Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show howto construct a pseudorandom generator from any oneway function. Since it is easy to construct a one-way function from a pseudorandom generator, this result shows that there is a pseudorandom generator iff there is a one-way function.

The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive eavesdropping and a non-interactive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. E-mail: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...

This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attackisSSL V.3.0.

MIXes are a means of untraceable communication based on a public key cryptosystem, as published by David Chaum in 1981 (CACM 24/2, 84-88) (=[6]). In the case where RSA is used as this cryptosystem directly, i.e. without composition with other functions (e.g. destroying the multiplicative structure), we show how the resulting MIXes can be broken by an active attack which is perfectly feasible in a typical MIX-environment. The attack does not affect the idea of MIXes as a whole: if the security requirements of [6] are concretized suitably and if a cryptosystem fulfils them, one can implement secure MIXes directly. However, it shows that present security notions for public key cryptosystems, which do not allow active attacks, do not suffice for a cryptosystem which is used to implement MIXes directly. We also warn of the same attack and others on further possible implementations of MIXes, and we mention several implementations which are not broken by any attack we know. I. INTRODUCTION: M...

We show that if a language has an interactive proof of logarithmic statistical knowledge-complexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NP-complete languages do not have logarithmic knowledge complexity. Prior to this work, there was no indication that would contradict NP languages being proven with even one bit of knowledge. Our result is a common generalization of two previous results: The rst asserts that statistical zero knowledge is contained in AM \ co AM [F-89, AH-91], while the second asserts that the languages recognizable in logarithmic statistical knowledge complexity are in BPP NP [GOP-94]. Next, we consider the relation between the error probability and the knowledge complexity of an interactive proof. Note that reducing the error probability via repetition is not free: it may increase the knowledge complexity. We show that if the negligible error probability (n) is less than 2 3k(n) (where k(n) is the knowledge complexity) then the language proven is in the third level of the polynomial time hierarchy (specically, it is in AM NP . In the standard setting of negligible error probability, there exist PSPACE-complete languages which have sub-linear knowledge complexity. However, if we insist, for example, that the error probability is less than 2 n 2 , then PSPACE-complete languages do not have sub-quadratic knowledge complexity, unless PSPACE= P 3 . In order to prove our main result, we develop an AM protocol for checking that a samplable distribution D has a given entropy h. For any fractions ; , the verier runs in time polynomial in 1= and log(1=) and fails with probability at most to detect an additive error in the entropy. We believe that this ...

This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.

Several security protocols (PGP, PEM, MOSS, S/MIME, PKCS#7, CMS, etc.) have been developed to provide confidentiality and authentication of electronic mail. These protocols are widely used and trusted for private communication over the Internet. We point out a potentially serious security hole in these protocols: any encrypted message can be decrypted using a one-message, adaptive chosen-ciphertext attack. Although such attacks have been formalized mainly for theoretical interest, we argue that they are feasible in the networked systems in which these e-mail protocols are used.

We study the security of individual bits in an RSA encrypted message EN (x). We show that given EN (x), predicting any single bit in x with only a non-negligible advantage over the trivial guessing strategy, is (through a polynomial time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bitsofxare computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme. Considering the discrete exponentiation function gx modulo p, with probability 1 − o(1) over random choices of the prime p, the analog results are demonstrated. The results do not rely on group representation, and therefore applies to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f. All our results follow from a general result on the chosen multiplier hidden number problem: givenanintegerN, and access to an algorithm Px that on input a random a ∈ ZN, returns a guess of the ith bit of ax mod N, recover x. We show that for any i, ifPx has at least a nonnegligible advantage in predicting the ith bit, we either recover x, or, obtain a non-trivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O(log log N) bits.

Current constructions of cryptographic primitives typically involve a large multiplicative computational overhead that grows with the desired level of security. We explore the possibility of implementing basic cryptographic primitives, such as encryption, authentication, signatures, and secure two-party computation, while incurring only a constant computational overhead compared to insecure implementations of the same tasks. Here we make the usual security requirement that the advantage of any polynomial-time attacker must be negligible in the input length. We obtain affirmative answers to this question for most central cryptographic primitives under plausible, albeit sometimes nonstandard, intractability assumptions. • We start by showing that pairwise-independent hash functions can be computed by linear-size circuits, disproving a conjecture of Mansour, Nisan, and Tiwari (STOC 1990). This construction does not rely on any unproven assumptions and is of independent interest. Our hash functions can be used to construct message authentication schemes with constant overhead from any one-way function. • Under an intractability assumption that generalizes a previous assumption of Alekhnovich (FOCS 2003), we get (public and private key) encryption schemes with constant overhead. Using an exponentially