Foundations of Cryptography

1. Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011 http://www.comp.nus.edu.sg/~rahul/CS6209-11.html

2. Foundations of Cryptography : Basic Applications • Encryption Schemes . • Digital Signatures . • General Cryptographic Protocols .

3. Encryption Schemes

4. Encryption Schemes • Private key v/s Public key encryption schemes, Fig. 5.1, 5.2 . • Definition of encryption schemes (Def. 5.1.1) . • Definition of security : Semantic security – private key (Def 5.2.1) , Semantic security – public key (Def 5.2.2) . • Indistinguishability of Encryptions : Private Key (Def. 5.2.3) , Public-key (Def 5.2.4) . Thm 5.2.5 : (Equivalence of definitions – private key) A private-key encryption scheme is semantically secure if and only if it has indistinguishable encryptions. Proof done in class.

5. Encryption Schemes : Multiple Messages • Semantic Security – Multiple messages (Def. 5.2.8) • Indistinguishability of encryptions - Multiple messages (Def. 5.2.9) Thm 5.2.10 (equivalence of definitions – multiple messages) : A private-key (resp. public-key) encryption scheme is semantically secure for multiple messages if and only if it has indistinguishable encryptions for multiple messages. Proof on similar lines as that of Thm 5.2.5 . Thm 5.2.11 . (single-message security implies multiple-message security) : A public-key encryption scheme has indistinguishable encryptions for multiple messages if and only if it has indistinguishable encryptions for a single message . Proof done in class. Propositions 5.2.12 (Effect on the private-key model) : Suppose there exists pseudorandom generators (robust against polynomial size circuits). Then there exists a private-key encryption scheme that satisfies Def. 5.2.3. but does not satisfy Def. 5.2.9 . Proof done in class.

6. Constructions of Encryption Schemes • Block-Ciphers (Def. 5.3.5 ) , Semantic-security – private-key block-ciphers (Def. 5.3.6) , Public-key equivalent definition can be given similarly. • Construction 5.3.7 (from block-ciphers to general encryption schemes) Proposition 5.3.8 : Suppose (G,E,D) and (G’,E’,D’) be as in Construction 5.3.7 . Suppose that the former is a secure private-key (resp. public-key) block cipher. Then the latter is a secure private-key (resp. public-key) encryption scheme. Proof done in class . • Construction 5.3.9 (a private-key block-cipher based on pseudorandom functions)

7. Constructions of Encryption Schemes Proposition 5.3.10 : Let F and (G,E,D) be as in Construction 5.3.9 and suppose that F is pseudorandom with respect to polynomial size circuits. Then (G,E,D) is secure. Proof done in class. Theorem 5.3.11 : If there exists (non-uniformly strong) one-way functions, then there exists secure private-key encryption schemes. Proof done in class. Public key encryptions schemes : Trapdoor permutations, definition. Construction 5.3.13 (public-key block-cipher with block length 1 using trapdoor permutations with a hard-core predicate). Proposition 5.3.14 : Suppose that b is a (non-uniformly strong) hard core of the collection {pα}. Then Construction 5.3.13 constitutes a secure public-key block-cipher with block length l = 1. Proof done in class.

8. Constructions of Encryption Schemes Theorem 5.3.15: If there exists collections of (non-uniformly hard) trapdoor permutations, then there exists secure public-key encryption schemes. Proof done in class. Large Hard-Core Conjecture for RSA. Construction 5.3.16 (Randomized-RSA, a public-key block-cipher scheme) Proposition 5.3.17 : Suppose that the large hard-core conjecture for RSA does hold. Then Construction 5.3.16 constitutes a secure public-key block-cipher (with block-length l(n) = n ) . Proof done in class.

9. Constructions of Encryption Schemes Construction 5.3.18 (an alternate public-key encryption scheme based on one-way permutations) Proposition 5.3.19 : Suppose that b is a (non-uniformly strong) hard core of the collection {pα}. Furthermore, suppose that this trapdoor collection utilizes a domain sampling algorithm S so that the statistical difference between S(α) and the uniform distribution over the domain of pα is negligible in terms of |α|. Then Construction 5.3.18 constitutes a secure public-key encryption scheme. Proof done in class. Construction 5.3.20 (the Blum-Goldwasser Public-Key Encryption Scheme) Corollary 5.3.21: Suppose factoring is infeasible, then Construction 5.3.20 constitutes a secure public-key encryption scheme.

10. Digital Signatures and Message Authentication

11. Digital Signatures and Message Authentication A scheme for unforgeable signatures must satisfy: • Each user can efficiently produce his/her own signature on documents of his/her choice; • Every user can efficiently verify whether a given string is a signature of another (specific) user on a specific document; but • It is infeasible to produce signatures of other users to documents that they did not sign. A scheme for message authentication should satisfy: • Each of the communicating parties can efficiently produce an authentication tag to any message of his/her choice; • Each of the communication parties can efficiently verify whether a given string is an authentication tag of a given message; but • It is infeasible for an external adversary (i.e. a party other than the communicating parties) to produce authentication tags to messages not sent by the communicating parties.

12. Digital Signatures and Message Authentication Definition 6.1.1 (signature scheme) A chosen message attack is a process that can obtain signatures to strings of its choice, relative to some fixed signing-key that is generated by G. We distinguish two case: The private-key case: Here the attacker is given 1n