没有合适的资源?快使用搜索试试~ 我知道了~
首页A Graduate Course in Applied Cryptography.pdf
A Graduate Course in Applied Cryptography.pdf
需积分: 30 20 下载量 187 浏览量
更新于2023-05-18
评论 1
收藏 21.81MB PDF 举报
Dan Boneh 和 Victor Shoup 合作写的一本适合研究生学习应用密码学的书
资源详情
资源评论
资源推荐
A Graduate Course in Applied Cryptography
Dan Boneh and Victor Shoup
Version 0.3, December 2016
Preface
Cryptography is an in di spensable tool used to protect information in computing systems. It is
used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at
rest and data in motion. Cryptographic systems are an integral part of standard protocols, most
notably the Transport Layer Security (TLS) protocol, making it relatively easy to incorporate
strong encryption into a wide range of applications.
While extremely u sef u l, cryptography is also highly brittle. The most secure cryptographic
system can be rendered completely insecure by a single specification or programming error. No
amount of unit testing will uncover a secur i ty vulnerability in a cryptosystem.
Instead, to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs
to show that a particular system satisfies the secu r ity properties attributed to it. We often need to
introduce certain plausible assumptions to push our security arguments through.
This book is about exactly that: constructing practical cr yp t osy st e ms for which we can argue
security under plausible assumptions. The book covers many constructions for di↵erent t ask s in
cryptography. For each task we define a precise security goal that we aim to achieve and then
present constructions that achieve the required goal. To analyze the constructions, we develop a
unified framework for doin g cryptographic proofs. A reader who masters this framework will be
capable of applying it to new constructions that may not be covered in the book.
Throughout the book we present many case studies to survey how deployed systems operate.
We describe common mistakes to avoid as well as attacks on real-world systems t hat illustrate the
importance of rigor in cryptography. We end every chapter with a fun application that applies the
ideas in the chapter in some unexpected way.
Intended audi ence and how to use this book
The book is intended to be self contained. Some supplementary material covering basic facts from
probability theory and algebra is provided in the appendices.
The book is divided into three parts. The first part develops symmetric encryption whi ch
explains how two parties, Alice and Bob , can securely ex change information when they have a
shared key unknown to the attacker. The second part develops the concepts of public-key encryption
and digital signatures, which allow Alice and Bob to do the same, but without having a shared,
secret key. The third part is about cryptographic protocols, such as protocols for user identification,
key exchange, and secure computation.
A beginning reader can read though the book to learn how cryptographic systems work and
why they are secure. Every security theorem in the book is followed by a proof idea that ex p lai n s
at a high level why t he scheme is secure. On a firs t read one can skip over the detailed proofs
ii
without losing continuity. A beginning reader may also skip over the mathematical details sections
that explore nuances of certain definitions.
An advanced reader may enjoy reading t h e detailed proofs to learn how to do proofs in cryptog-
raphy. At the end of every chapter you wil l find many exercises that e xp l ore additional aspects of
the material covered in the chapter. Some exercises rehearse what was learned, but many exercises
expand on the material and discuss topics not covered in the chapter.
Status of the book
The current draft only contains p ar t I and the first half of part II. Th e remaining chapters in
parts II and part III are forthcomi ng. We hope you enjoy this write-up. Please send us comments
and let us know if you find typos or mistakes.
Citations: While the curre nt draft is mostly complete, we still do not include c i t ati on s and
references to the many works on which this book is based. Those will be coming soon and will be
presented in the Notes section at the end of every chapter.
Dan Boneh and Victor Shoup
December, 2016
iii
Contents
1 Introduction 1
1.1 Historic cipher s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Terminology used through out th e book . . . . . . . . . . . . . . . . . . . . . . . . . . 1
I Secret key cryptography 3
2 Encryption 4
2.1 Introduct i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Shannon ciphers and perfect security . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1 Definition of a Shannon cipher . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.2 Perfect security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.3 The bad news . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Computati onal ciph er s and semantic security . . . . . . . . . . . . . . . . . . . . . . 13
2.3.1 Definition of a computational cipher . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.2 Definition of semantic security . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.3 Connections to weaker notions of security . . . . . . . . . . . . . . . . . . . . 18
2.3.4 Consequences of semantic security . . . . . . . . . . . . . . . . . . . . . . . . 22
2.3.5 Bit guessing: an alternative characterization of semantic security . . . . . . . 25
2.4 Mathemati c al detail s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.1 Negligible, super-pol y, and poly-bounded functions . . . . . . . . . . . . . . . 28
2.4.2 Computational ciphers: the formalities . . . . . . . . . . . . . . . . . . . . . . 29
2.4.3 Efficient adversaries and attack games . . . . . . . . . . . . . . . . . . . . . . 32
2.4.4 Semantic security: the formalitie s . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.5 A fun application: anonymous routing . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.7 Exercis es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3 Stream ciphers 45
3.1 Pseudo-ran dom generat ors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.1.1 Definition of a pseudo-random generator . . . . . . . . . . . . . . . . . . . . . 46
3.1.2 Mathematical details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.2 Stream ciphers : encryption with a PRG . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.3 Stream cipher limi t at ion s: attacks on the one time pad . . . . . . . . . . . . . . . . . 52
3.3.1 The two-time pad is insecure . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
iv
3.3.2 The one-time pad is malleable . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4 Composing PRGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.4.1 A parallel construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.4.2 A sequential construction: the Blum- Mi cal i method . . . . . . . . . . . . . . 59
3.4.3 Mathematical details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.5 The next bit test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.6 Case study: the Salsa and Ch aCha PRGs . . . . . . . . . . . . . . . . . . . . . . . . 68
3.7 Case study: linear generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.7.1 An example cryptanalysis: linear congruential generators . . . . . . . . . . . 70
3.7.2 The subset sum generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.8 Case study: cryptanalysis of the DVD encryption system . . . . . . . . . . . . . . . 74
3.9 Case study: cryptanalysis of the RC4 stream cipher . . . . . . . . . . . . . . . . . . 76
3.9.1 Security of RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.10 Generating random bits in practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.11 A broader perspective: computational indistinguishability . . . . . . . . . . . . . . . 81
3.11.1 Mathematical details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.12 A fun application: coin flipping and commitments . . . . . . . . . . . . . . . . . . . 87
3.13 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.14 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4Blockciphers 94
4.1 Block ciphers: basic definiti on s and properties . . . . . . . . . . . . . . . . . . . . . . 94
4.1.1 Some implications of security . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.1.2 Efficient implementation of random permutations . . . . . . . . . . . . . . . . 99
4.1.3 Strongly secure block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
4.1.4 Using a block cipher directly for encryption . . . . . . . . . . . . . . . . . . . 100
4.1.5 Mathematical details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.2 Construct i n g block ciphers in practice . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.2.1 Case study: DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.2.2 Exhaustive search on DES: the DES challenges . . . . . . . . . . . . . . . . . 110
4.2.3 Strengthening ciphers against exhaustive search: the 3E c ons t ru ct i on . . . . . 112
4.2.4 Case study: AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
4.3 Sophisti c at ed attacks on block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.3.1 Algorithmic attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.3.2 Side-channel attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.3.3 Fault-injection attacks on AES . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.3.4 Quantum exhaustive search attacks . . . . . . . . . . . . . . . . . . . . . . . . 128
4.4 Pseudo-ran dom funct i ons : basic definitions and properties . . . . . . . . . . . . . . . 129
4.4.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
4.4.2 Efficient implementation of random functions . . . . . . . . . . . . . . . . . . 130
4.4.3 When is a secure block cipher a secure PRF? . . . . . . . . . . . . . . . . . . 131
4.4.4 Constructing PRGs from PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.4.5 Mathematical details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.5 Construct i n g block ciphers from PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.6 The tree constructi on : from PRGs to PRFs . . . . . . . . . . . . . . . . . . . . . . . 144
4.6.1 Variable length tree construction . . . . . . . . . . . . . . . . . . . . . . . . . 148
v
剩余579页未读,继续阅读
shuqin_SQ
- 粉丝: 0
- 资源: 4
上传资源 快速赚钱
- 我的内容管理 收起
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
会员权益专享
最新资源
- RTL8188FU-Linux-v5.7.4.2-36687.20200602.tar(20765).gz
- c++校园超市商品信息管理系统课程设计说明书(含源代码) (2).pdf
- 建筑供配电系统相关课件.pptx
- 企业管理规章制度及管理模式.doc
- vb打开摄像头.doc
- 云计算-可信计算中认证协议改进方案.pdf
- [详细完整版]单片机编程4.ppt
- c语言常用算法.pdf
- c++经典程序代码大全.pdf
- 单片机数字时钟资料.doc
- 11项目管理前沿1.0.pptx
- 基于ssm的“魅力”繁峙宣传网站的设计与实现论文.doc
- 智慧交通综合解决方案.pptx
- 建筑防潮设计-PowerPointPresentati.pptx
- SPC统计过程控制程序.pptx
- SPC统计方法基础知识.pptx
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论0