1
Cryptography
Lecture 1
Stefan Dziembowski
www.dziembowski.net
stefan@dziembowski.net
2
Course page: http://www.dziembowski.net/Studenti/Critto/
Office hours: Thursdays from 16.00 to 18.00
Notice: please send me an email (to the address: stefan at dziembowski dot net) with your first and last name.
Textbooks:
Main book:
Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Other books:
Doug Stinson, Cryptography Theory and Practice, Third Edition
Shafi Goldwasser and Mihir Bellare, Lecture Notes on Cryptography
Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography
3
What is this course about?
Cryptography
In the past: the art of encrypting messages (mostly for military applications).
Now: the science of securing digital communication and transactions (encryption, authentication, digital signatures, e-cash, auctions, etc.).
Lots of applications in e-commerce!
4
What is this course not about?
This course is not about: number theory; complexity theory; security of the internet, firewalls, viruses, trojans, etc.; implementation details; history of cryptography.
5
Plan of the course
1. Introduction to the basic concepts
2. Symmetric-key encryption and authentication
3. Public-key encryption
4. Signature schemes
5. Key management techniques
6. Advanced topics (zero-knowledge, e-cash, distributed cryptography)
6
The basic goal: secure communication
1. Secrecy
[Figure: Alice and Bob communicate over an insecure link (internet, phone line, etc.); Eve eavesdrops.]
7
Encryption schemes (a very general picture)
Encryption scheme (cipher) = encryption & decryption
[Figure: plaintext m -> encryption -> ciphertext c -> decryption -> m; the eavesdropper should not learn m.]
Plaintext m. In the past: a text in natural language. Now: a string of bits.
8
“should not learn m”?
It’s not clear what it means...
1. What does the adversary know about the scheme?
2. How many ciphertexts can she see?
3. What is her a priori knowledge about m?
4. How are the messages m chosen?
5. What is the computational power of the adversary?
6. What is the goal of the adversary? Compute m? Learn “some information about m”? …
9
Art vs. science
In the past: lack of precise definitions, ad-hoc design, usually insecure.
Nowadays: formal definitions, systematic design, very secure constructions.
10
Kerckhoffs' principle
Auguste Kerckhoffs (1883): The enemy knows the system.
The cipher should remain secure even if the adversary knows the specification of the cipher.
The only thing that is secret is a short key k that is usually chosen uniformly at random.
11
A more refined picture
[Figure: plaintext m -> encryption (with key k) -> ciphertext c -> decryption (with key k) -> m.]
How did Alice and Bob establish k? For a moment say: they met and generated it together.
(Of course Bob can use the same method to send messages to Alice.)
(That’s why it’s called the symmetric setting.)
12
Kerckhoffs' principle – the motivation (1/3)
In commercial products it is unrealistic to assume that the design details remain secret (reverse-engineering!).
For example: In 1987 RSA designed a cipher called RC4. Its specification was a trade secret. In 1994 C code of RC4 was posted on a cypherpunk mailing list.
13
Kerckhoffs' principle – the motivation (2/3)
Short keys are easier to protect, generate and replace.
Example: During World War II the American Army used the Navajo Indians as “encryption devices”. This system contradicted Kerckhoffs' principle, and hence it had an obvious problem: what to do if the enemy captures one of the Navajos?
14
Kerckhoffs' principle – the motivation (3/3)
1. The design details can be discussed and analyzed in public.
2. It corresponds nicely to the open-source ideology.
3. The schemes can become parts of industrial standards.
Not respecting this principle = “security by obscurity”.
15
A mathematical view
16
How to define security?
For a moment let’s say: the adversary broke the scheme if he managed to “decrypt some ciphertext c” without knowing the key.
(Warning: in general, this definition is too weak.)
17
Shift cipher
18
Security of the shift cipher
Q: How to break the shift cipher?
A: Check all possible keys.
This is called a brute force attack.
Moral: the key space needs to be large!
19
Substitution cipher
ABCDEFGHIJKLMNOPRSTUWVXYZ
ABCDEFGHIJKLMNOPRSTUWVXYZ
20
How to break the substitution cipher?
Use statistical patterns of the language. For example: the frequency tables.
Texts of 50 characters can usually be broken this way.
21
Other famous historical ciphers
Vigenère cipher:
Blaise de Vigenère (1523 - 1596)
Leon Battista Alberti (1404 – 1472)
Enigma:
Marian Rejewski (1905 - 1980)
Alan Turing (1912-1954)
22
Defining “security of an encryption scheme” is non-trivial.
Experiment (m – a message):
1. the key k is chosen randomly
2. message m is encrypted using k: c := Enc_k(m)
3. c is given to the adversary
Idea 1: The adversary should not be able to compute k.
Idea 2: The adversary should not be able to compute m.
Idea 3: The adversary should not be able to compute any information about m.
Idea 4: The adversary should not be able to compute any additional information about m. (makes more sense)
23
How to formalize it?
Probability-theoretic approach.
Idea: The adversary should not be able to compute any additional information about m.
24
A perfectly secret scheme: one-time pad
Gilbert Vernam (1890 –1960)
25
Problem with one-time pad
Each key cannot be used more than once!
This is because:
26
[Proof annotations only; the equations are not preserved: "independent", "this we know", "this we have to show", "here we use the assumption", "QED".]
27
Practicality?
Generally, the one-time pad is not very practical, since:
the key has to be as long as the total length of the encrypted messages,
it is hard to generate truly random strings.
However, it is sometimes used (e.g. in military applications), because of the following advantages:
perfect secrecy,
short messages can be encrypted using pencil and paper.
In the 1960s the Americans and the Soviets established a hotline that was encrypted using the one-time pad. (Additional advantage: they didn’t need to share their secret encryption methods.)
[Image: a KGB one-time pad hidden in a walnut shell]
28
Venona project (1946 – 1980)
American National Security Agency decrypted Soviet messages that were transmitted in the 1940s.
That was possible because the Soviets reused the keys in the one-time pad scheme.
[Image: Ethel and Julius Rosenberg (1953)]
29
One-time pad is optimal in the class of perfectly secret schemes
       m_0            m_1            m_2            ...
k_0    Enc(k_0,m_0)   Enc(k_0,m_1)   Enc(k_0,m_2)
k_1    Enc(k_1,m_0)   Enc(k_1,m_1)   Enc(k_1,m_2)
k_2    Enc(k_2,m_0)   Enc(k_2,m_1)   Enc(k_2,m_2)
...
30
       m_0            m_1            m_2            ...
k_0    Enc(k_0,m_0)   Enc(k_0,m_1)   Enc(k_0,m_2)
k_1    Enc(k_1,m_0)   Enc(k_1,m_1)   Enc(k_1,m_2)
k_2    Enc(k_2,m_0)   Enc(k_2,m_1)   Enc(k_2,m_2)
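Added example (not part of the original slides): for a uniformly chosen key, perfect secrecy is equivalent to every message producing the same distribution of ciphertexts, which can be checked by enumeration on a toy message space. The 3-bit block size and all function names are assumptions made for the illustration; the checks cover the one-time pad, a pad used for two messages (slide 25), and a key space smaller than the message space (slide 29).

```python
from itertools import product

def ciphertext_distribution(keys, enc, m):
    """Count how many keys send message m to each ciphertext (key is uniform)."""
    counts = {}
    for k in keys:
        c = enc(k, m)
        counts[c] = counts.get(c, 0) + 1
    return counts

def is_perfectly_secret(keys, messages, enc):
    """True iff every message induces the same distribution over ciphertexts."""
    reference = ciphertext_distribution(keys, enc, messages[0])
    return all(ciphertext_distribution(keys, enc, m) == reference
               for m in messages[1:])

N = 3                            # toy block length in bits (constructed)
BLOCKS = list(range(2 ** N))     # all N-bit strings, written as integers

def otp(k, m):
    """One-time pad: c = k XOR m, with a key as long as the message."""
    return k ^ m

def otp_key_reused(k, pair):
    """Two messages encrypted under the same pad k."""
    m1, m2 = pair
    return (k ^ m1, k ^ m2)

def leaked_xor(k, m1, m2):
    """What Eve gets from two ciphertexts under one pad: c1 XOR c2."""
    return (k ^ m1) ^ (k ^ m2)

def run_checks():
    pairs = list(product(BLOCKS, repeat=2))
    short_keys = list(range(2 ** (N - 1)))   # fewer keys than messages
    return {
        "otp": is_perfectly_secret(BLOCKS, BLOCKS, otp),
        "key_reused": is_perfectly_secret(BLOCKS, pairs, otp_key_reused),
        # with an (N-1)-bit key the top message bit is never masked
        "short_key": is_perfectly_secret(short_keys, BLOCKS, otp),
    }

if __name__ == "__main__":
    print(run_checks())
```

With a reused pad, c1 XOR c2 equals m1 XOR m2 for every key, so the pair of ciphertexts is no longer independent of the pair of messages.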
31
The basic goal: secure communication
2. Integrity
[Figure: Alice sends M to Bob; Eve interferes with the transmission.]
How can Bob be sure that M really comes from Alice?
32
Does encryption guarantee message integrity?
Idea:
1. Alice encrypts m and sends c = Enc(k,m) to Bob.
2. Bob computes Dec(k,c), and if it “makes sense” accepts it.
Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.
It does not work! Example: one-time pad.
33
Message authentication
[Figure: Alice and Bob share a key k. Alice sends (m, t = Tag_k(m)) to Bob; Bob verifies if t = Tag_k(m).]
Eve can see (m, t = Tag_k(m)).
She should not be able to compute a valid tag t’ on any other message m’.
34
How to define security of such a scheme?
36
... ? For example p = 2^107 - 1
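Added example (not part of the original slides): why accepting a decryption that “makes sense” gives no integrity with the one-time pad (slide 32), and how a tag over the message exposes the change (slide 33). The tag t = a*m + b mod p is a standard one-time MAC and is an assumption here, since the slides' own construction is not preserved; only p = 2^107 - 1 comes from the slide, and the messages and function names are constructed.

```python
import hmac
import secrets

P = 2**107 - 1                      # prime modulus taken from the slide

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tag(key, m: bytes) -> bytes:
    """Assumed one-time MAC: t = a*m + b mod p, with one-time key (a, b).

    Messages are fixed-length byte strings that encode to an integer below p.
    """
    a, b = key
    x = int.from_bytes(m, "big")
    if x >= P:
        raise ValueError("message must encode to an integer below p")
    return ((a * x + b) % P).to_bytes(14, "big")

def verify(key, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, m), t)

def demo():
    m = b"PAY BOB 100"                          # constructed sample message
    pad = secrets.token_bytes(len(m))           # one-time pad key
    mac_key = (1 + secrets.randbelow(P - 1),    # a, chosen nonzero
               secrets.randbelow(P))            # b
    c, t = xor(pad, m), tag(mac_key, m)         # Alice sends (c, t)

    # In transit, c is XORed with (m XOR m'). The pad is not needed for this,
    # only knowledge of the plaintext format.
    c_changed = xor(c, xor(m, b"PAY EVE 900"))

    m_bob = xor(pad, c_changed)                 # decrypts to a sensible message
    return m_bob, verify(mac_key, m_bob, t), verify(mac_key, xor(pad, c), t)

if __name__ == "__main__":
    received, changed_ok, honest_ok = demo()
    print(received, changed_ok, honest_ok)
```

Decryption alone accepts the altered message, while the tag check rejects it and still accepts the unmodified ciphertext. Like the pad, the MAC key (a, b) must be used for one message only.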
38
Can we reuse the same key many times?
39
Outlook
Secure communication = encryption and authentication.
We defined security of encryption and authentication using the probability-theoretic language.
We constructed such “perfectly secure” schemes.
Problem: the keys need to be large and can be used at most once.
But it can be shown that they are “the best we can achieve”.
Can we go home and relax? Maybe the definitions are too strong?
40
What to do?
We required that M and Enc_K(M) are independent.
Maybe it is enough to require that M and Enc_K(M) are independent from the “practical point of view”?
How can this be formalized?
We will use the complexity theory!