Documente Academic
Documente Profesional
Documente Cultură
DFSC 1317
Cryptography usage
2 / 56
Cryptography usage
2 / 56
Cryptography usage
2 / 56
Cryptography usage
security protocol to securely transmit your credit card number to the server SSL uses cryptography
3 / 56
Cryptography usage
4 / 56
Privacy
The goal is to ensure that the adversary does not see or obtain the data (message) M . Example: M could be a credit card number being sent by shopper Alice to server Bob and we want to ensure attackers dont learn it.
6 / 56
7 / 56
Bob (Bank)
8 / 56
Medical databases
Doctor Get Alice FA Database Alice Bob Alice Bob FA FB
FA FB
Reads FA Modies FA to FA
Put: Alice, FA
9 / 56
Medical databases
Doctor Get Alice FA Database Alice Bob Alice Bob FA FB
FA FB
Reads FA Modies FA to FA
Put: Alice, FA
9 / 56
Medical databases
Doctor Get Alice FA Database Alice Bob Alice Bob FA FB
FA FB
Reads FA Modies FA to FA
Put: Alice, FA
doctor is authorized to get Alices le are not modied in transit FA , FA FA is really sent by database is really sent by (authorized) doctor FA
9 / 56
Ideal World
11 / 56
Ideal World
Cryptonium pipe: Cannot see inside or alter content. All our goals would be achieved!
11 / 56
Ideal World
Cryptonium pipe: Cannot see inside or alter content. All our goals would be achieved! But cryptonium is only available on planet Crypton and is in short supply.
11 / 56
Cryptographic schemes
12 / 56
Cryptographic schemes
12 / 56
Cryptographic schemes
13 / 56
Cryptographic schemes
14 / 56
Cryptographic schemes
Our concerns:
How to dene security goals? How to design E , D ? How to gain condence that E , D achieve our goals?
15 / 56
possibilities is innite.
17 / 56
Early history
Substitution ciphers/Caesar ciphers: Ke = Kd = : , a secret permutation e.g., = {A, B , C , . . .} and is as follows: ( ) A E B A C Z D U
18 / 56
Early history
Substitution ciphers/Caesar ciphers: Ke = Kd = : , a secret permutation e.g., = {A, B , C , . . .} and is as follows: ( ) A E B A C Z D U
E (CAB ) = (C ) (A) (B ) =Z E A D (ZEA) = 1 (Z ) 1 (E ) 1 (A) =C A B Not very secure! (Common newspaper puzzle)
18 / 56
19 / 56
20 / 56
K chosen at random from {0, 1}k For any M {0, 1}k EK (M ) = K M DK (C ) = K C Theorem (Shannon): OTP is perfectly secure as long as only one message encrypted.
Perfect secrecy, a notion Shannon denes, captures mathematical impossibility of breaking an encryption scheme.
Security of a practical system must rely not on the impossibility but on the computational diculty of breaking the system.
(Practical = more message bits than key bits)
21 / 56
Rather than: It is impossible to break the scheme We might be able to say: No attack using 2160 time succeeds with probability 220
I.e., Attacks can exist as long as cost to mount them is prohibitive, where Cost = computing time/memory, $$$
22 / 56
Scheme 1.1
24 / 56
Scheme 1.1
bug!
24 / 56
bug!
24 / 56
bug! bug!
24 / 56
bug! bug!
24 / 56
bug! bug!
deploy
24 / 56
bug! bug!
deploy
bug!
24 / 56
Good cryptography
of security goals
25 / 56
Dening security
A great deal of design tries to produces schemes without rst asking: What exactly is the security goal? This leads to schemes that are complex, unclear, and wrong.
26 / 56
Dening Security
28 / 56
Dening Security
What does it mean for an encryption scheme to provide privacy? Does it mean that given C = EKe (M ), adversary cannot
recover M ? recover the rst bit of M ? ...
28 / 56
Dening Security
What does it mean for an encryption scheme to provide privacy? Does it mean that given C = EKe (M ), adversary cannot
recover M ? recover the rst bit of M ? ...
We will provide a formal denition for privacy, justify it, and show it implies the above (and more).
28 / 56
29 / 56
29 / 56
29 / 56
29 / 56
But this is very slow ... Prohibitive if N is large (e.g., 400 digits)
29 / 56
Gauss couldnt gure out how Nor does anyone know now
Nobody today knows how to factor a 400 digit number in a practical amount of time.
30 / 56
Provable Security
Provide
A scheme A proof of security
The proof establishes something like: The only way to break the scheme is to factor a large number or, put another way If an adversary breaks the scheme, it must have found a fast factoring algorithm.
31 / 56
Provable Security
32 / 56
Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...
33 / 56
Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...
Features:
Few such primitives Bugs rare Design an art, condence by history.
33 / 56
Examples:
Factoring: Given large N = pq , nd p , q Block cipher primitives: DES, AES, ... Hash functions: MD5, SHA1, ...
Features:
Few such primitives Bugs rare Design an art, condence by history.
33 / 56
Goal: Solve security problem of direct interest. Examples: encryption, authentication, digital signatures, key distribution, . . .
34 / 56
Goal: Solve security problem of direct interest. Examples: encryption, authentication, digital signatures, key distribution, . . . Features:
Lots of them Bugs common in practice
34 / 56
Lego Approach
We typically design high-level primitives from atomic ones Atomic primitive Transformer High-level primitive History shows that the Transformer is usually the weak link:
Atomic primitives secure, yet Higher level primitive insecure
35 / 56
Provable security
Enables us to get transformers for which we can guarantee Atomic primitive secure High-level primitive secure
I.e., If attacker breaks encryption scheme then they are smarter than Gauss.
36 / 56
37 / 56
Cryptography uses
Number theory Combinatorics Modern algebra
Probability theory
38 / 56
40 / 56
41 / 56
41 / 56
Internet Gambling
42 / 56
Internet Gambling
42 / 56
Internet Gambling
Will you play? Casino can cheat. It returns Crypto can x this!
42 / 56
, T for some T = g
Security today
theft, ...
43 / 56