Modern Cryptography
Dr Emiliano De Cristofaro
UCL Intro to Crypto 16/17
Instructors
Lecturer: Dr Emiliano De Cristofaro
E-mail: e.decristofaro@ucl.ac.uk
Office hours: Tue 4-6pm, in MPEB 6.04 (6th floor)
Symmetric Ciphers
Substitution Cipher
k :=
Caesar Cipher
Encrypt: Rotate k letters forward
Key: k = 3
Plaintext: m = venividivici*
Ciphertext: c = zhqmzmgmzmfm
Decrypt: Rotate k letters backwards
Key: k = ?
Plaintext: m = ?
Ciphertext: c = vagebgbpelcgb
Cryptanalysis
Brute force attack:
26 possible keys since English has 26 letters
Shortcut attack:
The most frequent letter in English is e, so you might
guess that g = e ROT k
Frequency table
Affine cipher
Interpret alphabet as numbers 0, ..., 25
Key k = (a,b)
Encrypt(k,m) = am+b mod 26
Decrypt(k,c) = a^(-1)(c-b) mod 26
Modular arithmetic
Given integers x>0,y,z we write
z ≡ y mod x [e.g., 7 ≡ 3 mod 4, 17 ≡ 2 mod 5]
when there is integer s so
z-y = sx
Given (x,y), we can always find unique (r,s) such that:
y = sx+r
[e.g., given (17,5), 17=3*5+2]
with r ∈ {0,1,…,x-1}
Substitution cipher
Key
a b c d e f g h i j k l m ... z
g a h e j k l q r t x d i ... b
Encrypt and decrypt by looking up in the codebook
26! possible keys, brute force attack hard
Yet, frequency analysis makes a short-cut attack
possible
Last Updated: 01/10/16
Rotor Machines
Early example: the Hebern machine (single rotor)
       A  B  C  .  .  X  Y  Z
key    K  S  T  .  .  R  N  E
       E  K  S  T  .  .  R  N
       N  E  K  S  T  .  .  R
Rotor Machines
Most famous: the Enigma
(3-5 rotors)
Permutation cipher
Block-wise permutation
Key: k = (1→2, 2→4, 3→3, 4→1)
Plaintext:
m = perm utat ions
Ciphertext:
c = mpre tuat sino
Cryptanalysis
Permutation size divides ciphertext length
Reverse-engineer permutation using digram frequencies
Kerckhoffs principle
Decryption algorithms cannot be kept secret
Cipher
Key space K
Message space M
Ciphertext space C
Encryption
Enc: K × M → C
Decryption
Dec: K × C → M
Correct decryption
For all k, m we have
Dec(k,Enc(k,m)) = m
Security?
Correct decryption
[Figure: Alice, Bob and Eve, with labels m and E(k,m)]
Perfect Secrecy
Message distribution independent of ciphertexts
Let (X,Y) be a joint probability distribution of plaintexts
and ciphertexts
For all m ∈ M and c ∈ C
Pr[X=m|Y=c] = Pr[X=m]
Pr[Y=c|X=m] = Pr[Y=c]
Pr[Y=c|X=m0] = Pr[Y=c|X=m1], for all m0,m1
Perfect Indistinguishability
Game between unbounded Adv A and Challenger Ch
A is given sec. par. n and outputs m0,m1 (eq. length)
Ch generates k <- Gen(1^n)
Ch picks a random b ∈ {0,1}
Ch encrypts c <- Enc_k(m_b)
A outputs bit guess, wins if guess=b
m = 101111
k = 010010
c = 111101
c = 111101
k = 010010
m = 101111
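
The indistinguishability game above can be evaluated exactly for small ciphers. The Python below is an added example, not part of the original slides: it computes the winning probability of the best unbounded adversary for the 6-bit XOR cipher from the m/k/c slide and for the Caesar cipher. The function names, the uniform key choice and the message pairs are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product

def xor_enc(k, m):
    """XOR cipher from the m/k/c slide; k and m are equal-length bit strings."""
    return "".join(str(int(a) ^ int(b)) for a, b in zip(k, m))

def shift_enc(k, m):
    """Caesar cipher over a..z: rotate every letter k places forward."""
    return "".join(chr((ord(ch) - 97 + k) % 26 + 97) for ch in m)

def ciphertext_dist(enc, keys, m):
    """Exact Pr[Y=c | X=m], assuming Gen picks the key uniformly from keys."""
    dist = {}
    for k in keys:
        c = enc(k, m)
        dist[c] = dist.get(c, 0) + Fraction(1, len(keys))
    return dist

def best_win_probability(enc, keys, m0, m1):
    """Winning probability of the best unbounded adversary for (m0, m1).

    Seeing c, the optimal guess is the b with the larger Pr[Y=c | X=m_b];
    with b uniform this gives Pr[win] = 1/2 * sum_c max(Pr[c|m0], Pr[c|m1]).
    """
    d0 = ciphertext_dist(enc, keys, m0)
    d1 = ciphertext_dist(enc, keys, m1)
    return sum(max(d0.get(c, 0), d1.get(c, 0)) for c in set(d0) | set(d1)) / 2

XOR_KEYS = ["".join(bits) for bits in product("01", repeat=6)]  # all 6-bit keys
SHIFT_KEYS = list(range(26))

if __name__ == "__main__":
    # Constructed message pairs; any equal-length pair can be substituted.
    print("XOR, 6 bits:      ", best_win_probability(xor_enc, XOR_KEYS, "101111", "000000"))
    print("Caesar, 1 letter: ", best_win_probability(shift_enc, SHIFT_KEYS, "a", "b"))
    print("Caesar, 2 letters:", best_win_probability(shift_enc, SHIFT_KEYS, "aa", "ab"))
```

With one key letter reused across two plaintext letters, every ciphertext of "aa" has two equal letters and no ciphertext of "ab" does, so the adversary always wins. The XOR cipher with a fresh 6-bit key gives the same ciphertext distribution for both messages, so no adversary does better than 1/2.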
Computational Approach
Information Theoretic security
Perfect secrecy (impractical)
Adv: not enough information
Computational security
Adv: not enough computational power
Weaker model but good enough in practice
(if carefully defined)
Negligible function:
A function growing slower than any inverse polynomial
f is negligible if for every polynomial p, there exists an N
s.t. for all n > N, f(n) < 1/p(n)
Negligible advantage
Natural examples:
2^(-n) is negligible
n^(-1) is not negligible
Negligibility
Why define negligible as smaller than the inverse of any
polynomial?
Closed under composition
negl(n) + negl(n) = negl(n)
Asymptotic Complexity
Obvious examples
t(n) = n^2 is efficient
t(n) = 2^n is not efficient
Not so obvious examples
t(n) = n^100 + 1000000000000 is efficient
t(n) = 2^(n-1000000) is not efficient
Polynomial time
Why define efficient as polynomial time?
Combining two poly time machines gives poly time
machine
poly(n) + poly(n) = poly(n)
poly(n) · poly(n) = poly(n)
poly(poly(n)) = poly(n)
Perfect Indistinguishability
Game between unbounded Adv A and Challenger Ch
A is given sec. par. n and outputs m0,m1 (eq. length)
Ch generates k <- Gen(1^n)
Ch picks a random b ∈ {0,1}
Ch encrypts c <- Enc_k(m_b)
A outputs bit guess, wins if guess=b
Computational Indistinguishability
Game between t(n)-bounded Adv A and Challenger Ch
A is given 1^n and outputs m0,m1 (eq. length)
Ch generates k <- Gen(1^n)
Ch picks a random b ∈ {0,1}
Ch encrypts c <- Enc_k(m_b)
A outputs bit guess, wins if guess=b
(for negligible in n)