Lecture 1: Perfect Security

Similar documents
COMP4109 : Applied Cryptography

Goals of Modern Cryptography

ISA 562: Information Security, Theory and Practice. Lecture 1

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Cryptography. Lecture 03

Worksheet - Reading Guide for Keys and Passwords

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Lecture 07: Private-key Encryption. Private-key Encryption

Cryptography Worksheet

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography CS 555. Topic 1: Course Overview & What is Cryptography

2 Secure Communication in Private Key Setting

Cryptography. Andreas Hülsing. 6 September 2016

Computer Security CS 526

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Defining Encryption. Lecture 2. Simulation & Indistinguishability

1 Achieving IND-CPA security

Information Security CS526

1 One-Time Pad. 1.1 One-Time Pad Definition

Information Security CS526

CSC 580 Cryptography and Computer Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

2 What does it mean that a crypto system is secure?

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

Cryptography Introduction to Computer Security. Chapter 8

CPSC 467: Cryptography and Computer Security

2/7/2013. CS 472 Network and System Security. Mohammad Almalag Lecture 2 January 22, Introduction To Cryptography

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Lecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Introduction to Cryptography. Lecture 1. Benny Pinkas. Administrative Details. Bibliography. In the Library

Introduction to Cryptography. Lecture 1

CS 161 Computer Security

CS61A Lecture #39: Cryptography

Security: Cryptography

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Introduction to Cryptography in Blockchain Technology. December 23, 2018

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Elliptic Curve Cryptography

1 Identification protocols

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 15: Public Key Encryption: I

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

P2_L8 - Hashes Page 1

CS 161 Computer Security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Private-Key Encryption

CPSC 467b: Cryptography and Computer Security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Traditional Symmetric-Key Ciphers. A Biswas, IT, BESU Shibpur

CPSC 467b: Cryptography and Computer Security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

1 Defining Message authentication

Introduction to Cryptology ENEE 459E/CMSC 498R. Lecture 1 1/26/2017

1 Brief Overview Of the talk

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography Lesson Plan

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CPSC 467b: Cryptography and Computer Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Bob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption

Introduction to Cryptology. Lecture 2

Cryptographic Hash Functions

Shared Secret = Trust

Cryptography Introduction

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

symmetric cryptography s642 computer security adam everspaugh

CS 161 Computer Security

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Cryptography ThreeB. Ed Crowley. Fall 08

NETWORK SECURITY & CRYPTOGRAPHY

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

CS 161 Computer Security

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Classic Cryptography: From Caesar to the Hot Line

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Message Authentication ( 消息认证 )

Recap. Definition (Encryption: Caesar Cipher)

B) Symmetric Ciphers. B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

CHAPTER 1 INTRODUCTION TO CRYPTOGRAPHY. Badran Awad Computer Department Palestine Technical college

What did we talk about last time? Public key cryptography A little number theory

Behrang Noohi. 22 July Behrang Noohi (QMUL) 1 / 18

Authentication CHAPTER 17

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

CPSC 467: Cryptography and Computer Security

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Computational Security, Stream and Block Cipher Functions

Transcription:

CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave a broad overview of a lot of the ideas and concepts used. Today, we took a closer look at the definition of what security really means. While the exact meaning may vary depending on context (for example, preserving message privacy vs. message authentication), there are 3 common traits that we look for in a definition of security: The definition provides strong guarantees about the security of our information The definition is achievable (there is some way to implement it) The definition is achievable in a practical, efficient way The first definition of security we saw was Shannon s perfect security : when transmitting a message, any 3rd party eavesdropper will learn nothing about the message (except its length) just from intercepting the cipher text. Clearly, this provides some strong guarantees about our information s security and satisfies the first bullet point. Today, we ll take a more formal look at perfect security and see that while it is achievable, it is not achievable in any efficient way. 2 Formal Definitions We consider there to be three parties: Alice, Bob, and Eve. Alice starts with a message m (the plain text), encrypts it using some encryption algorithm E into a different message c (the cipher text), and sends it to Bob (Eve, the third party attacker, will be able to see c and attempt to figure out things about the original plain text from that). When Bob receives the cipher text, he ll use a decryption algorithm D to recover the original message. One of the main principles underlying cryptography mentioned last class was Kerckhoff s Principle: a cryptographic system shouldn t rely on the attacker not knowing the system to be secure. Because of this, we need to use some form of private information keys when encrypting our messages and not simply rely on the attacker not discovering which encryption and decryption algorithms we ve chosen. There are two ways we can use keys; in private key encryption, both our encryption algorithm and decryption algorithm take a secret key as an additional argument, randomly chosen and known only to Alice and 1-1

Bob. Public key encryption is similar, but we use different keys to encrypt and decrypt, and the encryption key is made public (for example, RSA). We re primarily going to be considering private key encryption in this course. Formally, we refer to the set of algorithms Alice and Bob use to communicate as an encryption scheme, and define it like this: An encryption scheme π(gen, Enc, Dec) with message space M and key space K, consists of 3 algorithms: Gen, the key generation algorithm, takes no input and produces a key k K Enc, the encryption algorithm, takes a key k K and a message m M as input and produces a cipher text c Dec, the decryption algorithm, takes a key k K and a cipher text c as input and produces a plain text m M 3 More on Encryption Schemes One question that arose in class was: if the key generation algorithm takes no input and Alice and Bob run it independently, how can they ensure that they are encrypting/decrypting the message with the same key? The answer was that Gen doesn t really take no input, but rather takes a small input and produces a much larger key as an output. Alice and Bob have to meet each other once to communicate this shared small input, but their goal is to get a much larger key from that shared small input and to be able to communicate securely without meeting for many messages in the future. Which of the algorithms in an encryption scheme are randomized, and which are deterministic? Gen, the key generation algorithm, must be randomized. Otherwise our encryption scheme relies on security by obscurity. Dec, our decryption algorithm, must be deterministic. If the same cipher text c and the same key k could be decrypted to two distinct values, one of those would not be the original message Alice encrypted and our decryption algorithm could give us the wrong message. Enc, the encryption algorithm, is a little more complicated. It could be deterministic - for example, the Caesar cipher is fully deterministic given a message and a key (the key being how many letters to shift by). However, a deterministic encryption algorithm will cause certain problems. If we encrypt two identical messages deterministically, they 1-2

will get mapped to the same cipher text. This means that if an attacker is watching and knows our encryption scheme, she will know that we sent the same message twice. This could be a huge problem (imagine you re a military general, and you know your enemy is planning to attack either Cape Horn or Bora Bora - knowing that the two words they sent in a message are the same tells you exactly which destination the enemy will attack!) So deterministic algorithms will need a new key for every message they send, causing practical concerns, and most encryption algorithms we see in this class will not be deterministic. Instead, the same message-key pair (m, k) may get encrypted as any number of different cipher texts c 1, c 2,... c n (but all of those will decrypt to m) 4 Goals of an Encryption Scheme We ve talked in general about what we want our encryption scheme to do, but how do we formally define these goals? Using perfect security as our definition of security, there are two properties we want from our encryption scheme. 1. Correctness Pr[ k Gen c = Enc(k,m) Dec(k,c) = m ] = 1 This means that if we encrypt any message with a random key, our decryption algorithm must be guaranteed to give us back the original message. 2. Perfect Security An encryption scheme π is perfectly secure if m 1, m 2 M {k Gen c 1 = Enc(k,m 1 ) : c 1 } = {k Gen c 2 = Enc(k,m) : c 2 } (The first formula refers to the distribution of all cipher texts c 1 reached by randomly choosing k and encrypting message m 1, the second is the same but for m 2 ) So any two messages need to lead to the same distribution of cipher texts when encrypted, or in other words cipher texts c, Pr(c 1 = c) = Pr(c 2 = c). Another way of looking at this is that if you re given a cipher text c and told that it was either encrypted from m 1 or m 2, you shouldn t be able to tell which one. 5 Perfectly Secure Encryption Schemes Two of the early encryption schemes we learned about, the Caesar cipher and the substitution cipher, clearly fail at being perfectly secure. If the first two letters of m are the same, the first two letters of c will be as well, and if they re different, the first two letters of c will be different, so for example, aa and ab will have completely different 1-3

distributions of cipher texts, violating perfect security. However, if we only encrypt one letter with a Caesar cipher, that s completely secure. Whatever letter we encrypt, there s a 1 chance of it turning into each of the letters of the alphabet. Similarly, if we encrypt 26 each letter with a different Caesar cipher, it will be perfectly secure. This leads us to a perfectly secure encryption scheme: The One Time Pad Definition: M = K = {0, 1} n Gen is chosen uniformly at random from the key space E(m, k) = m k D(c, k) = c k The one time pad is correct because c k = m k k = m. Proof that the one time pad is secure: Take any two messages m 1, m 2. For any cipher text which is not an n-bit binary string, both m 1 and m 2 have no chance of being encrypted as that string. For each cipher text c {0, 1} n, E(m 1, k) = c iff k = m 1 c, which has a 1 chance. The exact same result 2 n holds for m 2 as k = m 2 c also has a 1 chance. Therefore, both m 2 n 1 and m 2 will have a uniform distribution of their cipher texts and the one time pad is perfectly secure. 6 Bad News Unfortunately, one time pad requires a key of length equal to the message, which defeats the purpose to some extent; if Alice and Bob could securely exchange an n-bit key, why not just securely exchange an n-bit message? Even more unfortunately, this is not unique to one time pad. Theorem: K M in any perfectly secure encryption scheme. Proof: Assume not. Then take any message m 1 and key k and let c = E(m 1, k). Now, let S D (c) be the set of all messages that can be decrypted from cipher text c. Since D is deterministic, S D (c) K < M, meaning that some message m 2 is never encrypted as c for any choice of key. But this means that m 1 and m 2 have different distributions of cipher texts, since m 1 has some positive probability of being encrypted as c and m 2 1-4

has no chance of being encrypted as c. Thus, if K < M, our encryption scheme is not perfectly secure, violating our assumption. For this reason, perfect security is an unrealistic goal. Instead of information theoretic absolute security, we ll be looking more at schemes which are hard to break because of computational difficulty. We ll take some known hard problem such as factoring and transform it into a primitive such as an encryption scheme so that if the encryption scheme were broken, the attacker would also be able to solve the hard problem, which is not believed possible. 1-5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback