Ryan Henry I 538 /B 609 : Introduction to Cryptography

Ryan Henry Last Thursday’s lecture: Perfectly secret encryption Today’s lecture: Negligible functions and probabilities Computationally secret encryption

Ryan Henry Thursday, September 10 Assignment 1 is due on Tuesday, September 8 (that’s this Thursday!) Assignment 2 has been posted 2

Ryan Henry Defining computational secrecy 1

Ryan Henry Defining “real world attackers” ▪I▪Idea 1: can rents 1,000 Amazon EC2 instances for 100 years –A–Attacker’s PhD thesis proposes a faster algorithm ▪I▪Idea 2: Attacker spends 10 million USD on hardware –I–Intel releases a significantly faster CPU (or GPU) ▪I▪Idea 3: Attacker controls 1.5 million host botnet –B–Botnet grows to contain 150 million hosts 4

Ryan Henry Defining “real world attackers” ▪ The “right” idea: Adversary is an arbitrary Turing Machine that runs in polynomial time – We make no assumption about which polynomial – Prove that attacker’s success probability is insignificantly small 5 Def n (Concrete security) : An encryption scheme (Gen, Enc, Dec) is said to be (t, ε )-secure if every Probabilistic Turing Machine that halts after t steps can “break” the secrecy of (Gen, Enc, Dec) with probability at most ε.

Ryan Henry Turing Machines 6 ▪A▪A simple, well-defined mathematical model of computation ▪M▪Measure running time by number of steps a TM requires before it halts –M–Measure robust in that all other “reasonable” models of computation require “polynomially related” number of steps Church-Turing thesis: TMs are universal: anything you can compute in theory, you can compute on a TM!

Ryan Henry Probabilistic polynomial time (PPT) Def n : A TM runs in polynomial time (PPT) if, on input an n- bit string, it halts after (at most) O ( t(n) ) steps, where t( ∙ ) denotes some polynomial function. 7 Def n : A polynomial time TM is said to be probabilistic polynomial time (PPT) if its output is a random var iable.

Ryan Henry Efficient attackers / algorithms ▪A▪An attacker is said to be efficient if we can implement is using a PPT Turing machine Q: Why equate “efficient” with “probabilistic polynomial time”? A: Experience tells us “doable in polynomial time” roughly equivalent to “doable (eventually) in practice” Nice composition theorems: –p–poly(n)+ poly(n)= poly(n) ← deg ( f(n) + g(n) ) = –p–poly(n) * poly(n)= poly(n) ← deg ( f(n) * g(n) ) = – poly( poly(n) )= poly(n) ← deg ( f ( g(n) ) ) = 8 ?? ?? ?? deg(f)+deg(g) max{ deg(f), deg(g) } deg(f) * deg(g)

Ryan Henry Negligible functions 9

Ryan Henry Noticeable functions 10 Q: If a function is not negligible, is it necessarily noticeable? A: No! See question 2 on assignment 2!

Ryan Henry Closure for negligible functions 11

Ryan Henry Negligible and overwhelming probabilities Def n : An event E occurs with probability negligible in n if Pr[E]is (bounded above by) a negligible function of n. 12

Ryan Henry That’s all for today, folks! 13