Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.

Presentation transcript:

Introduction to Modern Cryptography
Sharif University, Spring 2015
Data and Network Security Lab
Sharif University of Technology, Department of Computer Engineering

A Primer on Modern Cryptography (1)
Author: Ahmad Boorghany
Instructor: Dr. Rasool Jalili

Outline
- Definition of Modern Cryptography
- Evolution from Classic to Modern Cryptography
- Principles of Modern Cryptography
  - Exact Definitions
  - Precise Assumptions
  - Rigorous Proofs of Security
- An Introduction to Theory of Complexity
- Course Topics

Modern Cryptography and its relation to classic cryptography

Classic Cryptography
Concise Oxford Dictionary (2006):
- Cryptography is the art of writing or solving codes.
Classically, cryptography
- Focused solely on secret communication
- Seen as an art, relied on creativity and personal skill
- Used only by military and intelligence

Modern Cryptography
In the late 20th century, cryptography deals with
- message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash, and more.
Nowadays, cryptography is almost everywhere:
- ATM machines
- Online banking
- All HTTPS websites
- Remote login and file transfer (SSH, …)
- Mobile communications (GSM, …)
- Wireless networking (Wi-Fi, WiMAX, …)

Cryptography is Everywhere!
An encrypted web communication (HTTPS)

Cryptography is Everywhere! (cont.)
11,748 Android apps use cryptography (encryption); however, 10,327 (88%) get it wrong [EBFK13].

Definition of Modern Cryptography
Katz and Lindell [KL08]:
- (Modern) Cryptography is the scientific study of techniques for securing digital information, transactions, and distributed computations.
(Image courtesy of Amazon)

Cryptography Concerns
(Image courtesy of Microsoft)

Cryptography Concerns (cont.)
(Image courtesy of Microsoft)

Classic Ciphers
What is its key length?
However, not very secure!

Classic Ciphers (cont.)
Enigma: German World War II machine
Broken by British in an effort led by Turing
(Images courtesy of Wikipedia and Louise Dade)

One-time-pad (OTP) Encryption
Proven by Shannon

Principles of Modern Cryptography

Modern Cryptography: A Computational Science
Security of a “practical” system must rely not on the impossibility but on the computational difficulty of breaking the system.
- “Practical” = more message bits than key bits
Rather than: “It is impossible to break the scheme”
We might be able to say: “Attacks can exist as long as cost to mount them is prohibitive”
(Image courtesy of mynextbrain.com)

Modern Cryptography: A Computational Science (cont.)
A sample security proposition:
- Cannot be broken with probability better than 10^-30 in 200 years, using the fastest available supercomputer.
Cryptography is now not just mathematics; it needs to draw on computer science:
- (Computational) Complexity Theory
- Design of Algorithms
(Image courtesy of snookerbacker.com)
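The sample proposition above can be turned into a concrete key-length requirement. The following is an added example, not part of the original slides; it models exhaustive key search only and assumes a constructed attacker rate of 10^18 key trials per second.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumption (not from the slides): an exascale attacker testing 10^18 keys/second.
ASSUMED_RATE = 10 ** 18
# Target taken from the slide: success probability at most 10^-30 in 200 years.
TARGET = Fraction(1, 10 ** 30)
YEARS = 200


def guesses(rate_per_second: int, years: int) -> int:
    """Total number of key trials the attacker can afford."""
    return rate_per_second * years * SECONDS_PER_YEAR


def success_bound(key_bits: int, rate: int, years: int) -> Fraction:
    """Brute-force success probability: q trials against 2^n equally likely keys.

    This bounds exhaustive search only; a structural attack on the scheme
    can do far better, which is why proofs and assumptions are still needed.
    """
    return min(Fraction(1), Fraction(guesses(rate, years), 2 ** key_bits))


def min_key_bits(target: Fraction, rate: int, years: int) -> int:
    """Smallest key length whose brute-force bound meets the target."""
    n = 1
    while success_bound(n, rate, years) > target:
        n += 1
    return n


def report() -> dict:
    """Bound for some common key lengths, as floats for readability."""
    return {n: float(success_bound(n, ASSUMED_RATE, YEARS))
            for n in (56, 128, 192, 256)}


if __name__ == "__main__":
    for bits, bound in report().items():
        print(f"{bits:3d}-bit key: success probability <= {bound:.3e}")
    print("minimum key length:", min_key_bits(TARGET, ASSUMED_RATE, YEARS))
```

Under these assumptions a 192-bit key falls just short of the 10^-30 target, so the smallest sufficient key length is 193 bits.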

Concrete vs. Asymptotic Security

Kerckhoffs’ principle
Auguste Kerckhoffs in the late 19th century:
- The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
Why?
- Easier to maintain secrecy of a short key rather than an algorithm
- Algorithm parts may be leaked: insider or reverse engineering
- Key revocation/reissue is easier than algorithm revocation/reissue!
- When different people communicate: different keys or different algorithms?
(Image courtesy of Wikipedia)

Modern Crypto Principles: Exact Definitions
Why exact definitions for security?
- Importance for design
  - To know what to design
  - Not to provide more than what is needed: efficiency
  - (different definitions with different security levels are usually proposed for any crypto concept)
- Importance for usage
  - Application designers match their requirements with what a scheme provides
  - More precise application verification
  - Not to use the most secure scheme if not needed: efficiency
- Importance for study
  - Comparing different schemes
  - More precise efficiency/security trade-off
- Needed for security proofs (later)

Modern Crypto Principles: Precise Assumptions
Most modern cryptographic constructions cannot be proven secure unconditionally. Thus, they rely on some assumptions:
- Hardness of mathematical problems
- Hardness of cryptographic primitives
Why precise assumptions?
- Validation of the assumption
  - Reliable assumptions should be examined and tested a lot without being successfully refuted.
  - The hardness of an assumption may be implied by another widely-believed hard assumption.
  - Both of the above need precise assumptions.

Modern Crypto Principles: Precise Assumptions (cont.)
Why precise assumptions?
- Comparison of schemes
  - Scheme A relies on assumption X
  - Scheme B relies on assumption Y
  - (Stronger) assumption X implies (weaker) assumption Y
  - Scheme B is better: X may become invalid while Y still holds, but not vice versa.
  - If X and Y are incomparable: (usually) the more-studied/simpler assumption is better.
- Needed for security proofs (later)

Modern Crypto Principles: Rigorous Proofs of Security
Why a security proof?
- Countless examples of unproven schemes that were broken
  - Sometimes immediately
  - Sometimes years after being presented or deployed
- Security testing is different than software testing
  - Cannot anticipate an adversary strategy
- Experience has shown that intuition here is disastrous.

Modern Crypto Principles: Rigorous Proofs of Security (cont.)
(Image courtesy of derf.net)

Example Assumptions: Mathematical Problem
Integer Factorization is hard
- (after exact formulation)
If a scheme is provably secure assuming hardness of factorization:
- Bug in the scheme implies
  - attacker has found a way to factor fast
  - attacker is smarter than Gauss
  - and smarter than all living mathematicians

Example Assumptions: Crypto Primitives
Block cipher primitives: DES, AES, ...
Hash functions: MD5, SHA1, SHA2, ...
Features:
- Few such primitives
- Bugs rare
- Design an art, confidence by history.
Drawback: Don’t directly solve any security problem.

Example Assumptions: Crypto Primitives (cont.)
Goal: Solve security problem of direct interest.
Examples: encryption, authentication, digital signatures, key distribution, ...
Features:
- Lots of them
- Bugs common in practice
History shows that building schemes from primitives is usually the weak link:
- AES or SHA-2 secure, yet
- Higher level scheme insecure
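The point that a sound primitive can still yield an insecure scheme, and the one-time-pad requirement that a pad is never reused, can both be seen in one added example (not part of the original slides). It assumes HMAC-SHA256 as the secure primitive and builds two constructed stream-encryption schemes from it: one that repeats its pad for every message and one that derives a fresh pad from a random nonce. The messages are constructed sample data.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, standing in for the secure primitive (an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand the PRF into a pad of the requested length, counter-mode style."""
    out, counter = b"", 0
    while len(out) < length:
        out += prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reused_pad(key: bytes, msg: bytes) -> bytes:
    """Flawed scheme: no nonce, so every message is XORed with the same pad."""
    return xor(msg, keystream(key, b"", len(msg)))


def encrypt_with_nonce(key: bytes, msg: bytes) -> bytes:
    """Corrected scheme: a fresh random nonce gives each message its own pad.
    It provides confidentiality only; integrity would need a MAC on top."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


def decrypt_with_nonce(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))


def demo():
    key = os.urandom(32)
    m1 = b"PAY 0100 TO ALICE"  # constructed sample messages of equal length
    m2 = b"PAY 9900 TO CAROL"
    # Flawed scheme: the pad cancels, so ciphertexts alone reveal m1 XOR m2.
    c1, c2 = encrypt_reused_pad(key, m1), encrypt_reused_pad(key, m2)
    flawed_leaks = xor(c1, c2) == xor(m1, m2)
    # Corrected scheme: different pads, so the same comparison reveals nothing.
    n1, n2 = encrypt_with_nonce(key, m1), encrypt_with_nonce(key, m2)
    fixed_leaks = xor(n1[NONCE_LEN:], n2[NONCE_LEN:]) == xor(m1, m2)
    return flawed_leaks, fixed_leaks, decrypt_with_nonce(key, n1) == m1


if __name__ == "__main__":
    print(demo())
```

The primitive is identical in both schemes; only the way the scheme uses it differs, which is the gap that an exact security definition (such as CPA security, listed in the course topics) is meant to expose.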

Theory of Complexity: An Introduction

Computation Model
Computation in cryptography is done by algorithms. But, what is an algorithm?
- Wikipedia: a step-by-step procedure for calculations.
- Oxford dictionary: a process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer.
We need a precise definition for algorithm/computation.
Formal definition: An algorithm = A Turing machine

Turing Machines
What is a Turing machine?
- Semantics:
  - An automaton with access to an infinite tape.
  - Initially, the input is on the tape.
  - Upon halting (if it halts), the tape content is the output.
(Image courtesy of its designer)

Turing Machines (cont.)

Turing Machines (cont.)
(Some text from Wikipedia)

Course Topics (tentative)

Course Topics
- Preliminaries (1 sess.)
  - Some fundamental concepts from complexity theory
  - Deeper look on security definition and model
  - Games as a useful tool for security definition and proof
- Primitives (1 sess.)
  - Mathematical notions for crypto primitives, e.g., one-way functions (OWF) and trapdoor permutations (TDP)
- Pseudo-randomness (1 sess.)
  - The notions of randomness and pseudo-randomness
  - Mathematical notions to capture pseudo-random primitives, e.g., pseudo-random generators (PRNG) and pseudo-random functions (PRF)

Course Topics (cont.)
- Simple cryptographic proofs (1 sess.)
  - Constructing and proving secure primitives, e.g., PRFs from PRGs
  - Samples of security definitions, attack models, and security proofs.
- Symmetric encryption (2 sess.)
  - Minimal full-fledged security definition for encryption (CPA)
  - Simple encryption scheme built upon PRFs
  - Provably-secure operation modes
  - Stronger notions of security for symmetric encryption (CCA).

Course Topics (cont.)
- Hash functions and message authentication codes (2 sess.)
  - Universal and collision-resistant hash function (CRHF)
  - Provably-secure message authentication codes
  - Provably-secure hash functions from other primitives, such as block ciphers.
  - Secure MACs using PRFs, CRHFs, and block ciphers.
- Asymmetric (public-key) encryption (3 sess.)
  - Different definitions for different levels of security for a public-key encryption scheme (CPA, CCA, CCA2, etc.)
  - Constructions: RSA, El-Gamal, GM, etc.

Course Topics (cont.)
- Mathematics of public-key cryptography (2 sess.)
  - Quick review on mathematical backgrounds, i.e., group theory, factoring, discrete logarithm problems, elliptic curves, etc.
- Applied provably-secure schemes (1 sess.)
  - Applications of provably-secure schemes
  - Authenticated encryption schemes and hybrid encryption

Course Topics (cont.)
- Other topics
  - Digital signature schemes (2 sess.)
  - Simulation-based security definitions (3 sess.)
  - Random oracle model (2 sess.)
  - Identification and key distribution (3 sess.)
  - Two-party and multi-party computation (3 sess.)
  - Quantum and post-quantum cryptography (1 sess.)
  - Review of other not-covered topics (1 sess.)

Questions?

References
[KL08] Katz, Jonathan, and Yehuda Lindell. Introduction to modern cryptography: principles and protocols. CRC Press,
[EBFK13] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp ACM,

Backup Slides

A Multi-tape Turing Machine
(Image courtesy of jflap.org)

JFLAP Simulator
(Image courtesy of jflap.org)

A Randomized Turing Machine
(Image courtesy of its designer)