1 CIS 5371 Cryptography 3b. Pseudorandomness. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography.


2 Pseudorandomness: An introduction. A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random. This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

3 Pseudorandomness: An introduction

4 Existence of pseudorandom generators. We cannot prove that pseudorandom generators exist! We believe that such generators can be constructed from one-way functions. There are some long-standing problems that have no known efficient solution, and it is believed that they are unsolvable in polynomial time.

5 Pseudorandom generators: informal definition. A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random. This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

6 Pseudorandomness: Definition

7 A secure fixed length encryption scheme

8 A secure fixed length encryption: Protocol Π

9 A secure fixed length encryption: Theorem

10 A secure fixed length encryption: Reduction. Adversary A (Protocol Π), Adversary A' (Distinguisher D)

11 A secure fixed length encryption: Proof

12 A secure fixed length encryption: Proof

13 Variable output length pseudorandom generators

14 Stream ciphers

15 Discussion. We use the term stream cipher for the PR stream generator, not the encryption algorithm. There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.

16 Discussion. The WEP encryption protocol used RC4 and was broken. It has since been fixed and the standard updated. If RC4 has to be used, the first 1024 bits or so should be discarded.

17 Discussion. From a security point of view, it is advocated to use block cipher constructions for constructing secure encryption schemes. The disadvantage is that this approach is less efficient than using a dedicated stream cipher.

18

19 Definition

20 Indistinguishable single encryptions vs indistinguishable multi encryptions

21 Secure multiple encryptions using a stream cipher: Synchronized mode. Communicating parties use a different part of the stream cipher output to encrypt each message. Useful for parties communicating in the same session. Communicating parties must maintain state between encryptions.
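
Synchronized mode as described on this slide, as an added example that is not part of the original slides: each party tracks its position in the key stream, so every message is XORed with a fresh part of the output. SHAKE-256 is an assumed stand-in for the variable output length generator, and the key, messages and the names `SyncStream` and `stateless_encrypt` are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, offset: int, n: int) -> bytes:
    """Bytes [offset, offset+n) of the stream expanded from key.
    SHAKE-256 is a stand-in generator chosen for this example (assumption)."""
    return hashlib.shake_256(key).digest(offset + n)[offset:]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SyncStream:
    """One end of a synchronized-mode session; the state is the stream position."""
    def __init__(self, key: bytes):
        self.key = key
        self.pos = 0

    def process(self, data: bytes) -> bytes:
        # Encryption and decryption are the same XOR; both advance the state.
        out = xor(data, keystream(self.key, self.pos, len(data)))
        self.pos += len(data)
        return out

def stateless_encrypt(key: bytes, msg: bytes) -> bytes:
    """Broken variant: no state kept, so every message starts at offset 0."""
    return xor(msg, keystream(key, 0, len(msg)))

def demo() -> dict:
    key = bytes(range(32))                       # constructed sample key
    m1, m2 = b"attack at dawn!!", b"retreat at nine!"
    sender, receiver = SyncStream(key), SyncStream(key)
    c1, c2 = sender.process(m1), sender.process(m2)
    recovered = (receiver.process(c1), receiver.process(c2))
    # A party that missed c1 is out of step and cannot decrypt c2.
    late = SyncStream(key)
    # Without state, both messages reuse the same key stream bytes.
    r1, r2 = stateless_encrypt(key, m1), stateless_encrypt(key, m2)
    return {
        "roundtrip": recovered == (m1, m2),
        "desync_fails": late.process(c2) != m2,
        "reuse_leaks": xor(r1, r2) == xor(m1, m2),  # eavesdropper learns m1 XOR m2
        "sync_leaks": xor(c1, c2) == xor(m1, m2),
        "sender_pos": sender.pos,
    }

if __name__ == "__main__":
    print(demo())
```

The `reuse_leaks` result shows why state is required: without it, the XOR of two ciphertexts equals the XOR of the two plaintexts.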

22 Secure multiple encryptions using a stream cipher

23 Security against Chosen-Plaintext Attack (CPA). We now consider a more powerful adversary that is active. The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.

24

25 Indistinguishable encryptions under CPA: Definition

26 CPA security for multiple encryptions

