Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 2 Arpita Patra © Arpita Patra.

Published byValentine French Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 2 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 2 Arpita Patra © Arpita Patra

2 Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) Scope Scientific Basis (Formal Def. + Precise Assumption + Rigorous Proof) End-users >> Secure Communication in Secret Key Setting Secret Key Encryption (SKE) >> Learn From the Blunders of Classical SKE Algorithms of SKE (in general in crypto) must be PUBLIC Secret Key Space Must be large enough to fail brute force No ad-hoc algorithm without definition and proof

3 Today’s Goal Do Secure Communication in a ‘modern’ way ditching the ‘classic’ approach Formulate a formal definition (threat + break model) Identify assumptions needed and build a construction Prove security of the construction relative to the definition and assumption

4 Secure Communication in Private Key Setting
Encryption Decryption ?? k k Secret key k shared in advance (by “some” mechanism) m is the plain-text c is the cipher-text (scrambled message) Need: An encryption scheme (Gen, Enc, Dec) - Private (Secret) Key Encryption- Keys are private to the sender and the receiver - Symmetric Key Encryption- The same key is used for encryption and decryption

5 Syntax of Secret Key Encryption (SKE)
Key-generation Algorithm: Gen() > Outputs a key k chosen according to some probability distribution. > MUST be a Randomized algorithm 2. Encryption Algorithm: Enck(m) > c  Enck(m) when randomized and c:=Enck(m) when deterministic > Deterministic/Randomized algorithm Gen is not randomized. Kerchoffs Principle the security should hold when all algorithms are public. The adversary also knows which key will be output by the Gen. No Security can be obtained. 3. Decryption Algorithm: Deck(c) > Outputs m:= Deck(c) > Usually deterministic

6 Syntax of SKE SKE is specified using (Gen, Enc, Dec) and M
Key space (K): > Set of all possible keys output by algorithm Gen 2. Plaintext / message space (M): > Set of all possible “legal” message (i.e. those supported by Enc) 3. Ciphertext space (C): M is independent of the scheme so it should be a part of the description. Other sets are subsumed in the triple algorithms description. > Set of all cipher-texts output by algorithm Enc SKE is specified using (Gen, Enc, Dec) and M

7 Formal Definition of Security
Two components of a security definition: Threat: >> Who is your threat? >> Who do you want to protect from? >> Cultivate your enemy a.k.a adversary in crypto language. >> Look out in practical scenarios / be an adversary >> Unless you know your adv, no hope of defeating him Break: >> What are you afraid of losing? >> What do you want to protect? >> If you don’t know what to protect then how to do you when or if you are protecting it?

8 Threat Model computationally? - How powerful
> Best is to have no assumption on the computing power of the adv. a.k.a unbounded powerful adversary > Give him any so-called hard problem (factoring etc), he solves in no time > Strongest adversary that we can think of in terms of computing power - What are his capabilities (in terms of attacking a secure communication protocol)? m c Enc ?? k k > Attacker/adv. can eavesdrop/tap the ciphertext during transit- Passive or Eavesdropper > Ciphertext Only Attack (COA) Can you think of a smarter attack?

9 Threat Model Randomized Unbounded Powerful COA
- Can sample random coins? (deterministic or randomized) > Randomness is absolute necessity in Crypto; it is practical and Good guys use randomness often. Why not adversary? > Good to be liberal in terms of giving more power to adversary Randomized Unbounded Powerful COA

10 Break Model Attempt I>> Secret key ? Then Enc(m) = m is secure
Attempt II>> Entire Message? Then Enc(m) leaking most significant 10 bits is secure; m: bank password| amazon password| Recall what do we mean by break. Attempt III>> No additional info about the message irrespective of prior information? Right Notion Need basics of Discrete Probability Theory How to formalise?

11 Discrete Probability Background
> U: Finite set; e.g. {0,1} > Probability Distribution on U specifies the probabilities of the occurrence of the elements of U - e.g Probability Distribution on U = {0,1}: Pr(0) = ½ , Pr(1) = ½ Pr(0) = 0 , Pr(1) = 1 Probability distribution: Probability distribution Pr over U is a function Pr: U ⟶ [0,1] such that Σ Pr(x) = 1 x in U Recall what do we mean by break. > Uniform Probability Distribution on U: Pr(x) = 1/|U| for every x

12 Discrete Probability Background
Event: Occurrence of one or more elements of U is called an event - e.g Consider Uniform Distribution on U = {0,1}4 - Let A = occurrence of elements of U with msb two bits as 01 - Pr(A) = 1/4 Union Bound: For events A1 and A2 Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2] (extend for more than 2) Conditional probability: probability that one event occurs, assuming some other event occurred. - Pr(A | B) = Pr(A ∧ B) / Pr(B) - For independent A, B: Pr(A | B) = Pr(A) and Pr(A ∧ B) = Pr(A) . Pr(B)

13 Discrete Probability Background
Law of total probability: Let E1, …, En are a partition of all possibilities of events. Then for any event A: Pr[A] = i Pr[A ∧ Ei] = i Pr[A | Ei] · Pr[Ei] Bayes’s Theorem: If Pr(B) ≠ 0 then Pr(A | B) = Pr(B | A) . Pr(A) / Pr(B) Random Variable: variable that takes on (discrete) values from a finite set with certain probabilities (defined with respect to a finite set) Recall what do we mean by break. Probability distribution for a random variable: specifies the probabilities with which the variable takes on each possible value of a finite set - Each probability must be between 0 and 1 - The probabilities must sum to 1 Done!!

14 Formulating Definition for SKE=(Gen,Enc,Dec)
All the distributions are known to Prob. Dist. Of C depends on dist. of M and K ilu ihu Prob. Dist. Of M and K are independent M C K Random Variable M K C Prob. Dist. Recall what do we mean by break. - Determined by external factors - Depends on Gen Choose a message m, according to the given dist. - Generate a key k using Gen - Compute c  Enck(m) Pr(M = ilu) = .7 Pr(M = ihu) = .3 Pr(K = k) = Pr(Gen outputs k)

15 Numerical Example - - - - - - - M = {a b c d} K = {k1 k2 k3}
4 - 3 10 - 3 20 - 3 10 - 1 4 - 1 2 - 1 4 - .26 .26 .26 .21 Enc What is the probability distribution on the cipher-text space C ? Pr [C = 1] : Pr [M = b] Pr [K = k2] + Pr [M = c] Pr [K = k3] + Pr [M = d] Pr [K = k1] = Pr [C = 2] : Pr [M = c] Pr [K = k1] + Pr [M = d] Pr [K = k2] + Pr [M = d] Pr [K = k3] = Pr [C = 3] : Pr [M = a] Pr [K = k1] + Pr [M = a] Pr [K = k2] + Pr [M = b] Pr [K = k3] = Pr [C = 4] : Pr [M = a] Pr [K = k3] + Pr [M = b] Pr [K = k1] + Pr [M = c] Pr [K = k2] =

16 Threat & Break Model Perfect Security!!!!
What is the point in tapping over channel. I better watch the cricket match today Threat & Break Model Randomized Unbounded Powerful COA No additional info about the message should be leaked from the ciphertext irrespective of the prior information that the adv has Perfect Security!!!! What captures the prior information of the attacker about m ? - Probability distribution on the plain-text space M - The probability distribution {Pr[M = m]} Observing the cipher-text c should not change the attacker’s knowledge about the distribution of the plaintext - Mathematically, Pr[M = m | C = c] = Pr[M = m]

17 Perfectly-secure Encryption : Formal Definition
Definition (Perfectly-secure Encryption): An encryption scheme (Gen, Enc, Dec) over a plaintext space M is perfectly-secure if for every probability distribution over M, every plain-text m  M and every cipher-text c  C, the following holds: Pr [M = m | C = c] = Pr [M = m] Posteriori probability that m is encrypted in c a priori probability that m might be communicated Probably the first formal definition of security - C. E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28(4): , 1949.

18 What have we done so far.. No assumption!!
Formulate a formal definition (threat + break model) Identify assumptions needed and build a construction Prove security of the construction relative to the definition and assumption No assumption!!

19 Perfectly-secure Encryption- Construction
M = K = C = {0, 1}l k k Dec m:= ck Enc c:= mk k R K m  M c c  C m Gen Correctness: Deck( ) Enck(m) = m Vernam Cipher [1917]: But Shannon proved its security after formulating perfect security

20 Perfectly-secure Encryption- Construction
M = K = C = {0, 1}l k k Dec m:= ck Enc c:= mk k R K m  M c c  C m Gen Theorem (Security): Vernam Cipher is perfectly-secure Proof: To prove Pr[M = m | C = c] = Pr[M = m] For arbitrary c and m, Pr[C = c | M = m] = Pr[K = c  m] = 1/2l Pr[C = c] = Σ Pr[C = c | M = m] Pr[M = m] (irrespective of p. d. over M) m in M = 1/2l Σ Pr[M = m] = 1/2l m in M

21 Perfectly-secure Encryption- Construction
M = K = C = {0, 1}l k k Dec m:= ck Enc c:= mk k R K m  M c c  C m Gen Pr[C = c | M = m ] Pr[M = m] Pr[M = m | C = c] = (Bayes' Theorem) Pr[C = c] Historical Use of Vernam Cipher: Redline between White House & Kremlin during Cold war. = Pr[M = m]

22 What have we done so far.. Formulate a formal definition (threat + break model) Identify assumptions needed and build a construction Prove security of the construction relative to the definition and assumption

23 Vernam Cipher is not all that nice because..
How long is the key? length is as long as the message - For long messages hard to agree on long key - What happens the parties cannot predict the message size in advance One-time Pad (OTP) Can we reuse the keys for multiple messages? No!! VENONA Project: US & UK decrypted Russian Plaintext exploiting the use of same key to pad many messages - c = m  k, c’ = m’  k - c  c’ = m  m’ Adversary learns the difference! - Perfect security breaks down  Let us design another scheme that overcomes the drawbacks.. Alas! Inherent problems..

24 Chalk & Talk Assignment
Various Perfect Security Definitions and their Equivalence Definition II: Pr [C = c | M = m] = Pr [C = c | M = m’] Definition I: Pr [M = m | C = c] = Pr [M = m] Definition III: KL Chapter 2 Define it

25 ≈ ≈ ≈ ≈Shannon Next class…
Various Perfect Security Definitions and their Equivalence Definition II: Pr [C = c | M = m] = Pr [C = c | M = m’] Definition I: Pr [M = m | C = c] = Pr [M = m] Definition III: KL Chapter 2 ≈Shannon Define it Definition IV:

26

Download ppt "Cryptography Lecture 2 Arpita Patra © Arpita Patra."

Similar presentations

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Ref. Cryptography: theory and practice Douglas R. Stinson

Ref. Cryptography: theory and practice Douglas R. Stinson
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CIS 5371 Cryptography Introduction.

CIS 5371 Cryptography Introduction.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.

One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Lectures so far: Today’s lecture: Discrete probability Proving things

Lectures so far: Today’s lecture: Discrete probability Proving things
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.

Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.

Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.
1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 

1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 

Similar presentations

Ads by Google