Advanced Cryptography Lecture Notes, Lecture notes of Cryptography and System Security

These are lecture notes from the first lecture of COS 533: Advanced Cryptography at Princeton University. The notes cover basic cryptography review, defining encryption, and security requirements for encryption schemes. The notes also cover the notion of negligible functions and the model of computation used in the course.

Typology: Lecture notes

2016/2017

Uploaded on 05/11/2023


COS 533: Advanced Cryptography Princeton University Lecture 1 (September 13, 2017) Lecturer: Mark Zhandry Scribe: Mark Zhandry

Notes for Lecture 1

1 Basic Cryptography Review

Basic Notation. Essentially every cryptosystem we will see in this course will depend on a security parameter, which we will denote λ. The idea is that increasing λ will provide better security (which we will formalize in a bit). For now, think of λ as the length of the key, though later on we will sometimes allow the key length to be something different than the security parameter.

For the most part, we will not care too much about the precise model of computation. For concreteness, you can take the model of computation to be Turing machines. For randomized/probabilistic algorithms, we will use Turing machines that have access to a random tape.

Cryptographic algorithms will almost always be required to be efficient. Our notion of efficiency will be polynomial time. We will sometimes restrict to deterministic polynomial-time algorithms, and otherwise allow probabilistic algorithms. We will use PPT as shorthand for probabilistic polynomial time.

We say that a function ε(λ) is negligible if it goes to zero faster than any polynomial. More precisely, for any constant c, there exists a constant λ_0 such that $\varepsilon(\lambda) < \frac{1}{\lambda^{c}}$ for all λ > λ_0. We will use negligible functions for any quantity that we want to go to zero extremely fast.
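As a worked instance of this definition (added here; not part of the lecture notes), take ε(λ) = 2^{-λ}. For a fixed constant c,

$$2^{-\lambda} < \frac{1}{\lambda^{c}} \iff \lambda > c \log_2 \lambda .$$

The function $\lambda / \log_2 \lambda$ is increasing for $\lambda > e$, and at $\lambda = c^{2}$ it equals $c^{2}/(2\log_2 c)$, which exceeds $c$ as soon as $c \ge 5$. Hence $\lambda_0 = \max(c, 5)^{2}$ works: for $c \ge 5$ directly, and for $c < 5$ because $2^{-\lambda} < \lambda^{-5} \le \lambda^{-c}$ for all $\lambda > 25$. By contrast $\varepsilon(\lambda) = 1/\lambda^{10}$ is not negligible: choosing $c = 11$, $1/\lambda^{10} \ge 1/\lambda^{11}$ for every $\lambda \ge 1$, so no $\lambda_0$ exists.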

Defining Encryption. A (symmetric key or secret key) encryption scheme consists of two algorithms (Enc, Dec). Enc is a PPT algorithm that takes as input a key and a plaintext, and outputs a ciphertext. Dec is deterministic polynomial time, takes as input a key and a ciphertext, and outputs a plaintext. For correctness, we require that when used with the same key, Dec inverts Enc. More precisely, for all messages m,

$$\Pr\big[\mathrm{Dec}(k, \mathrm{Enc}(k, m)) = m \;:\; k \xleftarrow{\$} \{0,1\}^{\lambda}\big] = 1$$

Here, the probability is taken over a random k, and any random coins chosen by Enc. Since the probability is 1, this means that for any key and any coins, Dec will always correctly decrypt a plaintext. It is also possible to consider schemes where the probability 1 is replaced with 1 − ε(λ) for a negligible ε.

For security, we want a definition that captures the following:

  • Security holds for arbitrary messages. We want this so that security holds for English (or any other) language, for numerical data, or for any other use case. As an extreme example, maybe the encryption scheme will only be used to encrypt two messages, “ATTACK AT DAWN” and “ATTACK AT DUSK”. We also want security to hold even in settings where the adversary may have some influence over the messages that are sent. For example, an adversary may attack a particular location, and then wait for the victims to send a message containing the location’s name asking for help. To be most conservative, we will therefore give the adversary complete control over messages that are sent.
  • We want to allow multiple messages to be sent, even the same message sent multiple times. Note that we want to hide whether the same message was sent again. For example, if Alice sends a ciphertext c to Bob, and then both attack the next morning, the adversary may very well guess afterward that c encrypts “ATTACK AT DAWN.” Imagine a few days later Alice wants to send the same message “ATTACK AT DAWN”. If the adversary can figure out that the same message was sent (for example, if the encryption scheme always maps “ATTACK AT DAWN” to c), then the adversary can now guess that an attack will occur the following dawn, and prepare accordingly.
  • The adversary may only care about a single bit of information about the plaintext, or even some arbitrary function of the plaintext. We want to design a scheme that works, no matter what piece of information the adversary is interested in. For example, in the “ATTACK AT DAWN” vs “ATTACK AT DUSK” setting, it is sufficient for the adversary to learn, say, the last character of the plaintext.

We therefore define security as follows. Let A be an adversary. Let IND-CPA-EXP_b(A, λ) be the following experiment on A, parameterized by a bit b:

  1. A interacts with a challenger, denoted Ch.
  2. At first, Ch chooses a random key $k \xleftarrow{\$} \{0,1\}^{\lambda}$.
  3. Next, A sends the challenger two messages m_0, m_1. Ch selects and encrypts m_b: c ← Enc(k, m_b). Then Ch sends c back to A.
  4. A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
  5. Finally, A outputs a guess b′ for b. b′ is the output of IND-CPA-EXP_b(A, λ).

Here, IND refers to indistinguishability, meaning that the adversary is trying to distinguish between two experiments, b = 0 and b = 1. CPA stands for “chosen plaintext attack”. This refers to the fact that the adversary is able to choose the plaintexts that get encrypted.

  • CCA Queries. These are Chosen Ciphertext Attack queries. A chooses an arbitrary ciphertext c and sends c to Ch. First, Ch checks if c was the response to a challenge query. If it was, we know A can win if it learns the decryption of c. Therefore, we have Ch reject such ciphertexts: Ch responds with a special failure symbol ⊥. Otherwise, even if c was the result of a CPA query, Ch decrypts c to obtain m ← Dec(k, c), and sends m back to A.
  1. A can repeat step 3 as many times as it wishes, making arbitrary queries in arbitrary order. We will charge A one unit of time for every time it makes a query.
  2. Finally, A outputs a guess b′ for b. b′ is the output of IND-CCA-EXP_b(A, λ).

Definition 2 An encryption scheme (Enc, Dec) is IND-CCA secure (in words, indistinguishable under a chosen ciphertext attack) if, for all PPT adversaries A, there exists a negligible function ε such that

$$\big|\Pr[1 \leftarrow \text{IND-CCA-EXP}_0(A, \lambda)] - \Pr[1 \leftarrow \text{IND-CCA-EXP}_1(A, \lambda)]\big| < \varepsilon(\lambda)$$

We will often simply call such a scheme “CCA secure”.
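As an added example (not from the lecture notes), the Python harness below plays the IND-CPA and IND-CCA experiments against a toy scheme constructed here, Enc(k, m) = (r, F(k, r) ⊕ m) with HMAC-SHA256 standing in for the PRF F and None standing in for ⊥. With a fixed r the scheme is deterministic and the repeated-message adversary from the CPA discussion wins outright; with fresh r that adversary has no advantage, but the scheme is malleable, so a CCA adversary wins by asking Ch to decrypt a one-bit modification of the challenge ciphertext, which Ch does not reject because it is not the challenge itself.

```python
import hashlib, hmac, secrets

def prf(k, r):
    # HMAC-SHA256 standing in for a PRF F(k, r); 32-byte output block
    return hmac.new(k, r, hashlib.sha256).digest()

def enc(k, m, r=None):
    # c = (r, F(k, r) XOR m) with fresh random r; passing a fixed r makes the
    # scheme deterministic (used below as the insecure counterexample)
    r = secrets.token_bytes(16) if r is None else r
    pad = prf(k, r)[:len(m)]
    return r + bytes(a ^ b for a, b in zip(pad, m))

def dec(k, c):
    r, ct = c[:16], c[16:]
    pad = prf(k, r)[:len(ct)]
    return bytes(a ^ b for a, b in zip(pad, ct))

class Challenger:
    # Ch of IND-CCA-EXP_b: key of lambda = 128 bits, encrypts m_b on CPA queries
    def __init__(self, b, fixed_r=None):
        self.b, self.k, self.fixed_r = b, secrets.token_bytes(16), fixed_r
        self.challenges = set()
    def cpa(self, m0, m1):
        c = enc(self.k, (m0, m1)[self.b], self.fixed_r)
        self.challenges.add(c)
        return c
    def cca(self, c):
        # None plays the role of the failure symbol for a replayed challenge
        return None if c in self.challenges else dec(self.k, c)

def adv_repeat(ch):
    # CPA-only adversary: the query (DAWN, DAWN) reveals Enc(k, DAWN), so a
    # deterministic scheme leaks which of (DAWN, DUSK) was encrypted next
    c1 = ch.cpa(b"ATTACK AT DAWN", b"ATTACK AT DAWN")
    c2 = ch.cpa(b"ATTACK AT DAWN", b"ATTACK AT DUSK")
    return 0 if c2 == c1 else 1

def adv_malleate(ch):
    # CCA adversary: flipping one ciphertext bit gives a different ciphertext,
    # which Ch decrypts, revealing the last byte of m_b (the 'N' of DAWN)
    c = ch.cpa(b"ATTACK AT DAWN", b"ATTACK AT DUSK")
    m = ch.cca(c[:-1] + bytes([c[-1] ^ 1]))
    return 0 if m[-1] ^ 1 == ord("N") else 1

def advantage(adv, fixed_r=None, trials=200):
    # Empirical |Pr[1 <- EXP_0] - Pr[1 <- EXP_1]| for the given adversary
    p = [sum(adv(Challenger(b, fixed_r)) for _ in range(trials)) / trials for b in (0, 1)]
    return abs(p[0] - p[1])
```

The same challenger serves both games: calling only cpa is IND-CPA-EXP_b, and using cca as well is IND-CCA-EXP_b.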

Public Key Encryption. Symmetric key encryption (meaning both sender and receiver use the same key) was the only kind of encryption for centuries. One significant limitation with symmetric key encryption as defined above is that it requires Alice and Bob to have established a shared secret key at some point in time. This would seem to require either meeting in person, or sending a trusted courier with the key.

One of the major discoveries of the last 50 years was a different kind of encryption called asymmetric key encryption, or public key encryption. The difference here is that the sender and receiver use different keys. Moreover, the sender’s key can actually be public. This means that even if the adversary learns the encryption key, it still cannot decrypt messages.

Using such a scheme, Alice and Bob never need to meet in person. Bob generates a secret decryption key and corresponding public encryption key. He then broadcasts the public key to everyone. Now Alice, or anyone else for that matter, can send messages to Bob, and only Bob can decrypt.

In more detail, a public key encryption scheme consists of three algorithms (Gen, Enc, Dec). Gen is a PPT algorithm that takes as input the security parameter (represented in unary as 1^λ so that it runs in polynomial time in λ) and generates a secret key sk and corresponding public key pk. Enc is the same as before, except it uses pk instead of k. Dec is the same as before, except it uses sk instead of k.

The CPA and CCA games above can be modified for public key schemes. The only differences are:

  • At the very beginning of the experiment, Ch runs (sk, pk) ← Gen(1^λ) (instead of running $k \xleftarrow{\$} \{0,1\}^{\lambda}$).
  • Ch gives pk to A at the very beginning, before any queries. This captures the fact that the public key is public, and hence known to A.
  • When answering encryption or decryption queries, Ch inputs pk or sk into the encryption or decryption algorithm, respectively.