upgrade structures and migrate to nextra v4

This commit is contained in:
Zheyuan Wu
2025-07-06 12:40:25 -05:00
parent 76e50de44d
commit 717520624d
317 changed files with 18143 additions and 22777 deletions

View File

@@ -0,0 +1,127 @@
# Lecture 1
## Chapter 1: Introduction
### Alice sending information to Bob
Assuming _Eve_ can always listen
Rule 1. Message, Encryption to Code and Decryption to original Message.
### Kerckhoffs' principle
It states that the security of a cryptographic system shouldn't rely on the secrecy of the algorithm (Assuming Eve knows how everything works.)
**Security is due to the security of the key.**
### Private key encryption scheme
Let $M$ be the set of message that Alice will send to Bob. (The message space) "plaintext"
Let $K$ be the set of key that will ever be used. (The key space)
$Gen$ be the key generation algorithm.
$k\gets Gen(K)$
$c\gets Enc_k(m)$ denotes cipher encryption.
$m'\gets Dec_k(c')$ $m'$ might be null for incorrect $c'$.
$P[k\gets K:Dec_k(Enc_k(M))=m]=1$ The probability of decryption of encrypted message is original message is 1.
*_in some cases we can allow the probability not be 1_
### Some examples of crypto system
Let $M=\text{all five letter strings}$.
And $K=[1,10^{10}]$
Example:
$P[k=k']=\frac{1}{10^{10}}$
$Enc_{1234567890}("brion")="brion1234567890"$
$Dec_{1234567890}(brion1234567890)="brion"$
Seems not very secure but valid crypto system.
### Early attempts for crypto system
#### Caesar cipher
$M=\text{finite string of texts}$
$K=[1,26]$
$Enc_k=[(i+K)\% 26\ for\ i \in m]=c$
$Dec_k=[(i+26-K)\% 26\ for\ i \in c]$
```python
def caesar_cipher_enc(s: str, k:int):
return ''.join([chr((ord(i)-ord('a')+k)%26+ord('a')) for i in s])
def caesar_cipher_dec(s: str, k:int):
return ''.join([chr((ord(i)-ord('a')+26-k)%26+ord('a')) for i in s])
```
#### Substitution cipher
$M=\text{finite string of texts}$
$K=\text{set of all bijective linear transformations (for English alphabet},|K|=26!\text{)}$
$Enc_k=[iK\ for\ i \in m]=c$
$Dec_k=[iK^{-1}\ for\ i \in c]$
Fails to frequency analysis
#### Vigenere Cipher
$M=\text{finite string of texts with length }m$
$K=\text{[0,26]}^n$ (assuming English alphabet)
```python
def viginere_cipher_enc(s: str, k: List[int]):
res=''
n,m=len(s),len(k)
j=0
for i in s:
res+=caesar_cipher_enc(i,k[j])
j=(j+1)%m
return res
def viginere_cipher_dec(s: str, k: List[int]):
res=''
n,m=len(s),len(k)
j=0
for i in s:
res+=caesar_cipher_dec(i,k[j])
j=(j+1)%m
return res
```
#### One time pad
Completely random string, sufficiently long.
$M=\text{finite string of texts with length }n$
$K=\text{[0,26]}^n$ (assuming English alphabet)$
$Enc_k=m\oplus k$
$Dec_k=c\oplus k$
```python
def one_time_pad_enc(s: str, k: List[int]):
return ''.join([chr((ord(i)-ord('a')+k[j])%26+ord('a')) for j,i in enumerate(s)])
def one_time_pad_dec(s: str, k: List[int]):
return ''.join([chr((ord(i)-ord('a')+26-k[j])%26+ord('a')) for j,i in enumerate(s)])
```
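Review bot: the `#### One time pad` block defines encryption as `$Enc_k=m\oplus k$` / `$Dec_k=c\oplus k$` (XOR), but `one_time_pad_enc` and `one_time_pad_dec` right under it add the key mod 26 over letters with key space `$K=\text{[0,26]}^n$`; pick one model and state it in both the formulas and the code, either bit strings with XOR (`$M=K=\{0,1\}^n$`, which is what the Lecture 11 file later uses) or letters with `$(m_i+k_i)\bmod 26$`. The key ranges `$K=[1,26]$` (Caesar) and `$[0,26]^n$` (Vigenere, OTP) should be `$\mathbb{Z}_{26}$`: 26 is not a residue mod 26 and a shift of 26 is the identity. None of the three Python snippets runs as pasted: `List` appears in the type hints without `from typing import List`, the function bodies are unindented as rendered, and `n` is assigned but unused in both Vigenere functions (also spelled `viginere`). Smaller: the Caesar formula writes the key as `K` where every other line uses `k`, `$Dec_{1234567890}(brion1234567890)$` lost its quotes around the argument, and the `*_` prefix on the "in some cases" remark leaves an unclosed emphasis marker.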

View File

@@ -0,0 +1,210 @@
# Lecture 10
## Chapter 2: Computational Hardness
### Discrete Log Assumption (Assumption 52.2)
This is collection of one-way functions
$$
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
$$
$$
a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1)
$$
$$
f_{g,p}(x)=g^x\mod p
$$
$$
f:\mathbb{Z}_q\to \mathbb{Z}^*_p
$$
#### Evidence for Discrete Log Assumption
Best known algorithm to always solve discrete log mod p, $p\in \Pi_n$
$$
O(2^{\sqrt{2}\sqrt{\log(n)}})
$$
### RSA Assumption
Let $e$ be the exponents
$$
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\epsilon(n)
$$
#### Theorem 53.2 (RSA Algorithm)
This is a collection of one-way functions
$I=\{(N,e):N=p\cdot q,p,q\in \Pi_n \textup{ and } e\in \mathbb{Z}_{\phi(N)}^*\}$
$D_{(N,e)}=\mathbb{Z}_N^*$
$R_{(N,e)}=\mathbb{Z}_N^*$
$f_{(N,e)}(x)=x^e\mod N$
Example:
On encryption side
$p=5,q=11,N=5\times 11=55$, $\phi(N)=4*10=40$
pick $e\in \mathbb{Z}_{40}^*$. say $e=3$, and $f(x)=x^3\mod 55$
pick $y\in \mathbb{Z}_{55}^*$. say $y=17$. We have $(55,3,17)$
$x^{40}\equiv 1\mod 55$
$x^{41}\equiv x\mod 55$
$x^{40k+1}\equiv x \mod 55$
Since $x^a\equiv x^{a\mod 40}\mod 55$ (by corollary of Fermat's little Theorem: $a^x\mod N=a^{x\mod \Phi(N)}\mod N$
s )
The problem is, what can we multiply by $3$ to get $1\mod \phi(N)=1\mod 40$.
by computing the multiplicative inverse using extended Euclidean algorithm we have $3\cdot 27\equiv 1\mod 40$.
$x^3\equiv 17\mod 55$
$x\equiv 17^{27}\mod 55$
On adversary side.
they don't know $\phi(N)=40$
$$
f(N,e):\mathbb{Z}_N^*\to \mathbb{Z}_N^*
$$
is a bijection.
Proof: Suppose $x_1^e\equiv x_2^e\mod n$
Then let $d=e^{-1}\mod \phi(N)$ (exists b/c $e\in\phi(N)^*$)
So $(x_1^e)^d\equiv (x_2^e)^d\mod N$
So $x_1^{e\cdot d\mod \phi(N)}\equiv x_2^{e\cdot d\mod \phi(N)}\mod N$ (Euler's Theorem)
$x_1\equiv x_2\mod N$
So it's one-to-one.
QED
Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$
$x^e\equiv (y^d)^e \equiv y\mod n$
Proof:
It's easy to sample from $I$:
* pick $p,q\in \Pi_n$. $N=p\cdot q$
* compute $\phi(N)=(p-1)(q-1)$
* pick $e\gets \mathbb{Z}^*_N$. If $gcd(e,\phi(N))\neq 1$, pick again ($\mathbb{Z}_{\phi_(N)}^*$ has plenty of elements.)
Easy to sample $\mathbb{\mathbb{Z}_N^*}$ (domain).
Easy to compute $x^e\mod N$.
Hard to invert:
$$
\begin{aligned}
&~~~~P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:f(\mathcal{A}((N,e),y))=y]\\
&=P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y)]\\
&=P[(N,e)\in I;y\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y),x^e\equiv y\mod N]\\
\end{aligned}
$$
By RSA assumption
The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$.
QED
#### Theorem If inverting RSA is hard, then factoring is hard.
$$
\textup{ RSA assumption }\implies \textup{ Factoring assumption}
$$
If inverting RSA is hard, then factoring is hard.
i.e If factoring is easy, then inverting RSA is easy.
Proof:
Suppose $\mathcal{A}$ is an adversary that breaks the factoring assumption, then
$$
P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q;\mathcal{A}(N)=(p,q)]>\frac{1}{p(n)}
$$
infinitely often.for a polynomial $p$.
Then we designing $B$ to invert RSA.
Suppose
$p,q\gets \Pi_n;N=p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;x\gets \mathbb{Z}^n;y=x^e\mod N$
``` python
def B(N,e,y):
"""
Goal: find x
"""
p,q=A(N)
if n!=p*q:
return None
phiN=(p-1)*(q-1)
# find modular inverse of e \mod N
d=extended_euclidean_algorithm(e,phiN)
# returns (y**d)%N
x=fast_modular_exponent(y,d,N)
return x
```
So the probability of B succeeds is equal to A succeeds, which $>\frac{1}{p(n)}$ infinitely often, breaking RSA assumption.
Remaining question: Can $x$ be found without factoring $N$? $y=x^e\mod N$
### One-way permutation (Definition 55.1)
A collection function $\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$ is a one-way permutation if
1. $\forall i,f_i$ is a permutation
2. $\mathcal{F}$ is a collection of one-way functions
_basically, a one-way permutation is a collection of one-way functions that maps $\{0,1\}^n$ to $\{0,1\}^n$ in a bijection way._
### Trapdoor permutations
Idea: $f:D\to R$ is a one-way permutation.
$y\gets R$.
* Finding $x$ such that $f(x)=y$ is hard.
* With some secret info about $f$, finding $x$ is easy.
$\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$
1. $\forall i,f_i$ is a permutation
2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info"
3. $\forall i,D_i$ can be sampled efficiently.
4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time.
5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\epsilon(n)$ (note: $\mathcal{A}$ is not given $t$)
6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info"
#### Theorem RSA is a trapdoor
RSA collection of trapdoor permutation with factorization $(p,q)$ of $N$, or $\phi(N)$, as trapdoor info $f$.
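Review bot: the reduction `def B(N,e,y):` cannot run: the guard `if n!=p*q:` refers to `n`, which is unbound in that function (the parameter is `N`), so the first call raises `NameError`; and the comment `# find modular inverse of e \mod N` should say mod `phiN`, which is what the following line computes. Since `extended_euclidean_algorithm(e,phiN)` by its name returns the gcd and Bezout coefficients, make the helper (or a wrapper) return the coefficient of `e` reduced into `[0, phiN)`, because that is the `d` that `fast_modular_exponent(y,d,N)` needs. Sampling sets in the surrounding math: the setup line before the code draws `$x\gets \mathbb{Z}^n$` and the RSA assumption draws `$y\gets \mathbb{N}_n$`, both should be `$\mathbb{Z}_N^*$`; the Gen step "pick `$e\gets \mathbb{Z}^*_N$`" should draw `e` from `$\mathbb{Z}^*_{\phi(N)}$` to match the index set `$I$` defined a few lines above; `$\mathbb{Z}*_{p}$` in the discrete-log setup is `$\mathbb{Z}^*_p$`; the bijection proof alternates between `$\bmod n$` and `$\bmod N$`; and the dangling `s )` after the Fermat corollary is a leftover.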

View File

@@ -0,0 +1,114 @@
# Lecture 11
Exam info posted tonight.
## Chapter 3: Indistinguishability and pseudo-randomness
### Pseudo-randomness
Idea: **Efficiently** produce many bits
which "appear" truly random.
#### One-time pad
$m\in\{0,1\}^n$
$Gen(1^n):k\gets \{0,1\}^N$
$Enc_k(m)=m\oplus k$
$Dec_k(c)=c\oplus k$
Advantage: Perfectly secret
Disadvantage: Impractical
The goal of pseudo-randomness is to make the algorithm, computationally secure, and practical.
Let $\{X_n\}$ be a sequence of distributions over $\{0,1\}^{l(n)}$, where $l(n)$ is a polynomial of $n$.
"Probability ensemble"
Example:
Let $U_n$ be the uniform distribution over $\{0,1\}^n$
For all $x\in \{0,1\}^n$
$P[x\gets U_n]=\frac{1}{2^n}$
For $1\leq i\leq n$, $P[x_i=1]=\frac{1}{2}$
For $1\leq i<j\leq n,P[x_i=1 \textup{ and } x_j=1]=\frac{1}{4}$ (by independence of different bits.)
Let $\{X_n\}_n$ and $\{Y_n\}_n$ be probability ensembles (separate of dist over $\{0,1\}^{l(n)}$)
$\{X_n\}_n$ and $\{Y_n\}_n$ are computationally **in-distinguishable** if for all non-uniform p.p.t adversary $\mathcal{D}$ ("distinguishers")
$$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|<\epsilon(n)
$$
this basically means that the probability of finding any pattern in the two array is negligible.
If there is a $\mathcal{D}$ such that
$$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n)
$$
then $\mathcal{D}$ is distinguishing with probability $\mu(n)$
If $\mu(n)\geq\frac{1}{p(n)}$, then $\mathcal{D}$ is distinguishing the two $\implies X_n\cancel{\approx} Y_n$
### Prediction lemma
$X_n^0$ and $X_n^1$ ensembles over $\{0,1\}^{l(n)}$
Suppose $\exists$ distinguisher $\mathcal{D}$ which distinguish by $\geq \mu(n)$. Then $\exists$ adversary $\mathcal{A}$ such that
$$
P[b\gets\{0,1\};t\gets X_n^b]:\mathcal{A}(t)=b]\geq \frac{1}{2}+\frac{\mu(n)}{2}
$$
Proof:
Without loss of generality, suppose
$$
P[t\gets X^1_n:\mathcal{D}(t)=1]-P[t\gets X_n^0:\mathcal{D}(t)=1]\geq \mu(n)
$$
$\mathcal{A}=\mathcal{D}$ (Outputs 1 if and only if $D$ outputs 1, otherwise 0.)
$$
\begin{aligned}
&~~~~~P[b\gets \{0,1\};t\gets X_n^b:\mathcal{A}(t)=b]\\
&=P[t\gets X_n^1;\mathcal{A}=1]\cdot P[b=1]+P[t\gets X_n^0;\mathcal{A}(t)=0]\cdot P[b=0]\\
&=\frac{1}{2}P[t\gets X_n^1;\mathcal{A}(t)=1]+\frac{1}{2}(1-P[t\gets X_n^0;\mathcal{A}(t)=1])\\
&=\frac{1}{2}+\frac{1}{2}(P[t\gets X_n^1;\mathcal{A}(t)=1]-P[t\gets X_n^0;\mathcal{A}(t)=1])\\
&\geq\frac{1}{2}+\frac{1}{2}\mu(n)\\
\end{aligned}
$$
### Pseudo-random
$\{X_n\}$ over $\{0,1\}^{l(n)}$ is **pseudorandom** if $\{X_n\}\approx\{U_{l(n)}\}$. i.e. indistinguishable from the true randomness.
Example:
Building distinguishers
1. $X_n$: always outputs $0^n$, $\mathcal{D}$: [outputs $1$ if $t=0^n$]
$$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=1-\frac{1}{2^n}\approx 1
$$
2. $X_n$: 1st $n-1$ bits are truly random $\gets U_{n-1}$ nth bit is $1$ with probability 0.50001 and $0$ with 0.49999, $D$: [outputs $1$ if $X_n=1$]
$$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=0.5001-0.5=0.001\neq 0
$$
3. $X_n$: For each bit $x_i\gets\{0,1\}$ **unless** there have been 1 million $0$'s. in a row. Then outputs $1$, $D$: [outputs $1$ if $x_1=x_2=...=x_{1000001}=0$]
$$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=|0-\frac{1}{2^{1000001}}|\neq 0
$$
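Review bot: example 2 under "Building distinguishers" is numerically inconsistent: the last bit is said to be `1` with probability 0.50001, the display then uses 0.5001, and 0.5001-0.5 is 0.0001, not the 0.001 written; pick one bias and carry it through. In the same item the distinguisher is written "outputs $1$ if $X_n=1$", but it tests the last bit of the sample `t`, so it should read "if $t_n=1$". Also in this file: `$Gen(1^n):k\gets \{0,1\}^N$` in the one-time-pad recap should be `$\{0,1\}^n$`; the prediction-lemma statement has a stray `]` in `t\gets X_n^b]:`; and the first line of its derivation writes `$\mathcal{A}=1$` where the remaining lines write `$\mathcal{A}(t)=1$`, and uses `;` where the surrounding lines use `:` before the event.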

View File

@@ -0,0 +1,152 @@
# Lecture 12
## Chapter 3: Indistinguishability and Pseudorandomness
$\{X_n\}$ and $\{Y_n\}$ are distinguishable by $\mu(n)$ if $\exists$ distinguisher $\mathcal{D}$
$$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n)
$$
- If $\mu(n)\geq \frac{1}{p(n)}\gets poly(n)$ for infinitely many n, then $\{X_n\}$ and $\{Y_n\}$ are distinguishable.
- Otherwise, indistinguishable ($|diff|<\epsilon(n)$)
Property: Closed under efficient procedures.
If $M$ is any n.u.p.p.t. which can take a ample from $t$ from $X_n,Y_n$ as input $M(X_n)$
If $\{X_n\}\approx\{Y_n\}$, then so are $\{M(X_n)\}\approx\{M(Y_n)\}$
Proof:
If $\mathcal{D}$ distinguishes $M(X_n)$ and $M(Y_n)$ by $\mu(n)$ then $\mathcal{D}(M(\cdot))$ is also a polynomial-time distinguisher of $X_n,Y_n$.
### Hybrid Lemma
Let $X^0_n,X^1_n,\dots,X^m_n$ are ensembles indexed from $1,..,m$
If $\mathcal{D}$ distinguishes $X_n^0$ and $X_n^m$ by $\mu(n)$, then $\exists i,1\leq i\leq m$ where $X_{n}^{i-1}$ and $X_n^i$ are distinguished by $\mathcal{D}$ by $\frac{\mu(n)}{m}$
Proof: (we use triangle inequality.) Let $p_i=P[t\gets X_n^i:\mathcal{D}(t)=1],0\leq i\leq m$. We have $|p_0-p_m|\geq m(n)$
Using telescoping tricks:
$$
\begin{aligned}
|p_0-p_m|&=|p_0-p_1+p_1-p_2+\dots +p_{m-1}-p_m|\\
&\leq |p_0-p_1|+|p_1-p_2|+\dots+|p_{m-1}-p_m|\\
\end{aligned}
$$
If all $|p_{i-1}-p_i|<\frac{\mu(n)}{m},|p_0-p_m|<\mu_n$ contradiction.
In applications, only useful if $m\leq q(n)$ polynomial
If $X^0_n$ and $X^m_n$ are distinguishable by $\frac{1}{p(n)}$, then $2$ inner "hybrids" are distinguishable $\frac{1}{p(n)q(n)}=\frac{1}{poly(n)}$
Example:
For some Brian in Week 1 and Week 50, a distinguisher $\mathcal{D}$ outputs 1 if hair is considered "long".
There is some week $i,1\leq i\leq 50$ $|p_{i-1}-p_i|\geq 0.02$
By prediction lemma, there is a machine that could
$$
P[b\to \{0,1\};pic\gets X^{i-1+b}:\mathcal{A}(pic)=b]\geq \frac{1}{2}+\frac{0.02}{2}=0.51
$$
### Next bit test (NBT)
We say $\{X_n\}$ passes the next bit test if $\forall i\in\{0,1,...,l(n)-1\}$ on $\{0,1\}^{l(n)}$ and for all adversaries $\mathcal{A}:P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n)$ (given first $i$ bit, the probability of successfully predicts $i+1$ th bit is almost random $\frac{1}{2}$)
Note that for any $\mathcal{A}$, and any $i$,
$$
P[t\gets U_{l(n)}:\mathcal{A}(t_1,...t_i)=t_{i+1}]=\frac{1}{2}
$$
If $\{X_n\}\approx\{U_{l(n)}\}$ (pseudorandom), then $X_n$ must pass NBT for all $i$.
Otherwise $\exists \mathcal{A},i$ where for infinitely many $n$,
$$
P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n)
$$
We can build a distinguisher $\mathcal{D}$ from $\mathcal{A}$.
The converse if True!
The NBT(Next bit test) is complete.
If $\{X_n\}$ on $\{0,1\}^{l(n)}$ passes NBT, then it's pseudorandom.
Ideas of proof: full proof is on the text.
Our idea is that we want to create $H^{l(n)}_n=\{X_n\}$ and $H^0_n=\{U_{l(n)}\}$
We construct "random" bit stream:
$$
H_n^i=\{x\gets X_n;u\gets U_{l(n)};t=x_1x_2\dots x_i u_{i+1}u_{i+2}\dots u_{l(n)}\}
$$
If $\{X_n\}$ were not pseudorandom, there is a $D$
$$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[u\gets U_{l(n)}:\mathcal{D}(u)=1]|=\mu(n)\geq \frac{1}{p(n)}
$$
By hybrid lemma, there is $i,1\leq i\leq l(n)$ where:
$$
|P[t\gets H^{i-1}:\mathcal{D}(t)=1]-P[t\gets H^i:\mathcal{D}(t)=1]|\geq \frac{1}{p(n)l(n)}=\frac{1}{poly(n)}
$$
$l(n)$ is the step we need to take transform $X$ to $X^n$
Let,
$$
H^i=x_1\dots x_i u_{i+1}\dots u_{l(n)}\\
H^i=x_1\dots x_i x_{i+1}\dots u_{l(n)}
$$
notice that only two bits are distinguished in the procedure.
$\mathcal{D}$ can distinguish $x_{i+1}$ from a truly random $U_{i+1}$, knowing the first $i$ bits $x_i\dots x_i$ came from $x\gets x_n$
So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT)
QED
## Pseudorandom Generator
Suppose $G:\{0,1\}^*\to\{0,1\}^*$ is a pseudorandom generator if the following is true:
1. $G$ is efficiently computable.
2. $|G(x)|\geq |x|\forall x$ (expansion)
3. $\{x\gets U_n:G(x)\}_n$ is pseudorandom
$n$ truly random bits $\to$ $n^2$ pseudorandom bits
### PRG exists if and only if one-way function exists
The other part of proof will be your homework, damn.
If one-way function exists, then Pseudorandom Generator exists.
Ideas of proof:
Let $f:\{0,1\}^n\to \{0,1\}^n$ be a strong one-way permutation (bijection).
$x\gets U_n$
$f(x)||x$
Not all bits of $x$ would be hard to predict.
**Hard-core bit:** One bit of information about $x$ which is hard to determine from $f(x)$. $P[\text{success}]\leq \frac{1}{2}+\epsilon(n)$
Depends on $f(x)$
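Review bot: the displayed condition for failing the next-bit test (the block after "Otherwise $\exists \mathcal{A},i$ where for infinitely many $n$,") repeats the pass condition `$\leq \frac{1}{2}+\epsilon(n)$`; it should be the negation, `$\geq \frac{1}{2}+\frac{1}{p(n)}$` for some polynomial `p`, otherwise the next sentence "We can build a distinguisher $\mathcal{D}$ from $\mathcal{A}$" has nothing to build from. In the completeness proof both hybrids are labelled `$H^i$`; the second, `H^i=x_1\dots x_i x_{i+1}\dots u_{l(n)}`, is `$H^{i+1}$`, and the sentence after it should read `$x_1\dots x_i$` (not `$x_i\dots x_i$`) and `$x\gets X_n$`. Smaller: `$\geq m(n)$` and `$<\mu_n$` in the hybrid-lemma proof are both `$\mu(n)$`; "a ample from $t$" is "a sample $t$"; "The converse if True!" is "is"; and the PRG expansion condition `$|G(x)|\geq |x|$` should be strict, as Definition 77.1 in the Lecture 13 file states (`$l(n)>n$`).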

View File

@@ -0,0 +1,161 @@
# Lecture 13
## Chapter 3: Indistinguishability and Pseudorandomness
### Pseudorandom Generator (PRG)
#### Definition 77.1 (Pseudorandom Generator)
$G:\{0,1\}^n\to\{0,1\}^{l(n)}$ is a pseudorandom generator if the following is true:
1. $G$ is efficiently computable.
2. $l(n)> n$ (expansion)
3. $\{x\gets \{0,1\}^n:G(x)\}_n\approx \{u\gets \{0,1\}^{l(n)}\}$
#### Definition 78.3 (Hard-core bit (predicate) (HCB))
Hard-core bit (predicate) (HCB): $h:\{0,1\}^n\to \{0,1\}$ is a hard-core bit of $f:\{0,1\}^n\to \{0,1\}^*$ if for every adversary $A$,
$$
Pr[x\gets \{0,1\}^n;y=f(x);A(1^n,y)=h(x)]\leq \frac{1}{2}+\epsilon(n)
$$
Ideas: $f:\{0,1\}^n\to \{0,1\}^*$ is a one-way function.
Given $y=f(x)$, it is hard to recover $x$. A cannot produce all of $x$ but can know some bits of $x$.
$h(x)$ is just a yes/no question regarding $x$.
Example:
In RSA function, we pick $p,q\in \Pi^n$ as primes and $N=pq$. $e\gets \mathbb{Z}_N^*$ and $f(x)=x^e\mod N$.
$h(x)=x_n$ is a HCB of $f$. Given RSA assumption.
**h(x) is not necessarily one of the bits of $x=x_1x_2\cdots x_n$.**
#### Theorem Any one-way function has a HCB.
A HCB can be produced for any one-way function.
Let $f:\{0,1\}^n\to \{0,1\}^*$ be a strong one-way function.
Define $g:\{0,1\}^{2n}\to \{0,1\}^*$ as $g(x,r)=(f(x), r),x\in \{0,1\}^n,r\in \{0,1\}^n$. $g$ is a strong one-way function. (proved in homework)
$$
h(x,r)=\langle x,r\rangle=x_1r_1+ x_2r_2+\cdots + x_nr_n\mod 2
$$
$\langle x,1^n\rangle=x_1+x_2+\cdots +x_n\mod 2$
$\langle x,0^{n-1}1\rangle=x_ n$
Ideas of proof:
If A could reliably find $\langle x,1^n\rangle$, with $r$ being completely random, then it could find $x$ too often.
### Pseudorandom Generator from HCB
1. $G(x)=\{0,1\}^n\to \{0,1\}^{n+1}$
2. $G(x)=\{0,1\}^n\to \{0,1\}^{l(n)}$
For (1),
#### Theorem HCB generates PRG
Let $f:\{0,1\}^n\to \{0,1\}^n$ be a one-way permutation (bijective) with a HCB $h$. Then $G(x)=f(x)|| h(x)$ is a PRG.
Proof:
Efficiently computable: $f$ is one-way so $h$ is efficiently computable.
Expansion: $n<n+1$
Pseudorandomness:
We proceed by contradiction.
Suppose $\{G(U_n)\}\cancel{\approx} \{U_{n+1}\}$. Then there would be a next-bit predictor $A$ such that for some bit $i$.
$$
Pr[x\gets \{0,1\}^n;t=G(x);A(t_1t_2\cdots t_{i-1})=t_i]\geq \frac{1}{2}+\epsilon(n)
$$
Since $f$ is a bijection, $x\gets U_n$ and $f(x)\gets U_n$.
$G(x)=f(x)|| h(x)$
So $A$ could not predict $t_i$ with advantage $\frac{1}{2}+\epsilon(n)$ given any first $n$ bits.
$$
Pr[t_i=1|t_1t_2\cdots t_{i-1}]= \frac{1}{2}
$$
So $i=n+1$ the last bit, $A$ could predict.
$$
Pr[x\gets \{0,1\}^n;y=f(x);A(y)=h(x)]>\frac{1}{2}+\epsilon(n)
$$
This contradicts the HCB definition of $h$.
### Construction of PRG
$G'=\{0,1\}^n\to \{0,1\}^{l(n)}$
using PRG $G:\{0,1\}^n\to \{0,1\}^{n+1}$
Let $s\gets \{0,1\}^n$ be a random string.
We proceed by the following construction:
$G(s)=X_1||b_1$
$G(X_1)=X_2||b_2$
$G(X_2)=X_3||b_3$
$\cdots$
$G(X_{l(n)-1})=X_{l(n)}||b_{l(n)}$
$G'(s)=b_1b_2b_3\cdots b_{l(n)}$
We claim $G':\{0,1\}^n\to \{0,1\}^{l(n)}$ is a PRG.
#### Corollary: Combining constructions
$f:\{0,1\}^n\to \{0,1\}^n$ is a one-way permutation with a HCB $h: \{0,1\}^n\to \{0,1\}$.
$G(s)=h(x)||h(f(x))||h(f^2(x))\cdots h(f^{l(n)-1}(x))$ is a PRG. Where $f^a(x)=f(f^{a-1}(x))$.
Proof:
$G'$ is a PRG:
1. Efficiently computable: since we are computing $G'$ by applying $G$ multiple times (polynomial of $l(n)$ times).
2. Expansion: $n<l(n)$.
3. Pseudorandomness: We proceed by contradiction. Suppose the output is not pseudorandom. Then there exists a distinguisher $\mathcal{D}$ that can distinguish $G'$ from $U_{l(n)}$ with advantage $\frac{1}{2}+\epsilon(n)$.
Strategy: use hybrid argument to construct distributions.
$$
\begin{aligned}
H^0&=U_{l(n)}=u_1u_2\cdots u_{l(n)}\\
H^1&=u_1u_2\cdots u_{l(n)-1}b_{l(n)}\\
H^2&=u_1u_2\cdots u_{l(n)-2}b_{l(n)-1}b_{l(n)}\\
&\cdots\\
H^{l(n)}&=b_1b_2\cdots b_{l(n)}
\end{aligned}
$$
By the hybrid argument, there exists an $i$ such that $\mathcal{D}$ can distinguish $H^i$ and $H^{i+1}$ $0\leq i\leq l(n)-1$ by $\frac{1}{p(n)l(n)}$
Show that there exists $\mathcal{D}$ for
$$
\{u\gets U_{n+1}\}\text{ vs. }\{x\gets U_n;G(x)=u\}
$$
with advantage $\frac{1}{2}+\epsilon(n)$. (contradiction)
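Review bot: the contradiction hypotheses in this file treat `$\frac{1}{2}+\epsilon(n)$` as a non-negligible success rate (the next-bit predictor bound `$\geq \frac{1}{2}+\epsilon(n)$`, and twice later "with advantage $\frac{1}{2}+\epsilon(n)$"), but `$\epsilon(n)$` is the negligible function throughout, and Definition 78.3 uses `$\leq \frac{1}{2}+\epsilon(n)$` for the secure case; the assumed predictor or distinguisher should succeed with probability `$\geq \frac{1}{2}+\frac{1}{p(n)}$`, i.e. advantage `$\frac{1}{p(n)}$` (an advantage is a difference of probabilities, so "advantage 1/2 + ..." is a category error). Also: "Efficiently computable: $f$ is one-way so $h$ is efficiently computable" does not follow; `h` being polynomial-time is part of the hard-core-bit definition and `f` is efficient by the one-way definition, so cite those. The RSA example draws `$e\gets \mathbb{Z}_N^*$` where the Lecture 10 index set requires `$e\in\mathbb{Z}_{\phi(N)}^*$`. The corollary `$G(s)=h(x)||h(f(x))||\cdots$` mixes `s` and `x`; from the construction (`$b_1=h(s)$`, `$X_1=f(s)$`) it should read `$h(s)||h(f(s))||\cdots||h(f^{l(n)-1}(s))$`.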

View File

@@ -0,0 +1,176 @@
# Lecture 14
## Recap
$\exists$ one-way functions $\implies$ $\exists$ PRG expand by any polynomial amount
$\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$, and $G$ is pseudorandom
$$
\{G(U_n)\}\approx \{U_{l(n)}\}
$$
Back to the experiment we did long time ago:
||Group 1|Group 2|
|---|---|---|
|$00000$ or $11111$|3|16|
|4 of 1's|42|56|
|balanced|too often|usual|
|consecutive repeats|0|4|
So Group 1 is human, Group 2 is computer.
## Chapter 3: Indistinguishability and Pseudorandomness
### Computationally secure encryption
Recall with perfect security,
$$
P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]
$$
for all $m_1,m_2\in M$ and $c\in C$.
$(Gen,Enc,Dec)$ is **single message secure** if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, $\forall m_1,m_2\gets \{0,1\}^n \in M^n$, $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligble probability.
$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)
$$
By the prediction lemma, ($\mathcal{A}$ is a ppt, you can also name it as $\mathcal{D}$)
$$
P[b\gets \{0,1\}:k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}
$$
and the above equation is $\frac{1}{2}$ for perfect secrecy.
### Construction of single message secure cryptosystem
cryptosystem with shorter keys. Mimic OTP(one time pad) with shorter keys with pseudorandom randomness.
$K=\{0,1\}^n$, $\mathcal{M}=\{0,1\}^{l(n)}$, $G:K \to \mathcal{M}$ is a PRG.
$Gen(1^n)$: $k\gets \{0,1\}^n$; output $k$.
$Enc_k(m)$: $r\gets \{0,1\}^{l(n)}$; output $G(k)\oplus m$.
$Dec_k(c)$: output $G(k)\oplus c$.
Proof of security:
Let $m_0,m_1\in \mathcal{M}$ be two messages, and $\mathcal{D}$ is a n.u.p.p.t distinguisher.
Suppose $\{K\gets Gen(1^n):Enc_k(m_i)\}$ is distinguished for $i=0,1$ by $\mathcal{D}$ and by $\mu(n)\geq\frac{1}{poly(n)}$.
Strategy: Move to OTP, then flip message.
$$
H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}
$$
$$
H_1(OTP(m_1)) = \{u\gets U_{l(n)}: m_o\oplus u\}
$$
$$
H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\}
$$
$$
H_3(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}
$$
By hybrid argument, 2 neighboring messages are indistinguishable.
However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.
$H_1$ and $H_2$ are indistinguishable by perfect secrecy of OTP.
$H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.
Which leads to a contradiction.
### Multi-message secure encryption
$(Gen,Enc,Dec)$ is multi-message secure if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, and $q(n)\in poly(n)$.
$$
\overline{m}=(m_1,\dots,m_{q(n)})
$$
$$
\overline{m}'=(m_1',\dots,m_{q(n)}')
$$
are list of $q(n)$ messages in $\{0,1\}^n$.
$\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligble probability.
$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)
$$
**THIS IS NOT MULTI-MESSAGE SECURE.**
We can take $\overline{m}=(0^n,0^n)\to (G(k),G(k))$ and $\overline{m}'=(0^n,1^n)\to (G(k),G(k)+1^n)$ the distinguisher can easily distinguish if some message was sent twice.
What we need is that the distinguisher cannot distinguish if some message was sent twice. To achieve multi-message security, we need our encryption function to use randomness (or change states) for each message, otherwise $Enc_k(0^n)$ will return the same on consecutive messages.
Our fix is, if we can agree on a random function $F:\{0,1\}^n\to \{0,1\}^n$ satisfied that: for each input $x\in\{0,1\}^n$, $F(x)$ is chosen uniformly at random.
$Gen(1^n):$ Choose random function $F:\{0,1\}^n\to \{0,1\}^n$.
$Enc_F(m):$ let $r\gets U_n$; output $(r,F(r)\oplus m)$.
$Dec_F(m):$ Given $(r,c)$, output $m=F(r)\oplus c$.
Ideas: Adversary sees $r$ but has no Ideas about $F(r)$. (we choose all outputs at random)
If we could do this, this is MMS (multi-message secure).
Proof:
Suppose $m_1,m_2,\dots,m_{q(n)}$, $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle.
Suppose the encryption are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$.
Strategy: move to OTP with hybrid argument.
Suppose we choose a random function
$$
H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}
$$
and
$$
H_1:\{OTP:(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\}
$$
$r_i,u_i\in U_n$.
By hybrid argument, $H_0$ and $H_1$ are indistinguishable if $r_1,\dots,r_{q(n)}$ are different, these are the same.
$F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random.
only possible problem is $r_i=r_j$ for some $i\neq j$, and $P[r_i=r_j]=\frac{1}{2^n}$.
And the probability that at least one pair are equal
$$
P[\text{at least one pair are equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{n}{2}\frac{1}{2^n} < \frac{n^2}{2^{n+1}}
$$
which is negligible.
Unfortunately, we cannot do this in practice.
How many random functions are there?
The length of description of $F$ is $n 2^n$.
For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.
So the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$.
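Review bot: the collision bound in the random-function proof counts the wrong pairs. The union is over the `$q(n)$` nonces `$r_1,\dots,r_{q(n)}$`, so it should be `$\binom{q(n)}{2}\frac{1}{2^n}<\frac{q(n)^2}{2^{n+1}}$`, not `$\binom{n}{2}\frac{1}{2^n}<\frac{n^2}{2^{n+1}}$`; the conclusion "negligible" still holds for polynomial `q`. Also in this file: the PRG-based scheme's `$Enc_k(m)$: $r\gets \{0,1\}^{l(n)}$; output $G(k)\oplus m$` samples `r` and never uses it (delete it, the scheme is deterministic, which is exactly why it fails multi-message security below); the hybrid labels are swapped, `H_1(OTP(m_1))` is the OTP of `$m_0$` (and `$m_o$` inside it is `$m_0$`) while `H_3(Enc_k(m_0))` encrypts `$m_1$`; the single-message definition hands `$\mathcal{D}$` both `$Enc_k(m_1)$` and `$Enc_k(m_2)$` in one call, whereas the prediction-lemma form two lines later (one ciphertext, guess `b`) is the intended experiment, and the multi-message version then bounds by `$\frac{1}{2}+\epsilon(n)$` where the single-message one bounds by `$\epsilon(n)$`; and `$(G(k),G(k)+1^n)$` should use `$\oplus$`.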

View File

@@ -0,0 +1,189 @@
# Lecture 15
## Chapter 3: Indistinguishability and Pseudorandomness
### Random Function
$F:\{0,1\}^n\to \{0,1\}^n$
For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.
pick $y=F(x)\gets \{0,1\}^n$ independently at random. ($n$ bits)
This generates $n\cdot 2^n$ random bits to specify $F$.
### Equivalent description of $F$
```python
# initialized empty list L
L=collections.defaultdict(int)
# initialize n bits constant
n=10
def F(x):
""" simulation of random function
param:
x: n bits
return:
y: n bits
"""
if L[x] is not None:
return L[x]
else:
# y is a random n-bit string
y=random.randbits(n)
L[x]=y
return y
```
However, this is not a good random function since two communicator may not agree on the same $F$.
### Pseudorandom Function
$f:\{0,1\}^n\to \{0,1\}^n$
#### Oracle Access (for function $g$)
$O_g$ is a p.p.t. that given $x\in \{0,1\}^n$ outputs $g(x)$.
The distinguisher $D$ is given oracle access to $O_g$ and outputs $1$ if $g$ is random and $0$ otherwise. It can make polynomially many queries.
### Oracle indistinguishability
$\{F_n\}$ and $\{G_n\}$ are sequence of distribution on functions
$$
f:\{0,1\}^{l_1(n)}\to \{0,1\}^{l_2(n)}
$$
that are computationally indistinguishable
$$
\{f_n\}\sim \{g_n\}
$$
if for all p.p.t. $D$ (with oracle access to $F_n$ and $G_n$),
$$
\left|P[f\gets F_n:D^f(1^n)=1]-P[g\gets G_n:D^g(1^n)=1]\right|< \epsilon(n)
$$
where $\epsilon(n)$ is negligible.
Under this property, we still have:
- Closure properties. under efficient procedures.
- Prediction lemma.
- Hybrid lemma.
### Pseudorandom Function Family
Definition: $\{f_s:\{0,1\}^\{0.1\}^{|S|}\to \{0,1\}^P$ $t_0s\in \{0,1\}^n\}$ is a pseudorandom function family if $\{f_s\}_{s\in \{0,1\}^n}$ are oracle indistinguishable.
- It is easy to compute for every $x\in \{0,1\}^{|S|}$.
- $\{s \gets\{0,1\}^n\}_n\approx \{F\gets RF_n,F\}$ is indistinguishable from the uniform distribution over $\{0,1\}^P$.
- $R$ is truly random function.
Example:
For $s\in \{0,1\}^n$, define $f_s:\overline{x}\mapsto s\cdot \overline{s}$.
$\mathcal{D}$ gives oracle access to $g(0^n)=\overline{y_0}$, $g(1^n)=\overline{y_1}$. If $\overline{y_0}+\overline{y_1}=1^n$, then $\mathcal{D}$ outputs $1$ otherwise $0$.
```python
def O_g(x):
pass
def D():
# bit_stream(0,n) is a n-bit string of 0s
y0=O_g(bit_stream(0,n))
y1=O_g(bit_stream(1,n))
if y0+y1==bit_stream(1,n):
return 1
else:
return 0
```
If $g=f_s$, then $D$ returns $\overline{s}+\overline{s}+1^n =1^n$.
$$
P[f_s\gets D^{f_s}(1^n)=1]=1
$$
$$
P[F\gets RF^n,D^F(1^n)=1]=\frac{1}{2^n}
$$
#### Theorem PRG exists then PRF family exists.
Proof:
Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.
$$
g(\overline{x})=[g_0(\overline{x})] [g_1(\overline{x})]
$$
Then we choose a random $s\in \{0,1\}^n$ (initial seed) and define $\overline{x}\gets \{0,1\}^n$, $\overline{x}=x_1\cdots x_n$.
$$
f_s(\overline{x})=f_s(x_1\cdots x_n)=g_{x_n}(\dots (g_{x_2}(g_{x_1}(s))))
$$
```python
s=random.randbits(n)
#????
def g(x):
if x[0]==0:
return g(f_s(x[1:]))
else:
return g(f_s(x[1:]))
def f_s(x):
return g(x)
```
Suppose $g:\{0,1\}^3\to \{0,1\}^6$ is a PRG.
| $x$ | $f_s(x)$ |
| --- | -------- |
| 000 | 110011 |
| 001 | 010010 |
| 010 | 001001 |
| 011 | 000110 |
| 100 | 100000 |
| 101 | 110110 |
| 110 | 000111 |
| 111 | 001110 |
Suppose the initial seed is $011$, then the constructed function tree goes as follows:
Example:
$$
\begin{aligned}
f_s(110)&=g_0(g_1(g_1(s)))\\
&=g_0(g_1(110))\\
&=g_0(111)\\
&=001
\end{aligned}
$$
$$
\begin{aligned}
f_s(010)&=g_0(g_1(g_0(s)))\\
&=g_0(g_1(000))\\
&=g_0(001)\\
&=010
\end{aligned}
$$
Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probability.
By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.
For $H_0$,
QED
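Review bot: the worked evaluation of `$f_s(010)$` does not follow the table above it. Row `000` gives `g(000)=110011`, so `$g_1(000)=011$`, not `001`; row `011` then gives `$g_0(011)=000$`, so `$f_s(010)=000$` (the `001` step looked up row `001` instead). The first example `$f_s(110)=001$` checks out. The table header should be `$g(x)$`, since the rows list the 6-bit PRG outputs, not `$f_s$`. Neither Python snippet implements what the text describes: in the random-function simulation `L=collections.defaultdict(int)` makes `L[x] is not None` always true, so every unseen `x` returns `0` (use a plain `dict` and `if x in L`), `random.randbits` does not exist (`random.getrandbits(n)`), and `collections`/`random` are never imported; in the PRF snippet `g` calls `f_s` and `f_s` calls `g`, which never terminates (the `#????` marker already flags it), whereas `$f_s(x_1\cdots x_n)=g_{x_n}(\dots g_{x_1}(s))$` wants a loop over the bits of `x` that keeps the left or right `n`-bit half of `g(cur)` at each step. Finally, the PRF-family definition line is garbled (`\{0,1\}^\{0.1\}^{|S|}` and `$t_0s$` lose the key and domain lengths), the example `$f_s:\overline{x}\mapsto s\cdot \overline{s}$` must be `$s\oplus\overline{x}$` for the later `$\overline{s}+\overline{s}+1^n=1^n$` computation to hold, and the security proof stops at "For $H_0$," before `QED`.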

View File

@@ -0,0 +1,134 @@
# Lecture 16
## Chapter 3: Indistinguishability and Pseudorandomness
PRG exists $\implies$ Pseudorandom function family exists.
### Multi-message secure encryption
$Gen(1^n):$ Output $f_i:\{0,1\}^n\to \{0,1\}^n$ from PRF family
$Enc_i(m):$ Random $r\gets \{0,1\}^n$
Ouput $(r,m\oplus f_i(r))$
$Dec_i(r,c):$ Output $c\oplus f_i(r)$
Proof of security:
Suppose $D$ distinguishes, for infinitly many $n$.
The encryption of $a$ pair of lists
(1) $\{i\gets Gen(1^n):(r_1,m_1\oplus f_i(r_1)),(r_2,m_2\oplus f_i(r_2)),(r_3,m_3\oplus f_i(r_3)),\ldots,(r_q,m_q\oplus f_i(r_q)), \}$
(2) $\{F\gets RF_n: (r_1,m_1\oplus F(r_1))\ldots\}$
(3) One-time pad $\{(r_1,m_1\oplus s_1)\}$
(4) One-time pad $\{(r_1,m_1'\oplus s_1)\}$
If (1) (2) distinguished,
$(r_1,f_i(r_1)),\ldots,(r_q,f_i(r_q))$ is distinguished from
$(r_1,F(r_1)),\ldots, (r_q,F(r_q))$
So $D$ distinguishing output of $r_1,\ldots, r_q$ of PRF from the RF, this contradicts with definition of PRF.
QED
Noe we have
(RSA assumption and Discrete log assumption for one-way function exists.)
One-way function exists $\implies$
Pseudo random generator exists $\implies$
Pseudo random function familiy exists $\implies$
Mult-message secure encryption exists.
### Public key cryptography
1970s.
The goal was to agree/share a key without meeting in advance
#### Diffie-Helmann Key exchange
A and B create a secret key together without meeting.
Rely on discrete log assumption.
They pulicly agree on modulus $p$ and generator $g$.
Alice picks random exponent $a$ and computes $g^a\mod p$
Bob picks random exponent $b$ and computes $g^b\mod p$
and they send result to each other.
And Alice do $(g^b)^a$ where Bob do $(g^a)^b$.
#### Diffie-Helmann assumption
With $g^a,g^b$ no one can compute $g^{ab}$.
#### Public key encryption scheme
Ideas: The recipient Bob distributes opened Bob-locks
- Once closed, only Bob can open it.
Public-key encryption scheme:
1. $Gen(1^n):$ Outputs $(pk,sk)$
2. $Enc_{pk}(m):$ Efficient for all $m,pk$
3. $Dec_{sk}(c):$ Efficient for all $c,sk$
4. $P[(pk,sk)\gets Gen(1^n):Dec_{sk}(Enc_{pk}(m))=m]=1$
Let $A, E$ knows $pk$ not $sk$ and $B$ knows $pk,sk$.
Adversary can now encrypt any message $m$ with the public key.
- Perfect secrecy impossible
- Randomness necessary
#### Security of public key
$\forall n.u.p.p.t D,\exists \epsilon(n)$ such that $\forall n,m_0,m_1\in \{0,1\}^n$
$$
\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_0))\} \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_1))\}
$$
are distinguished by at most $\epsilon (n)$
This "single" message security implies multi-message security!
_Left as exercise_
We will achieve security in sending a single bit $0,1$
Time for trapdoor permutation. (EX. RSA)
#### Encryption Scheme via Trapdoor Permutation
Given a family of trapdoor permutations $\{f_i\}$ with hardcore bit $h_i$:
$Gen(1^n):$ sample $(f_i,f_i^{-1})$, where $f_i^{-1}$ is computed using the trapdoor $t$.
$Output ((f_i,h_i),f_i^{-1})$
$m=0$ or $1$.
$Enc_{pk}(m):r\gets\{0,1\}^n$
$Output (f_i(r),h_i(r)\oplus m)$
$Dec_{sk}(c_1,c_2)$:
$r=f_i^{-1}(c_1)$
$m=c_2\oplus h_i(r)$


@@ -0,0 +1,159 @@
# Lecture 17
## Chapter 3: Indistinguishability and Pseudorandomness
### Public key encryption scheme (1-bit)
$Gen(1^n):(f_i, f_i^{-1})$
$f_i$ is the trapdoor permutation. (eg. RSA)
$Output((f_i, h_i), f_i^{-1})$, where $(f_i, h_i)$ is the public key and $f_i^{-1}$ is the secret key.
$Enc_{pk}(m):r\gets \{0, 1\}^n$
$Output(f_i(r), h_i(r)\oplus m)$
where $f_i(r)$ is denoted as $c_1$ and $h_i(r)\oplus m$ is the tag $c_2$.
The decryption function is:
$Dec_{sk}(c_1, c_2)$:
$r=f_i^{-1}(c_1)$
$m=c_2\oplus h_i(r)$
#### Validity of the decryption
Proof of the validity of the decryption: Exercise.
#### Security of the encryption scheme
The encryption scheme is secure under this construction (Trapdoor permutation (TDP), Hardcore bit (HCB)).
Proof:
We proceed by contradiction. (Constructing contradiction with definition of hardcore bit.)
Assume that there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $0$ and $1$ with non-negligible probability $\mu(n)$.
$$
\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(0))\} v.s.\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(1))\} \geq \mu(n)
$$
By the prediction lemma, the distinguisher can be used to create an adversary $\mathcal{A}$ that breaks the security of the encryption scheme with non-negligible probability $\mu(n)$:
$$
P[m\gets \{0,1\}; (pk,sk)\gets Gen(1^n):\mathcal{A}(pk,Enc_{pk}(m))=m]\geq \frac{1}{2}+\mu(n)
$$
We will use this to construct an agent $B$ which can determine the hardcore bit $h_i(r)$ of the trapdoor permutation $f_i(r)$ with non-negligible probability.
$f_i,h_i$ are determined.
$B$ is given $f_i(r)$ and outputs a guess $b\in \{0,1\}$ for the hardcore bit $h_i(r)$.
- $r\gets \{0,1\}^n$ is chosen uniformly at random.
- $y=f_i(r)$ is given to $B$.
- $b=h_i(r)$ is the bit $B$ must predict.
- Choose $c_2\gets \{0,1\}$ uniformly at random; implicitly $c_2= h_i(r)\oplus m$ for a uniformly random $m$.
- Then run $\mathcal{A}$ with $pk=(f_i, h_i)$ and the ciphertext $(y,c_2)$, which has the form $Enc_{pk}(m)=(f_i(r), h_i(r)\oplus m)$, to determine whether $m$ is $0$ or $1$.
- Let $m'\gets \mathcal{A}(pk,(y,c_2))$.
- Since $c_2=h_i(r)\oplus m$, we have $m=b\oplus c_2$, so $b=m'\oplus c_2$ whenever $m'=m$.
- Output $b=m'\oplus c_2$.
The probability that $B$ correctly guesses $b$ given $f_i,h_i$ is:
$$
\begin{aligned}
&~~~~~P[r\gets \{0,1\}^n: y=f_i(r), b=h_i(r): B(f_i,h_i,y)=b]\\
&=P[r\gets \{0,1\}^n,c_2\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,c_2))=(c_2\oplus b)]\\
&=P[r\gets \{0,1\}^n,m\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,b\oplus m))=m]\\
&>\frac{1}{2}+\mu(n)
\end{aligned}
$$
This contradicts the definition of hardcore bit.
QED
### Public key encryption scheme (multi-bit)
Let $m\in \{0,1\}^k$.
We can choose random $r_j\in \{0,1\}^n$, $y_j=f_i(r_j)$, $b_j=h_i(r_j)$, $c_j=m_j\oplus b_j$ for $j=1,\ldots,k$.
$Enc_{pk}(m)=((y_1,c_1),\cdots,(y_k,c_k))$, $c\in \{0,1\}^k$
$Dec_{sk}$: for each $j$, $r_j=f_i^{-1}(y_j)$ and $m_j=h_i(r_j)\oplus c_j$
### Special public key cryptosystem: El-Gamal (based on Diffie-Hellman Assumption)
#### Definition 105.1 Decisional Diffie-Hellman Assumption (DDH)
> Define the group of squares mod $p$ as follows:
>
> $p=2q+1$, $q\in \Pi_{n-1}$, $g\gets \mathbb{Z}_p^*/\{1\}$, $y=g^2$
>
> $G=\{y,y^2,\cdots,y^q=1\}\mod p$
These two listed below are indistinguishable.
$\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^{ab})\}_n$
$\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b,\bold{z}\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^\bold{z})\}_n$
> (Computational) Diffie-Hellman Assumption:
>
> Hard to compute $y^{ab}$ given $p,y,y^a,y^b$.
So DDH assumption implies discrete logarithm assumption.
Ideas:
If one could find $a,b$ from $y^a,y^b$ (i.e. compute discrete logs), one could compute $y^{ab}$ and compare it with the last component to check whether $(p,y,y^a,y^b,y^\bold{z})$ is a valid DDH tuple.
#### El-Gamal encryption scheme (public key cryptosystem)
$Gen(1^n)$:
$p\gets \tilde{\Pi_n},g\gets \mathbb{Z}_p^*/\{1\},y\gets Gen_q,a\gets \mathbb{Z}_q$
Output:
$pk=(p,y,y^a\mod p)$ (public key)
$sk=(p,y,a)$ (secret key)
**Message space:** $G_q=\{y,y^2,\cdots,y^q=1\}$
$Enc_{pk}(m)$:
$b\gets \mathbb{Z}_q$
$c_1=y^b\mod p,c_2=(y^{ab}\cdot m)\mod p$
Output: $(c_1,c_2)$
$Dec_{sk}(c_1,c_2)$:
Since $c_2=(y^{ab}\cdot m)\mod p$, we have $m=\frac{c_2}{c_1^a}\mod p$
Output: $m$
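The El-Gamal scheme above over the group of squares $G_q$, as an added Python example that is not part of the original notes. It assumes the constructed toy safe prime $p=1019=2\cdot 509+1$ (far too small for real use) and checks membership in $G_q$ with Euler's criterion, since the message space is $G_q$ and not all of $\mathbb{Z}_p^*$.

```python
import secrets

# Constructed toy parameters (assumption: far too small for real use):
# p = 2q + 1 = 1019 with q = 509 prime.
P, Q = 1019, 509


def in_group_of_squares(m: int, p: int) -> bool:
    """Euler's criterion: m is in G_q (a square mod p) iff m^q = 1 mod p."""
    return 1 <= m < p and pow(m, (p - 1) // 2, p) == 1


def keygen(p: int = P):
    """Gen(1^n): g <- Z_p^* \ {1, p-1}, y = g^2 generates G_q, a <- Z_q.
    pk = (p, y, y^a mod p), sk = (p, y, a)."""
    q = (p - 1) // 2
    g = secrets.randbelow(p - 3) + 2       # g in {2, ..., p-2}, so y = g^2 != 1
    y = pow(g, 2, p)                       # order of y divides q and q is prime: y generates G_q
    a = secrets.randbelow(q)
    pk = (p, y, pow(y, a, p))
    sk = (p, y, a)
    return pk, sk


def encrypt(pk, m: int):
    """Enc_pk(m): b <- Z_q, c1 = y^b, c2 = y^{ab} * m (all mod p)."""
    p, y, ya = pk
    if not in_group_of_squares(m, p):
        raise ValueError("message must lie in the group of squares G_q")
    b = secrets.randbelow((p - 1) // 2)
    c1 = pow(y, b, p)
    c2 = pow(ya, b, p) * m % p             # (y^a)^b = y^{ab}
    return c1, c2


def decrypt(sk, ct):
    """Dec_sk(c1, c2): m = c2 / c1^a mod p, since c1^a = y^{ab}."""
    p, y, a = sk
    c1, c2 = ct
    return c2 * pow(c1, -a, p) % p


def encode_message(pk, k: int) -> int:
    """Pick an element of the message space G_q as y^k (k is not secret)."""
    p, y, _ = pk
    return pow(y, k, p)


if __name__ == "__main__":
    pk, sk = keygen()
    m = encode_message(pk, 123)
    print("m =", m, "decrypt(encrypt(m)) =", decrypt(sk, encrypt(pk, m)))
```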
#### Security of El-Gamal encryption scheme
Proof:
If not secure, then there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $m_1,m_2\in G_q$ with non-negligible probability $\mu(n)$.
$$
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_1))\}\text{ vs. }\\
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_2))\}\geq \mu(n)
$$
And proceed by contradiction. This contradicts the DDH assumption.
QED


@@ -0,0 +1,148 @@
# Lecture 18
## Chapter 5: Authentication
### 5.1 Introduction
Signatures come in two flavours:
- **private key**: Alice and Bob share a secret key $k$. Message Authentication Codes (MACs).
- **public key**: anyone can verify the signature. Digital Signatures.
#### Definitions 134.1
A message authentication code (MAC) is a triple $(Gen, Tag, Ver)$ where
- $k\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a key $k$.
- $\sigma\gets Tag_k(m)$ is a p.p.t. algorithm that takes as input a key $k$ and a message $m$ and outputs a tag $\sigma$.
- $Ver_k(m, \sigma)$ is a deterministic algorithm that takes as input a key $k$, a message $m$, and a tag $\sigma$ and outputs "Accept" if $\sigma$ is a valid tag for $m$ under $k$ and "Reject" otherwise.
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
$$
P[k\gets Gen(1^k):Ver_k(m, Tag_k(m))=\textup {``Accept''}]=1
$$
#### Definition 134.2 (Security of MACs)
Security: Prevent an adversary from producing any accepted $(m, \sigma)$ pair that they haven't seen before.
- Assume they have seen some history of signed messages. $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$.
- Adversary $\mathcal{A}$ has oracle access to $Tag_k$. Goal is to produce a new $(m, \sigma)$ pair that is accepted but none of $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$.
$\forall$ n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Tag_k(\cdot)$,
$$
\Pr[k\gets Gen(1^k);(m, \sigma)\gets\mathcal{A}^{Tag_k(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
$$
#### MAC scheme
$F=\{f_s\}$ is a PRF family.
$f_s:\{0,1\}^{|s|}\to\{0,1\}^{|s|}$
$Gen(1^n): s\gets \{0,1\}^n$
$Tag_s(m)$ outputs $f_s(m)$.
$Ver_s(m, \sigma)$ outputs "Accept" if $f_s(m)=\sigma$ and "Reject" otherwise.
Proof of security (Outline):
Suppose we used $F\gets RF_n$ (a truly random function) in place of $f_s$.
Whenever $\mathcal{A}$ queries $F(m)$ for $m\in \{m_1, \ldots, m_q\}$, the answer is a fresh uniform value $F(m)\gets U_n$; for an unqueried $m$, $F(m)$ is still uniform and independent of everything $\mathcal{A}$ has seen.
$$
\begin{aligned}
&P[F\gets RF_n; (m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_F(m, \sigma)=\textup{``Accept''}]\\
&=P[F\gets RF_n: \sigma=F(m)\textup{ for an unqueried }m]\\
&=\frac{1}{2^n}<\epsilon(n)
\end{aligned}
$$
Suppose an adversary $\mathcal{A}$ has $\frac{1}{p(n)}$ chance of success with our PRF-based scheme...
This could be used to distinguish PRF $f_s$ from a random function.
The distinguisher runs as follows:
- Runs $\mathcal{A}(1^n)$
- Whenever $\mathcal{A}$ asks for $Tag_k(m)$, we ask our oracle for $f(m)$
- $(m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^n)$
- Query oracle for $f(m)$
- If $\sigma=f(m)$, output 1
- Otherwise, output 0
$D$ will output 1 for PRF with probability $\frac{1}{p(n)}$ and for RF with probability $\frac{1}{2^n}$.
#### Definition 135.1 (Digital Signature D.S. over $\{M_n\}_n$)
A digital signature scheme is a triple $(Gen, Sign, Ver)$ where
- $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$.
- $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$.
- $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
$$
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
$$
#### Security of Digital Signature
$$
P[(pk,sk)\gets Gen(1^k); (m, \sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_{pk}(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
$$
For all n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Sign_{sk}(\cdot)$.
### 5.4 One time security: $\mathcal{A}$ can only use oracle once.
Output $(m, \sigma)$ with $m\neq m_1$, where $m_1$ is the single queried message.
Roadmap (security parameter $n$):
- One time security on $\{0,1\}^n$
- One time security on $\{0,1\}^*$
- Regular security on $\{0,1\}^*$
Note: the adversary automatically has access to $Ver_{pk}(\cdot)$
#### One time security scheme (Lamport Scheme on $\{0,1\}^n$)
$Gen(1^n)$: choose $2n$ random $n$-bit strings.
$sk$:
- List 0: $\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0$
- List 1: $\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1$
All $\bar{x_i}^j\in\{0,1\}^n$
$pk$: For a strong one-way function $f$
- List 0: $f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)$
- List 1: $f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)$
$Sign_{sk}(m):(m_1, m_2, \ldots, m_n)\mapsto(\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n})$
$Ver_{pk}(m, \sigma)$: output "Accept" if $f(\sigma_j)=f(\bar{x_j}^{m_j})$ for every $j$ (i.e. each $\sigma_j$ matches the published entry of list $m_j$ at position $j$) and "Reject" otherwise.
> Example: When we sign a message $01100$, $$Sign_{sk}(01100)=(\bar{x_1}^0, \bar{x_2}^1, \bar{x_3}^1, \bar{x_4}^0, \bar{x_5}^0)$$
> We only reveal the $x_1^0, x_2^1, x_3^1, x_4^0, x_5^0$
> A second signature on a different message reveals further strings from the lists.
> The adversary can query the oracle for $Sign_{sk}(0^n)$ (reveals list 0) and $Sign_{sk}(1^n)$ (reveals list 1) and then produce any valid signature they want.


@@ -0,0 +1,124 @@
# Lecture 19
## Chapter 5: Authentication
### One-Time Secure Digital Signature
#### Definition 136.2 (Security of Digital Signature)
A digital signature scheme $(Gen, Sign, Ver)$ is secure if for all n.u.p.p.t. $\mathcal{A}$, there exists a negligible function $\epsilon(n)$ such that $\forall n\in\mathbb{N}$,
$$
P[(pk,sk)\gets Gen(1^n); (m,\sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^n); \mathcal{A}\textup{ did not query }m\textup{ and } Ver_{pk}(m,\sigma)=\textup{``Accept''}]\leq \frac{1}{p(n)}+\epsilon(n)
$$
A digital signature scheme is one-time secure if it is secure and the adversary makes only one query to the signing oracle.
### Lamport's One-Time Signature
Given a one-way function $f$, we can create a signature scheme as follows:
We construct a key pair $(sk, pk)$ as follows:
$sk$ is two lists of random strings,
where $sk_0=\{\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0\}$
and $sk_1=\{\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1\}$.
$pk$ is the image of $sk$ under $f$, i.e. $pk = f(sk)$.
where $pk_0 = \{f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)\}$
and $pk_1 = \{f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)\}$.
To sign a message $m\in\{0,1\}^n$, we output the signature $Sign_{sk}(m=m_1m_2\ldots m_n) = \{\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n}\}$.
To verify a signature $\sigma$ on $m$, we check if $f(\sigma) = pk_m$.
This is no more than one-time secure, since the adversary can ask the oracle for $Sign_{sk}(0^n)$ and $Sign_{sk}(1^n)$, which reveal the whole lists $sk_0$ and $sk_1$ (the preimages of $pk_0$ and $pk_1$), and can then sign any message.
We will show it is one-time secure
Ideas of proof:
Say their query is $Sign_{sk}(0^n)$, which reveals all of $sk_0$.
Now they must sign $m\neq 0^n$. There must be a 1 somewhere in the message; say the $i$th bit is the first 1. Then they need to produce $x'$ such that $f(x')=f(x_i^1)$, which inverts the one-way function.
Proof of one-time security:
Suppose there exists an adversary $\mathcal{A}$ that can produce a valid signature on a different message after one query to the oracle with non-negligible probability $\mu>\frac{1}{p(n)}$.
We will design an algorithm $B$ which uses $\mathcal{A}$ to invert the one-way function with non-negligible probability.
Let $x\gets \{0,1\}^n$ be a random variable, $y=f(x)$.
$B$: input is $y$ and $1^n$. Our goal is to find $x'$ such that $f(x')=y$.
Create 2 lists:
$sk_0=\{x_0^0, x_1^0, \ldots, x_{n-1}^0\}$
$sk_1=\{x_0^1, x_1^1, \ldots, x_{n-1}^1\}$
Then we pick a random $(c,i)\gets \{0,1\}\times [n]$. ($2n$ possibilities)
Replace $f(x_i^c)$ in $pk_c$ with $y$.
$B$ now knows every preimage in $sk_0,sk_1$ except $x_i^c$, whose image is $y$ (its preimage is exactly the $x'$ we are looking for).
Run $\mathcal{A}$ on input $pk$ and $1^n$. It will query $Sign_{sk}$ on some message $m$.
Case 1: $m_i=1-c$
We can answer with all of $x_1^{m_1}, x_2^{m_2}, \ldots, x_n^{m_n}$, since the only unknown string $x_i^c$ is not needed.
Case 2: $m_i=c$
We must abort, since $x_i^c$ is unknown.
Since $\mathcal{A}$ outputs a valid $(m',\sigma)$ with non-negligible probability, we are hoping that $m_i'=c$. Then $\sigma$ must contain a preimage of $y$.
Since $m'\neq m$, some bit of $m'$ differs from $m$, and the probability that our chosen position $i$ is such a bit (so that $m_i'=c$) is $P[m_i'=c]\geq \frac{1}{n}$.
$\sigma=(x_1^{m'_1},x_2^{m'_2},\ldots,x_n^{m'_n})$
Check if $f(\sigma_i)=y$. If so, output $x'=\sigma_i$. (all correct with prob $\geq \frac{1}{p(n)}$)
If not, try again.
$B$ inverts $f$ with prob $\geq \frac{1}{p(n)}$
### Collision Resistant Hash Functions (CRHF)
We now have a one-time secure signature scheme.
We want a one-time secure signature scheme that can sign messages longer than the keys.
Let $H=\{h_i:D_i\to R_i\}_{i\in I}$ be a family of functions. $H$ is a family of CRHF if:
- Easy to pick: $Gen(1^n)$ outputs $i\in I$ (p.p.t.)
- Compression: $|R_i|<|D_i|$ for each $i\in I$
- Easy to compute: $h_i(x)$ can be computed for all $i$ and $x\in D_i$ by a p.p.t. algorithm
- Collision resistant: $\forall$ n.u.p.p.t. $\mathcal{A}$, $\forall n$,
$$
P[i\gets Gen(1^n); (x_1,x_2)\gets \mathcal{A}(1^n,i): h_i(x_1)=h_i(x_2)\land x_1\neq x_2]\leq \epsilon(n)
$$
CRHF implies one-way function.
But not the other way around. (CRHF is a stronger notion than one-way function.)


@@ -0,0 +1,97 @@
# Lecture 2
## Probability review
Sample space $S=\text{set of outcomes (possible results of experiments)}$
Event $A\subseteq S$
$P[A]=P[$ outcome $x\in A]$
$P[\{x\}]=P[x]$
Conditional probability:
$P[A|B]={P[A\cap B]\over P[B]}$
Assuming $B$ is the known information. Moreover, $P[B]>0$
Probability of $A$ and $B$ both occurring: $P[A\cap B]=P[A|B]\cdot P[B]$
$P[B\cap A]=P[B|A]\cdot P[A]$
So $P[A|B]={P[B|A]\cdot P[A]\over P[B]}$ (Bayes Theorem)
**There is always a chance that random guess would be the password... Although really, really, low...**
### Law of total probability
Let $S=\bigcup_{i=1}^n B_i$, where the $B_i$ are disjoint events.
$A=\bigcup_{i=1}^n A\cap B_i$ ($A\cap B_i$ are all disjoint)
$P[A]=\sum^n_{i=1} P[A|B_i]\cdot P[B_i]$
## Chapter 1: Introduction
### Defining security
#### Perfect Secrecy (Shannon Secrecy)
$k\gets Gen()$ $k\in K$
$c\gets Enc_k(m)$ or we can also write as $c\gets Enc(k,m)$ for $m\in M$
And the decryption procedure:
$m'\gets Dec_k(c')$, $m'$ might be null.
$P[k\gets Gen(): Dec_k(Enc_k(m))=m]=1$
#### Definition 11.1 (Shannon Secrecy)
Distribution $D$ over the message space $M$
$P[k\gets Gen;m\gets D: m=m'|c\gets Enc_k(m)]=P[m\gets D: m=m']$
Basically, we cannot gain any information from the encoded message.
The ciphertext shall not contain any information that changes the distribution of the message after viewing it.
**NO INFO GAINED**
#### Definition 11.2 (Perfect Secrecy)
For any 2 messages, say $m_1,m_2\in M$ and for any possible cipher $c$,
$P[k\gets Gen:c\gets Enc_k(m_1)]=P[k\gets Gen():c\gets Enc_k(m_2)]$
For a fixed $c$, every message could have been encrypted to it with equal probability.
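Both definitions checked by exhaustion on a toy cipher, as an added Python example that is not part of the original notes. It assumes a constructed scheme on 3-bit messages, $Enc_k(m)=m\oplus k$: with 3-bit keys it is the one-time pad, and with a constructed 2-bit key space (K_SHORT) it is deliberately broken; `perfectly_secret` tests Definition 11.2 and `shannon_secret` tests Definition 11.1 for one skewed distribution via Bayes' theorem from the probability review.

```python
from collections import Counter
from fractions import Fraction

# Constructed toy scheme: 3-bit messages, Enc_k(m) = m xor k. With K_FULL it is the
# one-time pad; K_SHORT (only 2-bit keys, so the top bit of k is always 0) is a
# deliberately broken variant whose ciphertext leaks the top bit of the message.
M = range(8)
K_FULL = range(8)
K_SHORT = range(4)


def enc(k: int, m: int) -> int:
    return m ^ k


def perfectly_secret(enc, M, K) -> bool:
    """Definition 11.2: for every c and all m1, m2 in M,
    P[k <- K : Enc_k(m1) = c] == P[k <- K : Enc_k(m2) = c]   (k uniform on K).
    With a uniform key this is a comparison of counts."""
    counts = {m: Counter(enc(k, m) for k in K) for m in M}
    ciphertexts = set().union(*(cnt.keys() for cnt in counts.values()))
    return all(counts[m1][c] == counts[m2][c]
               for c in ciphertexts for m1 in M for m2 in M)


def posterior(enc, M, K, D, m_prime: int, c: int) -> Fraction:
    """P[m = m' | c] by Bayes' theorem and the law of total probability:
    P[c | m=m'] P[m=m'] / sum_i P[c | m=m_i] P[m=m_i], with k uniform on K and m ~ D."""
    p_c_given = {m: Fraction(sum(1 for k in K if enc(k, m) == c), len(K)) for m in M}
    marginal = sum(p_c_given[m] * D[m] for m in M)
    return p_c_given[m_prime] * D[m_prime] / marginal


def shannon_secret(enc, M, K, D) -> bool:
    """Definition 11.1 for one distribution D: the posterior P[m=m' | c] equals
    the prior P[m=m'] for every m' and every reachable c."""
    ciphertexts = {enc(k, m) for k in K for m in M}
    return all(posterior(enc, M, K, D, m_p, c) == D[m_p]
               for m_p in M for c in ciphertexts)


# Constructed skewed message distribution: message 0 is sent half the time.
D_SKEWED = {m: (Fraction(1, 2) if m == 0 else Fraction(1, 14)) for m in M}

if __name__ == "__main__":
    print("OTP perfectly secret:", perfectly_secret(enc, M, K_FULL))
    print("short-key variant perfectly secret:", perfectly_secret(enc, M, K_SHORT))
    print("P[m=0 | c=0] with short keys:", posterior(enc, M, K_SHORT, D_SKEWED, 0, 0))
```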
#### Theorem 12.3
Shannon secrecy is equivalent to perfect secrecy.
Proof:
If a cryptosystem satisfies perfect secrecy, then it also satisfies Shannon secrecy.
Let $(Gen,Enc,Dec)$ be a perfectly secret crypto-system with $K$ and $M$.
Let $D$ be any distribution over messages.
Let $m'\in M$.
$$
\begin{aligned}
P[k\gets Gen();m\gets D:m=m'|c\gets Enc_k(m)]&={P_{k,m}[c\gets Enc_k(m)\mid m=m']\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\
&={P_k[c\gets Enc_k(m')]\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\
P_{k,m}[c\gets Enc_k(m)]&=\sum^n_{i=1}P_{k,m}[c\gets Enc_k(m)\mid m=m_i]\cdot P[m=m_i]\\
&=\sum^n_{i=1}P_{k,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i]
\end{aligned}
$$
and $P_{k,m_i}[c\gets Enc_k(m_i)]$ is the same constant for every $m_i$ (equal to $P_k[c\gets Enc_k(m')]$) due to perfect secrecy, so it factors out of the sum:
$\sum^n_{i=1}P_{k,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i]=P_k[c\gets Enc_k(m')]\cdot\sum^n_{i=1} P[m=m_i]$, and $\sum^n_{i=1} P[m=m_i]=1$.


@@ -0,0 +1,176 @@
# Lecture 20
## Chapter 5: Authentication
### Construction of CRHF (Collision Resistant Hash Function)
Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
Based on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:
$Gen(1^n):(g,p,y)$
$p\in \tilde{\Pi}_n$ ($p=2q+1$)
$g$ is a generator of the group of squares mod $p$ ($G_q$)
$y$ is a random element in $G_q$
$h_{g,p,y}(x,b)=y^bg^x\mod p$, with $y^bg^x\mod p \in \{0,1\}^n$:
$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.
Under the discrete log assumption, $H$ is a CRHF:
- It is easy to sample $(g,p,y)$
- It is easy to compute
- It compresses by 1 bit
Proof:
The hash function $h$ is a CRHF
Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$.
$$
P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}
$$
Where $y^{b_1}g^{x_1}=y^{b_2}g^{x_2}\mod p$ is the collision of $H$.
Suppose $b_1=b_2$.
Then $y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p$ implies $g^{x_1}\equiv g^{x_2}\mod p$.
So $x_1=x_2$ and $(x_1,b_1)=(x_2,b_2)$.
So $b_1\neq b_2$. Without loss of generality, say $b_1=1$ and $b_2=0$.
$y\cdot g^{x_1}\equiv g^{x_2}\mod p$ implies $y\equiv g^{x_2-x_1}\mod p$.
We can create an adversary $\mathcal{B}$ that breaks the discrete log assumption with non-negligible probability $\mu(n)$ using $\mathcal{A}$.
Let $g,p$ be chosen, and let $y=g^x\mod p$ for a random $x$ that $\mathcal{B}$ does not know (the discrete log challenge).
Let the algorithm $\mathcal{B}$ be defined as follows (the collision finder $\mathcal{A}$ is passed in as a callable):
```python
def B(p, g, y, A):
    """Use collision finder A for h_{g,p,y} to compute x with g^x = y mod p."""
    q = (p - 1) // 2
    (x_1, b_1), (x_2, b_2) = A(p, g, y)
    if b_1 == 0 and b_2 == 1:                      # reorder so that b_1 = 1, b_2 = 0
        (x_1, b_1), (x_2, b_2) = (x_2, b_2), (x_1, b_1)
    collision = (y * pow(g, x_1, p)) % p == pow(g, x_2, p)
    if b_1 == 1 and b_2 == 0 and collision:
        return (x_2 - x_1) % q                     # y = g^{x_2 - x_1} mod p
    return "Failed"
```
$$
P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}
$$
So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$, which contradicts the discrete log assumption.
So $h$ is a CRHF.
QED
To compress by more, say $h_k:\{0,1\}^n\to \{0,1\}^{n-k},k\geq 1$, we can apply $h: \{0,1\}^{n+1}\to \{0,1\}^n$ (instantiated for each intermediate length) $k$ times:
$$
h_k(x)=h(h(\cdots(h(x))\cdots))=h^{k}(x)
$$
To find a collision of $h_k$, the adversary must find a collision of $h$ at one of the $k$ levels.
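The discrete-log hash $h_{g,p,y}$ and the collision-to-discrete-log relation used in the proof, as an added Python example that is not part of the original notes. It assumes the constructed toy safe prime $p=1019$ (small enough to count the image of $h$ by exhaustion); `planted_collision` uses the exponent $a$ with $y=g^a$, which a real `Gen` would never reveal, only to construct the kind of collision the reduction exploits.

```python
import secrets

# Constructed toy parameters (assumption: much too small for real use):
# p = 2q + 1 = 1019 with q = 509 prime.
P, Q = 1019, 509


def gen(p: int = P):
    """Gen(1^n): (g, p, y) with g generating the squares G_q and y random in G_q.
    For the demonstration the exponent a with y = g^a is returned too; a real Gen
    would discard it (assumption for this example only)."""
    q = (p - 1) // 2
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # square of an element of {2..p-2}: order q
    a = secrets.randbelow(q)
    y = pow(g, a, p)
    return (g, p, y), a


def h(params, x: int, b: int) -> int:
    """h_{g,p,y}(x, b) = y^b * g^x mod p, for x in Z_q and b in {0,1}.
    2q possible inputs, q possible outputs: compression by one bit."""
    g, p, y = params
    q = (p - 1) // 2
    if not (0 <= x < q and b in (0, 1)):
        raise ValueError("x must lie in Z_q and b in {0,1}")
    return pow(y, b, p) * pow(g, x, p) % p


def domain_and_image_size(params):
    """Count inputs and distinct outputs by exhaustion (feasible only for toy p)."""
    g, p, y = params
    q = (p - 1) // 2
    outputs = {h(params, x, b) for x in range(q) for b in (0, 1)}
    return 2 * q, len(outputs)


def planted_collision(params, a: int, x1: int):
    """Whoever knows log_g(y) = a can write down the collision the proof talks about:
    (x1, 1) and (x1 + a mod q, 0), since y * g^x1 = g^(a + x1)."""
    g, p, y = params
    q = (p - 1) // 2
    return (x1, 1), ((x1 + a) % q, 0)


def dlog_from_collision(params, pair1, pair2):
    """The extraction step of the reduction: a collision with b1 != b2 yields
    log_g(y) = x2 - x1 mod q (ordered so that b1 = 1, b2 = 0). With b1 == b2 the
    inputs are forced to be equal because g has order q, so there is nothing to extract."""
    g, p, y = params
    q = (p - 1) // 2
    (x1, b1), (x2, b2) = pair1, pair2
    if (x1, b1) == (x2, b2) or h(params, x1, b1) != h(params, x2, b2):
        return None                          # not a collision at all
    if b1 == b2:
        return None                          # cannot happen for distinct inputs
    if b1 == 0:
        x1, x2 = x2, x1
    return (x2 - x1) % q


if __name__ == "__main__":
    params, a = gen()
    print("inputs, outputs:", domain_and_image_size(params))
    c1, c2 = planted_collision(params, a, 17)
    print("collision:", c1, c2, "recovered a:", dlog_from_collision(params, c1, c2), "true a:", a)
```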
### Application of CRHF to Digital Signature
Digital signature scheme on $\{0,1\}^*$ for a fixed security parameter $n$. (one-time secure)
- Use Digital Signature Scheme on $\{0,1\}^{n}$: $Gen, Sign, Ver$.
- Use CRHF family $\{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}$
$Gen'(1^n):(pk,sk)\gets Gen(1^n)$, choose $i\in I$ uniformly at random.
$sk'=(sk,i)$
$Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m))$, return $(i,\sigma)$
$pk'=(pk,i)$
$Ver'_{pk'}(m,(i,\sigma)):Ver_{pk}(h_i(m),\sigma)$ and $i\in I$
One-time secure:
- Given that ($Gen,Sign,Ver$) is one-time secure
- $h$ is a CRHF
Then ($Gen',Sign',Ver'$) is one-time secure.
Ideas of Proof:
If the digital signature scheme ($Gen',Sign',Ver'$) is not one-time secure, then there exists an adversary $\mathcal{A}$ which asks the oracle for one signature on $m_1$ and receives $\sigma_1=Sign'_{sk'}(m_1)=Sign_{sk}(h_i(m_1))$.
- It then outputs $(m_2,\sigma_2)$ with $m_2\neq m_1$, where $\sigma_2$ is its forgery.
- If $Ver'_{pk'}(m_2,\sigma_2)$ accepts, then $Ver_{pk}(h_i(m_2),\sigma_2)$ accepts and $i\in I$.
There are two cases to consider:
Case 1: $h_i(m_1)=h_i(m_2)$. Then $\mathcal{A}$ has found a collision of $h$.
Case 2: $h_i(m_1)\neq h_i(m_2)$. Then $\mathcal{A}$ has produced a valid signature on the new message $h_i(m_2)$ after only seeing a signature on $h_i(m_1)$. This contradicts the one-time security of ($Gen,Sign,Ver$).
QED
### Many-time Secure Digital Signature
Using one-time secure digital signature scheme on $\{0,1\}^*$ to construct many-time secure digital signature scheme on $\{0,1\}^*$.
Let $Gen,Sign,Ver$ be defined as follows:
$Gen(1^n):(pk,sk)\gets (pk_0,sk_0)$, where $(pk_0,sk_0)\gets Gen'(1^n)$
For the first message:
$(pk_1,sk_1)\gets Gen'(1^n)$
$Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1)$, return $\sigma_1'=(1,m_1,pk_1,\sigma_1)$
We need to remember state $\sigma_1'$ and $sk_1$ for the second message.
For the second message:
$(pk_2,sk_2)\gets Gen'(1^n)$
$Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_2)$, return $\sigma_2'=(2,m_2,pk_2,\sigma_2,\sigma_1')$
We need to remember state $\sigma_2'$ and $sk_2$ for the third message.
...
For the $i$-th message:
$(pk_i,sk_i)\gets Gen'(1^n)$
$Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_i)$, return $\sigma_i'=(i,m_i,pk_i,\sigma_i,\sigma_{i-1}')$
We need to remember state $\sigma_i'$ and $sk_i$ for the $(i+1)$-th message.
$Ver_{pk}(m_i,\sigma_i')$: the signature $\sigma_i'=(i,m_i,pk_i,\sigma_i,\sigma_{i-1}')$ carries all earlier states, and every public key in the chain so far must be verified:
$$
Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{ Accept}\\
Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{ Accept}\\
\vdots\\
Ver_{pk_{i-1}}(m_i||pk_i, \sigma_i) = \text{ Accept}
$$
Proof on homework.
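The Lamport one-time scheme (Lectures 18 and 19, including why a second signature under the same key breaks it), hash-then-sign for $\{0,1\}^*$, and the chain-based many-time scheme above, as one added Python example that is not part of the original notes. It assumes SHA-256 as the one-way function $f$, SHA-256 truncated to $N=16$ bits as the CRHF $h_i$ (a toy size, chosen only to keep keys small), and follows the convention of the verification block, where $sk_{i-1}$ signs $m_i||pk_i$.

```python
import hashlib
import os

N = 16   # bits signed per Lamport key pair; toy size (assumption: real use needs n = 256)


def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256 treated as one-way)."""
    return hashlib.sha256(x).digest()


def h(m: bytes) -> list:
    """Stand-in for the CRHF h_i: {0,1}^* -> {0,1}^N (SHA-256 truncated to N bits, as a bit list)."""
    d = int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - N)
    return [(d >> (N - 1 - j)) & 1 for j in range(N)]


def lamport_gen():
    """sk = two lists of N random strings (list 0, list 1); pk = their images under f."""
    sk = [[os.urandom(32) for _ in range(N)] for _ in range(2)]
    pk = [[f(x) for x in row] for row in sk]
    return pk, sk


def lamport_sign(sk, bits):
    """Sign_sk(m_1...m_N) reveals x_j^{m_j} at every position j."""
    return [sk[b][j] for j, b in enumerate(bits)]


def lamport_verify(pk, bits, sig) -> bool:
    """Accept iff f(sigma_j) equals the published f(x_j^{m_j}) for every j."""
    return len(sig) == N and all(f(s) == pk[b][j] for j, (b, s) in enumerate(zip(bits, sig)))


def lamport_two_query_leak() -> bool:
    """Why the scheme is only one-time secure: signatures on 0^N and 1^N reveal both
    lists, after which any message can be signed without sk. Returns True if the
    forged signature verifies."""
    pk, sk = lamport_gen()
    revealed = [lamport_sign(sk, [0] * N), lamport_sign(sk, [1] * N)]
    target = [1, 0] * (N // 2)
    forged = [revealed[b][j] for j, b in enumerate(target)]
    return lamport_verify(pk, target, forged)


# Hash-then-sign: Sign'_{sk}(m) = Sign_sk(h(m)) extends the domain from {0,1}^N to {0,1}^*.
def sign_prime(sk, m: bytes):
    return lamport_sign(sk, h(m))


def verify_prime(pk, m: bytes, sig) -> bool:
    return lamport_verify(pk, h(m), sig)


def pk_bytes(pk) -> bytes:
    return b"".join(b"".join(row) for row in pk)


class ChainSigner:
    """Chain-based many-time signer: sk_{i-1} signs m_i || pk_i, then the fresh pair
    (pk_i, sk_i) takes over. pk0 is the long-term public key; every one-time key
    signs exactly once, which is what keeps the Lamport keys safe."""

    def __init__(self):
        self.pk0, self._sk = lamport_gen()
        self.chain = []            # (m_j, pk_j, sigma_j) for j = 1..i: the signer's state

    def sign(self, m: bytes):
        pk_new, sk_new = lamport_gen()
        sigma = sign_prime(self._sk, m + pk_bytes(pk_new))
        self._sk = sk_new          # the old one-time key is never used again
        self.chain.append((m, pk_new, sigma))
        return list(self.chain)    # sigma'_i = the whole chain so far


def chain_verify(pk0, m: bytes, chain) -> bool:
    """Walk the chain checking Ver_{pk_{j-1}}(m_j || pk_j, sigma_j) for every link,
    and require the last link to carry the message being verified."""
    if not chain or chain[-1][0] != m:
        return False
    pk = pk0
    for m_j, pk_j, sigma_j in chain:
        if not verify_prime(pk, m_j + pk_bytes(pk_j), sigma_j):
            return False
        pk = pk_j
    return True
```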
Drawbacks:
- Signature size and verification time grows linearly with the number of messages.
- Memory for signing grows linearly with the number of messages.
These can be fixed.
Question: Note that the signer here signs messages ($m_i||pk_i$) longer than the public key, which the plain Lamport scheme cannot do; this is why the one-time scheme on $\{0,1\}^*$ (via a CRHF) is used.


@@ -0,0 +1,147 @@
# Lecture 21
## Chapter 5: Authentication
### Digital Signature Scheme
"Chain based approach".
$pk_0\to m_1||pk_1\to m_2||pk_2\to m_3||pk_3\to m_4\dots$
The signature size grows linearly with the message size $n$.
Improvement:
Use "Tree based approach".
Instead of creating 1 public key, we create 2 public keys each time and use the shorter one to sign the next message.
For example, let $n=4$, and we want to sign $m=1100$.
Every verifier knows the public key.
Then we generate $(pk_0,sk_0),(pk_1,sk_1)$ and store $\sigma, sk_0,sk_1$
$\sigma=Sign_{sk_0}(pk_0||pk_1)$
and generate the next levels of key pairs along the bits of $m$: $(pk_{10},sk_{10}),(pk_{11},sk_{11})\to(pk_{110},sk_{110}),(pk_{111},sk_{111})\to(pk_{1100},sk_{1100}),(pk_{1101},sk_{1101})$
$\sigma_1=Sign_{sk_1}(pk_{10}||pk_{11})$
$\sigma_{11}=Sign_{sk_{11}}(pk_{110}||pk_{111})$
$\sigma_{110}=Sign_{sk_{110}}(pk_{1100}||pk_{1101})$
$\sigma_{1100}=Sign_{sk_{1100}}(m)$
So we sign $m=1100$ as $\sigma_{1100}$.
The final signature is $\sigma'=(pk,\sigma,pk_1,\sigma_1,pk_{11},\sigma_{11},pk_{110},\sigma_{110},pk_{1100},\sigma_{1100})$.
The verifier can verify the signature by checking the authenticity of each public key.
Outputs $m,\sigma'_m$
The signature size grows logarithmically with the message size $n$.
If we want to sign $m=1110$ for next message, we can just append $1110$ to the end of the previous signature since $pk_1,pk_{11},pk_{110}$ are all stored in the previous signature tree.
So the next signature is $\sigma'_{1110}=(pk,\sigma,pk_1,\sigma_1,pk_{11},\sigma_{11},pk_{111},\sigma_{111},pk_{1110},\sigma_{1110})$.
The size of the next signature is still $O(\log n)$.
Advantages:
1. The signature size is small (do not grow linearly as the number of messages grows).
2. The verification is efficient (do not need to check all the previous messages).
3. The signature is secure.
Disadvantages:
1. Have to store all the key pairs securely as you go.
Fix: Pseudo-randomness.
Use a pseudo-random generator to generate the random pk/sk pairs.
Since the PRG is deterministic, we don't need to store the key pairs anymore:
a single random seed regenerates all the pk/sk pairs.
### Trapdoor-based Signature Scheme
Idea: use RSA to create signatures.
$N=p\cdot q$, $e\in\mathbb{Z}_{\phi(N)}^*$, $d=e^{-1}\mod\phi(N)$ (secret key)
We "flip" the RSA encryption as follows:
Let $c=Enc_{pk}(m)=m^e\mod N$
Then $Dec_{sk}(c)=c^d\mod N=m'\mod N$.
$\sigma=Sign_{sk}(m)=m^d\mod N$
$Verify_{pk}(m,\sigma)=1\iff \sigma^e=(m^d)^e\mod N=m$
#### Forgery 1:
Ask oracle nothing.
Pick random $\sigma$ let $m=\sigma^e$.
Although in this case, the adversary has no control over $m$, it is still not very good.
#### Forgery 2:
They want to sign $m$.
Pick $m_1,m_2$ with $m=m_1\cdot m_2$.
Ask the oracle for $Sign_{sk}(m_1)=\sigma_1$ and $Sign_{sk}(m_2)=\sigma_2$.
Output $\sigma=\sigma_1\cdot\sigma_2$, since $\sigma_1\cdot\sigma_2=(m_1^d\mod N)\cdot(m_2^d\mod N)=(m_1\cdot m_2)^d\mod N=m^d=\sigma$.
This is a valid signature for $m$.
That's very bad.
This means that if we signed two messages $m_1,m_2$, anyone can obtain a valid signature for $m_1\cdot m_2$. If unfortunately $m_1\cdot m_2$ is a message we would want to sign, the adversary can produce a forged signature for free.
#### Fix for forgeries
Pick a "random"-looking function $h:\mathcal{M}\to\mathbb{Z}_N^*$. ($h(\cdot)$ is collision-resistant)
$pk=(h,N,e)$, $sk=(h,N,d)$
$Sign_{sk}(m)=h(m)^d\mod N$
$Verify_{pk}(m,\sigma)=1\iff \sigma^e=h(m)\mod N$
If $h$ is truly random, this would be secure.
Forgery 1 no longer works: a random $\sigma$ gives some value $\sigma^e$, but that does not yield a message $m$ with $h(m)=\sigma^e$; the relation $\sigma^e=m$ has become $\sigma^e=h(m)\cancel{\to}m$.
Forgery 2 no longer works either: $\sigma_1=h(m_1)^d$ and $\sigma_2=h(m_2)^d$, and if $m=m_1\cdot m_2$ then $\sigma_1\cdot\sigma_2=h(m_1)^d\cdot h(m_2)^d\neq h(m)^d=\sigma$. (Equality is very unlikely to happen.)
This is secure.
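Forgery 1, Forgery 2 and the hash-then-sign fix side by side, as an added Python example that is not part of the original notes. It assumes a constructed toy RSA key built from two Mersenne primes (about a 92-bit $N$, nowhere near a real key size) and SHA-256 reduced mod $N$ as the page's $h$.

```python
import hashlib
import secrets

# Constructed toy RSA key (assumption: Mersenne primes used for illustration only;
# N is about 92 bits, far below any real key size).
p_, q_ = 2**61 - 1, 2**31 - 1
N = p_ * q_
E = 65537
D = pow(E, -1, (p_ - 1) * (q_ - 1))      # d = e^{-1} mod phi(N), the secret key


# --- Textbook RSA signatures: sigma = m^d mod N ---
def sign_textbook(m: int) -> int:
    return pow(m, D, N)


def verify_textbook(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N


def forgery_1():
    """No oracle query at all: pick sigma first and let m = sigma^e mod N.
    The forger does not control m, but (m, sigma) still verifies."""
    sigma = secrets.randbelow(N - 2) + 2
    return pow(sigma, E, N), sigma


def forgery_2(m1: int, m2: int, sigma1: int, sigma2: int):
    """Multiplicativity: sigma1 * sigma2 = (m1 * m2)^d mod N is a valid
    signature on m1 * m2, obtained from two legitimately signed messages."""
    return (m1 * m2) % N, (sigma1 * sigma2) % N


# --- The fix: sign h(m) instead of m ---
def h(m: int) -> int:
    """'Random-looking' hash into Z_N (assumption: SHA-256 of the message, reduced mod N)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(32, "big")).digest(), "big") % N


def sign_hashed(m: int) -> int:
    return pow(h(m), D, N)


def verify_hashed(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == h(m)


if __name__ == "__main__":
    m1, m2 = 1234, 5678
    s1, s2 = sign_textbook(m1), sign_textbook(m2)
    m3, s3 = forgery_2(m1, m2, s1, s2)
    print("textbook: product forgery verifies?", verify_textbook(m3, s3))
    hs1, hs2 = sign_hashed(m1), sign_hashed(m2)
    print("hashed:   product forgery verifies?", verify_hashed((m1 * m2) % N, (hs1 * hs2) % N))
```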
Choices of $h$:
1. $h$ is random function. Not practical since we need the verifier to know $h$.
2. $h$ is a pseudo-random function. The verifier needs to evaluate $h$, so if we use $f_k$ for a random key $k$, the verifier needs $k$; once $k$ is known there is no pseudo-random security guarantee left.
3. $h$ is a collision-resistant hash function. We can't be sure it doesn't have any patterns like $h(m_1\cdot m_2)=h(m_1)\cdot h(m_2)$.
Here we present our silly solution:
#### Random oracle model:
Assume we have a true random function $h$, the adversary only has oracle access to $h$.
And $h$ is practical to use.
This RSA scheme under the random oracle model is secure. (LOL)
This requires a proof.
In practice, SHA-256 is used as $h$. Fun fact: no one has found a collision yet.


@@ -0,0 +1,201 @@
# Lecture 22
## Chapter 7: Composability
So far we've sought security against
$$
c\gets Enc_k(m)
$$
Adversary knows $c$, but nothing else.
### Attack models
#### Known plaintext attack (KPA)
Adversary has seen $(m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q))$.
$m_1,\cdots,m_q$ are known to the adversary.
Given new $c=Enc_k(m)$, is previous knowledge helpful?
#### Chosen plaintext attack (CPA)
Adversary can choose $m_1,\cdots,m_q$ and obtain $Enc_k(m_1),\cdots,Enc_k(m_q)$.
Then the adversary sees a new encryption $c=Enc_k(m)$ under the same key.
Example:
In WWII, Japan planned to attack "AF", and the US suspected this meant Midway.
So the US used a ruse: Midway reported that it had run out of supplies, and soon the Japanese ciphertext $Enc_k(\ldots)$ carried the same report about "AF".
Then the US knew Japan would attack Midway.
#### Chosen ciphertext attack (CCA)
Adversary can choose $c_1,\cdots,c_q$ and obtain $Dec_k(c_1),\cdots,Dec_k(c_q)$.
#### Definition 168.1 (Secure private key encryption against attacks)
Capture these ideas with the adversary having oracle access.
Let $\Pi=(Gen,Enc,Dec)$ be a private key encryption scheme. Define the random variable $IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)$, where $\mathcal{A}$ is an n.u.p.p.t. adversary, $n\in \mathbb{N}$ is the security parameter, and $b\in\{0,1\}$ selects which of the two challenge messages is encrypted.
The experiment is the following:
- Key $k\gets Gen(1^n)$
- Adversary $\mathcal{A}^{O_1(k)}(1^n)$ queries oracle $O_1$
- $m_0,m_1\gets \mathcal{A}^{O_1(k)}(1^n)$
- $c\gets Enc_k(m_b)$
- $\mathcal{A}^{O_2(c)}(1^n,c)$ queries oracle $O_2$ to distinguish $c$ is encryption of $m_0$ or $m_1$
- $\mathcal{A}$ outputs bit $b'$ which is either zero or one
$\Pi$ is CPA/CCA1/CCA2 secure if for all PPT adversaries $\mathcal{A}$,
$$
\{IND_0^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n\approx\{IND_1^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n
$$
where $\approx$ is statistical indistinguishability.
|Security|$O_1$|$O_2$|
|:---:|:---:|:---:|
|CPA|$Enc_k$|$Enc_k$|
|CCA1|$Enc_k,Dec_k$|$Enc_k$|
|CCA2 (or full CCA)|$Enc_k,Dec_k$|$Enc_k,Dec_k^*$|
Note that $Dec_k^*$ is not allowed to be queried on the challenge ciphertext $c$ itself.
You can imagine the experiment is a class as follows:
```python
import random
from functools import lru_cache

n = 1024


@lru_cache(None)
def oracle_1(m, key, **kwargs):
    """
    Query oracle 1 (O_1, e.g. Enc_k in the CPA game). Placeholder body:
    replace with the scheme's Enc_k / Dec_k.
    """
    return None


@lru_cache(None)
def oracle_2(c, key, **kwargs):
    """
    Query oracle 2 (O_2). Placeholder body.
    """
    return None


class Experiment:
    def __init__(self, key, oracle_1, oracle_2, max_queries=16):
        self.key = key
        self.oracle_1 = oracle_1
        self.oracle_2 = oracle_2
        self.max_queries = max_queries   # A is polynomially bounded: fixed query budget per round
        self.queries = 0
        self.challenge_ct = None         # c <- Enc_k(m_b), set by set_challenge

    def sufficient_trial(self):
        # a query round ends once the budget is used up
        return self.queries >= self.max_queries

    def generate_test_message(self):
        # two distinct candidate plaintexts m_0 != m_1 of the same length
        m_0 = random.getrandbits(n)
        return m_0, m_0 ^ 1

    def set_challenge(self, c):
        self.challenge_ct = c

    def query_1(self):
        # round 1: O_1 queries on messages of A's choice (here: random ones)
        self.queries = 0
        while not self.sufficient_trial():
            self.oracle_1(random.getrandbits(n), self.key)
            self.queries += 1

    def challenge(self):
        """
        Return m_0, m_1 for challenge
        """
        m_0, m_1 = self.generate_test_message()
        self.m_0 = m_0
        self.m_1 = m_1
        return m_0, m_1

    def query_2(self):
        # round 2: O_2 queries; in CCA2 the oracle refuses to decrypt challenge_ct itself
        self.queries = 0
        while not self.sufficient_trial():
            self.oracle_2(self.challenge_ct, self.key)
            self.queries += 1

    def output(self):
        # A's guess b'. With the placeholder oracles the "ciphertext" is the plaintext
        # itself, so A can tell; with a real Enc_k this is where the distinguishing happens.
        return 0 if self.challenge_ct == self.m_0 else 1


if __name__ == "__main__":
    key = random.randint(0, 2**n)
    exp = Experiment(key, oracle_1, oracle_2)
    exp.query_1()
    m_0, m_1 = exp.challenge()
    b = random.randint(0, 1)
    c = (m_0, m_1)[b]            # stands in for Enc_k(m_b); the placeholder oracles do not encrypt
    exp.set_challenge(c)
    exp.query_2()
    b_prime = exp.output()
    print(f"b'={b_prime}, b={b}")
```
#### Theorem: Our multi-message secure (mms) private key encryption scheme is CPA and CCA1 secure.
Have a PRF family $\{f_k\}:\{0,1\}^{|k|}\to\{0,1\}^{|k|}$
$Gen(1^n)$ outputs $k\in\{0,1\}^n$ and samples $f_k$ from the PRF family.
$Enc_k(m)$ samples $r\in\{0,1\}^n$ and outputs $(r,f_k(r)\oplus m)$. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
$Dec_k(r,c)$ outputs $f_k(r)\oplus c$.
Familiar Theme:
- Show the R.F. version is secure.
- $F\gets RF_n$
- If the PRF version were insecure, then the PRF can be distinguished from a random function...
$IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)$ with $F\gets RF_n$ in place of $f_k$:
- $Enc$ queries: $(m_1,(r_1,m_1\oplus F(r_1))),\cdots,(m_{q_1},(r_{q_1},m_{q_1}\oplus F(r_{q_1})))$
- $Dec$ queries: $(s_1,c_1),\cdots,(s_{q_2},c_{q_2})$, answered with $m_i=c_i\oplus F(s_i)$
- $m_0,m_1\gets \mathcal{A}^{O_1(k)}(1^n)$, challenge $Enc_F(m_b)=(R,m_b\oplus F(R))$
- Query round similar to above.
As long as $R$ was never seen in the query rounds, $F(R)$ is a fresh uniform value and $P[\mathcal{A} \text{ guesses correctly}]=1/2$.
$P[R\text{ was seen before}]\leq \frac{p(n)}{2^n}$ (where $p(n)$ bounds the total number of queries in all rounds.)
**This encryption scheme is not CCA2 secure.**
After round 1, $\mathcal{A}$ outputs the challenge messages $0^n,1^n\gets \mathcal{A}^{O_1(k)}(1^n)$
and receives $(r,m_b\oplus F(r))=(r,c)$ in round 2.
Now query $Dec_F(r,c\oplus 0\ldots 01)$: since $c\oplus 0\ldots 01\oplus F(r)=m_b\oplus 0\ldots 01$, the answer is $0\ldots 01$ if $m_b=0^n$ and $1\ldots 10$ if $m_b=1^n$, which reveals $b$. The modified ciphertext differs from the challenge, so $Dec_k^*$ must answer it.
### Encrypt then authenticate
Have a PRF family $\{f_k\}:\{0,1\}^{|k|}\to\{0,1\}^{|k|}$
$Gen(1^n)$ outputs $k_1,k_2\in\{0,1\}^n$ and samples $f_{k_1},f_{k_2}$ from the PRF family.
$Enc_{k_1,k_2}(m)$ samples $r\in\{0,1\}^n$ and lets $c_1=f_{k_1}(r)\oplus m$ and $c_2=f_{k_2}(c_1)$. Then we output $(r,c_1,c_2)$, where $c_1$ is the encryption and $c_2$ is the tag. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
$Dec_{k_1,k_2}(r,c_1,c_2)$ checks if $c_2=f_{k_2}(c_1)$. If so, output $c_1\oplus f_{k_1}(r)$. Otherwise, output $\bot$.
Show that this scheme is CPA secure.
1. Show that the modified version $\Pi'^{RF}$ where $f_{k_2}$ is replaced with a random function is CCA2 secure.
2. If ours isn't, then a PRF detector can be created.
Suppose $\Pi'^{RF}$ is not secure; then $\exists \mathcal{A}$ which can distinguish $IND_b^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$ for $b=0,1$ with non-negligible probability. We will use this to construct $B$ which breaks the CPA security of $\Pi$.
Let $B$ be the PPT algorithm that on input $1^n$, does the following:
- Run $\mathcal{A}^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$
- Let $m_0,m_1$ be the messages that $\mathcal{A}$ asked for in the second round.
- Choose $b\in\{0,1\}$ uniformly at random.
- Query $Enc_{k_1,k_2}(m_b)$ to the oracle.
- Let $c$ be the challenge ciphertext.
- Return whatever $\mathcal{A}$ outputs.
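As an added worked example (not code from the lecture notes), the following Python instantiates $F_k$ with HMAC-SHA256 (an assumption: any PRF would do, and $n$ is 256 bits here), runs the bit-flipping attack from the CCA2 discussion against the unauthenticated scheme $(r,m\oplus F_k(r))$, and then runs the same attack against encrypt-then-authenticate. One deliberate deviation from the notes is flagged in the code: the tag covers $r$ as well as $c_1$, so that every ciphertext the attacker did not receive from the encryption oracle is rejected.

```python
import hashlib
import hmac
import secrets

N_BYTES = 32  # n = 256 bits: length of the PRF output, of r, and of messages

def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x). HMAC-SHA256 stands in for the PRF family {f_k} (an instantiation choice)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

# --- Scheme 1: Enc_k(m) = (r, m xor F_k(r)); CPA secure, not CCA2 secure ---
def enc_prf(k: bytes, m: bytes) -> tuple:
    r = secrets.token_bytes(N_BYTES)
    return r, xor(prf(k, r), m)

def dec_prf(k: bytes, ct: tuple) -> bytes:
    r, c = ct
    return xor(prf(k, r), c)

def cca2_attack_unauthenticated(k: bytes, b: int) -> int:
    """The adversary from the notes. Challenge messages m0 = 0^n, m1 = 1^n;
    after receiving (r, c) it asks the decryption oracle about (r, c xor 0...01),
    which is a different ciphertext and therefore a permitted query."""
    m = [bytes(N_BYTES), bytes([0xFF]) * N_BYTES]
    r, c = enc_prf(k, m[b])                       # challenge ciphertext for m_b
    delta = bytes(N_BYTES - 1) + b"\x01"
    m_prime = dec_prf(k, (r, xor(c, delta)))      # = m_b xor delta
    return 0 if xor(m_prime, delta) == m[0] else 1

# --- Scheme 2: encrypt then authenticate, ciphertext (r, c1, c2) ---
def enc_eta(k1: bytes, k2: bytes, m: bytes) -> tuple:
    r, c1 = enc_prf(k1, m)
    c2 = prf(k2, r + c1)   # deviation from the notes: the tag covers r as well as c1
    return r, c1, c2

def dec_eta(k1: bytes, k2: bytes, ct: tuple):
    r, c1, c2 = ct
    if not hmac.compare_digest(c2, prf(k2, r + c1)):   # constant-time tag check
        return None                                     # bottom
    return xor(prf(k1, r), c1)

def cca2_attack_eta(k1: bytes, k2: bytes, b: int):
    """Same attack against the authenticated scheme: the tampered ciphertext fails
    the tag check, the oracle returns bottom, and the adversary learns nothing."""
    m = [bytes(N_BYTES), bytes([0xFF]) * N_BYTES]
    r, c1, c2 = enc_eta(k1, k2, m[b])
    delta = bytes(N_BYTES - 1) + b"\x01"
    m_prime = dec_eta(k1, k2, (r, xor(c1, delta), c2))
    if m_prime is None:
        return None
    return 0 if xor(m_prime, delta) == m[0] else 1
```

`cca2_attack_unauthenticated` returns the correct $b$ every time, while `cca2_attack_eta` returns `None` because the only ciphertexts the decryption oracle will open are ones the encryption oracle produced.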

# Lecture 23
## Chapter 7: Composability
### Zero-knowledge proofs
Let the Prover Peggy and the Verifier Victor.
Peggy wants to prove to Victor that she knows a secret $x$ without revealing anything about $x$. (e.g. $x$ such that $g^x=y\mod p$)
#### Zero-knowledge proofs protocol
The protocol should satisfy the following properties:
- **Completeness**: If Peggy knows $x$, she can always make Victor accept.
- **Soundness**: If a malicious Prover $P^*$ does not know $x$, then $V$ accepts with probability at most $\epsilon(n)$.
- **Zero-knowledge**: After the process, $V^*$ (possibly dishonest Verifier) knows no more about $x$ than he did before.
[The interaction could have been faked without $P$]
#### Example: Hair counting magician
"Magician" who claims they can count the number of hairs on your head.
secret info: the method of counting.
Repeat the following process for $k$ times:
1. "Magician" tells the number of hairs
2. You remove some hair $b\in \{0,1\}$ from your head.
3. "Magician" tells the number of hairs left.
4. Reject if the number of hairs is incorrect. Accept after $k$ times. (to our desired certainty)
#### Definition
Let $P$ and $V$ be two interactive Turing machines.
Let $x$ be the shared input, $y$ be the secret knowledge, $z$ be the existing knowledge about $y$, with $r_1,r_2,\cdots,r_k$ being the random tapes.
$V$ should output accept or reject after the interaction for $q$ times.
```python
from abc import ABC, abstractmethod

class TuringMachine(ABC):
    """
    Interactive Turing machine.
    :param x: the shared input
    :param aux: auxiliary input (the secret knowledge y for P, the existing knowledge z for V)
    :param r: the machine's random tape
    """
    def __init__(self, x, aux=None, r=None):
        self.x, self.aux, self.r = x, aux, r

class P(TuringMachine):
    @abstractmethod
    def run(self, m_v) -> str:
        """
        :param m_v: the last message received from V (None in the first round)
        :return: the message $m_p$ to be sent to V
        """

class V(TuringMachine):
    """
    The verifier outputs accept or reject after the interaction of $q$ rounds.
    """
    @abstractmethod
    def next_message(self, m_p) -> str:
        """:return: the message $m_v$ to be sent to P in reply to $m_p$"""

    @abstractmethod
    def decide(self) -> bool:
        """:return: accept (True) or reject (False), based on the transcript"""

    def run(self, prover: P, q: int) -> bool:
        """
        :param prover: the prover to interact with
        :param q: the number of rounds
        :return: accept or reject
        """
        self.transcript, m_v = [], None
        for _ in range(q):
            m_p = prover.run(m_v)          # P speaks first in every round
            m_v = self.next_message(m_p)
            self.transcript += [m_p, m_v]
        return self.decide()
```
Let the transcript be the sequence of messages exchanged between $P$ and $V$: $\text{Transcript} = (m_1^p,m_1^v,m_2^p,m_2^v,\cdots,m_q^p,m_q^v)$.
For a **language** $L$, the pair $(P,V)$ is a zero-knowledge proof for $L$ if:
> Example of a language: the set of pairs of isomorphic graphs (two graphs are isomorphic if there exists a bijection between their vertex sets that maps edges to edges).
- $(P,V)$ is complete for $L$: $\forall x\in L$, $\exists$ "witness" $y$ such that $\forall z\in \{0,1\}^*$, $Pr[out_V[P(x,y)\longleftrightarrow V(x,z)]=\text{accept}]=1$.
- $(P,V)$ is sound for $L$: $\forall x\notin L$, $\forall P^*$, $\forall z$, $Pr[out_V[P^*(x)\longleftrightarrow V(x,z)]=\text{accept}]< \epsilon(n)$ for a negligible $\epsilon$.
- $(P,V)$ is zero-knowledge for $L$: $\forall$ p.p.t. $V^*$, $\exists$ p.p.t. simulator $S$ such that for every $x\in L$ with witness $y$ and every $z$ the following distributions are indistinguishable:
$$
\{Out_{V^*}[P(x,y)\leftrightarrow V^*(x,z)]\}\quad\text{and}\quad\{S(x,z)\}.
$$
*The simulator never sees $y$. If the two distributions are indistinguishable, whatever $V^*$ can compute after the interaction it could have computed from $x$ and $z$ alone, so $V^*$ learns nothing about $y$.*
#### Example: Graph isomorphism
Let $G_0$ and $G_1$ be two graphs on the vertex set $\{1,\cdots,n\}$.
They are isomorphic if $\exists$ a permutation $\sigma:\{1,\cdots,n\}\rightarrow \{1,\cdots,n\}$ such that $G_1=\sigma(G_0)=\{(\sigma(i),\sigma(j))\mid (i,j)\in G_0\}$. No efficient algorithm is known for finding such a $\sigma$ in general, but given $\sigma$ the check is easy, so $\sigma$ serves as the witness.
Protocol:
Shared input $\overline{x}=(G_0,G_1)$, witness $\overline{y}=\sigma$. Repeat the following process $n$ times, where $n$ is the number of vertices.
1. $P$ picks a random permutation $\pi\in \mathbb{P}_n$ and sends $H=\pi(G_0)$ to $V$.
2. $V$ picks a random $b\in \{0,1\}$ and sends $b$ to $P$.
3. If $b=0$, $P$ sends $\phi=\pi$ to $V$.
4. If $b=1$, $P$ sends $\phi=\pi\circ\sigma^{-1}$ to $V$ (so that $\phi(G_1)=\pi(\sigma^{-1}(G_1))=\pi(G_0)=H$).
5. $V$ receives $\phi$ and checks that $\phi(G_b)=H$. Accept if every round passes.
If $G_0$ and $G_1$ are isomorphic, $V$ accepts with probability $1$.
If they are not isomorphic, $V$ accepts with probability at most $\frac{1}{2^n}$, whatever $P^*$ does.
Proof:
- Completeness: If $G_0$ and $G_1$ are isomorphic, then $P$ (knowing $\sigma$) can always answer with a $\phi$ such that $\phi(G_b)=H$, for either value of $b$.
- Soundness:
  - If $P^*$ knew that $V$ was going to send $b=0$, it would pick $\pi$ and send $H=\pi(G_0)$. But if $V$ sends $b=1$ instead, $P^*$ must exhibit $\phi$ with $\phi(G_1)=H=\pi(G_0)$, i.e. an isomorphism between $G_1$ and $G_0$, which does not exist.
  - Symmetrically, if $P^*$ prepared $H=\pi(G_1)$ for $b=1$ and $V$ sends $b=0$, it cannot answer.
  - When $G_0\not\cong G_1$, $H$ is isomorphic to at most one of them, so $P^*$ answers correctly with probability at most $\frac{1}{2}$ per round, and at most $2^{-n}$ over $n$ independent rounds.
Continue in the next lecture. (The key is that $V$'s random $b$ is not known when $P^*$ commits to $H$.)

# Lecture 24
## Chapter 7: Composability
### Continue on zero-knowledge proof
Let $x=(G_0,G_1)$ and $y=\sigma$, a permutation with $\sigma(G_0)=G_1$.
$P$ picks a random permutation $\Pi$ and lets $H=\Pi(G_0)$.
$P$ sends $H$ to $V$.
$V$ sends a random $b\in\{0,1\}$ to $P$.
$P$ sends $\phi=\Pi$ if $b=0$ and $\phi=\Pi\circ\sigma^{-1}$ if $b=1$.
$V$ outputs accept if $\phi(G_b)=H$ and reject otherwise.
### Simulator for the graph isomorphism protocol
Construct a simulator $S(x,z)$ from $V^*(x,z)$, without the witness $\sigma$, one round at a time:
Pick $b'\gets\{0,1\}$.
$\Pi\gets \mathbb{P}_n$ and $H\gets \Pi(G_{b'})$; send $H$ to $V^*$.
If $V^*$ replies with $b=b'$, send $\Pi$ and record $V^*$'s view of the round (the round verifies, since $\Pi(G_b)=H$).
Otherwise start over: rewind $V^*$ to the state before $H$ was sent and try again. Do this until $n$ successive rounds have been produced.
### Zero-knowledge definition (Cont.)
In the zero-knowledge definition we need the simulator $S$ to have expected running time polynomial in $n$.
Each attempt succeeds with probability $\frac{1}{2}$ ($V^*$'s reply is independent of $b'$, see below), so two trials are expected for each successful round, and $2n$ rounds of interaction are expected in total.
$$
\{Out_{V^*}[S(x,z)\leftrightarrow V^*(x,z)]\}\equiv\{Out_{V^*}[P(x,y)\leftrightarrow V^*(x,z)]\}
$$
If $G_0$ and $G_1$ are isomorphic, then $H_S=\Pi(G_{b'})$ has the same distribution as $H_P=\Pi(G_0)$: a uniformly random permutation of $G_1=\sigma(G_0)$ is a uniformly random permutation of $G_0$. Hence $V^*$'s reply $b$ is independent of $b'$, and the rounds the simulator keeps are distributed exactly as in the real interaction.
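The protocol of this and the previous lecture, the cheating prover from the soundness argument, and the rewinding simulator, as an added Python example (this is not code from the notes; the 5-vertex graphs, the permutation `SIGMA`, and the $V^*$ that derives its bit from $H$ are constructed for the demonstration):

```python
import random

# Added example (not from the lecture notes): the graph-isomorphism protocol of
# Lectures 23/24, the cheating prover from the soundness argument, and the
# rewinding simulator. Graphs on vertices 0..n-1 are frozensets of edges (i, j), i < j.

def make_rng(seed):
    return random.Random(seed)

def apply_perm(perm, graph):
    """pi(G): relabel every edge (i, j) to (pi[i], pi[j])."""
    return frozenset(tuple(sorted((perm[i], perm[j]))) for i, j in graph)

def compose(p, q):
    """(p o q)[i] = p[q[i]], so apply_perm(compose(p, q), G) == apply_perm(p, apply_perm(q, G))."""
    return [p[q[i]] for i in range(len(q))]

def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return inv

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def honest_prover_round(G0, sigma, rng):
    """P knows sigma with sigma(G0) == G1. It commits to H = pi(G0) and returns a
    responder for V's bit: pi for b = 0, pi o sigma^-1 for b = 1 (which maps G1 to H)."""
    pi = random_perm(len(sigma), rng)
    H = apply_perm(pi, G0)
    return H, (lambda b: pi if b == 0 else compose(pi, inverse(sigma)))

def cheating_prover_round(n, G0, G1, rng):
    """P* has no witness: it guesses b' in advance, sends pi(G_{b'}) and answers pi
    regardless of b. It passes the round iff V happens to pick b == b'."""
    b_guess = rng.randrange(2)
    pi = random_perm(n, rng)
    return apply_perm(pi, (G0, G1)[b_guess]), (lambda b: pi)

def verifier_check(G0, G1, H, b, phi):
    """V accepts the round iff phi(G_b) == H."""
    return apply_perm(phi, (G0, G1)[b]) == H

def run_protocol(G0, G1, prover_round, rounds, rng):
    """Run `rounds` rounds of (H, b, phi); V rejects at the first failed check."""
    for _ in range(rounds):
        H, respond = prover_round()
        b = rng.randrange(2)
        if not verifier_check(G0, G1, H, b, respond(b)):
            return False
    return True

def simulate(G0, G1, n, v_star, rounds, rng):
    """S(x, z): an accepting transcript for V* produced without sigma, by rewinding.
    v_star(H) is V*'s choice of b given the commitment H (it may depend on H).
    Returns (transcript, number of attempts); about 2 attempts per round are expected."""
    transcript, attempts = [], 0
    while len(transcript) < rounds:
        attempts += 1
        b_prime = rng.randrange(2)
        pi = random_perm(n, rng)
        H = apply_perm(pi, (G0, G1)[b_prime])   # same distribution for b' = 0 and 1 when G0 ~ G1
        b = v_star(H)
        if b == b_prime:                          # pi(G_b) == H, so pi is a valid answer
            transcript.append((H, b, pi))
        # otherwise rewind V* to before H was sent and try again
    return transcript, attempts

# Constructed sample instance: a 5-cycle, its relabelling under SIGMA, and a non-isomorphic path.
N_VERTICES = 5
SIGMA = [2, 4, 1, 3, 0]
G0 = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (0, 4)})
G1 = apply_perm(SIGMA, G0)
G_PATH = frozenset({(0, 1), (1, 2), (2, 3), (3, 4)})

def demo(seed=7):
    rng = make_rng(seed)
    honest = run_protocol(G0, G1, lambda: honest_prover_round(G0, SIGMA, rng), 20, rng)
    cheat = run_protocol(G0, G_PATH, lambda: cheating_prover_round(N_VERTICES, G0, G_PATH, rng), 20, rng)
    adversarial_v = lambda H: int((0, 1) in H)   # V* that derives b from the commitment
    transcript, attempts = simulate(G0, G1, N_VERTICES, adversarial_v, 20, rng)
    valid = all(verifier_check(G0, G1, H, b, phi) for H, b, phi in transcript)
    return honest, cheat, valid, attempts
```

`demo()` returns `(True, False, True, attempts)`: the honest prover passes 20 rounds, the cheating prover on a non-isomorphic pair is caught, and the simulator's transcript verifies round by round with roughly 40 attempts, even against a $V^*$ whose bit depends on $H$.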

# Lecture 3
All algorithms $C(x)\to y$, $x,y\in \{0,1\}^*$
P.P.T= Probabilistic Polynomial-time Turing Machine.
## Chapter 2: Computational Hardness
### Turing Machine: Mathematical model for a computer program
A machine that can:
1. Read input
2. Read/Write working tape move left/right
3. Can change state
### Assumptions
Anything that can be accomplished by a real computer program can be accomplished by a "sufficiently complicated" Turing Machine (TM).
### Polynomial time
We say $C(x)$, $|x|=n$, $n\to \infty$, runs in polynomial time if it uses at most $T(n)$ operations where $T$ is bounded by a polynomial: $\exists c>0$ such that $T(n)=O(n^c)$
If we can argue that algorithm runs in polynomially-many constant-time operations, then this is true for the T.M.
$p,q$ are polynomials in $n$,
$p(n)+q(n),p(n)q(n),p(q(n))$ are polynomial of $n$.
Polynomial-time $\approx$ "efficient" for this course.
### Probabilistic
Our algorithms have access to random "coin-flips": they can produce $poly(n)$ random bits.
$P[C(x)\text{ takes at most }T(n)\text{ steps }]=1$ (the running-time bound holds for every choice of coins)
Our adversary $\mathcal{A}(x)$ will be a P.P.T. which is non-uniform (n.u.): its program description may grow polynomially in $n$.
### Efficient private key encryption scheme
#### Definition 3.2 (Efficient private key encryption scheme)
The triple $(Gen,Enc,Dec)$ is an efficient private key encryption scheme over the message space $M$ and key space $K$ if:
1. $Gen(1^n)$ is a randomized p.p.t that outputs $k\in K$
2. $Enc_k(m)$ is a potentially randomized p.p.t that outputs $c$ given $m\in M$
3. $Dec_k(c')$ is a deterministic p.p.t that outputs $m$ or "null"
4. $P[k\gets Gen(1^n):Dec_k(Enc_k(m))=m]=1,\forall m\in M$
### Negligible function
$\epsilon:\mathbb{N}\to \mathbb{R}$ is a negligible function if $\forall c>0$, $\exists N\in\mathbb{N}$ such that $\forall n\geq N, \epsilon(n)<\frac{1}{n^c}$ (looks like the definition of a limit, huh) (Definition 27.2)
Idea: for any polynomial, even $n^{100}$, in the long run $\epsilon(n)\leq \frac{1}{n^{100}}$
Examples: $\epsilon (n)=\frac{1}{2^n}$, $\epsilon (n)=\frac{1}{n^{\log (n)}}$
Non-example: $\epsilon (n)=\frac{1}{n^c}$ for any fixed $c$ (it fails against $n^{c+1}$)
### One-way function
Idea: We are always okay with our chance of failure being negligible.
Foundational concept of cryptography
Goal: make $Enc_k(m)$ and $Dec_k(c')$ easy, and recovering $m$ from $c'$ without $k$ hard.
#### Definition 27.3 (Strong one-way function)
$$
f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)
$$
There is a negligible function $\epsilon (n)$ such that for any adversary $\mathcal{A}$ (n.u.p.p.t)
$$
P[x\gets\{0,1\}^n;y=f(x):f(\mathcal{A}(y))=y]\leq\epsilon(n)
$$
_Probability of guessing a message $x'$ with the same output as the correct message $x$ is negligible_
and
there is a p.p.t which computes $f(x)$ for any $x$.
- Hard to go back from output
- Easy to find output
$\mathcal{A}$ sees the output $y$ and wants to find some $x'$ such that $f(x')=y$.
Example: Suppose $f$ is one-to-one. Then $\mathcal{A}$ must find our $x$ itself; a blind guess succeeds with $P[x'=x]=\frac{1}{2^n}$, which is negligible.
Why do we allow $\mathcal{A}$ to output a different $x'$?
> Suppose the definition instead required $P[x\gets\{0,1\}^n;y=f(x):\mathcal{A}(y)=x]$ to be negligible. Then a function that discards its input, such as the constant function $f(x)=0^n$, would satisfy it (no adversary can recover the specific $x$), even though finding *some* preimage is trivial. Requiring $f(x')=y$ rules this out.
To be technically fair, $\mathcal{A}(y)=\mathcal{A}(y,1^n)$, size of input $\approx n$, let them use $poly(n)$ operations. (we also tells the input size is $n$ to $\mathcal{A}$)
#### Do one-way function exists?
Unknown, actually...
But we think so!
We will need to use various assumptions. one that we believe very strongly based on evidence/experience
Example:
$p,q$ are large random primes
$N=p\cdot q$
Factoring $N$ is hard. (without knowing $p,q$)

# Lecture 4
## Recap
Negligible function $\epsilon(n)$: $\forall c>0,\exists N$ such that $\forall n>N$, $\epsilon (n)<\frac{1}{n^c}$
Example:
$\epsilon(n)=2^{-n},\epsilon(n)=\frac{1}{n^{\log (\log n)}}$
## Chapter 2: Computational Hardness
### One-way function
#### Strong One-Way Function
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
2. $\forall$ adversaries $\mathcal{A}$, $\exists$ negligible $\epsilon(n)$ such that $\forall n$,
$$
P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<\epsilon(n)
$$
_That is, the adversary's success probability must shrink faster than any inverse polynomial as the input length $n$ grows._
To negate statement 2, write
$$
\mu(n)=P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]
$$
Statement 2 says that $\mu(n)$ is a negligible function.
Negation:
$\exists \mathcal{A}$ such that $\mu(n)$ is not a negligible function.
That is, $\exists c>0$ such that $\forall N\ \exists n>N$ with $\mu(n)>\frac{1}{n^c}$:
$\mu(n)>\frac{1}{n^c}$ for infinitely many $n$, or "infinitely often".
> Keep in mind: $P[success]=\frac{1}{n^c}$, it can try $O(n^c)$ times and have a good chance of succeeding at least once.
#### Definition 28.4 (Weak one-way function)
$f:\{0,1\}^n\to \{0,1\}^*$
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
2. $\exists$ a polynomial $p(n)$ such that $\forall$ adversaries $\mathcal{A}$ and all sufficiently large $n$,
$$
P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<1-\frac{1}{p(n)}
$$
_The probability of success must stay bounded away from $1$ by a fixed inverse polynomial_
### Probability
#### Useful bound $0<p<1$
$1-p<e^{-p}$
(most useful when $p$ is small)
For an experiment has probability $p$ of failure and $1-p$ of success.
We run experiment $n$ times independently.
$P[\text{success all n times}]=(1-p)^n<(e^{-p})^n=e^{-np}$
#### Theorem 35.1 (Strong one-way function from weak one-way function)
If there exists a weak one-way function, there there exists a strong one-way function
In particular, if $f:\{0,1\}^n\to \{0,1\}^*$ is weak one-way function.
$\exists$ polynomial $q(n)$ such that
$$
g(x):\{0,1\}^{nq(n)}\to \{0,1\}^*
$$
and for every $n$ bits $x_i$
$$
g(x_1,x_2,..,x_{q(n)})=(f(x_1),f(x_2),...,f(x_{q(n)}))
$$
is a strong one-way function.
Proof:
1. Since $\exists$ a P.P.T. that computes $f(x)$ for all $x$, we run it $q(n)$ (polynomially many) times to compute $g$.
2. (Idea) $\mathcal{A}$ has to succeed in inverting $f$ on all $q(n)$ coordinates.
Since $f$ is weak one-way, $\exists$ polynomial $p(n)$ such that $\forall \mathcal{A}$, $P[\mathcal{A}$ inverts $f]<1-\frac{1}{p(n)}$ (we use $<$ since we can always choose a polynomial that works).
Let $q(n)=np(n)$.
If $\mathcal{A}$ attacked each coordinate independently, $P[\mathcal{A}$ inverts $g]\approx P[\mathcal{A}$ inverts $f$ all $q(n)$ times$]<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}=e^{-n}$, which is a negligible function.
QED (for the idea; the full proof of Theorem 35.1 must also handle an $\mathcal{A}$ that looks at all coordinates at once, which is the harder part)
_We force the adversary to invert the weak one-way function polynomially many times to reach the property of a strong one-way function._
Example: $(1-\frac{1}{n^2})^{n^3}<e^{-n}$
### Some candidates of one-way function
#### Multiplication
$$
Mult(m_1,m_2)=\begin{cases}
1 & \text{if } m_1=1 \text{ or } m_2=1\\
m_1\cdot m_2 & \text{otherwise}
\end{cases}
$$
The special case rules out trivial answers like $(1,1000000007)$.
Idea: Our "secret" is $373$ and $481$; Eve can see the product $179413$.
Not strong one-way over all integer inputs, because at least one factor is even for $\frac{3}{4}$ of the inputs, and then $(2,y/2)$ is a valid preimage: `Mult(2,y/2)`.
Factoring Assumption:
No efficient algorithm factors the product of two random $n$-bit primes with non-negligible probability.
We'll show that $Mult$ is a weak one-way function under the Factoring Assumption, stated formally as:
$\forall \mathcal{A},\exists$ negligible $\epsilon(n)$ such that $\forall n$,
$$
P[p_1\gets \Pi_n;p_2\gets \Pi_n;N=p_1\cdot p_2:\mathcal{A}(N)\in\{p_1,p_2\}]<\epsilon(n)
$$
where $\Pi_n=\{p: p\text{ prime},p<2^n\}$

# Lecture 5
## Chapter 2: Computational Hardness
Proving that there are one-way functions relies on assumptions.
Factoring Assumption: $\forall \mathcal{A}$, $\exists$ negligible $\epsilon (n)$ such that, for $p,q\in \Pi_n$ (primes $<2^n$),
$$
P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)
$$
Evidence: to this point, the best known procedures that always factor an $n$-bit $N$ run in time $2^{O(\sqrt{n\log n})}$ (quadratic sieve) or $2^{O(n^{1/3}\log^{2/3}n)}$ (number field sieve): sub-exponential, but still super-polynomial in $n$.
Distribution of prime numbers:
- We have infinitely many prime
- Prime Number Theorem: $\pi(n)\approx\frac{n}{\ln(n)}$, i.e. roughly a $\frac{1}{\ln n}$ fraction of the integers up to $n$ are prime.
We want to be guaranteed to find primes; for $n\geq 2$:
$\pi(2^n)>\frac{2^n}{2n}$
e.g.
$$
P[x\gets \{0,1\}^n:x\in prime]\geq {\frac{2^n}{2n}\over 2^n}=\frac{1}{2n}
$$
Theorem:
$$
f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n},f_{mult}(x_1,x_2)=x_1\cdot x_2
$$
Idea: There are enough pairs of primes to make this difficult.
> Reminder: Weak one-way if easy to compute and $\exists p(n)$,
> $P[\mathcal{A}\ \text{inverts=success}]<1-\frac{1}{p(n)}$
> $P[\mathcal{A}\ \text{inverts=failure}]>\frac{1}{p(n)}$ high enough
### Prove one-way function (under assumptions)
To prove $f$ is one-way (under an assumption):
1. Show $\exists p.p.t$ solves $f(x),\forall x$.
2. Proof by contradiction.
- For weak: Provide $p(n)$ that we know works.
- Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{p(n)}$
- For strong: Provide $p(n)$ that we know works.
- Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>\frac{1}{p(n)}$
Construct p.p.t $\mathcal{B}$
which uses $\mathcal{A}$ to solve a problem, which contradicts assumption or known fact.
Back to Theorem:
We will show that $p(n)=8n^2$ works.
We claim $\forall \mathcal{A}$,
$$
P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}
$$
For the sake of contradiction, suppose
$$
\exists \mathcal{A} \textup{ such that} P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{8n^2}
$$
We will use this $\mathcal{A}$ to design a p.p.t. $\mathcal{B}$ which factors the product of two random $n$-bit primes with non-negligible probability.
```python
import random

def A(y):
    # the hypothetical inverter from the assumption: given y = x1*x2 for random
    # n-bit x1, x2 (not necessarily prime), it returns (x1', x2') with x1'*x2' == y
    # with probability > 1 - 1/(8n^2). We only get to call it, not implement it.
    raise NotImplementedError("A is the assumed adversary")

def is_prime(x):
    # test if x is prime (trial division is enough to state the reduction)
    return x >= 2 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def gen(n):
    # a uniformly random n-bit integer, i.e. x <- {0,1}^n
    return random.getrandbits(n)

def B(N, n, A=A):
    # N = p*q is the factoring challenge; n is the bit length of p and q
    x1, x2 = gen(n), gen(n)
    if is_prime(x1) and is_prime(x2):
        # both prime: N has exactly the distribution of x1*x2 in this case,
        # so hand A the challenge instead of the product we sampled
        return A(N)
    # otherwise A sees an ordinary product; its answer is useless for N
    A(x1 * x2)
    return None
```
How often does $\mathcal{B}$ succeed/fail?
$\mathcal{B}$ fails to factor $N=p\cdot q$ if:
- $x_1$ and $x_2$ are not both prime (event $E$)
  - $P[E]=1-P(x_1\in \Pi_n)P(x_2\in \Pi_n)\leq 1-(\frac{1}{2n})^2=1-\frac{1}{4n^2}$
- or $\mathcal{A}$ fails to invert (event $F$)
  - $P[F]<\frac{1}{8n^2}$
So
$$
P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq (1-\frac{1}{4n^2}+\frac{1}{8n^2})=1-\frac{1}{8n^2}
$$
So
$$
P[\mathcal{B} \text{ succeed}]\geq \frac{1}{8n^2} (\text{non-negligible})
$$
This contradicts the factoring assumption. Therefore our assumption that such an $\mathcal{A}$ exists was wrong.
Therefore $\forall \mathcal{A}$, $P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}$, so $f_{mult}$ is weak one-way.

# Lecture 6
## Review
$$
f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n}
$$
is a weak one-way.
$P[\mathcal{A}\ \text{inverts}]\leq 1-\frac{1}{8n^2}$ over random $x_1,x_2\gets\{0,1\}^n$
## Chapter 2: Computational Hardness
### Converting weak one-way function to strong one-way function
By factoring assumptions, $\exists$ strong one-way function
$f:\{0,1\}^N\to \{0,1\}^N$ for infinitely many $N$.
$f=\left(f_{mult}(x_1,y_1),f_{mult}(x_2,y_2),\dots,f_{mult}(x_q,y_q)\right)$, $x_i,y_i\in \{0,1\}^n$, with $q=4n^3$ pairs.
$f:\{0,1\}^{8n^4}\to \{0,1\}^{8n^4}$
Idea: With high probability, at least one pair $(x_i,y_i)$ has both entries prime.
Factoring assumption: $\mathcal{A}$ has a low chance of factoring that $f_{mult}(x_i,y_i)$.
Use $P[x \textup{ is prime}]\geq\frac{1}{2n}$, so $P[x_i \textup{ and } y_i \textup{ both prime}]\geq\frac{1}{4n^2}$. The pairs are independent, so
$$
P[\textup{no pair } (x_i,y_i) \textup{ is both prime}]=P[(x_1,y_1) \textup{ not both prime}]^q
$$
$$
\leq(1-\frac{1}{4n^2})^{4n^3}\leq (e^{-\frac{1}{4n^2}})^{4n^3}=e^{-n}
$$
### Proof of strong one-way function
1. $f_{mult}$ is efficiently computable, and we compute it poly-many times.
2. Suppose it's not hard to invert. Then
$\exists$ n.u.p.p.t. $\mathcal{A}$ such that $P[w\gets \{0,1\}^{8n^4};z=f(w):f(\mathcal{A}(z))=z]=\mu (n)>\frac{1}{p(n)}$ for infinitely many $n$
We will use this to construct $\mathcal{B}$ that breaks factoring assumption.
$p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q$
```python
import random

def B(N, n, A, f_mult, is_prime):
    """Reduction: N = p*q is the factoring challenge; A is the assumed inverter of
    f = (f_mult, ..., f_mult) on q = 4n^3 pairs of n-bit integers."""
    q = 4 * n**3
    pairs = [(random.getrandbits(n), random.getrandbits(n)) for _ in range(q)]
    z = [f_mult(x, y) for x, y in pairs]
    k = None
    for i, (x, y) in enumerate(pairs):
        if is_prime(x) and is_prime(y):
            z[i] = N          # replace the first all-prime instance by the challenge
            k = i
            break
    if k is None:
        return None           # event E: no pair was both prime
    inverted = A(z)           # ((x_1,y_1), ..., (x_q,y_q)) with f(inverted) == z, or None
    if inverted is None:
        return None           # event F: A failed to invert
    return inverted[k]        # x_k * y_k == N, so this is {p, q}
```
Let $E$ be the event that all pairs of sampled integers were not both prime.
Let $F$ be the event that $\mathcal{A}$ failed to invert
$P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq e^{-n}+(1-\frac{1}{p(n)})=1-(\frac{1}{p(n)}-e^{-n})\leq 1-\frac{1}{2p(n)}$ for all large $n$
$P[\mathcal{B} \text{ succeeds}]=P[p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q:\mathcal{B}(N)\in \{p,q\}]\geq \frac{1}{2p(n)}$
Contradicting factoring assumption
We've defined one-way functions to have domain $\{0,1\}^n$ for some $n$.
Our strong one-way function $f(n)$
- Takes $4n^3$ pairs of random integers
- Multiplies all pairs
- Hope at least pair are both prime $p,q$ b/c we know $N=p\cdot q$ is hard to factor
### General collection of strong one-way functions
$F=\{f_i:D_i\to R_i\},i\in I$, $I$ is the index set.
1. We can effectively choose $i\gets I$ using $Gen$.
2. $\forall i$ we can efficiently sample $x\gets D_i$.
3. $\forall i\forall x\in D_i,f_i(x)$ is efficiently computable
4. For any n.u.p.p.t $\mathcal{A}$, $\exists$ negligible function $\epsilon (n)$.
$P[i\gets Gen(1^n);x\gets D_i;y=f_i(x):f_i(\mathcal{A}(y,i,1^n))=y]\leq \epsilon(n)$
#### An instance of strong one-way function under factoring assumption
$f_{mult,n}:(\Pi_n\times \Pi_n)\to \{0,1\}^{2n}$ is a collection of strong one way function.
Ideas of proof:
1. $i\gets Gen(1^n)$ simply outputs $n$ (the index is the bit length)
2. We can efficiently sample $p,q$ (with justifications)
3. Factoring assumption
Algorithm for sampling a random prime $p\gets \Pi_n$
1. $x\gets \{0,1\}^n$ (n bit integer)
2. Check if $x$ is prime.
- Deterministic poly-time procedure
- In practice, a much faster randomized procedure (Miller-Rabin) used
$P[x\notin \Pi_n \mid \text{test says } x \text{ is prime}]<\epsilon(n)$
3. If not, repeat. Do this for polynomial number of times
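An added example, not from the notes, of the prime-sampling procedure above and of the factoring instance $N=p\cdot q$ it feeds: Miller-Rabin stands in for the primality test (the error bound $4^{-\text{rounds}}$ for a composite plays the role of $\epsilon(n)$; the deterministic test is slower and not shown), and the rejection-sampling loop is the "repeat polynomially many times" step, capped at $64n$ draws. The bit lengths are kept small so that it runs instantly; nothing else is specific to the demonstration.

```python
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def make_rng(seed):
    return random.Random(seed)

def is_probable_prime(x, rounds=32, rng=random):
    """Miller-Rabin. A prime always passes; a composite passes all rounds with
    probability at most 4^-rounds, which is the epsilon(n) of the notes."""
    if x < 2:
        return False
    for p in SMALL_PRIMES:
        if x % p == 0:
            return x == p
    d, s = x - 1, 0
    while d % 2 == 0:            # x - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, x - 1)
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False         # a is a witness that x is composite
    return True

def sample_prime(n, rng=random, max_tries=None):
    """p <- Pi_n by rejection sampling: draw x <- {0,1}^n and test it.
    Returns (p, tries). Each draw is prime with probability >= 1/(2n), so the
    expected number of tries is O(n); max_tries caps it at polynomially many."""
    max_tries = max_tries or 64 * n
    for tries in range(1, max_tries + 1):
        x = rng.getrandbits(n)
        if is_probable_prime(x, rng=rng):
            return x, tries
    raise RuntimeError("no prime found; this has negligible probability")

def prime_density(n, samples, rng=random):
    """Empirical P[x <- {0,1}^n : x prime], to compare with the bound 1/(2n)."""
    return sum(is_probable_prime(rng.getrandbits(n), rng=rng) for _ in range(samples)) / samples

def factoring_instance(n, rng=random):
    """The factoring challenge N = p*q with p, q <- Pi_n, i.e. an input to the
    collection f_mult,n on Pi_n x Pi_n."""
    p, _ = sample_prime(n, rng)
    q, _ = sample_prime(n, rng)
    return p * q, p, q
```

For 16-bit draws the measured density is about $1/11$, comfortably above the $\frac{1}{2n}=\frac{1}{32}$ bound used in the proofs, and a prime is usually found within a couple of dozen tries.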

# Lecture 7
## Chapter 2: Computational Hardness
### Letter choosing experiment
For 100 letter tiles,
$p_1,...,p_{27}$ (with one blank)
$(p_1)^2+\dots +(p_{27})^2\geq\frac{1}{27}$
In general, for any $p_1,...,p_n$ with $0\leq p_i\leq 1$ and $\sum p_i=1$:
$P[\text{the same event twice in a row}]=p_1^2+p_2^2+\dots+p_n^2$
By Cauchy-Schwarz: $|u\cdot v|^2 \leq \|u\|^2\cdot \|v\|^2$.
Let $\vec{u}=(p_1,...,p_n)$, $\vec{v}=(1,..,1)$, so $(p_1+p_2+\dots+p_n)^2\leq (p_1^2+p_2^2+\dots+p_n^2)\cdot n$. The left side is $1$, so $p_1^2+p_2^2+\dots+p_n^2\geq \frac{1}{n}$.
Apply this to $f$ with range $Y$: let $p_y=P[x\gets\{0,1\}^n:f(x)=y]$. An adversary $\mathcal{A}$ that ignores $y$, picks a random $x'$ and outputs it succeeds whenever $f(x')=f(x)$, i.e. with probability $\sum_y p_y^2\geq\frac{1}{|Y|}$.
So $P[x\gets\{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]\geq \frac{1}{|Y|}$: a one-way function must have a super-polynomial number of possible outputs.
### Modular arithmetic
For $a,b\in \mathbb{Z}$, $N\in \mathbb{Z}^+$:
$a\equiv b \mod N\iff N|(a-b)\iff \exists k\in \mathbb{Z}, a-b=kN,a=kN+b$
Ex: $N=23$, $-20\equiv 3\equiv 26\equiv 49\equiv 72\mod 23$.
#### Equivalent relations for any $N$ on $\mathbb{Z}$
$a\equiv a\mod N$
$a\equiv b\mod N\iff b\equiv a\mod N$
$a\equiv b\mod N$ and $b\equiv c\mod N\implies a\equiv c\mod N$
#### Division Theorem
For any $a\in \mathbb{Z}$ and $N\in\mathbb{Z}^+$, $\exists$ unique $q,r$ with $a=qN+r$ and $0\leq r<N$.
$\mathbb{Z}_N=\{0,1,2,...,N-1\}$ with modular arithmetic.
$a+b\mod N,a\cdot b\mod N$
Theorem: If $a\equiv b\mod N$ and$c\equiv d\mod N$, then $a\cdot c\equiv b\cdot d\mod N$.
Definition: $gcd(a,b)=d,a,b\in \mathbb{Z}^+$, is the maximum number such that $d|a$ and $d|b$.
Using normal factoring is slow... (Example: large $p,q,r$, $N=p\cdot q,,M=p\cdot r$)
##### Euclidean algorithm
Recursively relying on fact that $(a>b>0)$
$gcd(a,b)=gcd(b,a\mod b)$
```python
def euclidean_algorithm(a,b):
if a<b: return euclidean_algorithm(b,a)
if b==0: return a
return euclidean_algorithm(b,a%b)
```
Proof:
We'll show $d|a$ and $d|b\iff d|b$ and $d|(a\bmod b)$, so both pairs have the same common divisors and hence the same gcd.
Write $a=q\cdot b+r$ with $r=a\bmod b$.
$\implies$: $d|a$ and $d|b$ give $d|(a-qb)=r$. $\impliedby$: $d|b$ and $d|r$ give $d|(qb+r)=a$.
Runtime analysis:
Fact: $b_{i+2}<\frac{1}{2}b_i$ (where $b_1=b$, $b_2=a\bmod b$, and so on)
Proof:
Since $b_i=q\cdot b_{i+1}+b_{i+2}$ with $q\geq 1$ and $b_{i+2}<b_{i+1}$, we get $b_i\geq b_{i+1}+b_{i+2}>2b_{i+2}$, so $b_{i+2}<\frac{b_i}{2}$.
So the remainder at least halves every two steps: $T=O(\log b)$ recursive calls, i.e. linear in the bit length of the input.
##### Extended Euclidean algorithm
Our goal is to find $x,y$ such that $ax+by=gcd(a,b)$.
To solve $a\cdot x\equiv 1\mod N$, run the Euclidean algorithm on $(a,N)$ to find $gcd(a,N)=d$ (we need $d=1$), then reverse the steps to find $x,y$ with $ax+Ny=1$; that $x$ is $a^{-1}\bmod N$.
```python
def extended_euclidean_algorithm(a, b):
    """Return (x, y) with a*x + b*y == gcd(a, b)."""
    if b == 0:
        return (1, 0)             # gcd(a, 0) = a = a*1 + 0*0
    if a % b == 0:
        return (0, 1)             # gcd(a, b) = b
    # gcd(a, b) = gcd(b, a % b) = b*x + (a % b)*y, and a % b = a - (a // b) * b
    x, y = extended_euclidean_algorithm(b, a % b)
    return (y, x - y * (a // b))
```
Example: $a=12,b=43$, $gcd(12,43)=1$
$$
\begin{aligned}
43&=3\cdot 12+7\\
12&=1\cdot 7+5\\
7&=1\cdot 5+2\\
5&=2\cdot 2+1\\
2&=2\cdot 1+0\\
1&=1\cdot 5-2\cdot 2\\
1&=1\cdot 5-2\cdot (7-1\cdot 5)\\
1&=3\cdot 5-2\cdot 7\\
1&=3\cdot (12-1\cdot 7)-2\cdot 7\\
1&=3\cdot 12-5\cdot 7\\
1&=3\cdot 12-5\cdot (43-3\cdot 12)\\
1&=-5\cdot 43+18\cdot 12\\
\end{aligned}
$$
So $x=18$, $y=-5$: $18\cdot 12-5\cdot 43=1$.

# Lecture 8
## Chapter 2: Computational Hardness
### Computational number theory/arithmetic
We want to have a easy-to-use one-way functions for cryptography.
How to compute $a^x\mod N$ quickly, for positive integers $a,x,N$. First reduce $a\mod N$.
Example: $129^{39}\mod 41\equiv (129\mod 41)^{39}\mod 41=6^{39}\mod 41$
Find the binary representation of $x$. e.g. express as sums of powers of 2.
`x=39=bin(1,0,0,1,1,1)`
Repeatedly square, $\lfloor\log_2(x)\rfloor$ times, to get $a^{2^i}\mod N$, and multiply together the powers whose bit is set in $x$.
$$
\begin{aligned}
6^{39}\mod 41&=6^{32+4+2+1}\mod 41\\
&=(6^{32}\mod 41)(6^{4}\mod 41)(6^{2}\mod 41)(6^{1}\mod 41)\mod 41\\
&=(-4)(25)(-5)(6)\mod 41\\
&=7
\end{aligned}
$$
The total number of modular multiplications is at most $2\lfloor\log_2(x)\rfloor$: one squaring per bit plus one multiplication per set bit.
_looks like fast exponentiation right?_
Goal: $f_{g,p}(x)=g^x\mod p$ is a one-way function, for certain choice of $p,g$ (and assumptions)
#### A group (Nice day one for MODERN ALGEBRA)
A group $G$ is a set with a binary operation $\oplus$ such that:
1. $\forall a,b\in G,a\oplus b\in G$ (closure)
2. $(a\oplus b)\oplus c=a\oplus(b\oplus c)$ (associativity)
3. $\exists e\in G$ such that $\forall a\in G, e\oplus a=a=a\oplus e$ (identity element)
4. $\forall a\in G,\exists a^{-1}\in G$ such that $a\oplus a^{-1}=e=a^{-1}\oplus a$ (inverse element)
Example:
- $\mathbb{Z}_N=\{0,1,2,3,...,N-1\}$ with addition $\mod N$, with identity element $0$. For $a\in \mathbb{Z}_N$, $a^{-1}=(N-a)\bmod N$.
- An even simpler group is $\mathbb{Z}$ with addition.
- $\mathbb{Z}_N^*=\{x\in \mathbb{Z}:1 \leq x\leq N, gcd(x,N)=1\}$ with multiplication $\mod N$ (we can do division here!).
  - If $N=p$ is prime, then $\mathbb{Z}_p^*=\{1,2,3,...,p-1\}$
  - If $N=24$, then $\mathbb{Z}_{24}^*=\{1,5,7,11,13,17,19,23\}$
  - Identity is $1$.
  - Inverses: let $a\in \mathbb{Z}_N^*$. By the extended Euclidean algorithm, $gcd(a,N)=1$ gives $x,y\in\mathbb{Z}$ with $ax+Ny=1$, so $ax\equiv 1\mod N$ and $x\bmod N=a^{-1}$.
  - Closure: for $a,b\in \mathbb{Z}_N^*$ we want $gcd(ab,N)=1$. If $gcd(ab,N)=d>1$, some prime $p$ divides $d$, so $p|ab$, which means $p|a$ or $p|b$. In either case $gcd(a,N)\geq p>1$ or $gcd(b,N)\geq p>1$, contradicting $a,b\in \mathbb{Z}_N^*$.
#### Euler's totient function
$\phi:\mathbb{Z}^+\to \mathbb{Z}^+,\phi(N)=|\mathbb{Z}_N^*|=|\{1\leq x\leq N:gcd(x,N)=1\}|$
Example: $\phi(1)=1$, $\phi(24)=8$, $\phi (p)=p-1$, $\phi(p\cdot q)=(p-1)(q-1)$
#### Euler's Theorem
For any $a\in \mathbb{Z}_N^*$, $a^{\phi(N)}\equiv 1\mod N$
Consequence: to compute $a^x\mod N$ for $a\in\mathbb{Z}_N^*$, write $x=K\cdot \phi(N)+r$ with $0\leq r<\phi(N)$. Then
$$
a^x\equiv a^{K \cdot \phi (N) +r}\equiv ( a^{\phi(N)} )^K \cdot a^r\equiv a^r \mod N
$$
So the exponent can be reduced $\mod \phi(N)$ before exponentiating. (Square-and-multiply is already polynomial in $\log N$ and $\log x$ without this; the reduction needs $\phi(N)$, which for $N=pq$ means knowing the factors.)
Corollary: Fermat's little theorem:
$1\leq a\leq p-1,a^{p-1}\equiv 1 \mod p$
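As an added example (not code from the notes), here is square-and-multiply as described above, checked against the worked value $129^{39}\bmod 41=7$, together with a brute-force $\mathbb{Z}_N^*$ and $\phi(N)$ for checking Euler's theorem and computing inverses on small moduli. The exponent reduction uses $\phi(N)$, which for $N=pq$ means knowing the factors; the only assumption here is that $N$ is small enough to enumerate.

```python
from math import gcd

def mod_pow(a, x, N):
    """Square-and-multiply: a^x mod N with O(log x) modular multiplications."""
    result, base = 1 % N, a % N          # first reduce a mod N
    while x > 0:
        if x & 1:                        # this bit of x is set: multiply in a^(2^i)
            result = result * base % N
        base = base * base % N           # a, a^2, a^4, a^8, ... mod N
        x >>= 1
    return result

def units(N):
    """Z_N^* = {1 <= x <= N : gcd(x, N) = 1}, by enumeration (small N only)."""
    return [x for x in range(1, N + 1) if gcd(x, N) == 1]

def phi(N):
    """Euler's totient, phi(N) = |Z_N^*|."""
    return len(units(N))

def euler_holds(N):
    """Check a^phi(N) = 1 (mod N) for every a in Z_N^*."""
    return all(mod_pow(a, phi(N), N) == 1 for a in units(N))

def mod_inverse(a, N):
    """a^-1 in Z_N^* via Euler: a * a^(phi(N) - 1) = a^phi(N) = 1 (mod N)."""
    if gcd(a, N) != 1:
        raise ValueError(f"{a} has no inverse mod {N}")
    return mod_pow(a, phi(N) - 1, N)

def reduced_exponent_pow(a, x, N):
    """Same value as mod_pow for gcd(a, N) = 1, with x first reduced mod phi(N).
    This needs phi(N), i.e. the factorisation of N; mod_pow alone does not."""
    if gcd(a, N) != 1:
        raise ValueError("exponent reduction mod phi(N) requires a in Z_N^*")
    return mod_pow(a, x % phi(N), N)
```

`mod_pow(129, 39, 41)` gives `7`, `units(24)` is the group listed above with `phi(24) == 8`, and `reduced_exponent_pow(107, 662, 51)` agrees with `mod_pow(107, 662, 51)` while touching only a 5-bit exponent.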

# Lecture 9
## Chapter 2: Computational Hardness
### Continue on Cyclic groups
$$
\begin{aligned}
107^{662}\mod 51&=(107\mod 51)^{662}\mod 51\\
&=5^{662}\mod 51
\end{aligned}
$$
Recall that for a prime $p$, $\phi(p)=p-1$, and that $\phi$ is multiplicative on coprime factors.
$51=3\times 17$, $\phi(51)=\phi(3)\times \phi(17)=2\times 16=32$, so $5^{32}\equiv 1\mod 51$ by Euler's theorem.
$5^2\equiv 25\mod 51=25$
$5^4\equiv (5^2)^2\equiv(25)^2 \mod 51\equiv 625\mod 51=13$
$5^8\equiv (5^4)^2\equiv(13)^2 \mod 51\equiv 169\mod 51=16$
$5^{16}\equiv (5^8)^2\equiv(16)^2 \mod 51\equiv 256\mod 51=1$ (so in fact $o(5)=16$, a divisor of $32$)
$$
\begin{aligned}
5^{662}\mod 51&=5^{662\bmod 32}\mod 51\\
&=5^{22}\mod 51\\
&=5^{16}\cdot 5^4\cdot 5^2\mod 51\\
&=19
\end{aligned}
$$
For $a\in \mathbb{Z}_N^*$, the order of $a$, $o(a)$ is the smallest positive $k$ such that $a^k\equiv 1\mod N$. $o(a)\leq \phi(N),o(a)|\phi (N)$
In a general finite group
$g^{|G|}=e$ (identity)
$o(g)\vert |G|$
If a group $G=\{a,a^2,a^3,...,e\}$ $G$ is cyclic
In a cyclic group, if $o(a)=|G|$, then a is a generator of $G$.
Fact: $\mathbb{Z}^*_p$ is cyclic
$|\mathbb{Z}^*_p|=p-1$, so $\exists$ a generator $g$ of order $p-1$. For $p=13$: $|\mathbb{Z}_{13}^*|=\phi(13)=12$.
For example, $2$ is a generator for $\mathbb{Z}_{13}^*$ with $2,4,8,3,6,12,11,9,5,10,7,1$.
If $g$ is a generator, $f:\mathbb{Z}_{p-1}\to \mathbb{Z}_p^*$, $f(x)=g^x \mod p$ is onto (and one-to-one).
What type of prime $p$?
- Large prime.
- If $p-1$ is very factorable, that is very bad.
- Pohlig-Hellman algorithm
  - e.g. $p=2^n+1$: then $p-1$ is a power of $2$ and the discrete log can be computed in polynomial time
- We want $p=2q+1$, where $q$ is prime ($q$ is a Sophie Germain prime; $p$ is a safe prime).
There are _probably_ infinitely many safe prime and efficient to sample as well.
If $p$ is safe, $g$ generator.
$$
\mathbb{Z}_p^*=\{g,g^2,..,e\}
$$
Then $S_{g,p}=\{g^2,g^4,\ldots,g^{2q}\}\subseteq \mathbb{Z}_p^*$ is a subgroup of order $q$; $g^{2k}\cdot g^{2l}=g^{2(k+l)}\in S_{g,p}$
It is cyclic with generator $g^2$.
It is easy to find a generator.
- Pick $a\in \mathbb{Z}_p^*$
- Let $x=a^2\bmod p$. If $x\neq 1$ (i.e. $a\neq\pm 1$), then $x$ has order exactly $q$ and generates the subgroup $S_p$ of squares
- $S_p=\{x,x^2,...,x^q\}\mod p$
Example: $p=2\cdot 11+1=23$
we have a subgroup with generator $4$ and $S_4=\{4,16,18,3,12,2,8,9,13,6,1\}$
```python
def get_generator(p):
    """
    Return every generator of Z_p^* for a prime p, each with the cycle it produces.
    (For composite p, Z_p^* is not {1, ..., p-1} and need not be cyclic: factor first.)
    """
    gens = []
    for i in range(2, p):
        k, sg = i, []
        while k != 1:
            sg.append(k)
            k = (k * i) % p
            if len(sg) > p:   # cannot happen for prime p; guards against composite input
                raise ValueError(f"{i} never returns to 1 modulo {p}")
        sg.append(1)
        if len(sg) == p - 1:  # order p-1 means i generates the whole group
            gens.append((i, sg))
    return gens
```
### (Computational) Diffie-Hellman assumption
If $p$ is a randomly sampled safe prime.
Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$
Then
$$
P\left[p\gets \tilde{\Pi}_n;a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(p,g,y)=x\right]\leq \epsilon(n)
$$
$p\gets \tilde{\Pi}_n;a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the instance generation ($Gen$) for this collection of functions. As displayed, this is the discrete logarithm assumption, which is what makes $f_{g,p}(x)=g^x\bmod p$ a collection of one-way functions; the Diffie-Hellman assumption is a related, stronger assumption on the same groups.
Note: $f:\mathbb{Z}_q\to \mathbb{Z}_p^*$ is one-to-one, so $f(\mathcal{A}(y))=y\iff \mathcal{A}(y)=x$
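An added example, not from the notes: safe primes below a bound, the order-$q$ subgroup of squares generated by $a^2$, the subgroup $S_4$ in $\mathbb{Z}_{23}^*$ from the text, and a brute-force discrete log that confirms $x\mapsto g^x$ is one-to-one on $\mathbb{Z}_q$. Trial division is used for primality because the moduli are tiny; that is the only assumption.

```python
def is_prime(x):
    """Trial division; fine for the small demonstration sizes used here."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True

def is_safe_prime(p):
    """p = 2q + 1 with q prime (q is then a Sophie Germain prime)."""
    return is_prime(p) and p > 3 and is_prime((p - 1) // 2)

def safe_primes_below(bound):
    return [p for p in range(5, bound) if is_safe_prime(p)]

def subgroup_generator(p, a):
    """g = a^2 mod p generates the order-q subgroup S_p of Z_p^* whenever g != 1
    (for a safe prime, every square other than 1 has order exactly q)."""
    g = a * a % p
    if g == 1:
        raise ValueError("a = +-1: its square is trivial, pick another a")
    return g

def subgroup(p, g):
    """S_p = {g, g^2, ..., g^q} mod p, listed in that order."""
    q = (p - 1) // 2
    return [pow(g, k, p) for k in range(1, q + 1)]

def order(p, g):
    """Smallest k > 0 with g^k = 1 (mod p)."""
    k, y = 1, g
    while y != 1:
        y = y * g % p
        k += 1
    return k

def discrete_log(p, g, y):
    """Brute-force x in Z_q with g^x = y mod p: exponential in |p|, which is
    the point of the assumption above; instant for a 5-bit p."""
    q = (p - 1) // 2
    for x in range(q):
        if pow(g, x, p) == y:
            return x
    return None

def is_one_to_one(p, g):
    """f(x) = g^x mod p on Z_q takes q distinct values, so inverting f recovers x uniquely."""
    q = (p - 1) // 2
    return len({pow(g, x, p) for x in range(q)}) == q
```

`subgroup(23, 4)` reproduces the list $S_4$ given above, every $a\in\{2,\ldots,21\}$ squares to an element of order $11$, and `discrete_log(23, 4, 13)` returns `9` because $13$ is the ninth entry of that list.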

# System check for exam list
**The exam will take place in class on Monday, October 21.**
The topics will cover Chapters 1 and 2, as well as the related probability discussions we've had (caveats below).  Assignments 1 through 3 span this material.
## Specifics on material:
NOT "match-making game" in 1.2 (seems fun though)
NOT the proof of Theorem 31.3 (but definitely the result!)
NOT 2.4.3 (again, definitely want to know this result, and we have discussed the idea behind it)
NOT 2.6.5, 2.6.6
NOT 2.12, 2.13
The probability knowledge/techniques I've expanded on include conditional probability, independence, law of total probability, Bayes' Theorem, union bound, 1-p bound (or "useful bound"), collision
I expect you to demonstrate understanding of the key definitions, theorems, and proof techniques.  The assignments are designed to reinforce all of these.  However, exam questions will be written with the understanding of the time limitations.
The exam is "closed-book," with no notes of any kind allowed.  The advantage of this is that some questions might be very basic.  However, I will expect that you will have not just memorized definitions and theorems, but you can also explain their meaning and apply them.
## Chapter 1
### Prove security
#### Definition 11.1 Shannon secrecy
$(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$ (a crypto-system) is said to be a private-key encryption scheme that is *Shannon-secret with respect to distribution $D$ over the message space $\mathcal{M}$* if for all $m'\in \mathcal{M}$ and for all $c$,
$$
P[k\gets Gen;m\gets D:m=m'|Enc_k(m)=c]=P[m\gets D:m=m']
$$
(The adversary cannot learn all, part of, any letter of, any function off, or any partial information about the plaintext)
#### Definition 11.2 Perfect Secrecy
$(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$ (a crypto-system) is said to be a private-key encryption scheme that is *perfectly secret* if for all $m_1,m_2\in \mathcal{M},\forall c$:
$$
P[k\gets Gen:Enc_k(m_1)=c]=P[k\gets Gen:Enc_k(m_2)=c]
$$
(For all coding scheme in the crypto system, for any two different message, they are equally likely to be mapped to $c$)
#### Definition 12.3
A private-key encryption scheme is perfectly secret if and only if it is Shannon secret.
## Chapter 2
### Efficient Private-key Encryption
#### Definition 24.7
A triplet of algorithms $(Gen,Enc,Dec)$ is called an efficient private-key encryption scheme if the following holds.
1. $k\gets Gen(1^n)$ is a p.p.t. such that for every $n\in \mathbb{N}$, it samples a key $k$.
2. $c\gets Enc_k(m)$ is a p.p.t. that given $k$ and $m\in \{0,1\}^n$ produces a ciphertext $c$.
3. $m\gets Dec_k(c)$ is a p.p.t. that given a ciphertext $c$ and key $k$ produces a message $m\in \{0,1\}^n\cup \{\perp\}$.
4. For all $n\in \mathbb{N},m\in \{0,1\}^n$
$$
Pr[k\gets Gen(1^n);Dec_k(Enc_k(m))=m]=1
$$
### One-Way functions
#### Definition 26.1
A function $f:\{0,1\}^*\to\{0,1\}^*$ is worst-case one-way if the function is:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$
\forall x,P[\mathcal{A}(f(x))\in f^{-1}(f(x))]=1
$$
#### Definition 27.2 Negligible function
A function $\epsilon(n)$ is negligible if for every $c$. there exists some $n_0$ such that for all $n>n_0$, $\epsilon (n)\leq \frac{1}{n^c}$.
#### Definition 27.3 Strong One-Way Function
A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$
P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq \epsilon(n)
$$
#### Definition 28.4 (Weak One-Way Function)
A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$
P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq 1-\frac{1}{q(n)}
$$
#### Notation for prime numbers
Denote the (finite) set of primes that are smaller than $2^n$ as
$$
\Pi_n=\{q|q<2^n\textup{ and } q \textup{ is prime}\}
$$
#### Assumption 30.1 (Factoring)
For every adversary $\mathcal{A}$, there exists a negligible function $\epsilon$ such that
$$
P[p\gets \Pi_n;q\gets \Pi_n;N\gets pq:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)
$$
(For every product of random 2 primes, the probability for any adversary to find the prime factors is negligible.)
(There is no polynomial function that can decompose the product of two $n$ bit prime, the best function is $2^{O(n^{\frac{1}{3}}\log^{\frac{2}{3}}n)}$)
#### Theorem 35.1
For any weak one-way function $f:\{0,1\}^n\to \{0,1\}^*$, there exists a polynomial $m(\cdot)$ such that function
$$
f'(x_1,x_2,\dots, x_{m(n)})=(f(x_1),f(x_2),\dots, f(x_{m(n)})).
$$
from $f'=(\{0,1\}^n)^{m(n)}\to(\{0,1\}^*)^{m(n)}$ is strong one-way.
### RSA
#### Definition 46.7
A group $G$ is a set of elements with a binary operator $\oplus:G\times G\to G$ that satisfies the following properties
1. Closure: $\forall a,b\in G, a\oplus b\in G$
2. Identity: $\exists i\in G$ such that $\forall a\in G, i\oplus a=a\oplus i=a$
3. Associativity: $\forall a,b,c\in G,(a\oplus b)\oplus c=a\oplus(b\oplus c)$.
4. Inverse: $\forall a\in G$, there is an element $b\in G$ such that $a\oplus b=b\oplus a=i$
#### Definition Euler totient function $\Phi(N)$.
$$
\Phi(p)=p-1
$$
if $p$ is prime
$$
\Phi(N)=(p-1)(q-1)
$$
if $N=pq$ and $p,q$ are primes
#### Theorem 47.10
$\forall a\in \mathbb{Z}_N^*,a^{\Phi(N)}=1\mod N$
#### Corollary 48.11
$\forall a\in \mathbb{Z}_p^*,a^{p-1}\equiv 1\mod p$.
#### Corollary 48.12
$a^x\mod N=a^{x\mod \Phi(N)}\mod N$
## Some other important results
### Exponent
$$
(1-\frac{1}{n})^n\approx e
$$
when $n$ is large.
### Primes
Let $\pi(x)$ be the lower-bounds for prime less than or equal to $x$.
#### Theorem 31.3 Chebyshev
For $x>1$,$\pi(x)>\frac{x}{2\log x}$
#### Corollary 31.3
For $2^n>1$, $p(n)>\frac{1}{n}$
(The probability that a uniformly sampled n-bit integer is prime is greater than $\frac{1}{n}$)
### Modular Arithmetic
#### Extended Euclid Algorithm
```python
def eea(a,b)->tuple(int):
# assume a>b
# return x,y such that ax+by=gcd(a,b)=d.
# so y is the modular inverse of b mod a
# so x is the modular inverse of a mod b
# so gcd(a,b)=ax+by
if a%b==0:
return (0,1)
x,y=eea(b,a%b)
return (y,x-y(a//b))
```
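Review bot: the `eea` function at the end of this hunk will not run as written. `tuple(int)` is not a valid return annotation (use `tuple[int, int]`), and `return (y,x-y(a//b))` calls the integer `y` as a function instead of multiplying, so every non-base case raises `TypeError`; from `b*x + (a%b)*y = d` and `a%b = a - (a//b)*b` one gets `a*y + b*(x - (a//b)*y) = d`, so the line should be `return (y, x - (a//b)*y)`. The comments "y is the modular inverse of b mod a" and "x is the modular inverse of a mod b" hold only when `gcd(a,b)=1`, which is worth stating since that is the case the RSA section relies on. Elsewhere in the hunk a few definitions are inverted or mistyped in ways that matter for an exam review: Definition 28.4 is titled Weak One-Way Function but its body says "is a strong one-way function"; Definitions 27.3 and 28.4 say "There is no adversary such that P[...] ≤ ε(n)" (resp. "≤ 1 - 1/q(n)"), which is the negation of the intended statement (for every adversary the inversion probability is at most ε(n), resp. at most 1 - 1/q(n)); Definition 24.7 item 3 writes `Dec_c(c)` for `Dec_k(c)`; and under "Exponent", `(1-\frac{1}{n})^n\approx e` should be `\approx \frac{1}{e}` for large n (it is `(1+\frac{1}{n})^n` that tends to e). Minor: "Shannon-secrete" → "Shannon-secret", "ENc" → "Enc", Definition 12.3 is an if-and-only-if statement and reads as a theorem rather than a definition, and Theorem 31.3 and Corollary 31.3 share a number.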


@@ -0,0 +1,222 @@
# CSE442T Exam 2 Review
## Review
### Assumptions used in cryptography (this course)
#### Diffie-Hellman assumption
The Diffie-Hellman assumption is that the following problem is hard.
$$
\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.
$$
More formally,
If $p$ is a randomly sampled safe prime.
Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$
Then
$$
P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)
$$
$p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the function condition when we do the encryption on cyclic groups.
#### Discrete logarithm assumption
> If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.
This is a corollary of the Diffie-Hellman assumption, it states as follows.
This is collection of one-way functions
$$
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
$$
$$
a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1)
$$
$$
f_{g,p}(x)=g^x\mod p
$$
$$
f:\mathbb{Z}_q\to \mathbb{Z}^*_p
$$
#### RSA assumption
The RSA assumption is that it is hard to factorize a product of two large primes. (no polynomial time algorithm for factorization product of two large primes with $n$ bits)
Let $e$ be the exponents
$$
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\varepsilon(n)
$$
#### Factoring assumption
> If RSA assumption holds, then factoring assumption holds.
The only way to efficiently factorize the product of prime is to iterate all the primes.
### Fancy product of these assumptions
#### Trapdoor permutation
> RSA assumption $\implies$ Trapdoor permutation exists.
Idea: $f:D\to R$ is a one-way permutation.
$y\gets R$.
* Finding $x$ such that $f(x)=y$ is hard.
* With some secret info about $f$, finding $x$ is easy.
$\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$
1. $\forall i,f_i$ is a permutation
2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info"
3. $\forall i,D_i$ can be sampled efficiently.
4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time.
5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n)$ (note: $\mathcal{A}$ is not given $t$)
6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info"
_There is one bit of trapdoor info that without it, finding $x$ is hard._
#### Collision resistance hash function
> If discrete logarithm assumption holds, then collision resistance hash function exists.
Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:
$Gen(1^n):(g,p,y)$
$p\in \tilde{\Pi}_n(p=2q+1)$
$g$ generator for group of sequence $\mod p$ (G_q)
$y$ is a random element in $G_q$
$h_{g,p,y}(x,b)=y^bg^x\mod p$, $y^bg^x\mod p \in \{0,1\}^n$
$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.
Under the discrete log assumption, $H$ is a CRHF.
- It is easy to sample $(g,p,y)$
- It is easy to compute
- Compressing by 1 bit
#### One-way permutation
> If trapdoor permutation exists, then one-way permutation exists.
A one-way permutation is a function that is one-way and returns a permutation of the input.
#### One-way function
> If one-way permutation exists, then one-way function exists.
One-way function is a class of functions that are easy to compute but hard to invert.
##### Weak one-way function
A weak one-way function is
$$
f:\{0,1\}^n\to \{0,1\}^*
$$
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
2. $\forall a$ adversaries, $\exists \varepsilon(n),\forall n$.
$$
P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}
$$
_The probability of success should not be too close to 1_
##### Strong one-way function
> If weak one-way function exists, then strong one-way function exists.
A strong one-way function is
$$
f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)
$$
There is a negligible function $\varepsilon (n)$ such that for any adversary $a$ (n.u.p.p.t)
$$
P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)
$$
_Probability of guessing correct message is negligible_
#### Hard-core bits
> Strong one-way function $\iff$ hard-core bits exists.
A hard-core bit is a bit that is hard to predict given the output of a one-way function.
#### Pseudorandom generator
> If one-way permutation exists, then pseudorandom generator exists.
We can also use pseudorandom generator to construct one-way function.
And hard-core bits can be used to construct pseudorandom generator.
#### Pseudorandom function
> If pseudorandom generator exists, then pseudorandom function exists.
A pseudorandom function is a function that is indistinguishable from a true random function.
### Multi-message secure private-key encryption
> If pseudorandom function exists, then multi-message secure private-key encryption exists.
A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.
#### Single message secure private-key encryption
> If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.
#### Message-authentication code
> If pseudorandom function exists, then message-authentication code exists.
### Public-key encryption
> If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.
### Digital signature
A digital signature scheme is a triple $(Gen, Sign, Ver)$ where
- $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$.
- $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$.
- $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
$$
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
$$
#### One-time secure digital signature
#### Fixed-length one-time secure digital signature
> If one-way function exists, then fixed-length one-time secure digital signature exists.
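Review bot: the formal display under "Diffie-Hellman assumption" (`P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]`) is the discrete-logarithm experiment, not the Diffie-Hellman one: it scores the adversary on recovering x from g^x, whereas the informal line above it asks for g^{ab} given g, g^a, g^b. Either move that display down under "Discrete logarithm assumption", where the same map f_{g,p}(x)=g^x mod p is then defined as the one-way collection, or replace it with an experiment that samples a, b and scores A(g, g^a, g^b) = g^{ab}. Related fixes in the same hunk: the sentence "The RSA assumption is that it is hard to factorize a product of two large primes" describes the factoring assumption, while the display that follows it (x^e = y mod N) is the actual RSA assumption, so prose and formula disagree; in that display `y\gets \mathbb{N}_n` looks like a typo for the set y is sampled from; `\mathbb{Z}*_{p}` under discrete log should be `\mathbb{Z}^*_p`; and "The only way to efficiently factorize the product of prime is to iterate all the primes" contradicts the exam-1 review in this same commit, which cites a 2^{O(n^{1/3} log^{2/3} n)} factoring algorithm. In the weak one-way function definition the quantifier reads "∃ ε(n)" but the bound uses 1 - 1/p(n); the existentially quantified object should be the polynomial p(n), fixed before the adversary is chosen. Under "Collision resistance hash function", h and H are introduced as the same map with the same type on consecutive lines, so one can go, and the sentence after `h_{g,p,y}(x,b)=y^bg^x\mod p` should say it outputs an element of G_q, the order-q subgroup of Z_p^*, rather than of {0,1}^n. Finally, the signature definition uses `Gen(1^k)` with security parameter k but the correctness condition quantifies over n and \mathcal{M}_n; pick one parameter name.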


@@ -0,0 +1,4 @@
export default {
CSE442T_E1: "CSE442T Exam 1 Review",
CSE442T_E2: "CSE442T Exam 2 Review"
}

content/CSE442T/_meta.js Normal file

@@ -0,0 +1,31 @@
export default {
//index: "Course Description",
"---":{
type: 'separator'
},
Exam_reviews: "Exam reviews",
CSE442T_L1: "Introduction to Cryptography (Lecture 1)",
CSE442T_L2: "Introduction to Cryptography (Lecture 2)",
CSE442T_L3: "Introduction to Cryptography (Lecture 3)",
CSE442T_L4: "Introduction to Cryptography (Lecture 4)",
CSE442T_L5: "Introduction to Cryptography (Lecture 5)",
CSE442T_L6: "Introduction to Cryptography (Lecture 6)",
CSE442T_L7: "Introduction to Cryptography (Lecture 7)",
CSE442T_L8: "Introduction to Cryptography (Lecture 8)",
CSE442T_L9: "Introduction to Cryptography (Lecture 9)",
CSE442T_L10: "Introduction to Cryptography (Lecture 10)",
CSE442T_L11: "Introduction to Cryptography (Lecture 11)",
CSE442T_L12: "Introduction to Cryptography (Lecture 12)",
CSE442T_L13: "Introduction to Cryptography (Lecture 13)",
CSE442T_L14: "Introduction to Cryptography (Lecture 14)",
CSE442T_L15: "Introduction to Cryptography (Lecture 15)",
CSE442T_L16: "Introduction to Cryptography (Lecture 16)",
CSE442T_L17: "Introduction to Cryptography (Lecture 17)",
CSE442T_L18: "Introduction to Cryptography (Lecture 18)",
CSE442T_L19: "Introduction to Cryptography (Lecture 19)",
CSE442T_L20: "Introduction to Cryptography (Lecture 20)",
CSE442T_L21: "Introduction to Cryptography (Lecture 21)",
CSE442T_L22: "Introduction to Cryptography (Lecture 22)",
CSE442T_L23: "Introduction to Cryptography (Lecture 23)",
CSE442T_L24: "Introduction to Cryptography (Lecture 24)"
}
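Review bot: the commented-out `//index: "Course Description",` at the top of this `_meta.js` hides the `content/CSE442T/index.md` that this same commit adds, so the course description page is reachable only by URL and not from the sidebar; if that is intended, say so in a comment, otherwise restore the `index` entry (Nextra maps the `index` key to the folder's `index.md`). Style: the separator entry uses single quotes (`type: 'separator'`) while every other string in the file uses double quotes, and the 24 near-identical `CSE442T_L<n>: "Introduction to Cryptography (Lecture <n>)"` lines could be built with `Object.fromEntries` over a range so adding a lecture is a one-number change instead of a copied line.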

content/CSE442T/index.md Normal file

@@ -0,0 +1,55 @@
# CSE 442T
## Course Description
This course is an introduction to the theory of cryptography. Topics include:
One-way functions, Pseudorandomness, Private-key cryptography, Public-key cryptography, Authentication, and etc.
### Instructor:
[Brian Garnett](bcgarnett@wustl.edu)
Math Phd… Great!
Proof based course and write proofs.
CSE 433 for practical applications.
### Office Hours:
Right after class! 4-5 Mon, Urbaur Hall 227
### Textbook:
[A course in cryptography Lecture Notes](https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf)
### Comments:
Most proofs are not hard to understand.
Many definitions to remember. They are long and tedious.
For example, I have to read the book to understand the definition of "hybrid argument". It was given as follows:
>Let $X^0_n,X^1_n,\dots,X^m_n$ are ensembles indexed from $1,..,m$
> If $\mathcal{D}$ distinguishes $X_n^0$ and $X_n^m$ by $\mu(n)$, then $\exists i,1\leq i\leq m$ where $X_{n}^{i-1}$ and $X_n^i$ are distinguished by $\mathcal{D}$ by $\frac{\mu(n)}{m}$
I'm having a hard time to recover them without reading the book.
The lecturer's explanation is good but you'd better always pay attention in class or you'll having a hard time to catch up with the proof.
### Notations used in this course
The notations used in this course is very complicated. However, since we need to defined those concepts mathematically, we have to use those notations. Here are some notations I changed or emphasized for better readability at least for myself.
- I changed all the element in set to lowercase letters. I don't know why K is capitalized in the book.
- I changed the message space notation $\mathcal{M}$ to $M$, and key space notation $\mathcal{K}$ to $K$ for better readability.
- All the $\mathcal{A}$ denotes a algorithm. For example, $\mathcal{A}$ is the adversary algorithm, and $\mathcal{D}$ is the distinguisher algorithm.
- As always, $[1,n]$ denotes the set of integers from 1 to n.
- $P[A]$ denotes the probability of event $A$.
- $\{0,1\}^n$ denotes the set of all binary strings of length $n$.
- $1^n$ denotes the string of length $n$ with all bits being 1.
- $0^n$ denotes the string of length $n$ with all bits being 0.
- $;$ means and, $:$ means given that.
- $\Pi_n$ denotes the set of all primes less than $2^n$.
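Review bot: the instructor link `[Brian Garnett](bcgarnett@wustl.edu)` has no scheme, so it renders as a relative link to a page named `bcgarnett@wustl.edu` under the current route instead of opening a mail client; write `[Brian Garnett](mailto:bcgarnett@wustl.edu)`. In the quoted hybrid-argument definition, the ensembles are listed as $X^0_n,\dots,X^m_n$ but described as "indexed from $1,..,m$"; the indices run from 0 to m (m+1 ensembles, m adjacent pairs), which is what makes the $\frac{\mu(n)}{m}$ bound come out. Small wording fixes: "Topics include: ... and etc." should drop the "and"; "The notations used in this course is very complicated" → "are"; "you'll having a hard time" → "you'll have a hard time"; and check the spelling of the building in "Urbaur Hall 227". The notation list also says $\mathcal{M}$ and $\mathcal{K}$ were renamed to $M$ and $K$, but the exam-1 review in this commit still writes $(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$, so the two files disagree.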