没有合适的资源?快使用搜索试试~ 我知道了~
首页Lecture Notes on Cryptography (麻省理工学院密码学讲义)
Lecture Notes on Cryptography (麻省理工学院密码学讲义)
需积分: 10 12 下载量 190 浏览量
更新于2023-03-16
评论
收藏 1.64MB PDF 举报
Lecture Notes on Cryptography (麻省理工学院密码学讲义)
资源详情
资源评论
资源推荐
Lecture Notes on Cryptography
Shafi Goldwasser
1
Mihir Bellare
2
August 2001
1
MIT Laboratory of Computer Science, 545 Technology Square, Cambridge, MA 02139, USA. E-
mail: shafi@theory.lcs.mit.edu ; Web page: http://theory.lcs.mit.edu/ shafi
2
Department of Computer Science and Engineering, Mail Code 0114, University of California
at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-mail: mihir@cs.ucsd.edu ; Web
page: http://www-cse.ucsd.edu/users/mihir
Foreword
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography
taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were
formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with
notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario
Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5,
and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E.
Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the
notion of provable security and its usage for the design of secure protocols.
Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate
students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and
later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed
much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is
from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science.
Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography
and network security course at UCSD.
All rights reserved.
Shafi Goldwasser and Mihir Bellare Cambridge, Massachusetts, August 2001.
2
Table of Contents
1 Introduction to Modern Cryptography 11
1.1 Encryption: Historical Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Modern Encryption: A Computational Complexity Based Theory . . . . . . . . . . . . . . . . 12
1.3 A Short List of Candidate One Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4 Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.5 The Model of Adversary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.6 Road map to Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2 One-way and trapdoor functions 17
2.1 One-Way Functions: Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2 One-Way Functions: Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.1 (Strong) One Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.2 Weak One-Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.3 Non-Uniform One-Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.4 Collections Of One Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.5 Trapdoor Functions and Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.3 In Search of Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3.1 The Discrete Logarithm Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.2 The RSA function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.3.3 Connection Between The Factorization Problem And Inverting RSA . . . . . . . . . . 30
2.3.4 The Squaring Trapdoor Function Candidate by Rabin . . . . . . . . . . . . . . . . . . 30
2.3.5 A Squaring Permutation as Hard to Invert as Factoring . . . . . . . . . . . . . . . . . 34
2.4 Hard-core Predicate of a One Way Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.4.1 Hard Core Predicates for General One-Way Functions . . . . . . . . . . . . . . . . . . 35
2.4.2 Bit Security Of The Discrete Logarithm Function . . . . . . . . . . . . . . . . . . . . . 36
2.4.3 Bit Security of RSA and SQUARING functions . . . . . . . . . . . . . . . . . . . . . . 38
2.5 One-Way and Trapdoor Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.5.1 Examples of Sets of Trapdoor Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3 Pseudo-random bit generators 41
3.0.2 Generating Truly Random bit Sequences . . . . . . . . . . . . . . . . . . . . . . . . . 41
3
4 Goldwasser and Bellare
3.0.3 Generating Pseudo-Random Bit or Number Sequences . . . . . . . . . . . . . . . . . . 42
3.0.4 Provably Secure Pseudo-Random Generators: Brief overview . . . . . . . . . . . . . . 43
3.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2 The Existence Of A Pseudo-Random Generator . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.3 Next Bit Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4 Examples of Pseudo-Random Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.4.1 Blum/Blum/Shub Pseudo-Random Generator . . . . . . . . . . . . . . . . . . . . . . . 49
4 Block ciphers and modes of operation 51
4.1 What is a block cipher? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2 Data Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.2.1 A brief history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.2.2 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.2.3 Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3 Advanced Encryption Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.4 Some Modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4.1 Electronic codebook mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4.2 Cipher-block chaining mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4.3 Counter mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.5 Key recovery attacks on block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.6 Limitations of key-recovery based security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.7 Exercises and Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5 Pseudo-random functions 58
5.1 Function families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5.2 Random functions and permutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.3 Pseudorandom functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.4 Pseudorandom permutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.4.1 PRP under CPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.4.2 PRP under CCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.4.3 Relations between the notions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.5 Sequences of families of PRFs and PRPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5.6 Usage of PRFs and PRPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5.6.1 The shared random function model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5.6.2 Modeling block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
5.7 Example Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.8 Security against key-recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
5.9 The birthday attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.10 PRFs versus PRPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
5.11 Constructions of PRF families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5.11.1 Extending the domain size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.12 Some applications of PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.12.1 Cryptographically Strong Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.12.2 Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.12.3 Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.12.4 Identify Friend or Foe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.12.5 Private-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Cryptography: Lecture Notes 5
5.13 Historical Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.14 Exercises and Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6 Private-key encryption 82
6.1 Symmetric encryption schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.2 Some encryption schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6.3 Issues in security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.4 Information-theoretic security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6.5 Indistinguishability under chosen-plaintext attack . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.5.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.5.2 Alternative interpretation of advantage . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.6 Example chosen-plaintext attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.6.1 Attack on ECB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.6.2 Deterministic, stateless schemes are insecure . . . . . . . . . . . . . . . . . . . . . . . 96
6.7 Security against plaintext recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.8 Security of CTR against chosen-plaintext attack . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.8.1 Proof of Theorem 6.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.8.2 Proof of Theorem 6.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
6.9 Security of CBC against chosen-plaintext attack . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.10 Indistinguishability under chosen-ciphertext attack . . . . . . . . . . . . . . . . . . . . . . . . 111
6.11 Example chosen-ciphertext attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
6.11.1 Attack on CTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
6.11.2 Attack on CBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.12 Other methods for symmetric encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6.12.1 Generic encryption with pseudorandom functions . . . . . . . . . . . . . . . . . . . . . 116
6.12.2 Encryption with pseudorandom bit generators . . . . . . . . . . . . . . . . . . . . . . 116
6.12.3 Encryption with one-way functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.13 Historical Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.14 Exercises and Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
7 Public-key encryption 120
7.1 Definition of Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
7.2 Simple Examples of PKC: The Trapdoor Function Model . . . . . . . . . . . . . . . . . . . . 122
7.2.1 Problems with the Trapdoor Function Model . . . . . . . . . . . . . . . . . . . . . . . 122
7.2.2 Problems with Deterministic Encryption in General . . . . . . . . . . . . . . . . . . . 123
7.2.3 The RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
7.2.4 Rabin’s Public key Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
7.2.5 Knapsacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
7.3 Defining Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
7.3.1 Definition of Security: Polynomial Indistinguishability . . . . . . . . . . . . . . . . . . 127
7.3.2 Another Definition: Semantic Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.4 Probabilistic Public Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7.4.1 Encrypting Single Bits: Trapdoor Predicates . . . . . . . . . . . . . . . . . . . . . . . 128
7.4.2 Encrypting Single Bits: Hard Core Predicates . . . . . . . . . . . . . . . . . . . . . . 129
7.4.3 General Probabilistic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
7.4.4 Efficient Probabilistic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
7.4.5 An implementation of EPE with cost equal to the cost of RSA . . . . . . . . . . . . . 133
剩余282页未读,继续阅读
艾米的爸爸
- 粉丝: 693
- 资源: 314
上传资源 快速赚钱
- 我的内容管理 收起
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
会员权益专享
最新资源
- stc12c5a60s2 例程
- Android通过全局变量传递数据
- c++校园超市商品信息管理系统课程设计说明书(含源代码) (2).pdf
- 建筑供配电系统相关课件.pptx
- 企业管理规章制度及管理模式.doc
- vb打开摄像头.doc
- 云计算-可信计算中认证协议改进方案.pdf
- [详细完整版]单片机编程4.ppt
- c语言常用算法.pdf
- c++经典程序代码大全.pdf
- 单片机数字时钟资料.doc
- 11项目管理前沿1.0.pptx
- 基于ssm的“魅力”繁峙宣传网站的设计与实现论文.doc
- 智慧交通综合解决方案.pptx
- 建筑防潮设计-PowerPointPresentati.pptx
- SPC统计过程控制程序.pptx
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论0