Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Similar documents
Modern Cryptography Lecture 4

Modern symmetric-key Encryption

1 Number Theory Basics

Solution of Exercise Sheet 7

Block ciphers And modes of operation. Table of contents

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

CTR mode of operation

Block Ciphers/Pseudorandom Permutations

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

CPA-Security. Definition: A private-key encryption scheme

Homework 7 Solutions

Lecture 10 - MAC s continued, hash & MAC

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

III. Pseudorandom functions & encryption

Lecture 7: CPA Security, MACs, OWFs

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

5199/IOC5063 Theory of Cryptology, 2014 Fall

Introduction to Cybersecurity Cryptography (Part 4)

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Lecture 5, CPA Secure Encryption from PRFs

Introduction to Cybersecurity Cryptography (Part 4)

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Public Key Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Quantum-secure symmetric-key cryptography based on Hidden Shifts

CS 6260 Applied Cryptography

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Computational security & Private key encryption

Leftovers from Lecture 3

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Lecture Notes. Advanced Discrete Structures COT S

Introduction to Cybersecurity Cryptography (Part 5)

Short Exponent Diffie-Hellman Problems

Topics in Cryptography. Lecture 5: Basic Number Theory

1 Cryptographic hash functions

1 Cryptographic hash functions

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

2 Message authentication codes (MACs)

Lecture 7: ElGamal and Discrete Logarithms

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Advanced Topics in Cryptography

A survey on quantum-secure cryptographic systems

Introduction to Public-Key Cryptosystems:

CSc 466/566. Computer Security. 5 : Cryptography Basics

Lecture 13: Private Key Encryption

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Discrete logarithm and related schemes

10 Concrete candidates for public key crypto

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

CSC 5930/9010 Modern Cryptography: Number Theory

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

basics of security/cryptography

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Topics. Probability Theory. Perfect Secrecy. Information Theory

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Solutions to homework 2

Chapter 11 : Private-Key Encryption

Indistinguishability and Pseudo-Randomness

Other Public-Key Cryptosystems

Public Key Cryptography

Lectures 2+3: Provable Security

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Security II: Cryptography

Message Authentication

Lecture 18: Message Authentication Codes & Digital Signa

Security II: Cryptography

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 1: Introduction to Public key cryptography

Lecture 17: Constructions of Public-Key Encryption

Post-quantum security models for authenticated encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Digital Signatures. p1.

Semantic Security of RSA. Semantic Security

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Scribe for Lecture #5

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

El Gamal A DDH based encryption scheme. Table of contents

Integers and Division

Lecture 10: NMAC, HMAC and Number Theory

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Symmetric Encryption

CS 6260 Applied Cryptography

Lecture 9 - Symmetric Encryption

Transcription:

Homework #2

Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n

Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O( 1 ) 2 p n 2. n m > n 1 2 p m > μ m 3. n m > n 1 p m - μ m > 1 2p(m) 4. 1 p n - μ n O(1/p(n))

Question 2.2 Show that p(n) * μ n is negligible 1. p n is polynomial c N such that p n O(n c ) 2. μ n is negligible d N, μ n O(n d ) 3. d N, p n μ n O(n c d ) 4. e N, p n μ n O n e 5. Step 4 is equivalent to saying that p n μ n is negligible

Question 3

Question 3 Description of distinguisher z x A(y) z g x y y

Question 3 Pr[D G 0 = 1)] 1 1/p(n) D G 0 = 0 only when g(a(y)) = y Pr g A y = y 1/p(n) Pr D G 0 = 0 1/p n Pr D G 0 = 1 1 1/p(n)

Question 3 Pr[D G 1 = 1)] 1 1/2 n D G 1 = 0 only when g(a(y)) = y Pr g A y = y Pr g 1 y Pr g 1 y 2 n Pr D G 1 = 0 2 n Pr D G 1 = 1 1 2 n

Question 3 Pr[D G 0 = 1)] 1 1/p(n) Pr[D G 1 = 1)] 1 1/2 n Pr D G 1 = 1 Pr D G 0 = 1 1 1/2 n (1 1/p(n)) Pr D G 1 = 1 Pr D G 0 = 1 1/p(n) 1/2 n Pr D G 1 = 1 Pr D G 0 = 1 1 g is not a pseudo-random generator 2 p n

G (r) = G r 1 n is a PRG y r R 0,1 n y G(r 1 n ) y r R 0,1 n y G(r) := indistinguishable y R 0,1 2n y

G r G(r) G r 1 n is not a PRG 1. G b r b G r is also a PRG when G is a PRG 2. G b r b G r (b 1) G r 1 n 1 3. G b r b b 1) G r G r 1 n 1 4. G b r 1 G r G r 1 n 1 5. First bit of output is always 1 not random at all.

G (r) defined as the first l(n) 1 bits of G r G (r) defined as the first l(n) 1 bits of G r Is always pseudo-random (always is indistinguishable from random) If l n = n + 1 Input size is the same as the output size Therefore does not have the expansion property

G (r) = G (G(r)) where G is also a PRG y r R 0,1 n y G (G(r)) y r R y G (r) 0,1 l(n) := indistinguishable y R 0,1 l (n) y

Question 5 M={1100,0110,1001} 1100 0110 = 1010 1010 1001 = 0101 If we xor 1010 to the ciphertext If m {1100,0110}, the validation oracle will return accept If m = 1001, the validation oracle will return reject

Question 6 Validation oracle always accepts since all messages are valid

Question 3.9 Construct a pseudo-random function Input length log(n) Key-length n 2 log n = n Function that takes log n bits and produces a single random output bit For each input, choose a random output bit Since there are only n possible inputs, you can get a single output

Question 8 Forge a mac tag when p=183 and (m,t) = (0,53) 183 = 3 61 m, t = (0,53) m, t (61,53) 61*k + t = t (mod 183) when k % 3 = 0

Is F k x F k 0 x F k 1 x PRF? Yes, because an adversary in a PRF can choose inputs of his choice In particular, he can sample x and query both 0 x 1 x

F k x F k 0 x F k x 1 is not a PRF? Choose x such that 0 x = x 1 Denote x 0 x = x 1 F k x = F k 0 x F k x 1 = F k x F k x = (c, c)

Show that Ax+b (mod 2) is not a pseudorandom function Construct an (A,b) as follows b = f(x 0 ) where x 0 = (0,, 0) A i = f x i b where x i = 0 i 1 0 n i 1 Sample a random x i 0,1 n Test if Ax + b f x Output random if Ax + b f x Output pseudo-random if Ax+ b = f(x)

Question 3.18 Dec(c) r m f 1 c Output m Proof of security: Step 1: Probability of collision that the same r is used is negligible Step 2: Show that a distinguisher which breaks this scheme can also break the pseudo-random property of this scheme Cannot distinguish which message was encrypted when Random function is used If you could distinguish between the two, then you can distinguish between random and pseudo-random

What happens with dropped blocks for CBC, OFB, CTR All blocks after dropped block decrypt incorrectly Possible to recover if you guess a block is missing for OFB and CTR

How to encrypt a message when one encryption scheme is insecure One-time pad is the key m c 1, c 2 r R 0,1 n m m r c 1 Enc 1 (r) c 2 Enc 2 (m ) c 1, c 2 m r Dec 1 (c 1 ) m Dec 2 (c 2 ) m m r ENC Dec

Groups, fields, primes

Divisibility Definition: a divides n written as a n) if there exists a number c such that ca = n GCD a, b max x N (x a ) and (x b)

Relatively prime We say that two numbers a, b are relatively prime (co-prime) GCD(a, b) = 1 Examples 15,32 24, 35 Non-example 2,14 3, 183

Group A group Consists Set S Operation S S S Identity-element Properties Closure x, y S x y S Identity e S x S e x = x (we use e to denote the identity element) Associativity x, y, z S x y z x (y z) Inverse: x S y S x y = e Extra property Commutativity: x, y S x y = y x

Discrete logarithm Given group G, generator g, For a given y find x such g x = y Reminder g is a generator if {g i i N G Cryptographers hope that in certain groups, finding discrete logarithm is hard.

Z n Z n x Z n GCD x, n = 1} Z n, is an abelian group when denotes modular multiplication Z n Going to be critical for many cryptosystems.

Z 6 Z 6 x Z 6 GCD x, 6 = 1} = {1,5}

Z 6 Z 6 x Z 6 GCD x, 6 = 1} = {1,5} The multiplicative inverse of x in Z n y Z n such that x y = 1 (mod n) Inverses : (1,1) (5,5)

Z 6 Z 6 x Z 6 GCD x, 6 = 1} = {1,5} Group generated (power table) 5 (5 1, 5 2 ) = (5,1) (5 is a generator of the group) 1 1 (1 is not a generator) Inverses : (1,1) (5,5)

(Z 7, ) Multiplicative inverse 1,1 (2,4) (3,5) (6,6) Generator (power table) 3 3 1, 3 2, 3 3, 3 4, 3 5, 3 6, 3 7 = 3,2,6,4,5,1 5 5 1, 5 2, 5 3, 5 4, 5 5, 5 6, 5 7 = 5,4,6,2,3,1

Discrete logarithm Generator (power table) 3 3 1, 3 2, 3 3, 3 4, 3 5, 3 6, 3 7 = 3,2,6,4,5,1 5 5 1, 5 2, 5 3, 5 4, 5 5, 5 6, 5 7 = 5,4,6,2,3,1 Log 3 1,2,3,4,5,6 (7,2,1,4,5,3) Log 5 1,2,3,4,5,6 (7,4,5,2,1,6)

Z 8 Z 8 x Z 8 GCD x, 8 = 1} = {1,3,5,7} The multiplicative inverse of x in Z n y Z n such that x y = 1 (mod n) Inverses : (1,1) (3,3) (5,5) (7,7)

Z 8 Z 8 x Z 8 GCD x, 8 = 1} = {1,3,5,7} Subgroups of Z 8 are either of size 1,2,4 Group generated 1 {1} 3 3,1 5 {5,1} 7 {7,1} Z 8 has no generators

Z 15 Z 15 x Z 15 GCD x, 15 = 1} = {1,2,4,7,8,11,13,14} The multiplicative inverse of x in Z n y Z n such that x y = 1 (mod n) Inverses : (1,1) (2,8) (4,4) (7,13) (11,11) (14,14)

Z 15 Z 15 x Z 15 GCD x, 15 = 1} = {1,2,4,7,8,11,13,14} The multiplicative inverse of x in Z n y Z n such that x y = 1 (mod n) Subgroups (1,4,11,14) -> ({1},{4,1},{11,1},{14,14}} 2 -> {2,4,8,1} 8 -> {8,4,2,1} 7 -> {7,4,13,1} 13 -> (13,)

Examples of group (Z n 0, ) is a group if and only if n is prime

Field Field Consists Set S Operations +, Zero-element 0 One-element 1 Properties (S, +) is a commutative group with identity element 0 (inverse of a is a) S 0, is a commutative group with identity element 1 (inverse of a is a 1 = 1/a) Distributivity:

Arithmetic fields over (mod n) (Z n, +, ) is a field if and only if n is prime

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback