Unconditional Security
I still need to figure out how to set up MathJax, so the math on this page is ugly (\LaTeX).
The Encrpytion Problem
Alice wants to send a message to Bob over a communication channel. Alice wants to encrypt her plaintext message (m) to generate ciphertext (c). To encryption, Alice will provide the encryption scheme her plaintext message and her key. Bob will take the ciphertext (c) and decrypt it with his key to produce the original message (m).
Eve is an eavesdropper and can observe messages sent over the communication channel. Eve does not know the key and should not be able to learn (m).
Kerckhoff's Principle
Kerckhoff's Principle
A cryptographic system should be designed to be secure, even if all its details, except for the key, are publicly known.Not following this principle is called “security by obscurity”.
Motivation
- It is unrealistic to assume that the design details remain secret.
- Pairwise-shared keys are easier to protect, generate, and replace.
- The design details can be discussed and analyzed in public.
- What would it even mean formally if the specification is unknown?
A Mathematical View of the Encryption Problem
Definitions
-
(K) is the key space.
-
(M) is the plaintext space.
-
(C) is the ciphertext space.
-
An encryption scheme is a pair (Enc,Dec), where
- Enc : (K \times M \to C) is an encryption algorithm
- Dec : (K \times M \to C) is an decryption algorithm
-
Correctness - for every (k), (m), Dec((k), Enc((k), (m))) = (m)
Some Bad Ciphers
Shift Cipher
(M) is the set of words in the alphabet and (K) is the set of numbers mod the length of the alphabet. To encrypt the key would be added to each character in the message mod the length of the alphabet. To decrypt the key would be subtracted from each character in the message mod the length of the alphabet.
In the Caesar Cipher, (k = 3).
Security of the Shift Cipher
The keyspace is very small, just try all the possible keys.
Substitution Cipher
(M) is the set of words in the alphabet and (K) is a set of permutations of numbers mod the length of the alphabet. To encrypt, just apply the permutation. To decrpyt, just apply the inverse of the permutation.
Security of the Substitution Cipher
Use statistical patterns (e.g. frequency tables) to make informed guesses about parts of the permutation.
Other Bad Ciphers
- Vigenere cipher
- Enigma
Perfectly Secure Encryption: Constructions and Limitations
The definition of security is not trivial. The key (k) must be chosen uniformly at random. The adversary, Eve, will know the ciphertext (c).
- Eve should not learn (k).
- Eve should not learn any information about (m) (i.e. Eve knowing the ciphertext should not change the probability distribution of the plaintext).
Probability Theory
The Probability Space contains a universe (U) and probability functions (\forall u \in U), assign (0 \leq Pr[u] \leq 1) such that (\sum_{u \in U} Pr[u] = 1). For Random Variables, (Pr[X = x] = \sum_{u: X(u)=x} Pr[u]).
Two random variables are independent if for all (x,y), (Pr[X=x, Y=y] = Pr[X=x] * Pr[Y=y])
Conditional probability is defined as (Pr[X=x | Y=y] \frac{Pr[X=x, Y=y]}{Pr[Y=y]})
Events: An event is a subset of the universe. We define (Pr[E] = \sum_{{e \in E}}Pr[u]). Alternatively, we can think of events as binary random variables: either the event happens or it doesn't.
Any two events (E_1 , E_2) are Union Bound if (Pr[E_1 \cup E_2] = Pr[E_1] + Pr[E_2] - Pr[E_1 \cap E_2] \leq Pr[E_1] + Pr[E_2])
Back to Crypto
Perfect Secrecy
An encryption scheme is perfectly secret if for every (m \in M) and (c \in C), then (Pr[ M=m ] = Pr[ M=m | C=c])
This means that Eve does not learn anything about plaintext when given the ciphertext.
Another way to state perfect secrecy is (Pr[ Enc(K, m) = c] = Pr[ Enc(K, m’) = c]). Or a third way: the plaintext and the ciphertext are independent.
(|K| \le |M|) means that exhaustive search over keys will reveal something about the plaintext. The opposite of this statement must be true to have perfect secrecy.
Abstract Algebra
A group ((G, +)) consists of a set (G) and one operation (+ : G \times G \to G). Groups are abstract ways to lump things together (e.g., the integers can be grouped over the addition operator). Some properties of groups are associative, commutative, identity, and inverses.
(Z_{n} = {0, \dots, n-1}) and (Z^{t}_{n}) is the set of vectors of length (t).
When Encryption is Not Enough
For man-in-the-middle attacks, encryption is not enough. The attacker can modify the ciphertext before passing it along to Bob.
Message Authentication Code (MAC)
Message space (M), key space (K), tag space (T). MAC (K \cross M \to T).
Alice computes the tag and send the message and tag to Bob. Bob receives these and verifies the integrity of the message. Eve “wins” if her edited message and her key produce the same tag as Alice's message and key.
(\epsilon)-security: (Pr[\text{Eve wins}] \leq \epsilon)
Fields
A field consists of a set and two operations usually addition and multiplication. There are infinite fields (rational, reals, complex; not the integers) and finite fields ((Z_{p}) where (p) is a prime number).
MAC Construction
Let (p) be a prime number. The message and tag spaces are (Z_{p}) The key space is (Z_p \times \Z_p)
Define (MAC(k,m) = x \dot m + y | k=(x,y)).
Construction is not very practical: the key must be twice as big as the message and it can only be used one to authenticate a single message.
Better MAC Construction
[
K = Z_p \times Z_p \
M = Z_{p}^{d} for any d \gre 1 \
T = Z_p \
\
For k=(x,y) and m = (m_1 \cdots m_d)\
MAC(k,m) = \sum_{i=1}^{d} m_{i}x^{i} + y
]
Construction is still not very practical since the key can only be used one to authenticate a single message.
Encrypt then Authenticate
The MAC is sent as cleartext, so you don't want to give any info about plaintext when sending the tag.Secret Sharing
Message space (M), share space (S). Number of parties (n)
[
Share : M \to S^n \text{randomized algorithm}\
Rec : S^n \to M
]
Correctness should hold : (Pr[Rec(Share(m)) = m] = 1) The secret sharing algorithm should have perfect secrecy.
Construction
Message space (M = Z_p) and Share space (S = Z_p) with (n) parties.
(Share(m)): choose (s_1, …, s_{n-1}) uniformly at random. Set (s_n = m - (s_1 + … + s_{n-1})
(Rec(s_1, …, s_n) = s_1 + … + s_n)
This scheme has perfect secrecy (see powerpoint for proof).
Threshold Secret Sharing
Still have (n) parties with one share per party, but now also threshold (t). Any (t+1) can recover the message. Any (t) don't learn anything about the message.
Construction (Shamir Secret Sharing):
- Number of parties (n) and threshold (t < n).
- Message space (M = Z_p) and Share space (S = Z_p) with (n) parties.
(Share(m)):
- Choose (t) random coefficients (c_1, …, c_t) and set (c_0 = m).
- Define polynomial (p(x) = \sum^t_{j=0} c_jx^j
- Output (s_i = p(i))
\Recover( { (i, s_i) } )) through a Lagrange Interpolation (see powerpoint).
The threshold secret sharing scheme using Shamir Secret Sharing has perfect secrecy.
Multiparty Computation
Each of (n) parties holds a private input (x_i). They wish to jointly compute some function (f(x_1, …, x_n)). They don't want to reveal their inputs to each other. They can communicate via private point-to-point channels. We want to have correctness (all parties get the correct output at the end of the protocol) and perfect secrecy (no parties can figure out what another party's private input is).
Each party (i) sees their own inputs (x_i), the randomness of parties (i \in S), and all protocol message received by party (i). We want the “view” (what each party sees) to depend on their input and the final output (to have perfect secrecy).
Multiparty Computation for Addition
Each party (i) secret-shares its input (x_i) using additive secret sharing to get shres (x_{i,j}) such that (\sum^n_{j=1} x_{i,j} = x_i) Send (x_{i,j) to party (j).
Each party (j) sums up all the shares it has and broadcasts it to the group Let the sum be (y_j).
Then everyone sums the broadcasted sums.