Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Introduction
The Setting of Private-Key Encryption
Foundations of Cryptography
Computer Science Department
Wellesley College
September 1, 2016
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Table of contents
Introduction
Syntax of encryption
Kerckho↵s’ Principle
Ancient history
Basic Principles
Ancient history
Basic Principles
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Ancient history
Basic Principles
Then and now
• Historically, cryptography focused
on the the art of secret
communication.
• Much has changed in the last thirty
years. Cryptography is used to
address a number of other
considerations.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
The basic setting of private-key encryption
• In a private-key setting, two
parties share some secret
information called a key.
• The party sending a
plaintext message uses the
key to encrypt the message
before it is sent.
• The receiver uses the same
key to decrypt the ciphertext
message upon receipt in
order to recover the
plaintext.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Important safety tip
• An implicit assumption in any
system using private-key encryption
is that the communicating parties
have some way of initially sharing a
key in a secret manner.
• In military settings, communicating
parties physically met in a secure
location in order to agree upon a
key.
• Not so easy when purchasing a first
edition on ebay.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
The syntax of encryption
A private-key encryption scheme is comprised of three algorithms:
1. The key-generation algorithm Gen is a probabilistic algorithm
that outputs a key k chosen according to some distribution
that is determined by the scheme.
2. The encryption algorithm Enc takes as input a key k and a
plaintext message m and outputs a ciphertext c denoted by
Enck (m).
3. The decryption algorithm Dec takes as input a key k and a
ciphertext c and outputs a plaintext m, denoted by Deck (c).
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Ancient history
Basic Principles
Time and space
• The set of all possible keys output
by the key generation algorithm is
called the key space and is denoted
by K.
• Almost always, Gen choose a key
uniformly at random from the key
space (in fact, one can assume
WLOG this is the case).
• The set of all “legal” messages is
denote M and is called the
plaintext space.
• The sets K and M together define
the possible ciphertexts denoted by
C.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Perfectly correct
• We assume that encryption schemes are perfectly correct,
meaning that for all k 2 K, m 2 M, and any c
Deck (c) = m with probability 1.
Enck (m),
• This implies that we may assume Dec is deterministic (since
Deck (c) must give the same output every time it is run) and
write m := Deck (c) to denote the decryption process.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Ancient history
Basic Principles
Well, duh
• It is clear that if the adversary
knows the algorithm Dec and the
key k shared by two communicating
parties, then all is lost.
• Best to keep the key a secret. But
what about the algorithm? For
that matter, why not keep Gen and
Enc a secret as well. (The plaintext
space would be harder to hide.)
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Kerckho↵s’ principle
The cipher method must not be required to be secret, and it must
be able to fall into the hands of the enemy without inconvenience.1
1
Why?
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Attack scenarios
• CipherText-only attack: The adversary just observes one or
more ciphertexts and attempts to determine the plaintext(s).
• Known-plaintext attack: The adversary learns one or more
pairs of plaintext/ciphertext encrypted under the same key.
The aim is to then determine the plaintext of other ciphertext.
• Chosen-plaintext attack: The adversary has the ability to
obtain the encryption of plaintext of its choice.
• Chosen-ciphertext attack: The adversary is given the
capability to obtain decryption of ciphertexts of its choice.
The aim is to determine the plaintext that was encrypted in
some other ciphertext that the adversary is unable to obtain
directly.)
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Substitution ciphers
Julius Caesar used a system that cyclically mapped letters to the
third letter in the alphabet.
plain:
CIPHER:
meet me after the toga party
PHHW PH DIWU WKH WRJD SDUMB
Of course, a shift may be of any amount:
c = Enck (m) = (p + k)
p = Deck c = (c
k)
mod 26.
mod 26.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Brute-force cryptanalysis
PHHW PH DIWHU WKH WRJD SDUWB
• Here we guessed that the
encryption scheme was
Caesar cipher (Remember:
The enemy knows the
system being used.)
• We use the fact that the key
space is small and the
plaintext is easily
recognizable.
Introduction
Syntax of encryption
KEY
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
oggv
nffu
meet
ldds
kccr
jbbq
iaap
hzzo
gyyn
fxxm
ewwl
dvvk
cuuj
btti
assh
zrrg
yqqf
xppe
wood
vnnc
ummb
tlla
skkz
rjjy
qiix
Kerckhoffs’ Principle
og
nf
me
ld
kc
jb
ia
hz
gy
fx
ew
dv
cu
bt
as
zr
yq
xp
wo
vn
um
tl
sk
rj
qi
chvgt
bgufs
after
zesdq
ydrcp
xcqbo
wbpan
vaozm
uznyl
tymxk
sxlwj
rwkvi
qvjuh
puitg
othsf
nsgre
mrfqd
lqepc
kpdob
jocna
inbmz
hmaly
glzkx
fkyjw
ejxiv
vjg
uif
the
sgd
rfc
qeb
pda
ocz
nby
max
lzw
kyv
jxu
iwt
hvs
gur
ftq
esp
dro
cqn
bpm
aol
znk
ymj
xli
vqic
uphb
toga
snfz
rmey
qldx
pkcw
ojbv
niau
mhzt
lgys
kfxr
jewq
idvp
hcuo
gbtn
fasm
ezrl
dyqk
cxpj
bwoi
avnh
zumg
ytlf
xske
rctva
qbsuz
party
ozqsx
nyprw
mxoqv
lwnpu
kvmot
julns
itkmr
hsjlq
grikp
fqhjo
epgin
dofhm
cnegl
bmdfk
alcej
zkbdi
yjach
xizbg
whyaf
vgxze
ufwyd
tevxc
Ancient history
Basic Principles
Sufficient key space principle
Any secure encryption scheme must have a key space that is not
vulnerable to exhaustive search.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
let’s completely
letters*
So let’s So
completely
mix mix
the the
letters*
*Or even invent our own -- the resulting encryptions are known as
monoalphabetic
*Or even inventciphers.
our own – the resulting encryptions are known as
Classic cryptology
mono-alphabetic ciphers..
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
26! keys should be a challenge to brute-force
• But mono-alphabetic substitution is still vulnerable to pattern
matching and statistical attack.
• Probable word attacks can be particularly devastating.
2-8
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Automating an attack on the shift cipher
• A simple calculation using the known values of pi , the
probability of the ith letter occurring in normal text, yields
25
X
i=0
pi2 ⇡ 0.065.
• Let qi denote the probability of the ith letter in a given
ciphertext. If the key is k, then we expect that qi+k ⇡ pi for
each i. Equivalently, computing
def
Ij =
25
X
i=0
pi · qi+j
for each j 2 {0, 1, . . . , 25}, then we expect Ik ⇡ 0.065 where
k is the actual key.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Vigenère (poly-alphabetic shift) cipher
• Statistical attack on the mono-alphabetic substitution cipher
could be carried out because the mapping of each letter was
fixed.
• Such an attack can be thwarted by mapping di↵erent
instances of the same plaintext character to di↵erent
ciphertext characters.
plaintext:
Key:
Ciphertext:
tellhimaboutme
cafecafecafeca
WFRQKJSFEPAYPF}
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Breaking the Vigenère cipher
• Say the length of the key, called the period, is t. Then the
ciphertext can be divided up into t parts where each part can
be viewed as being encrypted using a single instance of the
shift cipher.
• More precisely, if k = k1 . . . , kt and c1 , c2 , . . . , cn are the
ciphertext characters, then for every j(1  j  t) the set of
characters
cj , cj+t , cj+2t , . . .
were all encrypted by a shift cipher using key kj .
• Now use the statistical method previously described to
automatically find the correct shift.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
The index of coincidence
• It remains to determine the length of the key. Recall that if t
is the key-length, then the ciphertext characters
cj , cj+t , cj+2t , . . .
were all encrypted using the same shift. Let qi denote the
frequency of the ith English letter in this sequence.
• In other words, the sequence p0 , . . . , p25 is identical to the
sequence q0 , . . . , q25 shifted by kj places and we would expect
25
X
i=0
qi2
=
25
X
i=0
pi2 ⇡ 0.065.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Basic Principles
Putting the theory into practice
• For each ⌧ = 1, 2, . . . tabulate frequencies q0 , . . . , q25 for the
sequence c1 , c1+⌧ , c1+2⌧ , . . ., then compute
def
S⌧ =
25
X
qi2 .
i=0
• When ⌧ = t we expect to see S⌧ ⇡ 0.065. On the other hand,
when ⌧ 6= t we expect all characters with roughly equal
probability and qi ⇡ 1/26 for all I . In this case,
S⌧ ⇡
Introduction
Syntax of encryption
25
X
i=0
1/262 ⇡ 0.038.
Kerckhoffs’ Principle
Ancient history
Basic Principles
Principles of modern Cryptography
1. Formulate a rigorous definition of security.
2. Precisely state each unproven assumption and keep this list
short as possible.
3. Provide rigorous proofs of security according to definitions
formulated in principle 1, and relative to the assumptions
stated in principle 2.
Introduction
Syntax of encryption
Kerckhoffs’ Principle
Ancient history
Easier than it looks
But how should secure encryption be defined?
Basic Principles