An Intensive Introduction to Cryptography

Total pages: 16

File type: PDF, size: 1020 KB

An Intensive Introduction to Cryptography
Boaz Barak
Lecture notes. Available on https://intensecrypto.org
Text available on https://github.com/boazbk/crypto - please post any issues there - thank you!
This version was compiled on Thursday 23rd September, 2021 13:32
Copyright © 2021 Boaz Barak
This work is licensed under a Creative Commons “Attribution-NonCommercial-NoDerivatives 4.0 International” license.

If you can just get your mind together
Then come on across to me
We’ll hold hands, and then we’ll watch the sun rise
From the bottom of the sea
Jimi Hendrix, Are You Experienced?

Contents
Foreword and Syllabus .... 9
I Preliminaries .... 15
0 Mathematical Background .... 17
1 Introduction .... 39
II Private key cryptography .... 59
2 Computational Security .... 61
3 Pseudorandomness .... 83
4 Pseudorandom functions .... 103
5 Pseudorandom functions from pseudorandom generators and CPA security .... 117
6 Chosen Ciphertext Security .... 137
7 Hash Functions and Random Oracles .... 153
8 Key derivation, protecting passwords, slow hashes, Merkle trees .... 167
9 Private key crypto recap .... 177
III Public key cryptography .... 179
10 Public key cryptography .... 181
11 Concrete candidates for public key crypto .... 211
12 Chosen ciphertext security for public key encryption .... 229
13 Lattice based cryptography .... 231
14 Establishing secure connections over insecure channels .... 247
IV Advanced topics .... 257
15 Zero knowledge proofs .... 259
16 Fully homomorphic encryption: Introduction and bootstrapping .... 273
17 Fully homomorphic encryption: Construction .... 285
18 Multiparty secure computation I: Definition and Honest-But-Curious to Malicious compiler .... 299
19 Multiparty secure computation II: Construction using Fully Homomorphic Encryption .... 315
20 Quantum computing and cryptography I .... 325
21 Quantum computing and cryptography II .... 337
22 Software Obfuscation .... 347
23 More obfuscation, exotic encryptions .... 357
24 Anonymous communication .... 363
V Conclusions .... 365
25 Ethical, moral, and policy dimensions to cryptography .... 367
26 Course recap .... 373

Contents (detailed)
Foreword and Syllabus .... 9
  0.1 Syllabus .... 10
    0.1.1 Prerequisites .... 12
  0.2 Why is cryptography hard? .... 12
I Preliminaries .... 15
0 Mathematical Background .... 17
  0.1 A quick overview of mathematical prerequisites .... 17
  0.2 Mathematical Proofs .... 19
    0.2.1 Example: The existence of infinitely many primes. .... 20
  0.3 Probability and Sample spaces .... 22
    0.3.1 Random variables .... 24
    0.3.2 Distributions over strings .... 26
    0.3.3 More general sample spaces. .... 27
  0.4 Correlations and independence .... 27
    0.4.1 Independent random variables .... 29
    0.4.2 Collections of independent random variables. .... 30
  0.5 Concentration and tail bounds .... 31
    0.5.1 Chebyshev’s Inequality .... 32
    0.5.2 The Chernoff bound .... 33
  0.6 Exercises .... 34
  0.7 Exercises .... 35
1 Introduction .... 39
  1.1 Some history .... 39
  1.2 Defining encryptions .... 41
  1.3 Defining security of encryption .... 43
    1.3.1 Generating randomness in actual cryptographic systems .... 44
  1.4 Defining the secrecy requirement. .... 46
  1.5 Perfect Secrecy .... 49
    1.5.1 Achieving perfect secrecy .... 52
  1.6 Necessity of long keys .... 54
    1.6.1 Amplifying success probability .... 57
  1.7 Bibliographical notes .... 58
II Private key cryptography .... 59
2 Computational Security .... 61
    2.0.1 Proof by reduction .... 65
  2.1 The asymptotic approach .... 66
    2.1.1 Counting number of operations. .... 68
  2.2 Our first conjecture .... 70
  2.3 Why care about the cipher conjecture? .... 71
  2.4 Prelude: Computational Indistinguishability .... 71
  2.5 The Length Extension Theorem or Stream Ciphers .... 76
    2.5.1 Appendix: The computational model .... 80
3 Pseudorandomness .... 83
    3.0.1 Unpredictability: an alternative approach for proving the length extension theorem .... 88
  3.1 Stream ciphers .... 90
  3.2 What do pseudorandom generators actually look like? .... 92
    3.2.1 Attempt 0: The counter generator .... 92
    3.2.2 Attempt 1: The linear checksum / linear feedback shift register (LFSR) .... 92
    3.2.3 From insecurity to security .... 94
    3.2.4 Attempt 2: Linear Congruential Generators with dropped bits .... 95
  3.3 Successful examples .... 96
    3.3.1 Case Study 1: Subset Sum Generator .... 96
    3.3.2 Case Study 2: RC4 .... 97
    3.3.3 Case Study 3: Blum, Blum and Shub .... 98
  3.4 Non-constructive existence of pseudorandom generators .... 99
4 Pseudorandom functions .... 103
  4.1 One time passwords (e.g. Google Authenticator, RSA ID, etc.) .... 107
    4.1.1 How do pseudorandom functions help in the login problem? .... 108
    4.1.2 Modifying input and output lengths of PRFs .... 111
  4.2 Message Authentication Codes .... 112
  4.3 MACs from PRFs .... 114
  4.4 Arbitrary input length extension for MACs and PRFs .... 115
  4.5 Aside: natural proofs .... 115
5 Pseudorandom functions from pseudorandom generators and CPA security .... 117
  5.1 Securely encrypting many messages - chosen plaintext security .... 122
  5.2 Pseudorandom permutations / block ciphers .... 125
  5.3 Encryption modes .... 130
  5.4 Optional, Aside: Broadcast Encryption .... 131
  5.5 Reading comprehension exercises .... 134
6 Chosen Ciphertext Security .... 137
  6.1 Short recap .... 137
  6.2 Going beyond CPA .... 138
    6.2.1 Example: The Wired Equivalence Privacy (WEP) .... 138
    6.2.2 Chosen ciphertext security .... 140
  6.3 Constructing CCA secure encryption .... 143
  6.4 (Simplified) GCM encryption .... 148
  6.5 Padding, chopping, and their pitfalls: the “buffer overflow” of cryptography .... 149
  6.6 Chosen ciphertext attack as implementing metaphors .... 150
  6.7 Reading comprehension exercises .... 150
7 Hash Functions and Random Oracles .... 153
  7.1 The “Bitcoin” Problem .... 153
    7.1.1 The Currency Problem .... 153
    7.1.2 Bitcoin Architecture .... 154
  7.2 The Bitcoin Ledger .... 155
    7.2.1 From Proof of Work to Consensus on Ledger .... 158
  7.3 Collision Resistance Hash Functions and Creating Short “Unique” Identifiers .... 160
  7.4 Practical Constructions of Cryptographic Hash Functions .... 161
    7.4.1 Practical Random-ish Functions .... 162
    7.4.2 Some History .... 163
    7.4.3 The NSA and Hash Functions .... 164
    7.4.4 Cryptographic vs Non-Cryptographic Hash Functions .... 164
  7.5 Reading comprehension exercises .... 165
8 Key derivation, protecting passwords, slow hashes, Merkle trees .... 167
  8.1 Keys from passwords .... 167
  8.2 Merkle trees and verifying storage. .... 170
  8.3 Proofs of Retrievability .... 171
  8.4 Entropy extraction .... 172
    8.4.1 Forward and backward secrecy .... 175
9 Private key crypto recap .... 177
    9.0.1 Attacks on private key cryptosystems .... 178
III Public key cryptography .... 179
10 Public key cryptography .... 181
  10.1 Private key crypto recap .... 183
  10.2 Public Key Encryptions: Definition .... 185
    10.2.1 The obfuscation paradigm .... 186
  10.3 Some concrete candidates: .... 188
    10.3.1 Diffie-Hellman Encryption (aka El-Gamal) .... 189
    10.3.2 Sampling random primes .... 193
    10.3.3 A little bit of group theory. .... 194
    10.3.4 Digital Signatures .... 195
    10.3.5 The Digital Signature Algorithm (DSA) .... 196
  10.4 Putting everything together - security in practice. .... 200
  10.5 Appendix: An alternative proof of the density of primes .... 204
  10.6 Additional Group Theory Exercises and Proofs .... 205
    10.6.1 Solved exercises: .... 206
11 Concrete candidates for public key crypto .... 211
  11.1 Some number theory. .... 211
    11.1.1 Primality testing .... 212
    11.1.2 Fields .... 213
    11.1.3 Chinese remainder theorem .... 214
    11.1.4 The RSA and Rabin functions .... 215
    11.1.5 Abstraction: trapdoor permutations .... 216
    11.1.6 Public key encryption from trapdoor permutations .... 217
    11.1.7 Digital signatures from trapdoor permutations .... 220
  11.2 Hardcore bits and security without random oracles .... 222
    11.2.1 Extending to more than one hardcore bit .... 226
12 Chosen ciphertext security for public key encryption .... 229
13 Lattice based cryptography .... 231
    13.0.1 Quick linear algebra recap .... 233
  13.1 A world without Gaussian elimination .... 235
  13.2 Security in the real world. .... 237
  13.3 Search to decision .... 238
  13.4 An LWE based encryption scheme .... 239
  13.5 But what are lattices? .... 244
  13.6 Ring based lattices .... 245
14 Establishing secure connections over insecure channels .... 247
  14.1 Cryptography’s obsession with adjectives. .... 247
  14.2 Basic Key Exchange protocol .... 249
  14.3 Authenticated key exchange .... 250
    14.3.1 Bleichenbacher’s attack on RSA PKCS V1.5 and SSL V3.0 .... 250
  14.4 Chosen ciphertext attack security for public key cryptography .... 251
  14.5 CCA secure public key encryption in the Random Oracle Model .... 253
    14.5.1 Defining secure authenticated key exchange .... 255
    14.5.2 The compiler approach for authenticated key exchange .... 255
  14.6 Password authenticated key exchange. .... 256
  14.7 Client to client key exchange for secure text messaging - ZRTP, OTR, TextSecure .... 256
  14.8 Heartbleed and logjam attacks .... 256
IV Advanced topics .... 257
15 Zero knowledge proofs .... 259
  15.1 Applications for zero knowledge proofs. .... 260
    15.1.1 Nuclear disarmament .... 260
    15.1.2 Voting .... 261
    15.1.3 More applications .... 261
  15.2 Defining and constructing zero knowledge proofs .... 261
  15.3 Defining zero knowledge .... 265
  15.4 Zero knowledge proof for Hamiltonicity. .... 268
    15.4.1 Why is this interesting? .... 271
  15.5 Parallel repetition and turning zero knowledge proofs to signatures. .... 271
    15.5.1 “Bonus features” of zero knowledge .... 272
16 Fully homomorphic encryption: Introduction and bootstrapping .... 273
  16.1 Defining fully homomorphic encryption .... 276
    16.1.1 Another application: fully homomorphic encryption for verifying computation .... 277
  16.2 Example: An XOR homomorphic encryption .... 278
    16.2.1 Abstraction: A trapdoor pseudorandom generator. .... 280
  16.3 From linear homomorphism to full homomorphism .... 282
  16.4 Bootstrapping: Fully Homomorphic “escape velocity” .... 282
    16.4.1 Radioactive legos analogy .... 283
    16.4.2 Proving the bootstrapping theorem .... 283
17 Fully homomorphic encryption: Construction .... 285
  17.1 Prelude: from vectors to matrices
Recommended publications
  • On the Foundations of Cryptography∗
    On the Foundations of Cryptography*
    Oded Goldreich, Department of Computer Science, Weizmann Institute of Science, Rehovot, Israel. [email protected]
    May 6, 2019
    Abstract. We survey the main paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. We start by presenting some of the central tools used in cryptography; that is, computational difficulty (in the form of one-way functions), pseudorandomness, and zero-knowledge proofs. Based on these tools, we turn to the treatment of basic cryptographic applications such as encryption and signature schemes as well as the design of general secure cryptographic protocols. Our presentation assumes basic knowledge of algorithms, probability theory and complexity theory, but nothing beyond this.
    Keywords: Cryptography, Theory of Computation.
    *This revision of the primer [59] will appear as Chapter 17 in an ACM book celebrating the work of Goldwasser and Micali.
    Contents
    1 Introduction and Preliminaries .... 1
      1.1 Introduction .... 1
      1.2 Preliminaries .... 4
    I Basic Tools .... 6
    2 Computational Difficulty and One-Way Functions .... 6
      2.1 One-Way Functions .... 6
      2.2 Hard-Core Predicates .... 9
    3 Pseudorandomness .... 11
      3.1 Computational Indistinguishability .... 11
      3.2 Pseudorandom Generators .... 12
      3.3 Pseudorandom Functions
  • Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition
    KATHOLIEKE UNIVERSITEIT LEUVEN, FACULTEIT INGENIEURSWETENSCHAPPEN, DEPARTEMENT ELEKTROTECHNIEK-ESAT, Kasteelpark Arenberg 10, 3001 Leuven-Heverlee
    Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition
    Supervisor (promotor): Prof. Dr. ir. Bart Preneel
    Dissertation presented in fulfilment of the requirements for the degree of Doctor in Engineering Sciences by Souradyuti Paul, November 2006
    Jury: Prof. Dr. ir. Etienne Aernoudt, chair; Prof. Dr. ir. Bart Preneel, supervisor; Prof. Dr. ir. André Barbé; Prof. Dr. ir. Marc Van Barel; Prof. Dr. ir. Joos Vandewalle; Prof. Dr. Lars Knudsen (Technical University, Denmark)
    U.D.C. 681.3*D46
    © Katholieke Universiteit Leuven - Faculteit Ingenieurswetenschappen, Arenbergkasteel, B-3001 Heverlee (Belgium)
    All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher.
    D/2006/7515/88
    ISBN 978-90-5682-754-0
    To my parents for their unyielding ambition to see me educated and Prof. Bimal Roy for making cryptology possible in my life ...
    My Gratitude
    It feels awkward to claim the thesis to be singularly mine as a great number of people, directly or indirectly, participated in the process to make it see the light of day.
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher
    Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen
    Contributors: Andrey Bogdanov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang
    Katholieke Universiteit Leuven, Department of Electrical Engineering ESAT/SCD-COSIC, Interdisciplinary Institute for BroadBand Technology (IBBT), Kasteelpark Arenberg 10, bus 2446, B-3001 Leuven-Heverlee, Belgium
    Version 1.1 | 7 March 2011
    Contents
    1 Executive Summary .... 1
    2 Linear Attacks .... 3
      2.1 Overview .... 3
      2.2 Linear Relations for FSR-A and FSR-B .... 3
      2.3 Linear Approximation of the NLF .... 5
      2.4 Complexity Estimation .... 5
    3 Algebraic Attacks .... 6
    4 Correlation Attacks .... 10
      4.1 Introduction .... 10
      4.2 Combination Generators and Linear Complexity .... 10
      4.3 Description of the Correlation Attack .... 11
      4.4 Application of the Correlation Attack to KCipher-2 .... 13
      4.5 Fast Correlation Attacks .... 14
    5 Differential Attacks .... 14
      5.1 Properties of Components .... 14
        5.1.1 Substitution .... 15
        5.1.2 Linear Permutation .... 15
      5.2 Key Ideas of the Attacks .... 18
      5.3 Related-Key Attacks .... 19
      5.4 Related-IV Attacks .... 20
      5.5 Related Key/IV Attacks .... 21
      5.6 Conclusion and Remarks .... 21
    6 Guess-and-Determine Attacks .... 25
      6.1 Word-Oriented Guess-and-Determine .... 25
      6.2 Byte-Oriented Guess-and-Determine .... 27
    7 Period Considerations .... 28
    8 Statistical Properties .... 29
    9 Distinguishing Attacks .... 31
      9.1 Preliminaries .... 31
      9.2 Mod n Cryptanalysis of Weakened KCipher-2 .... 32
        9.2.1 Other Reduced Versions of KCipher-2
  • Draft Lecture Notes
    CS-282A / MATH-209A Foundations of Cryptography. Draft Lecture Notes, Winter 2010. Rafail Ostrovsky, UCLA. Copyright © Rafail Ostrovsky 2003-2010
    Acknowledgements: These lecture notes were produced while I was teaching this graduate course at UCLA. After each lecture, I asked students to read old notes and update them according to the lecture. I am grateful to all of the students who participated in this massive endeavor throughout the years, for asking questions, taking notes and improving these lecture notes each time.
    Table of contents
    PART 1: Overview, Complexity classes, Weak and Strong One-way functions, Number Theory Background.
    PART 2: Hard-Core Bits.
    PART 3: Private Key Encryption, Perfectly Secure Encryption and its limitations, Semantic Security, Pseudo-Random Generators.
    PART 4: Implications of Pseudo-Random Generators, Pseudo-random Functions and its applications.
    PART 5: Digital Signatures.
    PART 6: Trapdoor Permutations, Public-Key Encryption and its definitions, Goldwasser-Micali, El-Gamal and Cramer-Shoup cryptosystems.
    PART 7: Interactive Proofs and Zero-Knowledge.
    PART 8: Bit Commitment Protocols in different settings.
    PART 9: Non-Interactive Zero Knowledge (NIZK)
    PART 10: CCA1 and CCA2 Public Key Encryption from general Assumptions: Naor-Yung, DDN.
    PART 11: Non-Malleable Commitments, Non-Malleable NIZK.
    PART 12: Multi-Server PIR
    PART 13: Single-Server PIR, OT, 1-2-OT, MPC, Program Obfuscation.
    PART 14: More on MPC including GMW and BGW protocols in the honest-but-curious setting.
    PART 15: Yao’s garbled circuits, Efficient ZK Arguments, Non-Black-Box Zero Knowledge.
    PART 16: Remote Secure Data Storage (in a Cloud), Oblivious RAMs.
    CS 282A/MATH 209A: Foundations of Cryptography © 2006-2010 Prof.
  • How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle
    How to Encipher Messages on a Small Domain: Deterministic Encryption and the Thorp Shuffle
    Ben Morris (1), Phillip Rogaway (2), and Till Stegers (2)
    (1) Dept. of Mathematics, University of California, Davis, California 95616, USA
    (2) Dept. of Computer Science, University of California, Davis, California 95616, USA
    Abstract. We analyze the security of the Thorp shuffle, or, equivalently, a maximally unbalanced Feistel network. Roughly said, the Thorp shuffle on N cards mixes any N^(1−1/r) of them in O(r lg N) steps. Correspondingly, making O(r) passes of maximally unbalanced Feistel over an n-bit string ensures CCA-security to 2^(n(1−1/r)) queries. Our results, which employ Markov-chain techniques, enable the construction of a practical and provably-secure blockcipher-based scheme for deterministically enciphering credit card numbers and the like using a conventional blockcipher.
    1 Introduction
    Small-space encryption. Suppose you want to encrypt a 9-decimal-digit plaintext, say a U.S. social-security number, into a ciphertext that is again a 9-decimal-digit number. A shared key K is used to control the encryption. Syntactically, you seek a cipher E: K × M → M where M = {0, 1, ..., N − 1}, N = 10^9, and E_K = E(K, ·) is a permutation for each key K ∈ K. You aim to construct your scheme from a well-known primitive, say AES, and to prove your scheme is as secure as the primitive from which you start. The problem is harder than it sounds. You can’t just encode each plaintext M ∈ M as a 128-bit string and then apply AES, say, as that will return a 128-bit string and projecting back onto M will destroy permutivity.
  • Stdin (Ditroff)
    Foundations of Cryptography. Notes of lecture No. 5B (given on Apr. 2nd). Notes taken by Eyal Kushilevitz
    Summary: In this (half) lecture we introduce and define the concept of secure encryption. (It is assumed that the reader is familiar with the notions of private-key and public-key encryption, but we will define these notions too for the sake of self-containment).
    1. Secure encryption - motivation.
    Secure encryption is one of the fundamental problems in the field of cryptography. One of the important results of this field in the last years, is the success to give formal definitions to intuitive concepts (such as secure encryption), and the ability to suggest efficient implementations to such systems. This ability looks more impressive when we take into account the strong requirements of these definitions. Loosely speaking, an encryption system is called "secure", if seeing the encrypted message does not give any partial information about the message, that is not known beforehand. We describe here the properties that we would like the definition of encryption system to capture:
    • Computational hardness - As usual, the definition should deal with efficient procedures. That is, by saying that the encryption does not give any partial information about the message, we mean that no efficient algorithm is able to gain such an information. Clearly, we also require that the encryption and decryption procedures will be efficient.
    • Security with respect to any probability distribution of messages - The encryption system should be secure independently of the probability distribution of the messages we encrypt. For example: we do not want a system which is secure with respect to messages taken from a uniform distribution, but not secure with respect to messages written in English.
  • Analysis of Lightweight Stream Ciphers
    ANALYSIS OF LIGHTWEIGHT STREAM CIPHERS
    Thesis No. 4040 (2008), presented on 18 April 2008 at the School of Computer and Communication Sciences, Security and Cryptography Laboratory, Doctoral Programme in Computer, Communication and Information Sciences, École Polytechnique Fédérale de Lausanne, for the degree of Doctor of Science, by Simon FISCHER, M.Sc. in physics, Université de Berne, of Swiss nationality and originally from Olten (SO).
    Accepted on the proposal of the jury: Prof. M. A. Shokrollahi, jury president; Prof. S. Vaudenay, Dr W. Meier, thesis directors; Prof. C. Carlet, examiner; Prof. A. Lenstra, examiner; Dr M. Robshaw, examiner.
    Switzerland, 2008
    For Philomena
    Abstract
    Stream ciphers are fast cryptographic primitives to provide confidentiality of electronically transmitted data. They can be very suitable in environments with restricted resources, such as mobile devices or embedded systems. Practical examples are cell phones, RFID transponders, smart cards or devices in sensor networks. Besides efficiency, security is the most important property of a stream cipher. In this thesis, we address cryptanalysis of modern lightweight stream ciphers. We derive and improve cryptanalytic methods for different building blocks and present dedicated attacks on specific proposals, including some eSTREAM candidates. As a result, we elaborate on the design criteria for the development of secure and efficient stream ciphers. The best-known building block is the linear feedback shift register (LFSR), which can be combined with a nonlinear Boolean output function. A powerful type of attacks against LFSR-based stream ciphers are the recent algebraic attacks; these exploit the specific structure by deriving low degree equations for recovering the secret key.
  • On One-Way Functions and Kolmogorov Complexity
    On One-way Functions and Kolmogorov Complexity
    Yanyi Liu, Cornell University, [email protected]; Rafael Pass*, Cornell Tech, [email protected]
    September 25, 2020
    Abstract. We prove the equivalence of two fundamental problems in the theory of computing. For every polynomial t(n) ≥ (1 + ε)n, ε > 0, the following are equivalent:
    • One-way functions exist (which in turn is equivalent to the existence of secure private-key encryption schemes, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, and more);
    • t-time bounded Kolmogorov Complexity, K^t, is mildly hard-on-average (i.e., there exists a polynomial p(n) > 0 such that no PPT algorithm can compute K^t for more than a 1 − 1/p(n) fraction of n-bit strings).
    In doing so, we present the first natural, and well-studied, computational problem characterizing the feasibility of the central private-key primitives and protocols in Cryptography.
    arXiv:2009.11514v1 [cs.CC] 24 Sep 2020
    *Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.
  • On One-Way Functions and Kolmogorov Complexity
    On One-way Functions and Kolmogorov Complexity
    Yanyi Liu, Cornell University, [email protected]; Rafael Pass*, Cornell Tech, [email protected]
    September 24, 2020
    Abstract. We prove the equivalence of two fundamental problems in the theory of computing. For every polynomial t(n) ≥ (1 + ε)n, ε > 0, the following are equivalent:
    • One-way functions exist (which in turn is equivalent to the existence of secure private-key encryption schemes, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, and more);
    • t-time bounded Kolmogorov Complexity, K^t, is mildly hard-on-average (i.e., there exists a polynomial p(n) > 0 such that no PPT algorithm can compute K^t for more than a 1 − 1/p(n) fraction of n-bit strings).
    In doing so, we present the first natural, and well-studied, computational problem characterizing the feasibility of the central private-key primitives and protocols in Cryptography.
    *Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.
    1 Introduction
    We prove the equivalence of two fundamental problems in the theory of computing: (a) the existence of one-way functions, and (b) mild average-case hardness of the time-bounded Kolmogorov Complexity problem.
  • Cryptology: an Historical Introduction DRAFT
    Cryptology: An Historical Introduction. DRAFT. Jim Sauerberg, February 5, 2013
    Copyright 2013 All rights reserved Jim Sauerberg, Saint Mary's College
    Contents
    List of Figures .... 8
    1 Caesar Ciphers .... 9
      1.1 Saint Cyr Slide .... 12
      1.2 Running Down the Alphabet .... 14
      1.3 Frequency Analysis .... 15
      1.4 Linquist's Method .... 20
      1.5 Summary .... 22
      1.6 Topics and Techniques .... 22
      1.7 Exercises .... 23
    2 Cryptologic Terms .... 29
    3 The Introduction of Numbers .... 31
      3.1 The Remainder Operator .... 33
      3.2 Modular Arithmetic .... 38
      3.3 Decimation Ciphers .... 40
      3.4 Deciphering Decimation Ciphers .... 42
      3.5 Multiplication vs. Addition .... 44
      3.6 Koblitz's Kid-RSA and Public Key Codes .... 44
      3.7 Summary .... 48
      3.8 Topics and Techniques .... 48
      3.9 Exercises .... 49
    4 The Euclidean Algorithm .... 55
      4.1 Linear Ciphers .... 55
      4.2 GCD's and the Euclidean Algorithm .... 56
      4.3 Multiplicative Inverses .... 59
      4.4 Deciphering Decimation and Linear Ciphers .... 63
      4.5 Breaking Decimation and Linear Ciphers .... 65
      4.6 Summary .... 67
      4.7 Topics and Techniques .... 67
      4.8 Exercises .... 68
    5 Monoalphabetic Ciphers .... 71
      5.1 Keyword Ciphers .... 72
      5.2 Keyword Mixed Ciphers .... 73
      5.3 Keyword Transposed Ciphers .... 74
      5.4 Interrupted Keyword Ciphers .... 75
      5.5 Frequency Counts and Exhaustion .... 76
      5.6 Basic Letter Characteristics .... 77
      5.7 Aristocrats .... 78
      5.8 Summary .... 80
      5.9 Topics and Techniques .... 81
      5.10 Exercises .... 81
    6 Decrypting Monoalphabetic Ciphers .... 89
      6.1 Letter Interactions .... 90
      6.2 Decrypting Monoalphabetic Ciphers
  • Distinguishing Attack on a Modified Version of MAG Stream Cipher Arash Mirzaei1, Mohammad Dakhil Alian2, Mahmoud Modarres Hashemi3
    Distinguishing Attack on a Modified Version of MAG Stream Cipher
    Arash Mirzaei (1), Mohammad Dakhil Alian (2), Mahmoud Modarres Hashemi (3)
    Cryptography & System Security Research Lab. (CSSRL), Isfahan University of Technology, Isfahan, Iran
    (1) [email protected]; (2, 3) {mdalian, modarres}@cc.iut.ac.ir
    Abstract. MAG is a synchronous stream cipher designed by Vuckovac submitted to the eSTREAM project. Vuckovac also proposed two modified versions of MAG to avoid the distinguishing attack on the first version of MAG presented by Fischer. In this paper we show that, by changing Fischer’s attack, we can apply it to one of the modified versions of MAG. The modified attack requires only 514 successive bytes of known keystream and 5 xor and 2 comparison operations between 16 bit words. In addition, we show that the distinguishing and key recovery attack proposed by Simpson and Henricksen on all versions of MAG is feasible just by considering an assumption on initialization of MAG that simplifies this step so much. Therefore, their attack cannot be performed in general.
    Keywords: Cryptanalysis, MAG Stream Cipher, Distinguishing Attack, eSTREAM
    1. Introduction
    MAG is a stream cipher whose internal state consists of 127 registers Ri of 32 bit size, as well as a 32 bit carry register C. To produce the keystream, MAG is clocked iteratively.
    ... modified versions of MAG are described in Section 4. The Simpson and Henricksen’s assumption for initialization of MAG is discussed in Section 5 as well as their attack. In Section 6, a distinguishing attack on one of the modified versions of MAG is presented.
  • Enjoy-ETSI-MAG-October-2020.Pdf
    OCTOBER 2020
    THE INTERVIEW: Dr Ulrich Dropmann, Nokia. David Kennedy, Eurescom. p.4-5
    SHOWCASE: Quantum cryptography implemented. p.16
    TECH HIGHLIGHTS: Teleportation: science fiction or fact? p.18-19
    TECHNOLOGY ON THE R.I.S.E.
    Editorial
    In this edition, we are exploring future technological breakthroughs, from artificial intelligence to teleportation. The narrative around technology is very diverse depending on your audience but there can be no doubt that ICT is helping us through times when physical interpersonal interactions are limited. Over the last decades, “e” has become a common prefix to several words: e-Meetings, e-Tickets and e-Books, for example. But, will there ever be an e-Human? In this edition, Technology on the R.I.S.E, where R.I.S.E stands for Research, Innovation, Standards and Ecosystem,
    In our Spotlight, we showcase how a facility in Geneva implemented a quantum key distribution system to secure their data centres, while the main article gives a helicopter view of ETSI’s versatile offer for researchers and universities. In Tech Highlights, we explore the latest research updates on teleportation, while our exclusive Interviews touch base on several promising future applications. In the Working Together section, SMEs are on stage and can engage in R&D for EU-funded IoT programmes.
    The Interview: Dr Ulrich Dropmann, Nokia. David Kennedy, Eurescom. P4/5
    Meet the New Standards people. P6/7
    New member Interview: Arkady Zaslavsky, Deakin University. P8/9
    Tech Highlights: Rounding up ICT standards for Europe. P10/11
    In the Spotlight: The ETSI approach to R.I.S.E. P13-16
    Tech Highlights: Teleportation: Science fiction or fact?