Embed Size (px)
Citation preview
Ryan Henry
I538/B609:
Introduction to CryptographyFall 2015 Lecture 5
Ryan Henry
Last Thursday’s lecture:• Perfectly secret encryption
Today’s lecture:• Negligible functions and probabilities
• Computationally secret encryption
Ryan Henry
Thursday, September 10Assignment 1 is due on Tuesday, September 8
(that’s this Thursday!)
Assignment 2 has been posted
2
Ryan Henry
Defining computational secrecy
▪ Recall: Prefect secrecy reveals nothing about plaintext– “Bad News” lemma: perfect secret 1M1 = 1C1 = 1K1– “Bad News” corollary: can only encrypt one plaintext per key
▪ Compromise: In practice, it is sufficient for Enck(m) to reveal
“essentially nothing” about plaintext to “real world” attackers– Real world attackers == attackers with only bounded resources
1
Ryan Henry
Defining “real world attackers”
▪ Idea 1: can rents 1,000 Amazon EC2 instances for 100 years – Attacker’s PhD thesis proposes a faster algorithm
▪ Idea 2: Attacker spends 10 million USD on hardware– Intel releases a significantly faster CPU (or GPU)
▪ Idea 3: Attacker controls 1.5 million host botnet– Botnet grows to contain 150 million hosts
5
Ryan Henry
Defining “real world attackers”
▪ The “right” idea: Adversary is an arbitrary Turing Machine that runs in polynomial time– We make no assumption about which polynomial
– Prove that attacker’s success probability is insignificantly small
6
Defn (Concrete security): An encryption scheme (Gen, Enc, Dec) is said to be (t , ε)-secure if every Probabilistic Turing Machine that halts
after t steps can “break” the secrecy of (Gen, Enc, Dec) with probability at most ε.
Ryan Henry
Turing Machines
7
▪ A simple, well-defined mathematical model of computation
▪ Measure running time by number of steps a TM requires before it halts– Measure robust in that all other “reasonable” models
of computation require “polynomially related” number of steps
Church-Turing thesis: TMs are universal: anything you can compute in theory, you can compute on a TM!
Ryan Henry
Probabilistic polynomial time (PPT)
Defn: A TM runs in polynomial time (PPT) if, on input an n-bit string , it halts after (at most) O( t(n) ) steps, where t(∙)
denotes some polynomial function.
8
Defn: A polynomial time TM is said to be probabilistic
polynomial time (PPT) if its output is a random variable.
Ryan Henry
Efficient attackers / algorithms
▪ An attacker is said to be efficient if we can implement is using a PPT Turing machine
Q: Why equate “efficient” with “probabilistic polynomial time”?
A: Experience tells us “doable in polynomial time” roughly equivalent to “doable (eventually) in practice”
Nice composition theorems:– poly(n) + poly(n) = poly(n) ← deg(f(n) + g(n)) =– poly(n) * poly(n) = poly(n) ← deg(f(n) * g(n)) =– poly( poly(n) ) = poly(n) ← deg(f(g(n))) =
9
??
??
??
deg(f)+deg(g)
max{ deg(f), deg(g) }
deg(f)*deg(g)
Ryan Henry
Negligible functions
Defn: A function is negligible if for every c > 0.
10
▪ Equivalently:
– A function is negligible if it “vanishes” faster than the inverse of
every positive polynomial
– A function is negligible if such that for all
Ryan Henry
Noticeable functions
11
Q: If a function is not negligible, is it necessarily noticeable?
A: No! See question 2 on assignment 2!
Defn: A function is noticeable if for some c > 0.
Ryan Henry
Closure for negligible functions
▪ Fact 1: If and are negligible functions, then is a negligible
function.
▪ Fact 2: If is a negligible function and is a positive
polynomial, then is a negligible function
▪ Fact 3: If is a negligible function and if a constant, then is a
negligible function
12
Ryan Henry
Negligible and overwhelming probabilities
Defn: An event E occurs with probability negligible in n if Pr[E]is (bounded above by) a negligible function of n.
13
Defn: An event E occurs with probability overwhelming in n if Pr[E]is (bounded above by) a negligible function of n.
Ryan Henry
That’s all for today, folks!
14
