A Graduate Course in Applied Cryptography. August 17, 2015




A Graduate Course in Applied Cryptography
Dan Boneh
Victor Shoup
August 17, 2015

Preface

Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. Cryptographic systems are an integral part of standard protocols, most notably the Transport Layer Security (TLS) protocol, making it relatively easy to incorporate strong encryption into a wide range of applications.

While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error. No amount of unit testing will uncover a security vulnerability in a cryptosystem. Instead, to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it. We often need to introduce certain plausible assumptions to push our security arguments through.

This book is about exactly that: constructing practical cryptosystems for which we can argue security under plausible assumptions. The book covers many constructions for different tasks in cryptography. For each task we define a precise security goal that we aim to achieve and then present constructions that achieve the required goal. To analyze the constructions, we develop a unified framework for doing cryptographic proofs. A reader who masters this framework will be capable of applying it to new constructions that may not be covered in the book.

Throughout the book we present many case studies to survey how deployed systems operate. We describe common mistakes to avoid as well as attacks on real-world systems that illustrate the importance of rigor in cryptography. We end every chapter with a fun application that applies the ideas in the chapter in some unexpected way.

Intended audience and how to use this book

The book is intended to be self-contained. Some supplementary material covering basic facts from probability theory and algebra is provided in the appendices.

The book is divided into three parts. The first part develops symmetric encryption, which explains how two parties, Alice and Bob, can securely exchange information when they have a shared key unknown to the attacker. The second part develops the concepts of public-key encryption and digital signatures, which allow Alice and Bob to do the same, but without having a shared, secret key. The third part is about cryptographic protocols, such as protocols for user identification, key exchange, and secure computation.

A beginning reader can read through the book to learn how cryptographic systems work and why they are secure. Every security theorem in the book is followed by a proof idea that explains at a high level why the scheme is secure. On a first read one can skip over the detailed proofs without losing continuity. A beginning reader may also skip over the mathematical details sections that explore nuances of certain definitions. An advanced reader may enjoy reading the detailed proofs to learn how to do proofs in cryptography. At the end of every chapter you will find many exercises that explore additional aspects of the material covered in the chapter. Some exercises rehearse what was learned, but many exercises expand on the material and discuss topics not covered in the chapter.

Status of the book

The current draft only contains part I. Parts II and III are forthcoming. We hope you enjoy this write-up. Please send us comments and let us know if you find typos or mistakes.

Citations: While the current draft is mostly complete, we still do not include citations and references to the many works on which this book is based. Those will be coming soon and will be presented in the Notes section at the end of every chapter.

Dan Boneh and Victor Shoup
August, 2015

Contents

1 Introduction 15
  1.1 Historic ciphers 15
  1.2 Terminology used throughout the book 15

I Secret key cryptography 17

2 Encryption 18
  2.1 Introduction 18
  2.2 Shannon ciphers and perfect security 19
    2.2.1 Definition of a Shannon cipher 19
    2.2.2 Perfect security 21
    2.2.3 The bad news 26
  2.3 Computational ciphers and semantic security 27
    2.3.1 Definition of a computational cipher 27
    2.3.2 Definition of semantic security 29
    2.3.3 Connections to weaker notions of security 32
    2.3.4 Consequences of semantic security 36
    2.3.5 Bit guessing: an alternative characterization of semantic security 39
  2.4 Mathematical details 41
    2.4.1 Negligible, super-poly, and poly-bounded functions 42
    2.4.2 Computational ciphers: the formalities 43
    2.4.3 Efficient adversaries and attack games 46
    2.4.4 Semantic security: the formalities 48
  2.5 A fun application: anonymous routing 48
  2.6 Notes 51
  2.7 Exercises 51

3 Stream ciphers 58
  3.1 Pseudo-random generators 58
    3.1.1 Definition of a pseudo-random generator 59
    3.1.2 Mathematical details 61
  3.2 Stream ciphers: encryption with a PRG 61
  3.3 Stream cipher limitations: attacks on the one time pad 65
    3.3.1 The two-time pad is insecure 65
    3.3.2 The one-time pad is malleable 66
  3.4 Composing PRGs 67
    3.4.1 A parallel construction 67
    3.4.2 A sequential construction: the Blum-Micali method 72
    3.4.3 Mathematical details 75
  3.5 The next bit test 77
  3.6 Case study: the Salsa and ChaCha PRGs 80
  3.7 Case study: linear generators 83
    3.7.1 An example cryptanalysis: linear congruential generators 83
    3.7.2 The subset sum generator 86
  3.8 Case study: cryptanalysis of the DVD encryption system 87
  3.9 Case study: cryptanalysis of the RC4 stream cipher 89
    3.9.1 Security of RC4 91
  3.10 Generating random bits in practice 93
  3.11 A broader perspective: computational indistinguishability 94
    3.11.1 Mathematical details 99
  3.12 A fun application: coin flipping and commitments 99
  3.13 Notes 101
  3.14 Exercises 101

4 Block ciphers 107
  4.1 Block ciphers: basic definitions and properties 107
    4.1.1 Some implications of security 109
    4.1.2 Efficient implementation of random permutations 112
    4.1.3 Strongly secure block ciphers 112
    4.1.4 Using a block cipher directly for encryption 113
    4.1.5 Mathematical details 118
  4.2 Constructing block ciphers in practice 118
    4.2.1 Case study: DES 120
    4.2.2 Exhaustive search on DES: the DES challenges 124
    4.2.3 Strengthening ciphers against exhaustive search: the 3E construction 126
    4.2.4 Case study: AES 128
  4.3 Sophisticated attacks on block ciphers 133
    4.3.1 Algorithmic attacks 134
    4.3.2 Side-channel attacks 137
    4.3.3 Fault-injection attacks on AES 141
    4.3.4 Quantum exhaustive search attacks 142
  4.4 Pseudo-random functions: basic definitions and properties 143
    4.4.1 Definitions 143
    4.4.2 Efficient implementation of random functions 144
    4.4.3 When is a secure block cipher a secure PRF? 145
    4.4.4 Constructing PRGs from PRFs 149
    4.4.5 Mathematical details 151
  4.5 Constructing block ciphers from PRFs 151
  4.6 The tree construction: from PRGs to PRFs 158
    4.6.1 Variable length tree construction 162
  4.7 The ideal cipher model 164
    4.7.1 Formal definitions 164
    4.7.2 Exhaustive search in the ideal cipher model 165
    4.7.3 The Even-Mansour block cipher and the EX construction 168
    4.7.4 Proof of the Even-Mansour and EX theorems 169
  4.8 Fun application: comparing information without revealing it 175
  4.9 Notes 177
  4.10 Exercises 177

5 Chosen Plaintext Attack 184
  5.1 Introduction 184
  5.2 Security against multi-key attacks 186
  5.3 Semantic security against chosen plaintext attack 188
  5.4 Building CPA secure ciphers 189
    5.4.1 A generic hybrid construction 190
    5.4.2 Counter mode 195
    5.4.3 CBC mode 199
    5.4.4 Case study: CBC padding in TLS 1.0 204
    5.4.5 Concrete parameters and a comparison of counter and CBC modes 205
  5.5 Nonce-based encryption 206
    5.5.1 Nonce-based generic hybrid encryption 208
    5.5.2 Nonce-based Counter mode 208
    5.5.3 Nonce-based CBC mode 209
  5.6 A fun application: revocation schemes 209
  5.7 Notes 210
  5.8 Exercises 210

6 Message integrity 215
  6.1 Definition of a message authentication code 217
    6.1.1 Mathematical details 220
  6.2 MAC verification queries do not help the attacker 220
  6.3 Constructing MACs from PRFs 223
  6.4 Prefix-free PRFs for long messages 225
    6.4.1 The CBC prefix-free secure PRF 225
    6.4.2 The cascade prefix-free secure PRF 229
    6.4.3 Extension attacks: CBC and cascade are insecure MACs 230
  6.5 From prefix-free secure PRF to fully secure PRF (method 1): encrypted PRF 231
    6.5.1 ECBC and NMAC: MACs for variable length inputs 232
  6.6 From prefix-free secure PRF to fully secure PRF (method 2): prefix-free encodings 234
    6.6.1 Prefix free encodings 235
  6.7 From prefix-free secure PRF to fully secure PRF (method 3): CMAC 236
  6.8 Converting a block-wise PRF to bit-wise PRF 239
  6.9 Case study: ANSI CBC-MAC 240
  6.10 Case study: CMAC 240
  6.11 PMAC: a parallel MAC 242
  6.12 A fun application: searching on encrypted data 245
  6.13 Notes 245
  6.14 Exercises 245

7 Message integrity from universal hashing 250
  7.1 Universal hash functions (UHFs) 251
    7.1.1 Multi-query UHFs 252
    7.1.2 Mathematical details 253
  7.2 Constructing UHFs 253
    7.2.1 Construction 1: UHFs using polynomials 253
    7.2.2 Construction 2: CBC and cascade are computational UHFs 255
    7.2.3 Construction 3: a parallel UHF from a small PRF 258
  7.3 PRF-UHF composition: constructing MACs using UHFs 260
    7.3.1 Using PRF-UHF composition: ECBC and NMAC security 263
    7.3.2 Using PRF-UHF composition with polynomial UHFs 263
    7.3.3 Using PRF-UHF composition: PMAC0 security 264
  7.4 The Carter-Wegman MAC 265
    7.4.1 Using Carter-Wegman with polynomial UHFs 271
  7.5 Nonce-based MACs 271
    7.5.1 Secure nonce-based MACs 272
  7.6 Unconditionally secure one-time MACs 273
    7.6.1 Pairwise unpredictable functions 273
    7.6.2 Building unpredictable functions 274
    7.6.3 From PUFs to unconditionally secure one-time MACs 275
  7.7 A fun application: timing attacks 275
  7.8 Notes 275
  7.9 Exercises 275

8 Message integrity from collision resistant hashing 285
  8.1 Definition of collision resistant hashing 288
    8.1.1 Mathematical details 288
  8.2 Building a MAC for large messages 289
  8.3 Birthday attacks on collision resistant hash functions 291
  8.4 The Merkle-Damgård paradigm 293
    8.4.1 Joux's attack 295
  8.5 Building Compression Functions 296
    8.5.1 A simple but inefficient compression function 297
    8.5.2 Davies-Meyer compression functions 297
    8.5.3 Collision resistance of Davies-Meyer 299
  8.6 Case study: SHA-256 300
    8.6.1 Other Merkle-Damgård hash functions 302
  8.7 Case study: HMAC 304
    8.7.1 Security of two-key nest 305
    8.7.2 The HMAC standard 307
    8.7.3 Davies-Meyer is a secure PRF in the ideal cipher model 308
  8.8 The Sponge Construction and SHA3 310
    8.8.1 The sponge construction 311
    8.8.2 Case study: SHA3, SHAKE256, and SHAKE512 316
  8.9 Key derivation and the random oracle model 317
    8.9.1 The key derivation problem 317
    8.9.2 Random oracles: a useful heuristic 320
    8.9.3 Random oracles: safe modes of operation 324
    8.9.4 The leftover hash lemma 326
    8.9.5 Case study: HKDF 327
  8.10 Security without collision resistance 328
    8.10.1 Second preimage resistance 328
    8.10.2 Randomized hash functions: target collision resistance 329
    8.10.3 TCR from 2nd-preimage resistance 330
    8.10.4 Using target collision resistance 333
  8.11 A fun application: commitment schemes 335
  8.12 Notes 335
  8.13 Exercises 335

9 Authenticated Encryption 342
  9.1 Authenticated encryption: definitions 343
  9.2 Chosen ciphertext attacks 345
    9.2.1 Chosen ciphertext attacks: a motivating example 345
    9.2.2 Chosen ciphertext attacks: definition 347
    9.2.3 Authenticated encryption implies chosen ciphertext security 348
  9.3 Encryption as an abstract interface 349
  9.4 Authenticated encryption ciphers from generic composition 351
    9.4.1 Encrypt-then-MAC 351
    9.4.2 MAC-then-encrypt is not generally secure: padding oracle attacks on SSL 353
    9.4.3 More padding oracle attacks 356
    9.4.4 Secure instances of MAC-then-encrypt 357
    9.4.5 Encrypt-then-MAC or MAC-then-encrypt? 361
  9.5 Nonce-based authenticated encryption with associated data 361
  9.6 Case study: Galois counter mode (GCM) 363
  9.7 Case study: the TLS 1.3 record protocol 366
  9.8 Case study: an attack on non-atomic decryption in SSH 368
  9.9 Case study: 802.11b WEP, a badly broken system 370
  9.10 Case study: IPsec 373
  9.11 A fun application: private information retrieval 378
  9.12 Notes 378
  9.13 Exercises 378

II Public key cryptography 384

10 Public key tools 386
  10.1 A toy problem: anonymous key exchange 386
  10.2 Trapdoor function schemes 387
    10.2.1 Key exchange using a one-way trapdoor function scheme 388
  10.3 A trapdoor function scheme based on RSA 388
    10.3.1 Key exchange based on the RSA assumption 390
    10.3.2 Mathematical details 391
  10.4 Trapdoor function-pair schemes 391
    10.4.1 Key exchange using an unpredictable trapdoor function-pair scheme 392
  10.5 A trapdoor function-pair scheme based on discrete logarithms 392
    10.5.1 Key exchange based on the CDH and DDH assumptions 396
    10.5.2 Mathematical details 396
    10.5.3 Decision Diffie-Hellman 397
  10.6 Attacks on the anonymous Diffie-Hellman protocol 397
  10.7 Merkle puzzles: a partial solution to key exchange using block ciphers 398
  10.8 Collision resistant hash functions from number-theoretic primitives 401
    10.8.1 The representation problem 401
  10.9 Notes 401
  10.10 Chapter summary 401
  10.11 Exercises 401

11 Public key encryption 402
  11.1 Introduction 402
    11.1.1 Two further examples 403
  11.2 Security against eavesdropping 403
    11.2.1 Mathematical details 404
  11.3 Encryption based on trapdoor function schemes and RSA 404
    11.3.1 Instantiating E_TF with RSA 408
  11.4 ElGamal encryption 409
    11.4.1 ElGamal and random oracles 410
    11.4.2 ElGamal and secure key derivation functions 412
  11.5 Implications of semantic security 414
    11.5.1 Semantic security against chosen plaintext attack 414
    11.5.2 Encryption as an abstract service 416

12 Chosen ciphertext secure public key encryption 418
  12.1 Introduction 418
  12.2 CCA secure encryption from trapdoor function schemes and RSA 419
    12.2.1 Instantiating E_TF with RSA 423
  12.3 Implications of CCA security 423
    12.3.1 CCA security against chosen plaintext attack 423
    12.3.2 Encryption as an abstract service 423
  12.4 CCA secure ElGamal encryption 424
    12.4.1 CCA security for basic ElGamal encryption 424
    12.4.2 Twin ElGamal encryption 428
    12.4.3 CCA security without random oracles 433
  12.5 CCA security via a generic transformation 439
    12.5.1 Instantiation with ElGamal 441
    12.5.2 Instantiation with a trapdoor function scheme 443
  12.6 OAEP+ 444
    12.6.1 Instantiating OAEP+ with RSA 452
  12.7 Case study: PKCS1 version 1.5 453
  12.8 Case study: PGP 453
  12.9 Case study: P1363 453
    12.9.1 Case study: 453
  12.10 Chapter Summary 454
  12.11 Exercises 454

13 Digital signatures 455
  13.1 Definition of a digital signature 457
    13.1.1 Secure signatures 457
    13.1.2 Mathematical details 459
    13.1.3 Security against multi-key attacks 460
  13.2 Extending the message space with collision resistance 461
    13.2.1 Extending the message space using TCR functions 462
  13.3 Repeated one-way functions: a simple lemma 463
  13.4 Signatures from trapdoor functions: the full domain hash 464
    13.4.1 Signatures based on the RSA trapdoor function 466
    13.4.2 Security of RSA-FDH 467
    13.4.3 A tight security proof in the random oracle model 471
    13.4.4 Case study: PKCS1 v1.5 473
  13.5 Signatures secure without random oracles 474
    13.5.1 The basic GHR signature system 476
    13.5.2 The strong RSA assumption 477
    13.5.3 Security of the basic GHR system 478
    13.5.4 Chameleon hashing 479
    13.5.5 The full GHR signature system 480
  13.6 Signcryption: combining signatures and encryption 484
  13.7 Case study: legal aspects of digital signatures 484
  13.8 Further topics 485
  13.9 Notes 485
  13.10 Chapter summary 485
  13.11 Exercises 485

14 Fast signatures from one-way functions 488
  14.1 Lamport signatures 488
    14.1.1 A general Lamport framework 490
    14.1.2 Optimized Lamport 492
  14.2 HORS signatures: Lamport in the random oracle model 493
    14.2.1 Merkle-HORS: reducing the public key size 496
  14.3 Comparing one-time signatures 496
  14.4 Applications of one-time signatures 498
    14.4.1 Online/offline signatures from one-time signatures 498
    14.4.2 Authenticating streamed data with one-time signatures 499
  14.5 Merkle stateless signatures: many-time signatures from one-time signatures 499
    14.5.1 Extending the number of signatures from a q-time signature 501
    14.5.2 The complete Merkle stateless signature system 503
    14.5.3 Stateful Merkle signatures 508
    14.5.4 Comparing Merkle constructions 509
  14.6 Notes 510
  14.7 Chapter summary 510
  14.8 Exercises 510

15 Analysis of number theoretic assumptions 512
  15.1 How reasonable are the factoring and RSA assumptions? 512
    15.1.1 Quadratic residuosity assumption 512
  15.2 How reasonable are the DL and CDH assumptions? 512
    15.2.1 The Baby step giant step algorithm 513
    15.2.2 The Pohlig-Hellman algorithm 513
    15.2.3 Information leakage 516
    15.2.4 Random self-reducibility 516
  15.3 Discrete log in Z_p 518
    15.3.1 The number field sieve 518
    15.3.2 Discrete-log records in Z_p 519
  15.4 How reasonable is decision Diffie-Hellman? 519
  15.5 Quantum attacks on number theoretic problems 520
  15.6 Side channel attacks 520
  15.7 Notes 520
  15.8 Chapter summary 520
  15.9 Exercises 520

16 Elliptic curve cryptography and pairings 521
  16.1 The group of points of an elliptic curve 521
  16.2 Pairings 521
  16.3 Signature schemes from pairings 521
  16.4 Advanced encryption schemes from pairings 521
    16.4.1 Identity based encryption 521
    16.4.2 Attribute based encryption 521

17 Lattice based cryptography 522
  17.1 Integer lattices 522
  17.2 Hard problems on lattices 522
    17.2.1 The SIS problem 522
    17.2.2 The learning with errors (LWE) problem 522
  17.3 Signatures from lattice problems 522
  17.4 Public-key encryption using lattices 522

III Protocols 523

18 Identification protocols 525
  18.1 Definitions 527
  18.2 Password protocols: security against direct attacks 528
    18.2.1 Weak passwords and dictionary attacks 529
    18.2.2 Preventing dictionary attacks: salts, peppers, and slow hashing 531
    18.2.3 More password management issues 534
    18.2.4 Case study: UNIX and Windows passwords 535
  18.3 One time passwords: security against eavesdropping 536
    18.3.1 The SecurID system 538
    18.3.2 The S/key system 539
  18.4 Challenge-response: security against active attacks 541
    18.4.1 Challenge-response protocols 543
    18.4.2 Concurrent attacks versus sequential attacks 545
  18.5 Notes 545
  18.6 Chapter summary 546
  18.7 Exercises 546

19 Signatures from identification protocols 550
  19.1 Schnorr's identification protocol 550
  19.2 Honest verifier zero knowledge and security against eavesdropping 554
  19.3 The Guillou-Quisquater identification protocol 556
  19.4 From identification protocols to signatures 559
    19.4.1 Σ-protocols 559
    19.4.2 Signature construction 560
    19.4.3 The Schnorr signature scheme 562
    19.4.4 The GQ signature scheme 565
  19.5 Secure against active attacks: OR proofs 566
  19.6 Okamoto's identification protocol 570
  19.7 Case study: the digital signature standard (DSS) 574
    19.7.1 Comparing signature schemes
574 19.8 Notes............................................ 574 19.9 Chapter summary..................................... 574 19.10Exercises.......................................... 574 20 Authenticated Key Exchange 575 20.1 Introduction......................................... 575 20.2 Identification and AKE.................................. 577 20.3 An encryption-based protocol............................... 578 20.3.1 Insecure variations................................. 580 20.3.2 Summary...................................... 586 20.4 Forward secrecy and an ephemeral encryption-based protocol............. 586 20.4.1 Insecure variations................................. 588 20.5 Formal definitions..................................... 592 20.6 Security of protocol EBKE................................. 596 12

20.7 Security of protocol EEBKE................................. 597 20.8 Explicit key confirmation................................. 598 20.9 Identity protection..................................... 599 20.9.1 Insecure variations................................. 601 20.10One-sided authenticated key exchange.......................... 602 20.10.1 One-sided authenticated variants of protocols EBKE and EEBKE......... 603 20.10.2 Real-world security: phishing attacks....................... 604 20.11Password authenticated key exchange.......................... 606 20.11.1 Protocol PAKE 0................................... 607 20.11.2 Protocol PAKE 1................................... 608 20.11.3 Protocol PAKE 2................................... 610 20.11.4 Protocol PAKE + 2................................... 612 20.11.5 Explicit key confirmation............................. 614 20.11.6 Generic protection against server compromise.................. 614 20.11.7 Phishing again................................... 614 20.12Case studies......................................... 615 20.12.1 SSL......................................... 615 20.12.2 IKE2......................................... 615 20.13Further topics........................................ 615 20.14Notes............................................ 615 20.15Chapter Summary..................................... 615 20.16Exercises.......................................... 615 21 Key establishment with online Trusted Third Parties 616 21.1 A key exchange protocol with an online TTP...................... 617 21.2 Insecure variations of protocol OnlineTTP........................ 619 21.3 Security proof for protocol OnlineTTP.......................... 624 21.4 Case study: Kerberos V5................................. 624 21.5 O ine TTP vs. Online TTP............................... 628 21.6 Notes............................................ 629 21.7 Chapter summary..................................... 
629 21.8 Exercises.......................................... 629 22 Two-party and multi-party secure computation 630 22.1 Yao s two party protocol.................................. 630 22.2 Multi-party secure computation.............................. 630 IV Appendices 631 A Basic number theory 632 A.1 Cyclic groups........................................ 632 A.2 Arithmetic modulo primes................................. 632 A.2.1 Basic concepts................................... 632 A.2.2 Structure of Z p................................... 633 A.2.3 Quadratic residues................................. 633 13

A.2.4 Computing in Z p.................................. 634 A.2.5 Summary: arithmetic modulo primes....................... 634 A.3 Arithmetic modulo composites.............................. 635 B Basic probability theory 637 B.1 Birthday Paradox...................................... 637 B.1.1 More collision bounds............................... 639 B.1.2 A simple distinguisher............................... 639 C Basic complexity theory 641 D Probabilistic algorithms 642 14

Part I

Secret key cryptography

Chapter 2

Encryption

Roughly speaking, encryption is the problem of how two parties can communicate in secret in the presence of an eavesdropper. The main goals of this chapter are to develop a meaningful and useful definition of what we are trying to achieve, and to take some first steps in actually achieving it.

2.1 Introduction

Suppose Alice and Bob share a secret key k, and Alice wants to transmit a message m to Bob over a network while maintaining the secrecy of m in the presence of an eavesdropping adversary. This chapter begins the development of basic techniques to solve this problem. Besides transmitting a message over a network, these same techniques allow Alice to store a file on a disk so that no one with access to the disk can read the file, but Alice herself can read the file at a later time.

We should stress that while the techniques we develop to solve this fundamental problem are important and interesting, they do not by themselves solve all problems related to secure communication.

• The techniques only provide secrecy in the situation where Alice transmits a single message per key. If Alice wants to secretly transmit several messages using the same key, then she must use methods developed in Chapter 5.

• The techniques do not provide any assurances of message integrity: if the attacker has the ability to modify the bits of the ciphertext while it travels from Alice to Bob, then Bob may not realize that this happened, and accept a message other than the one that Alice sent. We will discuss techniques for providing message integrity in Chapter 6.

• The techniques do not provide a mechanism that allows Alice and Bob to come to share a secret key in the first place. Maybe they are able to do this using some secure network (or a physical, face-to-face meeting) at some point in time, while the message is sent at some later time when Alice and Bob must communicate over an insecure network. However, with an appropriate infrastructure in place, there are also protocols that allow Alice and Bob to exchange a secret key even over an insecure network: such protocols are discussed in Chapters 20 and 21.

2.2 Shannon ciphers and perfect security

2.2.1 Definition of a Shannon cipher

The basic mechanism for encrypting a message using a shared secret key is called a cipher (or encryption scheme). In this section, we introduce a slightly simplified notion of a cipher, which we call a Shannon cipher.

A Shannon cipher is a pair $\mathcal{E} = (E, D)$ of functions.

• The function E (the encryption function) takes as input a key k and a message m (also called a plaintext), and produces as output a ciphertext c. That is, c = E(k, m), and we say that c is the encryption of m under k.

• The function D (the decryption function) takes as input a key k and a ciphertext c, and produces a message m. That is, m = D(k, c), and we say that m is the decryption of c under k.

• We require that decryption undoes encryption; that is, the cipher must satisfy the following correctness property: for all keys k and all messages m, we have D(k, E(k, m)) = m.

To be slightly more formal, let us assume that $\mathcal{K}$ is the set of all keys (the key space), $\mathcal{M}$ is the set of all messages (the message space), and that $\mathcal{C}$ is the set of all ciphertexts (the ciphertext space). With this notation, we can write:

$E : \mathcal{K} \times \mathcal{M} \to \mathcal{C}, \qquad D : \mathcal{K} \times \mathcal{C} \to \mathcal{M}.$

Also, we shall say that $\mathcal{E}$ is defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$.

Suppose Alice and Bob want to use such a cipher so that Alice can send a message to Bob. The idea is that Alice and Bob must somehow agree in advance on a key $k \in \mathcal{K}$. Assuming this is done, then when Alice wants to send a message $m \in \mathcal{M}$ to Bob, she encrypts m under k, obtaining the ciphertext $c = E(k, m) \in \mathcal{C}$, and then sends c to Bob via some communication network. Upon receiving c, Bob decrypts c under k, and the correctness property ensures that D(k, c) is the same as Alice's original message m. For this to work, we have to assume that c is not tampered with in transit from Alice to Bob. Of course, the goal, intuitively, is that an eavesdropper, who may obtain c while it is in transit, does not learn too much about Alice's message m; this intuitive notion is what the formal definition of security, which we explore below, will capture.

In practice, keys, messages, and ciphertexts are often sequences of bytes. Keys are usually of some fixed length; for example, 16-byte (i.e., 128-bit) keys are very common. Messages and ciphertexts may be sequences of bytes of some fixed length, or of variable length. For example, a message may be a 1GB video file, a 10MB music file, a 1KB email message, or even a single bit encoding a yes or no vote in an electronic election.

Keys, messages, and ciphertexts may also be other types of mathematical objects, such as integers, or tuples of integers (perhaps lying in some specified interval), or other, more sophisticated types of mathematical objects (polynomials, matrices, or group elements). Regardless of how fancy these mathematical objects are, in practice, they must at some point be represented as sequences of bytes for purposes of storage in, and transmission between, computers.

For simplicity, in our mathematical treatment of ciphers, we shall assume that $\mathcal{K}$, $\mathcal{M}$, and $\mathcal{C}$ are sets of finite size. While this simplifies the theory, it means that if a real-world system allows messages of unbounded length, we will (somewhat artificially) impose a (large) upper bound on legal message lengths.

To exercise the above terminology, we take another look at some of the example ciphers discussed in Chapter 1.

Example 2.1. A one-time pad is a Shannon cipher $\mathcal{E} = (E, D)$, where the keys, messages, and ciphertexts are bit strings of the same length; that is, $\mathcal{E}$ is defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$, where $\mathcal{K} := \mathcal{M} := \mathcal{C} := \{0,1\}^L$, for some fixed parameter L. For a key $k \in \{0,1\}^L$ and a message $m \in \{0,1\}^L$ the encryption function is defined as follows:

$E(k, m) := k \oplus m,$

and for a key $k \in \{0,1\}^L$ and ciphertext $c \in \{0,1\}^L$, the decryption function is defined as follows:

$D(k, c) := k \oplus c.$

Here, $\oplus$ denotes bit-wise exclusive-or, or in other words, component-wise addition modulo 2, and satisfies the following algebraic laws: for all bit vectors $x, y, z \in \{0,1\}^L$, we have

$x \oplus y = y \oplus x, \qquad x \oplus (y \oplus z) = (x \oplus y) \oplus z, \qquad x \oplus 0^L = x, \qquad \text{and} \qquad x \oplus x = 0^L.$

These properties follow immediately from the corresponding properties for addition modulo 2. Using these properties, it is easy to check that the correctness property holds for $\mathcal{E}$: for all $k, m \in \{0,1\}^L$, we have

$D(k, E(k, m)) = D(k, k \oplus m) = k \oplus (k \oplus m) = (k \oplus k) \oplus m = 0^L \oplus m = m.$

The encryption and decryption functions happen to be the same in this case, but of course, not all ciphers have this property. □

Example 2.2.
A variable length one-time pad is a Shannon cipher $\mathcal{E} = (E, D)$, where the keys are bit strings of some fixed length L, while messages and ciphertexts are variable length bit strings, of length at most L. Thus, $\mathcal{E}$ is defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$, where $\mathcal{K} := \{0,1\}^L$ and $\mathcal{M} := \mathcal{C} := \{0,1\}^{\le L}$, for some parameter L. Here, $\{0,1\}^{\le L}$ denotes the set of all bit strings of length at most L (including the empty string). For a key $k \in \{0,1\}^L$ and a message $m \in \{0,1\}^{\le L}$ of length $\ell$, the encryption function is defined as follows:

$E(k, m) := k[0 .. \ell - 1] \oplus m,$

and for a key $k \in \{0,1\}^L$ and ciphertext $c \in \{0,1\}^{\le L}$ of length $\ell$, the decryption function is defined as follows:

$D(k, c) := k[0 .. \ell - 1] \oplus c.$

Here, $k[0 .. \ell - 1]$ denotes the truncation of k to its first $\ell$ bits. The reader may verify that the correctness property holds for $\mathcal{E}$. □

Example 2.3. A substitution cipher is a Shannon cipher $\mathcal{E} = (E, D)$ of the following form. Let $\Sigma$ be a finite alphabet of symbols (e.g., the letters A to Z, plus a space symbol). The message space $\mathcal{M}$ and the ciphertext space $\mathcal{C}$ are both sequences of symbols from $\Sigma$ of some fixed length L: $\mathcal{M} := \mathcal{C} := \Sigma^L$. The key space $\mathcal{K}$ consists of all permutations on $\Sigma$; that is, each $k \in \mathcal{K}$ is a one-to-one function from $\Sigma$ onto itself. Note that $\mathcal{K}$ is a very large set; indeed, $|\mathcal{K}| = |\Sigma|!$ (for $|\Sigma| = 27$, $|\mathcal{K}| \approx 1.09 \cdot 10^{28}$). Encryption of a message $m \in \Sigma^L$ under a key $k \in \mathcal{K}$ (a permutation on $\Sigma$) is defined as follows:

$E(k, m) := (k(m[0]), k(m[1]), \ldots, k(m[L-1])),$

where m[i] denotes the ith entry of m (counting from zero), and k(m[i]) denotes the application of the permutation k to the symbol m[i]. Thus, to encrypt m under k, we simply apply the permutation k component-wise to the sequence m. Decryption of a ciphertext $c \in \Sigma^L$ under a key $k \in \mathcal{K}$ is defined as follows:

$D(k, c) := (k^{-1}(c[0]), k^{-1}(c[1]), \ldots, k^{-1}(c[L-1])).$

Here, $k^{-1}$ is the inverse permutation of k, and to decrypt c under k, we simply apply $k^{-1}$ component-wise to the sequence c. The correctness property is easily verified: for a message $m \in \Sigma^L$ and key $k \in \mathcal{K}$, we have

$D(k, E(k, m)) = D(k, (k(m[0]), k(m[1]), \ldots, k(m[L-1]))) = (k^{-1}(k(m[0])), k^{-1}(k(m[1])), \ldots, k^{-1}(k(m[L-1]))) = (m[0], m[1], \ldots, m[L-1]) = m.$ □

Example 2.4 (additive one-time pad). We may also define an addition mod n variation of the one-time pad. This is a cipher $\mathcal{E} = (E, D)$, defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$, where $\mathcal{K} := \mathcal{M} := \mathcal{C} := \{0, \ldots, n-1\}$, where n is a positive integer. Encryption and decryption are defined as follows:

$E(k, m) := m + k \bmod n, \qquad D(k, c) := c - k \bmod n.$

The reader may easily verify that the correctness property holds for $\mathcal{E}$. □
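The four ciphers of Examples 2.1 to 2.4 as executable (E, D) pairs, with the correctness property checked exhaustively over small constructed parameters. This is an added example, not code from the book; the values L = 3, n = 5 and the alphabet "ABC" are chosen here only so that the key and message spaces can be enumerated completely. The key_count helper counts how many keys map a given message to a given ciphertext, which is the quantity the discussion of perfect security below reasons about.

```python
import itertools

# Example 2.1: one-time pad over {0,1}^L; bit strings are tuples of 0/1 ints.
def otp_encrypt(k, m):
    assert len(k) == len(m)
    return tuple(a ^ b for a, b in zip(k, m))

def otp_decrypt(k, c):
    return otp_encrypt(k, c)  # E and D coincide for the one-time pad

# Example 2.2: variable-length one-time pad; |k| = L, |m| = l <= L,
# and only the first l bits of k are used.
def vlotp_encrypt(k, m):
    assert len(m) <= len(k)
    return tuple(a ^ b for a, b in zip(k[:len(m)], m))

def vlotp_decrypt(k, c):
    return vlotp_encrypt(k, c)

# Example 2.3: substitution cipher; a key is a permutation of the alphabet,
# represented as a dict mapping each symbol to its image.
def subst_encrypt(k, m):
    return "".join(k[s] for s in m)

def subst_decrypt(k, c):
    inv = {v: u for u, v in k.items()}  # the inverse permutation k^-1
    return "".join(inv[s] for s in c)

# Example 2.4: additive one-time pad over {0, ..., n-1}.
def add_encrypt(k, m, n):
    return (m + k) % n

def add_decrypt(k, c, n):
    return (c - k) % n

def bitstrings(length):
    return [tuple(b) for b in itertools.product((0, 1), repeat=length)]

def all_permutations(alphabet):
    return [dict(zip(alphabet, p)) for p in itertools.permutations(alphabet)]

def correctness_holds(E, D, keys, messages):
    """Exhaustively check D(k, E(k, m)) == m for every key and message."""
    return all(D(k, E(k, m)) == m for k in keys for m in messages)

def key_count(E, keys, m, c):
    """Number of keys k with E(k, m) == c, for a fixed m and c."""
    return sum(1 for k in keys if E(k, m) == c)

# Constructed parameters, small enough to enumerate K and M completely.
L, N, ALPHABET = 3, 5, "ABC"

def check_all():
    """True iff all four ciphers satisfy the correctness property."""
    keys = bitstrings(L)
    ok_otp = correctness_holds(otp_encrypt, otp_decrypt, keys, bitstrings(L))
    short = [m for l in range(L + 1) for m in bitstrings(l)]
    ok_vl = correctness_holds(vlotp_encrypt, vlotp_decrypt, keys, short)
    perms = all_permutations(ALPHABET)
    msgs = ["".join(t) for t in itertools.product(ALPHABET, repeat=2)]
    ok_subst = correctness_holds(subst_encrypt, subst_decrypt, perms, msgs)
    ok_add = correctness_holds(lambda k, m: add_encrypt(k, m, N),
                               lambda k, c: add_decrypt(k, c, N),
                               range(N), range(N))
    return ok_otp and ok_vl and ok_subst and ok_add

if __name__ == "__main__":
    print("correctness holds:", check_all())
```

For the one-time pad exactly one key maps any m to any c, whereas for the substitution cipher over "ABC" two of the six permutations send "AA" to "BB" and none sends "AB" to "BB", so the key counts there depend on the message.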
2.2.2 Perfect security

So far, we have just defined the basic syntax and correctness requirements of a Shannon cipher. Next, we address the question: what is a secure cipher? Intuitively, the answer is that a secure cipher is one for which an encrypted message remains well hidden, even after seeing its encryption. However, turning this intuitive answer into one that is both mathematically meaningful and practically relevant is a real challenge. Indeed, although ciphers have been used for centuries, it is only in the last few decades that mathematically acceptable definitions of security have been developed.

In this section, we develop the mathematical notion of perfect security; this is the gold standard for security (at least, when we are only worried about encrypting a single message and do not care about integrity). We will also see that it is possible to achieve this level of security; indeed, we will show that the one-time pad satisfies the definition. However, the one-time pad is not very practical, in the sense that the keys must be as long as the messages: if Alice wants to send a 1GB file to Bob, they must already share a 1GB key! Unfortunately, this cannot be avoided: we will also prove that any perfectly secure cipher must have a key space at least as large as its message space. This fact provides the motivation for developing a definition of security that is weaker, but that is acceptable from a practical point of view, and which allows one to encrypt long messages using short keys.

If Alice encrypts a message m under a key k, and an eavesdropping adversary obtains the ciphertext c, Alice only has a hope of keeping m secret if the key k is hard to guess, and that means, at the very least, that the key k should be chosen at random from a large key space. To say that m is well hidden must at least mean that it is hard to completely determine m from c, without knowledge of k; however, this is not really enough. Even though the adversary may not know k, we assume that he does know the encryption algorithm and the distribution of k. In fact, we will assume that when a message is encrypted, the key k is always chosen at random, uniformly from among all keys in the key space. The adversary may also have some knowledge of the message encrypted; because of circumstances, he may know that the set of possible messages is quite small, and he may know something about how likely each possible message is.

For example, suppose he knows the message m is either $m_0$ = "ATTACK AT DAWN" or $m_1$ = "ATTACK AT DUSK", and that based on the adversary's available intelligence, Alice is equally likely to choose either one of these two messages. Thus, without seeing the ciphertext c, the adversary would only have a 50% chance of guessing which message Alice sent. But we are assuming the adversary does know c. Even with this knowledge, both messages may be possible; that is, there may exist keys $k_0$ and $k_1$ such that $E(k_0, m_0) = c$ and $E(k_1, m_1) = c$, so he cannot be sure if $m = m_0$ or $m = m_1$. However, he can still guess. Perhaps it is a property of the cipher that there are 800 keys $k_0$ such that $E(k_0, m_0) = c$, and 600 keys $k_1$ such that $E(k_1, m_1) = c$. If that is the case, the adversary's best guess would be that $m = m_0$. Indeed, the probability that this guess is correct is equal to $800/(800 + 600) \approx 57\%$, which is better than the 50% chance he would have without knowledge of the ciphertext. Our formal definition of perfect security expressly rules out the possibility that knowledge of the ciphertext increases the probability of guessing the encrypted message, or for that matter, determining any property of the message whatsoever.

Without further ado, we formally define perfect security. In this definition, we will consider a probabilistic experiment in which a key is drawn uniformly from the key space. We write $\mathsf{k}$ to denote the random variable representing this random key. For a message m, $E(\mathsf{k}, m)$ is another random variable, which represents the application of the encryption function to our random key and the message m. Thus, every message m gives rise to a different random variable $E(\mathsf{k}, m)$.

Definition 2.1 (perfect security). Let $\mathcal{E} = (E, D)$ be a Shannon cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Consider a probabilistic experiment in which the random variable $\mathsf{k}$ is uniformly distributed over $\mathcal{K}$. If for all $m_0, m_1 \in \mathcal{M}$, and all $c \in \mathcal{C}$, we have

$\Pr[E(\mathsf{k}, m_0) = c] = \Pr[E(\mathsf{k}, m_1) = c],$