1 / 40

Cryptography

Cryptography. Lecture 1 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net. Pagina del corso : http://www.dziembowski.net/Studenti/Critto/ Orario di ricevimento :  giovedi dalle 16.00 alle 18 .00

Download Presentation

Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography Lecture 1Stefan Dziembowskiwww.dziembowski.net stefan@dziembowski.net

  2. Pagina del corso: http://www.dziembowski.net/Studenti/Critto/ Orario di ricevimento:  giovedi dalle 16.00 alle 18.00 Avviso: per favore inviatemi una email (all' indirizzo: stefan at dziembowski dot net) con il vostro nome e cognome.         Libri di testo: Libro principale: • Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography Altri libri: • Doug Stinson Cryptography Theory and Practice, Third Edition • Shafi Goldwasser and Mihir Bellare Lecture Notes on Cryptography • Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone Handbook of Applied Cryptography

  3. What is this course about? Cryptography In the past:the art of encrypting messages (mostly for the military applications). Now:the science of securing digital communication and transactions (encryption, authentication, digital signatures, e-cash, auctions, etc..) Lots of applications in e-commerce!

  4. What is this course not about? This course is not about: • number theory, • complexity theory, • security of the internet, firewalls, viruses, trojans, etc... • implementation details, • history of cryptography.

  5. Plan of the course • Introduction to the basic concepts • Symmetric-key encryption and authentication • Public-key encryption • Signature schemes • Key management techniques • Advanced topics (zero-knowledge, e-cash, distributed cryptography)

  6. The basic goal: secure communication: 1. Secrecy: internet, phone line, etc. insecure link Alice Bob eavesdrops Eve

  7. plaintext m Encryption schemes (a very general picture) Encryption scheme (cipher) = encryption & decryption encryption ciphertext c decryption m In the past:a text in natural language. Now: a string of bits. should not learn m

  8. “should not learn m” ? It’s not clear what it means... • What does the adversary know about the scheme? • How many ciphertexts can she see? • What is her a priori knowledge about m? • How are the messages m chosen? • What is the computational power of the adversary? • What is the goal of the adversary? • compute m? • learn “some information about m”? • … ?

  9. Art vs. science In the past: lack of precise definitions, ad-hoc design, usually insecure. Nowadays: formal definitions, systematic design, very secure constructions.

  10. Kerckhoffs' principle Auguste Kerckhoffs (1883): The enemy knows the system The cipher should remain secure even if the adversary knows the specification of the cipher. The only thing that is secret is a short keyk that is usually chosen uniformly at random

  11. How did Alice and Bob establish k? For a moment say: they met and generated it together. A more refined picture plaintext m encryption ciphertext c decryption m key k key k (Of course Bob can use the same method to send messages to Alice.) (That’s why it’s called the symmetric setting)

  12. Kerckhoffs' principle – the motivation (1/3) In commercial products: it is unrealistic to assume that the design details remain secret (reverse-engineering!) For example: In 1987RSA designed a cipher called RC4. Its specification was a trade secret. In 1994 a C code ofRC4 was posted on a cypherpunk mailing list

  13. Kerckhoffs' principle – the motivation (2/3) Short keys are easier to protect, generate and replaced. Example: During the World War II the Amercian Army used the Navajo Indians as “encryption devices”. This system contradicted the Kerkhoffs’ principle, and hence it had an obvious problem:What to do if the enemy captures one of the Navajos?

  14. Kerckhoffs' principle – the motivation (3/3) • The design details can be discussed and analyzed in public. • It corresponds nicely to the open-source ideology. • The schemes can become parts of industrial standards. Not respecting this principle = ``security by obscurity”.

  15. A mathematical view

  16. How to define security? For a moment let’s say: the adversary broke the scheme if he managed to ``decrypt some ciphertext c’’, without knowing the key. (warning: in general, this definition is too weak)

  17. Shift cipher

  18. Security of the shift cipher Q: How to break the shift cipher? A:Check all possible keys This is called a brute force attack. Moral:the key space needs to be large!

  19. Substitution cipher

  20. How to break the substitution cipher? Use statistical patterns of the language. For example: the frequency tables. Texts of 50 characters can usually be broken this way.

  21. Other famous historical ciphers Vigenère cipher: Blaise de Vigenère(1523 - 1596) Leon Battista Alberti(1404 – 1472) Enigma Marian Rejewski(1905 - 1980) Alan Turing(1912-1954)

  22. Defining “security of an encryption scheme” is non-trivial. Idea 1The adversary should not be able to compute k. Experiment (m – a message) • the key k is chosen randomly • message m is encrypted using k:c := Enck(m) • c is given to the adversary Idea 2The adversary should not be able to compute m. Idea 3The adversary should not be able to compute any information about m. Idea 4 The adversary should not be able to compute any additional information about m. makes more sense

  23. How to formalize it? Idea The adversary should not be able to compute any additional information about m. Probability-theoretic approach:

  24. A perfectly secret scheme: one-time pad Gilbert Vernam (1890 –1960)

  25. Problem with one-time pad Each key cannot be used more than once! This is because:

  26. independent independent this we have to show this we know here we use the assumption QED

  27. Practicality? • Generally, the one-time pad is not very practical, since: • the key has to be as long as the total length of the encrypted messages, • it is hard to generate truly random strings. In the 1960s the Americans and the Soviets established a hotline that was encrypted using the one-time pad. (additional advantage: they didn’t need to share their secret encryption methods) • However, it is sometimes used (e.g. in the military applications), because of the following advantages: • perfect secrecy, • short messages can be encrypted using pencil and paper . a KGB one-time pad hidden in a walnut shell

  28. Venona project (1946 – 1980) American National Security Agency decrypted Soviet messages that were transmitted in the 1940s. That was possible because the Soviets reused the keys in the one-time pad scheme. (1953) Ethel and Julius Rosenberg

  29. One time-pad is optimal in the class of perfectly secret schemes

  30. The basic goal: secure communication: 2. Integrity: M Alice Bob interferes with the transmission How can Bob be sure that M really comes from Alice? Eve

  31. Does encryption guarantee message integrity? Idea: • Alice encrypts m and sends c=Enc(k,m) to Bob. • Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad.

  32. Message authentication verifies if t=Tagk(m) (m, t=Tagk(m)) m Alice Bob k k Eve can see (m, t=Tagk(m)) She should not be able to compute a valid tag t’ on any other message m’.

  33. How to define security of such a scheme?

  34. For example p = 2107- 1 . . . ? . . .

  35. Can we reuse the same key many times?

  36. maybe the definitions are too strong? Outlook Secure communication = encryption and authentication. We defined security of encryption and authentication using the probability-theoretic language. We constructed such ``perfectly secure’’ schemes. Problem: the keys need to be large and can be used at most once. But it can be shown that they are ``the best we can achieve’’. Can we go home and relax?

  37. What to do? We required that M and EncK(M) are independent, Maybe it is enough to require that M and EncK(M) are independent from the “practical point of view’’? How can this be formalized? We will use the complexity theory!

More Related