Professional Documents
Culture Documents
Crypto 1
Crypto 1
Benjamin Hof
hof@in.tum.de
Cryptography – 18ss
1 / 34
Outline
Cryptography
Symmetric setting
2 / 34
Outline
Cryptography
Symmetric setting
3 / 34
Scope
Focus on:
I modern cryptography
I methods used in communications security
4 / 34
Communication
by Melissa Elliott
https://twitter.com/0xabad1dea/status/400676797874208768
5 / 34
What we are concerned with
6 / 34
What we are concerned with
BfV
6 / 34
What we are concerned with
Eve
6 / 34
What we are concerned with
6 / 34
Limitations
7 / 34
Kerckhoffs’ principle
No security by obscurity.
I scrutiny
I standards
I reverse engineering
8 / 34
Another principle as a side note
Example
Signal, NaCl
9 / 34
What should secure encryption guarantee?
10 / 34
What should secure encryption guarantee?
10 / 34
What should secure encryption guarantee?
10 / 34
Modern cryptography
relies on
I formal definitions
I precisely defined assumptions
I mathematical proofs
Reductionist security arguments, the proofs, require to formulate
assumptions explicitly.
11 / 34
A definition of security
Negligible
For every polynomial p and for all sufficiently large values of n:
1
f (n) <
p(n)
1
e.g., f (n) = 2n
Church-Turing Hypothesis
We believe polynomial time models all computers.
12 / 34
Our goals
13 / 34
Motivation
14 / 34
Uniform distribution
P : U → [0, 1]
X
P(x ) = 1
x ∈U
1
∀x ∈ U : P(x ) =
|U|
15 / 34
Randomness
Example
used to generate keys or other information unkown to any other
parties
16 / 34
Collecting unpredictable bits
I physical phenomena
I time between emission of particles during radioactive decay
I thermal noise from a semiconductor diode or resistor
I software-based
I elapsed time between keystrokes or mouse movement
I packet interarrival times
17 / 34
Pseudo-random generator
18 / 34
Outline
Cryptography
Symmetric setting
19 / 34
Symmetric encryption scheme
I provide confidentiality
I definition of security: chosen-plaintext attack (CPA)
Cryptography uses theoretical attack games to analyze and
formalize security.
20 / 34
The eavesdropping experiment
C A
k ← Gen(1n ) input 1n
The eavesdropping experiment
C A
k ← Gen(1n ) input 1n
m 0, m 1
b ← {0, 1}
c ← Enck (mb )
c
output b 0
I A succeeds, iff b = b 0
21 / 34
Discussion of the eavesdropping experiment
I |m0 | = |m1 |
I probabilistic polynomial time algorithms
22 / 34
Pseudorandom permutation
23 / 34
A block cipher
Example
I fixed key length and block length
I chop m into 128 bit blocks
m k
128 bit
AES
24 / 34
Chosen-plaintext attack
C A
k ← Gen(1n ) input 1n
25 / 34
Chosen-plaintext attack
C A
k ← Gen(1n ) input 1n
m
c ← Enck (m)
c
.. ..
. .
25 / 34
Chosen-plaintext attack
C A
k ← Gen(1n ) input 1n
m
c ← Enck (m)
c
.. ..
. .
m0, m1
b ← {0, 1}
Enck (m
b)
25 / 34
Chosen-plaintext attack
C A C (cont’d) A
k ← Gen(1n ) input 1n m
m c ← Enck (m)
c
c ← Enck (m)
c .. ..
. .
.. ..
. . output bit b 0
m0, m1
b ← {0, 1}
Enck (m
b)
25 / 34
Chosen-plaintext attack
C A C (cont’d) A
k ← Gen(1n ) input 1n m
m c ← Enck (m)
c
c ← Enck (m)
c .. ..
. .
.. ..
. . output bit b 0
m0, m1
b ← {0, 1}
Enck (m
b)
25 / 34
Discussion of CPA
26 / 34
Example constructions: counter mode
Example
I randomised AES counter mode (AES-CTR$)
I choose nonce r ← {0, 1}128 , key k ← {0, 1}128
I great if you have dedicated circuits for AES, else vulnerable to
timing attacks
r AES k r +1 AES k
m0 ⊕ m1 ⊕
c0 c1
···
complete ciphertext c := (r , c0 , c1 , · · · )
27 / 34
Example constructions: stream ciphers
Example
A modern stream cipher, fast in software:
ChaCha
keystream
plaintext ⊕
ciphertext
28 / 34
Message authentication code (MAC)
I transmit hm, ti
I tag t is a short authenticator
I message authenticity ⇔ integrity
I detect tampering
I no protection against replay
I “existentially unforgeable”
I security definition: adaptive chosen-message attack
29 / 34
Adaptive chosen-message attack
C A
k ← Gen(1n )
m input 1n
.. ..
. .
output hm0 , t 0 i
30 / 34
Used in practice
Example
I HMAC based on hash functions
I CMAC based on cipher block chaining mode (CBC)
I authenticated encryption modes
31 / 34
Example: side-channel attack
32 / 34
Recap: secret-key cryptography
33 / 34
Combining confidentiality and authentication
34 / 34