Modern Cryptography
COMP 443 / 543, Chapter 1
Alptekin Küpçü
Computer Science and Engineering, Koç University
Outline of the Course
Historical Perspective
Theoretically UNBREAKABLE System
Defining (symmetric) Encryption
One-way Functions, Hash Functions, Pseudo-Random Number Generators
Public-key (asymmetric) Encryption
Digital Signatures
Random Oracle Model
Zero-Knowledge Proofs
Protocols using Cryptography (e.g., SSL, BitTorrent)
Uses of Cryptography
Military
Anti-military
Electronic payments (e.g., Amazon)
Checking e-mail (e.g., Gmail)
Operating Systems (e.g., file sharing)
DVD protection
File encryption
Many more complex protocols using cryptography (e.g., BitTorrent)
Encryption (private-key, secret-key, symmetric)
Algorithms: Key generation (KeyGen), Encryption (Enc), Decryption (Dec)
Spaces: Key space K, Message space M, Ciphertext space C
Properties: Correctness (decrypting with the right key returns the original message); Hidden from eavesdropper
Assumptions: Key pre-shared; Key unknown to attacker
Only the key and the plaintext are unknown to the attacker; the algorithms themselves are assumed to be known (Kerckhoffs' principle)
Security through obscurity does not hold up: reverse engineering recovers the algorithm
Easier to change keys than algorithms
Open cryptographic design
Caesar Cipher
Rotate 3
ciphertext character = plaintext character + 3 mod 26 (why 26?)
Enc(merhaba dünyalı) = ? (Turkish for "hello world"; note the letters outside A-Z)
Dec(EHJLQWKHDWWDFNQRZ) = ?
KeyGen, Enc, Dec algorithms?
Why so easy to break?
Because there is no secret key!
The key generation algorithm is deterministic!
General Shift Cipher
Rotate R (R = 3 ⇒ Caesar)
ciphertext character = plaintext character + R mod 26
What is the key and the key space?
How to crack?
Exhaustive search of the 26 possible keys (25 if R = 0, which leaves the message unchanged, is excluded).
Why so easy to break?
Because the key space is too small!
Substitution Cipher
Substitute each character with another character, using a fixed one-to-one mapping (a permutation of the alphabet) chosen at random when the key is generated.
e.g., A with C, B with Z, C with H ...
What is the key and the key space?
How to crack?
Exhaustive search requires 26! (about 4 × 10^26, roughly 88 bits) tries; does not work.
Still easy to break using frequency analysis attacks, why?
Because the frequency of each character in the ciphertext matches the frequency of the character it replaces in the plaintext ⇒ use well-known frequency information about the plaintext language (e.g., E is the most common letter in English).
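The following is an added example, not code from the lecture: it implements a random substitution cipher and shows concretely why a 26! key space does not protect it. The histogram of ciphertext letters is exactly the histogram of plaintext letters with the labels permuted, so pairing ciphertext letters with English letters of the same frequency rank recovers the table entry for E (and typically several more) from a few hundred characters. The sample text and the English frequency order are constructed assumptions of the example, not data from the slides.

```python
# Added example (not from the lecture slides): a random substitution cipher and
# why its 26! keys do not save it from frequency analysis.
import math
import random
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# English letters from most to least frequent: the "well-known" plaintext
# statistic the attacker is assumed to have (approximate, assumption).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

def keygen(rng=random):
    """KeyGen: a uniformly random permutation of the alphabet, 26! choices."""
    perm = list(ALPHABET)
    rng.shuffle(perm)
    return dict(zip(ALPHABET, perm))

def key_space_size():
    return math.factorial(26)

def substitute(text, table):
    """Apply a letter-to-letter table; other characters pass through."""
    return "".join(table.get(ch, ch) for ch in text.upper())

def encrypt(plaintext, key):
    return substitute(plaintext, key)

def decrypt(ciphertext, key):
    inverse = {c: p for p, c in key.items()}
    return substitute(ciphertext, inverse)

def histogram(text):
    """Letter counts of a text, ignoring spaces and punctuation."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)

def frequency_attack(ciphertext):
    """Ciphertext-only attack: a fixed substitution only relabels the letters,
    so the ciphertext histogram is the plaintext histogram in disguise.  Pair
    ciphertext letters with English letters of the same frequency rank; this
    gives a partial inverse table that an analyst then refines by hand using
    digraphs and common words (THE, AND, ...)."""
    ranked = [ch for ch, _ in histogram(ciphertext).most_common()]
    return dict(zip(ranked, ENGLISH_ORDER))

def correct_entries(guess, key):
    """How many plaintext letters the guessed inverse table gets right."""
    return sum(1 for p, c in key.items() if guess.get(c) == p)

# Constructed sample text (ordinary English, so E is clearly the top letter).
SAMPLE = ("THE ESSENCE OF THE FREQUENCY ATTACK IS THAT ENCRYPTION BY A FIXED TABLE "
          "NEVER CHANGES HOW OFTEN EACH LETTER APPEARS EVERY LETTER E IN THE MESSAGE "
          "BECOMES THE SAME CIPHERTEXT LETTER SO THE MOST FREQUENT CIPHERTEXT LETTER "
          "IS ALMOST CERTAINLY THE ENCRYPTION OF E AND THE REST OF THE TABLE IS "
          "RECOVERED FROM THE OTHER FREQUENCIES AND FROM COMMON WORDS LIKE THE AND THAT")

if __name__ == "__main__":
    key = keygen(random.Random(2024))
    ct = encrypt(SAMPLE, key)
    guess = frequency_attack(ct)
    print("key space size:", key_space_size())
    print("histogram preserved:",
          sorted(histogram(ct).values()) == sorted(histogram(SAMPLE).values()))
    print("guessed plaintext:", substitute(ct, guess))
    print("correct table entries:", correct_entries(guess, key), "of 26")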
Vigenère (Poly-alphabetic substitution) Cipher
Substitute each character with another character; the mapping used at each position changes depending on the corresponding key character, so the same plaintext letter no longer always maps to the same ciphertext letter.
e.g., A with C when the key character is Z and with T when it is F, ... B with Z when the key character is Z and with G when it is F ...
In the classical Vigenère cipher the mapping selected by key character k_j is simply the shift by k_j: ciphertext character i = plaintext character i + k_(i mod |key|) mod 26.
What is the key and the key space?
How to crack?
Simple frequency analysis does not work. But if the key length is k characters, group the ciphertext positions into k classes by position mod k; every class was encrypted with a single mapping (a single shift), so perform frequency analysis on each class separately. (An unknown k can be tried in turn, or estimated with the Kasiski test or the index of coincidence.)
What about known-plaintext attack?
Then all these schemes trivially break. How??
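The following is an added example, not code from the lecture, and it serves both the Caesar / general shift cipher slides above and this Vigenère slide. It implements the shift cipher with the 26-key exhaustive search, the Vigenère cipher with the "split into k classes and attack each as a shift cipher" method, and the known-plaintext attack that breaks both with no statistics. Two assumptions not on the slides: the "looks like English" judgement is automated with a chi-squared distance to an approximate English letter-frequency table, and the sample text is constructed for the demo. Characters outside A-Z (spaces, the Turkish ü and ı of "dünyalı") are passed through unchanged, which is the "why 26?" question made visible.

```python
# Added example (not from the lecture slides): the shift cipher and its 26-key
# brute force, the Vigenere cipher with the "k classes" attack, and the
# known-plaintext attack.  Sample texts and the frequency table are constructed
# assumptions of this demo.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the "why 26?": only these are shifted
# Approximate English letter frequencies in percent: the well-known plaintext
# statistics an attacker is assumed to have.
ENGLISH = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

def shift_char(ch, r):
    """Rotate one letter by r places; anything outside A..Z (spaces, the
    Turkish letters in 'dunyali') is passed through untouched."""
    i = ALPHABET.find(ch)
    return ch if i < 0 else ALPHABET[(i + r) % 26]

def shift_enc(plaintext, r):
    """General shift cipher with key R = r; r = 3 is the Caesar cipher."""
    return "".join(shift_char(ch, r) for ch in plaintext.upper())

def shift_dec(ciphertext, r):
    return shift_enc(ciphertext, -r)

def chi_squared(text):
    """Distance between the letter histogram of text and English; the
    candidate plaintext with the smallest value is the one that 'reads like
    English' (the judgement is automated here instead of done by eye)."""
    letters = [ch for ch in text if ch in ALPHABET]
    counts, n = Counter(letters), len(letters)
    return sum((counts[ch] - ENGLISH[ch] * n / 100) ** 2 / (ENGLISH[ch] * n / 100)
               for ch in ALPHABET)

def crack_shift(ciphertext):
    """Ciphertext-only attack: the key space has only 26 elements, so try
    every key and keep the one whose decryption looks most like English."""
    return min(range(26), key=lambda r: chi_squared(shift_dec(ciphertext, r)))

def vigenere_enc(plaintext, key):
    """Classical Vigenere: letter number i is shifted by key[i mod len(key)],
    so one plaintext letter can become different ciphertext letters."""
    out, i = [], 0
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(shift_char(ch, ALPHABET.index(key[i % len(key)])))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def vigenere_dec(ciphertext, key):
    inverse = "".join(ALPHABET[-ALPHABET.index(k) % 26] for k in key)
    return vigenere_enc(ciphertext, inverse)

def crack_vigenere(ciphertext, key_len):
    """Ciphertext-only attack given the key length k: letters at positions
    j, j+k, j+2k, ... all received the same shift, so each of the k classes is
    a plain shift cipher and falls to the 26-key search above."""
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    classes = ["".join(letters[j::key_len]) for j in range(key_len)]
    return "".join(ALPHABET[crack_shift(cls)] for cls in classes)

def known_plaintext_vigenere(plaintext, ciphertext, key_len):
    """Known-plaintext attack: k aligned (plaintext, ciphertext) letter pairs
    give the whole key as c - p, with no statistics at all.  For the shift
    cipher one pair suffices; for a substitution cipher each pair reveals one
    entry of the table."""
    p = [ch for ch in plaintext.upper() if ch in ALPHABET][:key_len]
    c = [ch for ch in ciphertext.upper() if ch in ALPHABET][:key_len]
    return "".join(ALPHABET[(ALPHABET.index(cc) - ALPHABET.index(pp)) % 26]
                   for pp, cc in zip(p, c))

# Constructed sample; long enough that every class keeps English statistics.
SAMPLE = ("THE SHIFT CIPHER HAS ONLY TWENTY SIX KEYS SO AN ATTACKER SIMPLY TRIES "
          "EVERY ONE OF THEM AND KEEPS THE OUTPUT THAT READS LIKE ENGLISH THE "
          "VIGENERE CIPHER IS HARDER BECAUSE THE SAME LETTER CAN BE SENT TO "
          "DIFFERENT LETTERS BUT IF THE KEY LENGTH IS KNOWN THE LETTERS IN EACH "
          "POSITION CLASS SHARE ONE SHIFT AND THE STATISTICS OF ENGLISH TEXT "
          "STILL LEAK THE KEY")

if __name__ == "__main__":
    print(shift_enc("merhaba dünyalı", 3))      # Caesar, R = 3; ü passes through
    print(shift_dec("EHJLQWKHDWWDFNQRZ", 3))
    ct = shift_enc(SAMPLE, 17)
    print("shift key recovered:", crack_shift(ct))
    vct = vigenere_enc(SAMPLE, "KOC")
    print("vigenere key recovered:", crack_vigenere(vct, 3))
    print("known-plaintext key:", known_plaintext_vigenere(SAMPLE, vct, 3))
```

Note what changes between the attacks: crack_shift and crack_vigenere need a few hundred ciphertext characters of ordinary text, while known_plaintext_vigenere needs only k characters of plaintext alongside their ciphertext. That is the "trivially break" on the slide: the key is a simple function of one plaintext/ciphertext pair per key position.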
Possible Attacks ( = Adversarial Model )
Ciphertext only (single or multiple) ( = Eavesdropper) (passive)
Easy to mount (especially with wireless)
Known-plaintext (passive)
Known protocol (protocol messages with fixed, predictable content)
Plaintext published later on (e.g., encrypted earnings reports that are released afterwards)
Chosen plaintext (CPA) (active)
Chosen ciphertext (CCA) (active)
Generally differentiate between CCA-1 and CCA-2 (later). When only CCA is said, assume CCA-2.
Active attacks were used in WW2 (see textbook)
Which security level one needs depends on the application!!
Modern Cryptography
Principle 1
Precise and formal definition (of security) must be presented.
Principle 2
Assumptions must be completely and clearly stated, and should be minimal and basic.
Principle 3
Rigorous proof of security must be given.
Principle 1: Defining Security
If we do not know what to achieve, how do we realize when and whether or not it is achieved?
When the cryptographic construction is used in another system, how do we know it fits without knowing the definition?
How can we compare two different constructions?
Formal Definition of Secure Encryption
An encryption scheme is secure if ... (successive attempts, each followed by the counterexample that defeats it)
no adversary can find the secret key when given the ciphertext
Counterexample: Enc(x) = x satisfies this (there is no key to find) and hides nothing.
no adversary can find the plaintext that corresponds to the ciphertext
Counterexample: Enc(x) = most (or even part) of x, e.g., salary information without the rightmost digit.
no adversary can determine any character of the plaintext that corresponds to the ciphertext
Counterexample: a scheme that reveals no single character but reveals whether or not salary > 10000 TL.
no adversary can derive any meaningful information about the plaintext from the ciphertext
Can you define "meaningful"? It may be application-specific.
no adversary can compute any function of the plaintext from the ciphertext
Good, now formalize this.
Formal Definition of Security
A formal definition of security must also define
1. What is considered a break?
e.g., finding the key, or computing whether salary > 10000 TL
2. What are the adversary's powers?
e.g., ciphertext-only attack vs. known-plaintext attack
3. What are the adversary's computational resources?
unbounded vs. probabilistic polynomial time
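As an added worked formalization (not on the slides), here is one standard way to turn the last attempt of the previous slide, "no adversary can compute any function of the plaintext from the ciphertext", into a definition that answers all three questions above: semantic security, due to Goldwasser and Micali. For a private-key scheme $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ with security parameter $n$, $\Pi$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) adversary $A$ there is a PPT algorithm $A'$ such that, for every efficiently sampleable distribution $X$ over messages and all polynomial-time computable functions $f$ and $h$,

$$
\left|\;
\Pr_{\substack{k \leftarrow \mathsf{KeyGen}(1^n)\\ m \leftarrow X}}
\big[ A(1^n, \mathsf{Enc}_k(m), h(m)) = f(m) \big]
\;-\;
\Pr_{m \leftarrow X}
\big[ A'(1^n, 1^{|m|}, h(m)) = f(m) \big]
\;\right|
\le \mathsf{negl}(n) .
$$

Read against the three items:

1. Break: computing any $f(m)$ noticeably more often than a simulator $A'$ that never sees the ciphertext and knows only the message length $|m|$ and the same side information $h(m)$. Every counterexample from the previous slide fails it: $\mathsf{Enc}(x) = x$ with $f$ the identity, "all but the rightmost digit" with $f$ equal to that prefix, and the threshold leak with $f(m) = [\,m > 10000\ \mathrm{TL}\,]$.
2. Powers: as written, a single-ciphertext eavesdropper (ciphertext-only). Giving $A$ oracle access to $\mathsf{Enc}_k(\cdot)$ models CPA; giving it $\mathsf{Dec}_k(\cdot)$ as well models CCA.
3. Resources: PPT adversaries and a negligible advantage. Allowing an unbounded $A$ and demanding that the difference be exactly $0$ yields the information-theoretic notion (perfect secrecy), which is what a one-time pad achieves.

The length $|m|$ is handed to $A'$ on purpose: no practical scheme hides message length, so the definition does not ask for it.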
Good Definition of Security
A good definition of security shall be
mathematical, so that it is precise and comparable
intuitive, i.e., equivalent to similar intuitive definitions
exemplified
a survivor of the test of time
Principle 2: Clear Assumptions
Validation or invalidation of an assumption should be possible; such a result carries over to every proof of security that relies on it.
Assumptions may help in comparing schemes. "Standard" assumptions are preferable:
older assumptions (studied longer), simpler assumptions, shared assumptions (used by many schemes)
In modern (computational) cryptography, nothing can be proven secure without assumptions.
Principle 3: Rigorous Proofs
Yes, bugs exist in ordinary software too, but there they generally surface during non-adversarial usage.
With cryptography, there are specialized adversaries (akin to virus writers):
huge gains for the attacker, sophisticated attackers, huge losses for the victim (e.g., a bank)
A typical proof for a scheme X shows, using a constructive argument, that if X is broken, some assumption Y is violated. In other words, the proof must show:
if there exists an algorithm A for breaking X, then we can construct an algorithm B for breaking Y
if A is efficient, then so is B
the proof cannot present A (in which case X would already be broken), but must present (pseudocode of) B, which uses A as a black-box subroutine.
Final Words
A coding assignment may be given on cracking the ciphers presented in this lecture.
Remember, cheating = F (no second chance will be given)
Solve end-of-chapter exercises 1.3 - 1.6
Finish reading Chapters 1 and 2
Read about the mathematical background: Appendices A and B of the textbook