标签： CIS 455

数学代写|密码学作业代写Cryptography代考|History of Cryptography from the 1800s

Posted on 2023年4月5日2023年4月5日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

密码学创造了具有隐藏意义的信息；密码分析是破解这些加密信息以恢复其意义的科学。许多人用密码学一词来代替密码学；然而，重要的是要记住，密码学包括了密码学和密码分析。

statistics-lab™ 为您的留学生涯保驾护航在代写密码学Cryptography方面已经树立了自己的口碑, 保证靠谱, 高质且原创的统计Statistics代写服务。我们的专家在代写密码学Cryptography代写方面经验极为丰富，各种代写密码学Cryptography相关的作业也就用不着说。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|The Vernam Cipher

The Vernam cipher is a type of one-time pad (Mollin 2000). The concept behind a one-time pad is that the plain text is somehow altered by a random string of data so that the resulting cipher text is truly random. Gilbert Vernam (April 3, 1890 to February 7,1960 ) proposed a stream cipher that would be used with teleprinters. It would combine character by character a prepared key that was stored on a paper tape, with the characters of the plain text to produce the cipher text. The recipient would again apply the key to get back the plain text.

In 1919 Vernam patented his idea (US Patent 1,310,719). In Vernam’s method he used the binary XOR (exclusive OR) operation applied to the bits of the message. We will be examining binary operations including XOR, in more detail in Chap. 4 . To truly be a one-time pad, by modern standards, a cipher needs two properties. The first is suggested by the name: the key is only used once. After a message is enciphered with a particular key, that key is never used again. This makes the one-time pad quite secure but also very impractical for ongoing communications such as one encounters in e-commerce. The second property is that the key be as long as the message. That prevents any patterns from emerging in the cipher text. It should be noted that Vernam also patented three other cryptographic inventions: US Patent $1,416,765$; US Patent 1,584,749; and US Patent 1,613,686.

One-time pads are still used for communications today, but only for the most sensitive communications. The keys must be stored in a secure location, such as a safe, and used only once for very critical messages. The keys for modern one-time pads are simply strings of random numbers sufficiently large enough to account for whatever message might be sent.

Contrary to popular misconceptions, the Enigma is not a single machine, but rather a family of machines. The first version was invented by German engineer Arthur Scherbius toward the end of World War I. It was also used by several different militaries, not just the Nazi Germans. Some military texts encrypted using a version of Enigma were broken by Polish cryptanalysts: Marian Rejewski, Jerzy Rozycki, and Henryk Zygalski. The three basically reverse engineered a working Enigma machine. The team then developed tools for breaking Enigma ciphers, including one tool named the cryptologic bomb.

The core of the Enigma machine was the rotors. These were disks that were arranged in a circle with 26 letters on them. The rotors where lined up. Essentially each rotor represented a different single-substitution cipher. You can think of the Enigma as a sort of mechanical poly-alphabet cipher. The operator of the Enigma machine would be given a message in plain text, and then type that message into Enigma. For each letter that was typed in, Enigma would provide a different cipher text based on a different substitution alphabet. The recipient would type in the cipher text, getting out the plain text, provided both Enigma machines had the same rotor settings. Figure 2.2 is a picture of an enigma machine.

数学代写|密码学作业代写Cryptography代考|The NSA: The Early Years

It is impossible to discuss the history of cryptography without some discussion of the history of the US National Security Agency. Today they are a large organization and are often reported to be the single largest employer of mathematicians, anywhere in the world. The history of cryptography in the latter half of the twentieth century, and beyond, is closely intertwined with the history of the NSA.

While the NSA formally was founded in 1952, there were many precursors to it. As early as 1919, the US Department of State created the Cipher Bureau, often simply called the “Black Chamber.” The Black Chamber operated in an office in Manhattan, and its main purpose was to crack the communications of foreign governments. They persuaded Western Union to allow them to monitor telegraphs transmitted by Western Union customers. The group had significant initial successes but was shut down in 1929 by the Secretary of State. He felt that spying was not a gentlemanly or honorable activity.

In 1924 the US Navy formed its Radio Intelligence office with the purpose of developing intelligence from monitoring radio communications. By 1942 the US Army renamed its Signal Intelligence Service, as Signal Security Service. At this time, the various military branches had their own initiatives on communications, radio intelligence, and cryptography, and cooperation was at a minimum.

In 1949 the various military agencies coordinated cryptology activities with a new, centralized organization named the Armed Forces Security Agency. This agency was part of the Department of Defense, rather than a specific branch of the military. In 1951, President Harry Truman set up a panel to investigate the shortcomings of the AFSA. Among those shortcomings was the failure to predict the outbreak of the Korean War. From this investigation came the National Security Agency. President Truman issued a classified directive entitled “Communications Intelligence Activities” that, among other things, established the NSA.

For much of its early history, the existence of the NSA was not acknowledged. This led to those who did know, jokingly referring to the NSA as “No Such Agency.” Obviously, the history of any intelligence agency is not completely public. But let’s examine some highlights that are.

After World War II, Soviet encryption was unbreakable and thus posed a significant issue for US Intelligence agencies. This fact, coupled with the discovery of Soviet Spies in various western governments, lead to a renewed emphasis on signals intelligence (SIGINT) and cryptanalysis.

The NSA had two primary roles. The first being to be able to monitor and decipher the communications of other nations. This would enable the gathering of important intelligence. The second being the protection of US communications from other nations eavesdropping. This led the NSA to develop a standard now known as TEMPEST, an acronym for Transient Electromagnetic Pulse Emanation Standard. This standard applies to both equipment used and to deployment and configuration of communications equipment.

During the cold war, the NSA grew and had some significant successes. As one prominent example, in 1964 the NSA intercepted and decrypted communications regarding China’s first nuclear weapon test. There were many others; some are still classified today. In recent years The Washington Times reported that NSA programs have foiled terrorist plots in over 20 different countries. We will see the NSA again in later chapters, particularly when we study modern cryptographic ciphers such as DES and AES in Chaps. 6 and 7 and then when we discuss cryptographic backdoors in Chap. 18.

密码学代写

数学代写|密码学作业代写Cryptography代考|The Vernam Cipher

Vernam 密码是一种一次性密码本 (Mollin 2000)。一次性一密背后的概念是纯文本以某种方式被随机数据串改变，因此生成的密文是真正随机的。Gilbert Vernam（1890 年 4 月 3 日至 1960 年 2 月 7 日）提出了一种用于电传打字机的流密码。它将一个字符一个字符地组合，一个存储在纸带上的准备好的密钥，与纯文本的字符产生密文。收件人将再次应用密钥以取回纯文本。

1919 年，Vernam 为他的想法申请了专利（美国专利 1,310,719）。在 Vernam 的方法中，他使用了应用于消息位的二进制 XOR（异或）运算。我们将在第 1 章中更详细地研究包括 XOR 在内的二进制操作。4. 要真正成为一次性一密本，按照现代标准，密码需要两个属性。第一个由名称建议：密钥仅使用一次。在使用特定密钥对消息进行加密后，该密钥将不再使用。这使得一次性一卡通非常安全，但对于正在进行的通信（例如在电子商务中遇到的人）来说也非常不切实际。第二个属性是密钥与消息一样长。这可以防止任何模式出现在密文中。值得注意的是，Vernam 还为其他三项密码学发明申请了专利：美国专利1,416,765; 美国专利 1,584,749；和美国专利 1,613,686。

一次性一密本今天仍用于通信，但仅用于最敏感的通信。密钥必须存储在安全位置，例如保险箱，并且对于非常关键的消息只能使用一次。现代一次性一密的密钥只是一串随机数，足够大以说明可能发送的任何消息。

与流行的误解相反，Enigma 不是一台机器，而是一个机器家族。第一个版本是由德国工程师 Arthur Scherbius 在第一次世界大战结束时发明的。它也被几个不同的军队使用，而不仅仅是纳粹德国人。一些使用 Enigma 版本加密的军事文本被波兰密码分析家破译：Marian Rejewski、Jerzy Rozycki 和 Henryk Zygalski。三人基本上逆向设计了一台工作的恩尼格玛机。该团队随后开发了用于破解 Enigma 密码的工具，包括一种名为密码炸弹的工具。

Enigma 机器的核心是转子。这些圆盘排列成一个圆圈，上面有 26 个字母。转子排成一行。本质上，每个转子代表一个不同的单替换密码。您可以将 Enigma 视为一种机械多字母密码。Enigma 机器的操作员将收到一条纯文本消息，然后将该消息输入 Enigma。对于输入的每个字母，Enigma 都会根据不同的替代字母表提供不同的密文。如果两台 Enigma 机器的转子设置相同，接收者将输入密文，得到明文。图 2.2 是谜机的图片。

数学代写|密码学作业代写Cryptography代考|The NSA: The Early Years

如果不讨论美国国家安全局的历史，就不可能讨论密码学的历史。今天，他们是一个大型组织，并且经常被报道为世界上任何地方最大的数学家雇主。二十世纪下半叶及以后的密码学历史与美国国家安全局的历史密切相关。

虽然 NSA 于 1952 年正式成立，但它的前身有很多。早在 1919 年，美国国务院就成立了密码局，通常简称为“黑室”。黑室在曼哈顿的一间办公室里运作，其主要目的是破解外国政府的通讯。他们说服西联汇款允许他们监控西联汇款客户发送的电报。该组织最初取得了重大成功，但在 1929 年被国务卿关闭。他觉得间谍活动不是绅士或光荣的活动。

1924 年，美国海军成立了无线电情报办公室，目的是通过监视无线电通信来开发情报。到 1942 年，美国陆军将其信号情报处更名为信号安全处。此时，各军种在通信、无线电情报、密码学等方面各有各的倡议，合作也处于最低限度。

1949 年，各种军事机构与一个名为武装部队安全局的新的中央组织协调密码学活动。该机构是国防部的一部分，而不是军队的一个特定部门。1951 年，哈里杜鲁门总统成立了一个小组来调查 AFSA 的缺点。这些缺点之一是未能预测朝鲜战争的爆发。来自这项调查的是国家安全局。杜鲁门总统发布了一项名为“通信情报活动”的机密指令，除其他外，该指令还建立了美国国家安全局。

在其早期历史的大部分时间里，NSA 的存在并未得到承认。这导致那些知道的人开玩笑地将 NSA 称为“没有这样的机构”。显然，任何情报机构的历史都不是完全公开的。但是，让我们检查一些亮点。

第二次世界大战后，苏联的加密是牢不可破的，因此给美国情报机构带来了重大问题。这一事实，再加上在各个西方政府中发现苏联间谍，导致人们重新强调信号情报 (SIGINT) 和密码分析。

美国国家安全局有两个主要角色。第一个是能够监视和破译其他国家的通信。这将使重要情报的收集成为可能。第二个是保护美国通信免受其他国家的窃听。这导致美国国家安全局制定了一个标准，现在称为 TEMPEST，瞬态电磁脉冲发射标准的首字母缩写词。本标准既适用于所使用的设备，也适用于通信设备的部署和配置。

在冷战期间，美国国家安全局发展壮大并取得了一些重大成就。举一个突出的例子，1964 年美国国家安全局截获并解密了有关中国第一次核武器试验的通信。还有很多其他的；有些至今仍属于机密。近年来，《华盛顿时报》报道称，美国国家安全局的计划已在 20 多个不同的国家挫败了恐怖主义阴谋。我们将在后面的章节中再次看到 NSA，特别是当我们在第 2 章中学习现代密码算法（例如 DES 和 AES）时。第 6 章和第 7 章，然后当我们在第 1 章讨论加密后门时。

数学代写|密码学作业代写Cryptography代考请认准statistics-lab™

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

金融工程是使用数学技术来解决金融问题。金融工程使用计算机科学、统计学、经济学和应用数学领域的工具和知识来解决当前的金融问题，以及设计新的和创新的金融产品。

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

术语广义线性模型（GLM）通常是指给定连续和/或分类预测因素的连续响应变量的常规线性回归模型。它包括多元线性回归，以及方差分析和方差分析（仅含固定效应）。

有限元方法代写

有限元方法（FEM）是一种流行的方法，用于数值解决工程和数学建模中出现的微分方程。典型的问题领域包括结构分析、传热、流体流动、质量运输和电磁势等传统领域。

有限元是一种通用的数值方法，用于解决两个或三个空间变量的偏微分方程（即一些边界值问题）。为了解决一个问题，有限元将一个大系统细分为更小、更简单的部分，称为有限元。这是通过在空间维度上的特定空间离散化来实现的，它是通过构建对象的网格来实现的：用于求解的数值域，它有有限数量的点。边界值问题的有限元方法表述最终导致一个代数方程组。该方法在域上对未知函数进行逼近。[1] 然后将模拟这些有限元的简单方程组合成一个更大的方程系统，以模拟整个问题。然后，有限元通过变化微积分使相关的误差函数最小化来逼近一个解决方案。

tatistics-lab作为专业的留学生服务机构，多年来已为美国、英国、加拿大、澳洲等留学热门地的学生提供专业的学术服务，包括但不限于Essay代写，Assignment代写，Dissertation代写，Report代写，小组作业代写，Proposal代写，Paper代写，Presentation代写，计算机作业代写，论文修改和润色，网课代做，exam代考等等。写作范围涵盖高中，本科，研究生等海外留学全阶段，辐射金融，经济学，会计学，审计学，管理学等全球99%专业科目。写作团队既有专业英语母语作者，也有海外名校硕博留学生，每位写作老师都拥有过硬的语言能力，专业的学科背景和学术写作经验。我们承诺100%原创，100%专业，100%准时，100%满意。

随机分析代写

随机微积分是数学的一个分支，对随机过程进行操作。它允许为随机过程的积分定义一个关于随机过程的一致的积分理论。这个领域是由日本数学家伊藤清在第二次世界大战期间创建并开始的。

时间序列分析代写

随机过程，是依赖于参数的一组随机变量的全体，参数通常是时间。随机变量是随机现象的数量表现，其时间序列是一组按照时间发生先后顺序进行排列的数据点序列。通常一组时间序列的时间间隔为一恒定值（如1秒，5分钟，12小时，7天，1年），因此时间序列可以作为离散时间数据进行分析处理。研究时间序列数据的意义在于现实中，往往需要研究某个事物其随时间发展变化的规律。这就需要通过研究该事物过去发展的历史记录，以得到其自身发展的规律。

回归分析代写

多元回归分析渐进（Multiple Regression Analysis Asymptotics）属于计量经济学领域，主要是一种数学上的统计分析方法，可以分析复杂情况下各影响因素的数学关系，在自然科学、社会和经济学等多个领域内应用广泛。

MATLAB代写

MATLAB 是一种用于技术计算的高性能语言。它将计算、可视化和编程集成在一个易于使用的环境中，其中问题和解决方案以熟悉的数学符号表示。典型用途包括：数学和计算算法开发建模、仿真和原型制作数据分析、探索和可视化科学和工程图形应用程序开发，包括图形用户界面构建MATLAB 是一个交互式系统，其基本数据元素是一个不需要维度的数组。这使您可以解决许多技术计算问题，尤其是那些具有矩阵和向量公式的问题，而只需用 C 或 Fortran 等标量非交互式语言编写程序所需的时间的一小部分。MATLAB 名称代表矩阵实验室。MATLAB 最初的编写目的是提供对由 LINPACK 和 EISPACK 项目开发的矩阵软件的轻松访问，这两个项目共同代表了矩阵计算软件的最新技术。MATLAB 经过多年的发展，得到了许多用户的投入。在大学环境中，它是数学、工程和科学入门和高级课程的标准教学工具。在工业领域，MATLAB 是高效研究、开发和分析的首选工具。MATLAB 具有一系列称为工具箱的特定于应用程序的解决方案。对于大多数 MATLAB 用户来说非常重要，工具箱允许您学习和应用专业技术。工具箱是 MATLAB 函数（M 文件）的综合集合，可扩展 MATLAB 环境以解决特定类别的问题。可用工具箱的领域包括信号处理、控制系统、神经网络、模糊逻辑、小波、仿真等。

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|History of Cryptography to the 1800s

Posted on 2023年4月5日2023年4月5日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|Affne Ciphers

Affine ciphers are any single-substitution alphabet ciphers (also called monoalphabet substitution) in which each letter in the alphabet is mapped to some numeric value, permuted with some relatively simple mathematical function, and then converted back to a letter. For example, using the Caesar cipher, each letter is converted to a number, shifted by some amount, and then converted back to a letter. The basic formula for any affine cipher is
$$
a x+b(\bmod m)
$$
$M$ is the size of the alphabet-so in English that would be 26 . The $x$ represents the plain text letter’s numeric equivalent, and the $b$ is the amount to shift. The letter $a$ is some multiple-in the case of the Caesar cipher, $a$ is 1 . So, the Caesar cipher would be
$$
1 x+3(\bmod 26)
$$
What has been presented thus far is rather simplified. To use an affine cipher, you need to pick the value a so that it is coprime with $\mathrm{m}$. We will explore coprime in more detail later in this book. However, for now simply understand that two numbers are coprime if they have no common factors. For example, the number 8 has the factors 2 and 4 . The number 9 has the factor 3 . Thus, 8 and 9 have no common factors and are coprime. If you don’t select a and $\mathrm{m}$ that are coprime, it may not be possible to decrypt the message.

Continuing with a simplified example (ignoring the need for coprime a and $\mathrm{m}$ ), you could obviously use any shift amount you want, as well as any multiplier. The $a x$ value could be $1 x$, as with Caesar, or it could be $2 x, 3 x$, or any other value. For example, let’s create a simple Affine cipher:
$$
2 x+4(\bmod 26)
$$
To encrypt the phrase Attack at dawn, we first convert each letter to a number and then multiply that number by 2 and calculate that result $\equiv 6$. So, $A$ is 1,2 multiplied by 1 is still 2 , add 54 , gives us $6 \bmod 26$ yielding 6 , or $F$.

数学代写|密码学作业代写Cryptography代考|Vigenère

Perhaps the most widely known multi-alphabet cipher is the Vigenère cipher. This cipher was first described in 1553 by Giovan Battista Bellaso, though it is misattributed to nineteenth-century cryptographer Blaise de Vigenère (Singh 2000). It is a method of encrypting alphabetic text by using a series of different mono-alphabet ciphers selected based on the letters of a keyword. Bellaso also added the concept of using any keyword, thereby making the choice of substitution alphabets difficult to calculate. Essentially, the Vigenère cipher uses the tabula recta with a keyword. So, let us assume you have the word book, and you wish to encrypt it. You have a keyword for encryption, that keyword is $\operatorname{dog}$. You would like up the first letter of your plaintext, $b$ on the left-hand side of the tabula recta, with the first letter or your keyword $d$ on the top. The first letter of your cipher text is then $e$. Then you take the second letter of your plaintext, $o$, and line it up with the second letter of the keyword, also $o$, producing the second letter of your cipher text, $c$. The next o in book will line up with the $\mathrm{g}$ in dog, producing $\mathrm{u}$. Now that you have reached the end of your keyword, you start over at d. So, the $k$ in book is lined up with the $d$ in dog, producing the last letter of your cipher text, which is $n$. Thus, using Vigenère, with the keyword dog, the plaintext book becomes the cipher text ecun.

For many years, Vigenère was considered very strong-even unbreakable. However, in the nineteenth century, Friedrich Kasiski published a technique for breaking the Vigenère cipher. We will revisit that when we discuss cryptanalysis later in this book. It is important that you get accustomed to mathematical notation. Here, using $P$ for plain text, $C$ for cipher text, and $K$ for key, we can view Vigenère very similarly to Caesar, with one important difference: the value $K$ changes.
$$
\mathrm{Ci}=\mathrm{Pi}+\mathrm{Ki}(\bmod 26)
$$
The $i$ denotes the current key with the current letter of plain text and the current letter of cipher text. Note that many sources use $M$ (for message) rather than $P$ (for plain text) in this notation. Let us assume the word you wish to:

A variation of the Vigenère, the running key cipher, simply uses a long string of random characters as the key, which makes it even more difficult to decipher.

密码学代写

数学代写|密码学作业代写Cryptography代考|Affne Ciphers

仿射密码是任何单替换字母表密码（也称为单字母表替换），其中字母表中的每个字母都映射到某个数值，用一些相对简单的数学函数排列，然后转换回一个字母。例如，使用凯撒密码，每个字母都被转换为数字，移位一定量，然后再转换回字母。任何仿射密码的基本公式是
$$
a x+b(\bmod m)
$$
$M$ 是字母表的大小一一所以在英语中是 26 。这 $x$ 代表纯文本字母的数字等价物，而 $b$ 是要移动的量。这封信 $a$ 是一些倍数一一在凯撒密码的情况下， $a$ 是 1 。所以，凯撒密码将是
$$
1 x+3(\bmod 26)
$$
到目前为止所呈现的内容相当简单。要使用仿射密码，您需要选择值 a 以便它与 $\mathrm{m}$. 我们将在本书后面更详细地探讨互质。但是，现在只需了解如果两个数没有公因数，则它们是互质的。例如，数字 8 具有因数 2 和 4 。数字 9 有因数 3。因此，8和 9 没有公因数并且互质。如果您不选择和 $m$ 互质，则可能无法解密消自。
继续一个简化的例子 (忽略互质 $\mathrm{a}$ 和 $\mathrm{m}$ )，你显然可以使用你想要的任何移位量，以及任何乘数。这 $a x$ 价值可能是 $1 x$ ，就像凯撒一样，或者它可能是 $2 x, 3 x$ ，或任何其他值。例如，让我们创建一个简单的仿射密码:
$$
2 x+4(\bmod 26)
$$
为了加密短语 Attack at dawn，我们首先将每个字母转换为一个数字，然后将该数字乘以 2 并计算结果 $\equiv 6$. 所以， $A$ 是 1,2 乘以 1 仍然是 2 ，加上 54 ，给我们 $6 \bmod 26$ 产生 6 ，或 $F$.

数学代写|密码学作业代写Cryptography代考|Vigenère

也许最广为人知的多字母密码是 Vigenère 密码。1553 年，忝万·巴蒂斯塔·贝拉索 (Giovan Battista Bellaso) 首次描述了这种密码，尽管它被错误地归因于 19 世纪的密码学家 Blaise de Vigenère (Singh 2000)。它是一种通过使用基于关键字字母选择的一系列不同的单字母密码来加密字母文本的方法。 Bellaso 还添加了使用任何关键字的概念，从而使替代字母表的选择难以计算。本质上，Vigenère 密码使用带有关键字的白板。所以，让我们假设你有单词书，并且你想加密它。您有一个用于加密的关键字，该关键字是dog. 你想要明文的第一个字母， $b$ 在 tabula recta 的左侧，第一个字母或您的关键字 $d$ 在顶端。然后是密文的第一个字母 $e$. 然后你拿你的明文的第二个字母， $o$ ，并将其与关键字的第二个字母对齐， $o$ ，生成密文的第二个字母， $c$. 书中的下一个 0 将与 $\mathrm{g}$ 在狗身上，生产 $\mathrm{u}$. 现在您已经到达关键字的末尾，您可以从 $d$ 重新开始。所以 $k$ 在书中与 $d$ 在狗中，生成密文的最后一个字母，即 $n$. 因此，使用带有关键字 dog 的 Vigenère，明文 book 变成密文 ecun。
多年来，Vigenère 被认为非常坚固，甚至牢不可破。然而，在 19 世纪，弗里德里布·卡西斯基 (Friedrich Kasiski) 发表了破解维吉尼亚密码的技术。我们将在本书后面讨论密码分析时重新讨论这一点。习惯数学符号很重要。在这里，使用 $P$ 对于纯文本， $C$ 对于密文，和 $K$ 对于 key，我们可以将 Vigenère 视为与 Caesar 非常相似，但有一个重要区别：价值 $K$ 变化。
$$
\mathrm{Ci}=\mathrm{Pi}+\mathrm{Ki}(\bmod 26)
$$
这 $i$ 用明文的当前字母和密文的当前字母表示当前密钥。请注意，许多来源使用 $M$ (用于消息) 而不是 $P$ (对于纯文本) 以这种表示法。让我们假设您想要的词:
运行密钥密码是 Vigenère 的一种变体，它只是使用一长串随机字符作为密钥，这使得破译更加困难。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CISS3341

Posted on 2023年3月30日2023年3月30日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|MESSAGING PROTOCOLS

A messaging protocol must be able to deal with three processes: Establishing a state for a conversation, encrypting messages and decrypting messages. We shall use stateful encryption, something that we wanted to avoid in Chapters 7 and 8 , but which now will be needed. Also, we must generate keys.

For convenience, the definition of messaging protocols comes in two parts: the algorithms and the correctness requirement, with some notation in between. Correctness essentially implies that if two parties running the protocol agree on the context for the conversation and what they have sent and received through the network, they will also agree on the messages sent and received.
Definition 13.1. A basic messaging protocol $\mathrm{SM}=\left(\mathfrak{P}, \mathfrak{F}, \mathcal{K}, \mathcal{H}, \mathcal{E}_m, \mathcal{D}_m\right)$ consists of a set of plaintexts $\mathfrak{F}$, a set of associated data $\mathfrak{F}$, and four algorithms:

The key generation algorithm $\mathcal{K}$ takes no input and outputs a public key $p k$ and a secret key $s k$.
The interactive handshake algorithm $\mathcal{H}$ takes as input a role $\rho \in{0,1}$, associated data $a d$, a key pair $\left(p k_\rho, s k_\rho\right)$ and a public key $p k_{1-\rho}$. It alternates between sending and receiving signals, initially sending if $\rho=$ 0 , otherwise initially receiving. Eventually, it either outputs a state st or the special symbol $\perp$ signifying failure.
The encryption algorithm $\mathcal{E}_m$ takes as input a secret key sk, a state st, per-message associated data $a d^m$ and a message $m \in \mathfrak{P}$, and outputs either the special symbol $\perp$, or a state $s t^{\prime}$ and a ciphertext $c$.
The decryption algorithm $\mathcal{D}_m$ takes as input a secret key sk, a state $s t$, per-message associated data $a d^m$ and $c$. It outputs either the special symbol $\perp$, or a state $s t^{\prime}$ and a message $m \in \mathfrak{F}$.

The algorithms may also output $\perp$, and they will if given an input state $\perp$.
An instance of SM with role $\rho$, associated data ad, key pair $\left(p k_\rho, s k_\rho\right)$ and $p k_{1-\rho}$ is described by signals $\hat{c}1, \hat{c}_2, \ldots, \hat{c}{\hat{l}}$, events $\left(\rho_i, a d_i^m, m_i, c_i\right), i=$ $1,2, \ldots, l$, and states $s t_0, s t_1, \ldots, s t_l$, where

$\mathcal{H}$ with input $\left(\rho, a d, p k_\rho, s k_\rho, p k_{1-\rho}\right)$ sends/receives (receives/sends) the signals $\hat{c}1, \hat{c}_2, \ldots, \hat{c}{\hat{l}}$ and outputs the state $s t_0$;
and for $i=1,2, \ldots, l$ we have either
$\rho_i=\rho$ and $\mathcal{E}m\left(s k, s t{i-1}, a d_i^m, m_i\right)$ output $\left(s t_i, c_i\right)$ (encryption); or
$\rho_i=1-\rho$ and $\mathcal{D}m\left(s k, s t{i-1}, a d_i^m, c_i\right)$ output $\left(s t_i, m_i\right)$ (decryption).

数学代写|密码学作业代写Cryptography代考|Practical Mathematical Cryptography

We shall consider four examples. The first two examples are channel protocols. We studied a variant of the first example in Section 7.4. The second example uses session key evolution to achieve stronger security in some contexts.
The third example is a natural combination of public key encryption and digital signatures, which we looked at in Section 9.4. It is our first messaging protocol. In some sense, this example is very similar to the first example.
The fourth example is another natural combination of a key exchange scheme and a channel protocol. Depending on which channel protocol we use, the composition is either suitable for short-lived or longer-lived instances.
The third and fourth examples use compositional constructions, where simpler constructions are composed to form new constructions. As previously mentioned, composition seems very natural, but can be quite subtle. Security properties do not compose nicely in general, but sometimes they do.

Channel As we saw in Section 7.4 there are a number of ways to realise a channel protocol. The following example is probably the simplest possible method. The channel protocol simply encrypts any message with the symmetric cryptosystem, encoding the sender and its order in the associated data. The recipient encodes its belief about the sender and the sender’s order in the associated data it uses. It does not achieve any kind of security if more than one instance uses the same role, the same key and the same associated data.
Example 13.2. Let $\Sigma=\left(\mathfrak{K}_s, \mathfrak{P}, \mathfrak{F}_0, \mathfrak{C}, \mathcal{E}_s, \mathcal{D}_s\right)$ be a symmetric cryptosystem, with ${0,1} \times \mathbb{Z} \times \mathfrak{F} \times \mathfrak{F} \subseteq \mathfrak{F}_0$. The channel is SC-SYM $=\left(\mathfrak{P}, \mathfrak{F}, \mathfrak{K}_s, \mathcal{H}, \mathcal{E}_m, \mathcal{D}_m\right)$, where the algorithms all take the key $k$ and state $\left(\rho, a d, j, j^{\prime}\right) \in{0,1} \times \mathfrak{F} \times$ $\mathbb{Z} \times \mathbb{Z}$ as input, and work as follows:

The encryption algorithm $\mathcal{E}_m$ also takes $a d^m$ and $m$ as input, computes $c \leftarrow \mathcal{E}_s\left(k,\left(\rho, j, a d, a d^m\right), m\right)$ and outputs $\left(\rho, a d, j+1, j^{\prime}\right)$ and $c$.
The decryption algorithm $\mathcal{D}_m$ also takes $a d^m$ and $c$ as input and computes $m \leftarrow \mathcal{D}_s\left(k,\left(\rho, j^{\prime}, a d, a d^m\right), c\right)$. If $m=\perp$, the algorithm outputs $\perp$. Otherwise, it outputs $\left(\rho, a d, j, j^{\prime}+1\right)$ and $m$.
This is a simple channel and $\mathcal{H}(\rho, a d, k)$ outputs the state $(\rho, a d, 0,0)$.
This causal order of this channel is the minimal causal order, since the two directions are treated independently.

密码学代写

数学代写|密码学作业代写Cryptography代考|MESSAGING PROTOCOLS

消息传递协议必须能够处理三个过程：建立对话状态、加密消息和解密消息。我们将使用状态加密，这是我们在第 7 章和第 8 章中想要避免的东西，但现在需要它。此外，我们必须生成密钥。
为方便起见，消息协议的定义分为两部分：算法和正确性要求，中间有一些符号。正确性本质上意味着如果运行该协议的两方就对话的上下文以及他们通过网络发送和接收的内容达成一致，他们也会就发送和接收的消息达成一致。
定义 13.1。一个基本的消息传递协议 $\mathrm{SM}=\left(\mathfrak{P}, \mathfrak{F}, \mathcal{K}, \mathcal{H}, \mathcal{E}_m, \mathcal{D}_m\right)$ 由一组明文组成 $\mathfrak{F}$ ，一组关联数据 $\mathfrak{F}$ ，以及四种算法:

密钥生成算法 $\mathcal{K}$ 不接受输入并输出公钥 $p k$ 和一把秘钥 $s k$.
交互式握手算法 $\mathcal{H}$ 将角色作为输入 $\rho \in 0,1$, 关联数据 $a d_r$ 一对密钥 $\left(p k_\rho, s k_\rho\right)$ 和一个公钥 $p k_{1-\rho}$. 它在发送和接收信号之间交替，如果 $\rho=0$ ，否则最初接收。最终，它要么输出状态 st，要么输出特殊符号上表示失败。
加密算法 $\mathcal{E}_m$ 将密钥 sk、状态 st、每条消息关联的数据作为输入 $a d^m$ 和一条消息 $m \in \mathfrak{P}$, 并输出特殊符号上，或者一个状态 $s t^{\prime}$ 和密文 $c$.
解密算法 $\mathcal{D}m$ 将密钥 sk 作为输入，一个状态 $s t$, 每条消息关联数据 $a d^m$ 和 $c$. 它输出特殊符号, 或者一个状态 $s t^{\prime}$ 和一条消息 $m \in \mathfrak{F}$. 算法也可能输出，如果给定一个输入状态，他们就会. 具有角色的 SM 实例 $\rho$ ，关联数据广告，密钥对 $\left(p k\rho, s k_\rho\right)$ 和 $p k_{1-\rho}$ 由信号描述 $\hat{c} 1, \hat{c}_2, \ldots, \hat{c} \hat{l}$ ，事件 $\left(\rho_i, a d_i^m, m_i, c_i\right), i=1,2, \ldots, l$, 和状态 $s t_0, s t_1, \ldots, s t_l$ ，在哪里
$\mathcal{H}$ 有输入 $\left(\rho, a d, p k_\rho, s k_\rho, p k_{1-\rho}\right.$ )发送/接收 (接收/发送) 信号 $\hat{c} 1, \hat{c}_2, \ldots, \hat{c} \hat{l}$ 并输出状态 $s t_0$ ；并为 $i=1,2, \ldots, l$ 我们要么
$\rho_i=\rho$ 和 $\mathcal{E} m\left(s k, s t i-1, a d_i^m, m_i\right)$ 输出 $\left(s t_i, c_i\right)$ (加密) ; 或者
$\rho_i=1-\rho$ 和 $\mathcal{D} m\left(s k, s t i-1, a d_i^m, c_i\right)$ 输出 $\left(s t_i, m_i\right)$ (解密)。

数学代写|密码学作业代写Cryptography代考|Practical Mathematical Cryptography

我们将考虑四个例子。前两个示例是通道协议。我们研究了第 7.4 节中第一个示例的变体。第二个示例使用会话密钥演化在某些情况下实现更强的安全性。
第三个例子是公钥加密和数字签名的自然结合，我们在第 9.4 节中看到过。这是我们的第一个消息传递协议。从某种意义上说，这个例子与第一个例子非常相似。
第四个例子是密钥交换方案和信道协议的另一个自然组合。根据我们使用的通道协议，该组合适用于短期或长期实例。
第三个和第四个示例使用组合结构，其中将较简单的结构组合成新的结构。如前所述，构图看起来很自然，但也可能非常微妙。安全属性通常不会很好地组合，但有时它们会。
通道正如我们在 7.4 节中看到的，有许多方法可以实现通道协议。以下示例可能是最简单的方法。通道协议简单地使用对称密码系统加密任何消息，在相关数据中对发送者及其顺序进行编码。接收方在其使用的关联数据中编码其对发送方的信念和发送方的订单。如果多个实例使用相同的角色、相同的密钥和相同的关联数据，则它不会实现任何类型的安全性。
例 13.2。让 $\Sigma=\left(\mathfrak{K}_s, \mathfrak{P}, \mathfrak{F}_0, \mathfrak{C}, \mathcal{E}_s, \mathcal{D}_s\right)$ 是一个对称的密码系统，有 $0,1 \times \mathbb{Z} \times \mathfrak{F} \times \mathfrak{F} \subseteq \mathfrak{F}_0$. 通道是 SC-SYM $=\left(\mathfrak{P}, \mathfrak{F}, \mathfrak{K}_s, \mathcal{H}, \mathcal{E}_m, \mathcal{D}_m\right)$ ，算法都采用密钥 $k$ 和状态 $\left(\rho, a d, j, j^{\prime}\right) \in 0,1 \times \mathfrak{F} \times \mathbb{Z} \times \mathbb{Z}$ 作为输入，并按如下方式工作:

加密算法 $\mathcal{E}_m$ 也需要 $a d^m$ 和 $m$ 作为输入，计算 $c \leftarrow \mathcal{E}_s\left(k,\left(\rho, j, a d, a d^m\right), m\right)$ 和输出 $\left(\rho, a d, j+1, j^{\prime}\right)$ 和 $c$. 法输出 $\perp$. 否则，它输出 $\left(\rho, a d, j, j^{\prime}+1\right)$ 和 $m$.
这是一个简单的频道 $\mathcal{H}(\rho, a d, k)$ 输出状态 $(\rho, a d, 0,0)$.
此通道的因果顺序是最小因果顺序，因为两个方向是独立处理的。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CS388

Posted on 2023年3月30日2023年3月30日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|DISTRIBUTED DECRYPTION

Sometimes we need to decrypt ciphertexts, but we consider it too risky for a single party to have the decryption key. Distributed decryption allows us to mitigate this risk by sharing the decryption key among several parties and having them cooperate to compute the decryption. We also want robustness so that none of the parties can renege on their responsibilities.

The obvious approach is to use secret sharing and multi-party computation. We secret share the decryption key and express the decryption algorithm in terms of a algebraic circuit. However, we can do better.

The fundamental operation in many cryptosystems is exponentiation in a group $G$ of prime order $p$. We have a secret exponent $b \in{0,1,2, \ldots, p-1}$ and want to compute $x^b$ for some $x \in G$. We use a $t$-out-of- $l$ Shamir secret sharing of $b$. For a set $\mathfrak{L}0$ of at least $t$ players and shares $\left.f\right|{\mathfrak{L}0}$, we get $$ \sum{P \in \mathfrak{U}0} \rho{P, \mathfrak{I}0} f(P) \equiv b \quad(\bmod p) \quad \text { and } \quad \prod{P \in \mathfrak{U}0} x^{\rho{P, \mathfrak{L}0} f(P)}=\prod{P \in \mathfrak{U}0}\left(x^{f(P)}\right)^{\rho{P, \mathfrak{L}_0}}
$$
If sufficiently many players compute $x^{f(P)}, x^b$ can be reconstructed.
Definition 12.7. Let $\mathrm{PKE}=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public key encryption scheme. $\mathrm{A}$ distributed decryption scheme for PKE and a set of players $\mathfrak{U}$ consists of three algorithms $(\mathcal{D} \mathcal{K}, \mathcal{D} \mathcal{D}, \mathcal{D} \mathcal{R})$

The key distribution algorithm $\mathcal{D} \mathcal{K}$ takes as input a decryption key $d k$ and outputs a decryption key sharing $d$ and a public commitment $p c$.
The distributed decryption algorithm $\mathcal{D} \mathcal{D}$ takes as input a player $P$, a decryption key share $d(P)$, associated data $a d$ and a ciphertext $c$ and outputs either a decryption share $m s$ or the special symbol $\perp$.
The reconstruction algorithm $\mathcal{D} \mathcal{R}$ takes as input a public commitment $p c$, a set of players $\mathfrak{L}_0$, associated data $a d$, a ciphertext $c$ and a set of decryption shares $\left{\left(P, m s_P\right) \mid P \in \mathfrak{U}_0\right}$. It outputs either a message $m$, or the special symbol $\perp$, or $\perp$ and $\mathfrak{U}_1 \subseteq \mathfrak{U}_0$.

We say that $(\mathcal{D} \mathcal{K}, \mathcal{D} \mathcal{D}, \mathcal{D R})$ is correct for an access structure $\mathfrak{A}$ if for any $\mathfrak{U}0 \subseteq \mathfrak{U}$, any $(e k, d k)$ output by $\mathcal{K}$, any decryption key sharing $d$ and public commitment $p c$ output by $\mathcal{D} \mathcal{K}(d k)$, any associated data ad $\in \mathfrak{F}{e k}$ and message $m \in \mathfrak{M}_{e k}$ and ciphertext $c$ output by $\mathcal{E}(e k, a d, m)$, and any decryption shares $m_P$ output by $\mathcal{D} \mathcal{D}(P, d(P), a d, c)$ for $P \in \mathfrak{U}_0$, we have that
$$
\mathcal{D} \mathcal{R}\left(p c, \mathfrak{U}_0, a d, c,\left{\left(P, m s_P\right) \mid P \in \mathfrak{U}_0\right}\right)=m
$$

数学代写|密码学作业代写Cryptography代考|Messaging Protocols

The original cryptographic problem is to have a secure conversation over an insecure channel, for reasonable values of secure, and we have briefly discussed the problem. We shall now formalise the problem and study solutions in detail.
The most extensive discussions were in Section 7.4 and Section 9.4. We build on these discussions and increase precision and the level of security we shall achieve. We shall also consider a greater variety of solutions.

We have previously distinguished between channels and messaging protocols, with the implicit understanding that channels are symmetric cryptosystems, while messaging protocols model multiple parties, though only two-party conversations. One goal for our work is to unify these treatments.

Unfortunately, there is a huge variety in messaging protocol design, and many of the variants have fairly subtle differences in security properties. Unlike the case for symmetric and public key encryption and digital signatures, it seems difficult to give an account of security notions for messaging protocols that is both exhaustive and of limited complexity. Unlike the case for key exchange, where we aimed for a somewhat comprehensive framework for security notions, we shall aim for a much simpler framework for messaging protocols, although there will be sufficient complexity left.

To guide our choices, we shall consider three reasonable classes of messaging protocols, for three distinct applications, and with concrete examples for each class. The first class is short-term, high-bandwidth, low-latency communications, such as establishing a short-term connection to a server. The second is long-term high-bandwidth, low-latency communications, such as establishing a long-term link between a remote sensor and a server. And the third is long-term, medium-bandwidth communications where latency is not crucial, such as text-based human-to-human messaging.

We shall make one crucial restriction on our messaging protocols. There should only be network traffic when establishing a conversation or when a message is sent, and each message sent should correspond to exactly one network message. This limits the types of security we can achieve. For instance, Alice cannot know if Bob has received a message until Bob responds with a message of his own. This choice is deliberate, with the assumption that applications can build such functionality and security on top of a messaging protocol.

密码学代写

数学代写|密码学作业代写Cryptography代考|DISTRIBUTED DECRYPTION

有时我们需要解密密文，但我们认为单方拥有解密密钥的风险太大。分布式解密允许我们通过在多方之间共享解密密钥并让他们合作计算解密来减轻这种风险。我们还需要稳健性，以便任何一方都不能违背自己的责任。
显而易见的方法是使用秘密共享和多方计算。我们秘密共享解密密钥并用代数电路表示解密算法。然而，我们可以做得更好。
许多密码系统的基本操作是在一个群中求幕 $G$ 素数 $p$. 我们有一个秘密指数 $b \in 0,1,2, \ldots, p-1$ 并想计算 $x^b$ 对于一些 $x \in G$. 我们使用一个 $t$-在……之外-l沙米尔的秘密分享 $b$. 对于一套 $\mathfrak{L} 0$ 至少 $t$ 球员和股份 $f \mid \mathcal{L} 0$, 我们得到
$\sum P \in \mathfrak{U} 0 \rho P, \mathfrak{I} 0 f(P) \equiv b \quad(\bmod p) \quad$ and $\quad \prod P \in \mathfrak{U} 0 x^{\rho P, \mathfrak{L} 0 f(P)}=\prod P \in \mathfrak{U} 0\left(x^{f(P)}\right)^{\rho P}$
如果足够多的玩家计算 $x^{f(P)}, x^b$ 可以重建。
定义 12.7。让 $\mathrm{PKE}=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ 是一个公钥加密方案。APKE分布式解密方案及一组播放器 $\mathfrak{U}$ 由三种算法组成 $(\mathcal{D} \mathcal{K}, \mathcal{D D}, \mathcal{D} \mathcal{R})$

密钥分发算法 $\mathcal{D K}$ 将解密密钥作为输入 $d k$ 并输出解密密钥共享 $d$ 和公开承诺 $p c$.
分布式解密算法 $\mathcal{D} \mathcal{D}$ 将玩家作为输入 $P$ ，一个解密密钥份额 $d(P)$, 关联数据 $a d$ 和密文 $c$ 并输出解密份额 $m s$ 或特殊符号上.
重建算法 $\mathcal{D} \mathcal{R}$ 将公开承诺作为输入 $p c_r$ 一组玩家 $\mathfrak{L}0$ ，关联数据 $a d_r$ 一个密文 $c$ 和一组解密共享和 $\mathfrak{U}_1 \subseteq \mathfrak{U}_0$. 我们说 $(\mathcal{D K}, \mathcal{D D}, \mathcal{D} \mathcal{R})$ 对于访问结构是正确的 $\mathfrak{A}$ 如果有的话 $\mathfrak{U} 0 \subseteq \mathfrak{U} ＼mathrm{~ ，任何 ~}(e k, d k)$ 输出方式 $\mathcal{K}$ ，任何解密密钥共享 $d$ 和公开承诺 $p c$ 输出方式 $\mathcal{D K}(d k)$ ，任何关联的数据广告 $\in \mathfrak{F} e k$ 和消息 $m \in \mathfrak{M}{e k}$ 和密文 $c$ 输出方式 $\mathcal{E}(e k, a d, m)$ ，以及任何解密共享 $m_P$ 输出方式 $\mathcal{D} \mathcal{D}(P, d(P), a d, c)$ 为了 $P \in \mathfrak{U}_0$.

数学代写|密码学作业代写Cryptography代考|Messaging Protocols

最初的密码学问题是在不安全的通道上进行安全对话，以获得合理的安全值，我们已经简要讨论了这个问题。我们现在将问题形式化并详细研究解决方案。
最广泛的讨论在第 7.4 节和第 9.4 节中。我们以这些讨论为基础，提高精确度和我们将达到的安全级别。我们还将考虑更多种类的解决方案。

我们之前已经区分了通道和消息传递协议，隐含的理解是通道是对称密码系统，而消息传递协议模拟多方，尽管只是两方对话。我们工作的一个目标是统一这些治疗方法。

不幸的是，消息传递协议的设计千差万别，而且许多变体在安全属性上都有相当细微的差异。与对称和公钥加密以及数字签名的情况不同，似乎很难对既详尽又复杂度有限的消息传递协议的安全概念进行说明。与密钥交换的情况不同，我们的目标是为安全概念建立一个比较全面的框架，我们的目标是为消息传递协议建立一个更简单的框架，尽管还有足够的复杂性。

为了指导我们的选择，我们将考虑三种合理的消息传递协议类别，用于三种不同的应用程序，并为每个类别提供具体示例。第一类是短期、高带宽、低延迟的通信，例如与服务器建立短期连接。第二种是长期高带宽、低延迟的通信，比如在远程传感器和服务器之间建立长期链接。第三种是延迟不重要的长期、中等带宽通信，例如基于文本的人与人之间的消息传递。

我们将对我们的消息协议做出一个重要的限制。只有在建立对话或发送消息时才会有网络流量，并且发送的每条消息都应恰好对应一条网络消息。这限制了我们可以实现的安全类型。例如，在 Bob 用他自己的消息响应之前，Alice 无法知道 Bob 是否收到消息。这种选择是经过深思熟虑的，假设应用程序可以在消息传递协议之上构建此类功能和安全性。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|MATH212

Posted on 2023年3月17日2023年3月17日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|CONTINUOUS KEY EXCHANGE

It is sometimes desirable to refresh keys often, to reduce the consequences of session key compromise. This also speeds up recovery time if the key compromise was a one-time event, in particular if the compromise was not detected.
Remark. This is a somewhat obscure threat model, but it is not unrealistic. One example is an adversary using an unknown implementation flaw to compromise a terminal without detection. A subsequent update to the terminal fixes the flaw and as a side effect removes the terminal from the adversary’s control. If the key material is not then refreshed, the adversary retains access to the terminal’s communications.

The natural way to refresh keys is to exchange keys continously. But at the same time, it is also desirable to have as few network exchanges as possible. It would therefore be good if the continuous key exchange could piggy-back on the regular network exchanges. (The amount of data sent over the network still increases, but there is sometimes a non-trivial per-message cost involved in network communications, and avoiding it is good.)

The natural thing to do now is to use a two-round key exchange, but this can only achieve implicit authentication. That is in some sense acceptable, because we anyway intend to use the session key immediately, thereby conferring explicit authentication on the session key.

In a conversation between Alice and Bob, the idea would be that Alice sends her initiator message to Alice. Bob responds with a responder message and a key confirmation token but also sends his own intiator message. Alice responds with her own key confirmation token, a message encrypted under the session key, a responder message for Bob’s initiator message, and her own second initiator message. And so it goes.

In principle, Bob could have sent an encrypted message along with his first responder message, but at that point in time he does not actually know that Alice is present. For the subsequent key exchanges, it makes sense to be a bit more aggressive, sending messages encrypted under a session key together with the responder message that establishes the session key, provided we tie the session key to previous session keys, perhaps by including a complete or partial network history in the key exchange associated data.

数学代写|密码学作业代写Cryptography代考|Witness Relations

Our statements shall simply be set elements belonging to some set $X$. The true statements are defined to be the statements belonging to some subset $L \subseteq X$. The subset $L$ is usually called a language.

Remark. In mathematical logic the set $X$ is usually the set of strings of symbols from some alphabet. The set $L$ is the subset of strings generated from a set of axioms and some interesting rules, with the pious hope that the strings of the language can be interpreted as true mathematical statements. While we shall consider other sets, we retain this use of language.

When we have a statement in a language, we will often need a piece of evidence for this fact. This piece of evidence will be called a witness.

We now define these structures precisely. Consider a set $X$ of statements, a subset (language) $L \subseteq X$, a set $W$ (witnesses) and a relation $R \subseteq X \times W$. We say that $R$ is a witness relation for $L$ if for any $x \in X, x \in L$ if and only if there exists a witness $w \in W$ such that $x R w$.

Given this, proving that a witness exists proves that a statement $x \in X$ belongs to $L$. Proving that we know a witness is a stronger statement.

Remark. Sometimes, we shall assume that the tuple $(X, L, W, R)$ comes equipped with probability distributions on $X, L, X \backslash L$ and $W$, along with suitable algorithms for sampling according to these distributions.

Example 11.1. Let $l$ be an integer and let $X$ be the set of pairs of graphs with $l$ vertices ${1,2, \ldots, l}$. Let $L \subseteq X$ be the pairs with isomorphic graphs. Let $W$ be the set of permutations on ${1,2, \ldots, l}$. Let $R$ be the relation defined by $\left(G_0, G_1\right) R \pi$ if and only if $\pi$ is a isomorphism from $G_0$ to $G_1$.

Example 11.2. Let $l$ be an integer and let $X$ be the set of graphs with $l$ vertices ${1,2, \ldots, l}$. Let $L$ be the set of Hamiltonian graphs with $l$ vertices. Let $W$ be the set of cycles for graphs with $l$ vertices. Let $R$ be the relation defined by $x R w$ if and only if $w$ is an Hamiltonian cycle on $x$.

密码学代写

数学代写|密码学作业代写Cryptography代考|CONTINUOUS KEY EXCHANGE

有时需要经常刷新密钥，以减少会话密钥泄露的后果。如果密钥泄露是一次性事件，尤其是在未检测到泄露的情况下，这也会加快恢复时间。
评论。这是一个有些晦涩的威胁模型，但并非不切实际。一个例子是对手使用未知的实施缺陷在不被发现的情况下破坏终端。随后对终端的更新修复了该缺陷，并作为副作用将终端从对手的控制中移除。如果随后不刷新密钥材料，则对手将保留对终端通信的访问权限。

刷新密钥的自然方式是不断地交换密钥。但与此同时，网络交换越少越好。因此，如果连续的密钥交换可以搭载在常规网络交换上，那就太好了。（通过网络发送的数据量仍在增加，但网络通信中有时会涉及不小的每条消息成本，避免这种情况是好的。）

现在自然要做的是使用两轮密钥交换，但这只能实现隐式认证。这在某种意义上是可以接受的，因为我们无论如何都打算立即使用会话密钥，从而对会话密钥进行显式身份验证。

在 Alice 和 Bob 之间的对话中，想法是 Alice 将她的发起者消息发送给 Alice。Bob 使用响应者消息和密钥确认令牌进行响应，但也发送他自己的发起者消息。Alice 用她自己的密钥确认令牌、一条在会话密钥下加密的消息、Bob 的发起者消息的响应者消息以及她自己的第二个发起者消息进行响应。事情就是这样。

原则上，Bob 可以连同他的第一响应者消息一起发送一条加密消息，但在那个时间点他实际上并不知道 Alice 在场。对于后续的密钥交换，更积极一些是有意义的，发送在会话密钥下加密的消息以及建立会话密钥的响应消息，前提是我们将会话密钥与先前的会话密钥相关联，也许通过包括一个完整的会话密钥或密钥交换相关数据中的部分网络历史记录。

数学代写|密码学作业代写Cryptography代考|Witness Relations

我们的陈述应该只是属于某个集合的集合元素 $X$. 真语句被定义为属于某个子集的语句 $L \subseteq X$. 子集 $L$ 通常被称为语言。
评论。在数理逻辑中集合 $X$ 通常是来自某个字母表的一组符号串。套装 $L$ 是从一组公理和一些有趣的规则生成的字符串的子集，虔诚地莃望语言的字符串可以解释为真正的数学语句。虽然我们将考虑其他集合，但我们保留了这种语言用法。
当我们有一种语言的陈述时，我们通常需要一些证据来证明这一事实。这份证据将被称为证人。
我们现在精确地定义这些结构。考虑一组 $X$ 语句的子集 (语言) $L \subseteq X$ ，一套 $W$ (证人) 和关系 $R \subseteq X \times W$. 我们说 $R$ 是见证人关系 $L$ 如果有的话 $x \in X, x \in L$ 当且仅当存在证人 $w \in W$ 这样 $x R w$
鉴于此，证明证人存在证明了一个陈述 $x \in X$ 属于 $L$. 证明我们认识证人是更有力的陈述。
评论。有时，我们假设元组 $(X, L, W, R)$ 配备了概率分布 $X, L, X \backslash L$ 和 $W$ ，以及根据这些分布进行采样的合适算法。
例 11.1。让 $l$ 是一个整数，让 $X$ 是图对的集合 $l$ 顶点 $1,2, \ldots, l$. 让 $L \subseteq X$ 是具有同构图的对。让 $W$ 是排列的集合 $1,2, \ldots, l$. 让 $R$ 是定义的关系 $\left(G_0, G_1\right) R \pi$ 当且仅当 $\pi$ 是同构的 $G_0$ 到 $G_1$.
例 11.2。让 $l$ 是一个整数，让 $X$ 是图形的集合 $l$ 顶点 $1,2, \ldots, l$. 让 $L$ 是哈密顿图的集合 $l$ 顶点。让 $W$ 是图的循环集 $l$ 顶点。让 $R$ 是定义的关系 $x R w$ 当且仅当 $w$ 是哈密顿循环 $x$.

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|MATH307

Posted on 2023年3月17日2023年3月17日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|SINGLE-MESSAGE KEY EXCHANGE

In many communications networks the latency is non-trivial. It is therefore important to minimise the number of messages sent between parties in a protocol. The example protocols we have looked at so far are two- and threemessage protocols. It is worthwhile investigating if we can do key exchange in a single message. Unfortunately, it can be proven that we cannot achieve strong authentication with a single message, nor can we achieve security against long-term key reveals, unless we allow long-term keys to change.

Example 10.11. Let $\mathrm{KEM}=(\mathcal{K K}, \mathcal{K} \mathcal{E}, \mathcal{K} \mathcal{D})$ be a key encapsulation mechanism for $\mathfrak{R}$ with associated data from $\mathfrak{F}$ and let $\operatorname{SIG}=(\mathcal{K}, \mathcal{S}, \mathcal{V})$ be a signature scheme. We construct the following key exchange protocol $\mathrm{KEX}=(\mathfrak{R}, \mathcal{K}, \mathcal{I}, \mathcal{R})$ :

The key generation protocol $\mathcal{K}$ computes $(e k, d k) \leftarrow \mathcal{K},(v k, s k) \leftarrow \mathcal{K}$ and outputs the public key $(e k, v k)$ and the private key $(d k, s k)$.
The initiator algorithm takes as input $a d,(e k, v k),\left(e k^{\prime}, v k^{\prime}\right)$ and $(d k, s k)$, computes $(c, k) \leftarrow \mathcal{K} \mathcal{E}\left(e k^{\prime},\left(a d, e k, v k, e k^{\prime}, v k^{\prime}\right)\right)$ and $\sigma \leftarrow \mathcal{S}(s k, c)$, sends $(c, \sigma)$ and outputs $k$.
The responder algorithm takes as input $a d,(e k, v k),\left(e k^{\prime}, v k^{\prime}\right)$ and $\left(d k^{\prime}, s k^{\prime}\right)$. When it receives $m=(c, \sigma)$, it checks that $\mathcal{V}(v k, c)=1$ and computes $k \leftarrow \mathcal{K} \mathcal{D}\left(d k,\left(a d, e k, v k, e k^{\prime}, v k^{\prime}\right), c\right)$. If the signature verification or the decryption fails, it outputs $\perp$. Otherwise it outputs $k$.
Exercise 10.19. Show that the above protocol is a key exchange protocol.
Proposition 10.23. Let $\mathcal{A}$ be a non-invasive $\left(\tau, 1, l_u, l_s\right)$-adversary against the above key exchange protocol KEX. Then there exists a $\left(\tau_1^{\prime}, l_s, l_s\right)$-adversary $\mathcal{B}1$ against $\mathrm{KEM}$ and a $\left(\tau_2^{\prime}, l_s\right)$-adversary $\mathcal{B}_2$ against $\mathrm{SIG}$, where $\tau_1^{\prime}$ and $\tau_2^{\prime}$ are essentially equal to $\tau$, such that $$ \operatorname{Ad}{\mathrm{KEM}}^{\text {keX-s-w }}(\mathcal{A}) \leq 2 \mathbf{C o l}{\text {KEM }}\left(l_s\right)+2 l_u \mathbf{A d} \mathbf{v}{\text {KEM }}^{\text {ror-caa }}\left(\mathcal{B}1\right)+2 \mathbf{A d} \mathbf{v}{\mathrm{SIG}}^{\text {suf-mu-cma }}\left(\mathcal{B}_2\right)
$$

数学代写|密码学作业代写Cryptography代考|SINGLE-SIDED AUTHENTICATION

Defining single-sided security is in some sense easy. The key generation algorithm is run once and the resulting key pair is made public. The party that does not authenticate will use this key pair. That is, the non-authenticating users are equivalent to a single user that has had its long-term key revealed.
However, it is better to design a dedicated protocol for single-sided authentication. We say that a protocol is a single-sided authentication key exchange protocol if there is a special key pair $\left(p k_{\perp}, s k_{\perp}\right)$, the initiator role only accepts $\left(p k_{\perp}, s k_{\perp}\right)$ as its key pair, the responder role only accepts $p k_{\perp}$ as its initiator public key, and $p k_{\perp}$ is never accepted as a responder public key. In practice,the initiator role simply does not take an initiator key pair as input, and the responder role does not take an initiator public key.

With respect to security notions, we simply consider the special key pair $\left(p k_{\perp}, s k_{\perp}\right)$ to be revealed, which means that we can reuse partnering notions, authentication predicates and freshness predicates.

Exercise 10.25. A single user suffices. Let $\mathcal{A}$ be a $\left(\tau, 1, l_u, l_s\right)$-adversary against a single-sided authentication key exchange protocol KEX. Show that there exists a $\left(\tau^{\prime}, 1,1, l_s\right)$-adversary $\mathcal{B}$ against KEX, where $\tau^{\prime}$ is essentially equal to $\tau$, and
$$
\mathbf{A d}{\mathrm{KEX}}^{\mathrm{kex}}(\mathcal{A}) \leq l_u \mathbf{A} \mathbf{d} \mathbf{v}{\mathrm{KEX}}^{\mathrm{kex}}(\mathcal{B})
$$
Hint: Compare with Proposition 10.7 from Section 10.2.4.
The best known single-sided authentication protocol is derived from a KEM. The initiator creates an encapsulation and the responder decapsulates.
Example 10.12. Given a key encapsulation mechanism $\mathrm{KEM}=(\mathcal{K K}, \mathcal{K} \mathcal{E}, \mathcal{K} \mathcal{D})$ with key set $\mathfrak{R}_s$ and associated data set $\mathfrak{F}$, we define the following key exchange protocol $\mathrm{KEX}=\left(\mathfrak{R}_s, \mathcal{K}, \mathcal{I}, \mathcal{R}\right):$

The key generation protocol $\mathcal{K}$ is identical to the key encapsulation scheme’s key generation protocol, where the public key is the encapsulation key and the secret key is the decapsulation key.
The initiator algorithm takes as input associated data ad and a public key $p k$. It computes $(c, k) \leftarrow \mathcal{K} \mathcal{E}(p k, a d)$. It sends $c$ and outputs $k$.
The responder algorithm takes as input associated data ad and a key pair $(p k, s k)$. When it receives $c$, it computes $k \leftarrow \mathcal{K} \mathcal{D}(s k, a d, c)$. If the decapsulation fails, it outputs $\perp$. Otherwise it ouputs $k$.

密码学代写

数学代写|密码学作业代写Cryptography代考|SINGLE-MESSAGE KEY EXCHANGE

在许多通信网络中，延迟是非常重要的。因此，重要的是尽量减少协议中各方之间发送的消息数量。到目前为止，我们看到的示例协议是两个和三个消息协议。我们是否可以在单个消息中进行密钥交换值得研究。不幸的是，可以证明我们无法通过单个消息实现强身份验证，也无法实现针对长期密钥泄露的安全性，除非我们允许更改长期密钥。
例 10.11。让 $K E M=(\mathcal{K K}, \mathcal{K} \mathcal{E}, \mathcal{K} \mathcal{D})$ 是一个关键的封装机制 $\Re$ 相关数据来自 $\mathfrak{F}$ 然后让 $\mathrm{SIG}=(\mathcal{K}, \mathcal{S}, \mathcal{V})$ 是一个签名方案。我们构建以下密钥交换协议 $\mathrm{KEX}=(\Re, \mathcal{K}, \mathcal{I}, \mathcal{R})$ :

密钥生成协议 $\mathcal{K}$ 计算 $(e k, d k) \leftarrow \mathcal{K},(v k, s k) \leftarrow \mathcal{K}$ 并输出公钥 $(e k, v k)$ 和私钥 $(d k, s k)$.
发起者算法作为输入 $a d,(e k, v k),\left(e k^{\prime}, v k^{\prime}\right)$ 和 $(d k, s k)$, 计算 $(c, k) \leftarrow \mathcal{K} \mathcal{E}\left(e k^{\prime},\left(a d, e k, v k, e k^{\prime}, v k^{\prime}\right)\right)$ 和 $\sigma \leftarrow \mathcal{S}(s k, c)$ ，发送 $(c, \sigma)$ 和输出 $k$.
响应者算法作为输入 $a d,(e k, v k),\left(e k^{\prime}, v k^{\prime}\right)$ 和 $\left(d k^{\prime}, s k^{\prime}\right)$. 当它收到 $m=(c, \sigma)$, 它检查 $\mathcal{V}(v k, c)=1$ 并计算 $k \leftarrow \mathcal{K} \mathcal{D}\left(d k,\left(a d, e k, v k, e k^{\prime}, v k^{\prime}\right), c\right)$. 如果签名验证或解密失败，则输出 . 否则输出 $k$.
练习 10.19。证明上述协议是一个密钥交换协议。
提案 10.23。让 $\mathcal{A}$ 是一个非侵入性的 $\left(\tau, 1, l_u, l_s\right)$ – 针对上述密钥交换协议 KEX 的对手。那么存在一个 $\left(\tau_1^{\prime}, l_s, l_s\right)$-对手 $\mathcal{B} 1$ 反对KEM和一个 $\left(\tau_2^{\prime}, l_s\right)$-对手 $\mathcal{B}_2$ 反对 $\mathrm{SIG}$ ，在哪里 $\tau_1^{\prime}$ 和 $\tau_2^{\prime}$ 本质上等于 $\tau$ ，这样
$$
\operatorname{AdKEM}^{\mathrm{keX}-\mathrm{s}-\mathrm{w}}(\mathcal{A}) \leq 2 \text { ColKEM }\left(l_s\right)+2 l_u \mathbf{A d v K E M}^{\text {ror-caa }}(\mathcal{B} 1)+2 \mathbf{A d v S I G} \text { suf-mu-cma }
$$

数学代写|密码学作业代写Cryptography代考|SINGLE-SIDED AUTHENTICATION

从某种意义上说，定义单边安全性很容易。密钥生成算法运行一次，生成的密钥对公开。末进行身份验证的一方将使用此密钥对。也就是说，非身份验证用户等同于已公开其长期密钥的单个用户。
但是，最好为单方认证设计一个专用协议。如果有一个特殊的密钥对，我们说一个协议是一个单边认证密钥交换协议 $\left(p k_{\perp}, s k_{\perp}\right)$ ，发起者角色只接受 $\left(p k_{\perp}, s k_{\perp}\right)$ 作为它的密钥对，响应者角色只接受 $p k_{\perp}$ 作为其发起者公钥，以及 $p k_{\perp}$ 永远不会被接受为响应者公钥。在实践中，发起者角色根本不接受发起者密钥对作为输入，响应者角色也不接受发起者公钥。
关于安全概念，我们简单地考虑特殊密钥对 $\left(p k_{\perp}, s k_{\perp}\right)$ 被揭示，这意味着我们可以重用合作概念、身份验证谓词和新鲜度谓词。
练习 10.25。一个用户就足够了。让 $\mathcal{A}$ 是一个 $\left(\tau, 1, l_u, l_s\right)$-对抗单边认证密钥交换协议 KEX 的对手。证明存在一个 $\left(\tau^{\prime}, 1,1, l_s\right)$-对手 $\mathcal{B}$ 针对 KEX，其中 $\tau^{\prime}$ 本质上等于 $\tau$ ，和 $\$ \$$
Imathbf ${A \mathrm{~d}}{$ Imathrm ${K E X}} \wedge{$ Imathrm ${$ kex $}}(I m a t h c a \mid{A}) ~ V e q ~ I _u ~ I m a t h b f{A}|m a t h b f{d}| m a t h b f{v}$ ${\backslash m a t h r m{K E X}} \wedge{\backslash m a t h r m{k e x}}(\backslash m a t h c a l{B})$ $\$ \$$
提示: 与第 10.2 .4 节中的命题 10.7 进行比较。
最著名的单方身份验证协议源自 KEM 发起者创建封装，响应者解封装。
例 10.12。给定一个密钥封装机制 $\mathrm{KEM}=(\mathcal{K K}, \mathcal{K} \mathcal{E}, \mathcal{K} \mathcal{D})$ 带钥题组 $\Re_s$ 和相关数据集 $\mathfrak{F}$ ，我们定义以下密钥交换协议 $\mathrm{KEX}=\left(\Re_s, \mathcal{K}, \mathcal{I}, \mathcal{R}\right):$

密钥生成协议 $\mathcal{K}$ 与密钥封装方案的密钥生成协议相同，其中公钥是封装密钥，秘密密钥是解封装密钥。
发起者算法将关联数据广告和公钥作为输入 $p k$. 它计算 $(c, k) \leftarrow \mathcal{K} \mathcal{E}(p k, a d)$. 它发送 $c$ 和输出 $k$.
响应者算法将相关数据广告和密钥对作为输入 $(p k, s k)$. 当它收到 $c$, 它计算 $k \leftarrow \mathcal{K} \mathcal{D}(s k, a d, c)$. 如果解封装失败，则输出 $\perp$. 否则输出 $k$.

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CIS556

Posted on 2023年2月17日2023年2月17日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|Simple Homomorphic Counting

We shall now consider a different way to do counting, using a grouphomomorphic cryptosystem. Consider first a yes/no election, where the result is the number of yes ballots cast. The idea is to encode yes and no as group elements. To count the encrypted ballots, we use the cryptosystem’s operation to combine all the ciphertexts into a single ciphertext and then decrypt it. The decryption is then a product of powers of the two elements used to encode yes and no, with the powers being the number of yes and no ballots cast.

Example 8.32. Let $l_0$ be a positive integer, and let $\mathfrak{F}$ be as in Example 8.18, but with the additional requirement that for each tuple, there are distinct public elements $g_0, g_1 \in \mathfrak{P}$ such that one of them has order greater than $l_0$. Let $\operatorname{PKE}{\mathfrak{F}}=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the corresponding group-homomorphic cryptosystem. The voting scheme $\operatorname{VOTE}{\mathfrak{F}}$ with ballot set ${0,1}$ and associated data set $\mathfrak{F}$, for the counting function $f\left(v_1 v_2 \ldots v_l\right)=\sum_i v_i$ that sums the ballots, is:

The setup algorithm $\mathcal{V S}$ computes $(e k, d k) \leftarrow \mathcal{K}$ and outputs $(e k, d k)$.
The casting algorithm $\mathcal{C B}$ takes as input a casting key $e k$, associated data $a d$ and a ballot $v$, computes $c \leftarrow \mathcal{E}\left(e k, g_v\right)$, and outputs $c$.
The counting algorithm $\mathcal{V C}$ takes as input a counting key $d k$ and a list of encrypted ballots $c_1, c_2, \ldots, c_l$. It computes $x \leftarrow \mathcal{D}\left(d k, \prod_i c_i\right)$, finds $k$ such that $x=g_0^{l-k} g_1^k$ and outputs $k$.

This scheme is $l_0$-correct, since if $(e k, d k)$ was output by $\mathcal{K}$ and $c_i \leftarrow$ $\mathcal{E}\left(e k, g_{v_i}\right)$ for $i=1,2, \ldots, l$, then
$$
\mathcal{D}\left(d k, \prod_i c_i\right)=\prod_i \mathcal{D}\left(d k, c_i\right)=\prod_i g_{v_i}=g_0^{l-\sum_i{ }^{v_i}} g_1 \sum_i{ }^{v_i} .
$$
One possible cryptosystem is ElGamal over some group $G$, as in Example 8.11. Typically, $g_0$ would be 1 and $g_1$ would be a generator for the group. Of course, in order to recover the election result, we need to compute $\log _{g_1} x$, which is easy since the discrete logarithm will be small.

It would be nice to generalise this scheme to a one-out-of- $\nu$ election, where you can vote for one out of $\nu$ candidates. The obvious idea is to have $\nu$ group elements $g_1, g_2, \ldots, g_\nu$ chosen so that if $0 \leq k_i<l_0$ for $i=1,2, \ldots, \nu$, then $g_1^{k_1} g_2^{k_2} \ldots g_\nu^{k_\nu}=1$ implies $k_1=k_2=\cdots=k_\nu=0$. In general, when $\nu$ becomes large it becomes hard to recover $k_1, k_2, \ldots, k_k$ from the group element. However, for some specific group structures $\nu$ can be usefully large.

数学代写|密码学作业代写Cryptography代考|DEFINING SECURITY

Before we can arrive at a security definition for digital signatures, we must first discuss the adversary’s goal and the adversary’s capabilities. Note the similarity between signatures and message authentication codes.

We begin with the adversary’s capabilities. The adversary will be able to see valid signatures on some messages, but the question is how the messages are chosen. The adversary can probably influence the messages signed, so we allow the adversary to choose the messages, a chosen message attack.

The natural adversarial goal is to forge a valid signature on some message. Yet again, we have to decide how this message is chosen, and again it makes sense to allow the adversary to choose the message. Like for message authentication codes, we do have one choice left. Is it sufficient for the adversary to come up with a new signature on a message it already has a signature for, or must it be able to forge a signature for a new message? Again, as for message authentication codes, the latter seems sufficient for most applications, while for security proofs we will often need the former.

Definition 9.1. A $\left(\tau, l_s\right)$-adversary against a signature scheme SIG is an interactive algorithm $\mathcal{A}$ that interacts with the experiment in Figure $9.1$ making at most $l_s$ chosen message queries, and where the runtime of the adversary and the experiment is at most $\tau$.

The existential unforgeability advantage and the strong unforgeability advantage of this adversary are defined to be
$$
\operatorname{Adv}{\mathrm{SIG}}^{\text {euf-cma }}(\mathcal{A})=\operatorname{Pr}[E] \quad \text { and } \quad \mathbf{A d v}{\mathrm{SIG}}^{\text {suf }-\mathrm{cma}}(\mathcal{A})=\operatorname{Pr}[F]
$$
where $E$ is the event that $m_0 \notin C_0$ and $\mathcal{V}\left(v k, m_0, \sigma_0\right)=1$, and $F$ is the event that $\left(m_0, \sigma_0\right) \notin C_1$ and $\mathcal{V}\left(v k, m_0, \sigma_0\right)=1$.
We say that the pair $\left(m_0, \sigma_0\right)$ is a forgery, and also that $\mathcal{A}$ is a forger.

密码学代写

数学代写|密码学作业代写Cryptography代考|Simple Homomorphic Counting

我们现在将考虑使用群同态密码系统进行计数的不同方法。首先考虑是/否选举，结果是投赞成票的数量。这个想法是将 yes 和 no 编码为组元素。为了计算加密的选票，我们使用密码系统的操作将所有密文组合成一个密文，然后对其进行解密。解密然后是用于编码是和否的两个元素的幂的乘积，幂是投出的是和否选票的数量。
示例 8.32。让 $l_0$ 是一个正整数，并且让 $\mathfrak{F}$ 与例 $8.18$ 一样，但额外要求每个元组都有不同的公共元素 $g_0, g_1 \in \mathfrak{P}$ 这样其中一个的阶数大于 $l_0$. 让PKE $\mathfrak{F}=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ 是相应的群同态密码系统。投票方案 VOTE $\mathfrak{F}$ 有选票 0,1 和相关数据集 $\mathfrak{F}$ ，对于计数函数 $f\left(v_1 v_2 \ldots v_l\right)=\sum_i v_i$ 对选票求和的是:

设置算法 $\mathcal{V} \mathcal{S}_{\text {计算 }}(e k, d k) \leftarrow \mathcal{K}$ 和输出 $(e k, d k)$.
铸造算法 $\mathcal{C B}$ 将铸造钥匙作为输入 $e k$, 关联数据 $a d$ 和一张选票 $v$, 计算 $c \leftarrow \mathcal{E}\left(e k, g_v\right)$, 和输出 $c$.
计数算法 $\mathcal{C C}$ 将计数键作为输入 $d k$ 和加密选票列表 $c_1, c_2, \ldots, c_l$. 它计算 $x \leftarrow \mathcal{D}\left(d k, \prod_i c_i\right)$, 发现 $k$ 这样 $x=g_0^{l-k} g_1^k$ 和输出 $k$.
这个方案是 $l_0$-正确，因为如果 $(e k, d k)$ 由输出 $\mathcal{K}$ 和 $c_i \leftarrow \mathcal{E}\left(e k, g_{v_i}\right)$ 为了 $i=1,2, \ldots, l$ ，然后
$$
\mathcal{D}\left(d k, \prod_i c_i\right)=\prod_i \mathcal{D}\left(d k, c_i\right)=\prod_i g_{v_i}=g_0^{l-\sum_i^{v_i}} g_1 \sum_i^{v_i} .
$$
一种可能的密码系统是 ElGamal over some group $G$ ，如例 $8.11$ 所示。通常， $g_0$ 将是 1 和 $g_1$ 将成为该集团的发电机。当然，为了恢复选举结果，我们需要计算 $\log {g_1} x$ ，这很容易，因为离散对数很小。最好将此方案概括为一个单独的方案 $\nu$ 选举，在那里你可以投票选出一个 $\nu$ 候选人。显而易见的想法是 $\nu$ 群元素 $g_1, g_2, \ldots, g\nu$ 选择这样如果 $0 \leq k_i<l_0$ 为了 $i=1,2, \ldots, \nu$ ，然后 $g_1^{k_1} g_2^{k_2} \ldots g_\nu^{k_\nu}=1$ 暗示 $k_1=k_2=\cdots=k_\nu=0$. 一般来说，当 $\nu$ 变大就很难恢复 $k_1, k_2, \ldots, k_k$ 从组元素。但是，对于某些特定的组结构 $\nu$ 可以有用地大。

数学代写|密码学作业代写Cryptography代考|DEFINING SECURITY

在我们得出数字签名的安全定义之前，我们必须首先讨论对手的目标和对手的能力。请注意签名和消息验证码之间的相似性。
我们从对手的能力开始。对手将能够看到某些消息的有效签名，但问题是如何选择消息。对手可能会影响签名的消息，因此我们允许对手选择消息，即选择消息攻击。
自然的对抗目标是在某些消息上伪造一个有效的签名。再一次，我们必须决定如何选择这条消息，让对手选择消息也是有意义的。与消息验证码一样，我们确实只有一种选择。对手在已有签名的消息上提出新签名是否足够，或者它是否必须能够为新消息伪造签名? 同样，对于消息验证码，后者似乎对大多数应用程序来说就足够了，而对于安全证明，我们通常需要前者。
定义 9.1。 $\mathrm{A}\left(\tau, l_s\right)$-针对签名方案的对手 SIG 是一种交互式算法 $\mathcal{A}$ 与图中的实验交互 $9.1$ 最多做 $l_s$ 选择的消息查询，以及对手和实验的运行时间最多的地方 $\tau$.
这个对手的存在性不可伪造性优势和强不可伪造性优势被定义为
$$
\operatorname{Adv} \mathrm{SIG}^{\text {euf-cma }}(\mathcal{A})=\operatorname{Pr}[E] \quad \text { and } \quad \mathbf{A d v S I G}{ }^{\text {suf }-\mathrm{cma}}(\mathcal{A})=\operatorname{Pr}[F]
$$
在哪里 $E$ 是事件 $m_0 \notin C_0$ 和 $\mathcal{V}\left(v k, m_0, \sigma_0\right)=1$ ，和 $F$ 是事件 $\left(m_0, \sigma_0\right) \notin C_1$ 和 $\mathcal{V}\left(v k, m_0, \sigma_0\right)=1$
我们说这对 $\left(m_0, \sigma_0\right)$ 是伪造的，而且 $\mathcal{A}$ 是伪造者。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CS171

Posted on 2023年2月17日2023年2月17日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|CRYPTOGRAPHIC VOTING

An election is a process in which a set of voters come together to agree upon a result. Usually, this process consists of voters casting ballots, which somebody then counts to produce the result. We call this process a voting system.

How the result is computed from the cast ballots is encoded in a counting function. We usually represent the cast ballots as a string of ballots, so the counting function is a function from a set of strings of ballots to the set of results (which we conveniently leave undefined for the moment).

We shall assume that there is a total order on the ballot set. This allows us to sort a string of ballots. Counting should be independent of the order in which ballots are counted. For any string of ballots $v_1 v_2 \ldots v_l$, let $v_1^{\prime} v_2^{\prime} \ldots v_l^{\prime}$ be the corresponding sorted string of ballots. Then $f\left(v_1 \ldots v_l\right)=f\left(v_1^{\prime} \ldots v_l^{\prime}\right)$.
It is convenient to consider not only strings of ballots but also strings of ballots and the special symbol $\perp$. We extend any counting function to such strings, by first removing the $\perp$ symbols from the string and then evaluating the counting function on the result. With respect to sorting, we shall arbitrarily declare that $\perp$ is sorted before any ballot.

We will sometimes need our counting function to have a somewhat technical property, which essentially says that if the counting function agrees for two equal-length ballot strings, then regardless of what ballots we add to the two initial ballot strings, the counting function will continue to agree. When combined with the fact that the counting function does not care about the order of ballots in the string, this becomes a strong property of counting functions.
Definition 8.12. A counting function $f$ is additive if for any two ballot strings $v, v^{\prime}$ of equal length, if $f(v)=f\left(v^{\prime}\right)$, then $f\left(v v^{\prime \prime}\right)=f\left(v^{\prime} v^{\prime \prime}\right)$ for any string $v^{\prime \prime}$.
Example 8.28. The simplest possible election is the yes/no election. Typically, we encode these values as 1 and 0 , and the counting function can be
$$
f_1\left(v_1 v_2 \ldots v_l\right)= \begin{cases}0 & \sum_i v_il / 2, \text { and } \ \perp & \text { otherwise. }\end{cases}
$$

数学代写|密码学作业代写Cryptography代考|Simple Voting Scheme

The following is in some sense the cryptographic analogue of the traditional postal voting system, where the ballot is placed inside an envelope and identifying information is written on the outside of the envelope. The idea is that the encryption plays the role of the envelope.

We immediately note that unlike a ballot enclosed in an envelope, an encrypted ballot can be trivially and perfectly duplicated. This will cause confidentiality attacks, where an adversary attempts to use a chosen ciphertext query to duplicate a challenge ballot and thereby reveal the challenge bit. We use associated data to prevent this sort of attack.

Example 8.31. Let $\mathrm{PKE}=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public key cryptosystem with message space $\mathfrak{F}$ and associated data $\mathfrak{F}$.
The simple cryptographic voting scheme VOTE $=(\mathfrak{P}, \mathfrak{F}, \mathcal{V} \mathcal{S}, \mathcal{C B}, \mathcal{V C})$ is:

The setup algorithm $\mathcal{V} \mathcal{S}$ computes $(e k, d k) \leftarrow \mathcal{K}$ and outputs $(e k, d k)$.
The casting algorithm $\mathcal{C B}$ takes as input a casting key ek, associated data $a d$ and a ballot $v$, computes $c \leftarrow \mathcal{E}(e k, a d, v)$, and outputs $(a d, c)$.
The count algorithm $\mathcal{V C}$ takes as input a counting key $d k$ and encrypted ballots $\left(a d_1, c_1\right),\left(a d_2, c_2\right), \ldots,\left(a d_l, c_l\right)$. It computes $v_i \leftarrow \mathcal{D}\left(d k, a d_i, c_i\right)$ for $i=1,2, \ldots, l$ and outputs the sorting of the string $v_1 v_2 \ldots v_l$.

Exercise 8.46. Prove that the above scheme is correct with respect to the counting function that simply sorts its argument.

Exercise 8.47. Suppose the encrypted ballot does not include the associated data. Give an adversary with trivial runtime and advantage 1.

Proposition 8.20. Suppose every ballot in $\mathfrak{P}$ has the same length. Let $\mathcal{A}$ be $a\left(\tau, l_v, l_c, l_d\right)$-adversary adversary against indistinguishability for VOTE. Then there exists a $\left(\tau^{\prime}, l_c, l_d\right)$-adversary $\mathcal{B}$ against indistinguishability for $\mathrm{PKE}$, with $\tau^{\prime}$ essentially equal to $\tau$, and
$$
\operatorname{Ad}{\mathbf{v O T E}}^{\text {ind }}(\mathcal{A})=\mathbf{A d v}{\mathrm{PKE}}^{\text {ind-cca }}(\mathcal{B})
$$

密码学代写

数学代写|密码学作业代写Cryptography代考|CRYPTOGRAPHIC VOTING

选举是一组选民聚集在一起就结果达成一致的过程。通常，这个过程包括选民投票，然后有人计算结果。我们称这个过程为投票系统。
如何从投票中计算出结果被编码在一个计数函数中。我们通常将投票表示为一串选票，因此计数函数是从一组选票到结果集的函数 (我们暂时不定义)。
我们假设在选票集上有一个总顺序。这允许我们对一串选票进行排序。计票应独立于计票顺序。对于任何一串选票 $v_1 v_2 \ldots v_l$ ，让 $v_1^{\prime} v_2^{\prime} \ldots v_l^{\prime}$ 是相应的排序选票串。然后 $f\left(v_1 \ldots v_l\right)=f\left(v_1^{\prime} \ldots v_l^{\prime}\right)$.
不仅考虑选票串，还考虑选票串和特殊符号，很方便 $\perp$. 我们通过首先删除 $从$ 字符串中提取符号，然后对结果计算计数函数。关于排序，我们将任意声明上在任何投票之前进行排序。
有时我们需要我们的计数函数具有某种技术特性，这实质上是说如果计数函数同意两个等长的选票串，那么无论我们向两个初始选票串添加什么选票，计数函数都将继续同意。结合计数函数不关心字符串中选票顺序的事实，这成为计数函数的强大属性。
定义 8.12。计数功能 $f$ 如果对于任何两个选票字符串，则为加法 $v, v^{\prime}$ 长度相等，如果 $f(v)=f\left(v^{\prime}\right)$ ，然后 $f\left(v v^{\prime \prime}\right)=f\left(v^{\prime} v^{\prime \prime}\right)$ 对于任何字符串 $v^{\prime \prime}$.
示例 8.28。最简单的可能选举是是/否选举。通常，我们将这些值编码为 1 和 0 ，计数函数可以是
$f_1\left(v_1 v_2 \ldots v_l\right)=\left{0 \quad \sum_i v_i l / 2\right.$, and $\perp$ otherwise.

数学代写|密码学作业代写Cryptography代考|Simple Voting Scheme

以下在某种意义上是传统邮政投票系统的密码模拟，其中选票放在信封内，识别信息写在信封外面。这个想法是加密扮演信封的角色。
我们立即注意到，与装在信封中的选票不同，加密选票可以轻松完美地复制。这将导致机密性攻击，在这种情况下，对手会尝试使用选定的密文查询来复制挑战选票，从而揭示挑战位。我们使用关联数据来防止此豸攻桊。
例 8.31。让PKE $=(\mathcal{K}, \mathcal{E}, \mathcal{D})$ 是具有消息空间的公钥密码系统 $\mathfrak{F}$ 和相关数据 $\mathfrak{F}$.
简单的加密投票方案 VOTE $=(\mathfrak{P}, \mathfrak{F}, \mathcal{V S}, \mathcal{C B}, \mathcal{V C})$ 是:

设置算法 $\mathcal{S}$ 计算 $(e k, d k) \leftarrow \mathcal{K}$ 和输出 $(e k, d k)$.
铸造算法 $\mathcal{C B}$ 将铸造密钥 ek 作为输入，关联数据 $a d$ 和一张选票 $v$, 计算 $c \leftarrow \mathcal{E}(e k, a d, v)$ ，和输出 $(a d, c)$.
计数算法 $\mathcal{V}$ 将计数键作为输入 $d k$ 和加密选票 $\left(a d_1, c_1\right),\left(a d_2, c_2\right), \ldots,\left(a d_l, c_l\right)$. 它计算 $v_i \leftarrow \mathcal{D}\left(d k, a d_i, c_i\right)$ 为了 $i=1,2, \ldots, l$ 并输出字符串的排序 $v_1 v_2 \ldots v_l$.
练习 8.46。证明上述方案对于简单排序其参数的计数函数是正确的。
练习 8.47。假设加密选票不包含相关数据。给对手带来微不足道的运行时间和优势 1 。
提案 8.20。假设每张选票自具有相同的长度。让 $\mathcal{A}$ 是 $a\left(\tau, l_v, l_c, l_d\right)$-adversary 对手反对投票的不可区分性。那么存在一个 $\left(\tau^{\prime}, l_c, l_d\right)$-对手 $\mathcal{B}$ 反对不可区分性PKE，和 $\tau^{\prime}$ 本质上等于 $\tau$ ，和
$\operatorname{Ad} \mathbf{v O T E} \mathbf{F}^{\text {ind }}(\mathcal{A})=\mathbf{A d v P K E}{ }^{\text {ind-cca }}(\mathcal{B})$

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CS709

Posted on 2023年2月17日2023年2月17日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|Equivocable and Extractable

This commitment scheme is based on Paillier encryption from Example 8.17, and the commitment algorithm is a variant of Paillier encryption. The commitment key contains a Paillier ciphertext, and by varying the message encrypted we can “trapdoor” commitment keys, so that either we can open a commitment to any value, or extract the committed message from a commitment.
These properties are interesting because of their application in security proofs. Great care must be taken using any such commitment scheme.

Let $p, q$ be distinct large primes such that $(p-1) / 2$ and $(q-1) / 2$ are also primes distinct from $p$ and $q$. Let $n=p q$. Let $k$ be a positive integer and let $S=\left{0,1, \ldots, n^2 2^k\right}$. Note that $n$ is relatively prime to the order of $\mathbb{Z}_n^*$.
Exercise 8.43. Let $-n^2<\nu<n^2$. Compute the statistical distance between the uniform distribution on $\left{0,1, \ldots, n^2 2^k\right}$ and the uniform distribution on $\left{\nu, \nu+1, \ldots, n^2 2^k+\nu\right}$. How does it behave as $k$ grows?

For almost all $r \in \mathbb{Z}{n^2}^,-r^2$ has maximal order. To generate a commitment key, first generate an RSA modulus $n$ satisfying the requirements. Sample $r \leftarrow \mathbb{Z}{n^2}^$ and compute $g \leftarrow-r^2$. The commitment key is $(n, g)$.

To commit to a message $m \in \mathbb{Z}_n$, sample $r \leftarrow S$, and compute the commitment $u \leftarrow g^r(1+n)^m$. The opening is $r$.
To verify that $o$ is an opening of $u$ to $m$, check that $u=g^o(1+n)^m$.
Equivocable A commitment scheme is equivocable if we can generate the commitment key in a particular way, which will give us a “trapdoor” that allows us to open a commitment to any message, in such a way that the opening is indistinguishable from the “correct” opening.

Formally, we have two additional algorithms: an equivocable commitment key generator $\mathcal{C K}_{e q}$ that outputs an equivocable commitment key and a “trapdoor”; and an equivocate algorithm $\mathcal{C Q}$ that on input of a commitment key, a “trapdoor”, a commitment, an opening to a message and a target message, outputs an opening of the commitment to the target message. An equivocable commitment key must provide statistical hiding.

Sample $r \leftarrow \mathbb{Z}_{n^2}^*$ and $b \leftarrow{0,1, \ldots, n-1}$ such that $\operatorname{gcd}(b, n)=1$, and let
$$
g=-r^{2 n}(1+n)^b
$$

数学代写|密码学作业代写Cryptography代考|Group Homomorphic

We shall now consider a class of commitment schemes where the set of commitments, the message set and the randomness set have group structures and the commit algorithm is essentially a group homomorphism. This gives us a group homomorphic commitment scheme, which is useful.

The two commitment schemes we shall consider are very similar, and both rely on a cyclic group of prime order $p$. The commitment key contains one or two group elements. A commitment to a message in $\mathbb{Z}_p$ uses a single random value from $\mathbb{Z}_p$, which is sampled from the uniform distribution. The opening of the commitment is the random value. We shall use the notation $\mathcal{C C}(m ; o)$ to denote a commitment to $m$ with opening $o$.

These schemes are group homomorphic in the sense that for any commitments $u_1, u_2$ with openings $\left(m_1, o_1\right)$ and $\left(m_2, o_2\right)$, then for any $\alpha_1, \alpha_2 \in \mathbb{Z}_p$ we have that $\mathcal{C O}\left(u_1^{\alpha_1} u_2^{\alpha_2}, \alpha_1 m_1+\alpha_2 m_2, \alpha_1 o_1+\alpha_2 o_2\right)=1$. Also, for any commitment $u$ to a message $m$, there is a unique opening o such that $\mathcal{C O}(c k, u, m, o)=1$.

ElGamal-based construction The first commitment scheme is a small modification of the commitment scheme from Example $8.23$ using the ElGamal encryption scheme as the underlying public key cryptosystem. The commitment key is a group element $y$. To commit to a value $m \in \mathbb{Z}_p$, the commitment algorithm chooses a random value $o \in \mathbb{Z}_p$ and computes $x \leftarrow g^o$ and $w \leftarrow y^o g^m$. The commitment is $u=(x, w)$.
The only difference is that we encrypt $g^m$, not $m$ as in Exercise 8.40.

By Exercise $8.40$ the commitment scheme is unconditionally binding. and an adversary against hiding for the commitment scheme is an adversary against ElGamal, which becomes a distinguisher for Decision Diffie-Hellman.
Pedersen commitments The second commitment scheme is the Pedersen commitment scheme from Example 8.24. By Exercise $8.41$ the commitment scheme is perfectly hiding, and an adversary against binding for the commitment scheme can be turned into discrete logarithm solver.

密码学代写

数学代写|密码学作业代写Cryptography代考|Equivocable and Extractable

此承诺方案基于示例 $8.17$ 中的 Paillier 加密，并且承诺算法是 Paillier 加密的变体。承诺密钥包含一个 Paillier 密文，通过改变加密的消息，我们可以“陷进”承诺密钥，这样我们就可以打开对任何值的承诺，或者从承诺中提取承诺的消息。
这些属性很有趣，因为它们在安全证明中的应用。使用任何此类承诺计划都必须非常小心。
让 $p, q$ 是不同的大素数使得 $(p-1) / 2$ 和 $(q-1) / 2$ 也是不同的素数 $p$ 和 $q$. 让 $n=p q$. 让 $k$ 是一个正整数并且让 $S=\backslash l e f t\left{0,1, \backslash d o t s, n^{\wedge} 22^{\wedge} k \backslash r i g h t\right}$. . 注意 $n$ 相对于 $\mathbb{Z}n^$. 练习 8.43。让 $-n^2<\nu{e q}$ 输出一个模棱两可的承诺密钥和一个”活板门”; 和一个模棱两可的算法 $\mathcal{C Q}$ 在输入承诺密钥、“陷门”、承诺、对消息的打开和目标消息时，输出对目标消息的承诺的打开。一个模棱两可的承诺密钥必须提供统计隐藏。
样本 $r \leftarrow \mathbb{Z}_{n^2}^$ 和 $b \leftarrow 0,1, \ldots, n-1$ 这样 $\operatorname{gcd}(b, n)=1$ ，然后让
$$
g=-r^{2 n}(1+n)^b
$$

数学代写|密码学作业代写Cryptography代考|Group Homomorphic

我们现在将考虑一类承诺方案，其中承诺集、消息集和随机集具有组结构，并且提交算法本质上是一个组同态。这给了我们一个很有用的群同态承诺方案。
我们要考虑的两个承诺方案非常相似，都依赖于素数阶的循环群 $p$. 承诺密钥包含一个或两个组元素。对信息的承诺 $\mathbb{Z}_p$ 使用来自 $\mathbb{Z}_p$ ，它是从均匀分布中采样的。承诺的开放是随机值。我们将使用符号 $\mathcal{C C}(m ; o)$ 表示承诺 $m$ 带开口 $o$.
这些方案是群同态的，因为对于任何承诺 $u_1, u_2$ 有开口 $\left(m_1, o_1\right)$ 和 $\left(m_2, o_2\right)$ ，那么对于任何留言 $m$ ，有一个独特的开口 o 使得 $\mathcal{C O}(c k, u, m, o)=1$.
基于 ElGamal 的构建第一个承诺方案是对 Example 中的承诺方案的一个小修改8.23使用 ElGamal 加密方案作为底层公钥密码系统。承诺键是一个组元素 $y$. 致力于一个价值 $m \in \mathbb{Z}_p$ ，承诺算法选择一个随机值 $o \in \mathbb{Z}_p$ 并计算 $x \leftarrow g^o$ 和 $w \leftarrow y^o g^m$. 承诺是 $u=(x, w)$.
唯一的区别是我们加密 $g^m$ ，不是 $m$ 如练习 8.40。
通过运动 $8.40$ 承诺计划具有无条件约束力。反对隐藏承诺方案的对手是反对 ElGamal 的对手，后者成为决策 Diffie-Hellman 的区分器。
Pedersen 承诺第二个承诺方案是示例 $8.24$ 中的 Pedersen 承诺方案。通过运动8.41承诺方案是完全隐藏的，反对绑定承诺方案的对手可以变成离散对数求解器。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

金融工程代写

非参数统计代写

非参数统计指的是一种统计方法，其中不假设数据来自于由少数参数决定的规定模型；这种模型的例子包括正态分布模型和线性回归模型。

广义线性模型代考

广义线性模型（GLM）归属统计学领域，是一种应用灵活的线性回归模型。该模型允许因变量的偏差分布有除了正态分布之外的其它分布。

有限元方法代写

随机分析代写

时间序列分析代写

回归分析代写

MATLAB代写

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写

数学代写|密码学作业代写Cryptography代考|CS388H

Posted on 2023年2月1日2023年2月1日 by statistics-lab

如果你也在怎样代写密码学Cryptography这个学科遇到相关的难题，请随时右上角联系我们的24/7代写客服。

我们提供的密码学Cryptography及其相关学科的代写，服务范围广, 其中包括但不限于:

Statistical Inference 统计推断
Statistical Computing 统计计算
Advanced Probability Theory 高等概率论
Advanced Mathematical Statistics 高等数理统计学
(Generalized) Linear Models 广义线性模型
Statistical Machine Learning 统计机器学习
Longitudinal Data Analysis 纵向数据分析
Foundations of Data Science 数据科学基础

数学代写|密码学作业代写Cryptography代考|Multiple Keys

In practice a system that uses symmetric cryptosystems is unlikely to confine itself to a single key. Usually, there is a huge number of keys, even when there is not a huge number of users. Studying systems with more than one key is therefore important.

It is possible to design variants of the security games where the experiment has multiple independent keys, and the adversary may choose which key the experiment should use when answering a query.

As usual, these multi-key notions contain the single-key notions as special cases. Conversely, we can prove that any adversary against the multi-key notions can be turned into an adversary against a single-key notion, and the advantage of the multi-key adversary is at most that of the single-key adversary times the number of keys.

Exercise 7.12. Define a multi-key variant of ror-cca, state a precise variant of the above informal claim and use a hybrid argument to prove the statement.
Another multi-key variant is to allow key reveal, where the adversary may learn a subset of the keys, chosen adaptively. The immediate problem is that the adversary cannot first ask for any challenge ciphertexts under some key, and then later ask for the key, since this will immediately reveal the challenge bit. The underlying problem is that revealing ciphertexts commits the experiment to a certain key, which is difficult to reveal. Most of the natural generalisations of the theorems we have proven for the single-key case are hard to prove for the multi-key case with key compromise. Stateful encryption is one approach to achieve multi-key security with key compromise which we shall investigate later.

数学代写|密码学作业代写Cryptography代考|Stream Ciphers

We shall only consider what is often called synchronious or additive stream ciphers, where a key stream generator expands a key and an initialisation vector into a string of symbols which is then added to the message (which is interpreted as a string of symbols). Traditionally, stream ciphers were bit oriented, but we can take the alphabet to be any group.

Definition 7.9. Let $f: \mathfrak{R} \times \mathfrak{V} \rightarrow G^N$ be a key stream generator. A $\left(\tau, l_c\right)$ adversary against $f$ is an interactive algorithm $\mathcal{A}$ that interacts with the experiment in Figure $7.12$ making at most $l_c$ queries to the experiment, and where the runtime of the adversary and the experiment is at most $\tau$.
The advantage of this adversary is defined to be
$$
\operatorname{Ad}_f^{\mathrm{kgg}}(\mathcal{A})=2|\operatorname{Pr}[E]-1 / 2|,
$$
where $E$ is the event that $b^{\prime}$ output by $\mathcal{A}$ equals the experiment’s $b$.
We will only compute as many key stream elements as is needed. The key stream must be computed by some algorithm whose cost is essentially linear in the number of key stream elements computed.

Remark. Sometimes we want a pseudo-random generator $f: \mathfrak{K} \rightarrow G^N$. Since there is no initialisation vector, each key expands into a single key stream. The security game is the single-query variant of the key stream security game.
Remark. There is a stronger notion of security for key stream generators, where the adversary is allowed to specify the initialisation vector to be used (a pseudo-random function). This is usually too strong a requirement, since it is not needed and may make key stream generator design harder. An interme-diate variant is to specify some fixed sequence of initialisation vectors, which is often easy to design for and has advantages in many applications.

密码学代写

数学代写|密码学作业代写Cryptography代考|Multiple Keys

实际上，使用对称密码系统的系统不太可能将自己限制在单个密钥上。通常，即使没有大量的用户，也会有大量的密钥。因此，研究具有多个密钥的系统非常重要。

可以设计实验具有多个独立密钥的安全游戏变体，对手可以选择实验在回答查询时应使用哪个密钥。

像往常一样，这些多键概念包含单键概念作为特例。反过来，我们可以证明，任何对抗多键概念的对手都可以变成对抗单键概念的对手，而多键对手的优势最多是单键对手的优势乘以键。

练习 7.12。定义 ror-cca 的多键变体，陈述上述非正式声明的精确变体，并使用混合论证来证明该陈述。
另一个多密钥变体是允许密钥显示，其中对手可以学习自适应选择的密钥子集。直接的问题是对手不能先在某个密钥下询问任何挑战密文，然后再询问密钥，因为这将立即揭示挑战位。潜在的问题是揭示密文将实验提交给某个难以揭示的密钥。我们已经为单密钥情况证明的定理的大多数自然推广对于具有密钥妥协的多密钥情况很难证明。状态加密是通过密钥泄露实现多密钥安全的一种方法，我们稍后将对此进行研究。

数学代写|密码学作业代写Cryptography代考|Stream Ciphers

我们将只考虑通常称为同步或附加流密码的东西，其中密钥流生成器将密钥和初始化向量扩展为一串符号，然后将其添加到消息中（被解释为一串符号）。传统上，流密码是面向位的，但我们可以将字母表视为任何组。
定义 7.9。让 $f: \mathfrak{R} \times \mathfrak{V} \rightarrow G^N$ 成为密钥流生成器。一种 $\left(\tau, l_c\right)$ 对手反对 $f$ 是一种交互式算法 $\mathcal{A}$ 与图中的实验交互 $7.12$ 最多做 $l_c$ 对实验的查询，以及对手和实验的运行时间最多在哪里 $\tau$. 这个对手的优势被定义为
$$
\operatorname{Ad}_f^{\mathrm{kgg}}(\mathcal{A})=2|\operatorname{Pr}[E]-1 / 2|,
$$
在哪里 $E$ 是事件 $b^{\prime}$ 输出方式 $\mathcal{A}$ 等于实验的 $b$.
我们将只计算所需数量的关键流元素。密锏流必须通过某种算法来计算，该算法的成本基本上与计算的密钥流元素的数量成线性关系。
评论。有时我们想要一个伪随机生成器 $f: \mathfrak{K} \rightarrow G^N$. 由于没有初始化向量，每个密钥都会扩展为一个密钥流。安全游戏是密钥流安全游戏的单一查询变体。
评论。密钥流生成器有更强的安全概念，其中允许对手指定要使用的初始化向量（伪随机函数）。这通常是一个太强的要求，因为它不是必需的并且可能使密钥流生成器的设计更加困难。一个中间变体是指定一些固定的初始化向量序列，这通常很容易设计并且在许多应用程序中具有优势。

统计代写请认准statistics-lab™. statistics-lab™为您的留学生涯保驾护航。

R语言代写	问卷设计与分析代写
PYTHON代写	回归分析与线性模型代写
MATLAB代写	方差分析与试验设计代写
STATA代写	机器学习/统计学习代写
SPSS代写	计量经济学代写
EVIEWS代写	时间序列分析代写
EXCEL代写	深度学习代写
SQL代写	各种数据建模与可视化代写