Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Published byDamon Barnett Modified over 8 years ago

Similar presentations

Presentation on theme: "Ryan Henry I 538 /B 609 : Introduction to Cryptography."— Presentation transcript:

1 Ryan Henry I 538 /B 609 : Introduction to Cryptography

2 Ryan Henry The goal of secure program obfuscation is to make a program ``unintelligible'' while preserving its functionality. For decades, program obfuscation for general programs has remained an art, with all public general-purpose obfuscation methods known to be broken. In this talk, we will describe new developments that for the first time provide a mathematical approach to the problem of general-purpose program obfuscation, where extracting secrets from the obfuscated program requires solving mathematical problems that currently take hundreds of years to solve on the world's fastest computing systems. We will also discuss the implications of these developments. Friday, November 13 at 3:00pm in LH 102: Amit Sahai, UCLA Software with Secrets

3 Ryan Henry Tuesday’s lecture: Computational hardness assumptions Diffie-Hellman key exchange Today’s lecture: Public key encryption IND-CPA / IND-CCA for public key schemes Trapdoor functions and permutations 2

4 Ryan Henry Assignment 5 is due Tuesday, November 10! (That’s next week!) 3

5 Ryan Henry Testing for generators Thm: Let (G,) be a cyclic group of order n=p 1 e 1 ⋯p k e k, where the p i are pairwise distinct primes. Then g∈G is a generator of (G,) if and only if ∀i=1,…,k, g n⁄p i ≢1.(*) 4 (“⇒”) By def n : If g∈G is a generator, then g m ≢1 for any 0<m<n. (“⇐”) Suppose g∈G satisfies Eq (*), and let j=|g|. By Lagrange’s Theorem, j|n; i.e., n=jq for some q∈ℕ +. In other words, j=p 1 e′ 1 ⋯p k e′ k where 0≤e′ i ≤e i for each i=1,…,k. If j<m, then ∃ i such that e′ i ≤e i, in which case j|(n⁄p i ). But then Eq (*) implies that g j ≢1, which is a contradiction. Hence, we must have that j≥m. ☐ Proof:

6 Ryan Henry Public-key encryption schemes 5 Def n : A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that – Gen:1 ℕ →K e ×K d is a randomized “keypair generation” algorithm; – Enc:K e ×M→C is an (often randomized) “encryption” algorithm; – Dec:K d ×C→M is a deterministic “decryption” algorithm. Usually write Enc k e (m) and Dec k d (m) instead of Enc(k e,m) and Dec(k d,m) K e is the encryption key space K d is the decryption key space M is the message space C is the ciphertext space (set of possible encryption keys) (set of possible decryption keys) (set of possible messages) (set of possible ciphertexts)

7 Ryan Henry Correctness ▪ Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key) 6 Def n : A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M, Pr[Dec k d (Enc k e (m))=m|(k e,k d )←Gen(1 s )]≥1-ε(s)

8 Ryan Henry Recall: IND-CPA security 7 (for symmetric-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} (m 10 ,m 11 )∈M×M (|m 10 |=|m 11 |) c 1 ←Enc k (m 1b ) b‘∈{0,1} 1 s1 s 1 s1 s (m 10 ,m 11 ) c 1 (m 20 ,m 21 )∈M×M (|m 20 |=|m 21 |) c 2 ←Enc k (m 2b ) (m 20 ,m 21 ) c 2 (m q0 ,m q1 )∈M×M (|m q0 |=|m q1 |) c q ←Enc k (m qb ) (m q0 ,m q1 ) c q ⋮ Define A’s advantage to be Adv CPA (A)≔|Pr[b=b’]-½| “left–or–right”

9 Ryan Henry Variants of the IND-CPA security game ▪ The game we have seen in lectures is sometimes called the “left­–or–right” IND–CPA game ▪ Three other (“equivalent”) variants are common: 1. “Real–or–random” IND–CPA security game 2. “Find–then–guess” IND–CPA security game 3. Semantic security game 8

10 Ryan Henry IND-CPA security 9 (for symmetric-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) m 1 ∈M c 1 ←Enc k (m 1 ) b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m n ∈M c n ←Enc k (m n ) m n c n ⋮ Game 0: (Attacker has access to real encryption oracle) Challenger (C) Attacker (A) k←Gen(1 s ) m 1 ∈M c 1 ∊C b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m n ∈M c n ∊C m n c n ⋮ Game 1: (Attacker has access to random oracle) “real–or–random” Define A’s advantage to be Adv ROR (A)≔|Pr[b=b’]-½|

11 Ryan Henry IND-CPA security 10 (for symmetric-key encryption) “find–then–guess” Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} m 1 ∈M c 1 ←Enc k (m 1 ) b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m q ∈M (M 1 ,M 2 )∈M×M (|M 1 |=|M 2 |) c q ←Enc k (m qb ) m q c q ⋮ (M 1 ,M 2 ) C C←Enc k (M b ) Define A’s advantage to be Adv FTG-CPA (A)≔|Pr[b=b’]-½|

12 Ryan Henry IND-CPA security for public-key schemes ▪F▪For symmetric-key encryption, we had two options: 1. Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper 2. Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA) Secrecy for single message ⇏secrecy for multiple messages ▪F▪For public-key encryption, we have only one option Secrecy for single message ⇔ secrecy for multiple messages 11

13 Ryan Henry 12 IND-CPA security (for public-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} b‘∈{0,1} 1 s1 s 1 s1 s (m 0 ,m 1 )∈M×M (|m 0 |=|m 1 |) c←Enc k (m b ) (m 0 ,m 1 ) c Define A’s advantage to be Adv CPA (A)≔|Pr[b=b’]-½| Def n : A public-key encryption scheme (Gen,Enc,Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv CPA (A)≤ε(s).

14 Ryan Henry 13 Challenger (C) Attacker (A) (k e ,k d )←Gen(1 s ) b∊{0,1} b‘∈{0,1} 1 s1 s 1 s1 s c1c1 m1m1 (M 0 ,M 1 ) c ⋮ c 1 ∈C (M 0 ,M 1 )∈M×M m 1 ≔Dec k d (c 1 ) c← Enc k e (M b ) ⋮ c’n2c’n2 m’n2m’n2 c’ n 2 ∈C∖ {c} m’ n 2 ≔Dec k d (c’ n 2 ) A c a n n o t a s k f o r D e c k d ( c ) cn1cn1 mn1mn1 c n 1 ∈C m n 1 ≔Dec k d (c n 1 ) c’1c’1 m’1m’1 c’ 1 ∈C∖ {c} m’ 1 ≔Dec k d (c’ 1 ) keke Define A’s advantage to be Adv CCA (A)≔|Pr[b=b’]-½| IND-CCA2 security (for public-key encryption)

15 Ryan Henry Thm: A public-key encryption scheme (Gen,Enc,Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv CCA (A)≤ε(s). 14 IND-CCA2 security (for public-key encryption)

16 Ryan Henry Consequences of public keys Thm (informal): Perfectly secret public-key encryption does not exist 15 Thm (informal): Deterministic IND-CPA secure public- key encryption does not exist ▪U▪Unbounded attacker can learn m via brute force (How do we know this is always possible?) ▪P▪PPT attacker can still learn m via brute force, given some prior knowledge about m

17 Ryan Henry Recall: One-way permutations (OWPs) 16 Challenger (C) Inverter (A) x∊{0,1} s y≔π(x) x 1 s1 s y Let E be the event that π(x)≟y Define A’s advantage to be Adv π -1 (A)≔Pr[E] 1 s1 s

18 Ryan Henry Recall: One-way permutations (OWPs) 17

19 Ryan Henry Trapdoor (one-way) permutations (TDPs) ▪I▪Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy –W–With trapdoor: ∃ PPT A that inverts with overwhelming probability –W–Without trapdoor: ∄ PPT A that inverts with non-negligible probability ⇒ hard for any PPT A to find the trapdoor ▪F▪Formally, we consider a family of permutations, each with its own trapdoor 18

20 Ryan Henry Trapdoor (one-way) permutations (TDPs) Def n : A triple of PPT algorithms (Gen,Samp,Inv) is a family of trapdoor permutations if 1. Gen:1 ℕ →K e ×K d is a randomized algorithm. Each (k e,k d )←Gen(1 n ) defines a set D k e and an OWP π D k e :D k e →D k e. 2. Samp: K e → ⋃ D k e is a randomized algorithm that, on input any k e ∈K e, outputs a random element of D k e 3. Inv: K d × ⋃ D k e → ⋃ D k e is a deterministic algorithm on input k d and x∈D k e for any (k e ,k d )←Gen(1 n ), outputs Π D -1 k e (x) 19

21 Ryan Henry That’s all for today, folks! 20

Download ppt "Ryan Henry I 538 /B 609 : Introduction to Cryptography."

Similar presentations

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
7. Asymmetric encryption-

7. Asymmetric encryption-
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Similar presentations

Ads by Google