I – Basic Notions

I – Basic Notions

Provable Security in the Computational Model I – Basic Notions David Pointcheval MPRI – Paris Ecole normale superieure,´ CNRS & INRIA ENS/CNRS/INRIA Cascade David Pointcheval 1/71 Outline Cryptography Provable Security Basic Security Notions Conclusion ENS/CNRS/INRIA Cascade David Pointcheval 2/71 Cryptography Outline Cryptography Introduction Kerckhoffs’ Principles Formal Notations Provable Security Basic Security Notions Conclusion ENS/CNRS/INRIA Cascade David Pointcheval 3/71 Secrecy of Communications One ever wanted to communicate secretly The treasure Bob is under Alice …/... ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications One ever wanted to communicate secretly The treasure Bob is under Alice …/... ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications One ever wanted to communicate secretly The treasure Bob is under Alice …/... ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications One ever wanted to communicate secretly The treasure Bob is under Alice …/... ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications One ever wanted to communicate secretly The treasure Bob is under Alice …/... With the all-digital world, security needs are even stronger ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Old Methods Substitutions and permutations Security relies on the secrecy of the mechanism ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation Alberti’s disk Mono-alphabetical Substitution ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation Alberti’s disk Wheel – M 94 (CSP 488) Mono-alphabetical Substitution Poly-alphabetical Substitution ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation Alberti’s disk Wheel – M 94 (CSP 488) Mono-alphabetical Substitution Poly-alphabetical Substitution ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Outline Cryptography Introduction Kerckhoffs’ Principles Formal Notations Provable Security Basic Security Notions Conclusion ENS/CNRS/INRIA Cascade David Pointcheval 6/71 Kerckhoffs’ Principles (1) La Cryptographie Militaire (1883) Le systeme` doit etreˆ materiellement,` sinon mathematiquement,´ indechiffrable´ The system should be, if not theoretically unbreakable, unbreakable in practice −! If the security cannot be formally proven, heuristics should provide some confidence. ENS/CNRS/INRIA Cascade David Pointcheval 7/71 Kerckhoffs’ Principles (1) La Cryptographie Militaire (1883) Le systeme` doit etreˆ materiellement,` sinon mathematiquement,´ indechiffrable´ The system should be, if not theoretically unbreakable, unbreakable in practice −! If the security cannot be formally proven, heuristics should provide some confidence. ENS/CNRS/INRIA Cascade David Pointcheval 7/71 Kerckhoffs’ Principles (2) La Cryptographie Militaire (1883) Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvenient´ tomber entre les mains de l’ennemi Compromise of the system should not inconvenience the correspondents −! The description of the mechanism should be public ENS/CNRS/INRIA Cascade David Pointcheval 8/71 Kerckhoffs’ Principles (2) La Cryptographie Militaire (1883) Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvenient´ tomber entre les mains de l’ennemi Compromise of the system should not inconvenience the correspondents −! The description of the mechanism should be public ENS/CNRS/INRIA Cascade David Pointcheval 8/71 Kerckhoffs’ Principles (3) La Cryptographie Militaire (1883) La clef doit pouvoir en etreˆ communiquee´ et retenue sans le secours de notes ecrites,´ et etreˆ changee´ ou modifiee´ au gre´ des correspondants The key should be rememberable without notes and should be easily changeable −! The parameters specific to the users (the key) should be short ENS/CNRS/INRIA Cascade David Pointcheval 9/71 Kerckhoffs’ Principles (3) La Cryptographie Militaire (1883) La clef doit pouvoir en etreˆ communiquee´ et retenue sans le secours de notes ecrites,´ et etreˆ changee´ ou modifiee´ au gre´ des correspondants The key should be rememberable without notes and should be easily changeable −! The parameters specific to the users (the key) should be short ENS/CNRS/INRIA Cascade David Pointcheval 9/71 Use of (Secret) Key A shared information (secret key) between the sender and the receiver parameterizes the mechanism: • Vigenere:` each key letter tells the shift • Enigma: connectors and rotors ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key A shared information (secret key) between the sender and the receiver parameterizes the mechanism: • Vigenere:` each key letter tells the shift • Enigma: connectors and rotors ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key A shared information (secret key) between the sender and the receiver parameterizes the mechanism: • Vigenere:` each key letter tells the shift • Enigma: connectors and rotors ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key A shared information (secret key) between the sender and the receiver parameterizes the mechanism: • Vigenere:` each key letter tells the shift • Enigma: connectors and rotors Security looks better: but broken (Alan Turing et al.) ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Symmetric Encryption Principles 2 and 3 define the concepts of symmetric cryptography: 1k G k k k m E c D m Secrecy It is impossible/hard to recover m from c only (without k) Security It is heuristic only: 1st principle ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Symmetric Encryption Principles 2 and 3 define the concepts of symmetric cryptography: 1k G k k k m E c D m Secrecy It is impossible/hard to recover m from c only (without k) Security It is heuristic only: 1st principle ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Symmetric Encryption Principles 2 and 3 define the concepts of symmetric cryptography: 1k G k k k m E c D m Secrecy It is impossible/hard to recover m from c only (without k) Security It is heuristic only: 1st principle ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Perfect Secrecy? Any security indeed vanished with statistical attacks! ENS/CNRS/INRIA Cascade David Pointcheval 12/71 Perfect Secrecy? Any security indeed vanished with statistical attacks! Perfect secrecy? Is it possible? ENS/CNRS/INRIA Cascade David Pointcheval 12/71 Perfect Secrecy? Any security indeed vanished with statistical attacks! Perfect secrecy? Is it possible? Perfect Secrecy The ciphertext does not reveal any (additional) information about the plaintext: no more than known before • a priori information about the plaintext, defined by the distribution probability of the plaintext • a posteriori information about the plaintext, defined by the distribution probability of the plaintext, given the ciphertext Both distributions should be perfectly identical ENS/CNRS/INRIA Cascade David Pointcheval 12/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m Which message is encrypted in the ciphertext c 2 f0; 1gn? ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m Which message is encrypted in the ciphertext c 2 f0; 1gn? For any candidate m 2 f0; 1gn, the key k = c ⊕ m would lead to c ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption Vernam’s Cipher (1929) • Encryption of m 2 f0; 1gn under the key k 2 f0; 1gn: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c 2 f0; 1gn under the key k 2 f0; 1gn: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m Which message is encrypted in the ciphertext c 2 f0; 1gn? For any candidate m 2 f0; 1gn, the key k = c ⊕ m would lead to c ) no information about m is leaked with c! ENS/CNRS/INRIA Cascade David Pointcheval 13/71 Information Theory Drawbacks • The key must be as long as the plaintext • This key must be used once only (one-time pad) Theorem (Shannon – 1949) To achieve perfect secrecy, A and B have to share a common string truly random and as long as the whole communication.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    292 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us