






These notes cover the main principles and paradigms that distinguish modern cryptography from classical cryptography: the need for precise definitions of security, for rigorous proofs of security, and for assumptions that are precisely stated. Modern cryptography provides a mathematical formulation of real-world security problems and aims at security against any efficient adversary.
18 Introduction to Modern Cryptography
The history of classical encryption schemes is fascinating, both with respect to the methods used as well as the influence of cryptography and cryptanalysis on world history (in World War II, for example). Here, we have only tried to give a taste of some of the more basic methods, with a focus on what modern cryptography can learn from these attempts.
The previous section has given a taste of historical cryptography. It is fair to say that, historically, cryptography was more of an art than any sort of science: schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity or cleverness. Unfortunately, as we have seen, all such schemes (no matter how clever) were eventually broken. Modern cryptography, now resting on firmer and more scientific foundations, gives hope of breaking out of the endless cycle of constructing schemes and watching them get broken. In this section we outline the main principles and paradigms that distinguish modern cryptography from classical cryptography. We identify three main principles:
We now discuss each of these principles in greater depth.
One of the key intellectual contributions of modern cryptography has been the realization that formal definitions of security are essential prerequisites for the design, usage, or study of any cryptographic primitive or protocol. Let us explain each of these in turn:
(5) Of course, things are rarely this simple.
Even though we have now hit upon the correct requirement for secure encryption, conceptually speaking, it remains to state this requirement mathematically and formally, and this is in itself a non-trivial task (one that we will address in detail in Chapters 2 and 3).

As noted in the “final answer” above, our formal definition must also specify the attack model: i.e., whether we assume a ciphertext-only attack or a chosen-plaintext attack. This illustrates a general principle used when formulating cryptographic definitions. Specifically, in order to fully define security of some cryptographic task, there are two distinct issues that must be explicitly addressed. The first is what is considered to be a break, and the second is what is assumed regarding the power of the adversary. The break is exactly what we have discussed above; i.e., an encryption scheme is considered broken if an adversary learns some function of the plaintext from a ciphertext. The power of the adversary covers two things: the actions the adversary is assumed to be able to take, and the adversary’s computational power. The former refers to considerations such as whether the adversary is assumed only to be able to eavesdrop on encrypted messages (i.e., a ciphertext-only attack), or whether we assume that the adversary can also actively request encryptions of any plaintext that it likes (i.e., carry out a chosen-plaintext attack). The latter is the computational power of the adversary. For all of this book, except Chapter 2, we will want to ensure security against any efficient adversary, by which we mean any adversary running in polynomial time. (A full discussion of this point appears in Section 3.1.2. For now, it suffices to say that an “efficient” strategy is one that can be carried out in a lifetime. Thus “feasible” is arguably a more accurate term.) When translating this into concrete terms, we might require security against any adversary utilizing decades of computing time on a supercomputer.

In summary, any definition of security will take the following general form:
A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.
We stress that the definition never assumes anything about the adversary’s strategy. This is an important distinction: we are willing to assume something about the adversary’s capabilities (e.g., that it is able to mount a chosen-plaintext attack but not a chosen-ciphertext attack), but we are not willing to assume anything about how it uses its abilities. We call this the “arbitrary adversary principle”: security must be guaranteed for any adversary within the class of adversaries having the specified power. This principle is important because it is impossible to foresee what strategies might be used in an adversarial attack (and history has proven that attempts to do so are doomed to failure).
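To make the two components of the template concrete, here is an added example (written for these notes, not taken from the book) that runs one fixed adversary under two attack models. The adversary's "power" is the presence or absence of an encryption oracle (ciphertext-only versus chosen-plaintext); the "break" is telling which of two messages a challenge ciphertext encrypts with probability noticeably better than 1/2. Two toy schemes are compared: a fixed-pad scheme Enc(k, m) = F_k(0) XOR m, and a randomized scheme Enc(k, m) = r || (F_k(r) XOR m) with a fresh r per message. HMAC-SHA256 stands in for the pseudorandom function F, which is an assumption of the example; the scheme names, the 32-byte message length, the fixed message pair, and the adversary's strategy are all constructed here.

```python
import hashlib
import hmac
import os
import random

BLOCK = 32  # fixed message length in bytes for both toy schemes (constructed)


def prf(key: bytes, x: bytes) -> bytes:
    """HMAC-SHA256 standing in for a pseudorandom function F_k(x) (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FixedPadScheme:
    """Enc(k, m) = F_k(0) XOR m. Used for a single message this is a one-time
    pad, but the same pad is reused for every message under the same key."""

    def gen(self) -> bytes:
        return os.urandom(32)

    def enc(self, key: bytes, m: bytes) -> bytes:
        return xor(prf(key, bytes(BLOCK)), m)


class RandomizedScheme:
    """Enc(k, m) = r || (F_k(r) XOR m) with a fresh random r for each message."""

    def gen(self) -> bytes:
        return os.urandom(32)

    def enc(self, key: bytes, m: bytes) -> bytes:
        r = os.urandom(BLOCK)
        return r + xor(prf(key, r), m)


def pad_reuse_adversary(oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    """One concrete strategy. With an oracle: encrypt the all-zero message to
    obtain the pad, strip it from the challenge and see which message results.
    Without an oracle it has nothing to work with and simply outputs 0."""
    if oracle is None:
        return 0
    zero_ct = oracle(bytes(BLOCK))
    # Work on the last BLOCK bytes so the same code handles both ciphertext
    # formats (the randomized scheme prefixes r, which this strategy ignores).
    recovered = xor(challenge[-BLOCK:], zero_ct[-BLOCK:])
    if recovered == m1:
        return 1
    return 0


def experiment(scheme, adversary, chosen_plaintext: bool, rng: random.Random) -> bool:
    """One run of the indistinguishability experiment for a fixed message pair.
    The adversary receives Enc(k, m_b) and, in the chosen-plaintext model, an
    encryption oracle for the same key; it wins if it outputs b."""
    key = scheme.gen()
    oracle = (lambda m: scheme.enc(key, m)) if chosen_plaintext else None
    m0, m1 = b"A" * BLOCK, b"B" * BLOCK
    b = rng.randrange(2)
    challenge = scheme.enc(key, m1 if b else m0)
    return adversary(oracle, m0, m1, challenge) == b


def win_rate(scheme, adversary, chosen_plaintext: bool, trials: int = 400, seed: int = 1) -> float:
    """Fraction of experiments the adversary wins. A secure scheme keeps this
    close to 1/2 for every adversary of the specified power."""
    rng = random.Random(seed)
    wins = sum(experiment(scheme, adversary, chosen_plaintext, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for name, scheme in (("fixed pad", FixedPadScheme()), ("randomized", RandomizedScheme())):
        for cpa in (False, True):
            model = "chosen-plaintext" if cpa else "ciphertext-only"
            print(f"{name:10s} {model:17s} win rate {win_rate(scheme, pad_reuse_adversary, cpa):.2f}")
```

Against a single eavesdropped ciphertext the fixed-pad scheme is a one-time pad and this adversary does no better than guessing; once it may request a single encryption of its choice it learns the pad and wins every run. The randomized scheme denies it the pad and its win rate stays near 1/2. Note what the experiment does and does not establish: an adversary that wins is a proof of insecurity under that attack model, while an adversary that fails proves nothing about other adversaries, which is why the definition quantifies over all adversaries of the specified power.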
Mathematics and the real world. A definition of security essentially provides a mathematical formulation of a real-world problem. If the mathematical definition does not appropriately model the real world, then the definition may be useless. For example, if the adversarial power under consideration is too weak (and, in practice, adversaries have more power), or the break is such that it allows real attacks that were not foreseen (like one of the early answers regarding encryption), then “real security” is not obtained, even if a “mathematically-secure” construction is used. In short, a definition of security must accurately model the real world in order for it to deliver on its mathematical promise of security.

It is quite common, in fact, for a widely-accepted definition to be ill-suited for some new application. As one notable example, there are encryption schemes that were proven secure (relative to some definition like the ones we have discussed above) and then implemented on smart-cards. Due to physical properties of the smart-cards, it was possible for an adversary to monitor the power usage of the smart-card (e.g., how this power usage fluctuated over time) as the encryption scheme was being run, and it turned out that this information could be used to determine the key. There was nothing wrong with the security definition or the proof that the scheme satisfied this
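The smart-card example is a case of leakage that the definition does not model: the definition hands the adversary ciphertexts, while the implementation also hands it a physical trace. The following added example (written for these notes, not from the book) uses a deterministic stand-in for such a trace. A MAC-verification routine compares the tag byte by byte and stops at the first mismatch, so the number of byte comparisons it performs, an analog of a timing or power measurement, depends on how much of the adversary's guess is correct. The key, message, 16-byte truncated tag, and function names are constructed for the example. The adversary recovers the whole tag from that count alone, without ever forging anything in the sense the unforgeability definition covers; the same adversary learns nothing from a comparison that examines every byte regardless of input.

```python
import hashlib
import hmac

TAG_LEN = 16  # truncated HMAC-SHA256 tag (constructed scenario)

# Constructed sample input: a fixed key and message so the run is reproducible.
KEY = b"example-key-not-a-real-secret"
MESSAGE = b"transfer 100 to account 42"


def expected_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def leaky_compare(expected: bytes, candidate: bytes):
    """Early-exit comparison. Returns (equal, ops), where ops is the number of
    byte comparisons performed before returning: a deterministic stand-in for
    the timing or power trace an adversary would measure."""
    ops = 0
    for x, y in zip(expected, candidate):
        ops += 1
        if x != y:
            return False, ops
    return len(expected) == len(candidate), ops


def constant_time_compare(expected: bytes, candidate: bytes):
    """Examines every byte whatever the inputs, so ops carries no information
    about where the first mismatch is (hmac.compare_digest behaves this way)."""
    diff = len(expected) ^ len(candidate)
    for x, y in zip(expected, candidate):
        diff |= x ^ y
    return diff == 0, len(expected)


def make_verifier(key: bytes, message: bytes, compare):
    """A MAC-checking endpoint: returns (accepted, leaked_ops) for a candidate tag."""
    expected = expected_tag(key, message)
    return lambda candidate: compare(expected, candidate)


def recover_tag(verify) -> bytes:
    """Adversary with access only to the verdict and the leaked count. For each
    position it tries all 256 byte values and keeps the one that made the
    comparison run longest; against leaky_compare that is the correct byte,
    because only the correct byte lets the loop reach the next position."""
    guess = bytearray(TAG_LEN)
    for i in range(TAG_LEN):
        best_byte, best_ops = 0, -1
        for v in range(256):
            guess[i] = v
            accepted, ops = verify(bytes(guess))
            if accepted:
                return bytes(guess)
            if ops > best_ops:
                best_byte, best_ops = v, ops
        guess[i] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    real = expected_tag(KEY, MESSAGE)
    for name, cmp in (("leaky", leaky_compare), ("constant-time", constant_time_compare)):
        got = recover_tag(make_verifier(KEY, MESSAGE, cmp))
        print(f"{name:14s} comparison: recovered tag matches = {got == real}")
```

Nothing in the unforgeability definition is violated here: the adversary never computed an HMAC and never saw the key. It exploited an observable that the definition does not mention, which is exactly the gap the paragraph describes. In practice, compare tags with hmac.compare_digest (or the equivalent constant-time routine in your language) rather than with ==.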
(b) A proof of the equivalence of two definitions (in case the new definition has a greater intuitive appeal).
(c) Giving examples of large classes of [problems that can be solved using a given definition of computation].
In some sense, Turing faced the exact same problem as cryptographers. He developed a mathematical model of computation but needed to somehow be convinced that the model was a good one. Likewise, cryptographers define notions of security and need to be convinced that their definitions imply mean- ingful security guarantees in the real world. As with Turing, they may employ the following tools to become convinced:
In addition to all of the above, and perhaps most importantly, we rely on the test of time and the fact that with time, the scrutiny and investigation of both researchers and practitioners testifies to the soundness of a definition.
Most modern cryptographic constructions cannot be proven secure unconditionally. Indeed, proofs of this sort would require resolving questions in the theory of computational complexity that seem far from being answered today. The result of this unfortunate state of affairs is that security typically relies upon some assumption. The second principle of modern cryptography states that assumptions must be precisely stated. This is for three main reasons:
If the assumption being relied upon is not precisely stated and presented, it cannot be studied and (potentially) refuted. Thus, a pre-condition to raising our confidence in an assumption is having a precise statement of what exactly is assumed.
One observation is that it is always possible to just assume that a construction itself is secure. If security is well defined, this is also a precise assumption (and the proof of security for the construction is trivial)! Of course, this is not accepted practice in cryptography for a number of reasons. First of all, as noted above, an assumption that has been tested over the years is preferable to a new assumption that is introduced just to prove a given construction secure. Second, there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute. So, for example, an assumption of the type that some mathematical problem is hard to solve is simpler to study and work with than an assumption that an encryption scheme satisfies a complex (and possibly unnatural) security definition. When a simple assumption is studied at length and still no refutation is found, we have greater confidence in its being correct. Another advantage of relying on “lower-level” assumptions (rather than just assuming a construction is secure) is that these low-level assumptions can typically be shared amongst a number of constructions. If a specific instantiation of the assumption turns out to be false, it can simply be replaced (within any higher-level construction based on that assumption) by a different instantiation of that assumption.

The above methodology is used throughout this book. For example, Chapters 3 and 4 show how to achieve secure communication (in a number of ways),
Construction Y can be used as a sub-routine to violate Assumption X. We will have more to say about this in Section 3.1.3.
The combination of the above three principles constitutes a rigorous approach to cryptography that is distinct from the ad-hoc approach of classical cryptography. The ad-hoc approach may fail on any one of the above three principles, but often ignores them all. Unfortunately, ad-hoc solutions are still designed and deployed by those who wish to obtain a “quick and dirty” solution to a problem (or by those who are just simply unaware). We hope that this book will contribute to an awareness of the importance of the rigorous approach, and its success in developing new, mathematically-secure schemes.
In this chapter, we have studied just a few of the known historical ciphers. There are many others of both historical and mathematical interest, and we refer the reader to textbooks by Stinson [138] or Trappe and Washington [139] for further details. The role of these schemes in history (and specifically in the history of war) is a fascinating subject that is covered in the book by Kahn [81]. We discussed the differences between the historical, non-rigorous approach to cryptography (as exemplified by historical ciphers) and a rigorous approach based on precise definitions and proofs. Shannon [127] was the first to take the latter approach. Modern cryptography, which relies on (computational) assumptions in addition to definitions and proofs, was begun in the seminal paper by Goldwasser and Micali [69]. We will study this in Chapter 3.
1.1 Decrypt the ciphertext provided at the end of the section on mono-alphabetic substitution.
1.2 Provide a formal definition of the Gen, Enc, and Dec algorithms for both the mono-alphabetic substitution and Vigenère ciphers.