



These are lecture notes from the first lecture of COS 533: Advanced Cryptography at Princeton University. The notes cover basic cryptography review, defining encryption, and security requirements for encryption schemes. The notes also cover the notion of negligible functions and the model of computation used in the course.
Typology: Lecture notes




COS 533: Advanced Cryptography
Princeton University
Lecture 1 (September 13, 2017)
Lecturer: Mark Zhandry
Scribe: Mark Zhandry
Basic Notation. Essentially every cryptosystem we will see in this course will depend on a security parameter, which we will denote λ. The idea is that increasing λ will provide better security (which we will formalize in a bit). For now, think of λ as the length of the key, though later on we will sometimes allow the key length to be something different than the security parameter.
For the most part, we will not care too much about the precise model of computation. For concreteness, you can take the model of computation to be Turing machines. For randomized/probabilistic algorithms, we will use Turing machines that have access to a random tape.
Cryptographic algorithms will almost always be required to be efficient. Our notion of efficiency will be polynomial time. We will sometimes restrict to deterministic polynomial-time algorithms, and otherwise allow probabilistic algorithms. We will use PPT as shorthand for probabilistic polynomial time.
We say that a function (λ) is negligible if it goes to zero faster than any polynomial. More precisely, for any constant c, there exists a constant λ_0 such that (λ) < 1/λ^c for all λ > λ_0. We will use negligible functions for any quantity that we want to go to zero extremely fast.
Defining Encryption. A (symmetric key or secret key) encryption scheme consists of two algorithms (Enc, Dec). Enc is a PPT algorithm that takes as input a key and a plaintext, and outputs a ciphertext. Dec is deterministic polynomial time, takes as input a key and a ciphertext, and outputs a plaintext. For correctness, we require that when used with the same key, Dec inverts Enc. More precisely, for all messages m,
Pr[Dec(k, Enc(k, m)) = m, k ←$ {0,1}^λ] = 1
Here, the probability is taken over a random k, and any random coins chosen by Enc. Since the probability is 1, this means that for any key and any coins, Dec will always correctly decrypt a plaintext. It is also possible to consider schemes where the probability 1 is replaced with 1 − (λ) for a negligible .
For security, we want a definition that captures the following:
We therefore define security as follows. Let A be an adversary. Let IND-CPA-EXP_b(A, λ) be the following experiment on A, parameterized by a bit b:
Here, IND refers to indistinguishability, meaning that the adversary is trying to distinguish between two experiments, b = 0 and b = 1. CPA stands for “chosen plaintext attack”. This refers to the fact that the adversary is able to choose the plaintexts that get encrypted.
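Added example, not from the lecture notes: a small Python harness for the IND-CPA experiment, run against two toy schemes to show why Enc is allowed to be probabilistic while Dec is deterministic. The experiment's steps are not shown on this page, so the left-or-right oracle form used here is an assumption, as are all names (prf, det_enc, rnd_enc, repeat_adversary) and the use of HMAC-SHA256 as a stand-in pseudorandom function.

```python
import hashlib
import hmac
import os

def prf(k, x, n):
    # Assumption: HMAC-SHA256 stands in for a pseudorandom function (n <= 32 bytes).
    return hmac.new(k, x, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

# Toy scheme 1: deterministic Enc (same key and plaintext give the same ciphertext).
def det_enc(k, m): return xor(m, prf(k, b"pad", len(m)))
def det_dec(k, c): return xor(c, prf(k, b"pad", len(c)))

# Toy scheme 2: Enc draws fresh random coins r on every call; Dec stays deterministic.
def rnd_enc(k, m):
    r = os.urandom(16)
    return r + xor(m, prf(k, r, len(m)))
def rnd_dec(k, c):
    r, body = c[:16], c[16:]
    return xor(body, prf(k, r, len(body)))

def ind_cpa_exp(b, adversary, enc, lam=128):
    """IND-CPA-EXP_b(A, lam) in the assumed left-or-right form."""
    k = os.urandom(lam // 8)          # k <-$ {0,1}^lam
    def lr(m0, m1):                   # the adversary chooses both plaintexts
        assert len(m0) == len(m1)     # equal length, so length leaks nothing
        return enc(k, (m0, m1)[b])    # only m_b is ever encrypted
    return adversary(lr)              # the adversary's output bit

M_A, M_B = b"sixteen byte msg", b"another 16B msg!"   # constructed sample plaintexts

def repeat_adversary(lr):
    # Two queries with the same left message; only the right message changes.
    c1 = lr(M_A, M_A)
    c2 = lr(M_A, M_B)
    return int(c1 != c2)              # a repeated ciphertext reveals b = 0

def advantage(adversary, enc, trials=200):
    # Empirical |Pr[1 <- EXP_0] - Pr[1 <- EXP_1]| over independent keys.
    p = [sum(ind_cpa_exp(b, adversary, enc) for _ in range(trials)) / trials
         for b in (0, 1)]
    return abs(p[0] - p[1])

if __name__ == "__main__":
    print("deterministic Enc:", advantage(repeat_adversary, det_enc))
    print("randomized Enc:   ", advantage(repeat_adversary, rnd_enc))
```

Both schemes satisfy the correctness condition, but only the randomized one survives this adversary: any deterministic Enc repeats ciphertexts, so its advantage is far from negligible.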
Definition 2. An encryption scheme (Enc, Dec) is IND-CCA secure (in words, indistinguishable under a chosen ciphertext attack) if, for all PPT adversaries A, there exists a negligible function such that
|Pr[1 ← IND-CCA-EXP_0(A, λ)] − Pr[1 ← IND-CCA-EXP_1(A, λ)]| < (λ)
We will often simply call such a scheme “CCA secure”.
Public Key Encryption. Symmetric key encryption (meaning both sender and receiver use the same key) was the only kind of encryption for centuries. One significant limitation with symmetric key encryption as defined above is that it requires Alice and Bob to have established a shared secret key at some point in time. This would seem to require either meeting in person, or sending a trusted courier with the key.
One of the major discoveries of the last 50 years was a different kind of encryption called asymmetric key encryption, or public key encryption. The difference here is that the sender and receiver use different keys. Moreover, the sender’s key can actually be public. This means that even if the adversary learns the encryption key, it still cannot decrypt messages.
Using such a scheme, now Alice and Bob never need to meet in person. Bob generates a secret decryption key and corresponding public encryption key. He then broadcasts the public key to everyone. Now Alice, or anyone else for that matter, can send messages to Bob, and only Bob can decrypt.
In more detail, a public key encryption scheme consists of three algorithms (Gen, Enc, Dec). Gen is a PPT algorithm that takes as input the security parameter (represented in unary as 1^λ so that it runs in polynomial time in λ) and generates a secret key sk and corresponding public key pk. Enc is the same as before, except it uses pk instead of k. Dec is the same as before, except it uses sk instead of k.
The CPA and CCA games above can be modified for public key schemes. The only differences are: