encryption of m 0 if b=1, c is the encryption of m 1 A cipher (E,D) is semantically secure (with one time key) if for any efficient adversary, it holds: P(b = b) < 1 2 +negligible negligible < , non negligible > November 3, / 39
32 Where is the definition of semantic security useful? Useful for the exercises/exams!! Let s define with W 0 : the event that C chooses b = 0, and A chooses b = 0. Let s define with W 1 : the event that C chooses b = 1, and A chooses b = 0. Show that P(W 0 ) P(W 1 ) is negligible (very very small) or non-negligible (not that small). Example: i.e., P(W 0 ) P(W 1 ) is non-negligible Prove that the encryption scheme E(k,m 00 m 01 ) = m 00 (k m 01 ) is not semantically secure. m 00 denotes the first bit of a message m 0 and m 01 denotes the second bit of a message m 0. Correspondingly for m 1. We need to show that A can win the security game (described in the previous slide): Let A choose: m 0 = m 00 m 01 = 0 0 and m 1 = m 10 m 11 = 1 1 If C chooses b = 0, then m b = m 0 and c = m 00 (k m 01 ) = 0 c 0 c = 0 c 0 then b = 0 If C chooses b = 1, then m b = m 1 and c = m 10 (k m 11 ) = 1 c 1 c = 1 c 1 then b = 1 A can output b = {first bit of c} as a guess for b. Then, we have: P(W 0 ) P(W 1 ) = 1 0 = 1 November 3, / 39
33 The Advantage of an Adversary Remember: The value P(W 0) P(W 1) is called advantage of the adversary A and it is denoted as: Adv SEM.SEC [A,E] Notations SEM.SEC: Security notion we are considering. E: name of scheme we are considering. A: name of the adversary we are considering. November 3, / 39
34 Things to remember Things to remember What is perfect secrecy? Does OTP have perfect secrecy? How do stream ciphers work? What is a predictable PRG? What is the advantage of an adversary to break an encryption scheme? November 3, / 39
35 References: Cryptography and Network Security: Principles and practice (Chapters 2.1, 2.2, 7.1.) Introduction to Modern Cryptography, Lindell and Katz (Chapter 1.4, 2, 3.3.1) Thank you for your attention! November 3, / 39
Dan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationSolution of Exercise Sheet 6
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationDan Boneh. Introduction. Course Overview
Online Cryptography Course Introduction Course Overview Welcome Course objectives: Learn how crypto primitives work Learn how to use them correctly and reason about security My recommendations: Take notes
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationOutline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad
Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1
Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCryptographic Engineering
Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationCircuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.
Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationSecurity and Cryptography 1
Security and Cryptography 1 Module 5: Pseudo Random Permutations and Block Ciphers Disclaimer: large parts from Mark Manulis and Dan Boneh Dresden, WS 18 Reprise from the last modules You know CIA, perfect
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationCryptography CS 555. Topic 4: Computational Security
Cryptography CS 555 Topic 4: Computational Security 1 Recap Perfect Secrecy, One-time-Pads Theorem: If (Gen,Enc,Dec) is a perfectly secret encryption scheme then KK M 2 What if we want to send a longer
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationBlock encryption of quantum messages
Block encryption of quantum messages Min Liang 1 and Li Yang,3 1 Data Communication Science and Technology Research Institute, Beijing 100191, China liangmin07@mails.ucas.ac.cn State Key Laboratory of
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More information18733: Applied Cryptography Anupam Datta (CMU) Course Overview
18733: Applied Cryptography Anupam Datta (CMU) Course Overview Logistics Introductions Instructor: Anupam Datta Office hours: SV Bldg 23, #208 + Google Hangout (id: danupam) Office hours: Mon 1:30-2:30
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationReal scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan
Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm David Morgan XOR as a cipher Bit element encipherment elements are 0 and 1 use modulo-2 arithmetic Example: 1
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationShannon s Theory of Secrecy Systems
Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory
More information