
Week 1: Classical vs Modern Cryptography
Dr Emiliano De Cristofaro
UCL Intro to Crypto 16/17

Instructors
Lecturer: Dr Emiliano De Cristofaro
E-mail: e.decristofaro@ucl.ac.uk
Office hours: Tue 4-6pm, in MPEB 6.04 (6th floor)

Demonstrators (tutorial sessions):


Andrea Cerulli (andrea.cerulli.13@ucl.ac.uk)
Apostolos Pyrgelis (apostolos.pyrgelis.14@ucl.ac.uk)
Last Updated: 01/10/16


Classical vs Modern Crypto


Classical Cryptography:
People have used ciphers for centuries
The art of writing and solving codes (Oxford)

Modern Cryptography (our focus):


Starts in late 70s/80s
Not an art but a science
Provable security

Symmetric Ciphers


Substitution Cipher

k :=


Caesar Cipher


Caesar cipher
Encrypt: Rotate k letters forward

Key:
k = 3
Plaintext:
m = venividivici*
Ciphertext:
c = zhqmzmgmzmfm
Decrypt: Rotate k letters backwards

*I came, I saw, I conquered



Cryptanalysis of Caesar's Salad

Challenge

Key:
k = ?
Plaintext:
m = ?
Ciphertext:
c = vagebgbpelcgb

Hint: Plaintext is in English


For more fun:
https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript

Cryptanalysis
Brute force attack:
26 possible keys since English has 26 letters
Shortcut attack:
The most frequent letter in English is e, so you might
guess that g = e ROT k


Frequency table


Affine cipher
Interpret alphabet as numbers 0, ..., 25
Key k = (a,b)
Encrypt(k,m) = am+b mod 26
Decrypt(k,c) = $a^{-1}(c-b) \bmod 26$

a must be invertible, i.e., there exists a number $a^{-1}$ such that $a^{-1}a \equiv 1 \pmod{26}$

Modular arithmetic
Given integers x>0, y, z we write
$z \equiv y \pmod{x}$ [e.g., $7 \equiv 3 \pmod{4}$, $17 \equiv 2 \pmod{5}$]
when there is an integer s such that
z-y = sx
Given (x,y), we can always find unique (r,s) such that:
y = sx+r
[e.g., given (17,5), 17=3*5+2]
with $r \in \{0,1,\ldots,x-1\}$

If y = sx+r then $y \equiv r \pmod{x}$



Cryptanalysis of Affine cipher


Brute force: $12 \cdot 26$ possible keys
But also shortcut attack: consider, for instance,
c = fdbkjfhblkfhkffsdbkcbccwedfcc
Frequency: f 6, c 5, b 4,...
Guess f (5) encrypts e (4) and c (2) encrypts t (19)
$a \cdot 4 + b = 5 \bmod 26$, $a \cdot 19 + b = 2 \bmod 26$
Solve the system to get a = 5 and b = 11
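
Added example (not part of the original slides): the shortcut attack above in Python, solving the two congruences for (a, b) from the guessed letter pairs. The function names are illustrative, and a guess that yields no invertible a is rejected instead of being returned as a key.

```python
from collections import Counter
from math import gcd

A = ord("a")
SLIDE_CIPHERTEXT = "fdbkjfhblkfhkffsdbkcbccwedfcc"  # ciphertext from the slide

def solve_affine(p1, c1, p2, c2, n=26):
    """Solve a*p1+b = c1 and a*p2+b = c2 (mod n) for the key (a, b).

    Returns None when the guessed pairs do not determine a usable key.
    """
    dp, dc = (p1 - p2) % n, (c1 - c2) % n
    if gcd(dp, n) != 1:
        return None                      # a*dp = dc has no unique solution mod n
    a = dc * pow(dp, -1, n) % n          # subtract the equations, divide by dp
    if gcd(a, n) != 1:
        return None                      # a has no inverse: not a valid affine key
    return a, (c1 - a * p1) % n

def encrypt(key, text):
    a, b = key
    return "".join(chr((a * (ord(ch) - A) + b) % 26 + A) for ch in text)

def decrypt(key, text):
    a, b = key
    a_inv = pow(a, -1, 26)               # modular inverse (Python 3.8+)
    return "".join(chr(a_inv * (ord(ch) - A - b) % 26 + A) for ch in text)

def key_from_frequencies(ciphertext, likely=("e", "t")):
    """Assume the two most frequent ciphertext letters encrypt `likely`."""
    (c1, _), (c2, _) = Counter(ciphertext).most_common(2)
    p1, p2 = likely
    return solve_affine(ord(p1) - A, ord(c1) - A, ord(p2) - A, ord(c2) - A)

if __name__ == "__main__":
    key = key_from_frequencies(SLIDE_CIPHERTEXT)
    print("recovered key (a, b):", key)
    sample = "attackatdawn"              # constructed plaintext for a round trip
    assert decrypt(key, encrypt(key, sample)) == sample
    # A frequency guess is only a hypothesis: if it returns None, or the
    # decryption is not readable, try the next pairing of frequent letters.
    print(solve_affine(4, 5, 19, 3))     # constructed bad guess -> None
```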

Substitution cipher
Key
a b c d e f g h i j k l m ... z
g a h e j k l q r t x d i ... b
Encrypt and decrypt by looking up in the codebook
26! possible keys, brute force attack hard
Yet, frequency analysis makes a short-cut attack
possible

Rotor Machines
Early example: the Hebern machine (single rotor)
A B C . . X Y Z

key
K S T . . R N E
E K S T . . R N
N E K S T . . R

Rotor Machines
Most famous: the Enigma (3-5 rotors)

# keys = $26^4$ = $2^{18}$ (actually $2^{36}$ due to plugboard)

Permutation cipher
Block-wise permutation

Key: $k = (1 \to 2,\ 2 \to 4,\ 3 \to 3,\ 4 \to 1)$
Plaintext:
m = perm utat ions
Ciphertext:
c = mpre tuat sino
Cryptanalysis
Permutation size divides ciphertext length
Reverse-engineer permutation using digram frequencies

Kerckhoffs' principle
Decryption algorithms cannot be kept secret

Consider, for instance, encryption in the military. Thousands
know the decryption algorithm. Sooner or later somebody
will leak it.
Instead: Use publicly known algorithms, but have a
secret key K that can easily be changed and selected
individually

Cipher

Key space K
Message space M
Ciphertext space C
Encryption
Enc: $K \times M \to C$
Decryption
Dec: $K \times C \to M$

Correct decryption
For all k, m we have
Dec(k,Enc(k,m)) = m
Security?


Correct decryption
[Figure: Alice, Bob and Eve, with labels m and E(k,m)]


Perfect Secrecy
Message distribution independent of ciphertexts
Let (X,Y) be a joint probability distribution of plaintexts
and ciphertexts
For all $m \in M$ and $c \in C$
Pr[X=m|Y=c] = Pr[X=m]

What does this mean?



Perfect Secrecy (cntd)


See Lemma 2.2 and 2.3

Pr[Y=c|X=m] = Pr[Y=c]
Pr[Y=c|X=m0] = Pr[Y=c|X=m1], for all m0,m1


Perfect Indistinguishability
Game between unbounded Adv A and Challenger Ch
A is given sec. par. n and outputs $m_0, m_1$ (eq. length)
Ch generates $k \leftarrow \mathrm{Gen}(1^n)$
Ch picks a random $b \in \{0,1\}$
Ch encrypts $c \leftarrow \mathrm{Enc}_k(m_b)$
A outputs bit guess, wins if guess=b

Scheme has indistinguishability if:

Pr[A wins] =
(equivalent to perfect secrecy)



Vernam one-time pad


Encryption
Enc(k,m) = $m \oplus k$
Decryption
Dec(k,c) = $c \oplus k$

m = 101111
k = 010010
c = 111101
c = 111101
k = 010010
m = 101111

Perfectly secure! (Proof Theorem 2.6)



Why we don't use it? Shannon


If |K|=|C|=|M| then perfect security if and only if each key has same probability
(uniform distribution) and for all pairs (m,c) there exists unique possible key k
[Figure: messages m1, m2, m3 and keys k1, k2, k3]

This implies |K|>|M|, i.e., keys as long as the messages


Homework: Why can't we re-use OTP keys?
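
Added example (not from the original slides): an exact check of the perfect secrecy definition Pr[X=m|Y=c] = Pr[X=m] for the one-time pad on 3-bit messages, covering the Perfect Secrecy, Vernam and Shannon slides. The message prior and the short and biased key distributions are constructed for illustration.

```python
from fractions import Fraction

def posterior(msg_prior, key_dist, enc):
    """Pr[X=m | Y=c] for every m and every c with Pr[Y=c] > 0, computed exactly."""
    joint, p_c = {}, {}
    for m, pm in msg_prior.items():
        for k, pk in key_dist.items():
            c = enc(k, m)
            joint[(m, c)] = joint.get((m, c), 0) + pm * pk
            p_c[c] = p_c.get(c, 0) + pm * pk
    return {(m, c): joint.get((m, c), Fraction(0)) / p_c[c]
            for m in msg_prior for c in p_c}

def perfectly_secret(msg_prior, key_dist, enc):
    """Slide definition: Pr[X=m | Y=c] = Pr[X=m] for all m and c."""
    post = posterior(msg_prior, key_dist, enc)
    return all(p == msg_prior[m] for (m, _c), p in post.items())

def otp(k, m):
    return m ^ k                      # Enc(k,m) = m XOR k

def uniform(keys):
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}

# Constructed sample: a skewed prior over the eight 3-bit messages.
PRIOR = {m: Fraction(m + 1, 36) for m in range(8)}

FULL = uniform(range(8))              # keys as long as messages, uniform
SHORT = uniform(range(4))             # only 2-bit keys: fewer keys than messages
BIASED = {k: Fraction(1, 2) if k == 0 else Fraction(1, 14) for k in range(8)}

if __name__ == "__main__":
    for name, kd in [("uniform 3-bit keys", FULL),
                     ("2-bit keys", SHORT),
                     ("biased 3-bit keys", BIASED)]:
        print(f"{name}: perfectly secret = {perfectly_secret(PRIOR, kd, otp)}")
    # What Eve learns from c = 111 when the key space is too small:
    print("Pr[X=111 | Y=111] =", posterior(PRIOR, SHORT, otp)[(7, 7)],
          "vs prior", PRIOR[7])
```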

What can we do?


Perfect security impractical

Relax security definition


Go for computational approach


Computational Approach
Information Theoretic security
Perfect secrecy (impractical)
Adv: not enough information

Computational security
Adv: not enough computational power
Weaker model but good enough in practice
(if carefully defined)

Concrete Security 1/2


We consider a maximum time the adversary can run
That is, we limit their resources

We accept a small probability the adversary wins


A scheme is (t-) secure if:
Every Adv running for at most time t succeeds in breaking
scheme with prob. at most
E.g., $t = 2^{80}$ cpu cycles, < $2^{-64}$

Concrete Security 2/2


Defining and t extremely important
Often defined as a function of key length n and t: < $t/2^n$
But the other way around is valid too, i.e., given and t,
derive the desired key length

Still how do we estimate t???


Asymptotic Security 1/2


Introduce the concept of a security parameter n
Use it to define security:
Against a probabilistic algorithm running in time
polynomial in n
That is, t is in the order of $n^c$


Asymptotic Security 2/2


Use it to define probability of success ():
Smaller than inverse polynomial in n (e.g., $n^{-c}$)
is negligible in n

Negligible function:
A function growing slower than any inverse polynomial
f is negligible if for every polynomial p, there exists an N
s.t. for all n > N, f(n) < 1/p(n)

Negligible advantage
Natural examples:
$2^{-n}$ is negligible
$n^{-1}$ is not negligible

Less natural examples:
$2^{1000000-n}$ is negligible
$n^{-100}$ is not negligible

Negligibility
Why define negligible as smaller than the inverse of any
polynomial?
Closed under composition
negl(n) + negl(n) = negl(n)

Resists polynomial scaling


poly(n) $\cdot$ negl(n) = negl(n)


Asymptotic Complexity
Obvious examples
t(n) = $n^2$ is efficient
t(n) = $2^n$ is not efficient
Not so obvious examples
t(n) = $n^{100} + 1000000000000$ is efficient
t(n) = $2^{n-1000000}$ is not efficient

Polynomial time
Why define efficient as polynomial time?
Combining two poly time machines gives poly time
machine
poly(n) + poly(n) = poly(n)
poly(n)poly(n) = poly(n)
poly(poly(n)) = poly(n)

At least better than exponential time


Experience shows that security against poly time
adversary corresponds well with real-life security

Using Asymptotic Security


A scheme is secure if, for a given security parameter n,
an adversary running in time t polynomial in n succeeds in
breaking the scheme with only negligible probability

In practice n is at least 80 (128 better)

Assume an adv running for $n^3$ mins wins with prob. $2^{40} \cdot 2^{-n}$
If n<40, then running for $40^3$ wins with prob. 1


Concrete vs Asymptotic 1/2


Concrete:
n = 128, t = 2 years, = 0.000001
Adversary has 1,000,000
Asymptotic:
t(n) polynomial in n
(n) negligible in n
Adversary is Turing machine that can take t(n) steps

Concrete vs Asymptotic 2/2


Concrete security: t-bounded adversary has chance of
breaking the system
Advantage: What we want in practice
Disadvantage: System dependent, cumbersome to gauge

Asymptotic security: efficient adversary has negligible
chance of breaking system
Advantage: Easy to work with, fixed system
Disadvantage: Less clear correspondence to practice, how
to choose security parameter

Perfect Indistinguishability
Game between unbounded Adv A and Challenger Ch
A is given sec. par. n and outputs $m_0, m_1$ (eq. length)
Ch generates $k \leftarrow \mathrm{Gen}(1^n)$
Ch picks a random $b \in \{0,1\}$
Ch encrypts $c \leftarrow \mathrm{Enc}_k(m_b)$
A outputs bit guess, wins if guess=b

Scheme has indistinguishability if:

Pr[A wins] =
(equivalent to perfect secrecy)



Computational Indistinguishability
Game between t(n)-bounded Adv A and Challenger Ch
A is given $1^n$ and outputs $m_0, m_1$ (eq. length)
Ch generates $k \leftarrow \mathrm{Gen}(1^n)$
Ch picks a random $b \in \{0,1\}$
Ch encrypts $c \leftarrow \mathrm{Enc}_k(m_b)$
A outputs bit guess, wins if guess=b

Scheme has (t(n)-(n)) indistinguishability if:

Pr[A wins] +
(for negligible in n)