2
PRELIMINARIES
C
. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
||
. |
Probabilities and Negligible Functions . . . . . . . . . . . . . |
|
|
. |
Classical Cryptography . . . . . . . . . . . . . . . . . . . . . . |
|
|
|
. . |
Symmetric Encryption . . . . . . . . . . . . . . . . . . . . |
|
|
. . |
Message Authentication Codes . . . . . . . . . . . . . . . . |
|
|
. . |
Cryptographic Hash Functions . . . . . . . . . . . . . . . . |
|
|
. . |
Universal Hash Functions . . . . . . . . . . . . . . . . . . . |
|
|
. . |
Pseudo-Random Functions . . . . . . . . . . . . . . . . . . |
|
. |
Public-Key Encryption Schemes . . . . . . . . . . . . . . . . . |
|
|
. |
Hybrid Encryption . . . . . . . . . . . . . . . . . . . . . . . . . |
|
|
. |
e Random Oracle Model . . . . . . . . . . . . . . . . . . . . |
|
|
. |
Proof Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
|
|
. . |
Hard Problems . . . . . . . . . . . . . . . . . . . . . . . . |
|
|
. . |
e Simulation Paradigm and Hybrid Arguments . . . . . . |
|
|
. . |
e Game Proof Methodology . . . . . . . . . . . . . . . . . |
|
|
|
|
|
|
|
2.1Notations
In all this dissertation, we de ne a probabilistic algorithm to be an interactive Turing machine running on two tapes, one containing its inputs and the other one its randomness. An algorithm is said to be polynomial or to run in polynomial-time if it stops a er a polynomial number of steps in the size of it entry tape. Algorithms can also be deterministic: ose are the ones that can be modeled by a Turing machine that only runs on a tape that contains its explicit inputs.
We use the notation A(x; y) ! z to refer to running the algorithm A with input x and y and obtaining z as an output. When the algorithm is interactive and has access to an oracle O, we shall denote it AO. Finally, we de ne the view of an interactive algorithm to be its random tape and all the answers that it got from interacting with the oracles it had at its disposal. All the other messages can be computed from this view and the algorithm’s description. For an algorithm A, its view is denoted viewA.
For a discrete set X, jXj refers to its cardinality, i.e., the number of elements it contains. A vector v whose components are bits is called a binary vector. We also de ne the Hamming weight of a binary vectors as the number of 1’s that it contains.
Finally, we let N denote the set of natural numbers, 0 inclusive, and N denote the set of naturalnumbersgreaterthan 0. Likewise, Z isthesetofintegers. Zp denotesthesetofpositive integers smaller than p and Zp is a subset of the former that only includes integers that a coprime with p.
2.2Probabilities and Negligible Functions
We rst start by recalling some basic de nitions for probabilities. e probability mass function of a discrete probability distribution is a function f such that f(x) = Pr[x = x]. We also recall the de nition of the cumulative distribution function F (x) = Pr[x x].
roughout this dissertation, we will explicitly use four probability distribution. For the sake of completeness, we describe them inhere.
e Uniform Distribution. Over a discrete set, the uniform distribution assign to
|
every entry an equal probability. |
at is, its probability mass function is a constant |
|
|
function that sums to 1 over all elements of X, i.e., |
|
|
|
8x 2 X : f(x) = jXj 1: |
|
|
|
Even if it constitutes an abuse of notation, we write x 2R X to express the fact that x |
||
|
is chosen from X according to the uniform distribution. |
|
|
|
e Bernoulli Distribution. |
is distribution is de ned over the binary set f0; 1g |
|
|
and models the success of an experiment that is controlled with a probability p. |
at |
|
.