Contents. Foundations of cryptography

Size: px

Start display at page:

Download "Contents. Foundations of cryptography"

Abigayle Gilmore
7 years ago
Views:

1 Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations Introduction to complexity theory Harald Baier Cryptography h_da, Summer Term

2 Models for evaluating security 3 common models: Unconditional security Provable security Computational security Further models: Complexity-theoretic security Harald Baier Cryptography h_da, Summer Term

3 Unconditional security Also called perfect secrecy (in the context of encryption) or information-theoretic security. Assumption: Adversary has unlimited computational power. Definition: Observing the ciphertext does not reveal any information about the underlying plaintext to the adversary. Key questions: Will a perfect secret scheme be broken in the future? Are there perfect secret encryption schemes? Are public key encryption schemes perfect secret? What is about common symmetric encryption (e.g. DES, AES)? Harald Baier Cryptography h_da, Summer Term

4 Provable security Also called practical security. A cryptographic method can be shown to be 'essentially' as difficult as a well-known and 'supposedly' difficult problem Essential means that a polynomial time mapping exists. Supposedly means that the problem has long been studied thoroughly by many experts. Remarks: The proof is only relative to the supposedly difficult problem. However, one may focus on few problems. Typical well-known and supposedly difficult problems? Harald Baier Cryptography h_da, Summer Term

5 Computational security A cryptographic method cannot be defeated in practice, because the computational amount is too large: Based on the best currently-known attack. Problem has long been studied thoroughly by many experts. A sufficient large security margin is used. Security threshold: The currently best-known attack requires N basic (i.e. non-trivial) operations: N is very large (currently 100 bit, i.e. about 2^{100}). Examples for basic non-trivial operations: AES encryption, exponentiation modulo n, group operation in a finite field. Most systems of practical relevance belong to this class. Harald Baier Cryptography h_da, Summer Term

6 Security considerations Does a provably secure scheme become insecure in the future? Does a computationally secure scheme become insecure in the future? Why do we not restrict on perfect secure schemes? Harald Baier Cryptography h_da, Summer Term

7 Attacker models Ciphertext-only attack Known-plaintext attack (Adaptive) chosen-plaintext attack (Adaptive) chosen-ciphertext attack Harald Baier Cryptography h_da, Summer Term

8 Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations Introduction to complexity theory Harald Baier Cryptography h_da, Summer Term

9 Probability considerations Why is it important to consider probabilities? Kerkhoff's principle Weakest attacker model: Aim: Adversary shall get as few as possible information about the plaintext or key if he sees ciphertexts Hence: What is the probability that a certain plaintext was encrypted to get the observed ciphertext? Terms and properties: Random variable Elementary event (Example: Toss of a coin) Sum of all elementary events' probabilities is equal to Harald Baier Cryptography h_da, Summer Term

10 Probability distributions on plaintexts, keys, ciphertexts Probability distribution on P: Random variable is denoted by M Values of M are plaintext units p(m = m): Probability that plaintext unit m is encrypted Example: P = {a,b,c,...,z} Probability distribution is letter frequency German text: p(m = e) = Which probability distribution on K? Which probability distribution on C? Harald Baier Cryptography h_da, Summer Term

11 Probability distribution: Example set up (1/2) Set of plaintext units P = { a, b, c,d } p(m=a) = 1/4, p(m=b) = 3/10, p(m=c) = 3/20, p(m=d) = 3/10 Sum of all elemantary probabilities is equal to Set of keys K = { k 1, k 2, k 3 } p(k=k 1 ) = 1/4, p(k=k 2 ) = 1/2, p(k=k 3 ) = 1/4 Is it a good probability distribution? Set of ciphertext units C How many ciphertext units do we need? We choose C = Harald Baier Cryptography h_da, Summer Term

12 Probability distribution: Example set up (2/2) Encryption functions: a b c d k k k The attacker observes C = 3: Does he get information about the plaintext or key? Conditional probabilities of plaintexts: p(m = c C = 3) = p(m = d C = 3) = p(m = b C = 3) = p(m = a C = 3) = Harald Baier Cryptography h_da, Summer Term

13 Computing the probability distribution of ciphertexts Basic assumption: Keys are chosen independently of plaintexts As a formula: p(m=m AND K=k) = p(m=m) * p(k=k) Probability that ciphertext unit c appears: In our Example: p(c=1) = p(c=2) = p(c=3) = p(c=4) = Harald Baier Cryptography h_da, Summer Term

14 Conditional probabilities Probability under assumption that another condition holds Example: Probability that C = c is the encryption result under the condition that plaintext M = m is chosen Symbol: p( C=c M=m ) Definition: p( C=c M=m ) := p( C=c AND M=m ) / p( M=m ) As a formula: p( C=1 M=a ) = p( C=1 M=b ) = p( C=1 M=c ) = p( C=1 M=d ) = Harald Baier Cryptography h_da, Summer Term

15 However, in practice... the attacker wants to compute p( M=m C=c ) Probability that plaintext M=m was used if C=c is observed Bayes' rule: p( C=c ) * p( M=m C=c ) = p( M=m ) * p( C=c M=m ) The attacker knows/computes the following probabilities: p( M=m ): Probability distribution on P is known. p( C=c ): Probability distribution on C is computable. p( C=c M=m ): Conditional probabilities are computable. Example: p( M=a C=3 ) = Harald Baier Cryptography h_da, Summer Term

16 A formal definition of perfect secrecy An encryption scheme is perfect secret, if p( M=m C=c ) = p( M=m ) for all plaintexts m and all ciphertexts c. Remember: Even an attacker with unlimited computing power is not able to break a perfect secret scheme. The attacker does not learn anything about the plaintext when observing ciphertexts. How do we determine if a given encryption scheme is perfect secret? Harald Baier Cryptography h_da, Summer Term

17 Shannon's theorem Let (P, C, K, E, D) be an encryption scheme with P = C = K < and p(m=m) > 0 for all plaintext units m The encryption scheme is perfect secret if and only if The probability distribution on K is the equal distribution (i.e. each key is chosen with probability 1/ K ). For each plaintext unit m and each ciphertext unit c there is one and only one encryption key e with E e (m) = c. Disadvantage: Key is at least as long as message Harald Baier Cryptography h_da, Summer Term

18 Are there perfect secret schemes? YES. Examples: Vigenere cipher, if key word length = plaintext length Most common example: Vernam one time pad One time pad: P = C = K = { 0, 1 } n Encryption: c = m XOR e Decryption: m = c XOR e Key: Random, equal distributed bit string of length n Commonly used to exchange military or diplomatic messages Harald Baier Cryptography h_da, Summer Term

19 Encryption schemes in practice Main disadvantages of perfect secret schemes: Key is at least as long as the message. Keys must be unique for each message (ephemeral keys). Key exchange problem for long keys. Wide spread encryption schemes are 'only' computationally secure. Main advantages of common symmetric schemes: Short key for long messages. The same key may be used for different plaintext units. Harald Baier Cryptography h_da, Summer Term

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions