CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Similar documents
Indistinguishability and Pseudo-Randomness

Lecture 7: Hard-core Predicate and PRG

Lecture 7: Pseudo Random Generators

Lecture 13: Private Key Encryption

Scribe for Lecture #5

Pseudorandom Generators

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

CPA-Security. Definition: A private-key encryption scheme

Lecture 5, CPA Secure Encryption from PRFs

Lecture 7: CPA Security, MACs, OWFs

Pseudorandom Generators

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 8: Computational Indistinguishability and Pseudorandomness

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Computational security & Private key encryption

Lecture 2: Perfect Secrecy and its Limitations

CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, Lecture 5: RSA OWFs

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Lecture 11: Key Agreement

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 4: Computationally secure cryptography

Block Ciphers/Pseudorandom Permutations

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Modern Cryptography Lecture 4

Cryptography 2017 Lecture 2

Computer Science A Cryptography and Data Security. Claude Crépeau

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

5 Pseudorandom Generators

Lecture 3: Randomness in Computation

Pseudorandom Generators

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Pseudorandom Generators

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Lecture 3: Interactive Proofs and Zero-Knowledge

Private-Key Encryption

Notes for Lecture 27

CS 355: TOPICS IN CRYPTOGRAPHY

Introduction to Cryptology. Lecture 3

El Gamal A DDH based encryption scheme. Table of contents

Lecture Note 3 Date:

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 28: Public-key Cryptography. Public-key Cryptography

Perfectly-Secret Encryption

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

1 Cryptographic hash functions

Lecture 17: Constructions of Public-Key Encryption

Block encryption of quantum messages

Lecture 16: Public Key Encryption:II

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

1 Cryptographic hash functions

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Authentication. Chapter Message Authentication

Lecture 14: Hardness Assumptions

Lectures 2+3: Provable Security

1 Number Theory Basics

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

6.080/6.089 GITCS Apr 15, Lecture 17

Lecture 5. Lecturer: Yevgeniy Dodis Spring 2012

Introduction to Cryptography

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

2 Message authentication codes (MACs)

On Pseudorandomness w.r.t Deterministic Observers

Lecture 14: Cryptographic Hash Functions

Public-Key Encryption

CTR mode of operation

Adaptive Security of Compositions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

ASYMMETRIC ENCRYPTION

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

a Course in Cryptography rafael pass abhi shelat

Lecture 1: Introduction to Public key cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Block ciphers And modes of operation. Table of contents

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Public Key Cryptography

Lecture Notes 20: Zero-Knowledge Proofs

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Great Theoretical Ideas in Computer Science

1 Indistinguishability for multiple encryptions

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

ECS 189A Final Cryptography Spring 2011

Transcription:

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs), or a collection of functions in which it is hard to invert a randomly chosen function from the collection. We talked about one collection of OWFs in particular, called the RSA collection. The RSA collection is a set of functions that includes all f of the form with (N, e) I. f N,e (x) = x e modn I = {(N, e) : N = product of 2 primes, e Z φ(n)} (N, e) I, d, d = e 1 in Z φ (N) In this case, d is a nice feature because it can be used as a trapdoor, creating a trapdoor function. We also showed that y Z φ(n) x s.t. f N,e (x) = y Given (N,e,d,y), x = (y) d x e modn =... = y Thus, the RSA collection is a collection of trapdoor permutations which will be very useful for public key encryption. 2 Computational Security Today, we are going to come back to symmetric key encryption, or secret key encryption. Remember our first definition of security was perfect security which can be acquired by the one-time pad (OTP). An OTP XORs a randomly generated key with a message in order to generate the cipher text. This method is very impractical because k = m. This property is inherit, as we showed in Theorem 1: Any perfectly secure encryption must have k m. Theorem 1 relies on the fact that an adversary is computationally unbounded. 5-1

It is a natural idea to expand the original key by some method in order to achieve security without storing a long key. Using a pseudo-random generator(prg): k {0, 1} n k {0, 1} l(n), l(n) = n 3 such that k is random-looking for all computationally bounded adversaries. Because it contradicts Theorem 1, it is a fact that k cannot be truly random. Suppose we have a short seed, D = k {0, 1} n, k G(k) Using a PRG function G on k to map n bits to l(n) bits. PRG is deterministic (does not add entropy/randomness). We want to say that D looks random. Since there are many statistical properties that a bit-stream should meet in order to look random, we must define this property. 3 Computational Indistinguishability When can we say that two distributions look the same? D 1 D 2 A distribution looks random when it is similar to a uniformly distributed bit string, that is D 1 U l(n). When a computer is given two distributions, with unlimited time and resources, differences will be found. However, the difficulty of finding differences grows as the parameters grow. As an example, a computer seeing limited samples and attempting to tell two distributions apart is similar to a human looking at different graphs for a short time. We will use an asymptotic approach - sequences of x and y, rather than just x and y. The outputs should look more similar as parameters grow. We will look at sequences of distributions {D 1n } n N {D 2n } n N Definition Ensemble of Distributions A sequence {x n } n N is called an ensemble if n N, x n is a distribution over {0, 1} l(n) for some polynomial l. Definition Computational Indistinguishability Two ensembles {X n }, {Y n } are computationally indistinguishable if non-uniform PPT distinguisher D negligible ɛ( ) such that Adv D = P r[t X n : D(t) = 1] P r[t Y n : D(t) = 1] ɛ(n) 5-2

When two ensembles are indistinguishable, we write {X n } {Y n } Definition Pseudo Random Distribution We say an ensemble of distributions {D n } over {0, 1} l(n) is pseudo-random if {D n } n N {U l(n) } n N } In particular, {D n } is pseudo-random if it meets our statistical properties for pseudo-randomness. 1. Closure under efficient operation If we have two computationally indistinguishable ensembles, processing the samples will result in a computationally indistinguishable ensemble. e.g. {X n } {Y n } {t X n : t + 1} n N {t Y n : t + 1} n N These distributions are computationally indistinguishable, or it can be shown that the original distributions were not computationally distinguishable. Lemma: If {X n } {Y n }, then non-uniform PPT M, {M(X n )} {M(Y n )} Proof: By contraposition, Suppose D, Adv D 1 p(n) for some polynomial p D, Adv D 1 q(n) for polynomial q Adv D = P r[t X n : D (t) = 1] P r[t Y n : D (t) = 1] = P r[t X n : D(M(t)) = 1] P r[t Y n : D(M(t)) = 1] = Adv D 1 p(n) showing that {M(X n )} and {M(Y n )} are not indistinguishable. Given D we can construct D to distinguish the original distributions which is a contradiction. 2. Transitivity {X n } {Y n }, {Y n } {Z n } {X n } {Z n } Lemma: Hybrid Lemma Let {X 1n } {X mn } satisfy i [m 1], {X in } {X (i+1)n } Then {X in } {X mn } We want to show: D, ɛ negligible such that P r[t X in : D(t) = 1] P r[t X mn : D(t) = 1] < ɛ(n) 5-3

Define g in = P r[t X in : D(t)] g in g mn = (g 1n g mn = (g 1n g 2n ) + (g 2n g 3n ) g mn gin g (i+1)n Since {X in } {X (i+1)n }. By definition, ɛ( ) negligible such that gin g (i+1)n < ɛi (n) g 1n g mn i [m 1] ɛ i(n) which is negligible Example Suppose we have four sets such that {X 1 } {X 1}and{Y 1 } {Y 1}. We want to see if {X 1 } {Y 1 } {X 1} {Y 1}. {D 1n } = {x X, y Y : x y} {D 2n } = {x X, y Y : x y } {D 1n } = {x X, y Y : x y } Then {D 1n } {D 2n } and {D 2n } {D 3n } So by the hybrid lemma {D 1n } {D 3n } 4 Computation Version of OTP Definition Pseudo-Random Generator G Function G which maps {0, 1} {0, 1} is a PRG if: 1. Easy to evaluate in PPT 2. Expansion x, G(x) > x 3. Output is pseudo random {x {0, 1} n : G(x)} {U G(x) } Assume we have a PRG G that maps x to y of length l( x ). Gen(1 n ) : k {0, 1} n, where k is the seed Enc(G(k), m) m {0, 1} l(n) k m = c m 0, m 1, {k {0, 1} n, c 0 Enc(k, m 0 ) : c 0 } {k {0, 1} n, c 1 Enc(k, m 1 ) : c 1 } This provides strong (computationally indistinguishable) security. 5 Summary In this lecture, we defined an idea of computational security as computational indistinguishability. That is, using a random key, we expanded the key to be a pseudo random 5-4

key of greater length. We used an ensemble of distributions to provide greater parameters and increase the amount of computational power needed to find differences in distributions. We defined pseudo random distributions to have closure and trasitivity. Ultimately, we showed that a pseudo random generator could give us strong computational security. This gives us a step toward a pseudo random function, which will be used for symmetric (secret) key encryption. 5-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback