
"Foundations of Cryptography—Volume 2 Basic Applications_Oded Goldreich" PDF e-book free download


Download option 1:

Baidu Netdisk download link: https://pan.baidu.com/s/1sXW7ndk5vNU747HqWjZRuA
Baidu Netdisk password: 1111

Download option 2:

http://ziliaoshare.cn/Download/af_123819_pd_FoundationsofCryptography—Volume2BasicApplications_OdedGoldreich.zip

 


Foundations of Cryptography—Volume 2  Basic Applications_Oded Goldreich

Author: empty

Pages: 449

Publisher: empty

Introduction to "Foundations of Cryptography—Volume 2 Basic Applications_Oded Goldreich"

Cryptography is concerned with the conceptualization, definition, and construction of computing systems that address security concerns. The design of cryptographic systems must be based on firm foundations. Foundations of Cryptography presents a rigorous and systematic treatment of foundational issues: defining cryptographic tasks and solving new cryptographic problems using existing tools. The emphasis is on the clarification of fundamental concepts and on demonstrating the feasibility of solving several central cryptographic problems, as opposed to describing ad hoc approaches.

This second volume contains a rigorous treatment of three basic applications: encryption, signatures, and general cryptographic protocols. It builds on the previous volume, which provides a treatment of one-way functions, pseudorandomness, and zero-knowledge proofs. It is suitable for use in a graduate course on cryptography and as a reference book for experts. The author assumes basic familiarity with the design and analysis of algorithms; some knowledge of complexity theory and probability is also useful.

Oded Goldreich is Professor of Computer Science at the Weizmann Institute of Science and incumbent of the Meyer W. Weisgal Professorial Chair. An active researcher, he has written numerous papers on cryptography and is widely considered to be one of the world experts in the area. He is an editor of Journal of Cryptology and SIAM Journal on Computing and the author of Modern Cryptography, Probabilistic Proofs and Pseudorandomness.

obtained using them. Our emphasis is on the clarification of fundamental concepts and on demonstrating the feasibility of solving several central cryptographic problems.

Solving a cryptographic problem (or addressing a security concern) is a two-stage process consisting of a definitional stage and a constructive stage. First, in the definitional stage, the functionality underlying the natural concern is to be identified, and an adequate cryptographic problem has to be defined. Trying to list all undesired situations is infeasible and prone to error. Instead, one should define the functionality in terms of operation in an imaginary ideal model, and require a candidate solution to emulate this operation in the real, clearly defined model (which specifies the adversary's abilities). Once the definitional stage is completed, one proceeds to construct a system that satisfies the definition. Such a construction may use some simpler tools, and its security is proven relying on the features of these tools. In practice, of course, such a scheme may also need to satisfy some specific efficiency requirements.

This work focuses on several archetypical cryptographic problems (e.g., encryption and signature schemes) and on several central tools (e.g., computational difficulty, pseudorandomness, and zero-knowledge proofs). For each of these problems (resp., tools), we start by presenting the natural concern underlying it (resp., its intuitive objective), then define the problem (resp., tool), and finally demonstrate that the problem may be solved (resp., the tool can be constructed). In the last step, our focus is on demonstrating the feasibility of solving the problem, not on providing a practical solution. As a secondary concern, we typically discuss the level of practicality (or impracticality) of the given (or known) solution.

The specific constructs mentioned earlier (as well as most constructs in this area) can exist only if some sort of computational hardness exists. Specifically, all these problems and tools require (either explicitly or implicitly) the ability to generate instances of hard problems. Such ability is captured in the definition of one-way functions (see further discussion in Section 2.1). Thus, one-way functions are the very minimum needed for doing most sorts of cryptography. As we shall see, one-way functions actually suffice for doing much of cryptography (and the rest can be done by augmentations and extensions of the assumption that one-way functions exist).

Our current state of understanding of efficient computation does not allow us to prove that one-way functions exist. In particular, the existence of one-way functions implies that NP is not contained in BPP ⊇ P (not even “on the average”), which would resolve the most famous open problem of computer science. Thus, we have no choice (at this stage of history) but to assume that one-way functions exist. As justification for this assumption, we may only offer the combined beliefs of hundreds (or thousands) of researchers. Furthermore, these beliefs concern a simply stated assumption, and their validity follows from several widely believed conjectures that are central to various fields (e.g., the conjecture that factoring integers is hard is central to computational number theory).

Since we need assumptions anyhow, why not just assume what we want (i.e., the existence of a solution to some natural cryptographic problem)? Well, first we need to know what we want: As stated earlier, we must first clarify what exactly we want; that is, we must go through the typically complex definitional stage. But once this stage is completed, can we just assume that the definition derived can be met? Not really. Once a definition is derived, how can we know that it can be met at all? The way to demonstrate that a definition is viable (and so the intuitive security concern can be satisfied at all) is to construct a solution based on a better-understood assumption (i.e., one that is more common and widely believed). For example, looking at the definition of zero-knowledge proofs, it is not a priori clear that such proofs exist at all (in a non-trivial sense). The non-triviality of the notion was first demonstrated by presenting a zero-knowledge proof system for statements regarding Quadratic Residuosity that are believed to be hard to verify (without extra information). Furthermore, contrary to prior beliefs, it was later shown that the existence of one-way functions implies that any NP-statement can be proven in zero-knowledge. Thus, facts that were not at all known to hold (and were even believed to be false) were shown to hold by reduction to widely believed assumptions (without which most of modern cryptography collapses anyhow). To summarize, not all assumptions are equal, and so reducing a complex, new, and doubtful assumption to a widely believed simple (or even merely simpler) assumption is of great value. Furthermore, reducing the solution of a new task to the assumed security of a well-known primitive typically means providing a construction that, using the known primitive, solves the new task. This means that we not only know (or assume) that the new task is solvable but also have a solution based on a primitive that, being well known, typically has several candidate implementations.

Structure and Prerequisites

Our aim is to present the basic concepts, techniques, and results in cryptography. As stated earlier, our emphasis is on the clarification of fundamental concepts and the relationship among them. This is done in a way independent of the particularities of some popular number-theoretic examples. These particular examples played a central role in the development of the field and still offer the most practical implementations of all cryptographic primitives, but this does not mean that the presentation has to be linked to them. On the contrary, we believe that concepts are best clarified when presented at an abstract level, decoupled from specific implementations. Thus, the most relevant background for this work is provided by basic knowledge of algorithms (including randomized ones), computability, and elementary probability theory. Background on (computational) number theory, which is required for specific implementations of certain constructs, is not really required here (yet a short appendix presenting the most relevant facts is included in the first volume so as to support the few examples of implementations presented here).


Table of contents of "Foundations of Cryptography—Volume 2 Basic Applications_Oded Goldreich"

Contents

Basic Applications

List of Figures

Acknowledgments

5 Encryption Schemes

5.1.The Basic Setting

5.1.1.Private-Key Versus Public-Key Schemes

5.1.2.The Syntax of Encryption Schemes

5.2.1.Semantic Security

5.2.2.Indistinguishability of Encryptions

5.2.3.Equivalence of the Security Definitions

5.2.4.Multiple Messages

5.2.5.*A Uniform-Complexity Treatment

Constructions of Secure Encryption Schemes

5.3.1.*Stream-Ciphers

5.3.2.Preliminaries: Block-Ciphers

5.3.3.Private-Key Encryption Schemes

5.3.4.Public-Key Encryption Schemes

5.4.1.Overview

5.4.2.Key-Dependent Passive Attacks

5.4.3.Chosen Plaintext Attack

5.4.4.Chosen Ciphertext Attack

5.4.5.Non-Malleable Encryption Schemes

5.5.1.On Using Encryption Schemes

5.5.2.On Information-Theoretic Security

5.5.3.On Some Popular Schemes

5.2.Definitions of Security

5.4.*Beyond Eavesdropping Security

5.5.Miscellaneous

5.5.5.Suggestions for Further Reading

5.5.6.Open Problems

5.5.7.Exercises

6 Digital Signatures and Message Authentication

6.1.The Setting and Definitional Issues

6.2.Length-Restricted Signature Scheme

6.3.Constructions of Message-Authentication Schemes

6.4.Constructions of Signature Schemes

6.1.1.The Two Types of Schemes:A Brief Overview

6.1.2.Introduction to the Unified Treatment

6.1.3.Basic Mechanism

6.1.4.Attacks and Security

6.1.5.*Variants

6.2.1.Definition

6.2.3.*Constructing Collision-Free Hashing Functions

6.3.1.Applying a Pseudorandom Function to the Document

6.3.2.*More on Hash-and-Hide and State-Based MACs

6.4.1.One-Time Signature Schemes

6.4.2.From One-Time Signature Schemes to General Ones

6.4.3.*Universal One-Way Hash Functions and Using Them

6.5.1.Unique Signatures

6.5.2.Super-Secure Signature Schemes

6.5.3.Off-Line/On-Line Signing

6.5.4.Incremental Signatures

6.5.5.Fail-Stop Signatures

6.6.1.On Using Signature Schemes

6.6.2.On Information-Theoretic Security

6.6.3.On Some Popular Schemes

6.6.4.Historical Notes

6.6.5.Suggestions for Further Reading

6.6.6.Open Problems

6.6.7.Exercises

7.1.1.The Definitional Approach and Some Models

7.1.2.Some Known Results

7.1.3.Construction Paradigms

7.2.2.The Semi-Honest Model

7.2.3.The Malicious Model

7.3.1.Privacy Reductions and a Composition Theorem

7.3.2.The OT, Protocol:Definition and Construction

7.3.3.Privately Computing c1+c2=(a1+a2)·(b1+b2)

7.3.4.The Circuit Evaluation Protocol

7.4.1.The Protocol Compiler:Motivation and Overview

7.4.2.Security Reductions and a Composition Theorem

7.4.3.The Compiler:Functionalities in Use

7.4.4.The Compiler Itself

7.5.1.Definitions

7.5.5.The Second Compiler:Effectively Preventing Abort

7.6.1.Definitions

7.6.2.Security in the Semi-Honest Model

7.6.3.Security in the Malicious Model

7.7.1.*Three Deferred Issues

7.7.2.*Concurrent Executions

7.7.3.Concluding Remarks

7.7.4.Historical Notes

7.7.5.Suggestions for Further Reading

7.7.6.Open Problems

7.7.7.Exercises

C.3.1.On Parallel Composition

C.3.2.On Theorem 4.6.8 and an Afterthought

C.3.3.Consequences

C.4.1.On NIZKs with Efficient Prover Strateg
