Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
|
|
- Erika Hampton
- 6 years ago
- Views:
Transcription
1 Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of n] K n is finite and is called the key space, M n is called the message space and C n is called the ciphertext space - Gen and Enc are probabilistic polynomial-time algorithms, and Dec is a deterministic polynomial-time algorithm - for every n N, Gen(1 n ) outputs an element of K n [the distribution of Gen(1 n ) is not necessarily uniform over K n ] - Enc(k,m) C n for every k K n and m M n - for every n N, every m M n and every k K n, Dec(k,Enc(k,m)) = m - (n is called the security parameter) Sample question: why does the definition above write Gen(1 n ) instead of writing Gen(n)? (Answer: Because n typically represents the length of the key, and we want Gen() to be able to run in polynomial time of the length of the key, so if we want to say Gen is polynomial-time we need to give an input whose length is polynomially related to the length of the key. Another solution would have been to say Gen is an exponential-time probabilistic algorithm such that Gen(n) outputs an element of K n for each n N.) Definition of a non-asymptotic encryption scheme: It s a tuple Π = ((K,M,C),Gen,Enc,Dec) where: - K,M,C are sets of bitstrings such that K is finite; K is called the key space, M is called the message space and C is called the ciphertext space - Gen is a probabilistic algorithm that takes no input and that outputs an element of K - Enc and Dec are polynomial-time algorithms (Enc can also be probabilistic) such that Enc(k,m) C and Dec(k,Enc(k,m)) = m for every k K and m M Sample question: what is the purpose of the security parameter n? (Answer: the security parameter n allows one to make asymptotic statements about the advantage of polynomial-time adversaries.) In your solutions to other problems (i.e., when the question is not Give the definition of a private-key encryption scheme ), you can simply say Let Π = (Gen, Enc, Dec) be a private-key encryption scheme, etc you don t need to mention (K n,m n,c n ) n=1 Sample question: I choose a random string in {0,1} 128 and I ask an adversary to guess the string. The adversary names values until it finds my string, and then the game stops. Can a polynomial-time adversary win this game with probability 1, if we consider the input length of the problem to be 128? (Answer: yes. The polynomial-time adversary in question simply tries all strings of length 128 one after one, which takes time in the worst case. This is a constant running time. In fact, we could even define the input length of the problem to be 0, and the running time would still be constant (and polynomial). This shows why you need the security parameter in crypto definitions.) Sample question: What is an information-theoretic adversary? (Answer: An adversary with unbounded computational powers we don t care about the adversary s running time or size of Turing machine description, etc. The only limit on what such an adversary can achieve is the amount of information they receive, hence the name information-theoretic.) Sample question: What is a computational adversary? (Answer: The opposite of information-theoretic. It s an adversary that is computationally bounded in some way or other; it has to be efficient in some sense (usually polynomial-time).) Definition of perfect privacy for non-asymptotic private-key encryption schemes. Let Π =... Let K be a random variable distributed according to Gen(). Let M be any distribution over M (i.e., M is a random 1
2 variable of range M). Let C = Enc(K,M). Then C and M are independent. In other words, for all c C and m M or, put differently, Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] for every c C such that Pr[C = c] > 0, and for every m M. To be able to prove that the above definition is equivalent to the fact that for every m 1,m 2 M, Enc(K,m 1 ) has the same distribution over C as Enc(K,m 2 ) (i.e., Pr[Enc(K,m 1 ) = c] = Pr[Enc(K,m 2 ) = c] for every c C; note randomness comes from K as well as from Enc). (Note this second definition of perfect privacy doesn t mention any distribution M over the message space.) To be able to prove that if M > C, then a (non-asymptotic) encryption scheme Π cannot be perfectly private To be able to do Additional Problem 2 in homework 3 (sorry) Know the PrivK eav Π,A experiment for asymptotic and non-asymptotic schemes (the experiment looks a little different in the asymptotic setting, because then the security parameter n is there); be ready to argue(maybe not completely formally) that Pr[PrivK eav Π,A = 1] = 1 2 if Π is a non-asymptotic perfectly secret encryption scheme NOTE: FROM HERE ON, EVERYTHING REFERS TO ASYMPTOTIC SECURITY (i.e., with security parameter) Know the definition of a negligible function Know the definition of indistinguishable encryptions against in the presence of an eavesdropper asymptotic (description of PrivK eav Π,A experiment + definition with negl(n)); be ready to argue (maybe not completely formally) that Pr[PrivK eav Π,A = 1] = 1 2 if Π is perfectly secret (the other direction is also true, but don t worry about it). The definition of chosen plaintext security. (Description of PrivK cpa Π,A experiment + definition itself.) Know what a computational reduction means (it just means a proof of the type if there exists an (efficient) adversary A that can do task X, there also exists an (efficient) adversary that can do task Y The definition of semantic security (Definition 3.13 in your book, I think; discussed in the bonus problem of homework 2). Be ready to outline the proof that an encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper (IEIPE, let s say) is also semantically secure. The outline is as follows: Let A be a polytime adversary. We construct A as follows. A chooses a fixed message m 0 M n, samples a key k by running Gen(1 n ), then runs A with input (1 n,enc k (m 0 ),h(m)), and outputs what A outputs (note A s own input is (1 n,h(m)) it forwards the value h(m) to A). Thus, A (1 n,h(m)) = A(1 n,enc k (m 0 ),h(m)) where k is chosen randomly according to Gen(1 n ), and so all we need to show is that Pr[A(1 n,enc K (m),h(m)) = f(m)] Pr[A(1 n,enc K (m 0 ),h(m)) = f(m)] negl(n) (1) where K is distributed according to Gen(1 n ) and m is distributed according to X n. To show (1), we use a computational reduction to IEIPE. Namely, we build an adversary B for IEIPE from A. B works as follows: it uses the same m 0 as fixed by A (technically: it runs A to find m 0 ), and selects m = m 1 by sampling 2
3 X n (which can be done efficiently). Then B outputs (m 0,m 1 ) as its challenge ciphertexts, and receives back the encryption c = Enc K (m b ) for K Gen(1 n ) and b {0,1} uniform at random. Then B runs A(1 n,enc K (m b ),h(m = m 1 )) and outputs b = 1 if A outputs f(m = m 1 ), and outputs 0 otherwise. If b = 1 then B has chance Pr[A(1 n,enc K (m),h(m)) = f(m)] of outputting 1, whereas if b = 0 then B has chance 1 Pr[A(1 n,enc K (m 0 ),h(m)) = f(m)] of outputting 1. If follows from a standard manipulation of probabilities that if B s advantage is negligible, then (1) is also negligible. Know the definition of a pseudorandom generator, as in the book. Sample question: Let G be a pseudorandom generator. Can anyone compute G(0 n )? G(1 n )? (Answer: yes, of course. G is a public, polynomial-time function and there is no secret key.) Be able to prove that an information-theoretic adversary can distinguish any pseudorandom generator with advantage at least 1 2 ; namely, that if G : {0,1}n {0,1} l(n) is a pseudorandom generator (with, of course, l(n) n+1) then there exists a information- theoretic distinguisher D such that Pr,G(s)) = 1] Pr [D(1 n,r) = 1] 1 s {0,1} n[d(1n r {0,1} l(n) 2. (D simply checks to see if the value it received is in the range of G, and this has chance at most 1 2 of happening in the random world.) Knowing how to build a IEIPE scheme from a pseudorandom generator, and knowing how to prove that the construction is indeed IEIPE (construction 3.15 and theorem 3.16 in my book maybe something else in your edition) Knowing, on an informal level, the multiple message experiment PrivK mult Π,A, and being able to explain why no deterministic encryption scheme can satisfy this notion of security Know the definition of CPA security... of course. (Note there are two things: one is the experiment PrivK cpa Π,A, and another thing is the definition itself.) [Don t forget: the adversary must choose ciphertexts (m 0,m 1 ) of equal length!] Know the little story about the second world war, with the Japanese and the Americans and midway island Know the definition of a pseudorandom function, as stated in the book. Know how to use a pseudorandom function to build a CPA-secure scheme for fixed-length messages, and, actually, even for arbtriray-length messages, as described in the book (you don t need to learn the proof of security) Know the definition of a pseudorandom permutation and of a strong pseudorandom permutation. (Note: for a strong pseudorandom permutation, the inverse also needs to be efficiently computable (knowing the key, of course).) Know the definition of a blockcipher. It s simply: E : {0,1} k {0,1} n n is a blockcipher if E(k, ) is a permutation of {0,1} n for every k {0,1} k, and for which both E(k, ) and E 1 (k, ) are efficiently computable. (Of course, a good blockcipher should have the property that E ±1 (k, ) looks like a random permutation for a randomly chosen k, but it is hard to formalize this mathematically if the blockcipher E is only defined for one particular value of k and n, such as k = n = 256, or something.) 3
4 Know the different modes of operation based on blockciphers; ECB mode, CBC mode, OFB mode and CTR mode. Know the definition of CCA security. Be ready to explain, say, why none of the above modes are CCA secure. (MACs) Know the definition of a Message Authentication Code (MAC). Note: The definition of a MAC does not include any definition of secutiy; that s separate. Know the definition of existentially unforgeable under a chosen plaintext attack for MACs (the standard 1 security notion for MACs, as in the book) Know the definition of what it means for a MAC to have unique tags. (It means that for each message m and key k, there is at most one t such that Vrfy(k,m,t) = 1.) (Note: a deterministic MAC meaning that Mac( ) is deterministic outputs only one t per message m (and key k), but this does not mean the MAC has unique tags; Vrfy can accept more tags than the tag which is output by Mac.) (OWFs, OWPs, HARDCORE BITS, GOLDREICH-LEVIN HARDCORE BIT, ETC) Know the definition of a one-way function. (Don t forget it s polytime; of course, also don t forget that the adversary must be polytime.) Know the definition of a one-way permutation... Know the definition of a hardcore bit (for a one-way permutation, say). [Note: if f : {0,1} {0,1} is a permutation of {0,1} n for each n N (i.e., f is a permutation ) and hc : {0,1} {0,1} is a function, then we can define what it means for hc to be a hardcore bit for f without making the assumption that f is one-way. Namely, you can define hardcore bit for f even if f is not a one-way permutation. But the definition will never be satisfied: if f is not a OWP, then no hc will exists that satisfies the definition, because you can invert f with non-negligible probability to compute hc.] Know the construction of the Goldreich-Levin hardcore bit gl. I would also like you to know the proof that gl is really a hardcore bit for the function (x,r) (f(x),r), but that s asking too much. However, know these parts of the proof: 1. Markov s inequality: that if X is an r.v. such that X 0 then Pr[X c] E[X]/c, for all c > 0. (No proof needed.) 2. The following useful fact: that if X is a random variable such that 0 X 1, such that E[X] = µ, then Pr[X µ t] t for every 0 t µ. Know this fact, and know how to prove it from Markov s inequality by considering the r.v. 1 X. 3. Therefore (by 2), if A is an adversary that can compute x r from (f(x),r) with probability at least 1 2 +ε(n) (for random x and r), then a fraction of at least 1 2ε(n) of the x s have the property that for that fixed x (and for random r), A s chance of computing hc is still at least ε(n). (Proof: let p x be A s chance of computing hc for a given x, with randomness over r and over A s coins; then E x [p x ] = 1 2 +ε(n), and so we can apply item 1 with µ = 1 2 +ε(n) and t = 1 2 ε(n).) 4. Know Chebyshev s inequality with its (easy) proof (see the book). 5. Know how to prove that if two random variables X and Y are independent, then Var(X + Y) = 1 Just because it is standard does not really mean it is the best security notion; but nevermind. 4
5 Var(X)+Var(Y). (You can use the fact that E[XY] = E[X]E[Y] for independent random variables X and Y without proving that fact.) 6. Know how to prove that if X 1,...,X m are pairwise independent random variables such that E[X i ] = µ for each i, then [ i Pr X ] i m µ ε 1 4ε 2 m. (Use Chebyshev s inequality and item 5.) 7. Know the description of the adversary A for inverting f, that uses the adversarya for computing hc( ); see the paragraph The inversion algorithm A in the book. (You don t need to remember the exact value of l which was named m when I did it in class but you should know that 2 l = poly(n).) Moving on: know how to construct a PRG from a pair (f,hc) where f is a OWP and hc is a hardcore bit for f. Know the proof (the one I messed up in class, that Tianren finished). Finally... last but not least... know the hybrid argument for proving unpredictability implies pseudorandomness, the one from your homework. (If you didn t use a hybrid argument then you probably did it wrong.) 5
Computational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationLecture 4: Computationally secure cryptography
CS 7880 Graduate Cryptography September 18, 017 Lecture 4: Computationally secure cryptography Lecturer: Daniel Wichs Scribe: Lucianna Kiffer 1 Topic Covered ε-security Computationally secure cryptography
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationIntroduction to Cryptology. Lecture 3
Introduction to Cryptology Lecture 3 Announcements No Friday Office Hours. Instead will hold Office Hours on Monday, 2/6 from 3-4pm. HW1 due on Tuesday, 2/7 For problem 1, can assume key is of length at
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationa Course in Cryptography rafael pass abhi shelat
a Course in Cryptography rafael pass abhi shelat LECTURE NOTES 2007 c 2007 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Contents Contents List
More information7 Security Against Chosen Plaintext
7 Security Against Chosen Plaintext Attacks Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Clearly it would be more useful to have
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationLecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate
Lecture 24: : Intuition A One-way Function: A function that is easy to compute but hard to invert (efficiently) Hardcore-Predicate: A secret bit that is hard to compute Theorem (Goldreich-Levin) If f :
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCryptography CS 555. Topic 4: Computational Security
Cryptography CS 555 Topic 4: Computational Security 1 Recap Perfect Secrecy, One-time-Pads Theorem: If (Gen,Enc,Dec) is a perfectly secret encryption scheme then KK M 2 What if we want to send a longer
More informationSecurity II: Cryptography
Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II http://www.cl.cam.ac.uk/teaching/1213/securityii/ 1 Related textbooks Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationSecurity II: Cryptography
Security II: Cryptography Markus Kuhn Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/teaching/1314/securityii/ These notes are provided as an aid for following the lectures, and are
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More information