Cryptography Lecture 1 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net


Page 1: Cryptography Lecture 1 Stefan Dziembowski  stefan@dziembowski.net

Cryptography

Lecture 1

Stefan Dziembowski
www.dziembowski.net
stefan@dziembowski.net

Page 2:

Course page:

http://www.dziembowski.net/Studenti/Critto/

Office hours: Thursday from 16.00 to 18.00

Notice: please send me an email (to the address: stefan at dziembowski dot net) with your first and last name.

Textbooks:

Main book:
• Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography

Other books:
• Doug Stinson, Cryptography: Theory and Practice, Third Edition
• Shafi Goldwasser and Mihir Bellare, Lecture Notes on Cryptography
• Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography

Page 3:

What is this course about?

Cryptography

In the past: the art of encrypting messages (mostly for military applications).

Now: the science of securing digital communication and transactions (encryption, authentication, digital signatures, e-cash, auctions, etc.).

Lots of applications in e-commerce!

Page 4:

What is this course not about?

This course is not about:

• number theory,
• complexity theory,
• security of the internet, firewalls, viruses, trojans, etc.,
• implementation details,
• history of cryptography.

Page 5:

Plan of the course

1. Introduction to the basic concepts
2. Symmetric-key encryption and authentication
3. Public-key encryption
4. Signature schemes
5. Key management techniques
6. Advanced topics (zero-knowledge, e-cash, distributed cryptography)

Page 6:

The basic goal: secure communication

1. Secrecy:

(figure: Alice sends a message to Bob over an insecure link, e.g. the internet or a phone line; Eve eavesdrops on the link.)

Page 7:

Encryption schemes (a very general picture)

Encryption scheme (cipher) = encryption & decryption

(figure: plaintext m → encryption → ciphertext c → decryption → m; the eavesdropper sees c and should not learn m.)

The plaintext m: in the past, a text in natural language; now, a string of bits.

Page 8:

“should not learn m”? It’s not clear what it means...

1. What does the adversary know about the scheme?
2. How many ciphertexts can she see?
3. What is her a priori knowledge about m?
4. How are the messages m chosen?
5. What is the computational power of the adversary?
6. What is the goal of the adversary?
   • compute m?
   • learn “some information about m”?
   • …

Page 9:

Art vs. science

In the past:

lack of precise definitions, ad-hoc design, usually insecure.

Nowadays:

formal definitions, systematic design, very secure constructions.

Page 10:

Kerckhoffs' principle

Auguste Kerckhoffs (1883): The enemy knows the system.

The cipher should remain secure even if the adversary knows the specification of the cipher.

The only thing that is secret is a short key k that is usually chosen uniformly at random.

Page 11:

A more refined picture

(figure: plaintext m → encryption (key k) → ciphertext c → decryption (key k) → m; Alice and Bob use the same key k.)

How did Alice and Bob establish k? For a moment say: they met and generated it together.

(Of course Bob can use the same method to send messages to Alice. That’s why it’s called the symmetric setting.)

Page 12:

Kerckhoffs' principle – the motivation (1/3)

In commercial products it is unrealistic to assume that the design details remain secret (reverse-engineering!).

For example: in 1987 RSA designed a cipher called RC4. Its specification was a trade secret. In 1994 C code for RC4 was posted on a cypherpunk mailing list.

Page 13:

Kerckhoffs' principle – the motivation (2/3)

Short keys are easier to protect, generate and replace.

Example: during World War II the American Army used the Navajo Indians as “encryption devices”.

This system contradicted Kerckhoffs’ principle, and hence it had an obvious problem: what to do if the enemy captures one of the Navajos?

Page 14:

Kerckhoffs' principle – the motivation (3/3)

1. The design details can be discussed and analyzed in public.
2. It corresponds nicely to the open-source ideology.
3. The schemes can become parts of industrial standards.

Not respecting this principle = “security by obscurity”.

Page 15:

A mathematical view

Page 16:

How to define security?

For a moment let’s say: the adversary broke the scheme if he managed to “decrypt some ciphertext c” without knowing the key.

(warning: in general, this definition is too weak)

Page 17:

Shift cipher

Page 18:

Security of the shift cipher

Q: How to break the shift cipher?

A: Check all possible keys.

This is called a brute force attack.

Moral: the key space needs to be large!
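
The shift cipher and the brute-force attack on its 26-element key space, as an added example that is not part of the lecture (the function names, the key 3 and the sample sentence are constructed for the illustration; standard library only):

```python
# Added example, not from the lecture: the shift cipher and the brute-force
# attack on its 26-element key space. Standard library only.
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(key: int, plaintext: str) -> str:
    """Enc_k(m): shift every letter forward by `key` positions; non-letters pass through."""
    if not 0 <= key < 26:
        raise ValueError("the key space of the shift cipher is {0, ..., 25}")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(key: int, ciphertext: str) -> str:
    """Dec_k(c): shifting back by k is the same as shifting forward by 26 - k."""
    return shift_encrypt((26 - key) % 26, ciphertext)


def brute_force(ciphertext: str) -> list[tuple[int, str]]:
    """Kerckhoffs' setting: the adversary knows the cipher and only k is secret,
    so she simply decrypts under every one of the 26 keys."""
    return [(k, shift_decrypt(k, ciphertext)) for k in range(26)]


def keys_matching_crib(ciphertext: str, crib: str) -> list[int]:
    """Keys whose candidate plaintext contains a word the adversary expects (a 'crib').
    With 26 candidates this filter is enough; a large key space is the real defence."""
    return [k for k, cand in brute_force(ciphertext) if crib.upper() in cand]


if __name__ == "__main__":
    # Constructed sample: key 3 and a plaintext quoting Kerckhoffs.
    c = shift_encrypt(3, "THE ENEMY KNOWS THE SYSTEM")
    print("ciphertext:", c)
    for k, cand in brute_force(c):
        print(f"key {k:2d}: {cand}")
    print("keys consistent with the crib 'THE':", keys_matching_crib(c, "THE"))
```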

Page 19:

Substitution cipher

(figure: the key is a permutation of the alphabet; each letter of the top row is replaced by the letter it is mapped to in the bottom row)

A B C D E F G H I J K L M N O P R S T U W V X Y Z

A B C D E F G H I J K L M N O P R S T U W V X Y Z

Page 20:

How to break the substitution cipher?

Use statistical patterns of the language.

For example: the frequency tables.

Texts of 50 characters can usually be broken this way.
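
A substitution cipher together with the frequency-table attack the slide refers to, as an added example that is not part of the lecture (the keyboard-order key, the sample text and the function names are constructed for the illustration; standard library only):

```python
# Added example, not from the lecture: a substitution cipher and the
# frequency-table attack on it. Standard library only.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
# English letters ordered by frequency, most frequent first (the "frequency table").
ENGLISH_BY_FREQUENCY = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def substitution_encrypt(key: str, plaintext: str) -> str:
    """The key is a permutation of the alphabet: plaintext letter ALPHABET[i] becomes key[i]."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(key: str, ciphertext: str) -> str:
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def letter_frequencies(text: str) -> list[tuple[str, int]]:
    """Letters of `text` sorted by count, most frequent first (non-letters ignored)."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def frequency_guess(ciphertext: str) -> dict[str, str]:
    """First guess of the key: pair the i-th most frequent ciphertext letter with the
    i-th most frequent English letter. Only the top few pairs are reliable; the rest is
    refined from digrams and word patterns, which is why ~50 characters usually suffice."""
    ranked = [letter for letter, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))


# Constructed sample: a key in keyboard order and a short English text.
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
SAMPLE_TEXT = ("THE SCIENCE OF SECURING DIGITAL COMMUNICATION RELIES ON PRECISE "
               "DEFINITIONS AND SYSTEMATIC DESIGN RATHER THAN ON SECRET DESIGNS "
               "THAT THE ENEMY WILL EVENTUALLY LEARN")

if __name__ == "__main__":
    c = substitution_encrypt(SAMPLE_KEY, SAMPLE_TEXT)
    print(letter_frequencies(c)[:5])   # the top ciphertext letter stands for E
    print(frequency_guess(c))
```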

Page 21:

Other famous historical ciphers

Vigenère cipher: Blaise de Vigenère (1523 – 1596); Leon Battista Alberti (1404 – 1472)

Enigma: Marian Rejewski (1905 – 1980); Alan Turing (1912 – 1954)

Page 22:

Defining “security of an encryption scheme” is non-trivial.

Experiment (m – a message):
1. the key k is chosen randomly
2. message m is encrypted using k: c := Enc_k(m)
3. c is given to the adversary

Idea 1: The adversary should not be able to compute k.

Idea 2: The adversary should not be able to compute m.

Idea 3: The adversary should not be able to compute any information about m.

Idea 4: The adversary should not be able to compute any additional information about m. (makes more sense)

Page 23:

How to formalize it?

Probability-theoretic approach:

Idea: The adversary should not be able to compute any additional information about m.

Page 24:

A perfectly secret scheme: one-time pad

Gilbert Vernam (1890 – 1960)

Page 25:

Problem with one-time pad

Each key cannot be used more than once!

This is because:
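
The one-time pad on bytes, the "exactly one key per (m, c) pair" fact behind perfect secrecy, and what reusing a pad leaks, as an added example that is not part of the lecture (the function names and the two sample messages are constructed for the illustration; standard library only):

```python
# Added example, not from the lecture: the one-time pad on bytes, why exactly one
# key maps each message to each ciphertext, and what reusing a pad leaks.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """The pad must be uniformly random and fresh; os.urandom is the OS CSPRNG."""
    return os.urandom(length)


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    """Enc_k(m) = k XOR m."""
    return xor_bytes(key, message)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Dec_k(c) = k XOR c; XOR is its own inverse."""
    return xor_bytes(key, ciphertext)


def keys_mapping(message_byte: int, ciphertext_byte: int) -> list[int]:
    """Perfect secrecy in miniature: for one byte, exactly one of the 256 keys sends m
    to c, so a uniform key makes every m equally likely given c."""
    return [k for k in range(256) if k ^ message_byte == ciphertext_byte]


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, the key cancels: c1 XOR c2 = m1 XOR m2.
    This is the failure behind the Venona decryptions: one known (or guessed)
    message then reveals the other, so the scheme is no longer secret at all."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample messages; encrypting both under one pad is the mistake shown.
    m1, m2 = b"ATTACK AT DAWN!!", b"RETREAT AT ONCE!"
    k = otp_keygen(len(m1))
    c1, c2 = otp_encrypt(k, m1), otp_encrypt(k, m2)   # same pad twice: wrong
    assert otp_decrypt(k, c1) == m1
    print("c1 XOR c2 == m1 XOR m2:", two_time_pad_leak(c1, c2) == xor_bytes(m1, m2))
    print("m2 from c1, c2 and m1:", xor_bytes(two_time_pad_leak(c1, c2), m1))
```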

Page 26:

(figure: proof that the one-time pad is perfectly secret; labels on the slide: “independent”, “independent”, “this we know”, “this we have to show”, “here we use the assumption”, QED)

Page 27:

Practicality?

Generally, the one-time pad is not very practical, since:

• the key has to be as long as the total length of the encrypted messages,
• it is hard to generate truly random strings.

However, it is sometimes used (e.g. in military applications), because of the following advantages:

• perfect secrecy,
• short messages can be encrypted using pencil and paper.

In the 1960s the Americans and the Soviets established a hotline that was encrypted using the one-time pad.

(additional advantage: they didn’t need to share their secret encryption methods)

(photo: a KGB one-time pad hidden in a walnut shell)

Page 28:

Venona project (1946 – 1980)

The American National Security Agency decrypted Soviet messages that were transmitted in the 1940s. That was possible because the Soviets reused the keys in the one-time pad scheme.

(photo: Ethel and Julius Rosenberg, 1953)

Page 29:

One-time pad is optimal in the class of perfectly secret schemes

(table: every key k_i against every message m_j; the entry in row k_i, column m_j is Enc(k_i, m_j))

        m_0           m_1           m_2           . . .
k_0     Enc(k_0,m_0)  Enc(k_0,m_1)  Enc(k_0,m_2)
k_1     Enc(k_1,m_0)  Enc(k_1,m_1)  Enc(k_1,m_2)
k_2     Enc(k_2,m_0)  Enc(k_2,m_1)  Enc(k_2,m_2)
. . .
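
Added worked argument in the notation of the slide (not from the slide itself): why the table forces |K| ≥ |M| for every perfectly secret scheme, which is what makes the one-time pad optimal.

$$
\text{Perfect secrecy: } M \text{ and } C = \mathrm{Enc}_K(M) \text{ are independent, i.e. } \Pr[C = c \mid M = m_j] = \Pr[C = c] \text{ for every } m_j \text{ and every } c.
$$

$$
\text{Fix a ciphertext } c_0 \text{ with } \Pr[C = c_0] > 0. \text{ For every } m_j: \ \Pr[C = c_0 \mid M = m_j] = \Pr[C = c_0] > 0, \text{ so some row } k_i \text{ of the table has } \mathrm{Enc}(k_i, m_j) = c_0.
$$

$$
\text{Correctness gives } m_j = \mathrm{Dec}(k_i, c_0), \text{ so } m_j \neq m_{j'} \Rightarrow k_i \neq k_{i'}: \text{ the map } m_j \mapsto k_i \text{ is injective, hence } |K| \ge |M|.
$$

The one-time pad has |K| = |M| (one key bit per message bit), so no perfectly secret scheme can get by with a smaller key space.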


Page 31:

The basic goal: secure communication

2. Integrity:

(figure: Alice sends a message M to Bob; Eve interferes with the transmission.)

How can Bob be sure that M really comes from Alice?

Page 32:

Does encryption guarantee message integrity?

Idea:
1. Alice encrypts m and sends c = Enc(k, m) to Bob.
2. Bob computes Dec(k, c), and if it “makes sense” accepts it.

Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.

It does not work!

Example: one-time pad.

Page 33:

Message authentication

(figure: Alice and Bob both hold the key k. Alice sends (m, t = Tag_k(m)) to Bob; Bob verifies that t = Tag_k(m).)

Eve can see (m, t = Tag_k(m)).

She should not be able to compute a valid tag t’ on any other message m’.
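
The one-time pad counterexample from the "does encryption guarantee integrity" slide next to the tag check of this slide, as an added example that is not part of the lecture. Tag_k is instantiated here with HMAC-SHA256, which is an assumption (the lecture names no construction); the function names, keys and the "PAY 100" message are constructed for the illustration.

```python
# Added example, not from the lecture: encryption alone (one-time pad) gives no
# integrity, while a tag t = Tag_k(m) detects the modification. Tag_k is
# instantiated with HMAC-SHA256 here (assumption). Standard library only.
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("lengths must match")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    return xor_bytes(key, message)


otp_decrypt = otp_encrypt  # XOR is an involution


def modify_ciphertext(ciphertext: bytes, assumed_m: bytes, desired_m: bytes) -> bytes:
    """The slide's counterexample: without k, Enc_k(m) becomes Enc_k(m') for anyone who
    knows (or guesses) m, because (k XOR m) XOR (m XOR m') = k XOR m'. Bob's decryption
    still "makes sense", so the accept-if-it-decrypts rule accepts a forged message."""
    return xor_bytes(ciphertext, xor_bytes(assumed_m, desired_m))


def tag(mac_key: bytes, message: bytes) -> bytes:
    """t = Tag_k(m)."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, t: bytes) -> bool:
    """Bob accepts m only if t = Tag_k(m); the comparison runs in constant time."""
    return hmac.compare_digest(tag(mac_key, message), t)


if __name__ == "__main__":
    # Constructed sample: the message format is known, so "PAY 100" is turned into "PAY 900".
    enc_key, mac_key = bytes(range(7)), b"constructed-demo-mac-key"
    m = b"PAY 100"
    c = otp_encrypt(enc_key, m)
    c_mod = modify_ciphertext(c, m, b"PAY 900")
    print(otp_decrypt(enc_key, c_mod))                       # b'PAY 900': no integrity
    t = tag(mac_key, m)
    print(verify(mac_key, m, t), verify(mac_key, b"PAY 900", t))   # True False
```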

Page 34:

How to define security of such a scheme?

Page 35:

Page 36:

For example p = 2^107 − 1

Page 37:

Page 38:

Can we reuse the same key many times?

Page 39:

Outlook

Secure communication = encryption and authentication.

We defined security of encryption and authentication using the probability-theoretic language.

We constructed such “perfectly secure” schemes.

Problem: the keys need to be large and can be used at most once.

But it can be shown that they are “the best we can achieve”.

Can we go home and relax?

Maybe the definitions are too strong?

Page 40:

What to do?

We required that M and Enc_K(M) are independent.

Maybe it is enough to require that M and Enc_K(M) are independent from the “practical point of view”?

How can this be formalized?

We will use the complexity theory!