1. Introduction to Cryptography
David Brumley
Carnegie Mellon University
Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is great!

2. Cryptography is Everywhere
Secure communication:
web traffic: HTTPS
wireless traffic: i WPA2 (and WEP), GSM, Bluetooth
Encrypting files on disk: EFS, TrueCrypt
Content protection:
CSS (DVD), AACS (Blue-Ray)
User authentication
Kerberos, HTTP Digest
… and much much more

3. Goal: Protect Alice’s Communications with Bob
Public Channel
Alice E D
Bob
Eve
Eve is a very powerful, smart person (say any polynomial time alg)
message m = “I {Love,Hate} you”
In this slide, I explain the motivating scenario of sending a message across a public channel.
The channel may be monitored. In fact, we typically assume a very powerful adversary. For those who know what it means, we would assume any polynomial time alg.
We add an encryption (E) algorithm and decryption (D) algorithm. These two algorithms should protect the overall message from Eve.

4. History of Cryptography
David Kahn, “The code breakers” (1996)

5. Caesar Cipher: c = m + 3 A B C D E F G H I J K L M N O P Q R
Julius Caesar
100 BC- 44 BC
A B C D E F G H I J K L M N O P Q R
S T U V W X Y Z
In this slide, we show a caesar cipher is simply a mapping where the ciphertext is the message + 3 letters.

6. How would you attack messages encrypted with a substitution cipher?

7. Attacking Substitution Ciphers
Trick 1:
Word Frequency
Most common: e,t,a,o,i,n Least common: j,x,q,z
Trick 2:
Letter Frequency
Most common: e, t, a, o, i, n. Least common: j,x,q,z
Also works for bi-grams, tri-grams, etc.
image source: wikipedia

8. Jvl mlwclk yr jvl owmwez twp yusl w zyduo pjdcluj mqil zydkplmr
Jvl mlwclk yr jvl owmwez twp yusl w zyduo pjdcluj mqil zydkplmr. Hdj jvlz tykilc vwkc jy mlwku jvl wkj yr vwsiquo, tvqsv vlmflc mlwc jvlg jy oklwjulpp. Zyd vwnl jvl fyjlujqwm jy cy jvl pwgl. Zydk plsklj fwpptykc qp: JYWPJ

9. Classical Approach: Iterated Design
Scheme 1
Broken
Scheme 2
Broken
Scheme 3
Deploy
Broken
...
No way to say anything is secure (and you may not know when broken)

10. Iterated design was only one we knew until 1945
Claude Shannon:

11. Claude Shannon Formally define: Beyond iterated design: Proof!
security goals
adversarial models
security of system wrt goals
Beyond iterated design: Proof!

12. Cryptosystem m m or error c c’ ke kd Alice E Bob D Var Description m
Message (aka plaintext). From the message space M c
Ciphertext. From the ciphertext space C E
Encryption Algorithm D
Decryption Algorithm ke
Encryption key. From the key space K kd
Decryption. Also from the key space K
On this slide, in addition to noting variables et al, we talk about private key and public key cryptosystems. We also talk about how Decryption can return error, and note that this will be necessary when encrypting and we want integrity.

13. Symmetric Cryptography
m or error
Alice E c’ ke
Bob D kd
On this slide, in addition to noting variables et al, we talk about private key and public key cryptosystems. We also talk about how Decryption can return error, and note that this will be necessary when encrypting and we want integrity.
k = ke = kd
Everyone who knows k knows the full secret

14. Asymmetric Cryptography
m or error
Bob E c’ ke
Alice D kd
On this slide, in addition to noting variables et al, we talk about private key and public key cryptosystems. We also talk about how Decryption can return error, and note that this will be necessary when encrypting and we want integrity.
ke != kd
Encryption Example:
Alice generates private (kd)/public(ke) keypair.
Sends Bob public key
To encrypt a message to Alice, Bob computes c = E(m,ke)
To decrypt, Alice computes m = D(c’, kd)

15. But all is not encryption
Message Authentication Code: Only people with the private key k could have sent the message.
m||s
Alice S V
Bob
Eve
(tries to alter m without detection)
Verify(m, s, Kverify) =?= true
Message m “I love you, Bob”
s = Sign(m, Ksign)

16. An interesting story...

17. 1974 A student enrolls in the Computer Security course @ Stanford
Proposes idea for public key crypto. Professor shoots it down
Picture:

18. 1975 Submits a paper to the Communications of the ACM
“I am sorry to have to inform you that the paper is not in the main stream of present cryptography thinking and I would not recommend that it be published in the Communications of the ACM. Experience shows that it is extremely dangerous to transmit key information in the clear."

19. Today Ralph Merkle: A Father of Cryptography
Picture:

20. everyone shares same secret k
Covered in this class
everyone shares same secret k
Only 1 party has a secret
Symmetric Trust Model
Asymmetric Trust Model
Message Privacy
Private key encryption
Stream Ciphers
Block Ciphers
Asymmetric encryption (aka public key)
Message Authenticity and Integrity
Message Authenticity Code (MAC)
Digital Signature Scheme
Principle 1: All algorithms public
Principle 2: Security is determined only by key size
Principle 3: If you roll your own, it will be insecure

21. Eve should not be able to learn m.
Security Goals
m or error m
Public Channel c c’
Alice E D
Bob
Eve ke ke
Cryptonium Pipe
One Goal: Privacy
Eve should not be able to learn m.

22. Not even 1 bit...
Alice
Bob
M = “I {Love,Hate} you”
Eve
Security guarantees should hold for all messages, not just a particular kind of message.
Suppose there are two possible messages that differ on one bit, e.g., whether Alice Loves or Hates Bob. Privacy means Eve still should not be able to determine which message was sent.

23. Alice Bob Eve Eve’s Possible Powers
Ciphertext only: only access to ciphertext
Known Plaintext Attack (KPA): Access to a <message,ciphertext> list
Chosen Plaintext Attack (CPA): Ability to have messages encrypted.
Chosen Ciphertext Attack (CCA): Ability to have ciphertexts decrypted
Note: Only success if you can gain information on ciphertext not queried

24. Symmetric Cryptography
Defn: A symmetric key cipher consists of 3 polynomial time algorithms:
KeyGen(l): A randomized algorithm that returns a key of length l. l is called the security parameter.
E(k,m): A potentially randomized alg. that encrypts m with k. It returns a c in C
D(k,c): An always deterministic alg. that decrypts c with key k. It returns an m in M. (Or Error)
And (correctness condition)
Type Signature

25. The One Time Pad Miller, 1882 and Vernam, 1917 m: 1 k: c: 1 k: 1 m:
\begin{align*}
E(k,m) &= k \oplus m = c\\
D(k,c) &= k \oplus c = m\\
\end{align*}
M = C = K = {0,1}n m: 1 k: \[
\begin{split}
D(k,E(k,m)) &= D(k, k \oplus m)\\
&= k \oplus (k \oplus m)\\
&= 0 \oplus m \\
&= m
\end{split} \] c: 1 k: 1 m:

26. The One Time Pad Miller, 1882 and Vernam, 1917 Is it a cipher?
\begin{align*}
E(k,m) &= k \oplus m = c\\
D(k,c) &= k \oplus c = m\\
\end{align*}
Is it a cipher?
Efficient
Correct \[
\begin{split}
D(k,E(k,m)) &= D(k, k \oplus m)\\
&= k \oplus (k \oplus m)\\
&= 0 \oplus m \\
&= m
\end{split} \]

27. Question Given m and c encrypted with an OTP, can you compute the key?
Yes, the key is k = m ⊕ c
I can only compute half the bits
Yes, the key is k = m ⊕ m
The answer is clearly 2. This is but one example of material taken from Dan Boneh.

28. Perfect Secrecy [Shannon1945] (Information Theoretic Secrecy)
Defn Perfect Secrecy (informal): We’re no better off determining the plaintext when given the ciphertext.
Alice
Bob
Eve
Eve observes everything but the c. Guesses m1
Eve observes c. Guesses m2
Goal:
\Pr[m = m_1] = \Pr[m = m_2]

29. Example
Alice
Bob
Eve
Suppose there are 3 possible messages Alice may send:
m1: The attack is at 1pm. The probability of this message is 1/2
m2: The attack is at 2pm. The probability of this message is 1/4
m3: The attack is at 3pm. The probability of this message is 1/4 M m1 m2 m3
Pr[M=m]
1/4

30. Perfect Secrecy [Shannon1945] (Information Theoretic Secrecy)
Defn Perfect Secrecy (formal):
\begin{split}
&\forall m_0, m_1 \in M. \text{~where~} |m_0| = |m_1|\\
&\forall c \in C.\\
&\Pr{[E(k,m_0) = c]} = \Pr{[E(k,m_1) = c]}
\end{split}
Note there are many equiv. defn’s to this one. Two from Introduction to Modern Cryptography include:
\Pr[M=m| C = c] = Pr[M = m]
and
\Pr[C=c | M=m] = Pr[C=c]
The intuition here is that if any two messages are equally likely for a ciphertext, then it can’t be the case we can distinguish between them. We do this over all pairs.

31. Question
How many OTP keys map m to c? 1 2
Depends on m
Answer is 1

32. Good News: OTP has Perfect Secrecy
Thm: The One Time Pad is Perfectly Secure
Must show: where |M| = {0,1}m
Intuition: Say that M = {00,01,10,11}, and m = 11. The adversary receives c = 10. It asks itself whether the plaintext was m0 or m1 (e.g., 01 or 10). It reasons:
if m0, then k = m0  c = 01  10 = 11.
if m1, then k = m1  c = 10  10 = 00.
But all keys are equally likely, so it doesn’t know which case it could be.
\begin{align}
\Pr[E(k,m_0) = c] &= \Pr[k \oplus m_0 = c] \\
& = \frac{|k \in \{0,1\}^m : k \oplus m_0 = c|}{\{0,1\}^m}\\
& = \frac{1}{2^m}\\
\Pr[E(k,m_1) = c] &= \Pr[k \oplus m_1 = c] \\
& = \frac{|k \in \{0,1\}^m : k \oplus m_1 = c|}{\{0,1\}^m}\\
& = \frac{1}{2^m}
\end{align}
Therefore, $\Pr[E(k,m_0) = c] = \Pr[E(k,m_1) = c]$
In this proof, highlight that we are given c.
Then we fix an m_0.
The probability that that m_0 is encrypted to c is the number of unique keys that would map m to c.
By the previous slide, we know there is only one such key. So the probability E(k,m_0) = C = ½^m
Similarly for Pr[E(k,m_1).

33. Good News: OTP has Perfect Secrecy
Thm: The One Time Pad is Perfectly Secure Must show: where |M| = |K| = {0,1}m Proof:
\begin{align}
\Pr[E(k,m_0) = c] &= \Pr[k \oplus m_0 = c] \\
& = \frac{|k \in \{0,1\}^m : k \oplus m_0 = c|}{\{0,1\}^m}\\
& = \frac{1}{2^m}\\
\Pr[E(k,m_1) = c] &= \Pr[k \oplus m_1 = c] \\
& = \frac{|k \in \{0,1\}^m : k \oplus m_1 = c|}{\{0,1\}^m}\\
& = \frac{1}{2^m}
\end{align}
Therefore, $\Pr[E(k,m_0) = c] = \Pr[E(k,m_1) = c]$
In this proof, highlight that we are given c.
Then we fix an m_0.
The probability that that m_0 is encrypted to c is the number of unique keys that would map m to c.
By the previous slide, we know there is only one such key out of the 2^m possible keys. So the probability E(k,m_0) = C = ½^m
Similarly for Pr[E(k,m_1).

34. Two Time Pad is Insecure
Two Time Pad: c1 = m1  k c2 = m2  k Eavesdropper gets c1 and c2. What is the problem?
Enough redundancy in ASCII (and english) that
m1  m2 is enough to know m1 and m2
c1  c2 = m1  m2

35. All keys must be equally likely
Let M={000,001} Let K = {000, 001, 010, 011, 100, 101, 110, 111} Note that if K is randomly selected as 000, then M = C. This is not a weakness! If we did not allow a message to encrypt to itself, then some ciphertexts are more likely, which is bad.
Two possible messages
8 keys

36. In practice, we usually shoot for computational security.
The “Bad News” Theorem
Theorem: Perfect secrecy requires |K| >= |M|
Computational security means two different things here. There is the notion of “enough” security, e.g., it would take 2^80 years to crack the cipher with todays technology. There is also a theoretic notion, e.g., no polynomial time algorithm could break the cipher.
What this means is the OTP is really the best we can do.
In practice, we usually shoot for computational security.

37. The OTP provides perfect secrecy. ......But is that enough?

38. No Integrity ⊕ ? ? Eve enc ( ⊕k ) m m ⊕ k evil dec ( ⊕k ) m ⊕ evil

39. No Integrity ⊕ Eve enc ( ⊕k ) From: Bob From: Bob
dec ( ⊕k )
From: Eve
From: Eve

40. Eve should not be able to alter m without detection.
Security Goals
m or error m
Public Channel c c’
Alice E D
Bob
Eve ke ke
read/write access
Goal 2: Integrity
Eve should not be able to alter m without detection.

41. Detecting Flipped Bits
Alice
Bob
(read/write)
M = “I {Love,Hate} you”
Receives M’
Eve
Bob should be able to determine if M=M’ Ex: Eve should not be able to flip Alice’s message without detection (even when Eve doesn’t know content of M)

42. Eve should not be able to forge messages as Alice
m or error m
Public Channel c c’
Alice E D
Bob
Eve ke ke
read/write access
Goal 3: Authenticity
Eve should not be able to forge messages as Alice

43. Detecting Flipped Bits
Alice
Bob
(read/write)
Eve
M = “I Love you, signed Alice”
Bob should be able to determine M wasn’t sent from Alice

44. Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity
m or error m
Public Channel c c’
Alice E D
Bob
Eve ke ke
read/write access
Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity

45. Summary Cryptography is a awesome tool Perfect secrecy and OTP
But not a complete solution to security
Authenticity, Integrity, Secrecy
Perfect secrecy and OTP
Good news and Bad News
Secrecy  Privacy?

46. Questions?

47. END

48. Continuous stream of data
Stream Ciphers
Continuous stream of data

49. Block Ciphers Block of data Analogous to secure communication:
Server
Block of data
No eavesdropping
No tampering
Analogous to secure communication:
Alice today sends a message to Alice tomorrow

50. Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity
Public Channel M M
Alice
Bob
Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity

52. But crypto can do much more
Alice signature
Digital signatures

53. But crypto can do much more
Digital signatures
Anonymous communication
Who did I just talk to?
Bob

54. But crypto can do much more
Digital signatures
Anonymous communication
Anonymous digital cash
Can I spend a “digital coin” without anyone knowing who I am?
How to prevent double spending?
Who was that? 1$
Internet
(anon. comm.)

55. Algorithms: Standardized and Public
Cryptosystem m c E kd ke c’
Bob D
m or error
Alice
E: Encryption Algorithm D: Decryption Algorithm
ke: Encryption Key
kd: Decryption Key
Algorithms: Standardized and Public

56. Private. Length of key determines security
Cryptosystem m c E kd ke c’
Bob D
m or error
Alice
E: Encryption Algorithm D: Decryption Algorithm
ke: Encryption Key
kd: Decryption Key
Private. Length of key determines security

57. Symmetric and Asymmetric Cryptosystemkd ke c’
Bob D
m or error
Alice
E: Encryption Algorithm D: Decryption Algorithm
ke: Encryption Key
kd: Decryption Key
Symmetric (shared key) : ke = kd Asymmetric (public key) : ke public, kd private

58. Quiz What were the three properties crypto tries to achieve? Privacy
Integrity
Authenticity

59. Mathematical properties in terms of security parameter
A rigorous science
The three steps in cryptography:
Precisely specify threat model
Propose a construction
Prove that breaking construction under threat mode will solve an underlying hard problem
Mathematical properties in terms of security parameter
Example: define what it means to forge signatures, give construction, show that forging signatures is as hard as factoring.

60. A rigorous science The three steps in cryptography:
Precisely specify threat model
Propose a construction
Prove that breaking construction under threat mode will solve an underlying hard problem
The #1 Rule Never role your own crypto.
(including inventing your own protocol)
Mathematical properties in terms of security parameter k
Example: define what it means to forge signatures, give construction, show that forging signatures is as hard as factoring.

61. Domain of Security Problems
Computer Security
Domain of Security Problems
Math
Crypto
How do write software that can protect private information like Ke, KD?
How do we know implementation of E and D are correct?
How do we build networks that are secure, reliable, and available?
How do we ensure only Alice can access her keys?

62. History of Cryptography
David Kahn, “The code breakers” (1996)

63. Early History: Substitution Cipher
Ke = Kd = π: Σ  Σ
e.g., Σ = {a,b,c,...} or {1,2,3,..} etc.
π is a permutation
Eπ(CAB) = π(C) π(A) π(B)
= Z E A σ A B C D
π(σ) E Z U
Dπ(ZEA) = π-1 (Z) π-1 (E) π-1(A)
= C A B
Complete Insecure!

64. Attacking Substitution Ciphers
How would you break a message encrypted with the substitution cipher?
Analyze the ciphertext (CT attack)!
Frequency of letters
“e” 12.7%, “t” 9.1%, “a” 8.1%, ...
Pairs of letters: “he”, “an”, “in”, “th”, ...

65. An Example B 36 N 34 U 33 P 32 C 26  E NC 11 PU 10 UB UN 9  IN UKB 6
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFOFEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVFZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR B 36 N 34 U 33 P 32 C 26
 E NC 11 PU 10 UB UN 9
 IN
UKB 6
RVN
FZI 4
 THE
 AT T
 A
trigrams
digrams

66. Broken by an effort led by our friend Alan Turing
WWII: Enigma
Broken by an effort led by our friend Alan Turing

67. Classical Approach: Iterated Design
Scheme 1
Broken
Scheme 2
Broken
Scheme 3
Deploy
Broken
...
No way to say anything is secure (and you may not know when broken)

68. Iterated design was only one known until 1945

69. Modern Cryptography: 1945 with Shannon
Claude Shannon:
Modern Cryptography: 1945 with Shannon
Formally define security goals, adversarial models, and security of system
Beyond iterated design: Proof by reduction that cryptosystem achieves goals

70. Proving Information Theoretic Secrecy
Given: \[
\begin{split}
\Pr{[E(k,m) = c]} = \frac{ k \in K \text{~s.t.~} E(k, m) = c}{|K|}
\end{split} \]
Fact:
One way to think about the fact is what if it were the case that the probability of a key
So, if
Then perfectly secure. \[
\forall m,c : \#\{k \in K: E(k,m) = c\} = \text{constant} \]

71. Stream Ciphers
PRNG’s and amplifying secrets

72. Amplifying Randomness
Problem: Perfect cipher requires |K| >= |M| To make practical: replace “random” key with “pseudo-random” key generated by a pseudo-random (number) generator (PRG)
\text{Let~} S: \{0,1\}^s \text{~and~} K: \{0,1\}^k\\
G: S \impl K \text{~where~} k \gg s

73. Stream Ciphers: A Practical OTPk
PRG expansion
G(k) m c

74. Question Can a stream cipher have perfect secrecy?
Yes, if the PRG is secure
No, there are no ciphers with perfect secrecy
No, the key size is shorter than the message

75. PRG Security
One requirement: Output of PRG is unpredictable (mimics a perfect source of randomness) Suppose PRG is predictable: Then insecure.
Even predicting 1 bit is insecure
\exists i. G(k)|_{1,\ldots,i} \xrightarrow{\text{Alg}} G(k)|_{i+1,\ldots,n}
predict these bits of insecure G
G(k)
i bits
gives i bits m
From c
From

76. PRG Security
Goal: Output of PRG is unpredictable (mimics a perfect source of randomness) Predictable: PRG G is predictable if there is an efficient alg Adv for non-negligible ε (for now, ε> 1/230) Unpredictable: PRG is unpredictable if not predictable for all i
\Pr{[\Adv{(G(k)|_{i,\ldots,i}}) = G(k)|_{i+1}]} > \frac{1}{2} + \epsilon

77. Negligible Functions Practical:
Something is negligible if it is very small constant.
Non-negligible: 230 (one GB of data)
Negligible: 280 (age of universe in seconds: 260)
Formally:
A function ε: Z≥0  R≥0 is negligible if it approaches 0 faster than the reciprocal of any polynomial.
\forall n \in \mathbb{N}. \exists n_c : \epsilon(n) \leq n^{-c} \qquad \forall n \geq n_c

78. Weak PRGs Linear congruence generators GNU libc random()
Look random (see Art of Programming)
But are predictable
GNU libc random()
Kerberos v4 did and was broken

79. Two Time Pad is Insecure
Two Time Pad: c1 = m1  k c2 = m2  k Eavesdropper gets c1 and c2. What is the problem?
Enough redundancy in ASCII (and english) that
m1  m2 is enough to know m1 and m2
c1  c2 = m1  m2

80. Real World Examples Project Venona (~1942-1945) WEP 802.11b
Russians used same OTP twice  break by American and British cryptographers
WEP b
Disk Encryption
MS-PPTP (Windows NT)

81. Only IV changed per message
WEP b
Only IV changed per message m
crc(m) k k
PRG(IV || k)
Wireless Card
Access Point IV c
Length of IV: 24 bits
Repeat after 224 ≈ 16M frames
Some cards reset to 0 after power cycle
Best attacks reduce to 106
802.11b is an example of a two-time pad

82. PRG output different per message
A better approach
PRG output different per message
PRG(k)
... m1 m2 m2 k k
Wireless Card
Access Point
Each message has a unique key Best method: use WPA2
Use PRG(k) to generate a key per message.

83. Disk Encryption m1  k m1 m2  k m2 Dear Alice: You are my sunshine.
Dear Grace: You are my sunshine.
m2  k
Dear Grace: You are my sunshine. m2
Suppose we encrypt a note to alice. Then open it up and edit it, changing to eve. You can tell where the change was.
Attacker knows where messages are same, and where different!

84. Two Time Pad Never use the same stream cipher key twice!
Network traffic: Pick a new key each time, and a separate key for client and server
Disk encryption: don’t use stream cipher

85. for b=0,1: Wb := [ event that EXP(b)=1 ]
Chal.
Adv. A
m0 , m1  M : |m0| = |m1|
kK
c  E(k, mb)
b’  {0,1}
for b=0,1: Wb := [ event that EXP(b)=1 ]
AdvSS[A,E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]
Security for:
Chosen Plaintext Attack (CPA)
IND-CPA Game

86. OTP is semantically secureb
Chal.
Adv. A
m0 , m1  M : |m0| = |m1|
kK
c  k⊕m0 or c  k⊕m1
b’  {0,1}
The same holds for any predicate P for which you can construct m0,m1 efficiently.
For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] | = 0