Cryptography Lecture 2 Arpita Patra

Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise Assumption + Rigorous Proof) o End-users >> Secure Communication in Secret Key Setting Secret Key Encryption (SKE) >> Learn From the Blunders of Classical SKE o Algorithms of SKE (in general in crypto) must be PUBLIC o Secret Key Space Must be large enough to fail brute force o No ad-hoc algorithm without definition and proof

Today’s Goal -Do Secure Communication in a ‘modern’ way ditching the ‘classic’ approach o Formulate a formal definition (threat + break model) o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption

Secure Communication in Private Key Setting o Secret key k shared in advance (by “some” mechanism) k k ?? m o m is the plain-text EncryptionDecryption mc o c is the cipher-text (scrambled message) m Need: An encryption scheme (Gen, Enc, Dec) - Private (Secret) Key Encryption- Keys are private to the sender and the receiver - Symmetric Key Encryption- The same key is used for encryption and decryption

Syntax of Secret Key Encryption (SKE) 1.Key-generation Algorithm: Gen() 2. Encryption Algorithm: Enc k (m) 3. Decryption Algorithm: Dec k (c) > MUST be a Randomized algorithm > Outputs a key k chosen according to some probability distribution. > Deterministic/Randomized algorithm > c  Enc k (m) when randomized and c:=Enc k (m) when deterministic > Usually deterministic > Outputs m:= Dec k (c)

Syntax of SKE > Set of all possible keys output by algorithm Gen 1.Key space ( K ): 2. Plaintext / message space ( M ): > Set of all possible “legal” message (i.e. those supported by Enc) 3. Ciphertext space ( C ): > Set of all cipher-texts output by algorithm Enc SKE is specified using (Gen, Enc, Dec) and M

Formal Definition of Security Two components of a security definition: Break: Threat:>> Who is your threat? >> Who do you want to protect from? >> Cultivate your enemy a.k.a adversary in crypto language. >> Look out in practical scenarios / be an adversary >> Unless you know your adv, no hope of defeating him >> What are you afraid of losing? >> What do you want to protect? >> If you don’t know what to protect then how to do you when or if you are protecting it?

Threat Model - How powerful - What are his capabilities (in terms of attacking a secure communication protocol)? computationally? > Best is to have no assumption on the computing power of the adv. a.k.a unbounded powerful adversary > Give him any so-called hard problem (factoring etc), he solves in no time > Strongest adversary that we can think of in terms of computing power k k ?? Enc m c > Attacker/adv. can eavesdrop/tap the ciphertext during transit- Passive or Eavesdropper Can you think of a smarter attack? > Ciphertext Only Attack (COA)

Threat Model - Can sample random coins? (deterministic or randomized) > Randomness is absolute necessity in Crypto; it is practical and Good guys use randomness often. Why not adversary? > Good to be liberal in terms of giving more power to adversary -Randomized -Unbounded Powerful -COA

Break Model Attempt I>> Secret key ? Then Enc(m) = m is secure Attempt II>> Entire Message? Then Enc(m) leaking most significant 10 bits is secure; m: bank password| amazon password| Attempt III>> No additional info about the message irrespective of prior information? Right Notion How to formalise? Need basics of Discrete Probability Theory

Discrete Probability Background > U: Finite set; e.g. {0,1} > Probability Distribution on U specifies the probabilities of the occurrence of the elements of U - e.g Probability Distribution on U = {0,1}: Pr(0) = ½, Pr(1) = ½ Pr(0) = 0, Pr(1) = 1 Probability distribution: Probability distribution Pr over U is a function Pr: U [0,1] such that Σ Pr(x) = 1 x in U > Uniform Probability Distribution on U: Pr(x) = 1/|U| for every x

Discrete Probability Background Event: Occurrence of one or more elements of U is called an event - e.g Consider Uniform Distribution on U = {0,1} 4 - Let A = occurrence of elements of U with msb two bits as 01 - Pr(A) = 1/4 Union Bound: For events A 1 and A 2 Pr [ A 1 ∪ A 2 ] ≤ Pr[A 1 ] + Pr[A 2 ] (extend for more than 2) Conditional probability: probability that one event occurs, assuming some other event occurred.

Discrete Probability Background Random Variable: variable that takes on (discrete) values from a finite set with certain probabilities (defined with respect to a finite set) Probability distribution for a random variable: specifies the probabilities with which the variable takes on each possible value of a finite set - Each probability must be between 0 and 1 - The probabilities must sum to 1 Done!!

Formulating Definition for SKE=(Gen,Enc,Dec) C K M M Random Variable K C ilu ihu Pr(M = ilu) =.7 Pr(M = ihu) =.3 Prob. Dist. Pr(K = k) = Pr(Gen outputs k) - Determined by external factors - Depends on Gen-Choose a message m, according to the given dist. - Generate a key k using Gen - Compute c  Enc k (m) All the distributions are known to Prob. Dist. Of M and K are independent Prob. Dist. Of C depends on dist. of M and K

Numerical Example M = {a b c d} K = {k 1 k 2 k 3 } Enc Pr [C = 1] : Pr [C = 2] : Pr [M = b] Pr [K = k 2 ] + Pr [M = c] Pr [K = k 3 ] + Pr [M = d] Pr [K = k 1 ] = Pr [M = c] Pr [K = k 1 ] + Pr [M = d] Pr [K = k 2 ] + Pr [M = d] Pr [K = k 3 ] = Pr [M = a] Pr [K = k 1 ] + Pr [M = a] Pr [K = k 2 ] + Pr [M = b] Pr [K = k 3 ] = Pr [M = a] Pr [K = k 3 ] + Pr [M = b] Pr [K = k 1 ] + Pr [M = c] Pr [K = k 2 ] =  What is the probability distribution on the cipher-text space C ? Pr [C = 3] : Pr [C = 4] : C = { }.26.21

Threat & Break Model -Randomized -Unbounded Powerful -COA No additional info about the message should be leaked from the ciphertext irrespective of the prior information that the adv has  What captures the prior information of the attacker about m ? - Probability distribution on the plain-text space M - The probability distribution {Pr[M = m]}  Observing the cipher-text c should not change the attacker’s knowledge about the distribution of the plaintext - Mathematically, Pr[M = m | C = c] = Pr[M = m] What is the point in tapping over channel. I better watch the cricket match today Perfect Security!!!!

Perfectly-secure Encryption : Formal Definition Definition (Perfectly-secure Encryption): An encryption scheme (Gen, Enc, Dec) over a plaintext space M is perfectly-secure if for every probability distribution over M, every plain-text m  M and every cipher-text c  C, the following holds: Pr [M = m | C = c] = Pr [M = m] Posteriori probability that m is encrypted in c a priori probability that m might be communicated  Probably the first formal definition of security - C. E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28(4): , 1949.

What have we done so far.. No assumption!! o Formulate a formal definition (threat + break model) o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption

Perfectly-secure Encryption- Construction M = K = C = {0, 1} l Gen k  R K m  M k c Enc c:= m  k k Dec m:= c  k c  C m Correctness:Enc k (m)Dec k ( )= m Vernam Cipher [1917]: But Shannon proved its security after formulating perfect security

Perfectly-secure Encryption- Construction M = K = C = {0, 1} l Gen k  R K m  M k c Enc c:= m  k k Dec m:= c  k c  C m Theorem (Security):Vernam Cipher is perfectly-secure To prove Pr[M = m | C = c] = Pr[M = m] Proof: For arbitrary c and m, Pr[C = c | M = m] = Pr[K = c  m] = 1/2 l Pr[C = c] m in M (irrespective of p. d. over M ) = 1/2 l Σ Pr[M = m] m in M = 1/2 l = Σ Pr[C = c | M = m] Pr[M = m]

Perfectly-secure Encryption- Construction M = K = C = {0, 1} l Gen k  R K m  M k c Enc c:= m  k k Dec m:= c  k c  C m Pr[M = m | C = c] = Pr[C = c | M = m ] Pr[M = m] Pr[C = c] = Pr[M = m] Historical Use of Vernam Cipher: Redline between White House & Kremlin during Cold war. (Bayes' Theorem)

What have we done so far.. o Formulate a formal definition (threat + break model) o Identify assumptions needed and build a construction o Prove security of the construction relative to the definition and assumption

Vernam Cipher is not all that nice because.. o How long is the key? o Can we reuse the keys for multiple messages? No!! length is as long as the message - For long messages hard to agree on long key - What happens the parties cannot predict the message size in advance - c = m  k, c’ = m’  k - c  c’ = m  m’ Adversary learns the difference! - Perfect security breaks down  One-time Pad (OTP) VENONA Project: US & UK decrypted Russian Plaintext exploiting the use of same key to pad many messages Let us design another scheme that overcomes the drawbacks.. Alas! Inherent problems..

Chalk & Talk Assignment o Various Perfect Security Definitions and their Equivalence Define it Definition I: Pr [M = m | C = c] = Pr [M = m] Definition II: Pr [C = c | M = m] = Pr [C = c | M = m’] Definition III: KL Chapter 2

Next class… o Various Perfect Security Definitions and their Equivalence Define it Definition I: Pr [M = m | C = c] = Pr [M = m] Definition II: Pr [C = c | M = m] = Pr [C = c | M = m’] Definition III: KL Chapter 2 Definition IV: