15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography


15-349

Introduction to Computer and Network Security

Iliano Cervesato

26 August 2008 – Modern Cryptography


Where we are

Course intro
Cryptography
  Intro to crypto
  Modern crypto
  Symmetric encryption
  Asymmetric encryption
  Beyond encryption
  Cryptographic protocols
  Attacking protocols
Program/OS security & trust
Networks security
Beyond technology


Outline

Cryptographic schemes
Design principles
  Confusion and diffusion
  Randomization
  Kerckhoffs’s principle
Mathematical foundations
  Computational complexity
  One-way functions
  Trapdoors
What is a secure cipher?


(Symmetric) Encryption Schemes

(K, E, D)

Key generation algorithm K : {0,1}

Encryption algorithm E : {0,1} x {0,1} {0,1}

Ek : {0,1} {0,1}

Decryption algorithm D: {0,1} x {0,1} {0,1}

Dk : {0,1} {0,1}


What makes a cipher good?

  behaves as expected: Functionally sound
  based on mathematics: Confusion and diffusion
  examined by experts: Open design
  stood the test of time: Moore’s law


Functional requirements

E, D : {0,1}^n x {0,1} {0,1}^n

Dk(Ek(m)) = m
  For every k, Ek is an injection with inverse Dk

Ek(m) is easy to compute, given m and k
Dk(x) is easy to compute, given x and k
  Polynomial in max{n,} - often linear

If x = Ek(m), it is hard to find m without k
  Exponential in


Confusion and Diffusion

Confusion
  Replace symbol with another
  Hide plaintext symbols
  Example: WHATANI -> ZZZJUCL

Diffusion
  Mix up symbols
  Spread plaintext around
  Example: WHATANI -> ANWIHAT

Modern ciphers are a combination
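The two transformations on this slide, worked through on its own WHATANI example. This is an added Python example, not part of the original slides, and the function names are chosen here. It recovers the per-letter shifts behind ZZZJUCL and the permutation behind ANWIHAT, then checks what each one leaves visible: transposition alone keeps the letter counts (so frequency analysis still works), substitution alone keeps every letter in place, and the combination does neither.

```python
from collections import Counter

A = ord("A")

def recover_shifts(plain, cipher):
    """Per-position shift (mod 26) that maps plain to cipher: pure confusion."""
    return [(ord(c) - ord(p)) % 26 for p, c in zip(plain, cipher)]

def recover_permutation(plain, cipher):
    """Indices perm with cipher[i] == plain[perm[i]]: pure diffusion.
    Repeated letters are matched left to right; None if cipher is not an anagram."""
    unused = list(range(len(plain)))
    perm = []
    for c in cipher:
        hit = next((i for i in unused if plain[i] == c), None)
        if hit is None:
            return None
        unused.remove(hit)
        perm.append(hit)
    return perm if not unused else None

def substitute(text, shifts):
    """Confusion: replace each symbol, positions unchanged."""
    return "".join(chr((ord(ch) - A + s) % 26 + A) for ch, s in zip(text, shifts))

def transpose(text, perm):
    """Diffusion: move symbols around, symbols unchanged."""
    return "".join(text[i] for i in perm)

def same_letter_counts(plain, cipher):
    """True when the ciphertext still carries the plaintext's letter frequencies."""
    return Counter(plain) == Counter(cipher)

def product(text, shifts, perm):
    """One round that combines both: substitute, then transpose."""
    return transpose(substitute(text, shifts), perm)

if __name__ == "__main__":
    plain = "WHATANI"                                   # plaintext from the slide
    shifts = recover_shifts(plain, "ZZZJUCL")
    perm = recover_permutation(plain, "ANWIHAT")
    print("shifts:", shifts, "permutation:", perm)
    print("transposition leaks counts:", same_letter_counts(plain, "ANWIHAT"))
    print("substitution leaks counts: ", same_letter_counts(plain, "ZZZJUCL"))
    combined = product(plain, shifts, perm)
    print("combined:", combined, "leaks counts:", same_letter_counts(plain, combined))
```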


Augmenting diffusion

Make it harder for attacker
  Repeated encryptions of same text are different

Randomization
  Ek : {0,1} x {0,1} {0,1}
  Dk : {0,1} {0,1}
  It must be that >

Part of all modern ciphers


Open Design

Kerckhoffs’s Principle (1883)
  The security of a cryptosystem must not depend on keeping the algorithm secret

No security by obscurity

Better
  Lots of smart but innocuous people dissect it
Than a single smart malicious


Shannon’s criteria

1. Strength of cipher proportional to effort

2. Keys should be simple

3. Implementation should be simple

4. Errors should not propagate

5. Size of ciphertext same as plaintext


Critique of Shannon’s Criteria

Shannon’s criteria based on manual process

1. Strength of cipher proportional to effort
     Strength should depend on value, cost, time

2. Keys should be simple
     Not necessarily

3. Implementation should be simple
     Efficient!

4. Errors should not propagate
     Yes, many countermeasures nowadays

5. Size of ciphertext same as plaintext
     Not necessarily

Computers allow powerful automation


Computational problems

Finite space of solutions
  Always decidable

Can grow in size (n)
  Bigger size, bigger solution space

Questions
  How hard is it to find a solution?
  How hard is it to verify a solution?

“Hard” = amount of time
  Generic algorithms
    – Best algorithm possible
  Not special cases!


Computational classes

P
  Finding solution polynomial in n
    – Element lookup in list – O(n)
    – Sorting a list – O(n^2)
  Verifying solution also polynomial in n

NP
  Verifying solution polynomial in n
  Finding solution may not be polynomial in n
    – Polynomial if we can “guess”
    – Polynomial if we can try solutions in parallel

EXP
  Finding solution exponential in n
  Verifying solution may not be polynomial in n


Computational complexity

P NP EXP P EXP

P = NP ?
  Open problem
  Believed false

[Figure: nested classes P, NP and EXP, with example growth rates n, n^2, n^3, n^100 and 2^n]


NP-Complete problems

In NP
As hard or harder than any other NP problem
  Represent all NP problems
    – If polynomial solution exists, all NP problems have one
        • P = NP
    – If not, no NP-complete problem has one
        • P NP

Characteristics
  Always solvable
  Verifying solution is polynomial
  No known polynomial way to find solution
    Exponential as far as we know


Computation in practice

Bounded by time

If a small polynomial instance is solvable
  Slightly larger instance also solvable
    Possibly with tomorrow’s technology

If a small exponential instance is solvable
  Slightly larger instance may not be solvable
    Maybe not even with tomorrow’s technology

… but Moore’s law is exponential?
  Physical limitations
  Can always choose a big enough instance


NP-Completeness and Crypto

Require attacker to solve an NP-complete problem to find plaintext
  Exponential work in n

But …
  Crumbles if P = NP
  May be easy for small n
  Side channel attacks
  Advances in technology
    – But Moore’s law is exponential ??

Trends in cryptography
  Rely on problems that are harder than NP
  Quantum cryptography


One-way functions

Easy to compute
  f(i) o
  Evaluation in P
    Linear

Hard to invert
  f^-1(o) i
  Inverse is NP-complete

Foundations of Hashing

[Figure: box f taking input to output; forward direction labelled “Easy – P”, reverse direction labelled “Hard – NP”]


One-way functions with trapdoor

Easy to compute
  f(i,t) o
  Encryption in P
    Linear

Hard to invert normally
  f^-1(o) i
  Decryption without key is NP-complete

Easy to invert through trapdoor
  f^-1(o,t) i
  Decryption with key in P
    Linear

Foundations of
  Encryption
  Digital signatures

[Figure: box f taking input to output; forward direction labelled “Easy – P”, reverse direction labelled “Hard – NP”, reverse direction with the trapdoor labelled “Easy – P”]
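The three directions of a trapdoor function, measured on a toy instance. This is an added Python example, not part of the original slides: it uses textbook RSA with tiny constructed primes as the trapdoor function, and trial division of the modulus as the way to invert without the trapdoor, both choices made for this example. The forward and trapdoor directions stay a single modular exponentiation, while the work without the trapdoor grows tenfold each time the primes gain a digit.

```python
def f(m, e, n):
    """Forward direction: one modular exponentiation, cheap for any size of n."""
    return pow(m, e, n)

def invert_with_trapdoor(c, d, n):
    """The trapdoor d makes inversion as cheap as the forward direction."""
    return pow(c, d, n)

def invert_without_trapdoor(c, e, n):
    """Recover the trapdoor the slow way: trial-divide n, then rebuild d.
    Returns (recovered input, number of candidate divisors tried)."""
    p, tried = 2, 1
    while n % p:
        p += 1
        tried += 1
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+
    return pow(c, d, n), tried

def make_keys(p, q, e=65537):
    """Public (n, e) and trapdoor d for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

# Constructed toy parameters: prime pairs of growing size (real keys are far larger).
PRIME_PAIRS = [(101, 103), (1009, 1013), (10007, 10009)]

def work_table(m=4242):
    """For each modulus: (bit length of n, input recovered without d, divisors tried)."""
    rows = []
    for p, q in PRIME_PAIRS:
        n, e, d = make_keys(p, q)
        c = f(m, e, n)
        if invert_with_trapdoor(c, d, n) != m:
            raise ValueError("trapdoor inversion failed")
        recovered, tried = invert_without_trapdoor(c, e, n)
        rows.append((n.bit_length(), recovered, tried))
    return rows

if __name__ == "__main__":
    for bits, recovered, tried in work_table():
        print(f"{bits:2d}-bit modulus: input {recovered} recovered after {tried} trial divisions")
```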


Some NP-complete Problems

Boolean satisfiability
  Is there an assignment of boolean values that makes a formula in conjunctive normal form true?
Knapsack
  Is there a way to fill a bag of a given size completely with objects of various sizes?
Cliques
  Does a graph have a complete subgraph of a given size?
Discrete logarithm
  Is there a such that g^a mod n = b
Integer factorization
  What are the prime factors of number n?


When is a Cipher Secure?

Polynomial adversary cannot tell a real encryption box from a fake one

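[Figure: two boxes, each taking an input m and returning an output x; the real box computes Ek(_), the fake box computes Ek(0)]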


Formal Definition

Let E: {0,1} x {0,1} {0,1}

A(x m) = 1 iff x = Ek(m)
A algorithm polynomial in key length

xm = Ek(m)

(K,E,D) is a secure encryption scheme if polynomial p(_) s.t. > k {0,1}

Pr[A(xm m) = 1] - Pr[A(x0 m) = 1] < 1/p()
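The real-box versus fake-box game from the last two slides, played against a deterministic cipher and a randomized one, which also shows why the randomization slide asks that repeated encryptions of the same text differ. This is an added Python example, not part of the original slides: the toy HMAC-based stream cipher, the function names and the two messages are constructed here, and the fake box is assumed to encrypt an all-zero message of the same length. The adversary wins against any deterministic Ek because the fake box returns the same ciphertext twice.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256 over nonce||counter, truncated to length."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key, m):
    """Same key and message always give the same ciphertext."""
    return xor(m, keystream(key, bytes(16), len(m)))

def enc_randomized(key, m):
    """Fresh random nonce per call, so the ciphertext is 16 bytes longer than m."""
    nonce = os.urandom(16)
    return nonce + xor(m, keystream(key, nonce, len(m)))

def dec_randomized(key, x):
    return xor(x[16:], keystream(key, x[:16], len(x) - 16))

def make_box(enc, key, real):
    """Real box returns Ek(m); fake box ignores m and returns Ek(0...0)."""
    return lambda m: enc(key, m if real else bytes(len(m)))

def adversary(box):
    """Output 1 ("real") iff two different messages give different ciphertexts."""
    return int(box(b"attack at dawn") != box(b"attack at dusk"))

def advantage(enc, trials=200):
    """Estimate |Pr[A = 1 with real box] - Pr[A = 1 with fake box]| over random keys."""
    real = fake = 0
    for _ in range(trials):
        key = os.urandom(16)
        real += adversary(make_box(enc, key, True))
        fake += adversary(make_box(enc, key, False))
    return abs(real - fake) / trials

if __name__ == "__main__":
    print("deterministic cipher, advantage:", advantage(enc_deterministic))
    print("randomized cipher, advantage:   ", advantage(enc_randomized))
```

An advantage of 0 here only says that this one adversary fails; the definition quantifies over every polynomial-time adversary.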


Key length

The strength of a cipher is given by the length of the key
  Strength is non-polynomial in
    10% longer key requires much more than 10% extra work
    Often each extra bit doubles the effort

To get a stronger cipher, make key longer!
  Guideline for modern ciphers
    Ciphers with variable key length
      – RSA
      – AES
  Not sufficient for bad ciphers!