## Introduction to Modern Cryptography (2005)

### Cached

### Download Links

Venue: | UCSD CSE 207 Course Notes |

Citations: | 12 - 0 self |

### BibTeX

@INPROCEEDINGS{Bellare05introductionto,

author = {Mihir Bellare and Phillip Rogaway},

title = {Introduction to Modern Cryptography},

booktitle = {UCSD CSE 207 Course Notes},

year = {2005},

pages = {207}

}

### OpenURL

### Abstract

### Citations

2912 | L.: A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978 |

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...ryption oracle will return M1, and A will return 0, meaning will return 1 with probability zero. 5.11 Historical notes The pioneering work on the theory of encryption is that of Goldwasser and Micali =-=[18]-=-, with refinements by [28, 13]. This body of work is however in the asymmetric (i.e., public key) setting, and uses the asymptotic framework of polynomial-time adversaries and negligible success proba... |

1041 | Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Rackoff
- 1989
(Show Context)
Citation Context ...rictions are put on the prover in the completeness and soundness conditions, one obtains what is actually called an interactive proof in the literature, a notion due to Goldwasser, Micali and Rackoff =-=[20]-=-. A remarkable fact is that IP, the class of languages possessing interactive proofs of membership, equals PSPACE [27, 34], showing that interaction and randomness extend language membership-proof cap... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks - Goldwasser, Micali, et al. - 1988 |

628 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...ing x at (I), and thus recover ɛ. random and setting y = h(x), namely as in Experiment Exp owf h 4.11 Historical notes The concept of pseudorandom functions is due to Goldreich, Goldwasser and Micali =-=[17]-=-, while that of pseudorandom permutation is due to Luby and Rackoff [25]. These works are however in the complexity-theoretic or “asymptotic” setting, where one considers an infinite sequence of famil... |

379 | Proofs that Yield Nothing But Their Validity or All languages in N P Have Zero-Knowledge Proof Systems
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ... first evidence as to the power of interactive proofs was provided by the fact that the language of non-isomorphic graphs, although not known to be in NP, possesses an interactive proof of membership =-=[15]-=-. Eventually, as noted above, it was found that IP = PSPACE. The related model of probabilistically checkable proofs has been applied to derive strong non-approximability results for NP-optimization p... |

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1992 |

308 | Algebraic methods for interactive proof systems
- Lund, Fortnow, et al.
- 1992
(Show Context)
Citation Context ...teractive proof in the literature, a notion due to Goldwasser, Micali and Rackoff [20]. A remarkable fact is that IP, the class of languages possessing interactive proofs of membership, equals PSPACE =-=[27, 34]-=-, showing that interaction and randomness extend language membership-proof capability well beyond NP. Thinking of the prover’s computation as one to be actually implemented in a cryptographic protocol... |

284 |
How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
(Show Context)
Citation Context ... in Experiment Exp owf h 4.11 Historical notes The concept of pseudorandom functions is due to Goldreich, Goldwasser and Micali [17], while that of pseudorandom permutation is due to Luby and Rackoff =-=[25]-=-. These works are however in the complexity-theoretic or “asymptotic” setting, where one considers an infinite sequence of families rather than just one family, and defines security by saying that pol... |

252 | Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks
- Naor, Yung
- 1990
(Show Context)
Citation Context ...ons for three kinds of collision-resistant hash functions under known-key attack. Type Name(s) in literature CR2-KK collision-free, collision-resistant, collision-intractable CR1-KK universal one-way =-=[29]-=- (aka. target-collision resistant [1]) CR0 universal, almost universal Figure 6.5: Types of hash functions, with names in our framework and corresponding names found in the literature. In measuring re... |

193 | On the Composition of Zero-Knowledge Proof Systems - Goldreich, Krawczyk - 1996 |

168 | Witness indistinguishable and witness hiding protocols - Feige, Shamir - 1990 |

112 | Definitions and properties of Zero-Knowledge proof systems - Goldreich, Oren - 1994 |

82 |
The Notion of Security for Probabilistic Cryptosystems
- Micali, Rackoff, et al.
- 1988
(Show Context)
Citation Context ... M1, and A will return 0, meaning will return 1 with probability zero. 5.11 Historical notes The pioneering work on the theory of encryption is that of Goldwasser and Micali [18], with refinements by =-=[28, 13]-=-. This body of work is however in the asymmetric (i.e., public key) setting, and uses the asymptotic framework of polynomial-time adversaries and negligible success probabilities. The treatment of sym... |

75 | A uniform-complexity treatment of encryption and zero-knowledge
- Goldreich
- 1993
(Show Context)
Citation Context ... M1, and A will return 0, meaning will return 1 with probability zero. 5.11 Historical notes The pioneering work on the theory of encryption is that of Goldwasser and Micali [18], with refinements by =-=[28, 13]-=-. This body of work is however in the asymmetric (i.e., public key) setting, and uses the asymptotic framework of polynomial-time adversaries and negligible success probabilities. The treatment of sym... |

32 | The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet (2nd Edition, Simon - Kahn - 1997 |

24 |
The solution of McCurley’s discrete log challenge
- Weber, Denny
- 1998
(Show Context)
Citation Context ...nd the algorithm used was the GNFS. A little earlier, discrete logarithms had been computed modulo a slightly larger prime, namely a 129 digit one, but this had a special structure that was exploited =-=[35]-=-. Faster discrete logarithm computation can come from many sources. One is exploiting parallelism and the paradigm of distributing work across available machines on the Internet. Another is algorithmi... |

12 |
Erik Mathiassen, A Chosen-Plaintext Linear Attack on
- Knudsen, John
- 1978
(Show Context)
Citation Context ...4] improved differential in two ways. The number of inputoutput examples required is reduced to 2 44 , and only a known-message attack is required. (An alternative version uses 2 42 chosen plaintexts =-=[24]-=-.) These were major breakthroughs in cryptanalysis that required careful analysis of the DES construction to find and exploit weaknesses. Yet, the practical impact of these attacks is small. Why? Ordi... |

12 |
A study of password security
- Luby, Rackoff
(Show Context)
Citation Context ...ed"concrete security," and originates with [2]. Definitions 3.4 and 3.5 are from [2], as are Propositions 3.14 and 3.15. The materiel of Section 3.10 is a concrete securtityadaptation of results from =-=[23]-=-. 3.13 Exercises and problems Exercise 3.1 Let E: f0; 1gk \Thetasf0; 1gn ! f0; 1gn be a secure PRP. Consider thePRP E0: f0; 1gk \Thetasf0; 1g2n ! f0; 1g2n defined by E0K(xx0) = EK (x) EK(x \Phisx0) wh... |

11 | Standing the test of time: The Data Encryption Standard - Landau - 2000 |

3 | The RC6 Block Cipher. Available via http://theory.lcs.mit.edu/~rivest/publications.html - Rivest, Robshaw, et al. - 1978 |

1 | Computing a discrete logarithm in GF(p), p a 120 digits prime, http://www.medicis.polytechnique.fr/˜lercier/english/dlog.html - Joux, Lercier |

1 | The rise and fall of knapsack cryptosystems. Available via http://www. research.att.com/˜amo/doc/cnt.html - Odlyzko |

1 | Witness Indistinguishability and Witness HidingProtocols - Feige, Shamir - 1990 |

1 | On the Composition of Zero-KnowledgeProof Systems - Goldreich, Krawczyk - 1996 |

1 |
How to construct randomfunctions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...(x), namely as in Experiment Exmtowfh;I , and thus recover ffl. 3.11 Pseudorandom generators 3.12 Historical notes The basic notion of pseudorandom functions is due to Goldreich, Goldwasser andMicali =-=[16]-=-. In particular these authors introduced the important notion of distinguishers. The notion of a pseudorandom permutation is due to Luby and Rackoff[22]. These works are in the complexity-theoretic or... |

1 | Algebraic Methodsfor Interactive Proof Systems - Lund, Fortnow, et al. - 1992 |