Principles of modern cryptography

Introduction Syntax of encryption Kerckhoffs’ Principle Ancient history Basic Principles

Introduction

The Setting of Private-Key Encryption

Foundations of CryptographyComputer Science Department

Wellesley College

September 1, 2016


Table of contents

Introduction

Syntax of encryption

Kerckho↵s’ Principle

Ancient history

Basic Principles


Then and now

• Historically, cryptography focusedon the the art of secretcommunication.

• Much has changed in the last thirtyyears. Cryptography is used toaddress a number of otherconsiderations.


The basic setting of private-key encryption

• In a private-key setting, twoparties share some secretinformation called a key.

• The party sending aplaintext message uses thekey to encrypt the messagebefore it is sent.

• The receiver uses the samekey to decrypt the ciphertext

message upon receipt inorder to recover theplaintext.


Important safety tip

• An implicit assumption in anysystem using private-key encryptionis that the communicating partieshave some way of initially sharing akey in a secret manner.

• In military settings, communicatingparties physically met in a securelocation in order to agree upon akey.

• Not so easy when purchasing a firstedition on ebay.


The syntax of encryption

A private-key encryption scheme is comprised of three algorithms:

1. The key-generation algorithm Gen is a probabilistic algorithmthat outputs a key k chosen according to some distributionthat is determined by the scheme.

2. The encryption algorithm Enc takes as input a key k and aplaintext message m and outputs a ciphertext c denoted byEnck(m).

3. The decryption algorithm Dec takes as input a key k and aciphertext c and outputs a plaintext m, denoted by Deck(c).


Time and space

• The set of all possible keys outputby the key generation algorithm iscalled the key space and is denotedby K.

• Almost always, Gen choose a keyuniformly at random from the keyspace (in fact, one can assumeWLOG this is the case).

• The set of all “legal” messages isdenote M and is called theplaintext space.

• The sets K and M together definethe possible ciphertexts denoted byC.


Perfectly correct

• We assume that encryption schemes are perfectly correct,meaning that for all k 2 K,m 2M, and any c Enck(m),Deck(c) = m with probability 1.

• This implies that we may assume Dec is deterministic (sinceDeck(c) must give the same output every time it is run) andwrite m := Deck(c) to denote the decryption process.


Well, duh

• It is clear that if the adversaryknows the algorithm Dec and thekey k shared by two communicatingparties, then all is lost.

• Best to keep the key a secret. Butwhat about the algorithm? Forthat matter, why not keep Gen andEnc a secret as well. (The plaintextspace would be harder to hide.)


Kerckho↵s’ principle

The cipher method must not be required to be secret, and it must

be able to fall into the hands of the enemy without inconvenience.

1

1Why?


Attack scenarios

• CipherText-only attack: The adversary just observes one ormore ciphertexts and attempts to determine the plaintext(s).

• Known-plaintext attack: The adversary learns one or morepairs of plaintext/ciphertext encrypted under the same key.The aim is to then determine the plaintext of other ciphertext.

• Chosen-plaintext attack: The adversary has the ability toobtain the encryption of plaintext of its choice.

• Chosen-ciphertext attack: The adversary is given thecapability to obtain decryption of ciphertexts of its choice.The aim is to determine the plaintext that was encrypted insome other ciphertext that the adversary is unable to obtaindirectly.)


Substitution ciphers

Julius Caesar used a system that cyclically mapped letters to thethird letter in the alphabet.

plain: meet me after the toga party

CIPHER: PHHW PH DIWU WKH WRJD SDUMB

Of course, a shift may be of any amount:

c = Enck(m) = (p + k) mod 26.

p = Deckc = (c � k) mod 26.


Brute-force cryptanalysis

• Here we guessed that theencryption scheme wasCaesar cipher (Remember:The enemy knows thesystem being used.)

• We use the fact that the keyspace is small and theplaintext is easilyrecognizable.

PHHW PH DIWHU WKH WRJD SDUWB

KEY

1 oggv og chvgt vjg vqic rctva

2 nffu nf bgufs uif uphb qbsuz

3 meet me after the toga party

4 ldds ld zesdq sgd snfz ozqsx

5 kccr kc ydrcp rfc rmey nyprw

6 jbbq jb xcqbo qeb qldx mxoqv

7 iaap ia wbpan pda pkcw lwnpu

8 hzzo hz vaozm ocz ojbv kvmot

9 gyyn gy uznyl nby niau julns

10 fxxm fx tymxk max mhzt itkmr

11 ewwl ew sxlwj lzw lgys hsjlq

12 dvvk dv rwkvi kyv kfxr grikp

13 cuuj cu qvjuh jxu jewq fqhjo

14 btti bt puitg iwt idvp epgin

15 assh as othsf hvs hcuo dofhm

16 zrrg zr nsgre gur gbtn cnegl

17 yqqf yq mrfqd ftq fasm bmdfk

18 xppe xp lqepc esp ezrl alcej

19 wood wo kpdob dro dyqk zkbdi

20 vnnc vn jocna cqn cxpj yjach

21 ummb um inbmz bpm bwoi xizbg

22 tlla tl hmaly aol avnh whyaf

23 skkz sk glzkx znk zumg vgxze

24 rjjy rj fkyjw ymj ytlf ufwyd

25 qiix qi ejxiv xli xske tevxc


Su�cient key space principle

Any secure encryption scheme must have a key space that is not

vulnerable to exhaustive search.


So let’s completely mix the letters*

Classic cryptology 2-8

So let’s completely mix the letters*

*Or even invent our own -- the resulting encryptions are known as monoalphabetic ciphers. *Or even invent our own – the resulting encryptions are known as

mono-alphabetic ciphers..


26! keys should be a challenge to brute-force

• But mono-alphabetic substitution is still vulnerable to patternmatching and statistical attack.

• Probable word attacks can be particularly devastating.


Automating an attack on the shift cipher

• A simple calculation using the known values of pi , theprobability of the ith letter occurring in normal text, yields

25X

i=0

p

2i ⇡ 0.065.

• Let qi denote the probability of the ith letter in a givenciphertext. If the key is k , then we expect that qi+k ⇡ pi foreach i . Equivalently, computing

Ijdef=

25X

i=0

pi · qi+j

for each j 2 {0, 1, . . . , 25}, then we expect Ik ⇡ 0.065 wherek is the actual key.


Vigenere (poly-alphabetic shift) cipher

• Statistical attack on the mono-alphabetic substitution ciphercould be carried out because the mapping of each letter wasfixed.

• Such an attack can be thwarted by mapping di↵erentinstances of the same plaintext character to di↵erentciphertext characters.

plaintext: tellhimaboutme

Key: cafecafecafeca

Ciphertext: WFRQKJSFEPAYPF}


Breaking the Vigenere cipher

• Say the length of the key, called the period, is t. Then theciphertext can be divided up into t parts where each part canbe viewed as being encrypted using a single instance of theshift cipher.

• More precisely, if k = k1 . . . , kt and c1, c2, . . . , cn are theciphertext characters, then for every j(1 j t) the set ofcharacters

cj , cj+t , cj+2t , . . .

were all encrypted by a shift cipher using key kj .

• Now use the statistical method previously described toautomatically find the correct shift.


The index of coincidence

• It remains to determine the length of the key. Recall that if tis the key-length, then the ciphertext characters

cj , cj+t , cj+2t , . . .

were all encrypted using the same shift. Let qi denote thefrequency of the ith English letter in this sequence.

• In other words, the sequence p0, . . . , p25 is identical to thesequence q0, . . . , q25 shifted by kj places and we would expect

25X

i=0

q

2i =

25X

i=0

p

2i ⇡ 0.065.


Putting the theory into practice

• For each ⌧ = 1, 2, . . . tabulate frequencies q0, . . . , q25 for thesequence c1, c1+⌧ , c1+2⌧ , . . ., then compute

S⌧def=

25X

i=0

q

2i .

• When ⌧ = t we expect to see S⌧ ⇡ 0.065. On the other hand,when ⌧ 6= t we expect all characters with roughly equalprobability and qi ⇡ 1/26 for all I . In this case,

S⌧ ⇡25X

i=0

1/262 ⇡ 0.038.


Principles of modern Cryptography

1. Formulate a rigorous definition of security.

2. Precisely state each unproven assumption and keep this listshort as possible.

3. Provide rigorous proofs of security according to definitionsformulated in principle 1, and relative to the assumptionsstated in principle 2.


Easier than it looks

But how should secure encryption be defined?

Documents

Principles of modern cryptography