CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz

HW1  Will be posted shortly  Work in teams –Both students should contribute to all problems –JCE fair game for the exam

Defining secrecy (take 1)  Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext  Perfect secrecy  Formally, for all distributions over the message space, all m, and all c: Pr[M=m | C=c] = Pr[M=m]

One-time pad and proof of security

Properties of the one-time pad?  Achieves perfect secrecy –No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext  (Essentially) useless in practice… –Long key length –Can only be used once (hence the name!) –Insecure against known-plaintext attacks  These are inherent limitations of perfect secrecy

Computational secrecy

 We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition  Instead of requiring total secrecy against unbounded adversaries, require secrecy against time-bounded adversaries except with some small probability –E.g., secrecy for 100 years, except with probability  How to define formally?

A simpler characterization  Perfect secrecy is equivalent to the following, simpler definition: –Given a ciphertext C which is known to be an encryption of either M 0 or M 1, no adversary can guess correctly which message was encrypted with probability better than ½  Computational security!  Is this definition too strong? Why not? running for 100 years

The take-home message  Weakening the definition slightly allows us to construct much more efficient schemes!  Strictly speaking, no longer 100% absolutely guaranteed to be secure –Security of encryption now depends on security of building blocks (which are analyzed extensively, and are assumed to be secure) –Given enough time, the scheme can be broken

Attacks  So far, we have been considering only passive eavesdropping of a single ciphertext –AKA, ciphertext-only attack  In practice, stronger attacks often need to be considered –Known plaintext –Chosen plaintext –Chosen ciphertext (includes chosen plaintext attacks)

Minimum requirements  The minimum level of security nowadays is security against chosen-plaintext attacks  But security against chosen-ciphertext attacks (or even stronger) is often necessary for certain applications –Make sure you are aware of this when deploying encryption!  We will revisit this after discussing message authentication

Randomized encryption  Can a deterministic encryption scheme be secure against chosen-plaintext attacks?  To be secure against chosen-plaintext attack, encryption must be randomized  Moral: always use randomized encryption!