Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 1 Stefan Dziembowski

Published byNoel Dean Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 1 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 1 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 2 Pagina del corso: http://www.dziembowski.net/Studenti/Critto/ Orario di ricevimento: giovedi dalle 16.00 alle 18.00 Avviso: per favore inviatemi una email (all' indirizzo: stefan at dziembowski dot net) con il vostro nome e cognome. Libri di testo : Libro principale: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography Altri libri: Doug Stinson Cryptography Theory and Practice, Third Edition Shafi Goldwasser and Mihir Bellare Lecture Notes on Cryptography Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone Handbook of Applied Cryptography

3 3 What is this course about? Cryptography In the past: the art of encrypting messages (mostly for the military applications). Now: the science of securing digital communication and transactions (encryption, authentication, digital signatures, e-cash, auctions, etc..) Lots of applications in e-commerce!

4 4 What is this course not about? This course is not about: number theory, complexity theory, security of the internet, firewalls, viruses, trojans, etc... implementation details, history of cryptography.

5 5 Plan of the course 1.Introduction to the basic concepts 2.Symmetric-key encryption and authentication 3.Public-key encryption 4.Signature schemes 5.Key management techniques 6.Advanced topics (zero-knowledge, e- cash, distributed cryptography)

6 6 The basic goal: secure communication: 1. Secrecy: insecure link eavesdrops Eve AliceBob internet, phone line, etc.

7 7 Encryption schemes (a very general picture) Encryption scheme (cipher) = encryption & decryption encryptionciphertext cdecryptionm plaintext m should not learn m In the past: a text in natural language. Now: a string of bits.

8 8 ? “should not learn m” ? It’s not clear what it means... 1.What does the adversary know about the scheme? 2.How many ciphertexts can she see? 3.What is her a priori knowledge about m? 4.How are the messages m chosen? 5.What is the computational power of the adversary? 6.What is the goal of the adversary? compute m? learn “some information about m”? …

9 9 Art vs. science In the past: lack of precise definitions, ad-hoc design, usually insecure. Nowadays: formal definitions, systematic design, very secure constructions.

10 10 Kerckhoffs' principle Auguste Kerckhoffs (1883): The enemy knows the system The cipher should remain secure even if the adversary knows the specification of the cipher. The only thing that is secret is a short key k that is usually chosen uniformly at random

11 11 A more refined picture plaintext mencryptionciphertext cdecryptionm key k How did Alice and Bob establish k? For a moment say: they met and generated it together. (Of course Bob can use the same method to send messages to Alice.) (That’s why it’s called the symmetric setting)

12 12 Kerckhoffs' principle – the motivation (1/3) In commercial products: it is unrealistic to assume that the design details remain secret (reverse-engineering!) For example: In 1987 RSA designed a cipher called RC4. Its specification was a trade secret. In 1994 a C code of RC4 was posted on a cypherpunk mailing list

13 13 Kerckhoffs' principle – the motivation (2/3) Short keys are easier to protect, generate and replaced. Example : During the World War II the Amercian Army used the Navajo Indians as “encryption devices”. This system contradicted the Kerkhoffs’ principle, and hence it had an obvious problem: What to do if the enemy captures one of the Navajos?

14 14 Kerckhoffs' principle – the motivation (3/3) 1.The design details can be discussed and analyzed in public. 2.It corresponds nicely to the open-source ideology. 3.The schemes can become parts of industrial standards. Not respecting this principle = ``security by obscurity”.

15 15 A mathematical view

16 16 How to define security? For a moment let’s say: the adversary broke the scheme if he managed to ``decrypt some ciphertext c’’, without knowing the key. (warning: in general, this definition is too weak)

17 17 Shift cipher

18 18 Security of the shift cipher Q: How to break the shift cipher? A: Check all possible keys This is called a brute force attack. Moral: the key space needs to be large!

19 19 Substitution cipher ABCDEFGHIJKLMNOPRSTUWVXYZ ABCDEFGHIJKLMNOPRSTUWVXYZ

20 20 How to break the substitution cipher? Use statistical patterns of the language. For example: the frequency tables. Texts of 50 characters can usually be broken this way.

21 21 Other famous historical ciphers Vigenère cipher: Blaise de Vigenère (1523 - 1596) Leon Battista Alberti (1404 – 1472) Enigma Marian Rejewski (1905 - 1980) Alan Turing (1912-1954)

22 22 Defining “security of an encryption scheme” is non-trivial. Experiment (m – a message) 1.the key k is chosen randomly 2.message m is encrypted using k: c := Enc k (m) 3.c is given to the adversary Idea 1 The adversary should not be able to compute k. Idea 2 The adversary should not be able to compute m. Idea 3 The adversary should not be able to compute any information about m. Idea 4 The adversary should not be able to compute any additional information about m. makes more sense

23 23 How to formalize it? Probability-theoretic approach: Idea The adversary should not be able to compute any additional information about m.

24 24 A perfectly secret scheme: one-time pad Gilbert Vernam (1890 –1960)

25 25 Problem with one-time pad Each key cannot be used more than once! This is because:

26 26 independent this we know this we have to show here we use the assumption QED

27 27 Practicality? Generally, the one-time pad is not very practical, since: the key has to be as long as the total length of the encrypted messages, it is hard to generate truly random strings. However, it is sometimes used (e.g. in the military applications), because of the following advantages: perfect secrecy, short messages can be encrypted using pencil and paper. In the 1960s the Americans and the Soviets established a hotline that was encrypted using the one-time pad. (additional advantage: they didn’t need to share their secret encryption methods) a KGB one-time pad hidden in a walnut shell

28 28 Venona project (1946 – 1980) American National Security Agency decrypted Soviet messages that were transmitted in the 1940s. That was possible because the Soviets reused the keys in the one-time pad scheme. (1953) Ethel and Julius Rosenberg

29 29 One time-pad is optimal in the class of perfectly secret schemes m_0m_1m_2... k_0Enc(k_0,m_0)Enc(k_0,m_1)Enc(k_0,m_2) k_1Enc(k_1,m_0)Enc(k_1,m_1)Enc(k_1,m_2) k_2Enc(k_2,m_0)Enc(k_2,m_1)Enc(k_2,m_2)...

30 30 m_0m_1m_2... k_0Enc(k_0,m_0)Enc(k_0,m_1)Enc(k_0,m_2) k_1Enc(k_1,m_0)Enc(k_1,m_1)Enc(k_1,m_2) k_2Enc(k_2,m_0)Enc(k_2,m_1)Enc(k_2,m_2)

31 31 The basic goal: secure communication: 2. Integrity: M interferes with the transmission Eve AliceBob How can Bob be sure that M really comes from Alice?

32 32 Does encryption guarantee message integrity? Idea: 1.Alice encrypts m and sends c=Enc(k,m) to Bob. 2.Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad.

33 33 Message authentication AliceBob (m, t=Tag k (m)) Eve can see (m, t=Tag k (m)) She should not be able to compute a valid tag t’ on any other message m’. k k m verifies if t=Tag k (m)

34 34 How to define security of such a scheme?

35 35

36 36... ? For example p = 2 107 - 1

37 37

38 38 Can we reuse the same key many times?

39 39 Outlook Secure communication = encryption and authentication. We defined security of encryption and authentication using the probability-theoretic language. We constructed such ``perfectly secure’’ schemes. Problem: the keys need to be large and can be used at most once. But it can be shown that they are ``the best we can achieve’’. Can we go home and relax? maybe the definitions are too strong?

40 40 What to do? We required that M and Enc K (M) are independent, Maybe it is enough to require that M and Enc K (M) are independent from the “practical point of view’’? How can this be formalized? We will use the complexity theory!

Download ppt "Cryptography Lecture 1 Stefan Dziembowski"

Similar presentations

Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Cryptography Introduction Last Updated: Aug 20, 2013.

Cryptography Introduction Last Updated: Aug 20, 2013.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.
CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.

CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Lecture 1 Introduction to Cryptography Stefan Dziembowski University of Rome La Sapienza BiSS 2009 Bertinoro International Spring School 2-6 March 2009.

Lecture 1 Introduction to Cryptography Stefan Dziembowski University of Rome La Sapienza BiSS 2009 Bertinoro International Spring School 2-6 March 2009.
Introduction to Modern Cryptography Instructor: Amos Fiat Strongly based on presentation and class by Benny Chor School of Computer Science Tel- Aviv Univ.

Introduction to Modern Cryptography Instructor: Amos Fiat Strongly based on presentation and class by Benny Chor School of Computer Science Tel- Aviv Univ.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
CS426Fall 2010/Lecture 21 Computer Security CS 426 Lecture 2 Cryptography: Terminology & Classic Ciphers.

CS426Fall 2010/Lecture 21 Computer Security CS 426 Lecture 2 Cryptography: Terminology & Classic Ciphers.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

Similar presentations

Ads by Google