Applied Crypto:
Introduction
Amir Rezapour
Institute of Information Security,
National Tsing Hua University
Introduction
• The goal of cryptographic objects is to protect other
objects.
– Thus, we need to ensure their security first.
NTHU Applied Crypto 2024 1
Lecture objectives
• Design and analysis of cryptographic objects (primitives
and protocols).
• Rigorously deal with security definitions and proofs of
cryptographic objects.
• Background
– Basic cryptography
– Computer algorithms
– Probability
Objectives of cryptography
• Secrecy (privacy, confidentiality): data are protected
from unauthorized access
• Integrity: data are assured to be unmodified.
• Authentication:
– data origin authentication: the receiver is able to verify the origin
of a received message.
– entity authentication: the sender and the receiver are able to
identify each other.
• Non-repudiation: the sender is not able to later deny the
messages he sent
Secrecy
• The classic task of cryptography is to encrypt data for
secrecy.
– 𝐸/𝐷: encryption/decryption method
– 𝑘: a key from the key space 𝐾
– Encryption: plaintext 𝑚 → ciphertext 𝑐 under (𝐸, 𝑘).
– Decryption: ciphertext 𝑐 → plaintext 𝑚 under (𝐷, 𝑘).
Secrecy
• Symmetric-key (secret-key, or one-key) encryption:
– One secret key 𝑘 shared by the sender and the receiver
– 𝑐 = 𝐸(𝑘, 𝑚)
– 𝐷(𝑘, 𝑐) = 𝐷(𝑘, 𝐸(𝑘, 𝑚)) = 𝑚
• Caesar’s shift cipher:
– 𝑐 = 𝐸(𝑘, 𝑚) = (𝑚 + 𝑘) mod 26, where 𝑚 is an English letter encoded as 0–25.
– 𝑚 = 𝐷(𝑘, 𝑐) = (𝑐 − 𝑘) mod 26.
Secrecy
• Public-key (asymmetric, or two-key) encryption:
– Each user has a key pair (𝑠𝑘, 𝑝𝑘);
– 𝑝𝑘 is the public key known to all users;
– 𝑠𝑘 is the private key of the user;
– Given 𝑝𝑘, it is hard to derive 𝑠𝑘.
– 𝐷(𝑠𝑘, 𝐸(𝑝𝑘, 𝑚)) = 𝑚.
Integrity
• Message authentication code: a tag attached to a message so
that any modification of the message is detected.
• Secret-key method:
– Alice (sender) and Bob (receiver) share a secret key 𝑘;
– ℎ is a cryptographic hash function;
– Alice → Bob: (𝑚, 𝑚̄), where 𝑚̄ = ℎ(𝑘 ∥ 𝑚 ∥ 𝑘).
– Bob: check whether 𝑚̄ = ℎ(𝑘 ∥ 𝑚 ∥ 𝑘).
• Public-key method: digital signature
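The secret-key method above, written out as an added Python example (not code from the lecture): Alice tags with ℎ(𝑘 ∥ 𝑚 ∥ 𝑘) using SHA-256 as ℎ, Bob recomputes and compares, and a message altered in transit fails the check. The key and message are constructed sample values.

```python
import hashlib
import hmac

def tag(k: bytes, m: bytes) -> bytes:
    """The slide's construction: m-bar = h(k || m || k) with h = SHA-256.
    Placing the key on both sides is what sets it apart from h(k || m),
    which is open to hash length-extension."""
    return hashlib.sha256(k + m + k).digest()

def alice_send(k: bytes, m: bytes):
    """Alice -> Bob: (m, m-bar)."""
    return m, tag(k, m)

def bob_verify(k: bytes, m: bytes, mbar: bytes) -> bool:
    """Bob recomputes h(k || m || k) and compares; compare_digest keeps the
    comparison constant-time so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(tag(k, m), mbar)

def hmac_tag(k: bytes, m: bytes) -> bytes:
    """The standardised alternative (HMAC, RFC 2104), shown for comparison."""
    return hmac.new(k, m, hashlib.sha256).digest()

# Constructed sample values, not from the lecture
KEY = b"shared-secret-key-demo"
MSG = b"Buy 500 shares of NYSE:tsm for 81$."

def demo():
    """Returns (genuine message accepted, tampered message accepted)."""
    m, mbar = alice_send(KEY, MSG)
    accepted = bob_verify(KEY, m, mbar)
    # An in-transit modification changes h(k || m || k), so the old tag fails
    tampered = bob_verify(KEY, m.replace(b"500", b"900"), mbar)
    return accepted, tampered
```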
Integrity: Protected Password
• Files anti-virus
Non-repudiation
• A customer (Alice) sends a message to a stockbroker
(Bob) to buy some stocks
– Later, Alice denies sending the message!
(Figure: timeline 𝑡1, 𝑡2, 𝑡3. At 𝑡1 Alice → Bob: "Buy 500 shares of
NYSE:tsm for 81$." At 𝑡3 Alice: "I didn't ask you to buy!")
Non-repudiation
• Digital signature: a public-key method of emulating
handwritten signatures to ensure non-repudiation.
– Signing (private) key: 𝑠𝑘 for the signer
– Verification (public) key: 𝑣𝑘 (also written 𝑝𝑘) for verifiers
– 𝑠 = 𝑆𝑖𝑔𝑛(𝑠𝑘, 𝑚);
– 𝑉𝑒𝑟𝑖𝑓𝑦(𝑣𝑘, 𝑚, 𝑠) = true or false.
• Hash-then-sign: 𝑠 = 𝑆𝑖𝑔𝑛(𝑠𝑘, ℎ(𝑚)).
– ℎ: a cryptographically strong hash function
Cryptographic primitive
• Basic cryptographic functions/methods
– Public-key encryption method
– Secret-key encryption method
– Stream cipher
– Digital signature algorithm
– Cryptographic hash function
– Pseudorandom bit generator
– …
Cryptographic protocol
• A well-defined series of steps of combining various
primitives to achieve a cryptographic objective
• Two or more parties are involved and interact.
• Examples
– Key exchange/establishment protocol
– Mutual authentication protocol
– Electronic voting
– Secure payment system
– Bitcoin
Cryptographic protocol
• One-way authentication protocol
– By digital signature.
Setup: Alice publishes her public key 𝑝𝑘_Alice.
1. Bob → Alice: a randomly chosen challenge 𝑐.
2. Alice → Bob: 𝑠 = 𝑆𝑖𝑔𝑛(𝑠𝑘_Alice, 𝑐).
3. Bob: accept Alice's proof of identity if
𝑉𝑒𝑟𝑖𝑓𝑦(𝑝𝑘_Alice, 𝑐, 𝑠) = true.
Cryptanalysis
• Study attacks against cryptographic schemes.
1. Kerckhoffs's principle: the adversary Eve knows all details
about a cryptosystem except the private keys in use.
2. Break security objectives
• distinguish ciphertexts from random strings
• find "information" about the plaintext
• recover the plaintext from the ciphertext
• recover private keys of the cryptosystem
Adversaries
• Limited vs unlimited computing power
• Passive adversary
– Follow the protocol honestly
– Observe communications
– Use computing power on what was observed
• Active adversary: deviate in an arbitrary way
– inject false messages
– send wrong messages
– impersonation
– Query oracles (signing, keys, etc.)
– …
Provable security
• Mathematical proofs for showing that a cryptosystem
achieves some security objective under specified
attacks.
• Security model: security objective + attack model
• Security objectives
– Perfect/computational secrecy
– Whole/partial recovery
– Indistinguishability
• Attack models
– Chosen-plaintext attack
– Adaptively-chosen-ciphertext attack
– Side channel attack: power analysis, fault analysis,...
Provable security: Example
• Vernam’s one-time pad:
– Secret-key encryption: Alice and Bob share a secret key 𝑘,
which is truly random and used only once
– 𝐸(𝑘, 𝑚) = 𝑚 ⊕ 𝑘
– Security objective: perfect secrecy (unconditional security)
– Attack model: ciphertext-only attack by the adversary of
unlimited computing power
• Why is Vernam's one-time pad secure?
– Think: if 𝑐 = 𝑚 ⊕ 𝑘 = 1001, what is 𝑚?
– Under chosen-plaintext attack?
– Under chosen-ciphertext attack?
Under chosen-plaintext attack
• Adv can query the ciphertext of chosen plaintexts.
Adversary ↔ One-time pad (KeyGen() draws a fresh key for every query)
– Target: 𝑐 = 1001, 𝑚 = ?
– Plaintext query 𝑚1 = 1010: the pad picks 𝑘1 = 0111 and returns 𝑐1 = 1101
– Plaintext query 𝑚2 = 0100: the pad picks 𝑘2 = 0011 and returns 𝑐2 = 0111
– ⋮
Outputs 𝑚 = 0101, correct/wrong?
Under chosen-ciphertext attack
• Adv can query the plaintext of chosen ciphertexts.
Adversary ↔ One-time pad (KeyGen() draws a fresh key for every query)
– Target: 𝑐 = 1001, 𝑚 = ?
– Ciphertext query 𝑐1 = 0100: the pad picks 𝑘1 = 1001 and returns 𝑚1 = 1101
– Ciphertext query 𝑐2 = 1111: the pad picks 𝑘2 = 1010 and returns 𝑚2 = 0101
– ⋮
Outputs 𝑚 = 1010, correct/wrong?
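An added Python walkthrough of the two query tables above (the chosen-plaintext and chosen-ciphertext slides); it is not part of the lecture. It assumes 4-bit strings, replays the slides' fixed keys, counts the plaintexts still consistent with the target 𝑐 = 1001, and ends with what happens when a key is reused, which the one-time pad forbids.

```python
import secrets

def xor(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings: xor("1010", "0111") == "1101"."""
    assert len(a) == len(b)
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def keygen(nbits: int = 4) -> str:
    """KeyGen() from the slides: a fresh, uniformly random key, used only once."""
    return format(secrets.randbits(nbits), f"0{nbits}b")

def encrypt(k: str, m: str) -> str: return xor(m, k)   # E(k, m) = m xor k
def decrypt(k: str, c: str) -> str: return xor(c, k)   # D(k, c) = c xor k

def oracle_query(x: str) -> str:
    """Answers a CPA query (x = chosen plaintext) or a CCA query (x = chosen
    ciphertext). The pad draws a fresh key each time, so the answer is a
    uniform random string carrying no information about the target's key."""
    return xor(x, keygen(len(x)))

def replay_slide(pairs):
    """Replay a slide table with its fixed keys: [(query, key), ...] -> answers."""
    return [xor(x, k) for x, k in pairs]

def candidates(target: str) -> set:
    """Plaintexts still consistent with the target ciphertext. For every m the
    key k = m xor target explains it, so no m is ruled out: 16 of 16 for 4 bits."""
    n = len(target)
    return {xor(target, format(k, f"0{n}b")) for k in range(2 ** n)}

def key_reuse_leaks(m1: str, m2: str, k: str) -> bool:
    """Why 'used only once' matters: under one shared key, c1 xor c2 = m1 xor m2,
    so the pad no longer hides the relation between the two plaintexts."""
    return xor(encrypt(k, m1), encrypt(k, m2)) == xor(m1, m2)
```

Whichever value the adversary outputs (0101 or 1010), candidates("1001") still contains all 16 plaintexts, so the guess is no better than chance.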
Computational security
• The adversary’s computing power is poly-time bounded.
– Example: RSA encryption: 𝑝𝑘 = (𝑒, 𝑛), 𝑠𝑘 = (𝑑, 𝑛), 𝑛 = 𝑝𝑞,
𝑒𝑑 = 1 (mod 𝜑(𝑛))
• 𝑐 = 𝐸((𝑒, 𝑛), 𝑚) = 𝑚^𝑒 mod 𝑛
• 𝑚 = 𝐷((𝑑, 𝑛), 𝑐) = 𝑐^𝑑 mod 𝑛
• It is computationally secure under the ciphertext-only attack
• It is not perfectly secure
• Why?
– For any ((𝑒, 𝑛), 𝑐), 𝑚 is unique and computable in finite time.
– Poly-time algorithms for computing 𝑚 from ((𝑒, 𝑛), 𝑐) have not
been found yet.
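An added Python example, not from the lecture, serving both the one-way authentication protocol (slide 13) and the RSA slide above: textbook RSA with the constructed toy primes 61 and 53 and 𝑒 = 17 (a classic small example, useless for real security), a signed challenge-response run by Bob, the finite-time exhaustive search that shows the scheme is not perfectly secure, and the recovery of 𝑑 once 𝑛 is factored. Function names are this example's own.

```python
from math import gcd
import secrets

# Constructed toy parameters (the classic textbook pair): far too small for
# real use, chosen so that the search and factoring steps finish instantly.
P, Q, E = 61, 53, 17

def keygen(p, q, e):
    """pk = (e, n), sk = (d, n) with n = pq and ed = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)

def encrypt(pk, m): return pow(m, pk[0], pk[1])   # c = m^e mod n
def decrypt(sk, c): return pow(c, sk[0], sk[1])   # m = c^d mod n

# Textbook RSA signature on a challenge c < n: Sign(sk, c) = c^d mod n and
# Verify(pk, c, s) checks s^e = c mod n (no hash-then-sign, to stay short).
def sign(sk, c): return decrypt(sk, c)
def verify(pk, c, s): return encrypt(pk, s) == c

def one_way_auth(pk_alice, sk_prover, challenge=None):
    """The slide's protocol, run by Bob against whoever holds sk_prover.
    Returns True iff Bob accepts the proof of identity."""
    n = pk_alice[1]
    c = secrets.randbelow(n) if challenge is None else challenge  # 1. Bob -> Alice
    s = sign(sk_prover, c)                                        # 2. Alice -> Bob
    return verify(pk_alice, c, s)                                 # 3. Bob decides

def recover_by_search(pk, c):
    """'m is unique and computable in finite time': try every m < n.
    Finite, but exponential in the bit length of n, hence not poly-time."""
    e, n = pk
    return next(m for m in range(n) if pow(m, e, n) == c)

def recover_sk_by_factoring(pk):
    """Hardness assumption in action: an efficient factoring algorithm would
    yield d directly. Trial division plays that role for toy-sized n."""
    e, n = pk
    p = next(p for p in range(2, int(n ** 0.5) + 1) if n % p == 0)
    return (pow(e, -1, (p - 1) * (n // p - 1)), n)
```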
Hardness assumption
• A computational problem that is assumed not to be poly-time
solvable.
– There is still no mathematical proof for the assumption.
– It is still possible to find a poly-time algorithm for it.
• Assumed computationally hard problems (not poly-time
solvable)
– Factorization: given 𝑛, compute its prime factors
– Discrete logarithm: given (𝑔, 𝑝, 𝑦), compute 𝑥 = log_𝑔 𝑦 mod 𝑝, i.e. 𝑥 with 𝑔^𝑥 ≡ 𝑦 (mod 𝑝)
Problem reduction
• Notation: Π ≺𝑝𝑜𝑙𝑦−𝑡𝑖𝑚𝑒 Γ
– If there is a poly-time algorithm 𝐴 for solving Γ, there is another
poly-time algorithm 𝐵 for solving Π.
– An instance of Π can be transformed into an instance of Γ.
• Note: The same meaning: (1) Reduce Π to Γ. (2) Γ is
reduced to Π.
Problem reduction
• Example:
– Π: Given (𝑎, 𝑛), find the Jacobi symbol 𝐽(𝑎, 𝑛).
– Γ: Given 𝑛, find prime factorization of 𝑛.
Problem reduction
• Example: graph coloring
– Π: Given 𝐺 = (𝑉, 𝐸), find the minimum number of colors needed for coloring 𝐺.
– Γ: Given (𝐺, 𝑘), can 𝐺 be colored with at most 𝑘 colors?
– Π ≺𝑝𝑜𝑙𝑦−𝑡𝑖𝑚𝑒 Γ (figure): algorithm 𝐵 takes the Π-instance 𝐺 and
queries the Γ-solver 𝐴 on (𝐺, |𝑉| − 1) → yes, (𝐺, |𝑉| − 2) → yes, …,
counting the yes answers in 𝑖, until (𝐺, |𝑉| − 𝑖 − 1) → no.
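The figure's algorithm 𝐵 in Python, as an added example that is not from the lecture. The Γ-solver 𝐴 is stood in by a brute-force 𝑘-colorability check (𝐵 only uses it as a black box, which is all a reduction needs), and the sample graphs are constructed.

```python
from itertools import product

def colorable(G, k):
    """Oracle A for Gamma: can G = (V, E) be coloured with at most k colours?
    Brute force over all assignments; it stands in for the assumed poly-time
    solver, and B below treats it purely as a black box."""
    V, E = G
    verts = sorted(V)
    for assignment in product(range(k), repeat=len(verts)):
        col = dict(zip(verts, assignment))
        if all(col[u] != col[v] for u, v in E):
            return True
    return False

def min_colors(G, A=colorable):
    """Algorithm B for Pi, following the figure: query A on (G, |V|-1),
    (G, |V|-2), ... while the answer is yes and stop at the first no.
    Returns (minimum number of colours, number of oracle queries made)."""
    V, E = G
    k, queries = len(V), 0
    while k > 0:
        queries += 1                 # each query is one Gamma-instance built from G
        if not A(G, k - 1):          # first 'no': k colours are necessary
            break
        k -= 1
    return k, queries

# Constructed sample graphs: (vertex set, edge list)
TRIANGLE = ({"a", "b", "c"}, [("a", "b"), ("b", "c"), ("a", "c")])
SQUARE = ({"a", "b", "c", "d"}, [("a", "b"), ("b", "c"), ("c", "d"), ("d", "a")])
NO_EDGES = ({"a", "b", "c"}, [])
```

B makes at most |𝑉| oracle calls, so if 𝐴 ran in poly-time, 𝐵 would too, which is exactly what Π ≺𝑝𝑜𝑙𝑦−𝑡𝑖𝑚𝑒 Γ asserts.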
Security proof by reduction
• To prove security of a cryptosystem Λ:
– Define Γ: the problem of breaking Λ
– Find a hard problem Π.
– Reduce Π to Γ : Π ≺𝑝𝑜𝑙𝑦−𝑡𝑖𝑚𝑒 Γ.
Security proof by reduction
• Reduce the hard problem Π to Γ, the problem of breaking Λ:
– Step 1. Assume that there is a poly-time algorithm 𝐴 for
breaking Γ. That is, Λ is not secure under the specified security
model.
– Step 2. Design a poly-time algorithm 𝐵, which uses 𝐴, to solve
the hard problem Π.
• Since Π is (assumed) hard, no such poly-time 𝐵 for solving Π
exists. Therefore, 𝐴 does not exist.
• This implies that if Π is hard, Γ is not poly-time solvable, i.e. Λ is
secure under the defined security model.
Randomness and security
• Random bits are unpredictable by the adversary.
• There is no security without randomness.
• Secret keys must be chosen randomly.
• Example:
– One-time pad: 𝐸(𝑘, 𝑚) = 𝑘 ⊕ 𝑚.
– The secret key 𝑘 must be randomly chosen.