Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern...

Upload
cliffordcobb 
Category
Documents

view
220 
download
0
Embed Size (px)
description
Transcript of Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern...
Cryptography
Lecture 2
Arpita Patra
Recall>> Crypto: Past and Present (aka Classical vs. Modern Cryto)
o Scopeo Scientific Basis (Formal Def. + Precise Assumption + Rigorous Proof)o Endusers
>> Secure Communication in Secret Key Setting
Secret Key Encryption (SKE)
>> Learn From the Blunders of Classical SKE
o Algorithms of SKE (in general in crypto) must be PUBLICo Secret Key Space Must be large enough to fail brute forceo No adhoc algorithm without definition and proof
Today’s Goal Do Secure Communication in a ‘modern’ way ditching the ‘classic’ approach
o Formulate a formal definition (threat + break model)o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption
Secure Communication in Private Key Setting
o Secret key k shared in advance (by “some” mechanism)
k k??
m
o m is the plaintext
Encryption
Decryption
m c
o c is the ciphertext (scrambled message)
m
Need: An encryption scheme (Gen, Enc, Dec) Private (Secret) Key Encryption Keys are private to the sender and the receiver  Symmetric Key Encryption The same key is used for encryption and decryption
Syntax of Secret Key Encryption (SKE)
1. Keygeneration Algorithm: Gen()
2. Encryption Algorithm: Enck(m)
3. Decryption Algorithm: Deck(c)
> MUST be a Randomized algorithm
> Outputs a key k chosen according to some probability distribution.
> Deterministic/Randomized algorithm> c Enck(m) when randomized and c:=Enck(m) when deterministic
> Usually deterministic > Outputs m:= Deck(c)
Syntax of SKE
> Set of all possible keys output by algorithm Gen1. Key space (K):
2. Plaintext / message space (M):> Set of all possible “legal” message (i.e. those supported by Enc)
3. Ciphertext space (C):> Set of all ciphertexts output by algorithm Enc
SKE is specified using (Gen, Enc, Dec) and M
Formal Definition of SecurityTwo components of a security definition:
Break:
Threat: >> Who is your threat? >> Who do you want to protect from? >> Cultivate your enemy a.k.a adversary in crypto language.>> Look out in practical scenarios / be an adversary>> Unless you know your adv, no hope of defeating him
>> What are you afraid of losing? >> What do you want to protect?>> If you don’t know what to protect then how to do you when or if you are protecting it?
Threat Model How powerful
 What are his capabilities (in terms of attacking a secure communication protocol)?
computationally? > Best is to have no assumption on the computing power of the adv. a.k.a unbounded powerful adversary > Give him any socalled hard problem (factoring etc), he solves in no time
> Strongest adversary that we can think of in terms of computing power
k k??
Encm c
> Attacker/adv. can eavesdrop/tap the ciphertext during transit Passive or Eavesdropper
Can you think of a smarter attack? > Ciphertext Only Attack (COA)
Threat Model Can sample random coins? (deterministic or randomized)> Randomness is absolute necessity in Crypto; it is practical and Good guys
use randomness often. Why not adversary?> Good to be liberal in terms of giving more power to adversary
 Randomized Unbounded Powerful COA
Break Model
Attempt I>> Secret key ? Then Enc(m) = m is secure
Attempt II>> Entire Message?Then Enc(m) leaking most significant 10 bits is secure; m: bank password amazon password
Attempt III>> No additional info about the message irrespective of prior information?
Right NotionHow to formalise?
Need basics of Discrete Probability Theory
Discrete Probability Background> U: Finite set; e.g. {0,1}
> Probability Distribution on U specifies the probabilities of the occurrence of the elements of U
 e.g Probability Distribution on U = {0,1}: Pr(0) = ½ , Pr(1) = ½
Pr(0) = 0 , Pr(1) = 1
Probability distribution: Probability distribution Pr over U is a function
Pr: U ⟶ [0,1] such that Σ Pr(x) = 1x in U
> Uniform Probability Distribution on U: Pr(x) = 1/U for every x
Discrete Probability BackgroundEvent: Occurrence of one or more elements of U is called an event
 e.g Consider Uniform Distribution on U = {0,1}4
 Let A = occurrence of elements of U with msb two bits as 01
 Pr(A) = 1/4
Union Bound: For events A1 and A2 Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2] (extend for more than 2)
Conditional probability: probability that one event occurs, assuming some other event occurred.
 Pr(A  B) = Pr(A B) / Pr(B)  For independent A, B: Pr(A  B) = Pr(A) and Pr(A B) = Pr(A) . Pr(B)
Discrete Probability Background
Bayes’s Theorem: If Pr(B) 0 then
Pr(A  B) = Pr(B A) . Pr(A) / Pr(B)
Random Variable: variable that takes on (discrete) values from a finite set with certain probabilities (defined with respect to a finite set)
Probability distribution for a random variable: specifies the probabilities with which the variable takes on each possible value of a finite set
 Each probability must be between 0 and 1 The probabilities must sum to 1
Done!!
Law of total probability: Let E1, …, En are a partition of all possibilities of events. Then for any event A: Pr[A] = i Pr[A Ei] = i Pr[A  Ei] · Pr[Ei]
Formulating Definition for SKE=(Gen,Enc,Dec)
CKM
MRandom Variable K C
iluihu
Pr(M = ilu) = .7Pr(M = ihu) = .3
Prob. Dist.
Pr(K = k) = Pr(Gen outputs k)
 Determined by external factors
 Depends on Gen
 Choose a message m, according to the given dist.
 Generate a key k using Gen Compute c Enck(m)
All the distributions are known to
Prob. Dist. Of M and K
are independe
nt
Prob. Dist. Of C depends on dist. of M and K
Numerical ExampleM = {a b c d} 1
43
10 3
203
10
K = {k1 k2 k3} 1
414
12
Enc
Pr [C = 1] :
Pr [C = 2] :
Pr [M = b] Pr [K = k2] + Pr [M = c] Pr [K = k3] + Pr [M = d] Pr [K = k1] = 0.2625 Pr [M = c] Pr [K = k1] + Pr [M = d] Pr [K = k2] + Pr [M = d] Pr [K = k3] = 0.2625
Pr [M = a] Pr [K = k1] + Pr [M = a] Pr [K = k2] + Pr [M = b] Pr [K = k3] = 0.2625
Pr [M = a] Pr [K = k3] + Pr [M = b] Pr [K = k1] + Pr [M = c] Pr [K = k2] = 0.2125
What is the probability distribution on the ciphertext space C ?
Pr [C = 3] :
Pr [C = 4] :
C = {1 2 3 4} .2
6.26
.26
.21
Threat & Break Model
 Randomized Unbounded Powerful COA
No additional info about the message should be leaked from the ciphertext irrespective of the prior information that the adv has
What captures the prior information of the attacker about m ? Probability distribution on the plaintext space M The probability distribution {Pr[M = m]}
Observing the ciphertext c should not change the attacker’s knowledge about the distribution of the plaintext
 Mathematically, Pr[M = m  C = c] = Pr[M = m]
What is the point in tapping over channel. I better watch the cricket match today
Perfect Security!!!!
Perfectlysecure Encryption : Formal DefinitionDefinition (Perfectlysecure Encryption): An encryption
scheme (Gen, Enc, Dec) over a plaintext space M is perfectlysecure if for every probability distribution over M, every plaintext m M and every ciphertext c C, the following holds:Pr [M = m  C = c] = Pr [M =
m]Posteriori probability that m
is encrypted in ca priori probability that m
might be communicated
Probably the first formal definition of security
 C. E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28(4): 656715, 1949.
What have we done so far..
No assumption!!
o Formulate a formal definition (threat + break model)o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption
Perfectlysecure Encryption Construction
M = K = C = {0, 1}l
Gen k R K m M
k
c Encc:= mk
k
Decm:= ck
c C m
Correctness: Enck(m)Deck( ) = m
Vernam Cipher [1917]: But
Shannon proved its security after
formulating perfect security
Perfectlysecure Encryption Construction M = K = C = {0, 1}l
Gen k R K m M
k
c Encc:= mk
k
Decm:= ck
c C m
Theorem (Security):
Vernam Cipher is perfectlysecureTo prove Pr[M = m  C = c] = Pr[M = m]Proof:
For arbitrary c and m, Pr[C = c  M = m]= Pr[K = c m] = 1/2l
Pr[C = c]m in M
(irrespective of p. d. over M)
= 1/2l Σ Pr[M = m] m in M
= 1/2l
= Σ Pr[C = c  M = m] Pr[M = m]
Perfectlysecure Encryption Construction M = K = C = {0, 1}l
Gen k R K m M
k
c Encc:= mk
k
Decm:= ck
c C m
Pr[M = m  C = c] = Pr[C = c  M = m ] Pr[M = m]
Pr[C = c]
= Pr[M = m] Historical Use of Vernam Cipher:
Redline between White
House & Kremlin during
Cold war.
(Bayes' Theorem)
What have we done so far..
o Formulate a formal definition (threat + break model)o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption
Vernam Cipher is not all that nice because..o How long is the key?
o Can we reuse the keys for multiple messages? No!!
length is as long as the message
 For long messages hard to agree on long key What happens the parties cannot predict the message size in advance
 c = m k, c’ = m’ k c c’ = m m’ Adversary learns the difference!
 Perfect security breaks down
Onetime Pad (OTP)VENONA
Project: US & UK decrypted
Russian Plaintext
exploiting the use of same
key to pad many messages Let us design another scheme that overcomes the
drawbacks..Alas! Inherent problems..
Chalk & Talk Assignmento Various Perfect Security Definitions and their Equivalence
Define it
Definition I:Pr [M = m  C = c] = Pr [M =
m]
Definition II:Pr [C = c  M = m] = Pr [C = c  M
= m’]
Definition III:KL Chapter 2
≈
≈
≈
Next class…o Various Perfect Security Definitions and their Equivalence
Define it
Definition I:Pr [M = m  C = c] = Pr [M =
m]
Definition II:Pr [C = c  M = m] = Pr [C = c  M
= m’]
Definition III:KL Chapter 2
≈
≈
≈Definition IV:
Shannon