Comments for Cryptosophy

Comment on Course objective by David Morrison

David Morrison — Tue, 29 Sep 2009 03:38:33 +0000

Speaking of “primitives”… Here’s the stick figure guide to AES:

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Comment on Course objective by mikero

mikero — Tue, 22 Sep 2009 16:23:23 +0000

just too many of them resemble each other (for e.g., those which take an input and a key, and produce an output that looks like gibberish)

So cryptography is essentially about appreciating the fine subtleties among the myriad of ways of producing gibberish… which I guess makes us gibberish connoisseurs.

I think next time someone asks me what I do, I will tell them I’m a connoisseur of gibberish.

Comment on Defining Security (again) by Manoj

Manoj — Mon, 21 Sep 2009 18:44:01 +0000

Hi David,

(Sorry for the delay in replying here, but hopefully your question was answered by now.)

SIM-* definitions are not the “traditional” definitions used for encryption. We introduced them as a way to justify the traditional IND-* definitions. In the case of CCA and CPA secure encryptions (SKE or PKE), yes, you can omit saying IND/SIM, because they are equivalent. As mentioned in the class, IND-* definitions are more technical/low-level. When you build an encryption scheme and want to show that it is secure, go with the IND definition. But, if you are using an encryption scheme, sometimes you’d want to go with the SIM definition as it gives a more high-level guarantee, that is easy to use. So both definitions are still very much useful.

Later on, when we move beyond simple encryption, often SIM definitions are all that we will have. Or, when you do come up with a natural looking IND definition, it may turn out not to capture all the security requirements.

Comment on Defining Security (again) by David Morrison

David Morrison — Wed, 09 Sep 2009 02:45:19 +0000

One thing that has been confusing to me in the last couple of lectures is the distinction between the IND-* definitions and the SIM-* definitions. As I understand it, we’re basically approaching the same notion of security from two different viewpoints: the real/ideal framework, and this sort of “experiment” framework. But fundamentally you can show that these are the same notion of security (that is, IND-CPA and SIM-CPA make the same security guarantees — at least, that was what I’d understood from lecture), so why the distinction between the two? Why not just say that we’ve achieved CPA security?

Comment on Coin flips by Cryptosophy · What is cryptography?

Cryptosophy · What is cryptography? — Fri, 28 Aug 2009 00:07:07 +0000

[...] point we briefly touched up on in the introductory lecture, especially if it lets me recycle an old blog post. The very notion of information (from which stems the notion of secrecy) is based on a [...]

Comment on On defining security – I by David Molnar

David Molnar — Mon, 25 Dec 2006 08:28:37 +0000

Good to see your weblog!

There’s an interesting parallel between what you say at the end, regarding knowing what can go wrong, and cryptographic research into database privacy. A lot of the work from our community comes at it from the perspective of secure multi-party computation — that is, we will promise you that a specification will be fulfilled as if we had access to a trusted third party, but we make no guarantees that the spec is correct. So for example, we’ll do secure set intersection, but our protocols don’t stop Alice from playing with a set of size 1 to see if a particular name is in Bob’s database…

Comment on Coin flips by Sariel Har-Peled

Sariel Har-Peled — Sat, 02 Sep 2006 21:08:52 +0000

And for a really nice discussion of randomness, see teh beginning of the movie/play Rosenkrantz and Gilderstein are Dead.