Cryptography
Lecture 3
So far
- Heuristic constructions; build, break, repeat, ...
- This isn't very satisfying
- Can we prove that some encryption scheme is secure?
  - First need to define what we mean by "secure" in the first place
Modern cryptography
- Historically, cryptography was an art
  - Heuristic design and analysis
- Starting in the early '80s, cryptography began to develop into more of a science
  - Based on three principles that underpin most real-world cryptography today
Core principles of modern crypto
- Formal definitions
  - Precise, mathematical model and definition of what security means
- Assumptions
  - Clearly stated and unambiguous
- Proofs of security
  - Move away from the design-break-patch cycle
Importance of definitions
- Definitions are essential for the design, analysis, and sound usage of crypto
Importance of definitions -- design
- Developing a precise definition forces the designer to think about what they really want
  - What is essential and (sometimes more important) what is not
  - Often reveals subtleties of the problem
- If you don't understand what you want to achieve, how can you possibly know when (or if) you have achieved it?
Importance of definitions -- analysis
- Definitions enable meaningful analysis, evaluation, and comparison of schemes
  - Does a scheme satisfy the definition?
  - What definition does it satisfy?
- Note: there may be multiple meaningful definitions!
  - One scheme may be less efficient than another, yet satisfy a stronger security definition
Importance of definitions -- usage
- Definitions allow others to understand the security guarantees provided by a scheme
  - Enables schemes to be used as components of a larger system (modularity)
  - Enables one scheme to be substituted for another if they satisfy the same definition
Assumptions
- With few exceptions, cryptography currently requires computational assumptions
  - At least until we prove P ≠ NP (and even that would not be enough)
- Principle: any such assumptions must be made explicit
Importance of clear assumptions
- Allow researchers to (attempt to) validate assumptions by studying them
- Allow meaningful comparison between schemes based on different assumptions
  - Useful to understand the minimal assumptions needed
  - Practical implications if assumptions are wrong
- Enable proofs of security
Proofs of security
- Provide a rigorous proof that a construction satisfies a given definition under certain specified assumptions
  - Provides an iron-clad guarantee (relative to your definition and assumptions!)
- Proofs are crucial in cryptography, where there is a malicious attacker trying to break the scheme
Limitations?
- Cryptography still remains partly an art as well
- Proofs give an iron-clad guarantee of security relative to the definition and assumptions!
- Provably secure schemes can be broken!
  - If the definition does not correspond to the real-world threat model
    - I.e., if the attacker can go outside the assumed security model
    - This happens a lot in practice
  - If the assumption is invalid
  - If the implementation is flawed
    - This happens a lot in practice
Nevertheless
- This does not detract from the importance of having formal definitions in place and giving proofs of security
Defining secure encryption

Crypto definitions (generally)
- Security guarantee/goal
  - What we want to achieve (or what we want to prevent the attacker from achieving)
- Threat model
  - What (real-world) capabilities the attacker is assumed to have
Recall
- A private-key encryption scheme is defined by a message space M and algorithms (Gen, Enc, Dec):
  - Gen (key-generation algorithm): generates k
  - Enc (encryption algorithm): takes key k and message m ∈ M as input; outputs ciphertext c
    c ← Enc_k(m)
  - Dec (decryption algorithm): takes key k and ciphertext c as input; outputs m
    m := Dec_k(c)
Private-key encryption (diagram): the sender, holding key k, encrypts the message/plaintext m as c ← Enc_k(m) and sends the ciphertext c; the receiver, holding the same key k, decrypts it as m := Dec_k(c).
Threat models for encryption
- Ciphertext-only attack
  - One ciphertext or many?
- Known-plaintext attack
- Chosen-plaintext attack
- Chosen-ciphertext attack

Goal of secure encryption?
- How would you define what it means for encryption scheme (Gen, Enc, Dec) over message space M to be secure?
  - Against a (single) ciphertext-only attack
Secure encryption?
- Impossible for the attacker to learn the key
  - The key is a means to an end, not the end itself
  - Necessary (to some extent) but not sufficient
  - Easy to design an encryption scheme that hides the key completely, but is insecure
  - Can design schemes where most of the key is leaked, but the scheme is still secure

Secure encryption?
- Impossible for the attacker to learn the plaintext from the ciphertext
  - What if the attacker learns 90% of the plaintext?

Secure encryption?
- Impossible for the attacker to learn any character of the plaintext from the ciphertext
  - What if the attacker is able to learn (other) partial information about the plaintext?
    - E.g., salary is greater than $75K
  - What if the attacker guesses a character correctly, or happens to know it?

The right definition
- Regardless of any prior information the attacker has about the plaintext, the ciphertext should leak no additional information about the plaintext
- How to formalize?
Perfect secrecy

Probability review
- Random variable: variable that takes on (discrete) values with certain probabilities
- Probability distribution for a random variable gives the probabilities with which the variable takes on each possible value
  - Each probability must be between 0 and 1
  - The probabilities must sum to 1

Probability review
- Event: a particular occurrence in some experiment
  - E.g., the event that random variable X takes value x
- Pr[E]: probability of event E
- Conditional probability: probability that one event occurs, given that some other event occurred
  - Pr[A | B] = Pr[A and B] / Pr[B]
- Two random variables X, Y are independent if for all x, y: Pr[X=x | Y=y] = Pr[X=x]

Probability review
- Law of total probability: say E_1, …, E_n are a partition of all possibilities. Then for any A:
  Pr[A] = Σ_i Pr[A and E_i] = Σ_i Pr[A | E_i] · Pr[E_i]

Notation
- K (key space): set of all possible keys
- C (ciphertext space): set of all possible ciphertexts
Probability distributions
- Let M be the random variable denoting the value of the message
  - M ranges over the message space M
- Context dependent!
  - Reflects the likelihood of different messages being sent, given the attacker's prior knowledge
  - E.g., Pr[M = "attack today"] = 0.7, Pr[M = "don't attack"] = 0.3

Probability distributions
- Let K be a random variable denoting the key
  - K ranges over the key space K
- Fix some encryption scheme (Gen, Enc, Dec)
  - Gen defines a probability distribution for K: Pr[K = k] = Pr[Gen outputs key k]
  - Generally the uniform distribution, but ...

Probability distributions
- Assume random variables M and K are independent
  - I.e., parties don't pick the key based on the message, or the message based on the key
- In general, this assumption holds
  - If it doesn't hold, it can cause problems

Probability distributions
- Fix some encryption scheme (Gen, Enc, Dec), and some distribution for M
- Consider the following (randomized) experiment:
  1. Generate a key k using Gen
  2. Choose a message m, according to the given distribution
  3. Compute c ← Enc_k(m)
- This defines a distribution on the ciphertext!
- Let C be a random variable denoting the value of the ciphertext in this experiment
Example 1
- Consider the shift cipher
  - So for all k ∈ {0, …, 25}, Pr[K = k] = 1/26
- Say Pr[M = a] = 0.7, Pr[M = z] = 0.3
- What is Pr[C = b]?
  - Either M = a and K = 1, or M = z and K = 2
  - Pr[C=b] = Pr[M=a] · Pr[K=1] + Pr[M=z] · Pr[K=2]
    = 0.7 · (1/26) + 0.3 · (1/26)
    = 1/26

Example 2
- Consider the shift cipher, and the distribution on M given by Pr[M = one] = ½, Pr[M = ten] = ½
- Pr[C = rqh] = ?
  = Pr[C = rqh | M = one] · Pr[M = one] + Pr[C = rqh | M = ten] · Pr[M = ten]
  = 1/26 · ½ + 0 · ½ = 1/52
Perfect secrecy (informal)
- Regardless of any prior information the attacker has about the plaintext, the ciphertext should leak no additional information about the plaintext

Perfect secrecy (informal)
- Attacker's information about the plaintext = attacker knows the distribution of M
- Perfect secrecy: observing the ciphertext should not change the attacker's knowledge about the distribution of M

Perfect secrecy (formal)
- Encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for every distribution over M, every m ∈ M, and every c ∈ C with Pr[C=c] > 0, it holds that
  Pr[M = m | C = c] = Pr[M = m].
- I.e., the distribution of M does not change, even conditioned on observing the ciphertext
Example 3
- Consider the shift cipher, and the distribution Pr[M = one] = ½, Pr[M = ten] = ½
- Take m = ten and c = rqh
- Pr[M = ten | C = rqh] = ?
  = 0
  ≠ Pr[M = ten]

Bayes's theorem
- Pr[A | B] = Pr[B | A] · Pr[A] / Pr[B]

Example 4
- Shift cipher; Pr[M=hi] = 0.3, Pr[M=no] = 0.2, Pr[M=in] = 0.5
- Pr[M = hi | C = xy] = ?
  = Pr[C = xy | M = hi] · Pr[M = hi] / Pr[C = xy]

Example 4, continued
- Pr[C = xy | M = hi] = 1/26
- Pr[C = xy]
  = Pr[C = xy | M = hi] · 0.3 + Pr[C = xy | M = no] · 0.2 + Pr[C = xy | M = in] · 0.5
  = (1/26) · 0.3 + (1/26) · 0.2 + 0 · 0.5
  = 1/52

Example 4, continued
- Pr[M = hi | C = xy] = ?
  = Pr[C = xy | M = hi] · Pr[M = hi] / Pr[C = xy]
  = (1/26) · 0.3 / (1/52)
  = 0.6
  ≠ Pr[M = hi]

Conclusion
- The shift cipher is not perfectly secret!
  - At least not for 2-character messages
- How to construct a perfectly secret scheme?
One-time pad
- Patented in 1917 by Vernam
  - Recent historical research indicates it was invented (at least) 35 years earlier
- Proven perfectly secret by Shannon (1949)

One-time pad
- Let M = {0,1}^n
- Gen: choose a uniform key k ∈ {0,1}^n
- Enc_k(m) = k ⊕ m
- Dec_k(c) = k ⊕ c
- Correctness:
  Dec_k(Enc_k(m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = m

One-time pad (diagram): an n-bit key is XORed with an n-bit message to produce an n-bit ciphertext.

Perfect secrecy of one-time pad
- Note that any observed ciphertext can correspond to any message (why?)
  - (This is necessary, but not sufficient, for perfect secrecy)
- So, having observed a ciphertext, the attacker cannot conclude for certain which message was sent

Perfect secrecy of one-time pad
- Fix an arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n
- Pr[M = m | C = c] = ?
  = Pr[C = c | M = m] · Pr[M = m] / Pr[C = c]
- Pr[C = c]
  = Σ_{m'} Pr[C = c | M = m'] · Pr[M = m']
  = Σ_{m'} Pr[K = m' ⊕ c | M = m'] · Pr[M = m']
  = Σ_{m'} 2^{-n} · Pr[M = m']
  = 2^{-n}

Perfect secrecy of one-time pad
- Fix an arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n
- Pr[M = m | C = c] = ?
  = Pr[C = c | M = m] · Pr[M = m] / Pr[C = c]
  = Pr[K = m ⊕ c | M = m] · Pr[M = m] / 2^{-n}
  = 2^{-n} · Pr[M = m] / 2^{-n}
  = Pr[M = m]
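To make Examples 1 to 4 and the one-time pad argument concrete, here is an added Python example (not part of the lecture) that computes the ciphertext distribution and the Bayes posterior Pr[M = m | C = c] exhaustively for any small scheme, then applies it to the shift cipher with the slides' distributions and to the one-time pad over {0,1}^n with a constructed skewed distribution. The encodings (strings for shift-cipher messages, bit tuples for the one-time pad) and the skewed distribution are my choices, not the lecture's.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Hashable, Tuple

# A distribution maps values to exact probabilities (Fractions, so 1/26 stays 1/26).
Dist = Dict[Hashable, Fraction]
EncFn = Callable[[Hashable, Hashable], Hashable]


def ciphertext_distribution(msg_dist: Dist, key_dist: Dist, enc: EncFn) -> Dist:
    """Distribution of C in the lecture's experiment: k <- Gen and m <- M are chosen
    independently and c = Enc_k(m), so by the law of total probability
    Pr[C=c] = sum over (m, k) with Enc_k(m) = c of Pr[M=m] * Pr[K=k]."""
    c_dist: Dist = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = enc(k, m)
            c_dist[c] = c_dist.get(c, Fraction(0)) + pm * pk
    return c_dist


def pr_c_given_m(key_dist: Dist, enc: EncFn, m: Hashable, c: Hashable) -> Fraction:
    """Pr[C=c | M=m]: total probability of the keys that map m to c."""
    return sum((pk for k, pk in key_dist.items() if enc(k, m) == c), Fraction(0))


def posterior(msg_dist: Dist, key_dist: Dist, enc: EncFn, m: Hashable, c: Hashable) -> Fraction:
    """Pr[M=m | C=c] by Bayes' theorem: Pr[C=c | M=m] * Pr[M=m] / Pr[C=c].
    Defined only when Pr[C=c] > 0, exactly as in the perfect-secrecy definition."""
    pc = ciphertext_distribution(msg_dist, key_dist, enc).get(c, Fraction(0))
    if pc == 0:
        raise ValueError("Pr[C=c] = 0, so Pr[M=m | C=c] is undefined")
    return pr_c_given_m(key_dist, enc, m, c) * msg_dist[m] / pc


def is_perfectly_secret(msg_dist: Dist, key_dist: Dist, enc: EncFn) -> Tuple[bool, object]:
    """Check Pr[M=m | C=c] == Pr[M=m] for every m and every c with Pr[C=c] > 0 under
    THIS message distribution.  A mismatch refutes perfect secrecy (the (m, c) witness
    is returned); agreement is only evidence, since the definition quantifies over
    all distributions and the one-time pad's proof is the derivation on the slides."""
    for c, pc in ciphertext_distribution(msg_dist, key_dist, enc).items():
        if pc == 0:
            continue
        for m, pm in msg_dist.items():
            if posterior(msg_dist, key_dist, enc, m, c) != pm:
                return False, (m, c)
    return True, None


# Shift cipher: Gen picks k uniformly from {0, ..., 25}; each letter is shifted by k.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SHIFT_KEYS: Dist = {k: Fraction(1, 26) for k in range(26)}

def shift_enc(k: int, m: str) -> str:
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in m)

# One-time pad over {0,1}^n: uniform key, Enc_k(m) = k XOR m (bit strings as tuples).
def otp_keys(n: int) -> Dist:
    return {bits: Fraction(1, 2 ** n) for bits in product((0, 1), repeat=n)}

def otp_enc(k: tuple, m: tuple) -> tuple:
    return tuple(a ^ b for a, b in zip(k, m))

# The message distributions used in the lecture's Examples 1-4.
EX1_DIST: Dist = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
EX2_DIST: Dist = {"one": Fraction(1, 2), "ten": Fraction(1, 2)}
EX4_DIST: Dist = {"hi": Fraction(3, 10), "no": Fraction(2, 10), "in": Fraction(5, 10)}

def example_1() -> Fraction:  # Pr[C=b]; the slides get 1/26
    return ciphertext_distribution(EX1_DIST, SHIFT_KEYS, shift_enc)["b"]

def example_2() -> Fraction:  # Pr[C=rqh]; the slides get 1/52
    return ciphertext_distribution(EX2_DIST, SHIFT_KEYS, shift_enc)["rqh"]

def example_3() -> Fraction:  # Pr[M=ten | C=rqh]; the slides get 0, not Pr[M=ten]
    return posterior(EX2_DIST, SHIFT_KEYS, shift_enc, "ten", "rqh")

def example_4() -> Fraction:  # Pr[M=hi | C=xy]; the slides get 0.6, not Pr[M=hi]
    return posterior(EX4_DIST, SHIFT_KEYS, shift_enc, "hi", "xy")

def otp_is_perfectly_secret(n: int = 3) -> bool:
    """Constructed skewed distribution over {0,1}^n: the all-zero message has
    probability 1/2 and the other 2^n - 1 messages share the remaining half."""
    msgs = list(product((0, 1), repeat=n))
    dist = {m: Fraction(1, 2 * (len(msgs) - 1)) for m in msgs}
    dist[msgs[0]] = Fraction(1, 2)
    return is_perfectly_secret(dist, otp_keys(n), otp_enc)[0]


if __name__ == "__main__":
    for name, fn in [("Example 1", example_1), ("Example 2", example_2),
                     ("Example 3", example_3), ("Example 4", example_4)]:
        print(f"{name}: {fn()}")
    print("shift cipher, 1-char messages:", is_perfectly_secret(EX1_DIST, SHIFT_KEYS, shift_enc))
    print("shift cipher, 2-char messages:", is_perfectly_secret(EX4_DIST, SHIFT_KEYS, shift_enc))
    print("one-time pad over {0,1}^3, skewed distribution:", otp_is_perfectly_secret(3))
```

Running it reproduces the slides' numbers exactly (1/26, 1/52, 0, 3/5), shows the shift cipher passing the check for single-character messages but failing with the witness (m, c) for the two-character distribution of Example 4, and shows the one-time pad passing for the skewed distribution.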

lec3.pdf

  • 2. So far Heuristic constructions; build, break, repeat, This isnt very satisfying Can we prove that some encryption scheme is secure? First need to define what we mean by secure in the first place
  • 3. Modern cryptography Historically, cryptography was an art Heuristic design and analysis Starting in the early 80s, cryptography began to develop into more of a science Based on three principles that underpin most real-world cryptography today
  • 4. Core principles of modern crypto Formal definitions Precise, mathematical model and definition of what security means Assumptions Clearly stated and unambiguous Proofs of security Move away from design-break-patch cycle
  • 5. Importance of definitions Definitions are essential for the design, analysis, and sound usage of crypto
  • 6. Importance of definitions -- design Developing a precise definition forces the designer to think about what they really want What is essential and (sometimes more important) what is not Often reveals subtleties of the problem
  • 7. Importance of definitions -- design If you dont understand what you want to achieve, how can you possibly know when (or if) you have achieved it?
  • 8. Importance of definitions -- analysis Definitions enable meaningful analysis, evaluation, and comparison of schemes Does a scheme satisfy the definition? What definition does it satisfy? Note: there may be multiple meaningful definitions! One scheme may be less efficient than another, yet satisfy a stronger security definition
  • 9. Importance of definitions -- usage Definitions allow others to understand the security guarantees provided by a scheme Enables schemes to be used as components of a larger system (modularity) Enables one scheme to be substituted for another if they satisfy the same definition
  • 10. Assumptions With few exceptions, cryptography currently requires computational assumptions At least until we prove P NP (and even that would not be enough) Principle: any such assumptions must be made explicit
  • 11. Importance of clear assumptions Allow researchers to (attempt to) validate assumptions by studying them Allow meaningful comparison between schemes based on different assumptions Useful to understand minimal assumptions needed Practical implications if assumptions are wrong Enable proofs of security
  • 12. Proofs of security Provide a rigorous proof that a construction satisfies a given definition under certain specified assumptions Provides an iron-clad guarantee (relative to your definition and assumptions!) Proofs are crucial in cryptography, where there is a malicious attacker trying to break the scheme
  • 13. Limitations? Cryptography still remains partly an art as well Proofs given an iron-clad guarantee of security relative to the definition and assumptions! Provably secure schemes can be broken! If the definition does not correspond to the real-world threat model I.e., if attacker can go outside the assumed security model This happens a lot in practice If the assumption is invalid If the implementation is flawed This happens a lot in practice
  • 14. Nevertheless This does not detract from the importance of having formal definitions in place and giving proofs of security
  • 16. Crypto definitions (generally): Security guarantee/goal: what we want to achieve (or what we want to prevent the attacker from achieving). Threat model: what (real-world) capabilities the attacker is assumed to have.
  • 17. Recall: A private-key encryption scheme is defined by a message space M and algorithms (Gen, Enc, Dec). Gen (key-generation algorithm): generates k. Enc (encryption algorithm): takes key k and message m ∈ M as input; outputs ciphertext c, written c ← Enck(m). Dec (decryption algorithm): takes key k and ciphertext c as input; outputs m, written m := Deck(c).
  • 18. Private-key encryption (diagram): key k; message/plaintext m; encryption c ← Enck(m); ciphertext c; decryption m := Deck(c); key k.
  • 19. Threat models for encryption: Ciphertext-only attack (one ciphertext or many?); Known-plaintext attack; Chosen-plaintext attack; Chosen-ciphertext attack.
  • 20. Goal of secure encryption? How would you define what it means for an encryption scheme (Gen, Enc, Dec) over message space M to be secure? Against a (single) ciphertext-only attack.
  • 21. Secure encryption? "Impossible for the attacker to learn the key": The key is a means to an end, not the end itself. Necessary (to some extent) but not sufficient. Easy to design an encryption scheme that hides the key completely, but is insecure. Can design schemes where most of the key is leaked, but the scheme is still secure.
  • 22. Secure encryption? "Impossible for the attacker to learn the plaintext from the ciphertext": What if the attacker learns 90% of the plaintext?
  • 23. Secure encryption? "Impossible for the attacker to learn any character of the plaintext from the ciphertext": What if the attacker is able to learn (other) partial information about the plaintext? E.g., salary is greater than $75K. What if the attacker guesses a character correctly, or happens to know it?
  • 24. The right definition: Regardless of any prior information the attacker has about the plaintext, the ciphertext should leak no additional information about the plaintext. How to formalize?
  • 26. Probability review: Random variable: variable that takes on (discrete) values with certain probabilities. Probability distribution for a random variable: gives the probabilities with which the variable takes on each possible value. Each probability must be between 0 and 1; the probabilities must sum to 1.
  • 27. Probability review: Event: a particular occurrence in some experiment, e.g., the event that random variable X takes value x. Pr[E]: probability of event E. Conditional probability: probability that one event occurs, given that some other event occurred: Pr[A | B] = Pr[A and B] / Pr[B]. Two random variables X, Y are independent if for all x, y: Pr[X = x | Y = y] = Pr[X = x].
  • 28. Probability review: Law of total probability: say E1, ..., En are a partition of all possibilities. Then for any A: Pr[A] = Σi Pr[A and Ei] = Σi Pr[A | Ei] · Pr[Ei].
  • 29. Notation: K (key space): set of all possible keys. C (ciphertext space): set of all possible ciphertexts.
  • 30. Probability distributions: Let M be the random variable denoting the value of the message; M ranges over the message space M. Context dependent! Reflects the likelihood of different messages being sent, given the attacker's prior knowledge. E.g., Pr[M = "attack today"] = 0.7, Pr[M = "don't attack"] = 0.3.
  • 31. Probability distributions: Let K be a random variable denoting the key; K ranges over the key space K. Fix some encryption scheme (Gen, Enc, Dec). Gen defines a probability distribution for K: Pr[K = k] = Pr[Gen outputs key k]. Generally the uniform distribution, but...
  • 32. Probability distributions: Assume random variables M and K are independent, i.e., parties don't pick the key based on the message, or the message based on the key. In general, this assumption holds. If it doesn't hold, it can cause problems.
  • 33. Probability distributions: Fix some encryption scheme (Gen, Enc, Dec), and some distribution for M. Consider the following (randomized) experiment: 1. Generate a key k using Gen; 2. Choose a message m according to the given distribution; 3. Compute c ← Enck(m). This defines a distribution on the ciphertext! Let C be a random variable denoting the value of the ciphertext in this experiment.
  • 34. Example 1: Consider the shift cipher. So for all k ∈ {0, ..., 25}, Pr[K = k] = 1/26. Say Pr[M = a] = 0.7, Pr[M = z] = 0.3. What is Pr[C = b]? Either M = a and K = 1, or M = z and K = 2. Pr[C = b] = Pr[M = a] · Pr[K = 1] + Pr[M = z] · Pr[K = 2] = 0.7 · (1/26) + 0.3 · (1/26) = 1/26.
  • 35. Example 2: Consider the shift cipher, and the distribution on M given by Pr[M = one] = ½, Pr[M = ten] = ½. Pr[C = rqh] = ? = Pr[C = rqh | M = one] · Pr[M = one] + Pr[C = rqh | M = ten] · Pr[M = ten] = 1/26 · ½ + 0 · ½ = 1/52.
  • 36. Perfect secrecy (informal): Regardless of any prior information the attacker has about the plaintext, the ciphertext should leak no additional information about the plaintext.
  • 37. Perfect secrecy (informal): Attacker's information about the plaintext = attacker knows the distribution of M. Perfect secrecy: observing the ciphertext should not change the attacker's knowledge about the distribution of M.
  • 38. Perfect secrecy (formal): Encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for every distribution over M, every m ∈ M, and every c ∈ C with Pr[C = c] > 0, it holds that Pr[M = m | C = c] = Pr[M = m]. I.e., the distribution of M does not change, even conditioned on observing the ciphertext.
  • 39. Example 3: Consider the shift cipher, and the distribution Pr[M = one] = ½, Pr[M = ten] = ½. Take m = ten and c = rqh. Pr[M = ten | C = rqh] = ? = 0 ≠ Pr[M = ten].
  • 40. Bayes's theorem: Pr[A | B] = Pr[B | A] · Pr[A] / Pr[B].
  • 41. Example 4: Shift cipher; Pr[M = hi] = 0.3, Pr[M = no] = 0.2, Pr[M = in] = 0.5. Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] · Pr[M = hi] / Pr[C = xy].
  • 42. Example 4, continued: Pr[C = xy | M = hi] = 1/26. Pr[C = xy] = Pr[C = xy | M = hi] · 0.3 + Pr[C = xy | M = no] · 0.2 + Pr[C = xy | M = in] · 0.5 = (1/26) · 0.3 + (1/26) · 0.2 + 0 · 0.5 = 1/52.
  • 43. Example 4, continued: Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] · Pr[M = hi] / Pr[C = xy] = (1/26) · 0.3 / (1/52) = 0.6 ≠ Pr[M = hi].
  • 44. Conclusion: The shift cipher is not perfectly secret! At least not for 2-character messages. How to construct a perfectly secret scheme?
  • 45. One-time pad: Patented in 1917 by Vernam. Recent historical research indicates it was invented (at least) 35 years earlier. Proven perfectly secret by Shannon (1949).
  • 46. One-time pad: Let M = {0,1}^n. Gen: choose a uniform key k ∈ {0,1}^n. Enck(m) = k ⊕ m. Deck(c) = k ⊕ c. Correctness: Deck(Enck(m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = m.
  • 47. One-time pad (diagram): key (n bits); message (n bits); ciphertext (n bits).
  • 48. Perfect secrecy of one-time pad: Note that any observed ciphertext can correspond to any message (why?). (This is necessary, but not sufficient, for perfect secrecy.) So, having observed a ciphertext, the attacker cannot conclude for certain which message was sent.
  • 49. Perfect secrecy of one-time pad: Fix an arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n. Pr[M = m | C = c] = ? = Pr[C = c | M = m] · Pr[M = m] / Pr[C = c]. Pr[C = c] = Σm' Pr[C = c | M = m'] · Pr[M = m'] = Σm' Pr[K = m' ⊕ c | M = m'] · Pr[M = m'] = Σm' 2^-n · Pr[M = m'] = 2^-n.
  • 50. Perfect secrecy of one-time pad: Fix an arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n. Pr[M = m | C = c] = ? = Pr[C = c | M = m] · Pr[M = m] / Pr[C = c] = Pr[K = m ⊕ c | M = m] · Pr[M = m] / 2^-n = 2^-n · Pr[M = m] / 2^-n = Pr[M = m].
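As an added example (not from the lecture slides), the following Python carries out the slides' computations mechanically: the law of total probability and Bayes's theorem give Pr[C = c] and Pr[M = m | C = c] for any scheme, which reproduces Examples 1, 2 and 4 for the shift cipher and then checks the perfect-secrecy condition exhaustively for a one-time pad with n = 3. The shift-cipher message distributions are the slides' own; the 3-bit distribution for the one-time pad is constructed here, and the check is for one fixed distribution (the definition quantifies over all of them).

```python
from fractions import Fraction
from itertools import product

# Pr[C = c] by the law of total probability, with M and K independent as on the slides.
def ciphertext_dist(enc, key_dist, msg_dist):
    dist = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = enc(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pm * pk
    return dist

# Pr[M = m | C = c] by Bayes's theorem; only defined for c with Pr[C = c] > 0.
def posterior(enc, key_dist, msg_dist, m, c):
    pc_given_m = sum(pk for k, pk in key_dist.items() if enc(k, m) == c)
    return pc_given_m * msg_dist[m] / ciphertext_dist(enc, key_dist, msg_dist)[c]

# Perfect-secrecy check for one fixed distribution: Pr[M = m | C = c] == Pr[M = m]
# for every m and every c with Pr[C = c] > 0 (exact rationals, so == is meaningful).
def is_perfectly_secret(enc, key_dist, msg_dist):
    cdist = ciphertext_dist(enc, key_dist, msg_dist)
    return all(posterior(enc, key_dist, msg_dist, m, c) == pm
               for m, pm in msg_dist.items() for c in cdist)

# Shift cipher on lowercase strings: key uniform over {0, ..., 25}.
SHIFT_KEYS = {k: Fraction(1, 26) for k in range(26)}

def shift_enc(k, m):
    return "".join(chr((ord(ch) - ord("a") + k) % 26 + ord("a")) for ch in m)

# One-time pad on n-bit tuples: key uniform over {0,1}^n, Enc_k(m) = k XOR m.
def otp_keys(n):
    return {k: Fraction(1, 2 ** n) for k in product((0, 1), repeat=n)}
def otp_enc(k, m):
    return tuple(kb ^ mb for kb, mb in zip(k, m))

# Message distributions of the slides' Examples 1, 2 and 4, plus a constructed,
# deliberately skewed distribution over 3-bit messages for the one-time pad.
EX1 = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
EX2 = {"one": Fraction(1, 2), "ten": Fraction(1, 2)}
EX4 = {"hi": Fraction(3, 10), "no": Fraction(1, 5), "in": Fraction(1, 2)}
OTP3 = {(0, 0, 0): Fraction(1, 2), (1, 0, 1): Fraction(1, 4), (1, 1, 1): Fraction(1, 4)}
if __name__ == "__main__":
    print(ciphertext_dist(shift_enc, SHIFT_KEYS, EX1)["b"])      # 1/26
    print(ciphertext_dist(shift_enc, SHIFT_KEYS, EX2)["rqh"])    # 1/52
    print(posterior(shift_enc, SHIFT_KEYS, EX4, "hi", "xy"))     # 3/5, not 3/10
    print(is_perfectly_secret(shift_enc, SHIFT_KEYS, EX4))       # False
    print(is_perfectly_secret(otp_enc, otp_keys(3), OTP3))       # True
```

The shift-cipher check fails at the very first ciphertext it examines, since "hi" and "no" are shifts of one another and so share every ciphertext, while every (m, c) pair for the one-time pad has exactly one key, which is what makes the posterior collapse to the prior.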