Sharif University of Technology
Department of Computer Engineering
Data and Network Security Lab

A Primer on Modern Cryptography (1)

Author: Ahmad Boorghany
Instructor: Dr. Rasool Jalili

Sharif University Introduction to Modern Cryptography Spring 2015

Outline
- Definition of Modern Cryptography
- Evolution from Classic to Modern Cryptography
- Principles of Modern Cryptography
  - Exact Definitions
  - Precise Assumptions
  - Rigorous Proofs of Security
- An Introduction to Theory of Complexity
- Course Topics

Modern Cryptography and its relation to classic cryptography

Classic Cryptography
Concise Oxford Dictionary (2006): Cryptography is the art of writing or solving codes.
Classically, cryptography
- Focused solely on secret communication
- Seen as an art, relied on creativity and personal skill
- Used only by military and intelligence

Modern Cryptography
In the late 20th century, cryptography deals with message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash, and more.
Nowadays, cryptography is almost everywhere:
- ATM machines
- Online banking
- All HTTPS websites
- Remote login and file transfer (SSH, …)
- Mobile communications (GSM, …)
- Wireless networking (Wi-Fi, WiMAX, …)

Cryptography is Everywhere!
An encrypted web communication (HTTPS)

Cryptography is Everywhere! (cont.)
11,748 Android apps use cryptography (encryption); however, 10,327 (88%) get it wrong [EBFK13]

Definition of Modern Cryptography
Katz and Lindell [KL08]: (Modern) Cryptography is the scientific study of techniques for securing digital information, transactions, and distributed computations.
[Image courtesy of Amazon]

Cryptography Concerns
Example: An encryption scheme
Our concerns:
- How to define security goals?
- How to design $\mathcal{E}$ and $\mathcal{D}$?
- How to gain confidence that $\mathcal{E}$, $\mathcal{D}$ achieve our goal?
[Image courtesy of Microsoft]

Cryptography Concerns (cont.)
- How does computer/system protect $K$ from break-in (viruses, vulnerabilities, …)? Not our concern in this class.
- How do we use $K$ to ensure security of communication over an insecure network? That’s our business.
[Image courtesy of Microsoft]

Classic Ciphers
- What is its key length?
- However, not very secure!

Classic Ciphers (cont.)
- Enigma: German World War II machine
- Broken by British in an effort led by Turing
[Images courtesy of Wikipedia and Louise Dade]

One-time-pad (OTP) Encryption
Proven by Shannon

Principles of Modern Cryptography

Modern Cryptography: A Computational Science
Security of a “practical” system must rely not on the impossibility but on the computational difficulty of breaking the system.
“Practical” = more message bits than key bits
Rather than: “It is impossible to break the scheme”
We might be able to say: “Attacks can exist as long as cost to mount them is prohibitive”
[Image courtesy of mynextbrain.com]

Modern Cryptography: A Computational Science (cont.)
A sample security proposition:
  Cannot be broken with probability better than $10^{-30}$ in 200 years, using the fastest available supercomputer.
Cryptography is now not just mathematics; it needs to draw on computer science:
- (Computational) Complexity Theory
- Design of Algorithms
[Image courtesy of snookerbacker.com]

Concrete vs. Asymptotic Security
Two approaches to define security goals:
- Concrete/Exact Security or $(t, \varepsilon)$-Security: No attack using $\le 2^{160}$ time succeeds with probability $\ge 2^{-20}$
- Asymptotic Security: Any efficient adversary succeeds with only a negligible probability
  - “Efficient” = Probabilistic Polynomial Time (next sess.)
  - “Negligible” = Easily (!) defined by a number of quantifiers

Kerckhoffs’ principle
Auguste Kerckhoffs in the late 19th century: The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
Why?
- Easier to maintain secrecy of a short key rather than an algorithm
- Algorithm parts may be leaked: insider or reverse eng.
- Key revocation/reissue is easier than algorithm revocation/reissue!
- Different people communication: different keys or different algorithms?
[Image courtesy of Wikipedia]

Modern Crypto Principles: Exact Definitions
Why exact definitions for security?
- Importance for design
  - To know what to design
  - Not to provide more than what is needed: efficiency (different definitions with different security levels are usually proposed for any crypto concept)
- Importance for usage
  - Application designers match their requirement with what a scheme provides
  - More precise application verification
  - Not to use the most secure scheme if not needed: efficiency
- Importance for study
  - Comparing different schemes
  - More precise efficiency/security trade-off
  - Needed for security proofs (later)

Modern Crypto Principles: Precise Assumptions
Most modern cryptographic constructions cannot be proven secure unconditionally. Thus, they rely on some assumptions:
- Hardness of mathematical problems
- Hardness of cryptographic primitives
Why precise assumptions?
- Validation of the assumption
  - Reliable assumptions should be examined and tested a lot without being successfully refuted.
  - The hardness of an assumption may be implied by another widely-believed hard assumption.
  - Both above need precise assumptions.

Modern Crypto Principles: Precise Assumptions (cont.)
Why precise assumptions?
- Comparison of schemes
  - Scheme A relies on assumption X
  - Scheme B relies on assumption Y
  - (Stronger) assumption X implies (weaker) assumption Y
  - Scheme B is better: X may become invalid while Y still holds, but not vice versa.
  - If X and Y are incomparable: (usually) the more-studied/simpler assumption is better.
- Needed for security proofs (later)

Modern Crypto Principles: Rigorous Proofs of Security
Why a security proof?
- Countless examples of unproven schemes that were broken
  - Sometimes immediately
  - Sometimes years after being presented or deployed
- Security testing is different from software testing
  - Cannot anticipate an adversary strategy
- Experience has shown that intuition here is disastrous.

Modern Crypto Principles: Rigorous Proofs of Security (cont.)
Reductionist Approach: Assumption X reduced to scheme A
Interpretations:
- If an adversary breaks the scheme A, it must have found a fast algorithm for X.
- The only way to break A is to solve X efficiently.
Two sub-approaches:
- Asymptotic: The reduction is itself polynomial-time.
- Concrete: $(t_A, \varepsilon_A)$ is not much different from $(t_X, \varepsilon_X)$.
[Image courtesy of derf.net]

Example Assumptions: Mathematical Problem
Integer Factorization is hard (after exact formulation)
If a scheme is provably secure assuming hardness of factorization:
- Bug in the scheme implies
  - attacker has found a way to factor fast
  - attacker is smarter than Gauss and smarter than all living mathematicians

Example Assumptions: Crypto Primitives
- Block cipher primitives: DES, AES, ...
- Hash functions: MD5, SHA1, SHA2, ...
Features:
- Few such primitives
- Bugs rare
- Design an art, confidence by history.
Drawback: Don’t directly solve any security problem.

Example Assumptions: Crypto Primitives (cont.)
Goal: Solve security problem of direct interest.
Examples: encryption, authentication, digital signatures, key distribution, ...
Features:
- Lots of them
- Bugs common in practice
History shows that building schemes from primitives is usually the weak link:
- AES or SHA-2 secure, yet
- Higher level scheme insecure

Theory of Complexity
An Introduction

Computation Model
Computation in cryptography is done by algorithms. But, what is an algorithm?
- Wikipedia: a step-by-step procedure for calculations.
- Oxford dictionary: a process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer.
We need a precise definition for algorithm/computation.
Formal definition: An algorithm = A Turing machine

Turing Machines
What is a Turing machine?
Semantics:
- An automaton with access to an infinite tape.
- Initially, the input is on the tape.
- Upon halting (if any), tape content is the output.
[Image courtesy of its designer]

Turing Machines (cont.)
What is a Turing machine?
Syntax: $M = (Q, \Sigma, \delta, q_0, F)$ is a 5-tuple, where
- $Q$ is a finite, non-empty set of states
- $\Sigma$ is the set of symbols
- $q_0 \in Q$ is the initial state
- $F \subseteq Q$ is the set of final or accepting states
- $\delta: (Q \setminus F) \times \Sigma \to Q \times \Sigma \times \{L, R, -\}$ is a transition function, where $L$ is left shift, $R$ is right shift, and $-$ is no move.

Turing Machines (cont.)
- Time complexity of $M$, $T(n)$: Maximum number of transitions for all inputs of length $n$.
  - Some $n$’s may not be in the domain. Why?
- Space complexity of $M$, $S(n)$: Maximum number of (scratch) memory cells used for all inputs of length $n$.
FACT: A present-day super-computer can be simulated by a Turing machine.
The notion of computability is fixed, regardless of the model of computation.
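The 5-tuple definition and the $T(n)$ / $S(n)$ measures above, as an added example that is not part of the original slides: a small simulator run on a constructed binary-increment machine. The two machines, all names, the step budget, and counting $S(n)$ as the number of distinct tape cells the head visits are assumptions made for the illustration.

```python
from itertools import product

BLANK = "_"
MOVES = {"L": -1, "R": +1, "-": 0}

# Constructed machine: binary increment, least significant bit on the right.
Q, SIGMA = {"right", "carry", "done"}, {"0", "1", BLANK}
Q0, F = "right", {"done"}
DELTA = {  # delta: (Q \ F) x Sigma -> Q x Sigma x {L, R, -}
    ("right", "0"): ("right", "0", "R"),
    ("right", "1"): ("right", "1", "R"),
    ("right", BLANK): ("carry", BLANK, "L"),   # reached the end, start adding 1
    ("carry", "1"): ("carry", "0", "L"),       # 1 + 1 = 0, carry moves left
    ("carry", "0"): ("done", "1", "-"),
    ("carry", BLANK): ("done", "1", "-"),      # overflow into a new digit
}
# Constructed machine that never reaches F, so it has no running time.
LOOP = {(q, s): (q, s, "-") for q in Q - F for s in SIGMA}

def is_total(delta, states=Q, final=F, sigma=SIGMA):
    """delta must be defined exactly on (Q \\ F) x Sigma."""
    return set(delta) == {(q, s) for q in states - final for s in sigma}

def run(word, delta=DELTA, q0=Q0, final=F, max_steps=10_000):
    """Return (output, transitions, cells visited), or None if M has not
    halted within max_steps (the budget is an assumption of this example)."""
    tape = dict(enumerate(word))               # sparse tape: position -> symbol
    state, head, steps, visited = q0, 0, 0, {0}
    while state not in final:
        if steps >= max_steps:
            return None
        state, write, move = delta[(state, tape.get(head, BLANK))]
        tape[head] = write
        head += MOVES[move]
        visited.add(head)
        steps += 1
    lo, hi = min(tape, default=0), max(tape, default=0)
    output = "".join(tape.get(i, BLANK) for i in range(lo, hi + 1))
    return output.strip(BLANK), steps, len(visited)

def complexity(n, alphabet="01", **kw):
    """(T(n), S(n)): worst case over every input of length n. None when some
    input did not halt within the budget, so T(n) is left undefined."""
    results = [run("".join(w), **kw) for w in product(alphabet, repeat=n)]
    if any(r is None for r in results):
        return None
    return max(r[1] for r in results), max(r[2] for r in results)
```

For this machine the worst case is the all-ones input, which gives $T(n) = 2n + 2$ and $S(n) = n + 2$; the looping machine shows why $T(n)$ can be undefined for some $n$.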
[Some text from Wikipedia]

Course Topics (tentative)

Course Topics
- Preliminaries (1 sess.)
  - Some fundamental concepts from complexity theory
  - Deeper look at security definition and model
  - Games as a useful tool for security definition and proof
- Primitives (1 sess.)
  - Mathematical notions for crypto primitives, e.g., one-way functions (OWF) and trapdoor permutations (TDP)
- Pseudo-randomness (1 sess.)
  - The notions of randomness and pseudo-randomness
  - Mathematical notions to capture pseudo-random primitives, e.g., pseudo-random generators (PRNG) and pseudo-random functions (PRF)

Course Topics (cont.)
- Simple cryptographic proofs (1 sess.)
  - Constructing and proving secure primitives, e.g., PRFs from PRGs
  - Samples of security definitions, attack models, and security proofs.
- Symmetric encryption (2 sess.)
  - Minimal full-fledged security definition for encryption (CPA)
  - Simple encryption scheme built upon PRFs
  - Provably-secure operation modes
  - Stronger notions of security for symmetric encryption (CCA).

Course Topics (cont.)
- Hash functions and message authentication codes (2 sess.)
  - Universal and collision-resistant hash function (CRHF)
  - Provably-secure message authentication codes
  - Provably-secure hash functions from other primitives, such as block ciphers.
  - Secure MACs using PRFs, CRHFs, and block ciphers.
- Asymmetric (public-key) encryption (3 sess.)
  - Different definitions for different levels of security for a public-key encryption scheme (CPA, CCA, CCA2, etc.)
  - Constructions: RSA, El-Gamal, GM, etc.

Course Topics (cont.)
- Mathematics of public-key cryptography (2 sess.)
  - Quick review on mathematical backgrounds, i.e., group theory, factoring, discrete logarithm problems, elliptic curves, etc.
- Applied provably-secure schemes (1 sess.)
  - Applications of provably-secure schemes
  - Authenticated encryption schemes and hybrid encryption

Course Topics (cont.)
Other topics
- Digital signature schemes (2 sess.)
- Simulation-based security definitions (3 sess.)
- Random oracle model (2 sess.)
- Identification and key distribution (3 sess.)
- Two-party and multi-party computation (3 sess.)
- Quantum and post-quantum cryptography (1 sess.)
- Review of other not-covered topics (1 sess.)

Questions?

References
[KL08] Katz, Jonathan, and Yehuda Lindell. Introduction to modern cryptography: principles and protocols. CRC Press, 2007.
[EBFK13] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 73-84. ACM, 2013.