Foundations of Cryptography
Rahul Jain
CS6209, Jan
–
April 2011
http://www.comp.nus.edu.sg/~rahul/CS6209

11.html
Foundations of Cryptography : Basic
Applications
•
Encryption Schemes .
•
Digital Signatures .
•
General Cryptographic Protocols .
Encryption Schemes
Encryption Schemes
•
Private key v/s Public key encryption schemes, Fig. 5.1, 5.2 .
•
Definition of encryption schemes (Def. 5.1.1) .
•
Definition of security : Semantic security
–
private key (Def 5.2.1) ,
Semantic security
–
public key (Def 5.2.2) .
•
Indistinguishability
of Encryptions : Private Key (Def. 5.2.3) ,
Public

key (Def 5.2.4) .
Thm
5.2.5 : (Equivalence of definitions
–
private key) A private

key encryption
scheme is semantically secure if and only if it has indistinguishable
encryptions.
Proof done in class.
Encryption Schemes : Multiple
Messages
•
Semantic Security
–
Multiple messages (Def. 5.2.8)
•
Indistinguishability
of encryptions

Multiple messages (Def. 5.2.9)
Thm
5.2.10 (equivalence of definitions
–
multiple messages) : A private

key (resp. public

key) encryption scheme is semantically secure for multiple messages if and only if it has
indistinguishable encryptions for multiple messages.
Proof on similar lines as that of
Thm
5.2.5 .
Thm
5.2.11 . (single

message security implies multiple

message security) : A public

key
encryption scheme has indistinguishable encryptions for multiple messages if and only
if it has indistinguishable encryptions for a single message .
Proof done in class.
Propositions 5.2.12 (Effect on the private

key model) : Suppose there exists pseudorandom
generators (robust against polynomial size circuits). Then there exists a private

key
encryption scheme that satisfies Def. 5.2.3. but does not satisfy Def. 5.2.9 .
Proof done in class.
Constructions of Encryption Schemes
•
Block

Ciphers (Def. 5.3.5 ) , Semantic

security
–
private

key block

ciphers
(Def. 5.3.6) , Public

key equivalent definition can be given similarly.
•
Construction 5.3.7 (from block

ciphers to general encryption schemes)
Proposition 5.3.8 : Suppose (G,E,D) and (G’,E’,D’) be as in Construction 5.3.7 .
Suppose that the former is a secure private

key (resp. public

key) block
cipher. Then the latter is a secure private

key (resp. public

key) encryption
scheme.
Proof done in class .
•
Construction 5.3.9 (a private

key block

cipher based on pseudorandom
functions)
Constructions of Encryption Schemes
Proposition 5.3.10 : Let F and (G,E,D) be as in Construction 5.3.9 and suppose that F is pseudorandom
with respect to polynomial size circuits. Then (G,E,D) is secure.
Proof done in class.
Theorem 5.3.11 : If there exists (non

uniformly strong) one

way functions, then there exists secure
private

key encryption schemes.
Proof done in class.
Public key encryptions schemes
: Trapdoor permutations, definition.
Construction 5.3.13 (public

key block

cipher with block length 1 using trapdoor permutations with a
hard

core predicate).
Proposition 5.3.14 : Suppose that b is a (non

uniformly strong) hard core of the collection {p
α
}. Then
Construction 5.3.13 constitutes a secure public

key block

cipher with block length l = 1.
Proof done in class.
Constructions of Encryption Schemes
Theorem 5.3.15: If there exists collections of (non

uniformly hard) trapdoor
permutations, then there exists secure public

key encryption schemes.
Proof done in class.
Large Hard

Core Conjecture for RSA.
Construction 5.3.16 (
Randomized

RSA, a public

key block

cipher scheme
)
Proposition 5.3.17 : Suppose that the large hard

core conjecture for RSA does hold.
Then Construction 5.3.16 constitutes a secure public

key block

cipher (with block

length l(n) = n ) .
Proof done in class.
Constructions of Encryption Schemes
Construction 5.3.18 (an alternate public

key encryption scheme based on one

way
permutations)
Proposition 5.3.19 : Suppose that b is a (non

uniformly strong) hard core of the
collection {p
α
}. Furthermore, suppose that this trapdoor collection utilizes a
domain sampling algorithm S so that the statistical difference between S(
α
) and
the uniform distribution over the domain of p
α
is negligible in terms of 
α
. Then
Construction 5.3.18 constitutes a secure public

key encryption scheme.
Proof done in class.
Construction 5.3.20 (the Blum

Goldwasser
Public

Key Encryption Scheme)
Corollary 5.3.21: Suppose factoring is infeasible, then Construction 5.3.20 constitutes a
secure public

key encryption scheme.
Digital Signatures and Message
Authentication
Digital Signatures and Message
Authentication
A scheme for
unforgeable
signatures must satisfy:
1)
Each user can efficiently produce his/her own signature on documents of his/her
choice;
2)
Every user can efficiently verify whether a given string is a signature of another
(specific) user on a specific document; but
3)
It is infeasible to produce signatures of other users to documents that they did not sign.
A scheme for message authentication should satisfy:
1)
Each of the communicating parties can efficiently produce an authentication tag to any
message of his/her choice;
2)
Each of the communication parties can efficiently verify whether a given string is an
authentication tag of a given message; but
3)
It is infeasible for an external adversary (i.e. a party other than the communicating
parties) to produce authentication tags to messages not sent by the communicating
parties.
Digital Signatures and Message
Authentication
Definition 6.1.1 (signature scheme)
A chosen message attack is a process that can obtain signatures to strings of its choice,
relative to some fixed signing

key that is generated by G. We distinguish two case:
The private

key case: Here the attacker is
given 1
n
Comments 0
Log in to post a comment