Introduction to Cryptography

DFSC 1317

Cryptography usage

Did you use any cryptography

today?

2 / 56

Cryptography usage

Did you use any cryptography

today?

over the last week?

2 / 56

Cryptography usage

Did you use any cryptography

today?

over the last week?

over the Christmas break?

2 / 56

Cryptography usage

https invokes the Secure Socket Layer (SSL) communication

security protocol to securely transmit your credit card number to the server SSL uses cryptography
3 / 56

Cryptography usage

Other uses of cryptography

ATM machines On-line banking

Remote login and le transfer using SSH

4 / 56

What is cryptography about?

Adversary: clever person with powerful computer Goals:

Data privacy Data integrity and authenticity
5 / 56

Privacy

The goal is to ensure that the adversary does not see or obtain the data (message) M . Example: M could be a credit card number being sent by shopper Alice to server Bob and we want to ensure attackers dont learn it.
6 / 56

Integrity and authenticity

The goal is to ensure that

M really originates with Alice and not someone else M has not been modied in transit

7 / 56

Integrity and authenticity example

Alice Alice Pay $100 to Charlie

-

Bob (Bank)

Adversary Eve might

Modify Charlie to Eve Modify $100 to $1000

Integrity prevents such attacks.

8 / 56

Medical databases
Doctor Get Alice FA  Database Alice Bob Alice Bob FA FB
FA FB

Reads FA Modies FA to FA

Put: Alice, FA

9 / 56

Medical databases
Doctor Get Alice FA  Database Alice Bob Alice Bob FA FB
FA FB

Reads FA Modies FA to FA

Put: Alice, FA

contain condential information and we want to Privacy: FA , FA

ensure the adversary does not obtain them

9 / 56

Medical databases
Doctor Get Alice FA  Database Alice Bob Alice Bob FA FB
FA FB

Reads FA Modies FA to FA

Put: Alice, FA

contain condential information and we want to Privacy: FA , FA

ensure the adversary does not obtain them

Integrity and authenticity: Need to ensure

doctor is authorized to get Alices le are not modied in transit FA , FA FA is really sent by database is really sent by (authorized) doctor FA
9 / 56

What is cryptography about?

Adversary: clever person with powerful computer Goals:

Data privacy Data integrity and authenticity
10 / 56

Ideal World

Cryptonium pipe: Cannot see inside or alter content.

11 / 56

Ideal World

Cryptonium pipe: Cannot see inside or alter content. All our goals would be achieved!

11 / 56

Ideal World

Cryptonium pipe: Cannot see inside or alter content. All our goals would be achieved! But cryptonium is only available on planet Crypton and is in short supply.
11 / 56

Cryptographic schemes

E : encryption algorithm D : decryption algorithm

Ke : encryption key Kd : decryption key

12 / 56

Cryptographic schemes

E : encryption algorithm D : decryption algorithm

Ke : encryption key Kd : decryption key

Algorithms: standardized, implemented, public!

12 / 56

Cryptographic schemes

E : encryption algorithm D : decryption algorithm Settings:

Ke : encryption key Kd : decryption key

public-key (assymmetric): Ke public, Kd secret private-key (symmetric): Ke = Kd secret

13 / 56

Cryptographic schemes

E : encryption algorithm D : decryption algorithm

Ke : encryption key Kd : decryption key

How do keys get distributed? Magic, for now!

14 / 56

Cryptographic schemes

Our concerns:
How to dene security goals? How to design E , D ? How to gain condence that E , D achieve our goals?

15 / 56

Why is cryptography hard?

One cannot anticipate an adversary strategy in advance; number of

possibilities is innite.

Testing is not possible in this setting.

17 / 56

Early history
Substitution ciphers/Caesar ciphers: Ke = Kd = : , a secret permutation e.g., = {A, B , C , . . .} and is as follows: ( ) A E B A C Z D U

E (CAB ) = (C ) (A) (B ) =Z E A D (ZEA) = 1 (Z ) 1 (E ) 1 (A) =C A B

18 / 56

Early history
Substitution ciphers/Caesar ciphers: Ke = Kd = : , a secret permutation e.g., = {A, B , C , . . .} and is as follows: ( ) A E B A C Z D U

E (CAB ) = (C ) (A) (B ) =Z E A D (ZEA) = 1 (Z ) 1 (E ) 1 (A) =C A B Not very secure! (Common newspaper puzzle)
18 / 56

The age of machines

Enigma: German World War II machine

Broken by British in an eort led by Turing

19 / 56

Shannon and One-Time-Pad (OTP) Encryption

Ke = Kd = K {0, 1}k
$

K chosen at random from {0, 1}k For any M {0, 1}k EK (M ) = K M DK (C ) = K C

20 / 56

Shannon and One-Time-Pad (OTP) Encryption

Ke = Kd = K {0, 1}k
$

K chosen at random from {0, 1}k For any M {0, 1}k EK (M ) = K M DK (C ) = K C Theorem (Shannon): OTP is perfectly secure as long as only one message encrypted.
Perfect secrecy, a notion Shannon denes, captures mathematical impossibility of breaking an encryption scheme.

Fact: if |M | > |K |, then no scheme is perfectly secure.

20 / 56

Modern Cryptography: A Computational Science

Security of a practical system must rely not on the impossibility but on the computational diculty of breaking the system.
(Practical = more message bits than key bits)

21 / 56

Modern Cryptography: A Computational Science

Rather than: It is impossible to break the scheme We might be able to say: No attack using 2160 time succeeds with probability 220
I.e., Attacks can exist as long as cost to mount them is prohibitive, where Cost = computing time/memory, $$$

22 / 56

Classical Approach: Iterated design

Scheme 1.1

24 / 56

Classical Approach: Iterated design

Scheme 1.1

bug!

24 / 56

Classical Approach: Iterated design

Scheme 1.1 Scheme 1.2

bug!

24 / 56

Classical Approach: Iterated design

Scheme 1.1 Scheme 1.2

bug! bug!

24 / 56

Classical Approach: Iterated design

Scheme 1.1 Scheme 1.2 . . . Scheme 1.n

bug! bug!

24 / 56

Classical Approach: Iterated design

Scheme 1.1 Scheme 1.2 . . . Scheme 1.n

bug! bug!

deploy

24 / 56

Classical Approach: Iterated design

Scheme 1.1 Scheme 1.2 . . . Scheme 1.n

bug! bug!

deploy

bug!

24 / 56

Good cryptography

Understanding the goals: Formal adversarial models and denitions

of security goals

Beyond iterated design: Proof by reduction that a construction

achieves its goal

25 / 56

Dening security

A great deal of design tries to produces schemes without rst asking: What exactly is the security goal? This leads to schemes that are complex, unclear, and wrong.

26 / 56

Dening Security

What does it mean for an encryption scheme to provide privacy?

28 / 56

Dening Security

What does it mean for an encryption scheme to provide privacy? Does it mean that given C = EKe (M ), adversary cannot
recover M ? recover the rst bit of M ? ...

recover the XOR of the rst and the last bits of M ?

28 / 56

Dening Security

What does it mean for an encryption scheme to provide privacy? Does it mean that given C = EKe (M ), adversary cannot
recover M ? recover the rst bit of M ? ...

recover the XOR of the rst and the last bits of M ?

We will provide a formal denition for privacy, justify it, and show it implies the above (and more).

28 / 56

The factoring problem

Input: Composite integer N Desired output: prime factors of N Example: Input: 85 Output:

29 / 56

The factoring problem

Input: Composite integer N Desired output: prime factors of N Example: Input: 85 Output: 17, 5

29 / 56

The factoring problem

Input: Composite integer N Desired output: prime factors of N Example: Input: 85 Output: 17, 5 Can we write a factoring program?

29 / 56

The factoring problem

Input: Composite integer N Desired output: prime factors of N Example: Input: 85 Output: 17, 5 Can we write a factoring program? Easy! / / N a product of 2 primes For i = 2, 3, . . . , N do If N mod i = 0 then return i Alg Factor(N )

29 / 56

The factoring problem

Input: Composite integer N Desired output: prime factors of N Example: Input: 85 Output: 17, 5 Can we write a factoring program? Easy! / / N a product of 2 primes For i = 2, 3, . . . , N do If N mod i = 0 then return i Alg Factor(N )

But this is very slow ... Prohibitive if N is large (e.g., 400 digits)
29 / 56

Can we factor fast?

Gauss couldnt gure out how Nor does anyone know now

Nobody today knows how to factor a 400 digit number in a practical amount of time.

30 / 56

Provable Security

Provide
A scheme A proof of security

The proof establishes something like: The only way to break the scheme is to factor a large number or, put another way If an adversary breaks the scheme, it must have found a fast factoring algorithm.

31 / 56

Provable Security

Bug in scheme implies

attacker has found a way to factor fast attacker is smarter than Gauss and smarter than all living mathematicians...

32 / 56

Atomic Primitives or Problems

Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...

33 / 56

Atomic Primitives or Problems

Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...

Features:
Few such primitives Bugs rare Design an art, condence by history.

33 / 56

Atomic Primitives or Problems

Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...

Features:
Few such primitives Bugs rare Design an art, condence by history.

Drawback: Dont directly solve any security problem.

33 / 56

Higher Level Primitives

Goal: Solve security problem of direct interest. Examples: encryption, authentication, digital signatures, key distribution, . . .

34 / 56

Higher Level Primitives

Goal: Solve security problem of direct interest. Examples: encryption, authentication, digital signatures, key distribution, . . . Features:
Lots of them Bugs common in practice

34 / 56

Lego Approach

We typically design high-level primitives from atomic ones Atomic primitive Transformer High-level primitive History shows that the Transformer is usually the weak link:
Atomic primitives secure, yet Higher level primitive insecure

35 / 56

Provable security

Enables us to get transformers for which we can guarantee Atomic primitive secure High-level primitive secure

I.e., If attacker breaks encryption scheme then they are smarter than Gauss.

36 / 56

Provable security in practice

Proven-secure schemes in use (SSL, SSH, IPSec, . . . ):

HMAC OAEP ... ECIES

37 / 56

New uses for old mathematics

Cryptography uses
Number theory Combinatorics Modern algebra

Probability theory

38 / 56

Cryptography beyond communication security

Parties 1, 2, 3, . . . , n. Party i has the integer xi {0, . . . , M 1} They want to know x1 + . . . + xn n but each party i wants to keep its own xi private. x=

40 / 56

Cryptography beyond communication security

Parties 1, 2, 3, . . . , n. Party i has the integer xi {0, . . . , M 1} They want to know x1 + . . . + xn n but each party i wants to keep its own xi private. x= Usage: xi = score of student i on homework 1 xi = vote of party i for proposition X on ballot . . .
40 / 56

Cryptography beyond communication security

Parties 1, 2, 3, . . . , n. Party i has the integer xi {0, . . . , M 1} They want to know x1 + . . . + xn n but each party i wants to keep its own xi private. x= Trusted Party Solution:

41 / 56

Cryptography beyond communication security

Parties 1, 2, 3, . . . , n. Party i has the integer xi {0, . . . , M 1} They want to know x1 + . . . + xn n but each party i wants to keep its own xi private. x= Trusted Party Solution: Secure Computation: Allows us to accomplish objective without a trusted party, using only (secure) communication between parties.

41 / 56

Internet Gambling

Will you play?

42 / 56

Internet Gambling

Will you play? Casino can cheat. It returns , T for some T = g

42 / 56

Internet Gambling

Will you play? Casino can cheat. It returns Crypto can x this!
42 / 56

, T for some T = g

Security today

Millions of dollars of loss due to credit-card fraud, phishing, identity

theft, ...

Lack of privacy: Enormous amounts of information about each of

us is collected and harvested by businesses dedicated to this purpose

Cryptography is a central tool in getting more security and privacy

43 / 56