CSL759: Cryptography and Computer Security: Ragesh Jaiswal CSE, IIT Delhi

This document provides an introduction and overview of the CSL759 Cryptography and Computer Security course. It discusses the course administrative details like evaluation components and reference materials. It then provides an introduction to cryptography, covering its early history as an art of secret writing, its modern applications, and the theme of provable security - constructing protocols and proving their security based on underlying hard problems. Finally, it discusses concepts in secure communication like substitution ciphers, the Vigenere cipher, the one-time pad, and the notion of perfect secrecy.

Uploaded by

Pawan Nani
CSL759: Cryptography and Computer Security
Ragesh Jaiswal
CSE, IIT Delhi
Administrative information
• Course webpage:
  • www.cse.iitd.ac.in/~rjaiswal/2013/csl759
• Evaluation components:
  • Minor 1 and 2 exams: 15% each
  • Homework (2 - 3): 20%
  • Project: 20%
  • Major exam: 20%
• Reference material:
  • Mihir Bellare’s slides and notes (available on the web).
  • Introduction to Modern Cryptography (Katz and Lindell).
  • Foundations of Cryptography (Oded Goldreich).
  • Other notes/slides/practice material on the web.
• Pre-requisites:
  • Basic probability theory
  • Algorithms
  • Comfortable in reading/writing rigorous mathematical proofs
• Lecture Timing:
  • To be decided.
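Introduction
• Throughout most of history:
  • Cryptography = art of secret writing
  • Secure communication
[Figure: secure communication. The sender encrypts the message $M$ as $C = E_K(M)$ and the receiver recovers $M = D_K(C)$; both hold the key $K$, shared through a key exchange protocol.]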
Introduction
• Early history ( - early 70s):
  • Synonymous with secret communication.
  • Restricted to Military and Nobility.
  • More of an art than a rigorous science.
[Figure: "Design protocol" / "Protocol broken"]
• Modern Cryptography:
  • Digital signatures, e-cash, secure computation, e-voting …
  • Touches most aspects of modern lifestyle.
  • Rigorous science:
    • Reason about security of protocols.
Introduction: Theme of this course
• Theme: Reason about security of protocols (Provable security)
  • Fix security goals and formalize the notion of security.
  • Construct a protocol.
  • Show that a successful attack as per the security notion results in a successful attack on an underlying problem that is believed to be hard to solve.
• What you should hope to learn in the course:
  • Learn basic cryptographic primitives and their interesting properties.
  • Reasoning about security of protocols.
  • Numerous applications/examples.
Introduction: Provable security
[Figure: basic primitives and hard problems (Factoring, Discrete log, AES, MD5) are the input to a protocol construction, which outputs a protocol.]
We would like to argue:
• If the basic primitive/problem is secure/hard, then the constructed protocol is “secure”.
• If there is an adversary that successfully attacks the protocol, then there is another adversary that successfully attacks/solves at least one of the basic primitives/problems.
Introduction
Secure communication
Introduction: Secure communication
• Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication.
• Simple idea (Caesar Cipher): Substitute each letter with the letter that is the $\alpha$th letter after it in the sequence AB...Z.
  • Example ($\alpha = 2$): SEND TROOPS → UGPF VTQQRU
• Security was based on the fact that the encryption algorithm was a secret (security through obscurity).
  - Should be avoided at all cost!
  - Algorithm should be public and security should come from secret keys.
• Suppose we make the algorithm public and use the secret key as $\alpha$. Can you break this protocol?
Introduction: Secure communication
• Simple idea (Substitution Cipher): Let $\pi$ be a permutation of the English letters. Substitute each letter $\alpha$ with the letter $\pi(\alpha)$. $\pi$ acts as the secret key.
  • Example: Let $\pi(A) = U$, $\pi(B) = T$, $\pi(C) = P$, … then the encryption of CAB is PUT.
• Question: How much space do you need to store the secret key?
• Consider a brute-force attack where you try to guess the secret key. Is such an attack feasible?
• Can you break this scheme?
• Attack idea: E’s occur more frequently than X’s.
[Figure: frequency of letters in typical English sentences.]
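The two attack ideas above (searching every value of $\alpha$ for the Caesar cipher, and counting letters for the substitution cipher), as an added Python example that is not part of the original slides. The full permutation `PI` and the plaintext `SAMPLE` are constructed for illustration; `PI` only agrees with the slide on $\pi(A)$, $\pi(B)$ and $\pi(C)$.

```python
from collections import Counter
import string

ALPHA = string.ascii_uppercase

def caesar_encrypt(msg, alpha):
    """Shift each letter alpha places forward in AB...Z; other characters pass through."""
    return "".join(ALPHA[(ALPHA.index(c) + alpha) % 26] if c in ALPHA else c
                   for c in msg)

def caesar_candidates(ct):
    """Exhaustive key search: there are only 26 possible values of alpha."""
    return {alpha: caesar_encrypt(ct, -alpha) for alpha in range(26)}

def substitution_encrypt(msg, pi):
    """pi is a 26-letter string; pi[i] is the image of the i-th letter of AB...Z."""
    return msg.translate(str.maketrans(ALPHA, pi))

def letter_counts(text):
    return Counter(c for c in text if c in ALPHA)

def guess_image_of_e(ct):
    """First step of the frequency attack: the commonest ciphertext letter is likely pi(E)."""
    return letter_counts(ct).most_common(1)[0][0]

# Constructed permutation extending the slide's pi(A)=U, pi(B)=T, pi(C)=P.
PI = "UTPABCDEFGHIJKLMNOQRSVWXYZ"
# Constructed sample plaintext in which E is clearly the most frequent letter.
SAMPLE = "MEET ME NEAR THE TREE WHERE WE SEE THE SHEEP EVERY EVENING"

if __name__ == "__main__":
    # Caesar: the reader of the 26 candidates spots the meaningful one.
    for alpha, candidate in caesar_candidates("UGPF VTQQRU").items():
        print(alpha, candidate)
    # Substitution: 26! keys rule out exhaustive search, but the histogram of
    # the ciphertext is just the plaintext histogram with relabelled letters.
    ct = substitution_encrypt(SAMPLE, PI)
    print(sorted(letter_counts(SAMPLE).values()) == sorted(letter_counts(ct).values()))
    print("guess for pi(E):", guess_image_of_e(ct), "actual:", PI[ALPHA.index("E")])
```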
Introduction: Secure communication
• Simple idea (Vigenère Cipher): Let $K$ be a short string. For any given message $M$, add repeated copies of $K$ to $M$. $K$ acts as the secret key.
  • Example: Let $K = AB$ and $M = ATTACK$. Then the ciphertext is $ATTACK + ABABAB = BVUCDM$.
• Can you break this scheme?
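An added Python example, not part of the original slides, that follows the slide's letter arithmetic (A counts as 1, so A + A = B) and shows why a short repeated key is weak: every key position is a fixed shift, so each column of the ciphertext leaks its shift through letter frequency. It assumes the key length is known and uses a constructed plaintext in which E dominates every column.

```python
from collections import Counter

A = ord("A")

def shift_of(key_letter):
    """Slide convention: A=1, B=2, ..., Z=26, so adding A moves a letter one place."""
    return ord(key_letter) - A + 1

def vigenere_encrypt(msg, key):
    """Add repeated copies of key to msg, letter by letter (uppercase letters only)."""
    return "".join(chr((ord(ch) - A + shift_of(key[i % len(key)])) % 26 + A)
                   for i, ch in enumerate(msg))

def vigenere_decrypt(ct, key):
    return "".join(chr((ord(ch) - A - shift_of(key[i % len(key)])) % 26 + A)
                   for i, ch in enumerate(ct))

def recover_key(ct, key_len):
    """Treat every key_len-th letter as one shift cipher and assume that the
    commonest letter of each column is the image of E."""
    key = []
    for col in range(key_len):
        top = Counter(ct[col::key_len]).most_common(1)[0][0]
        shift = (ord(top) - ord("E")) % 26
        key.append(chr((shift - 1) % 26 + A))  # invert shift_of()
    return "".join(key)

# Constructed sample plaintext (letters only); E is the commonest letter in
# both the even and the odd positions.
SAMPLE = "MEET ME NEAR THE TREE WHERE WE SEE THE SHEEP EVERY EVENING".replace(" ", "")

if __name__ == "__main__":
    print(vigenere_encrypt("ATTACK", "AB"))   # the slide's example
    ct = vigenere_encrypt(SAMPLE, "AB")
    print(ct)
    print("recovered key:", recover_key(ct, 2))
```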
Introduction: Secure communication
• Simple idea (One Time Pad (OTP)): Let the message $M$ be an $n$-bit binary string. Let $K$ be an $n$-bit binary string that is used as a secret key. Add $M$ and $K$ modulo 2 to get the ciphertext.
  • Example: $M = 1101$, $K = 0101$, then $C = M + K \pmod 2 = M \oplus K = 1000$.
• Can you break this scheme?
Introduction: Secure communication
• Perfect Secrecy (Information Theoretic Security):
  • Let the message space be $\{0,1\}^n$.
  • For any two messages $M_0, M_1$ and ciphertext $C$:
    $\Pr[E_K(M_0) = C] = \Pr[E_K(M_1) = C]$
    where the probability is over uniformly random $K$ in the keyspace.
  • Given the ciphertext, all messages are equally likely to be the secret message.
• One Time Pad (OTP):
  • The keyspace is $\{0,1\}^n$.
  • $E_K(M) = K \oplus M$
  • $D_K(C) = K \oplus C$
  • For any messages $M_0, M_1$ and ciphertext $C$:
    $\Pr[E_K(M_0) = C] = \Pr[E_K(M_1) = C] = 1/2^n$
  • Disadvantage: Key is as long as the message.
• Fact: If $|M| > |K|$, then no scheme is perfectly secure.
• How do we get around this problem?
  • Relax our notion of security: Instead of saying “it is impossible to break the scheme”, we would like to say “it is computationally infeasible to break the scheme”.
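The perfect secrecy definition can be checked by brute force for small $n$. The following is an added Python example, not part of the original slides: it computes $\Pr[E_K(M) = C]$ exactly for every message, confirms the $1/2^n$ value for the one time pad, and shows the definition failing for one scheme with $|M| > |K|$. The `repeated_key_encrypt` scheme is a hypothetical instance chosen for illustration; the Fact itself covers every such scheme.

```python
from fractions import Fraction
from itertools import product

def bitstrings(n):
    """All n-bit strings as tuples of 0/1."""
    return list(product((0, 1), repeat=n))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def otp_encrypt(key, msg):
    """E_K(M) = K xor M with |K| = |M|."""
    return xor(key, msg)

def repeated_key_encrypt(key, msg):
    """Hypothetical scheme with |K| < |M|: repeat the short key up to length |M|."""
    pad = tuple(key[i % len(key)] for i in range(len(msg)))
    return xor(pad, msg)

def ciphertext_distribution(encrypt, keyspace, msg):
    """Map each ciphertext C to Pr[E_K(msg) = C] for uniformly random K."""
    dist = {}
    for key in keyspace:
        c = encrypt(key, msg)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keyspace))
    return dist

def is_perfectly_secret(encrypt, keyspace, messages):
    """True iff every message induces the same distribution over ciphertexts."""
    dists = [ciphertext_distribution(encrypt, keyspace, m) for m in messages]
    return all(d == dists[0] for d in dists)

if __name__ == "__main__":
    n = 3
    msgs = bitstrings(n)
    print("OTP, 3-bit key:", is_perfectly_secret(otp_encrypt, bitstrings(n), msgs))
    print("repeated 2-bit key:", is_perfectly_secret(repeated_key_encrypt, bitstrings(2), msgs))
    # With the short key, a ciphertext rules out half of the messages:
    print(sorted(ciphertext_distribution(repeated_key_encrypt, bitstrings(2), (0, 0, 0))))
```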
Introduction: Pseudorandom generator
• Suppose there was a generator that stretches random bits.
[Figure: $G$ takes a short random string (001101011) and outputs a longer string (00101001001010010100101011).]
• Idea:
  • Choose a short key $K$ randomly.
  • Obtain $K' = G(K)$.
  • Use $K'$ as key for the one time pad.
• Issue:
  • Such a generator is not possible!
  • Any such generator produces a longer string but the string is not random.
• What if we can argue that the output of the generator is computationally indistinguishable from a truly random string?
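An added Python example, not part of the original slides, of the idea and of the issue. It assumes SHAKE-256 as a stand-in for $G$ and a toy 1-byte key so that the whole key space can be enumerated: only $2^{|K|}$ of the $2^n$ possible pads can ever occur, so an observer with unlimited time tells $G(K)$ from a random string, and the relaxed notion only asks that no efficient observer can.

```python
import hashlib

SEED_BYTES, OUT_BYTES = 1, 3   # toy sizes (assumption) so every seed can be tried

def G(seed: bytes, out_len: int = OUT_BYTES) -> bytes:
    """Stand-in generator (assumption): SHAKE-256 stretches seed to out_len bytes."""
    return hashlib.shake_256(seed).digest(out_len)

def encrypt(seed: bytes, msg: bytes) -> bytes:
    """One time pad keyed with K' = G(K) instead of a full-length random key."""
    pad = G(seed, len(msg))
    return bytes(m ^ p for m, p in zip(msg, pad))

decrypt = encrypt  # XOR with the same pad is its own inverse

def image_of_G():
    """Every string G can output: at most 2^8 of the 2^24 three-byte strings."""
    return {G(bytes([s])) for s in range(256)}

def unbounded_distinguisher(candidate: bytes) -> bool:
    """Answers 'came from G' iff some seed produces candidate.
    Cost is 2^|K| evaluations of G, which is infeasible for real key sizes."""
    return candidate in image_of_G()

def fraction_of_strings_reachable() -> float:
    return len(image_of_G()) / 2 ** (8 * OUT_BYTES)

if __name__ == "__main__":
    ct = encrypt(b"\x2a", b"hey")
    print(ct.hex(), decrypt(b"\x2a", ct))
    print("reachable fraction of pads:", fraction_of_strings_reachable())
    print("G output recognised:", unbounded_distinguisher(G(b"\x2a")))
```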
End
