Introduction to Modern Cryptography
Sharif University Spring 2016
Data and Network Security Lab
Sharif University of Technology
Department of Computer Engineering

A Primer on Modern Cryptography (1)
Mohammad Sadeq Dousti

Outline
- Definition of Modern Cryptography
- Evolution from Classic to Modern Cryptography
- Principles of Modern Cryptography
  - Exact Definitions
  - Precise Assumptions
  - Rigorous Proofs of Security
- An Introduction to Theory of Computation
- Course Topics

Modern Cryptography
and its relation to classic cryptography

Classic Cryptography
- Concise Oxford Dictionary (2006): Cryptography is the art of writing or solving codes.
- Classically, cryptography
  - Focused solely on secret communication
  - Seen as an art, relied on creativity and personal skill
  - Used only by military and intelligence

Modern Cryptography
- In the late 20th century, cryptography deals with message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash, and more.
- Nowadays, cryptography is almost everywhere:
  - ATM machines
  - Online banking
  - All HTTPS websites
  - Remote login and file transfer (SSH, …)
  - Mobile communications (GSM, …)
  - Wireless networking (Wi-Fi, WiMAX, …)

Cryptography is Everywhere!
- Figure: An encrypted web communication (HTTPS)

Cryptography is Everywhere! (cont.)
- 11,748 Android apps use cryptography (encryption); however, 10,327 (88%) get it wrong [EBFK13]

Definition of Modern Cryptography
- Katz and Lindell [KL08]: (Modern) Cryptography is the scientific study of techniques for securing digital information, transactions, and distributed computations.

Cryptography Concerns
- Example: An encryption scheme
- Our concerns:
  - How to define security goals?
  - How to design and ?
  - How to gain confidence that achieve our goal?

Cryptography Concerns (cont.)
- How does a computer/system protect itself from break-ins (viruses, vulnerabilities, …)?
  - Not our concern in this class.
- How do we use to ensure security of communication over an insecure network?
  - That’s our business.

Classic Ciphers
- What is its key length?
- However, not very secure!

Classic Ciphers (cont.)
- Enigma: German World War II machine
- Broken by the British in an effort led by Turing

One-time-pad (OTP) Encryption
- Proven by Shannon

Principles of Modern Cryptography

Modern Cryptography: A Computational Science
- Security of a “practical” system must rely not on the impossibility but on the computational difficulty of breaking the system.
  - “Practical” = more message bits than key bits
- Rather than: “It is impossible to break the scheme”
- We might be able to say: “Attacks can exist as long as the cost to mount them is prohibitive”

Modern Cryptography: A Computational Science (cont.)
- A sample security proposition: Cannot be broken with probability better than 10^-30 in 200 years, using the fastest available supercomputer.
- Cryptography is now not just mathematics; it needs to draw on computer science:
  - (Computational) Complexity Theory
  - Design of Algorithms

Concrete vs. Asymptotic Security
- Two approaches to define security goals:
  - Concrete/Exact Security or -Security: No attack using ≤ 2^160 time succeeds with probability ≥ 2^-20
  - Asymptotic Security: Any efficient adversary succeeds with only a negligible probability
    - “Efficient” = Probabilistic Polynomial Time (next sess.)
    - “Negligible” = Easily (!) defined by a number of quantifiers

Kerckhoffs’ principle
- Auguste Kerckhoffs in the late 19th century: The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
- Why?
  - Easier to maintain secrecy of a short key rather than an algorithm
  - Algorithm parts may be leaked: insider or reverse engineering.
  - Key revocation/reissue is easier than algorithm revocation/reissue!
  - Different people communicating: different keys or different algorithms?

Modern Crypto Principles: Exact Definitions
- Why exact definitions for security?
  - Importance for design
    - To know what to design
    - Not to provide more than what is needed: efficiency
    - (different definitions with different security levels are usually proposed for any crypto concept)
  - Importance for usage
    - Application designers match their requirements with what a scheme provides
    - More precise application verification
    - Not to use the most secure scheme if not needed: efficiency
  - Importance for study
    - Comparing different schemes
    - More precise efficiency/security trade-off
  - Needed for security proofs (later)

Modern Crypto Principles: Precise Assumptions
- Most modern cryptographic constructions cannot be proven secure unconditionally.
- Thus, they rely on some assumptions:
  - Hardness of mathematical problems
  - Hardness of cryptographic primitives
- Why precise assumptions?
  - Validation of the assumption
    - Reliable assumptions should be examined and tested a lot without being successfully refuted.
    - The hardness of an assumption may be implied by another widely-believed hard assumption.
    - Both of the above need precise assumptions.

Modern Crypto Principles: Precise Assumptions (cont.)
- Why precise assumptions?
  - Comparison of schemes
    - Scheme A relies on assumption X
    - Scheme B relies on assumption Y
    - (Stronger) assumption X implies (weaker) assumption Y
    - Scheme B is better: X may become invalid while Y still holds, but not vice versa.
    - If X and Y are incomparable: (usually) the more-studied/simpler assumption is better.
  - Needed for security proofs (later)

Modern Crypto Principles: Rigorous Proofs of Security
- Why a security proof?
  - Countless examples of unproven schemes that were broken
    - Sometimes immediately
    - Sometimes years after being presented or deployed
  - Security testing is different from software testing
    - Cannot anticipate an adversary strategy
  - Experience has shown that intuition here is disastrous.

Modern Crypto Principles: Rigorous Proofs of Security (cont.)
- Reductionist Approach: Assumption X reduced to scheme A
- Interpretations:
  - If an adversary breaks the scheme A, it must have found a fast algorithm for X.
  - The only way to break A is to solve X efficiently.
- Two sub-approaches:
  - Asymptotic: The reduction is itself polynomial-time.
  - Concrete: is not much different than .

Example Assumptions: Mathematical Problem
- Integer Factorization is hard (after exact formulation)
- If a scheme is provably-secure assuming hardness of factorization:
  - Bug in the scheme implies
    - attacker has found a way to factor fast
    - attacker is smarter than Gauss
    - and smarter than all living mathematicians

Example Assumptions: Crypto Primitives
- Block cipher primitives: DES, AES, ...
- Hash functions: MD5, SHA1, SHA2, ...
- Features:
  - Few such primitives
  - Bugs rare
  - Design an art, confidence by history.
- Drawback: Don’t directly solve any security problem.

Example Assumptions: Crypto Primitives (cont.)
- Goal: Solve security problem of direct interest.
- Examples: encryption, authentication, digital signatures, key distribution, ...
- Features:
  - Lots of them
  - Bugs common in practice
- History shows that building schemes from primitives is usually the weak link:
  - AES or SHA-2 secure, yet
  - Higher level scheme insecure

Theory of Computation
An Introduction

Computation Model
- Computation in cryptography is done by algorithms.
- But, what is an algorithm?
  - Wikipedia: a step-by-step procedure for calculations.
  - Oxford dictionary: a process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer.
- We need a precise definition for algorithm/computation.
- Formal definition: An algorithm = A Turing machine (which halts on all inputs)

Turing Machines
- What is a Turing machine?
- Semantics:
  - An automaton with access to an infinite tape.
  - Initially, the input is on the tape.
  - Upon halting (if it halts), the tape content is the output.

Turing Machines (cont.)
- What is a Turing machine?
- Syntax: is a 5-tuple, where
  - is a finite, non-empty set of states
  - is the set of symbols
  - is the initial state
  - is the set of final or accepting states
  - is a transition function, where L is left shift, R is right shift, and is no move.

Turing Machines (cont.)
- Time complexity of :
  - Maximum number of transitions for all inputs of length .
  - Some ’s may not be in the domain. Why?
- Space complexity of :
  - Maximum number of (scratch) memory cells used for all inputs of length .
- FACT: Any of today’s supercomputers can be simulated by a Turing machine.
- The notion of computability is fixed, regardless of the model of computation.
- (Some text from Wikipedia)

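The time and space measures above, as an added Python example (not part of the original slides): a single-tape simulator that counts transitions and visited cells, and takes the worst case over all inputs of a given length. The dictionary encoding of the transition function, the move letter "N" for no move, the blank "_", the step budget, counting every visited tape cell as space, and both sample machines are assumptions of this example.

```python
from itertools import product

BLANK = "_"  # assumed blank-tape symbol
SHIFT = {"L": -1, "R": 1, "N": 0}  # "N" (no move) is a name assumed here

def run(delta, start, finals, word, max_steps=10_000):
    """Run the machine on `word`; return (accepted, transitions, cells visited),
    or None if it has not halted after max_steps transitions."""
    tape = dict(enumerate(word))       # initially, the input is on the tape
    state, head, steps, visited = start, 0, 0, {0}
    while state not in finals:
        key = (state, tape.get(head, BLANK))
        if key not in delta:           # no applicable transition: halt, reject
            return False, steps, len(visited)
        if steps == max_steps:         # budget exhausted: treat as non-halting
            return None
        state, tape[head], move = delta[key]
        head += SHIFT[move]
        visited.add(head)
        steps += 1
    return True, steps, len(visited)

def complexity(delta, start, finals, n, alphabet="01"):
    """Worst case over all inputs of length n: (time, space).
    None means some input of length n did not halt, so n has no value."""
    worst_time = worst_space = 0
    for word in product(alphabet, repeat=n):
        result = run(delta, start, finals, word)
        if result is None:
            return None
        _, steps, cells = result
        worst_time = max(worst_time, steps)
        worst_space = max(worst_space, cells)
    return worst_time, worst_space

# Constructed machine 1: accepts words with an even number of 1s.
PARITY = {
    ("even", "0"): ("even", "0", "R"), ("even", "1"): ("odd", "1", "R"),
    ("odd", "0"): ("odd", "0", "R"),   ("odd", "1"): ("even", "1", "R"),
    ("even", BLANK): ("acc", BLANK, "N"),
}
# Constructed machine 2: never leaves a cell holding 1, so it does not halt.
STUCK = {
    ("q", "0"): ("q", "0", "R"), ("q", "1"): ("q", "1", "N"),
    ("q", BLANK): ("acc", BLANK, "N"),
}

if __name__ == "__main__":
    for n in range(4):
        print(n, complexity(PARITY, "even", {"acc"}, n),
              complexity(STUCK, "q", {"acc"}, n))
```

PARITY halts on every input, so its worst-case time is defined for every length; STUCK has a value only for length 0, because every longer length includes an input on which it never halts.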
Course Topics (tentative)

Course Topics
- Preliminaries (1 sess.)
  - Some fundamental concepts from complexity theory
  - Deeper look on security definition and model
  - Games as a useful tool for security definition and proof
- Primitives (1 sess.)
  - Mathematical notions for crypto primitives, e.g., one-way functions (OWF) and trapdoor permutations (TDP)
- Pseudo-randomness (1 sess.)
  - The notions of randomness and pseudo-randomness
  - Mathematical notions to capture pseudo-random primitives, e.g., pseudo-random generators (PRNG) and pseudo-random functions (PRF)

Course Topics (cont.)
- Simple cryptographic proofs (1 sess.)
  - Constructing and proving secure primitives, e.g., PRFs from PRGs
  - Samples of security definitions, attack models, and security proofs.
- Symmetric encryption (2 sess.)
  - Minimal full-fledged security definition for encryption (CPA)
  - Simple encryption scheme built upon PRFs
  - Provably-secure operation modes
  - Stronger notions of security for symmetric encryption (CCA).

Course Topics (cont.)
- Hash functions and message authentication codes (2 sess.)
  - Universal and collision-resistant hash function (CRHF)
  - Provably-secure message authentication codes
  - Provably-secure hash functions from other primitives, such as block ciphers.
  - Secure MACs using PRFs, CRHFs, and block ciphers.
- Asymmetric (public-key) encryption (3 sess.)
  - Different definitions for different levels of security for a public-key encryption scheme (CPA, CCA, CCA2, etc.)
  - Constructions: RSA, El-Gamal, GM, etc.

Course Topics (cont.)
- Mathematics of public-key cryptography (2 sess.)
  - Quick review on mathematical backgrounds, i.e., group theory, factoring, discrete logarithm problems, elliptic curves, etc.
- Applied provably-secure schemes (1 sess.)
  - Applications of provably-secure schemes
  - Authenticated encryption schemes and hybrid encryption

Course Topics (cont.)
- Other topics
  - Digital signature schemes (2 sess.)
  - Simulation-based security definitions (3 sess.)
  - Random oracle model (2 sess.)
  - Identification and key distribution (3 sess.)
  - Two-party and multi-party computation (3 sess.)
  - Quantum and post-quantum cryptography (1 sess.)
  - Review of other not-covered topics (1 sess.)

References
[KL08] Katz, Jonathan, and Yehuda Lindell. Introduction to modern cryptography: principles and protocols. CRC Press, 2007.
[EBFK13] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 73-84. ACM, 2013.

The End
Course page: http://ce.sharif.edu/courses/94-95/2/ce675-1
In-person visits for questions: Tuesdays, 17 to 18
(fifth floor of the department, glass door next to the elevator)
or at other times by prior appointment
or by e-mail: dousti@ce