Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

Published byClare McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography."— Presentation transcript:

1 CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography

2 CS555Spring 2012/Topic 42 Outline and Readings Outline Principles of Modern Cryptography Computational Security Ciphertext indistinguishability security Readings: Katz and Lindell: 1.4, 3.1, 3.2

3 CS526Fall 2011/Topic 23 Kerckhoffs's Principle Kerckhoffs's Principle: –The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience Shannon's maxim: "The enemy knows the system.“ Open design; Security by obscurity doesn’t work Should assume that the adversary knows the algorithm; the only secret the adversary is assumed to not know is the key –Reverse engineering, careful review of algorithm, etc. What is the difference between the algorithm and the key?

4 Formulation of Exact Definitions Formal definitions of security are essential prerequisites of cryptography –Design: without a definition, doesn’t know whether a design achieves it –Usage: without a definition, doesn’t know whether using a crypto primitive in a setting is suitable –Study: when comparing different schemes, need to know what kinds of security they provide CS555Spring 2012/Topic 44

5 What Does A Security Definition Looks Like? Define what is insecurity (i.e., what is considered to be a break) Define what is the power of the adversary A cryptographic scheme for a given task is secure if no adversary of a specific power can achieve a specified break. CS555Spring 2012/Topic 45

6 Defining Secure Encryption Adversary should not be able to 1.Recover the key 2.Find the plaintext corresponding to a ciphertext 3.Cannot determine any character of the plaintext 4.Can derive any meaningful information about the plaintext 5.Can compute any function of the plaintext CS555Spring 2012/Topic 46

7 CS526Fall 2011/Topic 27 Adversarial Models for Ciphers The language of the plaintext and the nature of the cipher are assumed to be known to the adversary. Ciphertext-only attack : The adversary knows only a number of ciphertexts. Known-plaintext attack : The adversary knows some pairs of ciphertext and corresponding plaintext. Chosen-plaintext attack: The adversary can choose a number of messages and obtain the ciphertexts Chosen-ciphertext attack: The adversary can choose a number of ciphertexts and obtain the plaintexts. What kinds of attacks have we considered so far? When would these attacks be relevant in wireless communications?

8 Reliance on Precise Assumptions Assumptions (under which a scheme is secure) must be precisely stated –To validate the assumption –To compare different schemes; it is desirable to rely on weaker assumptions –To facilitate formal security proofs CS555Spring 2012/Topic 48

9 How to Tell Whether a Definition is Good Needs to tell whether the mathematical formulation matches the real world situation –Whether in real world the adversary have more power. E.g., power analysis attacks, side channel attacks –Whether the adversary is able to achieve a different goal, which should be considered to be a break E.g., data privacy: k-anonymity, Use the following tools –Appeal to intuition –Prove equivalence –Use examples CS555Spring 2012/Topic 49

10 Rigorous Proofs of Security Intuitions can often be wrong when considering security/cryptography –Bugs/errors can be very subtle The reductionist approach A Theorem looks like: Assume that X is true (e.g., certain problem is hard), Construction Y is secure according to the given definition, Proof looks like: Given an adversary A that breaks Y according to the definition, using A we can construct something that falsifies X CS555Spring 2012/Topic 410

11 Towards Computational Security Perfect secrecy is too difficult to achieve. The computational approach uses two relaxations: –Security is only preserved against efficient (computationally bounded) adversaries Adversary can only run in feasible amount of time –Adversaries can potentially succeed with some very small probability (that we can ignore the case it actually happens) CS555Spring 2012/Topic 411

12 The Concrete Approach Quantifies the security by explicitly bounding the maximum success probability of adversary running with certain time: –“A scheme is (t,  )-secure if every adversary running for time at most t succeeds in breaking the scheme with probability at most  ” One may also bound t number of computations, CPU cycles, etc. –Example: a strong encryption scheme with n-bit keys may be expected to be (t, t/2 n )-secure. N=128, t=2 60, then  = 2 -68. (# of seconds since big bang is 2 58 ) Makes more sense with symmetric encryption schemes. CS555Spring 2012/Topic 412

13 The Asymptotic Approach A cryptosystem has a security parameter –E.g., number of bits in the RSA algorithm (1024,2048,…) –Typically, the key depends on the security parameter –The bigger the security parameter, the longer the key, the more time it takes to use the cryptosystem, and the more difficult it is to break the scheme –The crypto system runs in time polynomial in the security parameter Security parameter is often written as an input 1 n –“A scheme is secure if every PPT adversary succeeds in breaking the scheme with only negligible probability” CS555Spring 2012/Topic 413

14 Efficient Computation Efficient computation is equated with Probabilistic Polynomial Time (PPT) –The algorithm has access to sequence of unbiased coins –Often times, the time is polynomial in the security parameter Both the crypto scheme and the adversary are assumed to be PPT CS555Spring 2012/Topic 414

15 Negligible Probability Want the adversary’s success probability to be small, but the probability is a function of the security parameter n Wants to say that a function f(n) is small when n grows. –What functions is very small when n grows? –1/f(n) should be a function that increases fast with n A function f is negligible if for every polynomial p(  ) there exists an N such that for all integers n>N, it holds that f(n)<1/p(n) CS555Spring 2012/Topic 415

16 Examples of Negligible Functions Examples: –2 -n ; 2 -sqrt(n ); n -log n Given two negligible functions f and g –The function f+g is negligible –The function p(n) f(n) is negligible for any polynomial p(n) Given a negligible function f, one can choose a security parameter n that is not too large to make f(n) so small that it can be safely ignored CS555Spring 2012/Topic 416

17 Symmetric-key Encryption A symmetric-key encryption scheme is comprised of three algorithms –GenInput: security parameter 1 n k  Gen(1 n )Assume, wlog, that |k| > n –EncInput: key k, plaintext m c  Enc k (m) –DecInput:key k, ciphertext c m := Dec k (m) –If for k output by Gen(1n), Enc is defined only for messages of length l (n), this is called a fixed-length encrpytion scheme CS 555Topic 117 Requirement:  k  m [ Dec k (Enc k (m)) = m ]

18 Defining Security Desire “semantic security”, i.e., having access to the ciphertext does not help adversary to compute any function of the plaintext. –Difficult to use Equivalent notion: Adversary cannot distinguish between the ciphertexts of two plaintexts CS555Spring 2012/Topic 418

19 Recall: Perfect Secrecy via Adversarial Indistinguishability Define an experiment called PrivK eav : –Involving an Adversary and a Challenger –Instantiated with an Adv algorithm A, and an encryption scheme  = (Gen, Enc, Dec) CS555Spring 2012/Topic 319 Challenger Adversary k  Gen() b  R {0,1} chooses m 0, m 1  M m 0, m 1 C=E k [m b ] b’  {0,1} PrivK eav = 1 if b=b’, and PrivK eav = 0 if b  b’ For every adversary, PrivK eav = 1 holds with prob 1/2

20 Towards IND Security Modify the formulation of perfect secrecy using PrivK eav in the following ways –Adversaries run in polynomial time –Adversaries might determine which message is encrypted with probability negligibly better than ½ –Require two messages m 0 and m 1 to be the same length Most encryption schemes do not hide length of messages CS555Spring 2012/Topic 420

21 IND Security An encryption scheme  = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversary A, there exists a negligible function negl such that Pr[PrivK eav A,  =1]  ½ + negl(n) Equivalently, any adversary would behave the same way whether it sees the encryption of m 0 or m 1 | Pr[output(PrivK eav A,  (n,0)) = 1] - Pr[output(PrivK eav A,  (n,1)) = 1] |  negl(n) CS555Spring 2012/Topic 421

22 CS555Spring 2012/Topic 422 Coming Attractions … Pseudorandomness Pseudo Random Number Generator Stream Ciphers Reading: Katz & Lindell: 3.3 and 3.4

Download ppt "CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.

CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptanalysis. The Speaker  Chuck Easttom  

Cryptanalysis. The Speaker  Chuck Easttom  

Similar presentations

Ads by Google