Published by Ulysses Dye. Modified about 1 year ago.

1 CIS 5371 Cryptography 3b. Pseudorandomness. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography

2 Pseudorandomness: An introduction
A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random. This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

3 Pseudorandomness: An introduction

4 Existence of pseudorandom generators
We cannot prove that pseudorandom generators exist! We believe that such generators can be constructed from one-way functions. There are some long-standing problems that have no known efficient solution, and it is believed that they are unsolvable in polynomial time.

5 Pseudorandom generators: informal definition
A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random. This can be formalized by requiring that every PPT distinguisher outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

6 Pseudorandomness: Definition

7 A secure fixed length encryption scheme

8 A secure fixed length encryption: Protocol

9 A secure fixed length encryption: Theorem

10 A secure fixed length encryption: Reduction. Adversary A (Protocol), Adversary A’ (Distinguisher D)

11 A secure fixed length encryption: Proof

12 A secure fixed length encryption: Proof

13 Variable output length pseudorandom generators

14 Stream ciphers

15 Discussion
We use the term stream cipher for the PR stream generator, not the encryption algorithm. There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.

16 Discussion
The WEP encryption protocol for 802.11 used RC4 and was broken. It has since been fixed and the standard updated. If RC4 has to be used, the first 1024 bits or so should be discarded.

17 Discussion
From a security point of view, it is advocated to use block cipher constructions for constructing secure encryption schemes. The disadvantage is that this approach is less efficient than using a dedicated stream cipher.

18

19 Definition

20 Indistinguishable single encryptions vs indistinguishable multi encryptions

21 Secure multiple encryptions using a stream cipher: Synchronized mode
Communicating parties use a different part of the stream cipher output to encrypt each message. Useful for parties communicating in the same session. Communicating parties must maintain state between encryptions.
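Synchronized mode as described on this slide, written out as an added example that is not part of the original slides. It assumes SHAKE-256 as a stand-in for the variable output length generator; `keystream`, `SyncParty` and the sample key and messages are constructed for illustration. It also shows the failure mode when a sender loses its state and restarts the stream.

```python
import hashlib

def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Bytes [offset, offset+length) of the stream G(key).
    Assumption: SHAKE-256 stands in for the pseudorandom stream generator."""
    return hashlib.shake_256(key).digest(offset + length)[offset:]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SyncParty:
    """One end of a session. The state is the number of stream bytes consumed."""
    def __init__(self, key: bytes):
        self.key = key
        self.pos = 0

    def _next_pad(self, n: int) -> bytes:
        pad = keystream(self.key, self.pos, n)
        self.pos += n              # never hand out the same stream bytes twice
        return pad

    def encrypt(self, msg: bytes) -> bytes:
        return xor(msg, self._next_pad(len(msg)))

    decrypt = encrypt              # XOR with the same pad inverts encryption

def demo() -> dict:
    key = bytes(range(32))                                # constructed sample key
    m1, m2 = b"transfer 100 USD", b"transfer 900 USD"     # constructed messages
    alice, bob = SyncParty(key), SyncParty(key)
    c1, c2, c3 = alice.encrypt(m1), alice.encrypt(m2), alice.encrypt(m1)
    received = [bob.decrypt(c) for c in (c1, c2, c3)]
    # Failure mode: a sender that lost its state restarts at offset 0,
    # so two messages are encrypted under the same part of the stream.
    r1, r2 = SyncParty(key).encrypt(m1), SyncParty(key).encrypt(m2)
    return {
        "roundtrip": received == [m1, m2, m1],
        "repeat_hidden": c1 != c3,                   # same message, new pad
        "sync_leak": xor(c1, c2) == xor(m1, m2),     # state kept: no leak
        "reuse_leak": xor(r1, r2) == xor(m1, m2),    # state lost: XOR leaks
    }

if __name__ == "__main__":
    print(demo())
```

With state kept on both sides, every message round-trips and a repeated message produces a different ciphertext; once the offset is reused, the XOR of two ciphertexts equals the XOR of the two plaintexts.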

22 Secure multiple encryptions using a stream cipher

23 Security against Chosen-Plaintext Attack (CPA)
We now consider a more powerful adversary that is active. The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.

24

25 Indistinguishable encryptions under CPA: Definition

26 CPA security for multiple encryptions
