Course Information

CSE 107 — Introduction to Modern Cryptography
Instructor: Mihir Bellare
Website: http://cseweb.ucsd.edu/~mihir/cse107

Mihir Bellare, UCSD

Cryptography usage

Did you use any cryptography today?

• https invokes the TLS protocol
• TLS uses cryptography
• TLS is in ubiquitous use for secure communication: shopping, banking, Netflix, gmail, Facebook, ...

Secure messaging apps

WhatsApp, Signal, iMessage/FaceTime, Viber, Telegram, LINE, Threema, ChatSecure, KakaoTalk, ...

Use them!
Cryptography usage

Other uses of cryptography
• ATM machines
• Bitcoin
• Tor: Anonymous web browsing
• Google authenticator
• ...

11,748 android apps use cryptography (encryption), and 10,327 get it wrong [EBFK13]

What is cryptography about?

Adversary: clever person with powerful computer

Security goals:
• Data privacy: Ensure adversary does not see or obtain the data (message) $M$.
• Data integrity and authenticity: Ensure $M$ really originates with Alice and has not been modified in transit.

Example: Medical databases

[Figure: the doctor sends "Get Alice" to the database, which holds the records Alice: $F_A$ and Bob: $F_B$, and receives $F_A$. The doctor reads $F_A$, modifies $F_A$ to $F'_A$, and sends "Put: Alice, $F'_A$"; the database then holds Alice: $F'_A$ and Bob: $F_B$.]

• Privacy: $F_A$, $F'_A$ contain confidential information and we want to ensure the adversary does not obtain them
• Integrity and authenticity: Need to ensure
  – doctor is authorized to get Alice's file
  – $F_A$, $F'_A$ are not modified in transit
  – $F_A$ is really sent by database
  – $F'_A$ is really sent by (authorized) doctor
Ideal World

Cryptonium pipe: Cannot see inside or alter content.

All our goals would be achieved!

But cryptonium is only available on planet Crypton and is in short supply.

Cryptographic schemes

$E$: encryption algorithm    $K_e$: encryption key
$D$: decryption algorithm    $K_d$: decryption key

Algorithms: standardized, implemented, public!
Cryptographic schemes

Settings:
• public-key (asymmetric): $K_e$ public, $K_d$ secret
• private-key (symmetric): $K_e = K_d$ secret

How do keys get distributed? Magic, for now!

Our concerns:
• How to define security goals?
• How to design $E$, $D$?
• How to gain confidence that $E$, $D$ achieve our goals?

Computer Security: How does the computer/system protect $K_e$/$K_d$ from break-in (viruses, worms, OS holes, ...)? (CSE 127,227)

Cryptography: How do we use $K_e$, $K_d$ to ensure security of communication over an insecure network? (CSE 107,207)
Why is cryptography hard?

• One cannot anticipate an adversary strategy in advance; number of possibilities is infinite.
• "Testing" is not possible in this setting.

Early history

Substitution ciphers/Caesar ciphers:

$K_e = K_d = \pi : \Sigma \to \Sigma$, a secret permutation

e.g., $\Sigma = \{A, B, C, \ldots\}$ and $\pi$ is as follows:

$\sigma$:        A  B  C  D  ...
$\pi(\sigma)$:   E  A  Z  U  ...

$E_\pi(CAB) = \pi(C)\,\pi(A)\,\pi(B) = ZEA$
$D_\pi(ZEA) = \pi^{-1}(Z)\,\pi^{-1}(E)\,\pi^{-1}(A) = CAB$

Not very secure! (Common newspaper puzzle)

The age of machines

Enigma: German World War II machine

Broken by British in an effort led by Turing
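The substitution cipher above as an added Python example (not part of the original slides): it checks the slide's $\pi$ on CAB, then shows that a full 26-letter key, despite roughly 88 bits of key space, leaves letter-repetition patterns and frequency counts unchanged, which is the structure a newspaper-puzzle solver relies on. The seeded `keygen`, the helper names and the sample message are constructed for illustration.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
SLIDE_PI = {"A": "E", "B": "A", "C": "Z", "D": "U"}  # the four entries shown on the slide

def keygen(seed):
    """Return a full permutation pi of A..Z as a dict (constructed; seeded for repeatability)."""
    rng = random.Random(seed)  # not a cryptographic RNG, demonstration only
    image = list(ALPHABET)
    rng.shuffle(image)
    return dict(zip(ALPHABET, image))

def encrypt(pi, message):
    """E_pi(M): apply pi letter by letter."""
    return "".join(pi[ch] for ch in message)

def decrypt(pi, ciphertext):
    """D_pi(C): apply the inverse permutation letter by letter."""
    inverse = {image: letter for letter, image in pi.items()}
    return "".join(inverse[ch] for ch in ciphertext)

def repetition_pattern(text):
    """Index of each letter's first appearance, e.g. 'ATTACK' -> (0, 1, 1, 0, 2, 3)."""
    first_seen = {}
    return tuple(first_seen.setdefault(ch, len(first_seen)) for ch in text)

def frequency_profile(text):
    """Letter counts sorted high to low, ignoring which letter has which count."""
    return sorted(Counter(text).values(), reverse=True)

def key_space_bits():
    """log2 of the number of permutations of a 26-letter alphabet."""
    return math.log2(math.factorial(len(ALPHABET)))

if __name__ == "__main__":
    print(encrypt(SLIDE_PI, "CAB"), decrypt(SLIDE_PI, "ZEA"))
    pi = keygen(107)
    msg = "ATTACKATDAWN"  # constructed sample message
    ct = encrypt(pi, msg)
    print(ct, repetition_pattern(ct) == repetition_pattern(msg))
    print(frequency_profile(ct) == frequency_profile(msg), round(key_space_bits(), 1))
```
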
Shannon and One-Time-Pad (OTP) Encryption

$K_e = K_d = K \xleftarrow{\$} \{0,1\}^k$   ($K$ chosen at random from $\{0,1\}^k$)

For any $M \in \{0,1\}^k$
  – $E_K(M) = K \oplus M$
  – $D_K(C) = K \oplus C$

Theorem (Shannon): OTP is perfectly secure as long as only one message encrypted.

"Perfect" secrecy, a notion Shannon defines, captures mathematical impossibility of breaking an encryption scheme.

Fact: if $|M| > |K|$, then no scheme is perfectly secure.

Modern Cryptography: A Computational Science

Security of a "practical" system must rely not on the impossibility but on the computational difficulty of breaking the system.

("Practical" = more message bits than key bits)

Rather than:
"It is impossible to break the scheme"

We might be able to say:
"No attack using $2^{160}$ time succeeds with probability $\geq 2^{-20}$"

I.e., Attacks can exist as long as cost to mount them is prohibitive, where Cost = computing time/memory, $$$

Cryptography is now not just mathematics; it needs to draw on computer science
• Computational complexity theory (CSE 105,200)
• Algorithm design (CSE 101,202)
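The one-time pad from the Shannon slide as an added Python example (not from the original slides): it implements $E_K$ and $D_K$ and shows why the theorem is limited to one message, since two ciphertexts produced under the same $K$ XOR to $M_1 \oplus M_2$ with the key cancelled out. The function names and the two sample messages are constructed; key length is counted in bytes.

```python
import secrets

def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("OTP requires |K| = |M|")
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(k):
    """K chosen at random from {0,1}^k (k counted in bytes here)."""
    return secrets.token_bytes(k)

def encrypt(key, message):
    """E_K(M) = K xor M"""
    return xor_bytes(key, message)

def decrypt(key, ciphertext):
    """D_K(C) = K xor C"""
    return xor_bytes(key, ciphertext)

def pad_reuse_leak(c1, c2):
    """If C1 and C2 used the same K, the key cancels: C1 xor C2 = M1 xor M2."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    m1 = b"PAY BOB 100"   # constructed sample messages of equal length
    m2 = b"PAY EVE 999"
    key = keygen(len(m1))
    c1, c2 = encrypt(key, m1), encrypt(key, m2)   # misuse: K used twice
    leak = pad_reuse_leak(c1, c2)
    print(decrypt(key, c1))
    print(leak == xor_bytes(m1, m2))              # True, with no knowledge of K
    print(xor_bytes(leak, m1))                    # anyone who knows M1 now has M2
    # Correct use: a fresh K per message, so the difference stays masked.
    c3 = encrypt(keygen(len(m2)), m2)
    print(pad_reuse_leak(c1, c3) == xor_bytes(m1, m2))  # False unless the two keys collide
```
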
The factoring problem

Input: Composite integer $N$
Desired output: prime factors of $N$

Example:
Input: 85
Output: 17, 5

Can we write a factoring program? Easy!

Alg Factor($N$)   // $N$ a product of 2 primes
  For $i = 2, 3, \ldots, \lceil \sqrt{N} \rceil$ do
    If $N \bmod i = 0$ then return $i$
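Alg Factor written out in Python as an added example (not from the original slides), returning the factor together with the number of loop iterations so the growth with the size of $N$ is visible. The inputs other than 85 are constructed, and `log10_years` is a hypothetical helper that assumes $10^9$ loop iterations per second.

```python
import math

def factor(n):
    """Alg Factor(N) for N a product of 2 primes: return (factor, loop iterations)."""
    steps = 0
    # The smallest prime factor p of a composite N satisfies p*p <= N, so stopping at
    # floor(sqrt(N)) finds the same factor as the slide's bound ceil(sqrt(N)).
    for i in range(2, math.isqrt(n) + 1):
        steps += 1
        if n % i == 0:
            return i, steps
    raise ValueError("no factor up to sqrt(N): N is prime or smaller than 4")

def log10_worst_case_steps(digits):
    """For N = pq with p, q of similar size the loop runs about sqrt(N) = 10^(digits/2) times."""
    return digits / 2

def log10_years(digits, log10_steps_per_second=9):
    """log10 of the running time in years at an assumed 10^9 iterations per second."""
    seconds_per_year = 365.25 * 24 * 3600
    return (log10_worst_case_steps(digits) - log10_steps_per_second
            - math.log10(seconds_per_year))

if __name__ == "__main__":
    # 85 is the slide's example; the other inputs are constructed from well-known primes.
    for p, q in [(5, 17), (101, 103), (999983, 1000003)]:
        n = p * q
        found, steps = factor(n)
        print(f"N={n} ({len(str(n))} digits): factor {found} after {steps} iterations")
    print(f"400-digit N: about 10^{log10_worst_case_steps(400):.0f} iterations, "
          f"about 10^{log10_years(400):.1f} years")
```
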
But this is very slow ... Prohibitive if $N$ is large (e.g., 400 digits)

Can we factor fast?

• Gauss couldn't figure out how
• Today there is no known algorithm to factor a 400 digit number in a practical amount of time.

Factoring is an example of a problem believed to be computationally hard.

Note 1: A fast algorithm MAY exist.
Note 2: A quantum computer can factor fast! One has not yet been built but efforts are underway ...

Atomic Primitives or Problems

Examples:
• Factoring: Given large $N = pq$, find $p$, $q$
• Block cipher primitives: DES, AES, ...
• Hash functions: MD5, SHA1, SHA3, ...

Features:
• Few such primitives
• Design an art, confidence by history.
Drawback: Don't directly solve any security problem.

Higher Level Primitives

Goal: Solve security problem of direct interest.

Examples: encryption, authentication, digital signatures, key distribution, ...

Features:
• Lots of them

Lego Approach

We typically design high-level primitives from atomic ones

Atomic primitive
      ↓
Transformer
      ↓
High-level primitive