DOCSLIB.ORG

A Course in Cryptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

a Course in Cryptography rafael pass abhi shelat c 2007 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Contents Contents i List of Algorithms and Protocols v List of Definitions vi Preface vii Notation ix 1 Introduction 1 1.1 Classical Cryptography: Hidden Writing . 1 1.2 Modern Cryptography: Provable Security . 5 1.3 Shannon’s Treatment of Provable Secrecy . 9 1.4 Overview of the Course . 16 2 Computational Hardness 19 2.1 Efficient Computation and Efficient Adversaries . 19 2.2 One-Way Functions . 23 2.3 Multiplication, Primes, and the Factoring Assumption . 25 2.4 Weak One-way Functions . 28 2.5 Hardness Amplification . 30 2.6 Collections of One-Way Functions . 34 2.7 Basic Computational Number Theory . 35 2.8 Factoring-based Collection . 43 2.9 Discrete Logarithm-based Collection . 43 2.10 RSA collection . 45 2.11 One-way Permutations . 46 2.12 Trapdoor Permutations . 47 2.13 A Universal One Way Function . 48 i II CONTENTS 3 Indistinguishability & Pseudo-Randomness 51 3.1 Computational Indistinguihability . 52 3.2 Pseudo-randomness . 57 3.3 Pseudo-random generators . 60 3.4 Hard-Core Bits from Any OWF . 65 3.5 Secure Encryption . 71 3.6 An Encryption Scheme with Short Keys . 72 3.7 Multi-message Secure Encryption . 73 3.8 Pseudorandom Functions . 74 3.9 Construction of Multi-message Secure Encryption . 78 3.10 Public Key Encryption . 80 3.11 El-Gamal Public Key Encryption scheme . 83 3.12 A Note on Complexity Assumptions . 84 4 Knowledge 87 4.1 When Does a Message Convey Knowledge . 87 4.2 A Knowledge-Based Notion of Secure Encryption . 88 4.3 Zero-Knowledge Interactions . 90 4.4 Interactive Protocols . 91 4.5 Interactive Proofs . 93 4.6 Zero-Knowledge Proofs . 97 4.7 Zero-knowledge proofs for NP . 100 4.8 Proof of knowledge . 105 4.9 Applications of Zero-knowledge . 105 5 Authentication 107 5.1 Message Authentication . 107 5.2 Message Authentication Codes . 108 5.3 Digital Signature Schemes . 109 5.4 A One-Time Digital Signature Scheme for 0, 1 n . 110 { } 5.5 Collision-Resistant Hash Functions . 112 5.6 A One-Time Digital Signature Scheme for 0, 1 . 116 { }∗ 5.7 *Signing Many Messages . 118 5.8 Intuition for Constructing Efficient Digital Signature . 120 5.9 Zero-knowledge Authentication . 121 6 Computing on Secret Inputs 123 6.1 Secret Sharing . 123 6.2 Secure Computation . 125 6.3 Yao Circuit Evaluation . 126 III 7 Composability 135 7.1 Composition of Encryption Schemes . 135 7.2 Composition of Zero-knowledge Proofs* . 142 7.3 Composition Beyond Zero-Knowledge Proofs . 144 8 *More on Randomness and Pseudorandomness 145 8.1 A Negative Result for Learning . 145 8.2 Derandomization . 145 8.3 Imperfect Randomness and Extractors . 147 A Basic Probability 151 B Basic Complexity Classes 155 List of Algorithms and Protocols 2.5 A (f, y) where y 0, 1 n ..................... 32 0 ∈ { } 2.13 funiversal(y): A Universal One-way Function . 49 3.4 (y) .................................. 69 B 3.4 (y) for the General case . 70 B 3.6 Encryption Scheme for n-bit message . 72 3.9 Many-message Encryption Scheme . 78 3.10 1-Bit Secure Public Key Encryption . 82 3.11 El-Gamal Secure Public Key Encryption . 84 4.5 Protocol for Graph Non-Isomorphism . 94 4.5 Protocol for Graph Isomorphism . 96 4.6 Simulator for Graph Isomorphism . 99 4.7 Zero-Knowledge for Graph 3-Coloring . 102 4.7 Simulator for Graph 3-Coloring . 103 5.2 MAC Scheme . 108 5.4 One-Time Digital Signature Scheme . 110 5.5 Collision Resistant Hash Function . 115 5.6 One-time Digital Signature for 0, 1 . 117 { }∗ 6.1 Shamir Secret Sharing Protocol . 124 6.3 A Special Encryption Scheme . 128 6.3 Oblivious Transfer Protocol . 132 6.3 Honest-but-Curious Secure Computation . 132 v VI LIST OF DEFINITIONS 7.2 ZK Protocol that is not Concurrently Secure . 143 List of Definitions 1.1 Private-key Encryption . 3 1.3 Shannon secrecy . 10 1.3 Perfect Secrecy . 10 2.1 Efficient Private-key Encryption . 22 2.2 Worst-case One-way Function . 23 2.6 Collection of OWFs . 34 2.11 One-way permutation . 46 2.12 Trapdoor Permutations . 47 3.1 Computational Indistinguishability . 54 3.2 Pseudo-random Ensembles . 57 3.3 Pseudo-random Generator . 60 3.3 Hard-core Predicate . 61 3.5 Secure Encryption . 71 3.7 Multi-message Secure Encryption . 73 3.8 Oracle Indistinguishability . 75 3.8 Pseudo-random Function . 76 3.10 Public Key Encryption Scheme . 80 3.10 Secure Public Key Encryption . 81 4.2 Zero-Knowledge Encryption . 88 4.5 Interactive Proof . 93 4.5 Interactive Proof with Efficient Provers . 96 4.7 Commitment . 101 5.3 Security of Digital Signatures . 110 Preface We would like to thank the students of CS 687 (Stephen Chong, Michael Clarkson, Michael George, Lucja Kot, Vikram Krishnaprasad, Huijia Lin, Jed Liu, Ashwin Machanavajjhala, Tudor Marian, Thanh Nguyen, Ariel Rabkin, Tom Roeder, Wei-lung Tseng, Muthuramakrishnan Venkitasubramaniam and Parvathinathan Venkitasubramaniam) for scribing the original lecture notes which served as a starting point for these notes. In particular, we are very grateful to Muthu for compiling these original sets of notes. RAFAEL PASS Ithaca, NY ABHI SHELAT Charlottesville, VA August 2007 vii Notation Algorithms Let A denote an algorithm. We write A( ) to denote an algorithm with one · input and A( , ) for two inputs. In general, the output of a (randomized) · · algorithm is described by a probability distribution; we let A(x) denotes the probability distribution associated with the output of A on input x. An algo- rithm is said to be deterministic if the probability distribution is concentrated on a single element. Experiments We denote by x S the experiment of sampling an element x from a proba- ← bility distribution S. If F is a finite set, then x F denotes the experiment of ← sampling uniformly from the set F . We use semicolon to describe the ordered sequences of event that make up an experiment, e.g., x S;(y, z) A(x) ← ← Probabilities If p(., .) denotes a predicate, then Pr[x S;(y, z) A(x): p(y, z)] ← ← is the probability that the predicate p(y, z) is true after the ordered sequence of events (x S;(y, z) A(x)). The notation x S;(y, z) A(x): ← ← { ← ← (y, z) denotes the probability distribution over y, z generated by the ex- } { } periment x S;(y, z) A(x). ← ← ix Chapter 1 Introduction The word cryptography stems from the Greek words krypt´os—meaning “hidden”— and gr´afein—meaning “ to write”. Indeed, the classical cryptographic prob- lem, which dates back millenia, considers the task of using “hidden writing” to secure, or conceal communication between two parties. 1.1 Classical Cryptography: Hidden Writing Consider two parties, Alice and Bob. Alice wants to privately send messages (called plaintexts) to Bob over an insecure channel. By an insecure channel, we here refer to an “open” and tappable channel; in particular, Alice and Bob would like their privacy to be maintained even in face of an adversary Eve (for eavesdropper) who listens to all messages sent on the channel. How can this be achieved? A possible solution Before starting their communication, Alice and Bob agree on some “secret code” that they will later use to communicate. A secret code consists of a key, an algorithm, Enc, to encrypt (scramble) plaintext mes- sages into ciphertexts and an algorithm Dec to decrypt (or descramble) cipher- texts into plaintext messages. Both the encryption and decryption algorithms require the key to perform their task. Alice can now use the key to encrypt a message, and the send the cipher- text to Bob. Bob, upon receiving a ciphertext, uses the key to decrypt the ciphertext and retrieve the orignal message. 1 2 INTRODUCTION ? Eve ③ c Alice Bob ② ④ ① c = Enck(m) k k m = Deck(c) Gen Figure 1.1: Illustration of the steps involved in private-key encryption. First, a key k must be generated by the Gen algorithm and privately given to Alice and Bob. In the picture, this is illustrated with a green “land-line.” Later, Al- ice encodes the message m into a ciphertext c and sends it over the insecure channel—in this case, over the airwaves. Bob receives the encoded message and decodes it using the key k to recover the original message m. The eaves- dropper Eve does not learn anything about m except perhaps its length. 1.1.1 Private-Key Encryption To formalize the above task, we must consider an additional algorithm, Gen, called the key-generation algorithm; this algorithm is executed by Alice and Bob to generate the key k which they use to encrypt and decrypt messages. A first question that needs to be addressed is what information needs to be “public”—i.e., known to everyone—and what needs to be “private”—i.e., kept secret. In the classical approach—security by obscurity—all of the above algorithms, Gen, Enc, Dec, and the generated key k were kept private; the idea was of course that the less information we give to the adversary, the harder it is to break the scheme. A design principle formulated by Kerchoff in 1884— known as Kerchoff’s principle—instead stipulates that the only thing that one should assume to be private is the key k; everything else (i.e., Gen, Encand Dec) should be assumed to be public! Why should we do this? Designs of en- cryption algorithms are often eventually leaked, and when this happens the effects to privacy could be disastrous.
Recommended publications
  • On the Foundations of Cryptography∗

    On the Foundations of Cryptography∗

    On the Foundations of Cryptography∗ Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. [email protected] May 6, 2019 Abstract We survey the main paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. We start by presenting some of the central tools used in cryptography; that is, computational difficulty (in the form of one-way functions), pseudorandomness, and zero-knowledge proofs. Based on these tools, we turn to the treatment of basic cryptographic applications such as encryption and signature schemes as well as the design of general secure cryptographic protocols. Our presentation assumes basic knowledge of algorithms, probability theory and complexity theory, but nothing beyond this. Keywords: Cryptography, Theory of Computation. ∗This revision of the primer [59] will appear as Chapter 17 in an ACM book celebrating the work of Goldwasser and Micali. 1 Contents 1 Introduction and Preliminaries 1 1.1 Introduction.................................... ............... 1 1.2 Preliminaries ................................... ............... 4 I Basic Tools 6 2 Computational Difficulty and One-Way Functions 6 2.1 One-WayFunctions................................ ............... 6 2.2 Hard-CorePredicates . .. .. .. .. .. .. .. ................ 9 3 Pseudorandomness 11 3.1 Computational Indistinguishability . ....................... 11 3.2 PseudorandomGenerators. ................. 12 3.3 PseudorandomFunctions . ...............
  • Key Agreement from Weak Bit Agreement

    Key Agreement from Weak Bit Agreement

    Key Agreement from Weak Bit Agreement Thomas Holenstein Department of Computer Science Swiss Federal Institute of Technology (ETH) Zurich, Switzerland [email protected] ABSTRACT In cryptography, much study has been devoted to find re- Assume that Alice and Bob, given an authentic channel, lations between different such assumptions and primitives. For example, Impagliazzo and Luby show in [9] that imple- have a protocol where they end up with a bit SA and SB , respectively, such that with probability 1+ε these bits are mentations of essentially all non-trivial cryptographic tasks 2 imply the existence of one-way functions. On the other equal. Further assume that conditioned on the event SA = hand, many important primitives can be realized if one-way SB no polynomial time bounded algorithm can predict the δ functions exist. Examples include pseudorandom generators bit better than with probability 1 − 2 . Is it possible to obtain key agreement from such a primitive? We show that [7], pseudorandom functions [5], and pseudorandom permu- 1−ε tations [12]. for constant δ and ε the answer is yes if and only if δ > 1+ε , both for uniform and non-uniform adversaries. For key agreement no such reduction to one-way functions The main computational technique used in this paper is a is known. In fact, in [10] it is shown that such a reduction strengthening of Impagliazzo’s hard-core lemma to the uni- must be inherently non-relativizing, and thus it seems very form case and to a set size parameter which is tight (i.e., hard to find such a construction.
  • Draft Lecture Notes

    Draft Lecture Notes

    CS-282A / MATH-209A Foundations of Cryptography Draft Lecture Notes Winter 2010 Rafail Ostrovsky UCLA Copyright © Rafail Ostrovsky 2003-2010 Acknowledgements: These lecture notes were produced while I was teaching this graduate course at UCLA. After each lecture, I asked students to read old notes and update them according to the lecture. I am grateful to all of the students who participated in this massive endeavor throughout the years, for asking questions, taking notes and improving these lecture notes each time. Table of contents PART 1: Overview, Complexity classes, Weak and Strong One-way functions, Number Theory Background. PART 2: Hard-Core Bits. PART 3: Private Key Encryption, Perfectly Secure Encryption and its limitations, Semantic Security, Pseudo-Random Generators. PART 4: Implications of Pseudo-Random Generators, Pseudo-random Functions and its applications. PART 5: Digital Signatures. PART 6: Trapdoor Permutations, Public-Key Encryption and its definitions, Goldwasser-Micali, El-Gamal and Cramer-Shoup cryptosystems. PART 7: Interactive Proofs and Zero-Knowledge. PART 8: Bit Commitment Protocols in different settings. PART 9: Non-Interactive Zero Knowledge (NIZK) PART 10: CCA1 and CCA2 Public Key Encryption from general Assumptions: Naor-Yung, DDN. PART 11: Non-Malleable Commitments, Non-Malleable NIZK. PART 12: Multi-Server PIR PART 13: Single-Server PIR, OT, 1-2-OT, MPC, Program Obfuscation. PART 14: More on MPC including GMW and BGW protocols in the honest-but-curious setting. PART 15: Yao’s garbled circuits, Efficient ZK Arguments, Non-Black-Box Zero Knowledge. PART 16: Remote Secure Data Storage (in a Cloud), Oblivious RAMs. CS 282A/MATH 209A: Foundations of Cryptography °c 2006-2010 Prof.
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
  • How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle

    How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle

    How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris1, Phillip Rogaway2, and Till Stegers2 1 Dept. of Mathematics, University of California, Davis, California 95616, USA 2 Dept. of Computer Science, University of California, Davis, California 95616, USA Abstract. We analyze the security of the Thorp shuffle, or, equivalently, a maximally unbalanced Feistel network. Roughly said, the Thorp shuffle on N cards mixes any N 1−1/r of them in O(r lg N) steps. Correspond- ingly, making O(r) passes of maximally unbalanced Feistel over an n-bit string ensures CCA-security to 2n(1−1/r) queries. Our results, which em- ploy Markov-chain techniques, enable the construction of a practical and provably-secure blockcipher-based scheme for deterministically encipher- ing credit card numbers and the like using a conventional blockcipher. 1 Introduction Small-space encryption. Suppose you want to encrypt a 9-decimal-digit plaintext, say a U.S. social-security number, into a ciphertext that is again a 9-decimal-digit number. A shared key K is used to control the encryption. Syn- tactically, you seek a cipher E: K×M → M where M = {0, 1,...,N− 1}, 9 N =10 ,andEK = E(K, ·) is a permutation for each key K ∈K. You aim to construct your scheme from a well-known primitive, say AES, and to prove your scheme is as secure as the primitive from which you start. The problem is harder than it sounds. You can’t just encode each plaintext M ∈Mas a 128-bit string and then apply AES, say, as that will return a 128-bit string and projecting back onto M will destroy permutivity.
  • The Design and Evolution Of

    The Design and Evolution Of

    J Cryptol (2021) 34:36 https://doi.org/10.1007/s00145-021-09399-8 The Design and Evolution of OCB Ted Krovetz Computer Science Department, California State University, 6000 J Street, Sacramento, California 95819, USA [email protected] Phillip Rogaway Department of Computer Science, Kemper Hall of Engineering, University of California, Davis, California 95616, USA [email protected] Communicated by Tetsu Iwata. Received 20 December 2019 / Revised 26 August 2020 / Accepted 14 September 2020 Abstract. We describe OCB3, the final version of OCB, a blockcipher mode for au- thenticated encryption (AE). We prove the construction secure, up to the birthday bound, assuming its underlying blockcipher is secure as a strong-PRP. We study the scheme’s software performance, comparing its speed, on multiple platforms, to a variety of other AE schemes. We reflect on the history and development of the mode. Keywords. AEAD, Authenticated encryption, CAESAR competition, Cryptographic standards, Fast software encryption, Modes of operation, OCB. 1. Introduction Schemes for authenticated encryption (AE) symmetrically encrypt a message in a way that ensures both its confidentiality and authenticity. OCB is a well-known algorithm for achieving this aim. It is a blockcipher mode of operation, the blockcipher usually being AES. There are three main variants of OCB. The first, now called OCB1 (2001) [39], was mo- tivated by Charanjit Jutla’s IAPM [24]. A second version, now called OCB2 (2004) [18, 38], added support for associated data (AD) [37] and redeveloped the mode using the idea of a tweakable blockcipher [30]. OCB2 was recently found to have a disastrous bug [17].
  • Investigation of Ice Particle Habits to Be Used for Ice Cloud Remote Sensing for the GCOM-C Satellite Mission

    Investigation of Ice Particle Habits to Be Used for Ice Cloud Remote Sensing for the GCOM-C Satellite Mission

    Atmos. Chem. Phys., 16, 12287–12303, 2016 www.atmos-chem-phys.net/16/12287/2016/ doi:10.5194/acp-16-12287-2016 © Author(s) 2016. CC Attribution 3.0 License. Investigation of ice particle habits to be used for ice cloud remote sensing for the GCOM-C satellite mission Husi Letu1,2, Hiroshi Ishimoto3, Jerome Riedi4, Takashi Y. Nakajima1, Laurent C.-Labonnote4, Anthony J. Baran5, Takashi M. Nagao6, and Miho Sekiguchi7 1Research and Information Center (TRIC), Tokai University, 4-1-1 Kitakaname Hiratsuka, Kanagawa 259-1292, Japan 2Institute of Remote Sensing and Digital Earth, Chinese Academy of Sciences (CAS), DaTun Road No. 20 (North), Beijing 100101, China 3Meteorological Research Institute, 1-1 Nagamine, Tsukuba, Ibaraki 305-0052, Japan 4Laboratoire d’Optique Atmosphérique, UMR CNRS 8518, Université de Lille 1-Sciences et Technologies, Villeneuve d’Ascq, France 5Met Office, Fitzroy Road, Exeter, EX1 3PB, UK 6Earth Observation Research Center (EORC), Japan Aerospace Exploration Agency (JAXA), 2-1-1 Sengen Tsukuba, Ibaraki 305-8505, Japan 7Tokyo University of Marine Science and Technology, Tokyo 135-8533, Japan Correspondence to: Takashi Y. Nakajima ([email protected]) Received: 29 September 2015 – Published in Atmos. Chem. Phys. Discuss.: 11 November 2015 Revised: 10 September 2016 – Accepted: 15 September 2016 – Published: 29 September 2016 Abstract. In this study, various ice particle habits are in- phase matrix. The characteristics of calculated extinction ef- vestigated in conjunction with inferring the optical proper- ficiency, single-scattering albedo, and asymmetry factor of ties of ice clouds for use in the Global Change Observa- the five ice particle habits are compared.
  • Stdin (Ditroff)

    Stdin (Ditroff)

    - 50 - Foundations of Cryptography Notes of lecture No. 5B (given on Apr. 2nd) Notes taken by Eyal Kushilevitz Summary In this (half) lecture we introduce and define the concept of secure encryption. (It is assumed that the reader is familiar with the notions of private-key and public-key encryption, but we will define these notions too for the sake of self-containment). 1. Secure encryption - motivation. Secure encryption is one of the fundamental problems in the field of cryptography. One of the important results of this field in the last years, is the success to give formal definitions to intuitive concepts (such as secure encryption), and the ability to suggest efficient implementations to such systems. This ability looks more impressive when we take into account the strong requirements of these definitions. Loosely speaking, an encryption system is called "secure", if seeing the encrypted message does not give any partial information about the message, that is not known beforehand. We describe here the properties that we would like the definition of encryption system to capture: g Computational hardness - As usual, the definition should deal with efficient procedures. That is, by saying that the encryption does not give any partial information about the message, we mean that no efficient algorithm is able to gain such an information Clearly, we also require that the encryption and decryption procedures will be efficient. g Security with respect to any probability distribution of messages - The encryption system should be secure independently of the probability distribution of the messages we encrypt. For example: we do not want a system which is secure with respect to messages taken from a uniform distribution, but not secure with respect to messages written in English.
  • On One-Way Functions and Kolmogorov Complexity

    On One-Way Functions and Kolmogorov Complexity

    On One-way Functions and Kolmogorov Complexity Yanyi Liu Rafael Pass∗ Cornell University Cornell Tech [email protected] [email protected] September 25, 2020 Abstract We prove that the equivalence of two fundamental problems in the theory of computing. For every polynomial t(n) ≥ (1 + ")n; " > 0, the following are equivalent: • One-way functions exists (which in turn is equivalent to the existence of secure private-key encryption schemes, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, and more); • t-time bounded Kolmogorov Complexity, Kt, is mildly hard-on-average (i.e., there exists a t 1 polynomial p(n) > 0 such that no PPT algorithm can compute K , for more than a 1 − p(n) fraction of n-bit strings). In doing so, we present the first natural, and well-studied, computational problem characterizing the feasibility of the central private-key primitives and protocols in Cryptography. arXiv:2009.11514v1 [cs.CC] 24 Sep 2020 ∗Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.
  • On One-Way Functions and Kolmogorov Complexity

    On One-Way Functions and Kolmogorov Complexity

    On One-way Functions and Kolmogorov Complexity Yanyi Liu Rafael Pass∗ Cornell University Cornell Tech [email protected] [email protected] September 24, 2020 Abstract We prove that the equivalence of two fundamental problems in the theory of computing. For every polynomial t(n) ≥ (1 + ")n; " > 0, the following are equivalent: • One-way functions exists (which in turn is equivalent to the existence of secure private-key encryption schemes, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, and more); • t-time bounded Kolmogorov Complexity, Kt, is mildly hard-on-average (i.e., there exists a t 1 polynomial p(n) > 0 such that no PPT algorithm can compute K , for more than a 1 − p(n) fraction of n-bit strings). In doing so, we present the first natural, and well-studied, computational problem characterizing the feasibility of the central private-key primitives and protocols in Cryptography. ∗Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein. 1 Introduction We prove the equivalence of two fundamental problems in the theory of computing: (a) the exis- tence of one-way functions, and (b) mild average-case hardness of the time-bounded Kolmogorov Complexity problem.
  • Fast Multiplication of Binary Polynomials with the Forthcoming Vectorized VPCLMULQDQ Instruction

    Fast Multiplication of Binary Polynomials with the Forthcoming Vectorized VPCLMULQDQ Instruction

    Fast multiplication of binary polynomials with the forthcoming vectorized VPCLMULQDQ instruction Nir Drucker Shay Gueron Vlad Krasnov University of Haifa, Israel, University of Haifa, Israel, CloudFlare, Inc. and and San Francisco, USA Amazon Web Services Inc.1 Amazon Web Services Inc.1 Abstract—Polynomial multiplication over binary fields F2n is Intel has recently announced [7] that its future architecture, a common primitive, used for example by current cryptosystems codename ”Ice Lake”, will introduce a new instruction called n = 128 such as AES-GCM (with ). It also turns out to be a prim- VPCLMULQDQ. This instruction, together with the new vector- itive for other cryptosystems, that are being designed for the Post VAESENC VAESDEC Quantum era, with values n 128. Examples from the recent ized AES instructions ( and ), are useful submissions to the NIST Post-Quantum Cryptography project, for accelerating AES-GCM. However, we argue that even as a are BIKE, LEDAKem, and GeMSS, where the performance of standalone instruction, VPCLMULQDQ is useful for some new the polynomial multiplications, is significant. Therefore, efficient emerging algorithms, which paper demonstrates how it can be F n n polynomial multiplication over 2 , with large , is a significant used for accelerating ”big” polynomial multiplications (with emerging optimization target. > 511 Anticipating future applications, Intel has recently announced degree ). that its future architecture (codename ”Ice Lake”) will introduce The correctness of the algorithms (and the code) can be a new vectorized way to use the current VPCLMULQDQ instruc- checked now, but actual performance measurements require tion. In this paper, we demonstrate how to use this instruction a real CPU, which is currently unavailable.
  • Provably Secure Steganography

    Provably Secure Steganography

    IEEE TRANSACTIONS ON COMPUTERS, VOL. 58, NO. X, XXX 2009 1 Provably Secure Steganography Nicholas Hopper, Luis von Ahn, and John Langford Abstract—Steganography is the problem of hiding secret messages in “innocent-looking” public communication so that the presence of the secret messages cannot be detected. This paper introduces a cryptographic formalization of steganographic security in terms of computational indistinguishability from a channel, an indexed family of probability distributions on cover messages. We use cryptographic and complexity-theoretic proof techniques to show that the existence of one-way functions and the ability to sample from the channel are necessary conditions for secure steganography. We then construct a steganographic protocol, based on rejection sampling from the channel, that is provably secure and has nearly optimal bandwidth under these conditions. This is the first known example of a general provably secure steganographic protocol. We also give the first formalization of “robust” steganography, where an adversary attempts to remove any hidden messages without unduly disrupting the cover channel. We give a necessary condition on the amount of disruption the adversary is allowed in terms of a worst case measure of mutual information. We give a construction that is provably secure and computationally efficient and has nearly optimal bandwidth, assuming repeatable access to the channel distribution. Index Terms—Steganography, covert channels, provable security. Ç 1INTRODUCTION classic problem of computer security is the mitigation Steganographic “protocols” have a long and intriguing Aof covert channels. First introduced by Lampson [1], a history that predates covert channels, stretching back to covert channel in a (single-host or distributed) computer antiquity.