NoteNextra-origin/content/CSE442T/CSE442T_L16.md
Trance-0 fb1ffcd040 updates
2025-10-27 11:56:32 -05:00


CSE442T Introduction to Cryptography (Lecture 16)

Chapter 3: Indistinguishability and Pseudorandomness

PRG exists \implies Pseudorandom function family exists.

Multi-message secure encryption

Gen(1^n): Output f_i:\{0,1\}^n\to \{0,1\}^n from PRF family

Enc_i(m): Pick random r\gets \{0,1\}^n. Output (r,m\oplus f_i(r))

Dec_i(r,c): Output c\oplus f_i(r)

Proof of security

Suppose D distinguishes for infinitely many n.

Consider the encryptions of a pair of message lists m_1,\ldots,m_q and m_1',\ldots,m_q', going through the following hybrids:

(1) \{i\gets Gen(1^n):(r_1,m_1\oplus f_i(r_1)),(r_2,m_2\oplus f_i(r_2)),(r_3,m_3\oplus f_i(r_3)),\ldots,(r_q,m_q\oplus f_i(r_q))\}

(2) \{F\gets RF_n: (r_1,m_1\oplus F(r_1))\ldots\}

(3) One-time pad \{(r_1,m_1\oplus s_1)\}

(4) One-time pad \{(r_1,m_1'\oplus s_1)\}

If (1) and (2) are distinguished, then

(r_1,f_i(r_1)),\ldots,(r_q,f_i(r_q)) is distinguished from

(r_1,F(r_1)),\ldots,(r_q,F(r_q))

So D distinguishes the outputs of the PRF on r_1,\ldots,r_q from the outputs of a truly random function, contradicting the definition of a PRF.

Now we have

(The RSA assumption and the discrete log assumption each imply that one-way functions exist.)

One-way function exists \implies

Pseudo random generator exists \implies

Pseudorandom function family exists \implies

Multi-message secure encryption exists.

Public key cryptography

1970s.

The goal was to agree/share a key without meeting in advance

Diffie-Hellman Key exchange

A and B create a secret key together without meeting.

Relies on the discrete log assumption.

They publicly agree on a modulus p and a generator g.

Alice picks random exponent a and computes g^a\mod p

Bob picks random exponent b and computes g^b\mod p

and they send the results to each other.

Then Alice computes (g^b)^a and Bob computes (g^a)^b; both equal g^{ab}\mod p.

Diffie-Hellman assumption

Given g^a and g^b (and the public p, g), no efficient adversary can compute g^{ab}.
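The exchange above as an added example (not code from the lecture). It uses constructed toy parameters p = 23, g = 5 (5 is a primitive root mod 23), far too small for real use; the last function brute-forces the discrete log on this toy group to make concrete what the discrete log assumption rules out at proper sizes: an eavesdropper who could recover a from g^a would compute the key exactly as Alice does.

```python
import secrets

# Constructed toy public parameters. Real deployments use a ~2048-bit prime
# (or an elliptic-curve group) so that the search below is infeasible.
P = 23
G = 5


def keypair(p=P, g=G, exponent=None):
    """One party's step: random exponent a in [1, p-2], publish g^a mod p."""
    a = exponent if exponent is not None else 1 + secrets.randbelow(p - 2)
    return a, pow(g, a, p)


def shared_secret(own_exponent, peer_public, p=P):
    """Alice computes (g^b)^a mod p; Bob computes (g^a)^b mod p."""
    return pow(peer_public, own_exponent, p)


def run_exchange(p=P, g=G, a=None, b=None):
    """Full exchange. Returns (A, B, k_alice, k_bob); only A and B cross the wire."""
    a, A = keypair(p, g, a)
    b, B = keypair(p, g, b)
    return A, B, shared_secret(a, B, p), shared_secret(b, A, p)


def dlog_bruteforce(g, h, p):
    """Find x with g^x = h mod p by exhaustive search over the group.
    Takes p-1 steps, which is only feasible because p is tiny here."""
    acc = 1
    for x in range(p - 1):
        if acc == h:
            return x
        acc = acc * g % p
    return None


if __name__ == "__main__":
    A, B, ka, kb = run_exchange()
    print("on the wire:", A, B, "| Alice key:", ka, "Bob key:", kb)
    print("toy-group discrete log of A:", dlog_bruteforce(G, A, P))
```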

Public key encryption scheme

Idea: the recipient Bob distributes open Bob-locks.

  • Once closed, only Bob can open it.

Public-key encryption scheme:

  1. Gen(1^n): Outputs (pk,sk)
  2. Enc_{pk}(m): Efficient for all m,pk
  3. Dec_{sk}(c): Efficient for all c,sk
  4. P[(pk,sk)\gets Gen(1^n):Dec_{sk}(Enc_{pk}(m))=m]=1

Let A and E know pk but not sk, and let B know both pk and sk.

The adversary can now encrypt any message m with the public key. Consequences:

  • Perfect secrecy is impossible.
  • Randomness is necessary: a deterministic Enc would let the adversary encrypt m_0 and m_1 itself and compare with the challenge ciphertext.

Security of public key

\forall n.u.p.p.t. D, \exists negligible \epsilon(n) such that \forall n, m_0,m_1\in \{0,1\}^n, the distributions

\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_0))\} and \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_1))\}

are distinguished by D with advantage at most \epsilon(n).

This "single" message security implies multi-message security!

Left as exercise

We will first achieve security for sending a single bit m\in\{0,1\}.

Tool: trapdoor permutations (e.g. RSA).

Encryption Scheme via Trapdoor Permutation

Given a family of trapdoor permutations \{f_i\} with hardcore bit h_i.

Gen(1^n): sample (f_i,f_i^{-1}), where f_i^{-1} is computed using the trapdoor t.

Output pk=(f_i,h_i), sk=f_i^{-1}.

m=0 or 1.

Enc_{pk}(m):r\gets\{0,1\}^n

Output (f_i(r),h_i(r)+m)

Dec_{sk}(c_1,c_2):

r=f_i^{-1}(c_1)

m=c_2+h_i(r)
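The single-bit scheme above, as an added example (not code from the lecture), instantiated with RSA as the trapdoor permutation: f_i(r) = r^e mod N, the trapdoor is d, and h_i(r) is the least-significant bit of r, which is a hardcore bit for RSA (Alexi, Chor, Goldreich, Schnorr). The primes are constructed toy values, and r is drawn from Z_N^* rather than the page's \{0,1\}^n; the "+" in the scheme is XOR.

```python
import math
import secrets

# Constructed toy RSA parameters (N = 3233). Nowhere near secure; for illustration only.
P_TOY, Q_TOY = 61, 53
N_TOY = P_TOY * Q_TOY
E_TOY = 17
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))  # trapdoor t: the decryption exponent d


def gen():
    """Gen(1^n): pk describes (f_i, h_i) via (N, e); sk describes f_i^{-1} via (N, d)."""
    return (N_TOY, E_TOY), (N_TOY, D_TOY)


def f(pk, r):
    """f_i(r) = r^e mod N, a permutation of Z_N^*."""
    n, e = pk
    return pow(r, e, n)


def f_inv(sk, c):
    """f_i^{-1}(c) = c^d mod N; needs the trapdoor d."""
    n, d = sk
    return pow(c, d, n)


def hardcore_bit(r):
    """h_i(r): least-significant bit of r (a hardcore bit of RSA)."""
    return r & 1


def sample_r(n, rng=secrets.randbelow):
    """Uniform r in Z_N^* (assumption: Z_N^* replaces {0,1}^n as the domain)."""
    while True:
        r = rng(n)
        if r > 1 and math.gcd(r, n) == 1:
            return r


def enc(pk, m, r=None):
    """Enc_pk(m) for m in {0,1}: (f_i(r), h_i(r) xor m) with fresh random r."""
    if m not in (0, 1):
        raise ValueError("this scheme encrypts a single bit")
    n, _ = pk
    if r is None:
        r = sample_r(n)
    return f(pk, r), hardcore_bit(r) ^ m


def dec(sk, ct):
    """Dec_sk(c_1, c_2): invert f_i with the trapdoor, then strip the hardcore bit."""
    c1, c2 = ct
    r = f_inv(sk, c1)
    return c2 ^ hardcore_bit(r)


if __name__ == "__main__":
    pk, sk = gen()
    for bit in (0, 1):
        ct = enc(pk, bit)
        print("bit", bit, "->", ct, "-> decrypts to", dec(sk, ct))
```

Because r is fresh per encryption, the same bit yields different ciphertexts each time, which is the randomness the definition of public-key security requires.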