Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016


The group: $\mathbb{Z}_N^*$

Let $N \ge 2$ be an integer. The set $\mathbb{Z}_N^* = \{a \in \{1, \dots, N-1\} \mid \gcd(a, N) = 1\}$ with respect to multiplication modulo $N$ is an abelian group.

- Identity: 1
- Inverse of $a$ exists
- Closure?

$\mathbb{Z}_p^* = \{1, \dots, p-1\}$

Cyclic Groups and Generators

Definition. Let $G$ be a finite group of order $|G| = m$. If there exists an element $g \in G$ of order $m$, then $G$ is called a cyclic group and $g$ is a generator of $G = \{g^0, g^1, \dots, g^{m-1}\}$.

If $g$ is a generator of $G$, then for every element $h \in G$ there exists $x \in \{0, \dots, m-1\}$ such that $h = g^x$.

The Discrete Logarithm

If $g$ is a generator of $G$, then for every element $h \in G$ there exists $x \in \{0, \dots, m-1\}$ such that $h = g^x$. Here $x$ is the discrete logarithm of $h$ with respect to $g$.

Definition. The discrete logarithm problem: Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$.

- Given: $h = g^x$ for $x \in \mathbb{Z}_m = \{0, \dots, m-1\}$
- Output: $x$ such that $g^x = h$

Definition. The discrete logarithm assumption: There exists a cyclic group $G$ for which the DL problem is hard.

Diffie-Hellman Assumptions

Definition. The computational Diffie-Hellman (CDH) problem: Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$.

- Given: $g^x, g^y$ for $x, y \in \mathbb{Z}_m = \{0, \dots, m-1\}$
- Output: $g^{xy}$

(Informal) Definition. The decisional Diffie-Hellman (DDH) problem: Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$. Goal: To distinguish between 2 distributions:

- $D_0 = \{g^x, g^y, g^{xy} \mid (x, y) \in \mathbb{Z}_m \times \mathbb{Z}_m\}$
- $D_1 = \{g^x, g^y, g^z \mid (x, y, z) \in \mathbb{Z}_m \times \mathbb{Z}_m \times \mathbb{Z}_m\}$

Diffie-Hellman Assumptions

- The DL problem is believed to be hard in cyclic groups of prime order
- The DL problem is believed to be hard in $\mathbb{Z}_p^*$, for $p$ prime
- The CDH problem is believed to be hard in $\mathbb{Z}_p^*$
- The DDH problem is not hard in $\mathbb{Z}_p^*$
- For $q = 2p + 1$, the DDH problem is believed to be hard in a subgroup of $\mathbb{Z}_q^*$ of order $p$ (quadratic residues)
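Why DDH fails in the full multiplicative group but not in the quadratic-residue subgroup can be checked exactly on a toy group. The following is an added example, not part of the recitation: it assumes the constructed safe prime q = 23 = 2·11 + 1 and a distinguisher based on Euler's criterion, and the function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

Q = 23          # toy safe prime (constructed for the example): Q = 2*P + 1
P = 11          # prime order of the quadratic-residue subgroup

def is_qr(a, q=Q):
    """Euler's criterion: a is a quadratic residue mod q iff a^((q-1)/2) = 1."""
    return pow(a, (q - 1) // 2, q) == 1

def find_generator(q=Q, p=P):
    """Smallest generator of Z_q^*: its order (a divisor of 2p) is not 1, 2 or p."""
    return next(g for g in range(2, q)
                if pow(g, 2, q) != 1 and pow(g, p, q) != 1)

def legendre_distinguisher(a, b, c):
    """Output 1 iff the residuosity of c is the one g^(xy) must have.
    In Z_q^*, g^x is a residue iff x is even, so g^(xy) is a residue
    iff g^x or g^y is."""
    return int(is_qr(c) == (is_qr(a) or is_qr(b)))

def exact_advantage(gen, order, adversary, q=Q):
    """Pr[A(D0)=1] - Pr[A(D1)=1], computed exactly over all exponents."""
    exps = range(order)
    hits0 = sum(adversary(pow(gen, x, q), pow(gen, y, q), pow(gen, x * y, q))
                for x, y in product(exps, repeat=2))
    hits1 = sum(adversary(pow(gen, x, q), pow(gen, y, q), pow(gen, z, q))
                for x, y, z in product(exps, repeat=3))
    return Fraction(hits0, order ** 2) - Fraction(hits1, order ** 3)

g = find_generator()          # generates all of Z_q^*, order q - 1 = 2p
h = pow(g, 2, Q)              # generates the quadratic residues, order p

ADV_FULL_GROUP = exact_advantage(g, Q - 1, legendre_distinguisher)
ADV_QR_SUBGROUP = exact_advantage(h, P, legendre_distinguisher)

if __name__ == "__main__":
    print("advantage in Z_q^*      :", ADV_FULL_GROUP)
    print("advantage in QR subgroup:", ADV_QR_SUBGROUP)
```

In the subgroup every element is a residue, so the residuosity test carries no information and the same adversary gains nothing.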

Indistinguishability

Definition. Let $D_0, D_1$ be two probability distributions over $\{0,1\}^n$. Then $D_0, D_1$ are ε-indistinguishable for an adversary $A$ if

$$\left| \Pr_{d_0 \leftarrow D_0}[A(d_0) = 1] - \Pr_{d_1 \leftarrow D_1}[A(d_1) = 1] \right| \le \varepsilon$$

1) If $D_0, D_1$ are ε-indistinguishable for any unbounded adversary $A$, we say that $D_0, D_1$ are statistically indistinguishable, denoted by $D_0 \approx_{s,\varepsilon} D_1$
2) If $D_0, D_1$ are ε-indistinguishable for any polynomial adversary $A$, we say that $D_0, D_1$ are computationally indistinguishable, denoted by $D_0 \approx_{c,\varepsilon} D_1$

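Indistinguishability

- Symmetric: $D_0 \approx_{\varepsilon} D_1 \Rightarrow D_1 \approx_{\varepsilon} D_0$
- Transitive: $D_0 \approx_{\varepsilon} D_1$ and $D_1 \approx_{\varepsilon} D_2 \Rightarrow D_0 \approx_{2\varepsilon} D_2$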

Pseudo-Randomness

Motivation: OTP

[Figure: $r$, PRG, $R$]

- Want to extract from a short, random seed a longer pseudorandom key
- A pseudorandom string looks like a uniformly distributed string

Definition. A function $G: \{0,1\}^n \to \{0,1\}^{n+s}$ ($s > 0$) is an ε-pseudorandom generator (ε-PRG) if $G(U_n) \approx_{c,\varepsilon} U_{n+s}$.

Meaning, we can't distinguish between the output of the PRG and true randomness.

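Pseudo-Randomness

Definition. A function $G: \{0,1\}^n \to \{0,1\}^{n+s}$ ($s > 0$) is an ε-pseudorandom generator (ε-PRG) if $G(U_n) \approx_{c,\varepsilon} U_{n+s}$.

Claim. There exists an unbounded adversary $A$ such that:

$$\left| \Pr_{u_0 \leftarrow U_n}[A(G(u_0)) = 1] - \Pr_{u_1 \leftarrow U_{n+s}}[A(u_1) = 1] \right| \ge 1 - \frac{2^n}{2^{n+s}} = 1 - \frac{1}{2^s}$$

[Figure: $\{0,1\}^n$, $G(\{0,1\}^n)$, $2^{n+s}$]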

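Pseudo-Randomness

[Figure: $\{0,1\}^n$, $G(\{0,1\}^n)$, $2^{n+s}$]

Claim. There exists an unbounded adversary $A$ such that:

$$\left| \Pr_{u_0 \leftarrow U_n}[A(G(u_0)) = 1] - \Pr_{u_1 \leftarrow U_{n+s}}[A(u_1) = 1] \right| \ge 1 - \frac{2^n}{2^{n+s}} = 1 - \frac{1}{2^s}$$

1. The adversary $A$ is given $u$
2. $A$ computes the set $S = \{G(s) \mid s \in \{0,1\}^n\}$
3. $A$ outputs 1 if and only if $u \in S$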
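The three steps of this adversary can be run on a generator small enough to enumerate. This is an added example, not part of the recitation: the generator `G` below is a SHA-256 based stand-in chosen for the example, and the sizes n = 8, s = 4 and all function names are assumptions.

```python
import hashlib
from fractions import Fraction
from itertools import product

N, S = 8, 4   # toy seed length and stretch, small enough to enumerate

def G(seed: str) -> str:
    """Stand-in generator {0,1}^N -> {0,1}^(N+S); SHA-256 is an assumption,
    not a proven PRG. Inputs and outputs are strings of '0'/'1'."""
    digest = hashlib.sha256(seed.encode()).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[: N + S]

def all_strings(length: int):
    """Every bit string of the given length."""
    return ("".join(bits) for bits in product("01", repeat=length))

def build_unbounded_adversary():
    """Step 2: S = {G(s) : s in {0,1}^N}. This costs 2^N evaluations of G,
    which is why the adversary is unbounded rather than polynomial."""
    image = {G(seed) for seed in all_strings(N)}
    # Step 3: output 1 iff the challenge u lies in the image of G.
    return (lambda u: int(u in image)), len(image)

def exact_advantage(adversary) -> Fraction:
    """Pr[A(G(U_n)) = 1] - Pr[A(U_{n+s}) = 1], by full enumeration."""
    accept_prg = Fraction(sum(adversary(G(s)) for s in all_strings(N)), 2 ** N)
    accept_uniform = Fraction(
        sum(adversary(u) for u in all_strings(N + S)), 2 ** (N + S))
    return accept_prg - accept_uniform

ADVERSARY, IMAGE_SIZE = build_unbounded_adversary()
ADVANTAGE = exact_advantage(ADVERSARY)

if __name__ == "__main__":
    print("image size:", IMAGE_SIZE, "of", 2 ** (N + S), "strings")
    print("advantage :", ADVANTAGE, ">=", 1 - Fraction(1, 2 ** S))
```

The bound holds for any function `G` with these lengths, since its image can contain at most 2^n of the 2^(n+s) strings.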

Back to Diffie-Hellman

(Informal) Definition. The decisional Diffie-Hellman (DDH) problem: Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$. Goal: To distinguish between 2 distributions:

- $D_0 = \{g^x, g^y, g^{xy} \mid (x, y) \in \mathbb{Z}_m \times \mathbb{Z}_m\}$
- $D_1 = \{g^x, g^y, g^z \mid (x, y, z) \in \mathbb{Z}_m \times \mathbb{Z}_m \times \mathbb{Z}_m\}$

Definition. Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$. Define

- $D_0 = \{g^x, g^y, g^{xy} \mid (x, y) \in \mathbb{Z}_m \times \mathbb{Z}_m\}$
- $D_1 = \{g^x, g^y, g^z \mid (x, y, z) \in \mathbb{Z}_m \times \mathbb{Z}_m \times \mathbb{Z}_m\}$

Then we say that the DDH problem is hard in $G$ if $D_0 \approx_{c,\varepsilon} D_1$.

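DDH $\Rightarrow$ PRG

Let $G$ be a cyclic group of order $|G| = m$ and a generator $g \in G$ in which DDH is hard. Define the PRG:

$$\mathrm{PRG}: \mathbb{Z}_m \times \mathbb{Z}_m \to G \times G \times G, \qquad \mathrm{PRG}(x, y) = (g^x, g^y, g^{xy})$$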

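PRG Expansion

Assume we have a PRG $G_1: \{0,1\}^n \to \{0,1\}^{n+1}$. We want to construct a PRG $G_2: \{0,1\}^n \to \{0,1\}^{n+2}$.

[Figure: $x_1 \dots x_n \to G_1 \to y_1 \dots y_n\, y_{n+1}$; $y_1 \dots y_n \to G_1 \to z_1 \dots z_n\, z_{n+1}$]

$$G_2(x) = G_1\big(G_1(x)_{1,\dots,n}\big) \,\|\, G_1(x)_{n+1}$$

where $G_1(x)_{1,\dots,n} = y_1 \dots y_n$ and $G_1(x)_{n+1} = y_{n+1}$.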

PRG Expansion

$$G_2(x) = G_1\big(G_1(x)_{1,\dots,n}\big) \,\|\, G_1(x)_{n+1}$$

How do we prove that this is a PRG?

- We need to show $G_2(U_n) \approx_{c,2\varepsilon} U_{n+2}$
- We know $G_1(U_n) \approx_{c,\varepsilon} U_{n+1}$

We will prove two claims:

1) $G_1\big(G_1(U_n)_{1,\dots,n}\big) \,\|\, G_1(U_n)_{n+1} \approx_{c,\varepsilon} G_1(U_n) \,\|\, U_1$
2) $G_1(U_n) \,\|\, U_1 \approx_{c,\varepsilon} U_{n+2}$

PRG Expansion

1) $G_1\big(G_1(U_n)_{1,\dots,n}\big) \,\|\, G_1(U_n)_{n+1} \approx_{c,\varepsilon} G_1(U_n) \,\|\, U_1$:

Assume that there exists an adversary $A_2$ such that

$$\left| \Pr_{d_0 \leftarrow G_2(U_n)}[A_2(d_0) = 1] - \Pr_{d_1 \leftarrow G_1(U_n) \| U_1}[A_2(d_1) = 1] \right| > \varepsilon$$

Then, construct the following adversary $A_1$ that distinguishes between $G_1(U_n)$ and $U_{n+1}$:

1. The adversary $A_1$ is given $u$ (either from $G_1(U_n)$ or $U_{n+1}$)
2. Denote $x = u_{1,\dots,n}$ and $y = u_{n+1}$
3. $A_1$ runs $A_2(G_1(x) \,\|\, y)$ and returns the same output

PRG Expansion

2) $G_1(U_n) \,\|\, U_1 \approx_{c,\varepsilon} U_{n+2}$:

Assume that there exists an adversary $A_2$ such that

$$\left| \Pr_{d_0 \leftarrow G_1(U_n) \| U_1}[A_2(d_0) = 1] - \Pr_{d_1 \leftarrow U_{n+2}}[A_2(d_1) = 1] \right| > \varepsilon$$

Then, construct the following adversary $A_1$ that distinguishes between $G_1(U_n)$ and $U_{n+1}$:

1. The adversary $A_1$ is given $u$ (either from $G_1(U_n)$ or $U_{n+1}$)
2. $A_1$ chooses at random $u' \leftarrow U_1$
3. $A_1$ runs $A_2(u \,\|\, u')$ and returns the same output
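The construction of $G_2$ and the two reductions can be written out to see exactly what each $A_1$ hands to $A_2$. This is an added example, not part of the recitation: `G1` is a SHA-256 based stand-in assumed for the example, bit strings are Python strings of '0'/'1', and the helper names are hypothetical.

```python
import hashlib

N = 16  # seed length in bits (toy size chosen for the example)

def G1(x: str) -> str:
    """Stand-in for a PRG {0,1}^n -> {0,1}^(n+1); SHA-256 is an assumption,
    not a proven PRG. Input and output are strings of '0'/'1'."""
    digest = hashlib.sha256(x.encode()).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[: len(x) + 1]

def G2(x: str) -> str:
    """G2(x) = G1(G1(x)_{1..n}) || G1(x)_{n+1}, stretching n bits to n+2."""
    y = G1(x)
    return G1(y[:-1]) + y[-1]

def reduction_claim1(A2):
    """A1 for claim 1: split u into x || y and run A2 on G1(x) || y."""
    def A1(u: str) -> int:
        x, y = u[:-1], u[-1]
        return A2(G1(x) + y)
    return A1

def reduction_claim2(A2, coin):
    """A1 for claim 2: append a fresh bit u' = coin() and run A2 on u || u'."""
    def A1(u: str) -> int:
        return A2(u + coin())
    return A1

def input_seen_by_A2(make_A1, u: str) -> str:
    """Run a reduction on challenge u with a recording A2 and return the
    string that A2 was actually given."""
    seen = []
    A1 = make_A1(lambda d: seen.append(d) or 0)
    A1(u)
    return seen[0]

if __name__ == "__main__":
    seed = "1011001110001111"            # constructed sample seed
    u = G1(seed)                         # challenge drawn from G1(U_n)
    # Claim 1: on a G1 output, A2 sees exactly G2(seed).
    print(input_seen_by_A2(reduction_claim1, u) == G2(seed))
```

When the challenge is instead uniform in $\{0,1\}^{n+1}$, the claim 1 reduction feeds $A_2$ a sample of $G_1(U_n) \| U_1$, so $A_1$ inherits $A_2$'s advantage in both cases.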

One Way Function (OWF)

Definition. A function $f: \{0,1\}^n \to \{0,1\}^m$ is an ε-one way function (ε-OWF) if for any polynomial time adversary $A$:

$$\Pr_{x \leftarrow \{0,1\}^n}[A(f(x)) = x] < \varepsilon$$

- What if $f$ is not one-to-one?
- What is ε?

DL $\Rightarrow$ OWF

Let $p$ be a prime and a generator $g \in \mathbb{Z}_p^*$ (in which DL is hard). Define the OWF:

$$f(x) = g^x \bmod p$$