Introduction - Introduction to Cryptography - Lecture Notes, Study notes of Cryptography and System Security

Lecture notes from Introduction to Cryptography. This lecture includes: Introduction, Modern Cryptography, Private Key Encryption, Syntax of Encryption, Encryption Algorithm, Decryption Algorithm, Kerckhoffs Principle, Caesars Cipher, Ciphertext

Typology: Study notes

2013/2014

Uploaded on 01/29/2014

Introduction

1.1 Cryptography and Modern Cryptography

The Concise Oxford Dictionary (2006) defines cryptography as the art of writing or solving codes. This definition may be historically accurate, but it does not capture the essence of modern cryptography. First, it focuses solely on the problem of secret communication. This is evidenced by the fact that the definition specifies “codes”, elsewhere defined as “a system of pre-arranged signals, especially used to ensure secrecy in transmitting messages”. Second, the definition refers to cryptography as an art form. Indeed, until the 20th century (and arguably until late in that century), cryptography was an art. Constructing good codes, or breaking existing ones, relied on creativity and personal skill. There was very little theory that could be relied upon and there was not even a well-defined notion of what constitutes a good code. In the late 20th century, this picture of cryptography radically changed. A rich theory emerged, enabling the rigorous study of cryptography as a science. Furthermore, the field of cryptography now encompasses much more than secret communication. For example, it deals with the problems of message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash and more. In fact, modern cryptography can be said to be concerned with problems that may arise in any distributed computation that may come under internal or external attack. Without attempting to provide a perfect definition of modern cryptography, we would say that it is the scientific study of techniques for securing digital information, transactions, and distributed computations.

Another very important difference between classical cryptography (say, before the 1980s) and modern cryptography relates to who uses it. Historically, the major consumers of cryptography were military and intelligence organizations. Today, however, cryptography is everywhere! Security mechanisms that rely on cryptography are an integral part of almost any computer system. Users (often unknowingly) rely on cryptography every time they access a secured website. Cryptographic methods are used to enforce access control in multi-user operating systems, and to prevent thieves from extracting trade secrets from stolen laptops. Software protection methods employ encryption, authentication, and other tools to prevent copying. The list goes on and on.

4 Introduction to Modern Cryptography

In short, cryptography has gone from an art form that dealt with secret communication for the military to a science that helps to secure systems for ordinary people all across the globe. This also means that cryptography is becoming a more and more central topic within computer science. The focus of this book is modern cryptography. Yet we will begin our study by examining the state of cryptography before the changes mentioned above. Besides allowing us to ease into the material, it will also provide an understanding of where cryptography has come from so that we can later appreciate how much it has changed. The study of “classical cryptography” — replete with ad-hoc constructions of codes, and relatively simple ways to break them — serves as good motivation for the more rigorous approach that we will be taking in the rest of the book.^1

1.2 The Setting of Private-Key Encryption

As noted above, cryptography was historically concerned with secret communication. Specifically, cryptography was concerned with the construction of ciphers (now called encryption schemes) for providing secret communication between two parties sharing some information in advance. The setting in which the communicating parties share some secret information in advance is now known as the private-key (or the symmetric-key) setting. Before describing some historical ciphers, we discuss the private-key setting and encryption in more general terms.

In the private-key setting, two parties share some secret information called a key, and use this key when they wish to communicate secretly with each other. A party sending a message uses the key to encrypt (or “scramble”) the message before it is sent, and the receiver uses the same key to decrypt (or “unscramble”) and recover the message upon receipt. The message itself is called the plaintext, and the “scrambled” information that is actually transmitted from the sender to the receiver is called the ciphertext; see Figure 1.1. The shared key serves to distinguish the communicating parties from any other parties who may be eavesdropping on their communication (assumed to take place over a public channel).

In this setting, the same key is used to convert the plaintext into a ciphertext and back. This explains why this setting is also known as the symmetric-key setting, where the symmetry lies in the fact that both parties hold the same key which is used for both encryption and decryption. This is in contrast to

(^1) This is our primary intent in presenting this material and, as such, this chapter should not be taken as a representative historical account. The reader interested in the history of cryptography should consult the references at the end of this chapter.


  1. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c. We denote by Enc_k(m) the encryption of the plaintext m using the key k.
  2. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m. We denote the decryption of the ciphertext c using the key k by Dec_k(c).

The set of all possible keys output by the key-generation algorithm is called the key space and is denoted by K. Almost always, Gen simply chooses a key uniformly at random from the key space (in fact, one can assume without loss of generality that this is the case). The set of all “legal” messages (i.e., those supported by the encryption algorithm) is denoted M and is called the plaintext (or message) space. Since any ciphertext is obtained by encrypting some plaintext under some key, the sets K and M together define a set of all possible ciphertexts denoted by C. An encryption scheme is fully defined by specifying the three algorithms (Gen, Enc, Dec) and the plaintext space M. The basic correctness requirement of any encryption scheme is that for every key k output by Gen and every plaintext message m ∈ M, it holds that

Dec_k(Enc_k(m)) = m.

In words, decrypting a ciphertext (using the appropriate key) yields the original message that was encrypted. Recapping our earlier discussion, an encryption scheme would be used by two parties who wish to communicate as follows. First, Gen is run to obtain a key k that the parties share. When one party wants to send a plaintext m to the other, he computes c := Enc_k(m) and sends the resulting ciphertext c over the public channel to the other party.^2 Upon receiving c, the other party computes m := Dec_k(c) to recover the original plaintext.

Keys and Kerckhoffs’ principle. As is clear from the above formulation, if an eavesdropping adversary knows the algorithm Dec as well as the key k shared by the two communicating parties, then that adversary will be able to decrypt all communication between these parties. It is for this reason that the communicating parties must share the key k secretly, and keep k completely secret from everyone else. But maybe they should keep the decryption algorithm Dec a secret, too? For that matter, perhaps all the algorithms constituting the encryption scheme (i.e., Gen and Enc as well) should be kept secret? (Note that the plaintext space M is typically assumed to be known, e.g., it may consist of English-language sentences.) In the late 19th century, Auguste Kerckhoffs gave his opinion on this matter in a paper he published outlining important design principles for military

(^2) Throughout the book, we use “:=” to denote the assignment operation. A list of common notation can be found in the back of the book.

ciphers. One of the most important of these principles (now known simply as Kerckhoffs’ principle) is the following:

The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

In other words, the encryption scheme itself should not be kept secret, and so only the key should constitute the secret information shared by the communicating parties. Kerckhoffs’ intention was that an encryption scheme should be designed so as to be secure even if an adversary knows the details of all the component algorithms of the scheme, as long as the adversary doesn’t know the key being used. Stated differently, Kerckhoffs’ principle demands that security rely solely on the secrecy of the key. But why?

There are three primary arguments in favor of Kerckhoffs’ principle. The first is that it is much easier for the parties to maintain secrecy of a short key than to maintain secrecy of an algorithm. It is easier to share a short (say, 100-bit) string and store this string securely than it is to share and securely store a program that is thousands of times larger. Furthermore, details of an algorithm can be leaked (perhaps by an insider) or learned through reverse engineering; this is unlikely when the secret information takes the form of a randomly-generated string.

A second argument in favor of Kerckhoffs’ principle is that in case the key is exposed, it will be much easier for the honest parties to change the key than to replace the algorithm being used. Actually, it is good security practice to refresh a key frequently even when it has not been exposed, and it would be much more cumbersome to replace the software being used instead.

Finally, in case many pairs of people (say, within a company) need to encrypt their communication, it will be significantly easier for all parties to use the same algorithm/program, but different keys, than for everyone to use a different program (which would furthermore depend on the party with whom they are communicating).

Today, Kerckhoffs’ principle is understood as not only advocating that security should not rely on secrecy of the algorithms being used, but also demanding that these algorithms be made public. This stands in stark contrast to the notion of “security by obscurity” which is the idea that improved security can be achieved by keeping a cryptographic algorithm hidden. Some of the advantages of “open cryptographic design”, where algorithm specifications are made public, include the following:

  1. Published designs undergo public scrutiny and are therefore likely to be stronger. Many years of experience have demonstrated that it is very difficult to construct good cryptographic schemes. Therefore, our confidence in the security of a scheme is much higher if it has been extensively studied (by experts other than the designers of the scheme themselves) and no weaknesses have been found.


The first two attacks described above are clearly realistic. A ciphertext-only attack is the easiest to carry out in practice; the only thing the adversary needs is to eavesdrop on the public communication line over which encrypted messages are sent. In a known-plaintext attack it is assumed that the adversary somehow also obtains the plaintext messages corresponding to the ciphertexts that it viewed. This is often realistic because not all encrypted messages are confidential, at least not indefinitely. As a trivial example, two parties may always encrypt a “hello” message whenever they begin communicating. As a more complex example, encryption may be used to keep quarterly earnings results secret until their release date. In this case, anyone eavesdropping and obtaining the ciphertext will later obtain the corresponding plaintext. Any reasonable encryption scheme must therefore remain secure against an adversary that can launch a known-plaintext attack.

The two latter active attacks may seem somewhat strange and require justification. (When do parties encrypt and decrypt whatever an adversary wishes?) We defer a more detailed discussion of these attacks to the place in the text where security against these attacks is formally defined: Section 3. for chosen-plaintext attacks and Section 3.7 for chosen-ciphertext attacks.

Different applications of encryption may require the encryption scheme to be resilient to different types of attacks. It is not always the case that an encryption scheme secure against the “strongest” type of attack should be used, since it may be less efficient than an encryption scheme secure against “weaker” attacks. Therefore, the latter may be preferred if it suffices for the application at hand.

1.3 Historical Ciphers and Their Cryptanalysis

In our study of “classical cryptography” we will examine some historical ciphers and show that they are completely insecure. As stated earlier, our main aims in presenting this material are (1) to highlight the weaknesses of an “ad-hoc” approach to cryptography, and thus motivate the modern, rigorous approach that will be discussed in the following section, and (2) to demonstrate that “simple approaches” to achieving secure encryption are unlikely to succeed, and show why this is the case. Along the way, we will present some central principles of cryptography which can be learned from the weaknesses of these historical schemes.

In this section (and this section only), plaintext characters are written in lower case and ciphertext characters are written in UPPER CASE. When describing attacks on schemes, we always apply Kerckhoffs’ principle and assume that the scheme is known to the adversary (but the key being used is not).


Caesar’s cipher. One of the oldest recorded ciphers, known as Caesar’s cipher, is described in “De Vita Caesarum, Divus Iulius” (“The Lives of the Caesars, The Deified Julius”), written in approximately 110 C.E.:

There are also letters of his to Cicero, as well as to his intimates on private affairs, and in the latter, if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.

That is, Julius Caesar encrypted by rotating the letters of the alphabet by 3 places: a was replaced with D, b with E, and so on. Of course, at the end of the alphabet, the letters wrap around and so x was replaced with A, y with B, and z with C. For example, the short message begin the attack now, with spaces removed, would be encrypted as:

EHJLQWKHDWWDFNQRZ

making it unintelligible. An immediate problem with this cipher is that the method is fixed. Thus, anyone learning how Caesar encrypted his messages would be able to decrypt effortlessly. This can be seen also if one tries to fit Caesar’s cipher into the syntax of encryption described earlier: the key-generation algorithm Gen is trivial (that is, it does nothing) and there is no secret key to speak of.

Interestingly, a variant of this cipher called ROT-13 (where the shift is 13 places instead of 3) is widely used nowadays in various online forums. It is understood that this does not provide any cryptographic security, and ROT-13 is used merely to ensure that the text (say, a movie spoiler) is unintelligible unless the reader of a message consciously chooses to decrypt it.

The shift cipher and the sufficient key space principle. Caesar’s cipher suffers from the fact that encryption is always done in the same way, and there is no secret key. The shift cipher is similar to Caesar’s cipher, but a secret key is introduced.^3 Specifically, in the shift cipher the key k is a number between 0 and 25. Then, to encrypt, letters are rotated by k places as in Caesar’s cipher. Mapping this to the syntax of encryption described earlier, this means that algorithm Gen outputs a random number k in the set {0, ..., 25}; algorithm Enc takes a key k and a plaintext written using English letters and shifts each letter of the plaintext forward k positions (wrapping around from z to a); and algorithm Dec takes a key k and a ciphertext written using English letters and shifts every letter of the ciphertext backward k positions (this time wrapping around from a to z). The plaintext message space M is defined to be

(^3) In some books, “Caesar’s cipher” and “shift cipher” are used interchangeably.
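The syntax (Gen, Enc, Dec) from Section 1.2, instantiated with the shift cipher of the preceding paragraph, as an added Python example (this is not code from the book or the lecture notes). It follows the section's convention of lower-case plaintext and UPPER-CASE ciphertext, reproduces the Caesar example from the text (key fixed at 3) and ROT-13 (key 13), checks the correctness requirement Dec_k(Enc_k(m)) = m, and shows why 26 keys violate the sufficient key space principle: `brute_force` simply decrypts under every key. The message "begintheattacknow" is the one from the text; everything else is constructed.

```python
import random
import string

LOWER = string.ascii_lowercase   # the plaintext space M: strings over a..z
UPPER = string.ascii_uppercase   # ciphertext is written in UPPER CASE, as in this section


def gen():
    """Gen: choose a key uniformly at random from the key space K = {0, ..., 25}."""
    return random.randrange(26)


def enc(k, m):
    """Enc_k(m): shift every plaintext letter forward k positions (z wraps to a)."""
    if k not in range(26) or any(ch not in LOWER for ch in m):
        raise ValueError("key must be in 0..25 and plaintext must be lower-case a..z")
    return "".join(UPPER[(LOWER.index(ch) + k) % 26] for ch in m)


def dec(k, c):
    """Dec_k(c): shift every ciphertext letter backward k positions (a wraps to z)."""
    if k not in range(26) or any(ch not in UPPER for ch in c):
        raise ValueError("key must be in 0..25 and ciphertext must be upper-case A..Z")
    return "".join(LOWER[(UPPER.index(ch) - k) % 26] for ch in c)


def caesar_enc(m):
    """Caesar's cipher: the shift cipher with the fixed, non-secret key k = 3,
    so Gen is trivial and there is no secret key to speak of."""
    return enc(3, m)


def rot13(m):
    """ROT-13: the same construction with k = 13; no security, only unreadability."""
    return enc(13, m)


def correctness_holds(trials=200):
    """Check the requirement Dec_k(Enc_k(m)) = m on random keys and messages."""
    for _ in range(trials):
        k = gen()
        m = "".join(random.choice(LOWER) for _ in range(random.randrange(1, 40)))
        if dec(k, enc(k, m)) != m:
            return False
    return True


def brute_force(c):
    """The sufficient key space principle: with only 26 keys, an eavesdropper can
    decrypt under every key and read off the one candidate that is English."""
    return {k: dec(k, c) for k in range(26)}


if __name__ == "__main__":
    c = caesar_enc("begintheattacknow")
    print(c)                                   # EHJLQWKHDWWDFNQRZ, as in the text
    for k, candidate in brute_force(c).items():
        print(f"k = {k:2d}: {candidate}")
```

Running the block prints the Caesar ciphertext from the text followed by all 26 candidate decryptions; only one of them is English, which is the whole point of the principle.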


behind mono-alphabetic substitution is to map each plaintext character to a different ciphertext character in an arbitrary manner, subject only to the fact that the mapping must be one-to-one in order to enable decryption. The key space thus consists of all permutations of the alphabet, meaning that the size of the key space is 26! = 26 · 25 · 24 · · · 2 · 1 (or approximately 2^88 ) if we are working with the English alphabet. As an example, the key

plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: X E U A D N B K V M R O C Q F S Y H W G L Z I J P T

in which a maps to X, etc., would encrypt the message tellhimaboutme to GDOOKVCXEFLGCD. A brute force attack on the key space for this cipher takes much longer than a lifetime, even using the most powerful computer known today. However, this does not necessarily mean that the cipher is secure. In fact, as we will show now, it is easy to break this scheme even though it has a very large key space. Assume that English-language text is being encrypted (i.e., the text is grammatically-correct English writing, not just text written using characters of the English alphabet). It is then possible to attack the mono-alphabetic substitution cipher by utilizing statistical patterns of the English language (of course, the same attack works for any language). The two properties of this cipher that are utilized in the attack are as follows:

  1. In this cipher, the mapping of each letter is fixed, and so if e is mapped to D, then every appearance of e in the plaintext will result in the appearance of D in the ciphertext.
  2. The probability distribution of individual letters in the English language (or any other) is known. That is, the average frequency counts of the different English letters are quite invariant over different texts. Of course, the longer the text, the closer the frequency counts will be to the average. However, even relatively short texts (consisting of only tens of words) have distributions that are “close enough” to the average.

The attack works by tabulating the probability distribution of the ciphertext and then comparing it to the known probability distribution of letters in English text (see Figure 1.2). The probability distribution being tabulated in the attack is simply the frequency count of each letter in the ciphertext (i.e., a table saying that A appeared 4 times, B appeared 11 times, and so on). Then, we make an initial guess of the mapping defined by the key based on the frequency counts. For example, since e is the most frequent letter in English, we will guess that the most frequent character in the ciphertext corresponds to the plaintext character e, and so on. Unless the ciphertext is quite long, some of the guesses are likely to be wrong. Even for quite short ciphertexts, however, the guesses will be good enough to enable relatively quick decryption (especially utilizing other knowledge of the English language, such as the fact that between t and e, the character h is likely to appear, and the fact that u generally follows q).

FIGURE 1.2: Average letter frequencies for English-language text (the bar chart is not reproduced here; the values it plots, in percent, are listed below).

letter:      a    b    c    d    e     f    g    h    i    j    k    l    m    n    o    p    q    r    s    t    u    v    w    x    y    z
percentage:  8.2  1.5  2.8  4.2  12.7  2.2  2.0  6.1  7.0  0.1  0.8  4.0  2.4  6.7  7.5  1.9  0.1  6.0  6.3  9.0  2.8  1.0  2.4  2.0  0.1  0.

Actually, it should not be very surprising that the mono-alphabetic substitution cipher can be quickly broken, since puzzles based on this cipher appear in newspapers (and are solved by some people before their morning coffee)! We recommend that you try to decipher the following message — this should help convince you how easy the attack is to carry out (of course, you should use Figure 1.2 to help you):

JGRMQOYGHMVBJWRWQFPWHGFFDQGFPFZRKBEEBJIZQQOCIBZKLFAFGQVFZFWWE OGWOPFGFHWOLPHLRLOLFDMFGQWBLWBWQOLKFWBYLBLYLFSFLJGRMQBOLWJVFP FWQVHQWFFPQOQVFPQOCFPOGFWFJIGFQVHLHLROQVFGWJVFPFOLFHGQVQVFILE OGQILHQFQGIQVVOSFAFGBWQVHQWIJVWJVFPFWHGFIWIHZZRQGBABHZQOCGFHX

We conclude that, although the mono-alphabetic cipher has a very large key space, it is still completely insecure.
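The mono-alphabetic substitution cipher and the first step of the frequency attack just described, as an added Python example (not code from the book or the lecture notes). The key is the permutation from the text, the key-space size is checked against the 26! ≈ 2^88 figure, and `initial_guess` does exactly what the paragraph says: it ranks ciphertext letters by frequency and pairs them with English letters ranked by the Figure 1.2 frequencies (most frequent ciphertext letter → e). The sample sentence is constructed for the demonstration; the letter order `ENGLISH_BY_FREQUENCY` is read off the figure's values as printed on the page.

```python
import math
import string
from collections import Counter

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# The key from the text, written as the images of a, b, ..., z in order.
KEY = "XEUADNBKVMROCQFSYHWGLZIJPT"

# English letters from most to least frequent, per the Figure 1.2 values on the page.
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgxpbvkjqyz"


def is_valid_key(key):
    """A key must be a permutation of the alphabet, otherwise decryption is impossible."""
    return sorted(key) == list(UPPER)


def key_space_bits():
    """log2(26!): the key space has roughly 2^88 elements."""
    return math.log2(math.factorial(26))


def enc(key, m):
    """Substitute each plaintext letter by its image under the permutation."""
    table = dict(zip(LOWER, key))
    return "".join(table[ch] for ch in m)


def dec(key, c):
    """Invert the permutation (possible only because the mapping is one-to-one)."""
    table = dict(zip(key, LOWER))
    return "".join(table[ch] for ch in c)


def letter_frequencies(c):
    """Tabulate the ciphertext distribution: relative frequency of each letter A..Z."""
    counts = Counter(c)
    return {ch: counts[ch] / len(c) for ch in UPPER}


def initial_guess(c):
    """First step of the attack: pair ciphertext letters ranked by frequency with
    English letters ranked by frequency (most common ciphertext letter -> e)."""
    freqs = letter_frequencies(c)
    ranked = sorted(UPPER, key=lambda ch: (-freqs[ch], ch))
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))


def apply_guess(guess, c):
    """Decrypt with a guessed mapping; wrong guesses show up as non-English text
    that the analyst then corrects by hand (th before e, u after q, ...)."""
    return "".join(guess[ch] for ch in c)


# Constructed sample (not from the page); short, but e already dominates it.
SAMPLE = "theenemyreadseverymessagewesendunlesswekeepthekeysecret"

if __name__ == "__main__":
    c = enc(KEY, SAMPLE)
    print("ciphertext:   ", c)
    print("initial guess:", apply_guess(initial_guess(c), c))
```

On the sample, e occurs 18 times in 55 letters, so its image D is the most frequent ciphertext letter and the initial guess already places e correctly; the rarer letters are still wrong after this step, which is why the text says the guesses are only "good enough" to start from.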

An improved attack on the shift cipher. We can use character frequency tables to give an improved attack on the shift cipher. Specifically, our previous attack on the shift cipher required us to decrypt the ciphertext using each possible key, and then check to see which key results in a plaintext that “makes sense”. A drawback of this approach is that it is difficult to automate, since it is difficult for a computer to check whether some plaintext “makes sense”. (We do not claim this is impossible, as it can certainly be done using a dictionary of valid English words. We only claim that it is not trivial.) Moreover, there may be cases — we will see one below — where the plaintext characters are


(The key need not be an actual English word.) This is exactly the same as encrypting the first, fifth, ninth, and so on characters with the shift cipher and key k = 3, the second, sixth, tenth, and so on characters with key k = 1, the third, seventh, and so on characters with k = 6 and the fourth, eighth, and so on characters with k = 5. Thus, it is a repeated shift cipher using different keys. Notice that in the above example l is mapped once to R and once to Q. Furthermore, the ciphertext character F is sometimes obtained from e and sometimes from a. Thus, the character frequencies in the ciphertext are “smoothed”, as desired. If the key is a sufficiently-long word (chosen at random), then cracking this cipher seems to be a daunting task. Indeed, it was considered by many to be an unbreakable cipher, and although it was invented in the 16th century a systematic attack on the scheme was only devised hundreds of years later.

Breaking the Vigenère cipher. A first observation in attacking the Vigenère cipher is that if the length of the key is known, then the task is relatively easy. Specifically, say the length of the key is t (this is sometimes called the period). Then the ciphertext can be divided into t parts where each part can be viewed as being encrypted using a single instance of the shift cipher. That is, let k = k_1, ..., k_t be the key (each k_i is a letter of the alphabet) and let c_1, c_2, ... be the ciphertext characters. Then, for every j (1 ≤ j ≤ t) the set of characters

c_j, c_{j+t}, c_{j+2t}, ...

were all encrypted by a shift cipher using key k_j. All that remains is therefore to determine, for each j, which of the 26 possible keys is the correct one. This is not as trivial as in the case of the shift cipher, because by guessing a single letter of the key it is no longer possible to determine if the decryption “makes sense”. Furthermore, checking for all values of j simultaneously would require a brute force search through 26^t different possible keys (which is infeasible for t greater than, say, 15). Nevertheless, we can still use the statistical method described earlier. That is, for every set of ciphertext characters relating to a given key (that is, for each value of j), it is possible to tabulate the frequency of each ciphertext character and then check which of the 26 possible shifts yields the “right” probability distribution. Since this can be carried out separately for each key, the attack can be carried out very quickly; all that is required is to build t frequency tables (one for each of the subsets of the characters) and compare them to the real probability distribution.

An alternate, somewhat easier approach, is to use the improved method for attacking the shift cipher that we showed earlier. Recall that this improved attack does not rely on checking for a plaintext that “makes sense”, but only relies on the underlying probability distribution of characters in the plaintext.

Either of the above approaches give successful attacks when the key length is known. It remains to show how to determine the length of the key. Kasiski’s method, published in the mid-19th century, gives one approach for solving this problem. The first step is to identify repeated patterns of length 2


or 3 in the ciphertext. These are likely to be due to certain bigrams or trigrams that appear very often in the English language. For example, consider the word “the” that appears very often in English text. Clearly, “the” will be mapped to different ciphertext characters, depending on its position in the text. However, if it appears twice in the same relative position, then it will be mapped to the same ciphertext characters. For example, if it appears in positions t + j and 2t + i (where i ≠ j) then it will be mapped to different characters each time. However, if it appears in positions t + j and 2t + j, then it will be mapped to the same ciphertext characters. In a long enough text, there is a good chance that “the” will be mapped repeatedly to the same ciphertext characters. Consider the following concrete example with the key beads (spaces have been added for clarity):

Plaintext:  the man and the woman retrieved the letter from the post office
Key:        bea dsb ead sbe adsbe adsbeadsb ean sdeads bead sbe adsb eadbea
Ciphertext: VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV TGJKGF

The word the is mapped sometimes to VMF, sometimes to MJJ and sometimes to YIS. However, it is mapped twice to MJJ, and in a long enough text it is likely that it would be mapped multiple times to each of the possibilities. The main observation of Kasiski is that the distance between such multiple appearances (except for some coincidental ones) is a multiple of the period length. (In the above example, the period length is 5 and the distance between the two appearances of MJJ is 40, which is 8 times the period length.) Therefore, the greatest common divisor of all the distances between the repeated sequences should yield the period length t or a multiple thereof.

An alternative approach called the index of coincidence method, is a bit more algorithmic and hence easier to automate. Recall that if the key-length is t, then the ciphertext characters

c_1, c_{1+t}, c_{1+2t}, ...

are encrypted using the same shift. This means that the frequencies of the characters in this sequence are expected to be identical to the character frequencies of standard English text except in some shifted order. In more detail: let q_i denote the frequency of the i-th English letter in the sequence above (once again, this is simply the number of occurrences of the i-th letter divided by the total number of letters in the sequence). If the shift used here is k_1 (this is just the first character of the key), then we expect q_{i+k_1} to be roughly equal to p_i for all i, where p_i is again the frequency of the i-th letter in standard English text. But this means that the sequence p_0, ..., p_25 is just the sequence q_0, ..., q_25 shifted by k_1 places. As a consequence, we expect that (see Equation (1.1)):

\sum_{i=0}^{25} q_i^2 = \sum_{i=0}^{25} p_i^2 \approx 0.065.
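The Vigenère cryptanalysis described across the preceding paragraphs, assembled into one runnable Python program as an added example (not code from the book or the lecture notes): the frequency-based shift recovery from "An improved attack on the shift cipher" (`best_shift` picks the k maximising Σ p_i·q_{i+k}), the per-column attack once the period t is known (`recover_key`), Kasiski's repeated-trigram test (`kasiski_distances`, `guess_period`), and the index-of-coincidence check Σ q_i² ≈ 0.065 (`index_of_coincidence`). The vector p is taken from Figure 1.2 as printed on the page; the z entry is truncated there and is assumed to be 0.1 in this code. The sample paragraph and the key "key" are constructed for the demonstration. `guess_period` goes slightly beyond the text: when coincidental repeats drive the gcd of the distances down to 1, it falls back to the period that divides the most distances.

```python
import math
import string
from collections import Counter, defaultdict
from functools import reduce
from itertools import combinations

UPPER = string.ascii_uppercase

# Figure 1.2 percentages for a..y as printed on the page; the z entry is truncated
# on the page and is ASSUMED to be 0.1 here. Normalised to the vector p_0..p_25.
PERCENT = [8.2, 1.5, 2.8, 4.2, 12.7, 2.2, 2.0, 6.1, 7.0, 0.1, 0.8, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.0, 2.8, 1.0, 2.4, 2.0, 0.1, 0.1]
P = [x / sum(PERCENT) for x in PERCENT]


def letters_only(text):
    """Reduce text to the plaintext space: lower-case letters a..z only."""
    return "".join(ch.lower() for ch in text if ch.isalpha())


def vigenere_enc(key, m):
    """Shift the i-th plaintext letter by key[i mod t]; ciphertext in UPPER CASE."""
    t = len(key)
    return "".join(chr((ord(ch) - 97 + ord(key[i % t]) - 97) % 26 + 65)
                   for i, ch in enumerate(m))


def vigenere_dec(key, c):
    t = len(key)
    return "".join(chr((ord(ch) - 65 - (ord(key[i % t]) - 97)) % 26 + 97)
                   for i, ch in enumerate(c))


def kasiski_distances(c, n=3):
    """Distances between repeated n-grams; genuine repeats lie a multiple of t apart."""
    where = defaultdict(list)
    for i in range(len(c) - n + 1):
        where[c[i:i + n]].append(i)
    return [b - a for occ in where.values() for a, b in combinations(occ, 2)]


def guess_period(distances, max_period=20):
    """Kasiski: the gcd of the distances; if coincidental repeats push the gcd to 1,
    fall back to the candidate t that divides the most distances (smallest on a tie)."""
    if not distances:
        return None
    g = reduce(math.gcd, distances)
    if 2 <= g <= max_period:
        return g
    return max(range(2, max_period + 1),
               key=lambda t: (sum(d % t == 0 for d in distances), -t))


def q_vector(col):
    """q_i: relative frequency of the i-th letter within one ciphertext column."""
    counts = Counter(col)
    return [counts[ch] / len(col) for ch in UPPER]


def index_of_coincidence(col):
    """sum_i q_i^2: about 0.065 when col is English under a single shift."""
    return sum(q * q for q in q_vector(col))


def best_shift(col):
    """The shift k for which q_{i+k} lines up with p_i, i.e. maximising sum_i p_i q_{i+k}."""
    q = q_vector(col)
    return max(range(26), key=lambda k: sum(P[i] * q[(i + k) % 26] for i in range(26)))


def recover_key(c, t):
    """Attack each of the t columns c[j::t] as an independent shift cipher."""
    return "".join(chr(best_shift(c[j::t]) + 97) for j in range(t))


def english_model_column():
    """Constructed column whose letter counts are exactly 10x the Figure 1.2 percentages."""
    return "".join(ch * round(x * 10) for ch, x in zip(UPPER.lower(), PERCENT))


# Constructed sample (not from the page), long enough for the statistics to settle.
SAMPLE = """The shift cipher is a special case of the Vigenere cipher in which the key has
length one. Since the key space of the shift cipher is tiny, an attacker can simply try
every possible key and look for a decryption that makes sense. The Vigenere cipher
smooths the letter frequencies of the ciphertext by using several shifts in turn, but
once the period is known each column is again a shift cipher, and the letter
frequencies of English text reveal every shift. This is why a large key space is
necessary but not sufficient for security."""
PLAINTEXT = letters_only(SAMPLE)
CIPHERTEXT = vigenere_enc("key", PLAINTEXT)

if __name__ == "__main__":
    distances = kasiski_distances(CIPHERTEXT)
    print("Kasiski distances:", sorted(distances), "-> candidate period", guess_period(distances))
    for cand in (2, 3, 4):
        print(f"index of coincidence of column 0 for t={cand}: "
              f"{index_of_coincidence(CIPHERTEXT[0::cand]):.3f}")
    print("recovered key:", recover_key(CIPHERTEXT, 3))
```

The model column makes the argument for `best_shift` exact: when q is precisely p shifted by k, Σ p_i·q_{i+s} is largest at s = k by the Cauchy–Schwarz inequality, and the index of coincidence of that column equals Σ p_i² ≈ 0.065; on the real sample the columns only approximate p, which is why the text asks for "roughly equal" and a long enough ciphertext.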


  1. Designing secure ciphers is a hard task: The Vigenère cipher remained unbroken for a long time, partially due to its presumed complexity. Far more complex schemes have also been used, such as the German Enigma. Nevertheless, this complexity does not imply security and all historical ciphers can be completely broken. In general, it is very hard to design a secure encryption scheme, and such design should be left to experts.

The history of classical encryption schemes is fascinating, both with respect to the methods used as well as the influence of cryptography and cryptanalysis on world history (in World War II, for example). Here, we have only tried to give a taste of some of the more basic methods, with a focus on what modern cryptography can learn from these attempts.

1.4 The Basic Principles of Modern Cryptography

The previous section has given a taste of historical cryptography. It is fair to say that, historically, cryptography was more of an art than any sort of science: schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity or cleverness. Unfortunately, as we have seen, all such schemes (no matter how clever) were eventually broken.

Modern cryptography, now resting on firmer and more scientific foundations, gives hope of breaking out of the endless cycle of constructing schemes and watching them get broken. In this section we outline the main principles and paradigms that distinguish modern cryptography from classical cryptography. We identify three main principles:

  1. Principle 1 — the first step in solving any cryptographic problem is the formulation of a rigorous and precise definition of security.
  2. Principle 2 — when the security of a cryptographic construction relies on an unproven assumption, this assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.
  3. Principle 3 — cryptographic constructions should be accompanied by a rigorous proof of security with respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle 2 (if an assumption is needed at all).

We now discuss each of these principles in greater depth.

1.4.1 Principle 1 – Formulation of Exact Definitions

One of the key intellectual contributions of modern cryptography has been the realization that formal definitions of security are essential prerequisites for the design, usage, or study of any cryptographic primitive or protocol. Let us explain each of these in turn:

  1. Importance for design: Say we are interested in constructing a secure encryption scheme. If we do not have a firm understanding of what it is we want to achieve, how can we possibly know whether (or when) we have achieved it? Having an exact definition in mind enables us to better direct our design efforts, as well as to evaluate the quality of what we build, thereby improving the end construction. In particular, it is much better to define what is needed first and then begin the design phase, rather than to come up with a post facto definition of what has been achieved once the design is complete. The latter approach risks having the design phase end when the designers’ patience is tried (rather than when the goal has been met), or may result in a construction that achieves more than is needed and is thus less efficient than a better solution.
  2. Importance for usage: Say we want to use an encryption scheme within some larger system. How do we know which encryption scheme to use? If presented with a candidate encryption scheme, how can we tell whether it suffices for our application? Having a precise definition of the security achieved by a given scheme (coupled with a security proof relative to a formally-stated assumption as discussed in principles 2 and 3) allows us to answer these questions. Specifically, we can define the security that we desire in our system (see point 1, above), and then verify whether the definition satisfied by a given encryption scheme suffices for our purposes. Alternatively, we can specify the definition that we need the encryption scheme to satisfy, and look for an encryption scheme satisfying this definition. Note that it may not be wise to choose the “most secure” scheme, since a weaker notion of security may suffice for our application and we may then be able to use a more efficient scheme.
  3. Importance for study: Given two encryption schemes, how can we compare them? Without any definition of security, the only point of comparison is efficiency, but efficiency alone is a poor criterion since a highly efficient scheme that is completely insecure is of no use. Precise specification of the level of security achieved by a scheme offers another point of comparison. If two schemes are equally efficient but the first one satisfies a stronger definition of security than the second, then the first is preferable.^5 There may also be a trade-off between security and efficiency (see the previous two points), but at least with precise definitions we can understand what this trade-off entails.

^5 Of course, things are rarely this simple.


  - Answer 3 — an encryption scheme is secure if no adversary can determine any character of the plaintext that corresponds to the ciphertext. This already looks like an excellent definition. However, other subtleties can arise. Going back to the example of the employment contract, it may be impossible to determine the actual salary or even any digit thereof. However, should the encryption scheme be considered secure if it leaks whether the encrypted salary is greater than or less than $100,000 per year? Clearly not. This leads us to the next suggestion.
  - Answer 4 — an encryption scheme is secure if no adversary can derive any meaningful information about the plaintext from the ciphertext. This is already close to the actual definition. However, it is lacking in one respect: it does not define what it means for information to be “meaningful”. Different information may be meaningful in different applications. This leads to a very important principle regarding definitions of security for cryptographic primitives: definitions of security should suffice for all potential applications. This is essential because one can never know what applications may arise in the future. Furthermore, implementations typically become part of general cryptographic libraries which are then used in many different contexts and for many different applications. Security should ideally be guaranteed for all possible uses.
  - The final answer — an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext. This provides a very strong guarantee and, when formulated properly, is considered today to be the “right” definition of security for encryption. Even here, there are questions regarding the attack model that should be considered, and how this aspect of security should be defined.

Even though we have now hit upon the correct requirement for secure encryption, conceptually speaking, it remains to state this requirement mathematically and formally, and this is in itself a non-trivial task (one that we will address in detail in Chapters 2 and 3).

As noted in the “final answer”, above, our formal definition must also specify the attack model: i.e., whether we assume a ciphertext-only attack or a chosen-plaintext attack. This illustrates a general principle used when formulating cryptographic definitions. Specifically, in order to fully define security of some cryptographic task, there are two distinct issues that must be explicitly addressed. The first is what is considered to be a break, and the second is what is assumed regarding the power of the adversary. The break is exactly what we have discussed above; i.e., an encryption scheme is considered broken if an adversary learns some function of the plaintext from a ciphertext. The power of the adversary relates to assumptions regarding the actions the adversary is assumed to be able to take, as well as the adversary’s computational power. The former refers to considerations such as whether the adversary is assumed only to be able to eavesdrop on encrypted messages (i.e., a ciphertext-only attack), or whether we assume that the adversary can also actively request encryptions of any plaintext that it likes (i.e., carry out a chosen-plaintext attack). A second issue that must be considered is the computational power of the adversary. For all of this book, except Chapter 2, we will want to ensure security against any efficient adversary, by which we mean any adversary running in polynomial time. (A full discussion of this point appears in Section 3.1.2. For now, it suffices to say that an “efficient” strategy is one that can be carried out in a lifetime. Thus “feasible” is arguably a more accurate term.) When translating this into concrete terms, we might require security against any adversary utilizing decades of computing time on a supercomputer. In summary, any definition of security will take the following general form:

A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.

We stress that the definition never assumes anything about the adversary’s strategy. This is an important distinction: we are willing to assume something about the adversary’s capabilities (e.g., that it is able to mount a chosen-plaintext attack but not a chosen-ciphertext attack), but we are not willing to assume anything about how it uses its abilities. We call this the “arbitrary adversary principle”: security must be guaranteed for any adversary within the class of adversaries having the specified power. This principle is important because it is impossible to foresee what strategies might be used in an adversarial attack (and history has proven that attempts to do so are doomed to failure).

Mathematics and the real world. A definition of security essentially provides a mathematical formulation of a real-world problem. If the mathematical definition does not appropriately model the real world, then the definition may be useless. For example, if the adversarial power under consideration is too weak (and, in practice, adversaries have more power), or the break is such that it allows real attacks that were not foreseen (like one of the early answers regarding encryption), then “real security” is not obtained, even if a “mathematically-secure” construction is used. In short, a definition of security must accurately model the real world in order for it to deliver on its mathematical promise of security.

It is quite common, in fact, for a widely-accepted definition to be ill-suited for some new application. As one notable example, there are encryption schemes that were proven secure (relative to some definition like the ones we have discussed above) and then implemented on smart-cards. Due to physical properties of the smart-cards, it was possible for an adversary to monitor the power usage of the smart-card (e.g., how this power usage fluctuated over time) as the encryption scheme was being run, and it turned out that this information could be used to determine the key. There was nothing wrong with the security definition or the proof that the scheme satisfied this