


Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Lecture notes 3 from a 2006 course on introduction to cryptography by salil vadhan and alon rosen. It discusses private-key encryption and perfect secrecy, providing definitions and examples of encryption schemes, as well as propositions and proofs related to perfect indistinguishability and shannon secrecy.
Typology: Study notes
1 / 4
This page cannot be seen from the preview
Don't miss anything!



CS 120/CSCI E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Sept. 21 & 26, 2006
Recommended Reading.
The key generation algorithm G is a randomized algorithm that returns a key k ∈ K; we write k ←R G. The encryption algorithm E is a randomized algorithm that takes a key k ∈ K and a plaintext (aka message) m ∈ P and outputs a ciphertext c ∈ C; we write c ←R Ek(m). The decryption algorithm D is a deterministic algorithm that takes a key k ∈ K and a ciphertext c ∈ C and returns a plaintext m ∈ P.
The message space P is often the set of strings of a given length. The ciphertext space C does not have to equal the plaintext space. We require Dk(Ek(m)) = m for all m ∈ P.
Shift cipher (cf. Caesar cipher). The key is a random number: k ← {R 0 ,... , 25 }, the mes- sage space is P = {A,... , Z}^ (strings of length over the English alphabet) so we can see the message as m ∈ { 0 ,... , 25 }. Ek(m 1 m 2 · · · m) = c 1 c 2 · · · c`, where ci = mi + k (mod 26).
Substitution cipher. The key k is a random permutation of { 0 ,... , 25 }. Ek(m 1 m 2 · · · m) = k(m 1 )k(m 2 ) · · · k(m). One-time pad. The message space consists of binary strings of length and the key k is a random element of { 0 , 1 }. Ek(m) = m ⊕ k (bitwise XOR). The decryption is Dk(c) = c ⊕ k.
Adversary can't determine key from ciphertext. Adversary can't determine plaintext. Adversary can't determine any symbol of plaintext. Adversary can't determine any information about plaintext.
Pr [EK (m 1 ) = c] = Pr [EK (m 2 ) = c] ,
where the probabilities are taken over k ←R G and the coin tosses of E. Idea: the adversary sees the same distribution of ciphertext, regardless of the message sent. Note that there is no probability distribution over the messages; rather we assume that the adversary knows the possible messages in advance. Intuitively, the case of two messages is the worst case (the adversary knows all but one bit of information in advance), and hence is representative of the security of an encryption scheme.
Pr [M = m|EK (M ) = c] = Pr [M = m]