DOCSLIB.ORG

Pseudo-Random Synthesizers, Functions and Permutations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

PseudoRandom Synthesizers Functions and Permutations Thesis for the Degree of DOCTOR of PHILOSOPHY by Omer Reingold Department of Applied Mathematics and Computer Science Weizmann Institute of Science Submitted to the Scientic Council of The Weizmann Institute of Science Rehovot Israel November i ii Thesis Advisor Professor Moni Naor Department of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot Israel Acknowledgments Writing these lines I realize how many p eople to ok part in my initiation into the world of science In the following few paragraphs I will try to acknowledge some of these many contributions Naturallymywarmest thanks are to Moni Naor my advisor and much more than that Thanking Moni for all he has done and b een to me these last four years is extremely easy and extremely hard at the same time Extremely easy since I havesomuchIwant to thank him for and Im grateful for this opp ortunity to do so a cynic might say that this is the ve so much I want most imp ortant function of the dissertation Extremely hard since I ha to thank him for what chance is there to do a go o d enough job Im sure that in the silent understanding b etween us Moni is more aware of the extent of friendship admiration and gratitude I have for him than I am able to express in words But this is not only for his eyes so letmedomy b est Thank you Moni for your close guidance in all dierent asp ects of the scientic pro cess In all things large and small I always knew that I can count on you Thank you for your constant encouragement for treating me as a colleague from the rst time I stepp ed into your oce when I deserved it even less than now and at the same time for sheltering me in a parental manner Thank you for pushing me forward when p ossible and for laying o in times work could not have b een a high priority for me Thank you for sharing with me in hours and hours of conversation your deep understanding and amazing knowledge of computer science as well as your scientic philosophy and an abundance of ideas all of which will surely nd their way into my research for years to come Last but certainly not least thank you for your friendship which was most explicitly articulated by Yael but was very clear to me all along The nest you have built for me is so warm that I hate leaving it Therefore at least in my mind I will not Before picking up the pace sp ecial thanks are due to one other friend teacher and Although my joint research with Ran Raz is not presented in this dis colleague of mine sertation I enjoyed it enormously and have learned much from it I enjoyed viewing Rans sup erb research capabilities and creativity in action hop e some of it has rubb ed o on me to o I admire his relentless optimism and enthusiasm I treasure his friendship so very deeply I wish for many more years of all of that lessons they have I thank my teachers at the Weizmann Institute for the invaluable taught me both inside and outside of the class ro om Sp ecial thanks to each member of the Cryptography group Oded Goldreich Sha Goldwasser Moni Naor and Adi Shamir I take great pride and pleasure in the fact that I have learned from this incredible group of researchers and even in being asso ciated with them I often toy with the idea of not iii iv ACKNOWLEDGMENTS graduating in order to continue learning in the presence of these exp erts I also thank Itai Benjamini Uri Feige Yoram Moses and David Peleg for their enlightening courses A group of researchers to whom I have sp ecial sentiments are my teachers from under graduate studies at TelAviv University Noga Alon Yossi Azar Amos Fiat Ron Shamir and Uri Zwick I thank them for installing in me the love for the foundations of computer science Over the years I have learned with and from many of myfello w students I will list only a few but I thank them all for many hours of work and fun Sp ecial thanks are due to my close brothers at the house of Moni namely Kobbi Nissim and BennyPinkas Having you guys around was priceless Many thanks are also due to Avishai Wo ol and to the new recruit Yehuda Lindell I also thank Tal Malkin for our jointwork at the coee shops of Manhattan and Tal Yadid for an extremely valuable time we sp ent together in undergraduate scho ol There are so many other p eople to whom I am in debt for sharing their knowledge and ideas with me The partial list that comes to mind rightnow includes Eli Biham Dan Boneh Ran Canetti Cynthia Dwork Russell Impagliazzo Daniele Micciancio Noam Nisan Steven Rudich Amnon TaShma Avi Wigderson and Shiyu Zhou I ap ologize to anyone I have forgetfully omitted and thank you all for many stimulating conversations Sp ecial thanks to Cynthia Russell and Steven for extending to me part of their sentiments for Moni Iwould also like to thank Joan Feigenbaum Christos Papadimitriou Charlie Racko and Umesh Vazirani for their warm hospitalityduringafew memorable visits I would like to acknowledge now the direct contributions to the work presented in this dissertation Most of the work is based on my joint research with Moni Section is based on jointwork with Eli Biham and Dan Boneh My research during this time was supp orted by a Clore Scholars award and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences We thank Sha Goldwasser and Jon Sorenson who brought to our attention and Mihir Bellare for his observation describ ed in Section Sp ecial thanks to Victor Shoup for suggesting the improved pro of of Lemma and for p ointing out We thank Ran Canetti Oded Goldreich Jo e Kilian Kobbi Nissim Benny Pinkas Amnon TaShma and the anonymous referees of the relevant journals and conferences for many helpful comments and for their diligent reading of some of the work included here It is dicult to overestimate Odeds contribution to the presentation of the work describ ed in Chapter Iwould also like to thank Oded Goldreich Jo e Kilian Yehuda Lindell and Alon Rosen for their comments on several parts of the dissertation Finally many thanks are due to my family and friends However they deserve their thanks in p erson and hop efuly I did not let them wait till now Abstract The research reected in this dissertation is a study of computational pseudorandomness More sp ecically the main ob jective of this research is the ecient and simple construction of pseudorandom functions and permutations where eciency refers b oth to the sequential and parallel time complexity of the computation Pseudorandom functions and permutations are fundamental cryptographic primitives with many applications in cryptog raphy and more generally in computational complexity Constructions of PseudoRandom Functions For our constructions of pseudorandom functions we intro duce and study a new crypto graphic primitive which we call a pseudorandom synthesizer and a generalization of this primitive whichwecallak dimensional pseudorandom synthesizer These primitiv es are of indep endent interest as well In addition we consider various applications of our construc tions and study some of the underlying cryptographic assumptions used in these construc tions The main results obtained by this research are Intro ducing new cryptographic primitives called pseudorandom synthesizer and k dimensional pseudorandom synthesizer Using pseudorandom synthesizers for a parallel construction of a pseudorandom func tion the depth of the functions is larger by a logarithmic factor than the depth of the synthesizers Showing several NC implementations of synthesizers based on concrete intractability assumptions such as factoring and the computational DieHellman assumption Showing a very simple parallel construction of synthesizers based on what we call weak pseudorandom functions which implies simple constructions of synthesizers based on trap do or oneway permutations and based on any hardtolearn problem under the denition of These results yield the rst parallel pseudorandom functions based on computational in tractability assumptions and the rst alternative to the original construction of Goldre ich Goldwasser and Micali In addition we show two new constructions of pseudo random functions that are related to the construction based on synthesizers The pseudo randomness of one construction is proven under the assumption that factoring is hard while v vi ABSTRACT the other construction is pseudorandom if the decisional version of the DieHel lman as sumption holds These functions have the following prop erties They are much more ecient than previous prop osals Computing the value of our functions at any given pointinvolves two subset pro ducts They are in TC the class of functions computable by constant depth circuits con sisting of a p olynomial number of threshold gates This fact has several interesting applications They have a simple algebraic structure that implies additional features In particular weshow a zeroknowledge pro of for statements of the form y f x and y f x s s given a commitmenttoa key s of a pseudorandom function f s We discuss some applications of our constructions in cryptography including applications in publickey cryptography as well as their consequences in computational complexity and in computational learningtheory Constructions of PseudoRandom Permutations Luby and Racko showed a metho d for constructing a pseudorandom p ermutation from a pseudorandom function The metho d is based on comp osing four or three for weakened security so called Feistel p ermutations each of which requires the evaluation of a pseudo random function
Recommended publications
  • Balanced Permutations Even–Mansour Ciphers

    Balanced Permutations Even–Mansour Ciphers

    Article Balanced Permutations Even–Mansour Ciphers Shoni Gilboa 1, Shay Gueron 2,3 ∗ and Mridul Nandi 4 1 Department of Mathematics and Computer Science, The Open University of Israel, Raanana 4353701, Israel; [email protected] 2 Department of Mathematics, University of Haifa, Haifa 3498838, Israel 3 Intel Corporation, Israel Development Center, Haifa 31015, Israel 4 Indian Statistical Institute, Kolkata 700108, India; [email protected] * Correspondence: [email protected]; Tel.: +04-824-0161 Academic Editor: Kwangjo Kim Received: 2 February 2016; Accepted: 30 March 2016; Published: 1 April 2016 Abstract: The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikoli´c et al. and Dinur et al. for r = 2, 3. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikoli´c et al.): for a “typical” permutation P, the distribution of P(x) ⊕ x is not uniform. This naturally raises the following question. Let us call permutations for which the distribution of P(x) ⊕ x is uniformly “balanced” — is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even–Mansour block cipher? We show how to generate families of balanced permutations from the Luby–Rackoff construction and use them to define a 2n-bit block cipher from the 2-round Even–Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of f0, 1g2n, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is o(2n/2).
  • Definition of PRF 4 Review: Security Against Chosen-Plaintext Attacks

    Definition of PRF 4 Review: Security Against Chosen-Plaintext Attacks

    1 Announcements – Paper presentation sign up sheet is up. Please sign up for papers by next class. – Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: – Symmetric key encryption: various security defintions and constructions. This lecture: – Review definition of PRF, construction (and proof) of symmetric key encryption from PRF – Block ciphers, modes of operation – Public Key Encryption – Digital Signature Schemes – Additional background for readings 3 Review: Definition of PRF Definition 1. Let F : f0; 1g∗ × f0; 1g∗ ! f0; 1g∗ be an efficient, length-preserving, keyed function. We say that F is a pseudorandom function if for all probabilistic polynomial-time distinguishers D, there exists a negligible function neg such that: FSK (·) n f(·) n Pr[D (1 ) = 1] − Pr[D (1 ) = 1] ≤ neg(n); where SK f0; 1gn is chosen uniformly at random and f is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings. 4 Review: Security Against Chosen-Plaintext Attacks (CPA) The experiment is defined for any private-key encryption scheme E = (Gen; Enc; Dec), any adversary A, and any value n for the security parameter: cpa The CPA indistinguishability experiment PrivKA;E (n): 1. A key SK is generated by running Gen(1n). n 2. The adversary A is given input 1 and oracle access to EncSK(·) and outputs a pair of messages m0; m1 of the same length. 3. A random bit b f0; 1g is chosen and then a ciphertext C EncSK(mb) is computed and given to A. We call C the challenge ciphertext.
  • Cs 255 (Introduction to Cryptography)

    Cs 255 (Introduction to Cryptography)

    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
  • Asphalion: Trustworthy Shielding Against Byzantine Faults

    Asphalion: Trustworthy Shielding Against Byzantine Faults

    Asphalion: Trustworthy Shielding Against Byzantine Faults IVANA VUKOTIC, SnT, University of Luxembourg VINCENT RAHLI, University of Birmingham PAULO ESTEVES-VERÍSSIMO, SnT, University of Luxembourg Byzantine fault-tolerant state-machine replication (BFT-SMR) is a technique for hardening systems to tolerate arbitrary faults. Although robust, BFT-SMR protocols are very costly in terms of the number of required replicas (3f + 1 to tolerate f faults) and of exchanged messages. However, with “hybrid” architectures, where “normal” components trust some “special” components to provide properties in a trustworthy manner, the cost of using BFT can be dramatically reduced. Unfortunately, even though such hybridization techniques decrease the message/time/space complexity of BFT protocols, they also increase their structural complexity. Therefore, we introduce Asphalion, the first theorem prover-based framework for verifying implementations of hybrid systems and protocols. It relies on three novel languages: (1) HyLoE: a Hybrid Logic of Events to reason about hybrid fault models; (2) MoC: a Monadic Component language to implement systems as collections of interacting hybrid components; and (3) LoCK: a sound Logic Of events-based Calculus of Knowledge to reason about both homogeneous and hybrid systems at a high-level of abstraction (thereby allowing reusing proofs, and capturing the high-level logic of distributed systems). In addition, Asphalion supports compositional reasoning, e.g., through mechanisms to lift properties about trusted-trustworthy components, to the level of the distributed systems they are integrated in. As a case study, we have verified crucial safety properties (e.g., agreement) of several implementations of hybrid protocols. CCS Concepts: • Theory of computation → Logic and verification.
  • Sok: a Consensus Taxonomy in the Blockchain Era*

    Sok: a Consensus Taxonomy in the Blockchain Era*

    SoK: A Consensus Taxonomy in the Blockchain Era* Juan A. Garay Aggelos Kiayias† Texas A&M University University of Edinburgh & IOHK [email protected] [email protected] Sunday 8th December, 2019 Abstract Consensus is arguably one of the most fundamental problems in distributed computing, playing also an important role in the area of cryptographic protocols as the enabler of a secure broadcast functionality. While the problem has a long and rich history and has been analyzed from many dif- ferent perspectives, recently, with the advent of blockchain protocols like Bitcoin, it has experienced renewed interest from a much wider community of researchers and has seen its application expand to various novel settings. One of the main issues in consensus research is the many different variants of the problem that exist as well as the various ways the problem behaves when different setup, computational assump- tions and network models are considered. In this work we perform a systematization of knowledge in the landscape of consensus research in the Byzantine failure model starting with the original formu- lation in the early 1980s up to the present blockchain-based new class of consensus protocols. Our work is a roadmap for studying the consensus problem under its many guises, classifying the way it operates in the various settings and highlighting the exciting new applications that have emerged in the blockchain era. 1 Introduction The consensus problem—reaching agreement distributedly in the presence of faults—has been exten- sively studied in the literature starting with the seminal work of Shostak, Pease and Lamport [PSL80, LSP82].
  • An In-Depth Analysis of Various Steganography Techniques

    An In-Depth Analysis of Various Steganography Techniques

    International Journal of Security and Its Applications Vol.9, No.8 (2015), pp.67-94 http://dx.doi.org/10.14257/ijsia.2015.9.8.07 An In-depth Analysis of Various Steganography Techniques Sangeeta Dhall, Bharat Bhushan and Shailender Gupta YMCA University of Science and Technology [email protected], [email protected], [email protected] Abstract The Steganography is an art and technique of hiding secret data in some carrier i.e. image, audio or video file. For hiding data in an image file various steganography techniques are available with their respective pros and cons. Broadly these techniques are classified as Spatial domain techniques, Transform domain techniques, Distortion techniques and Visual cryptography. Each technique is further classified into different types depending on their actual implementation. This paper is an effort to provide comprehensive comparison of these steganography techniques based on different Performance Metrics such as PSNR, MSE, MAE, Intersection coefficient, Bhattacharyya coefficient, UIQI, NCD, Time Complexity and Qualitative analysis. For this purpose a simulator is designed in MATLAB to implement above said techniques. The techniques are compared based on performance metrics. Keywords: Steganography, Classification of Steganography Techniques, Performance Metrics and MATLAB 1. Introduction "Steganography is the art and science of communicating in a way which hides the existence of the communication. In contrast to Cryptography, where the enemy is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by the cover message with the embedded cryptosystem. The goal of Steganography is to hide messages inside other harmless messages in a way that does not allow any enemy to even detect that there is a second message present"[1].
  • Cryptography

    Cryptography

    Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant distributed computing, and more. We cannot hope to give a comprehensive account of the ¯eld here. Instead, we will narrow our focus to those aspects of cryptography most relevant to the problem of secure communication. Broadly speaking, secure communication encompasses two complementary goals: the secrecy and integrity of communicated data. These terms can be illustrated using the simple example of a user A attempting to transmit a message m to a user B over a public channel. In the simplest sense, techniques for data secrecy ensure that an eavesdropping adversary (i.e., an adversary who sees all communication occurring on the channel) cannot learn any information about the underlying message m. Viewed in this way, such techniques protect against a passive adversary who listens to | but does not otherwise interfere with | the parties' communication. Techniques for data integrity, on the other hand, protect against an active adversary who may arbitrarily modify the information sent over the channel or may inject new messages of his own. Security in this setting requires that any such modi¯cations or insertions performed by the adversary will be detected by the receiving party. In the cases of both secrecy and integrity, two di®erent assumptions regarding the initial set-up of the communicating parties can be considered. In the private-key setting (also known as the \shared-key," \secret-key," or \symmetric-key" setting), which was the setting used exclusively for cryptography until the mid-1970s, parties A and B are assumed to have shared some secret information | a key | in advance.
  • Self-Sorting SSD: Producing Sorted Data Inside Active Ssds

    Self-Sorting SSD: Producing Sorted Data Inside Active Ssds

    Foreword This volume contains the papers presentedat the Third Israel Symposium on the Theory of Computing and Systems (ISTCS), held in Tel Aviv, Israel, on January 4-6, 1995. Fifty five papers were submitted in response to the Call for Papers, and twenty seven of them were selected for presentation. The selection was based on originality, quality and relevance to the field. The program committee is pleased with the overall quality of the acceptedpapers and, furthermore, feels that many of the papers not used were also of fine quality. The papers included in this proceedings are preliminary reports on recent research and it is expected that most of these papers will appear in a more complete and polished form in scientific journals. The proceedings also contains one invited paper by Pave1Pevzner and Michael Waterman. The program committee thanks our invited speakers,Robert J. Aumann, Wolfgang Paul, Abe Peled, and Avi Wigderson, for contributing their time and knowledge. We also wish to thank all who submitted papers for consideration, as well as the many colleagues who contributed to the evaluation of the submitted papers. The latter include: Noga Alon Alon Itai Eric Schenk Hagit Attiya Roni Kay Baruch Schieber Yossi Azar Evsey Kosman Assaf Schuster Ayal Bar-David Ami Litman Nir Shavit Reuven Bar-Yehuda Johan Makowsky Richard Statman Shai Ben-David Yishay Mansour Ray Strong Allan Borodin Alain Mayer Eli Upfal Dorit Dor Mike Molloy Moshe Vardi Alon Efrat Yoram Moses Orli Waarts Jack Feldman Dalit Naor Ed Wimmers Nissim Francez Seffl Naor Shmuel Zaks Nita Goyal Noam Nisan Uri Zwick Vassos Hadzilacos Yuri Rabinovich Johan Hastad Giinter Rote The work of the program committee has been facilitated thanks to software developed by Rob Schapire and FOCS/STOC program chairs.
  • Security Levels in Steganography – Insecurity Does Not Imply Detectability

    Security Levels in Steganography – Insecurity Does Not Imply Detectability

    Electronic Colloquium on Computational Complexity, Report No. 10 (2015) Security Levels in Steganography { Insecurity does not Imply Detectability Maciej Li´skiewicz,R¨udigerReischuk, and Ulrich W¨olfel Institut f¨urTheoretische Informatik, Universit¨atzu L¨ubeck Ratzeburger Allee 160, 23538 L¨ubeck, Germany [email protected], [email protected], [email protected] Abstract. This paper takes a fresh look at security notions for steganography { the art of encoding secret messages into unsuspicious covertexts such that an adversary cannot distinguish the resulting stegotexts from original covertexts. Stegosystems that fulfill the security notion used so far, however, are quite inefficient. This setting is not able to quantify the power of the adversary and thus leads to extremely high requirements. We will show that there exist stegosystems that are not secure with respect to the measure considered so far, still cannot be detected by the adversary in practice. This indicates that a different notion of security is needed which we call undetectability. We propose different variants of (un)-detectability and discuss their appropriateness. By constructing concrete ex- amples of stegosystems and covertext distributions it is shown that among these measures only one manages to clearly and correctly differentiate different levels of security when compared to an intuitive understanding in real life situations. We have termed this detectability on average. As main technical contribution we design a framework for steganography that exploits the difficulty to learn the covertext distribution. This way, for the first time a tight analytical relationship between the task of discovering the use of stegosystems and the task of differentiating between possible covertext distributions is obtained.
  • Pseudorandom Functions from Pseudorandom Generators

    Pseudorandom Functions from Pseudorandom Generators

    Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF’s (pseudorandom functions) are extremely useful, and we’ll see some more applications of them later on. But are they perhaps too amazing to exist? Why would someone imagine that such a wonderful object is feasible? The answer is the following theorem: The PRF Theorem: Suppose that the PRG Conjecture is true, then there n exists a secure PRF collection {fs}s∈{0,1}∗ such that for every s ∈ {0, 1} , fs maps {0, 1}n to {0, 1}n. Proof: If the PRG Conjecture is true then in particular by the length extension theorem there exists a PRG G : {0, 1}n → {0, 1} that maps n bits into 2n bits. Let’s denote G(s) = G0(s)◦G1(s) where ◦ denotes concatenation. That is, G0(s) denotes the first n bits and G1(s) denotes the last n bits of G(s). n For i ∈ {0, 1} , we define fs(i) as Gin (Gin−1 (··· Gi1 (s))). This might be a bit hard to parse and is easier to understand via a figure: By the definition above we can see that to evaluate fs(i) we need to evaluate the pseudorandom generator n times on inputs of length n, and so if the pseudorandom generator is efficiently computable then so is the pseudorandom function. Thus, “all” that’s left is to prove that the construction is secure and this is the heart of this proof. I’ve mentioned before that the first step of writing a proof is convincing yourself that the statement is true, but there is actually an often more important zeroth step which is understanding what the statement actually means.
  • Efficient and Provably Secure Steganography

    Efficient and Provably Secure Steganography

    Efficient and Provably Secure Steganography Ulrich W¨olfel Dissertation Universit¨at zu Lubeck¨ Institut fur¨ Theoretische Informatik Aus dem Institut fur¨ Theoretische Informatik der Universit¨at zu Lubeck¨ Direktor: Prof. Dr. Rudiger¨ Reischuk Efficient and Provably Secure Steganography Inauguraldissertation zur Erlangung der Doktorwurde¨ der Universit¨at zu Lubeck¨ Aus der Sektion Informatik / Technik vorgelegt von Ulrich W¨olfel aus Kiel Lubeck,¨ Januar 2011 1. Berichterstatter: PD Dr. Maciej Li´skiewicz 2. Berichterstatter: Prof. Dr. Matthias Krause Tag der mundlichen¨ Prufung:¨ 05. Mai 2011 Zum Druck genehmigt. Lubeck,¨ den 06. Mai 2011 Danksagung An erster Stelle m¨ochte ich mich bei Maciej Li´skiewicz bedanken, der mich als mein Doktorvater auf dem Weg zur Promotion begleitet hat. In zahlreichen angeregten Diskussionen half er mir immer wieder, meine vielen unscharfen Ideen exakt zu formulieren und die einzelnen Ergebnisse zu einem koh¨arenten Ganzen zu schmieden. Ganz besonders m¨ochte ich auch Rudiger¨ Reischuk danken, der zusammen mit Maciej Li´skiewicz und mir Forschungsarbeiten durchgefuhrt¨ hat, deren Resultate den Kapiteln 5 und 6 zugrun- deliegen. Durch seine Bereitschaft, mich fur¨ das Jahr 2009 kurzfristig auf einer halben Stelle als wissenschaftlichen Mitarbeiter zu besch¨aftigen, konnte ich die Arbeit an der Dissertation gut voranbringen. Dafur¨ an dieser Stelle nochmals meinen herzlichen Dank. Ferner danke ich der Universit¨at zu Lubeck¨ und dem Land Schleswig-Holstein fur¨ die Gew¨ahrung eines Promotionsstipendiums, das ich vom 01. Januar 2005 bis 31. Juli 2005, in der Anfangsphase meines Promotionsvorhabens, in Anspruch nehmen konnte. Meinen Vorgesetzten und Kollegen im BSI und AMK m¨ochte ich fur¨ die sehr angenehme und freundliche Arbeitsatmosph¨are danken und dafur,¨ daß mir ausreichend Freiraum fur¨ die Anfertigung dieser Dissertation gegeben wurde.
  • Block Ciphers and Modes of Operation Table of Contents

    Block Ciphers and Modes of Operation Table of Contents

    Introduction Pseudorandom permutations Block Ciphers Modes of Operation Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Introduction Pseudorandom permutations Block Ciphers Modes of Operation Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation Introduction Pseudorandom permutations Block Ciphers Modes of Operation Keyed permutations: Some definitions Definition. Let F : 0, 1 0, 1 0, 1 be an efficient, { }⇤ ⇥ { }⇤ ! { }⇤ length-preserving, keyed function. We call F a keyed permutation if for every k, the function F ( )isone-to-one. k · Definition. We say that a keyed permutation is efficient if there is a polynomial time algorithm computing Fk (x) given k and x,aswell 1 as a polynomial-time algorithms computing Fk− (x) given k and x. Remark. The input and output lengths, called the block size are the same, but the key length may be smaller or larger than the block size. Introduction Pseudorandom permutations Block Ciphers Modes of Operation Pseudorandom permutations Definition. Let F : 0, 1 0, 1 0, 1 an efficient keyed { }⇤ ⇥ { }⇤ ! { }⇤ permutation. We say that F is a pseudorandom permutation if for all probabilistic polynomial-time distinguishers D,thereexistsa negligible function negl such that: F ( ) n f ( ) n Pr[D k · (1 ) = 1] Pr[D · (1 ) = 1] negl(n), − where k 0, 1 n is chosen uniformly at random and f is chosen { } uniformly at random from the set of permutations mapping n-bit strings to n-bit strings. Introduction Pseudorandom permutations Block Ciphers Modes of Operation Pseudorandom functions and permutations are polynomially indistinguishable Theorem 3.27. If F is a pseudorandom permutation then it is also a pseudorandom function.