Search
- Filter Results
- Location
- There are no locations to filter by
- Classification
- Include attachments
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/08%3A_Security_against_Chosen_Plaintext_Attacks/8.04%3A_ExercisesLet ∑ be an encryption scheme, and suppose there is a program A that recovers the key from a chosen plaintext attack. Construction 7.4 is a randomized encryption scheme, but w...Let ∑ be an encryption scheme, and suppose there is a program A that recovers the key from a chosen plaintext attack. Construction 7.4 is a randomized encryption scheme, but we could also consider defining it as a nonce-based scheme, interpreting r as the nonce: Enc(k,r,m)=(r,F(k,r)⊕m). (b) Prove that the scheme has CPA security if at least one of {Σ1,Σ2} has CPA security.
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/05%3A_Basing_Cryptography_on_Limits_of_Computation/5.04%3A_Birthday_Probabilities_and_Sampling_with_out_ReplacementWe can use both of these upper and lower bounds on e−x to show the following: \[\prod_{i=1}^{q-1}\left(1-\frac{i}{N}\right) \leqslant \prod_{i=1}^{q-1} e^{-\frac{i}{N}}=e^{-\sum_{i=1}^{q-1} \fr...We can use both of these upper and lower bounds on e−x to show the following: q−1∏i=1(1−iN)⩽q−1∏i=1e−iN=e−∑q−1i=1iN=e−q(q−1)2N⩽1−0.632q(q−1)2N. With the last inequality we used the fact that q⩽√2N, and therefore q(q−1)2N⩽1 (this is necessary to apply the inequality e−x⩽1−0.632x ).
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/07%3A_Pseudorandom_Functions_and_Block_CiphersA pseudorandom generator allows us to take a small amount of uniformly sampled bits, and “amplify” them into a larger amount of uniform-looking bits. A PRG must run in polynomial time, so the length o...A pseudorandom generator allows us to take a small amount of uniformly sampled bits, and “amplify” them into a larger amount of uniform-looking bits. A PRG must run in polynomial time, so the length of its pseudorandom output can only be polynomial in the security parameter. But what if we wanted even more pseudorandom output? Is it possible to take λ uniformly sampled bits and generate 2λ pseudorandom bits?
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/03%3A_The_Basics_of_Provable_Security/3.01%3A_How_to_Write_a_Security_Definition"an encryption scheme is a good one if encryptions of mL look like encryptions of mR to an attacker, when each key is secret and used to encrypt only one plaintext, even when the attacke..."an encryption scheme is a good one if encryptions of mL look like encryptions of mR to an attacker, when each key is secret and used to encrypt only one plaintext, even when the attacker chooses mL and mR.
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/03%3A_The_Basics_of_Provable_SecurityThis chapter is about the fundamental skills that revolve around security definitions: how to write them, how to understand & interpret them, how to prove security using the hybrid technique, and how ...This chapter is about the fundamental skills that revolve around security definitions: how to write them, how to understand & interpret them, how to prove security using the hybrid technique, and how to demonstrate insecurity using attacks against the security definition.
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/07%3A_Pseudorandom_Functions_and_Block_Ciphers/7.06%3A_Strong_Pseudorandom_PermutationsIn the exercises, you will see that it is possible to construct F which is a secure PRP, whose inverse F−1 is not a secure PRP! An even stronger requirement would allow the distinguisher to...In the exercises, you will see that it is possible to construct F which is a secure PRP, whose inverse F−1 is not a secure PRP! An even stronger requirement would allow the distinguisher to query both F and F−1 in a single interaction (rather than one security definition where the distinguisher queries only F, and another definition where the distinguisher queries only F−1 ).
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/08%3A_Security_against_Chosen_Plaintext_AttacksOur previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Fortunately we have arranged things so that we get the "correct" security definitio...Our previous security definitions for encryption capture the case where a key is used to encrypt only one plaintext. Fortunately we have arranged things so that we get the "correct" security definition when we modify the earlier definition in a natural way. We say that Σ has security against chosen-plaintext attacks (CPA security) if LΣcpa-L ≈LΣcpa-R , where:
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/00%3A_Front_Matter/04%3A_PrefaceFor example, suppose an encryption scheme was insecure because the XOR of the first two output blocks is the same as the XOR of the third and fourth output blocks. In these notes, the thingamajig-secu...For example, suppose an encryption scheme was insecure because the XOR of the first two output blocks is the same as the XOR of the third and fourth output blocks. In these notes, the thingamajig-security of A gives the student a new constructive rewriting rule that can be placed in his/her toolbox and used to bridge hybrids when proving the doohickey-security of B.
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/13%3A_Authenticated_Encryption_and_AEAD/13.01%3A_DefinitionsThe two libraries are different from each other in two major ways: whether the calling program sees real ciphertexts or random strings (that have nothing to do with the given plaintext), and whether t...The two libraries are different from each other in two major ways: whether the calling program sees real ciphertexts or random strings (that have nothing to do with the given plaintext), and whether the calling program sees the true result of decryption or an error message. By making a distinction between plaintext and associated data separately in AEAD, the ciphertext length can depend only on the length of the plaintext, and not depend on the length of the associated data.
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/16%3A_Public-Key_Encryption/16.04%3A_Hybrid_Encryption\[\begin{aligned} \operatorname{Dec}(s k, \operatorname{Enc}(p k, m)) &=\operatorname{Dec}\left(s k,\left(\Sigma_{\text {pub }} \cdot \operatorname{Enc}(p k, t k), \Sigma_{\text {sym }} \cdot \operato...\[\begin{aligned} \operatorname{Dec}(s k, \operatorname{Enc}(p k, m)) &=\operatorname{Dec}\left(s k,\left(\Sigma_{\text {pub }} \cdot \operatorname{Enc}(p k, t k), \Sigma_{\text {sym }} \cdot \operatorname{Enc}(t k, m)\right)\right) \\ &=\Sigma_{\text {sym }} \cdot \operatorname{Dec}\left(\Sigma_{\text {pub }} \cdot \operatorname{Dec}\left(s k, \Sigma_{\text {pub }} \cdot \operatorname{Enc}(p k, t k)\right), \Sigma_{\text {sym }} \cdot \operatorname{Enc}(t k, m)\right) \\ &=\Sigma_{\text {sym }…
- https://eng.libretexts.org/Under_Construction/Book%3A_The_Joy_of_Cryptography_(Rosulek)/05%3A_Basing_Cryptography_on_Limits_of_Computation/5.03%3A_Indistinguishability\[\begin{gathered} =\left|\begin{array}{c} \left(\operatorname{Pr}\left[\mathcal{A} \diamond \mathcal{L}_{\text {left }} \Rightarrow 1 \mid \mathcal{B}_{\text {left }}\right] \cdot p^{*}+\operatorname...\[\begin{gathered} =\left|\begin{array}{c} \left(\operatorname{Pr}\left[\mathcal{A} \diamond \mathcal{L}_{\text {left }} \Rightarrow 1 \mid \mathcal{B}_{\text {left }}\right] \cdot p^{*}+\operatorname{Pr}\left[\mathcal{A} \diamond \mathcal{L}_{\text {left }} \Rightarrow 1 \mid \overline{\mathcal{B}_{\text {left }}}\right]\left(1-p^{*}\right)\right) \\ -\left(\operatorname{Pr}\left[\mathcal{A} \diamond \mathcal{L}_{\text {right }} \Rightarrow 1 \mid \mathcal{B}_{\text {right }}\right] \cdot p^{*…