CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz

Some examples  (Shift cipher)  (Substitution cipher)  (Vigenere cipher)

Moral of the story?  Key space should be large –Necessary, but not sufficient  Don’t use “simple” schemes  Thoroughly analyze schemes before using –Better yet, use schemes that other, smarter people have already analyzed…

Re-thinking the problem  What do we mean by security? –I.e., not being able to determine the key?? –Types of attacks  Perfect security –One-time pad  Computational security –Block ciphers and modes of encryption –DES and AES

Notions of Security  What constitutes a “break”?  What kind of attacks?  Note: always assume adversary knows full details of the scheme (except the key…) –Never aim for “security through obscurity”

Security goals?  Adversary unable to recover the key –Necessary, but meaningless on its own…  Adversary unable to recover entire plaintext –Good, but is it enough?  Adversary unable to determine any information at all about the plaintext –Sounds great! –Can we achieve it?

One-time pad  (One-time pad)

Properties of one-time pad?  Achieves perfect secrecy (proof) –No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext  (Essentially) useless in practice… –Long key length –Can only be used once (hence the name!)

Weaken security guarantee?  Instead of requiring that no adversary can learn anything about the plaintext…  …require that no adversary running in any “reasonable amount of time” can learn anything about the plaintext except with “very small probability” –“Reasonable time” = 10 6 years –“Very small probability” = –Computational security

Simpler characterization?  Equivalent to the following, simpler definition: –Given a ciphertext C which is known to be an encryption of either M 0 or M 1, an adversary cannot guess which one was actually encrypted –More precisely, no adversary running in reasonable amount of time can guess correctly with probability significantly better than ½.

The take-home message  Weakening the definition slightly allows us to construct much more efficient schemes!  Strictly speaking, no longer 100% absolutely guaranteed to be secure –Security of encryption now depends on security of building blocks (which are analyzed extensively, and are assumed to be secure) –Given enough time, the scheme can be broken

Security?  We now have a working definition of what it means for encryption to be secure  What sort of attacks should we consider?

Attacks  Ciphertext only  Known plaintext  Chosen plaintext  Chosen ciphertext (includes chosen plaintext attacks)

Attacks…  A typical standard is security against chosen-plaintext attacks  Security against chosen-ciphertext attacks is increasingly required  Note that the one-time pad is insecure against known-plaintext attack

Randomized encryption  To be secure against chosen-plaintext attack, encryption must be randomized –We will see later how this comes into play

Block ciphers  Keyed permutation; input/output length  Large key space  Modeled as a (family of) random permutations…  Example – “trivial” encryption: –C = F K (m) –This is not randomized…