
Cryptology at Vrije Universiteit

Feb 5, 2008

Lecture 1
Lecturer: Eike Kiltz (CWI) Spring 2008

1 Introduction

Assume there are three parties: Alice, Bob and Eve. Bob wants to send Alice a message that only she can read. Eve is an adversary that can intercept the communication between Alice and Bob but should not be able to learn the message. This is the essence of the problem of secure communication.

We fix some notation. The message m sent by Bob is called a plaintext. In order to prevent Eve from reading it, Bob applies some transformation to the plaintext which is called encryption. The result of the transformation is called the ciphertext c. We write c = Enc(m, ...). After receiving the ciphertext, Alice has to invert this transformation to reconstruct the plaintext using a decryption algorithm. We write m = Dec(c, ...). In encryption/decryption, the dots stand for some additional input that depends on the specific method used. Here are some examples of this additional input:

- K_A: some information (also called a key) only known to Alice.
- K_B: some information only known to Bob.
- pk: some public information known to everyone (including Eve).
- R: some random string (also called a nonce) used for encryption.

The above illustrates the example of secure communication or secure encryption. However, the broad area of cryptography includes many more topics. Examples include:

- electronic signatures, authentication, ...
- multi-lateral security: two- and multi-party computation
- zero-knowledge
- complex cryptographic protocols: electronic cash, anonymous voting
- cryptanalysis
- implementation (fast and secure) in software and hardware
- fundamental cryptographic primitives: one-way functions, pseudorandomness
- cryptography under different assumptions: quantum cryptography, bounded storage model, noisy channels

L1-1

2 Secret-Key Encryption

Alice and Bob can use a secret-key encryption scheme (also called symmetric encryption or a cipher) to achieve their goal of secure communication.

Definition 1 A secret-key encryption scheme with respect to a message space M, a key space K, and a ciphertext space C is defined by a pair (Enc, Dec) of algorithms, where

- Enc : K × M → C is the encryption algorithm. It takes as input a key K from the key space K and a message M from the message space M and outputs a ciphertext C := Enc(K, M) from the ciphertext space C.
- Dec : K × C → M is the decryption algorithm. It takes as input a key K ∈ K and a ciphertext C ∈ C and outputs a plaintext M := Dec(K, C).

We require the scheme to be correct, i.e., that for all keys K ∈ K and messages M ∈ M, Dec(K, Enc(K, M)) = M. Correctness means that if we first encrypt M with key K and then decrypt (using the same key), we get back the message M.

Note that the above definition does not talk about the scheme's security. Later we will formalize this by a separate definition. Informally, the scheme being secure means that an adversary who does not know the key K should not learn any (useful) information about M from a ciphertext C := Enc(K, M). When defining security we must be precise in specifying what it means to break the scheme and what kind of adversary is considered.

In order to use the encryption scheme, Alice and Bob must already share a secret key K. (Hence the name secret-key encryption scheme.) It seems unavoidable that Alice and Bob share some sort of information that Eve does not know: after all, Eve sees the whole conversation between Alice and Bob, and if Alice and Bob want to communicate privately, they must have some kind of advantage over Eve.

3 History

3.1 Kerckhoffs' principle

Historically, cryptography was considered the art of encryption, i.e., transforming a message into some gibberish such that only the party for which the message was intended could recover the message. To achieve this, the sender and receiver needed to share some information which was unknown to anyone else. Until the beginning of the 20th century, confidential messages were mostly sent by a trusted courier. Encryption was seldom used; it was more of an add-on for the case that the courier could not be trusted or was caught by the enemy. Authentication of messages was achieved by putting a sophisticated seal on the envelope. It was the invention of the radio which made the problem of encryption a primary concern, as now the messages were transmitted through the aether and thus were accessible to everyone. In the last few decades cryptography has matured from an art to a science, and the range of problems that are considered cryptographic is much broader than just encryption.

Figure 1: Caesar's cipher.

Auguste Kerckhoffs was a Dutch linguist and one of the earliest cryptographers. Already in the 19th century he formalized some requirements a cryptosystem should satisfy; one of them became known as Kerckhoffs' principle: "Het systeem dient, indien gecompromitteerd, de correspondenten niet in verlegenheid brengen" (the system must, if compromised, not embarrass the correspondents). Thus he requires that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. A classical example of a scheme not following this approach was used by Julius Caesar. He encrypted the messages sent to Rome by shifting each letter by three, so A became D, B became E, ..., Z became C. That might have worked against barbarians, but there are very good reasons why one should follow this principle: if a cryptosystem is widely employed, then it will be almost impossible to keep the scheme secret. You could say that the same holds for a secret key; the point is that a cryptosystem can be used with many different keys by different parties (thus leakage of a key will only affect the communication for which this particular key is used). Moreover, a (compromised) key can easily be replaced with a fresh one, whereas replacing a whole cryptosystem is more difficult.

3.2 Historical ciphers

We mention some cryptosystems that were (unsuccessfully) employed in history. Let us assume the plaintexts consist of the Roman alphabet, i.e., of the 26 characters A to Z, which we identify with the natural numbers 0, ..., 25. Therefore M = {0, ..., 25}*.

Shift Ciphers. In a shift cipher the secret key consists of an index K chosen from the key space K := {0, ..., 25}. To encrypt a message M = M1 ... Mn ∈ M consisting of n characters, the index is added to each character, taking into account a wrap-around modulo 26. That is, Enc(K, M1 ... Mn) = C1 ... Cn, where Ci = Mi + K mod 26. See Figure 1 for an illustration with K = 3. Of course this system is completely insecure since the key space only consists of 26 different elements. The plaintext can be recovered by a brute-force attack trying each of the 26 keys and testing whether the resulting plaintext makes any sense. As already mentioned, Julius Caesar used this cipher with a fixed value K = 3, which is nowadays known as Caesar's cipher. Another common variant is the so-called ROT-13 scheme, where K = 13.

Substitution Cipher. In a substitution cipher the secret key π consists of a (random) permutation on the alphabet. To encrypt a message M = M1 ... Mn consisting of n characters, the permutation is applied character by character, i.e., Enc(π, M1 ... Mn) = π(M1) ... π(Mn). Decryption simply inverts the permutation. A brute-force attack over all possible keys (there are 26! ≈ 2^86 of them) is considered to be impractical. However, using statistical attacks, the substitution cipher can be broken quite easily. The main observation is that letters in an average text do not occur with the same probability. In Dutch text, for example, the letter E appears with probability 18%, while Y has probability below 1%. See Figure 2.

Figure 2: The frequency of letters used in a piece of common Dutch text.

Vigenère Cipher. The Vigenère cipher (invented in the 15th century) is a generalization of the shift cipher. While the latter relies on a single index K to shift every letter by K positions, the key of the Vigenère cipher consists of k such indices K0, ..., K_{k-1}, which shift different letters by a different number K0, ..., K_{k-1} of positions: Enc(K, M1 ... Mn) = C1 ... Cn, where Ci = Mi + K_{i mod k} mod 26. The size of the key space is 26^k ≈ 2^{4.7k}, which becomes infeasible for brute-force attacks for moderate values of k. But again, statistical tests can be applied to break the scheme quite easily.

OV-chipkaart. The OV-chipkaart (with a total budget of $2 billion) is a recent example where a weak symmetric cipher is used. The system uses contactless smart cards, a technology that allows small digital cards to communicate by radio over short distances (i.e., centimeters or inches) with reader devices. It uses cryptography to, for example, authenticate itself to the reader, so that attackers cannot straightforwardly clone a card. Unfortunately the designers did not follow Kerckhoffs' principle and kept their cryptographic algorithms secret. Hence it was just a matter of time until a group of researchers reverse-engineered this secret algorithm from the card. This indeed happened very recently, and it turned out that the developers chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once the algorithm is known it is possible for an attacker to search the entire 48-bit key space, and therefore to forge cards in a matter of days.
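The following Python program is an added example, not part of the lecture notes: it implements the shift cipher and the Vigenère cipher on the alphabet {0, ..., 25} exactly as defined above, and runs the 26-key brute-force attack on the shift cipher, judging whether a candidate plaintext "makes sense" by a letter-frequency score. The English frequency table is a set of rounded constants chosen here (not the Dutch figure from the notes), and all sample messages are constructed.

```python
# Added example: shift / Vigenère ciphers over A..Z = 0..25, plus the 26-key
# brute-force attack on the shift cipher described in the notes.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def to_numbers(text):
    """Map A..Z to 0..25; non-letters are dropped, as in the lecture's model."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]

def to_text(numbers):
    """Map numbers back to letters, wrapping around modulo 26."""
    return "".join(ALPHABET[x % 26] for x in numbers)

def shift_encrypt(key, message):
    """Enc(K, M1...Mn) = C1...Cn with Ci = Mi + K mod 26."""
    return to_text(m + key for m in to_numbers(message))

def shift_decrypt(key, ciphertext):
    """Mi = Ci - K mod 26."""
    return to_text(c - key for c in to_numbers(ciphertext))

def vigenere_encrypt(key, message):
    """Ci = Mi + K_{i mod k} mod 26 for a key K = (K0, ..., K_{k-1})."""
    k = len(key)
    return to_text(m + key[i % k] for i, m in enumerate(to_numbers(message)))

def vigenere_decrypt(key, ciphertext):
    """Mi = Ci - K_{i mod k} mod 26."""
    k = len(key)
    return to_text(c - key[i % k] for i, c in enumerate(to_numbers(ciphertext)))

# Rounded relative frequencies (percent) of common English letters, constructed
# here for scoring; any reasonable language statistics would do.
ENGLISH_FREQ = {"E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7,
                "S": 6.3, "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "U": 2.8}

def english_score(text):
    """Higher when the letter distribution of `text` looks like English."""
    counts = Counter(text)
    return sum(ENGLISH_FREQ.get(ch, 0.0) * n for ch, n in counts.items())

def break_shift(ciphertext):
    """Brute force: decrypt under all 26 keys, return (key, plaintext) with the best score."""
    candidates = ((k, shift_decrypt(k, ciphertext)) for k in range(26))
    return max(candidates, key=lambda kp: english_score(kp[1]))

if __name__ == "__main__":
    msg = "SEE THE TREE AT THE TEA TENT"        # constructed sample plaintext
    c = shift_encrypt(3, msg)                   # Caesar's cipher, K = 3
    print(c, "->", break_shift(c))
    print(vigenere_encrypt([2, 0, 19], msg))
```

The brute-force step needs only 26 trial decryptions; the frequency score is what replaces the human reading "does this make sense" for each candidate.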

4 One-Time Pad

The one-time pad is an extremely simple and efficient (secret-key) encryption scheme. It was invented in 1917 by Vernam and Mauborgne. It took 25 years before the one-time pad was rigorously proven to be perfectly secure (as defined below) by Shannon.

Let ⊕ denote the bitwise XOR operation (i.e., addition in GF(2)), e.g., 0011 ⊕ 0101 = 0110. The encryption and decryption algorithms of the one-time pad for a key K ∈ K := {0,1}^n, a plaintext message M ∈ M := {0,1}^n, and a ciphertext C ∈ C := {0,1}^n are defined as

$$\mathrm{Enc}(K, M) = K \oplus M, \qquad \mathrm{Dec}(K, C) = C \oplus K .$$

Correctness of the scheme follows from the fact that 0 ⊕ 0 = 1 ⊕ 1 = 0, thus Dec(K, Enc(K, M)) = M ⊕ K ⊕ K = M. If the key K is chosen uniformly at random and used only once, then this scheme satisfies the strongest privacy requirement one could possibly come up with: the ciphertext C := K ⊕ M does not contain any information about M. Thus if Eve observes a ciphertext C being sent over the channel to Bob, she learns absolutely nothing about the message M = C ⊕ K (except the fact that Alice and Bob exchanged a message at all, and that its length is at most |C|).

5 Security of secret-key encryption

5.1 Learning absolutely nothing

The notion of learning absolutely nothing has a well-defined meaning, as shown by Claude Shannon, the inventor of information theory. If you're familiar with the Shannon entropy function H, let me mention that Shannon proved H(M | C) = H(M). The following security notion is equivalent, but does not need any background in information theory.

Definition 2 (One-Time Security) An encryption scheme (Enc, Dec) is perfectly one-time secure if for any two messages M0, M1 ∈ M of equal length, and any ciphertext C ∈ C,

$$\Pr[\mathrm{Enc}(K, M_0) = C] = \Pr[\mathrm{Enc}(K, M_1) = C],$$

where the probabilities are over the random choice of the key K.

Theorem 3 (Shannon) The one-time pad is perfectly one-time secure.

Proof: We must prove that for a uniformly random K ∈ {0,1}^n and any M0, M1, C ∈ {0,1}^n,

$$\Pr[K \oplus M_0 = C] = \Pr[K \oplus M_1 = C].$$

This holds as both probabilities are exactly 2^{-n}: for i ∈ {0,1} we have

$$\Pr[K \oplus M_i = C] = \Pr[K = M_i \oplus C] = 2^{-n},$$

where in the last step we used that K is uniformly random. Thus the probability that, of the 2^n possible choices for K, it takes a particular one (here M_i ⊕ C) is 2^{-n}.

Theorem 4 (Shannon) For any perfectly one-time secure scheme with key space K and message space M, we must have |K| ≥ |M|. Thus, the one-time pad is optimal in this regard.

Proof: Let C be any valid ciphertext of a perfectly one-time secure scheme, which corresponds to some message M1 under the appropriate choice of the key K1. Let us estimate m(C), the number of plaintext messages M that could result from the decryption of C under some valid secret key K. On the one hand, each key K in K can correspond to at most one M, since Alice can decrypt C in at most one way for each choice of K (otherwise unique decryption is not possible). Thus, m(C) ≤ |K|. On the other hand, we claim that m(C) = |M|, i.e., every M ∈ M can result in C when encrypted by Bob (under some key K). Indeed, if this were not the case for some M0, then Pr[Enc(K, M0) = C] = 0. However, since C is a valid ciphertext for some message M1 under some key K1, we have Pr[Enc(K, M1) = C] > 0, which contradicts perfect security. Thus, |M| = m(C) ≤ |K|, completing the proof.
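To make Definition 2 concrete, the following Python program (an added example, not part of the lecture notes) implements the one-time pad of Section 4 on byte strings, checks correctness, and then tests perfect one-time security by counting keys exhaustively for small parameters: for 3-bit strings every pair of messages has equally many keys mapping it to each ciphertext, as Theorem 3 states, while the shift cipher on two-letter messages already fails the test. It also shows why the key must be used only once: two ciphertexts under the same pad XOR to M0 ⊕ M1, which no longer depends on the key. All sample keys and messages are constructed.

```python
# Added example: one-time pad, an exhaustive check of Definition 2, and the
# leakage caused by reusing a pad.
from itertools import product

def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (addition in GF(2), bit by bit)."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs |K| = |M|")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(key, message):
    """Enc(K, M) = K xor M."""
    return xor_bytes(key, message)

def otp_decrypt(key, ciphertext):
    """Dec(K, C) = C xor K; correctness: M xor K xor K = M."""
    return xor_bytes(ciphertext, key)

def otp_bits(key, msg):
    """The one-time pad on tuples of bits, convenient for exhaustive enumeration."""
    return tuple(k ^ m for k, m in zip(key, msg))

def shift2(key, msg):
    """Shift cipher on two-letter messages (letters as 0..25): Ci = Mi + K mod 26."""
    return tuple((m + key) % 26 for m in msg)

def is_perfectly_one_time_secure(enc, keys, messages, ciphertexts):
    """Definition 2 by counting: with K uniform, Pr[Enc(K, M) = C] equals
    (#keys mapping M to C) / |K|, so the counts for M0 and M1 must agree for every C."""
    keys = list(keys)
    for m0, m1 in product(messages, repeat=2):
        for c in ciphertexts:
            n0 = sum(1 for k in keys if enc(k, m0) == c)
            n1 = sum(1 for k in keys if enc(k, m1) == c)
            if n0 != n1:
                return False
    return True

def two_time_pad_leak(key, m0, m1):
    """Pad reuse: Eve computes C0 xor C1 = M0 xor M1, which no longer involves K."""
    c0, c1 = otp_encrypt(key, m0), otp_encrypt(key, m1)
    return xor_bytes(c0, c1)

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(5)                # constructed sample key, |K| = |M|
    c = otp_encrypt(key, b"HELLO")
    print(otp_decrypt(key, c))                  # b'HELLO'
    bits = list(product((0, 1), repeat=3))      # all 3-bit keys, messages, ciphertexts
    print("OTP, n=3:", is_perfectly_one_time_secure(otp_bits, bits, bits, bits))
    pairs = list(product(range(26), repeat=2))
    print("shift cipher, 2 letters:",
          is_perfectly_one_time_secure(shift2, range(26), [(0, 0), (0, 1)], pairs))
    print(two_time_pad_leak(key, b"HELLO", b"WORLD") == xor_bytes(b"HELLO", b"WORLD"))
```

The shift cipher fails because the message (0, 1) can never encrypt to (0, 0): a single key shifts both letters by the same amount, so the ciphertext reveals the difference between the letters. The pad-reuse check is the practical reading of "used only once" in Section 4.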

5.2 Other security definitions

In the previous section we assumed that the attacker intends to learn some information about the plaintext given a ciphertext. While this is certainly a reasonable goal, there are other goals that are potentially easier to achieve but should arguably be prevented as well. Apart from the goals an adversary pursues, there are different possibilities an attacker might exploit for attacking an encryption scheme, e.g., ciphertext-only attacks, or attacks where one assumes that certain plaintext/ciphertext pairs are already known to the adversary. We will informally discuss the most common of these attack goals and capabilities in the sequel.

5.2.1 Adversarial goals

The following goals of an attacker are usually discussed (listed in decreasing strength).

- Total break: The adversary recovers the secret key. Clearly this will enable him to decrypt any other ciphertext.
- Universal break: The attacker finds an alternative method to decrypt any ciphertext, without necessarily recovering the secret key.
- Partial break: The attacker finds an alternative method to decrypt some particular ciphertexts.
- Partial information: The attacker finds a method to compute partial information about the plaintexts given some ciphertext, e.g., individual bits, a checksum, etc.

5.2.2 Adversarial capabilities

The following adversarial capabilities are usually discussed (listed in increasing strength).

- Ciphertext-only attack: The adversary only sees one ciphertext (or a sequence of ciphertexts) encrypted with the same (unknown) key, and does not know the corresponding plaintext.
- Known plaintext attack: The adversary gets a sequence of plaintext/ciphertext pairs encrypted using the same (unknown) key, and wants to attack an additional ciphertext whose corresponding plaintext is not known to him.
- Chosen plaintext attack: The adversary may choose a sequence of plaintexts himself and get their encryptions under the same fixed key. After that, he wants to attack an additional ciphertext whose corresponding plaintext is not known to him.
- Chosen ciphertext attack: Similar to chosen plaintext, but the attacker may additionally choose ciphertexts and get their decryptions under the considered key.

6 Authentication

For now we assumed that the adversary Eve can only listen to the channel over which Alice and Bob are talking. Thus when Bob receives a message, he can be sure it comes from Alice; such a channel is called authentic. In practice though, most channels are not authentic (just think of the Internet), so one must take extra effort to ensure authenticity. Note that authenticity and privacy are independent concepts. Sometimes one only needs the communication to be private (as in pay-TV applications, where the sender only wants receivers who paid to be able to decrypt), sometimes one only needs authenticity (say, a captain who receives weather data), but usually one needs both (as in e-banking).

6.1 Privacy does not imply Authenticity

Although the one-time pad gives perfect privacy, it does not provide any authenticity, so Bob will never know whether a message he received was really sent by Alice (unless this is otherwise guaranteed by the channel). Eve can simply send a ciphertext C to Bob, who will decrypt it to some value M := C ⊕ K. Here Eve has no control over what the message M will be (in fact, it will be uniformly random). Eve can also first wait for Alice to actually send a ciphertext C, and then replace it by some ciphertext C' := C ⊕ E for some E of her choice. Bob will decrypt this C' to M' := M ⊕ E (where M is the message originally encrypted by Alice). In particular, if Eve knows the message M contained in C, she can come up with an encryption of any message of her choice.
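As an added example (not from the notes), the following Python program plays out the two manipulations just described against a one-time-pad ciphertext on the channel: Eve XORs a difference E into C without knowing K, so Bob decrypts M ⊕ E; and when she knows the plaintext M she chooses E = M ⊕ M*, so Bob decrypts a message M* of her choosing. The key and messages are constructed. The point to take from it is that perfect privacy gives Bob no way to notice either change, which is exactly what the authentication schemes of the next section add.

```python
# Added example: malleability of the one-time pad (Section 6.1). Eve never
# learns K; she only XORs a difference into the ciphertext on the channel.
import secrets

def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def eve_flip(ciphertext, difference):
    """Eve replaces C by C' = C xor E; Bob will decrypt C' to M xor E."""
    return xor_bytes(ciphertext, difference)

def eve_substitute(ciphertext, known_message, target_message):
    """If Eve knows the M inside C, E = M xor M* makes Bob decrypt M* instead."""
    return eve_flip(ciphertext, xor_bytes(known_message, target_message))

def bob_receives(key, ciphertext):
    """Bob's view: Dec(K, C) = C xor K, with no check that C is authentic."""
    return xor_bytes(ciphertext, key)

if __name__ == "__main__":
    key = secrets.token_bytes(12)               # constructed one-time key
    m = b"TRANSFER 100"                         # constructed message from Alice
    c = xor_bytes(key, m)
    # Eve knows the message format and changes the amount without touching K.
    print(bob_receives(key, eve_substitute(c, m, b"TRANSFER 900")))  # b'TRANSFER 900'
    # Without knowing M at all, flipping one bit of C flips the same bit of M.
    e = bytes([0x20]) + bytes(11)               # toggles the case of the first letter
    print(bob_receives(key, eve_flip(c, e)))    # b'tRANSFER 100'
```

Both outputs decrypt "correctly" in the sense of Definition 1; nothing in the scheme distinguishes Eve's C' from a ciphertext Alice produced.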

6.2 Authentication Schemes

Note that if Eve has full control over the channel, i.e., she can delete and insert messages at will, there is no way one can guarantee that Bob will receive any message sent by Alice at all, as Eve can simply block all messages sent. Thus the best we can hope for is that Bob can determine (with very high probability) whether a message was sent by Alice. To achieve this, we will let Alice add an authentication tag to the message P sent (let us stress that P can be anything: some message in cleartext or, if privacy is a concern, an encrypted message). The authentication tag τ := F(K, P) is computed as a function of the message P and a secret key K shared by Alice and Bob. When Bob receives a message/tag pair (P, τ), he accepts the message as coming from Alice if τ = F(K, P).

Definition 5 (Message Authentication Code) A message authentication code (MAC) with respect to a key space K, a plaintext space P, and a tag space T consists of a tagging algorithm F : K × P → T. We write τ = F(K, P), where K ∈ K is a key and P ∈ P is a plaintext.


We call such a scheme an ε-secure message authentication code if, for any Eve, the probability is at most ε that after observing a valid message/tag pair (P, τ) (where τ := F(K, P) for a random K ∈ K), she can come up with another message/tag pair (P', τ') where P' ≠ P and τ' = F(K, P').

Definition 6 A message authentication code F : K × P → T is ε-secure if for any P ∈ P and any adversary A,

$$\Pr_{K \leftarrow \mathcal{K}}\bigl[\, F(K, P') = \tau' \;\wedge\; P' \neq P \;:\; (P', \tau') \leftarrow A(P, F(K, P)) \,\bigr] \le \varepsilon .$$

Such a scheme can be used by Alice and Bob to authenticate a message: assume Alice sends Bob a message (P, τ) where τ := F(K, P). If Eve does not alter the message, Bob will always accept the message as coming from Alice (as the check τ = F(K, P) will succeed). If Eve decides to replace (P, τ) with any other message/tag pair (P', τ') (where P' ≠ P), then Definition 6 guarantees that Bob will wrongfully accept P' as coming from Alice with probability at most ε. The size of the key space and of the tag space give an upper bound on the security that such a scheme can achieve, as shown by the following theorem.

Theorem 7 If F is an ε-secure message authentication code then (i) ε ≥ 1/|K|; and (ii) ε ≥ 1/|T|.

Proof: To prove (i), let the adversary A(P, F(K, P)) output (P', F(K', P')) for any P' ≠ P and any K' ∈ K. The probability that this is a good forgery is at least

$$\Pr[F(K', P') = F(K, P')] \;\ge\; \Pr[K' = K] = 1/|\mathcal{K}| ,$$

where in the last step we used that K is uniformly random. To prove (ii), let A(P, F(K, P)) output (P', τ') for any P' ≠ P and a uniformly random τ' ∈ T. The probability that this is a good forgery is

$$\Pr[F(K, P') = \tau'] = 1/|\mathcal{T}| .$$

Note that in both of the above cases, A did not even need its input (a valid message/authentication tag) to come up with a forgery which is correct with probability 1/|K| and 1/|T|, respectively.

6.3 MAC constructions

Intuitively, what the above security definition says is that even if the adversary sees a valid message/tag pair, it should in no way help it in finding a valid tag for another message. That is, the tag for any message should be independent of the tag on any other message. This brings us to the following notion of pairwise independent hash functions.

Definition 8 (Pairwise Independent) A keyed hash function H : K × P → T is pairwise independent if its output on a random key and any two distinct values is uniformly random and independent, or equivalently, if for any P, P' ∈ P with P ≠ P' and any A, A' ∈ T,

$$\Pr_{K \leftarrow \mathcal{K}}\bigl[\, H(K, P) = A \;\wedge\; H(K, P') = A' \,\bigr] = 1/|\mathcal{T}|^2 . \qquad (1)$$

Theorem 9 A pairwise independent hash function H : K × P → T is a 1/|T|-secure message authentication code.


The proof is an easy exercise and uses the fact that (1) directly implies

$$\Pr_{K \leftarrow \mathcal{K}}\bigl[\, H(K, P') = A' \;\big|\; H(K, P) = A \,\bigr] = 1/|\mathcal{T}| .$$

We now give a simple example of a pairwise independent hash function. Let p be prime and let Z_p denote the finite field of integers modulo p. Let H_PI : Z_p² × Z_p → Z_p be defined as H_PI(K, P) = P·K1 + K2 mod p, where K = (K1, K2) ∈ Z_p².

Lemma 10 H_PI : Z_p² × Z_p → Z_p is a pairwise independent hash function.

Proof: One can look at the key K as the column vector (K1, K2)^T ∈ Z_p × Z_p; the function H_PI can then be rewritten as

$$H_{PI}(K, P) = \begin{pmatrix} P & 1 \end{pmatrix} \begin{pmatrix} K_1 \\ K_2 \end{pmatrix} = P K_1 + K_2 .$$

Thus, for two distinct messages P ≠ P' we have

$$\begin{pmatrix} P & 1 \\ P' & 1 \end{pmatrix} \begin{pmatrix} K_1 \\ K_2 \end{pmatrix} = \begin{pmatrix} H_{PI}(K, P) \\ H_{PI}(K, P') \end{pmatrix} .$$

Since $\det \begin{pmatrix} P & 1 \\ P' & 1 \end{pmatrix} = P - P' \neq 0$, the matrix is invertible and therefore, for all A, A' ∈ Z_p,

$$\Pr_{K \leftarrow \mathcal{K}}\bigl[\, H(K, P) = A \;\wedge\; H(K, P') = A' \,\bigr]
= \Pr_{(K_1, K_2) \leftarrow \mathbb{Z}_p^2}\left[ \begin{pmatrix} P & 1 \\ P' & 1 \end{pmatrix} \begin{pmatrix} K_1 \\ K_2 \end{pmatrix} = \begin{pmatrix} A \\ A' \end{pmatrix} \right]
= \Pr_{(K_1, K_2) \leftarrow \mathbb{Z}_p^2}\left[ \begin{pmatrix} K_1 \\ K_2 \end{pmatrix} = \begin{pmatrix} P & 1 \\ P' & 1 \end{pmatrix}^{-1} \begin{pmatrix} A \\ A' \end{pmatrix} \right]
= \frac{1}{p^2} .$$
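The following Python program is an added example, not from the notes: it implements H_PI(K, P) = P·K1 + K2 mod p as a MAC (tag and verify), checks equation (1) of Definition 8 for a small prime by counting over all p² keys, and then measures the forgery bound of Theorem 9 by counting, among the keys consistent with an observed pair (P, τ), those under which a forged pair (P', τ') verifies. Probabilities are returned as exact fractions; p = 7 is an arbitrary small choice that keeps the enumeration instant.

```python
# Added example: the pairwise independent hash H_PI as a MAC, with exhaustive
# checks of Lemma 10 / equation (1) and of the 1/|T| forgery bound (Theorem 9).
from fractions import Fraction
from itertools import product
import secrets

def h_pi(key, message, p):
    """H_PI(K, P) = P*K1 + K2 mod p, with K = (K1, K2) in Z_p^2 and P in Z_p."""
    k1, k2 = key
    return (message * k1 + k2) % p

def tag(key, message, p):
    """Alice's tag tau = F(K, P)."""
    return h_pi(key, message, p)

def verify(key, message, tag_value, p):
    """Bob accepts (P, tau) iff tau = F(K, P)."""
    return h_pi(key, message, p) == tag_value

def pair_probability(p, m0, m1, a0, a1):
    """Pr over K uniform in Z_p^2 of [H(K,m0) = a0 and H(K,m1) = a1], by counting keys."""
    keys = list(product(range(p), repeat=2))
    hits = sum(1 for k in keys if h_pi(k, m0, p) == a0 and h_pi(k, m1, p) == a1)
    return Fraction(hits, len(keys))

def is_pairwise_independent(p):
    """Equation (1): probability exactly 1/p^2 for all distinct m0 != m1 and all a0, a1."""
    target = Fraction(1, p * p)
    for m0, m1 in product(range(p), repeat=2):
        if m0 == m1:
            continue
        for a0, a1 in product(range(p), repeat=2):
            if pair_probability(p, m0, m1, a0, a1) != target:
                return False
    return True

def forgery_probability(p, m, t, m_forged, t_forged):
    """Given that Eve saw the valid pair (m, t), the probability over the keys still
    consistent with it that her forgery (m_forged, t_forged) verifies.
    For m_forged != m this is 1/p = 1/|T|, matching Theorem 9."""
    consistent = [k for k in product(range(p), repeat=2) if h_pi(k, m, p) == t]
    wins = sum(1 for k in consistent if verify(k, m_forged, t_forged, p))
    return Fraction(wins, len(consistent))

if __name__ == "__main__":
    p = 7
    print("H_PI pairwise independent for p=7:", is_pairwise_independent(p))
    key = (secrets.randbelow(p), secrets.randbelow(p))   # constructed random key
    m, t = 3, tag(key, 3, p)
    print("Bob accepts Alice's pair:", verify(key, m, t, p))
    print("Eve's forgery succeeds w.p.", forgery_probability(p, m, t, 5, 2))  # 1/7
```

Seeing (P, τ) leaves exactly p of the p² keys possible, and for any P' ≠ P each candidate tag τ' is produced by exactly one of them, which is the conditional-probability statement used in the proof of Theorem 9.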

