1 Crypto


Lecture 1

Cryptography (historically)
“…the art of writing or solving codes…”

• Historically, cryptography focused exclusively on ensuring private communication between two parties sharing secret information in advance using “codes” (aka private-key encryption)
Modern cryptography
• Much broader scope!
– Data integrity, authentication, protocols, …
– The public-key setting
– Group communication
– More-complicated trust models
– Foundations (e.g., number theory, quantum-resistance) to systems (e.g., electronic voting, privacy-preserving ML, blockchain, DeFi)
Modern cryptography

Design, analysis, and implementation of mathematical techniques for securing information, systems, and distributed computations against adversarial attack
Cryptography (historically)
“…the art of writing or solving codes…”

• Historically, cryptography was an art
– Heuristic, unprincipled design and analysis
– Schemes proposed, broken, repeat…
Modern cryptography
• Cryptography is now much more of a science
– Rigorous analysis, firm foundations, deeper
understanding, rich theory

• The “crypto mindset” has permeated other areas of computer security
– Threat modeling
– Proofs of security
Cryptography (historically)
• Used primarily for military/government
applications, plus a few niche applications in
industry (e.g., banking)
Modern cryptography
• Cryptography is ubiquitous!
– Password-based authentication, password hashing
– Secure credit-card transactions over the internet
– Encrypted WiFi
– Disk encryption
– Digitally signed software updates
– Bitcoin
–…
Classical Cryptography
Classical cryptography
• Until the 1970s, relied exclusively on secret
information (a key) shared in advance
between the communicating parties

Private-key cryptography
– aka secret-key / shared-key / symmetric-key
cryptography
Private-key encryption
[Diagram: sender and receiver share a key k. The sender computes c ← Enc_k(m) on the message/plaintext m (encryption); the ciphertext c is transmitted; the receiver computes m := Dec_k(c) (decryption).]
Private-key encryption
• A private-key encryption scheme is defined by a message space M and algorithms (Gen, Enc, Dec):
– Gen (key-generation algorithm): outputs k ∈ K
– Enc (encryption algorithm): takes key k and message m ∈ M as input; outputs ciphertext c
c ← Enc_k(m)
– Dec (decryption algorithm): takes key k and ciphertext c as input; outputs m or “error”
m := Dec_k(c)
For all m ∈ M and k output by Gen,
Dec_k(Enc_k(m)) = m
Kerckhoffs’s principle
• The encryption scheme is not secret
– The attacker knows the encryption scheme
– The only secret is the key
– The key must be chosen at random; kept secret

• Arguments in favor of this principle
– Easier to keep key secret than algorithm
– Easier to change key than to change algorithm
– Standardization
• Ease of deployment
• Public scrutiny
The shift cipher
• Consider encrypting English text
• Associate ‘a’ with 0; ‘b’ with 1; …; ‘z’ with 25
• k ∈ K = {0, …, 25}
• To encrypt using key k, shift every letter of the plaintext by k positions (with wraparound)
• Decryption just does the reverse
• Example with key k = 2 (the letter ‘c’):
plaintext: helloworldz
key: ccccccccccc
ciphertext: jgnnqyqtnfb
Modular arithmetic
• x = y mod N if and only if N divides x-y
• [x mod N] = the remainder when x is divided by N
– I.e., the unique value y ∈ {0, …, N-1} such that
x = y mod N

• 25 = 35 mod 10
• 25 ≠ [35 mod 10]
• 5 = [35 mod 10]
The shift cipher, formally
• M = {strings over lowercase English alphabet}
• Gen: choose uniform k ∈ {0, …, 25}
• Enc_k(m_1…m_t): output c_1…c_t, where c_i := [m_i + k mod 26]
• Dec_k(c_1…c_t): output m_1…m_t, where m_i := [c_i - k mod 26]
• Can verify that correctness holds…
Is the shift cipher secure?
• No -- only 26 possible keys!
– Given a ciphertext, try decrypting with every
possible key
– Only one possibility will “make sense”
– (What assumptions are we making here?)

• Example of a “brute-force” or “exhaustive-search” attack
Example
• Ciphertext uryybjbeyq
• Try every possible key…
– tqxxaiadxp
– spwwzhzcwo
–…
– helloworld
Byte-wise shift cipher
• Work with an alphabet of bytes rather than
(English, lowercase) letters
– Works natively for arbitrary data!

• Use XOR instead of modular addition
– Essential properties still hold
Hexadecimal (base 16)
Hex   Bits (“nibble”)   Decimal
0     0000              0
1     0001              1
2     0010              2
3     0011              3
4     0100              4
5     0101              5
6     0110              6
7     0111              7
8     1000              8
9     1001              9
A     1010              10
B     1011              11
C     1100              12
D     1101              13
E     1110              14
F     1111              15
Hexadecimal (base 16)
• 0x10
– 0x10 = 16*1 + 0 = 16
– 0x10 = 0001 0000

• 0xAF
– 0xAF = 16*A + F = 16*10 + 15 = 175
– 0xAF = 1010 1111
Byte-wise shift cipher
• M = ({0,1}^8)* (i.e., strings of bytes)
• Gen: choose uniform k ∈ K = {0x00, …, 0xFF}
– 256 possible keys
• Enc_k(m_1…m_t): output c_1…c_t, where c_i := m_i ⊕ k
• Dec_k(c_1…c_t): output m_1…m_t, where m_i := c_i ⊕ k
• Verify that correctness holds…
ASCII
• Characters often represented in ASCII
– 1 byte/char = 2 hex digits/char
Source: http://benborowiec.com/2011/07/23/better-ascii-table/
Code for byte-wise shift cipher
// read key from key.txt (hex) and message from ptext.txt (ASCII);
// output ciphertext to ctext.txt (hex)
#include <stdio.h>

int main(void) {
    FILE *keyfile, *pfile, *cfile;
    int ch;              /* int, so that EOF from fgetc is distinguishable from data */
    unsigned char key;

    keyfile = fopen("key.txt", "r");
    pfile = fopen("ptext.txt", "r");
    cfile = fopen("ctext.txt", "w");
    if (keyfile == NULL || pfile == NULL || cfile == NULL) {
        printf("Error opening files.\n");
        return 1;
    }

    /* the key is two hex digits (e.g. "5A"); %2hhX stores them in an unsigned char */
    if (fscanf(keyfile, "%2hhX", &key) != 1) {
        printf("Error reading key.\n");
        return 1;
    }

    /* Enc_k: XOR every plaintext byte with the key byte; write each result as two hex digits */
    while ((ch = fgetc(pfile)) != EOF)
        fprintf(cfile, "%02X", (unsigned)(ch ^ key));

    fclose(keyfile);
    fclose(pfile);
    fclose(cfile);
    return 0;
}
Is this scheme secure?
• No -- only 256 possible keys!
– Given a ciphertext, try decrypting with every
possible key
– If ciphertext is long enough, only one plaintext will
“make sense”

• Sufficient key space principle
– The key space must be large enough to make exhaustive-search attacks impractical
• How large do you think that is?
– Technical note (more next lecture): only true when the plaintext is sufficiently long
Can we improve the attack?
• Useful observations about ASCII
– Only 128 valid ASCII chars (128 bytes invalid)
– Only 0x20-0x7E printable
– 0x41-0x7a includes all upper/lowercase letters
• Uppercase letters begin with 0x4 or 0x5
• Lowercase letters begin with 0x6 or 0x7

• Can we break the scheme without trying all 256 possible keys?
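An added example (not code from the lecture slides) covering both the exhaustive search against the shift cipher (the uryybjbeyq example) and the byte-wise cipher with the printable-ASCII pruning just described; the plaintext, the key 0x5A and the letters-or-spaces scoring rule are constructed for illustration.

```python
# Added example (not from the lecture slides): exhaustive search against the
# shift cipher and the byte-wise (XOR) shift cipher, pruned with the ASCII
# observations above. All sample inputs are constructed.
ALPHA = "abcdefghijklmnopqrstuvwxyz"

def shift_decrypt(ciphertext: str, k: int) -> str:
    """Dec_k for the shift cipher: m_i := [c_i - k mod 26]."""
    return "".join(ALPHA[(ALPHA.index(ch) - k) % 26] for ch in ciphertext)

def shift_candidates(ciphertext: str) -> dict:
    """Brute force: all 26 decryptions; the reader (or a dictionary) picks the one that makes sense."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def bytewise_shift(data: bytes, key: int) -> bytes:
    """Enc_k and Dec_k of the byte-wise cipher are the same operation: c_i := m_i XOR k."""
    return bytes(b ^ key for b in data)

def is_printable_ascii(data: bytes) -> bool:
    """Observation from the slides: English plaintext only uses printable ASCII 0x20-0x7E."""
    return all(0x20 <= b <= 0x7E for b in data)

def candidate_keys(ciphertext: bytes) -> list:
    """Try all 256 keys but keep only those whose decryption is printable ASCII.
    The 128 keys that disagree with the true key in the top bit never survive,
    and every further ciphertext byte prunes the list more."""
    return [k for k in range(256) if is_printable_ascii(bytewise_shift(ciphertext, k))]

def english_score(data: bytes) -> int:
    """Constructed scoring rule: count bytes that are ASCII letters or spaces."""
    return sum(1 for b in data if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A)

def best_key(ciphertext: bytes) -> int:
    """Among the surviving candidates, pick the key whose decryption looks most like English."""
    return max(candidate_keys(ciphertext),
               key=lambda k: english_score(bytewise_shift(ciphertext, k)))

if __name__ == "__main__":
    # Slide example: ciphertext uryybjbeyq decrypts to helloworld under key 13
    print(shift_candidates("uryybjbeyq")[13])
    # Constructed byte-wise example; the C program above would read the key from key.txt as "5A"
    ct = bytewise_shift(b"attack at dawn", 0x5A)
    print(ct.hex().upper())                       # the hex the C program writes to ctext.txt
    print(len(candidate_keys(ct)), "keys survive the printable-ASCII filter")
    print(hex(best_key(ct)), bytewise_shift(ct, best_key(ct)))
```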
The Vigenère cipher
• The key is multiple characters, not just one
• To encrypt, shift each character in the plaintext by the amount dictated by the next character of the key
– Wrap around in the key as needed
• Decryption just reverses the process
• Example with key “cafe” (shifts 2, 0, 5, 4):
plaintext: tellhimaboutme
key (repeated): cafecafecafeca
ciphertext: veqpjiredozxoe
The Vigenère cipher
• Size of key space?
– If keys are 14-character strings over the English alphabet, then key space has size 26^14 ≈ 2^66
– If variable length keys, even more…
– Brute-force search becomes infeasible
• Does that mean the Vigenère cipher is secure?
Attacking the Vigenère cipher
• Assume a 14-character key
• Observation: every 14th character is “encrypted” using the same shift
Ciphertext (excerpt): veqpjiredozxoeualpcmsdjquiqndnossoscdcusoakjqmxpqr
Characters sharing one shift (excerpt): hyycjqoqqodhjcciowieii
• Looking at every 14th character is (almost) like looking at a ciphertext encrypted with the shift cipher
– Though a direct brute-force attack doesn’t work (why not?)
Using plaintext letter frequencies
Attacking the Vigenère cipher
• Look at every 14th character of the ciphertext, starting with the first
– Call this the first “stream”
• Let α be the most common character appearing in this stream
• Most likely, α corresponds to the most common character of the plaintext (i.e., ‘e’)
– Guess that the first character of the key is α – ‘e’
• Repeat for all other positions
• This is somewhat haphazard … and does not use all the available information
A better attack (high level)
• Let p_i (0 ≤ i ≤ 25) denote the frequency of the ith English letter in normal English plaintext
– One can compute that Σ_i p_i^2 ≈ 0.065
• Let q_i denote the observed frequency of the ith letter in a given stream of the ciphertext
• If the shift for that stream is j, expect q_{i+j} ≈ p_i for all i
– So expect Σ_i p_i q_{i+j} ≈ 0.065
• Test for every value of j to find the right one
– Repeat for each stream
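As an added example (not code from the lecture slides), a Vigenère implementation together with the Σ_i p_i q_{i+j} test just described; the English letter frequencies are approximate published values, and the sample plaintext is constructed so that every stream has exactly English-like letter counts.

```python
# Added example (not from the lecture slides): Vigenere encryption/decryption and
# the stream-wise frequency attack sketched in "A better attack (high level)".
from collections import Counter

ALPHA = "abcdefghijklmnopqrstuvwxyz"

# Approximate frequencies (percent) of a..z in English text: the p_i of the slides.
ENGLISH_PCT = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
               6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]
P = [x / 100 for x in ENGLISH_PCT]      # sum of p_i^2 is about 0.065

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift text[i] by key[i mod len(key)] (subtract instead when decrypting)."""
    sign = -1 if decrypt else 1
    return "".join(ALPHA[(ALPHA.index(ch) + sign * ALPHA.index(key[i % len(key)])) % 26]
                   for i, ch in enumerate(text))

def shift_score(stream: str, j: int) -> float:
    """The slides' statistic sum_i p_i * q_{i+j}; close to 0.065 when j is the stream's shift."""
    counts = Counter(stream)
    q = [counts[ch] / len(stream) for ch in ALPHA]
    return sum(P[i] * q[(i + j) % 26] for i in range(26))

def recover_key(ciphertext: str, key_len: int) -> str:
    """For each stream (every key_len-th character) keep the shift j maximising shift_score."""
    key = ""
    for s in range(key_len):
        stream = ciphertext[s::key_len]
        key += ALPHA[max(range(26), key=lambda j: shift_score(stream, j))]
    return key

def constructed_sample(key_len: int) -> str:
    """Constructed plaintext (not real English): letter counts follow ENGLISH_PCT, and
    each letter is repeated key_len times so that every stream sees the same counts.
    A few hundred letters of real English per stream behave the same way in practice."""
    base = "".join(ch * round(x * 10) for ch, x in zip(ALPHA, ENGLISH_PCT))
    return "".join(ch * key_len for ch in base)

if __name__ == "__main__":
    print(vigenere("tellhimaboutme", "cafe"))          # veqpjiredozxoe, as on the slide
    ciphertext = vigenere(constructed_sample(4), "cafe")
    print(recover_key(ciphertext, 4))                   # cafe
```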
Lecture 2

So far…
• Heuristic constructions; build, break, repeat, …
– This isn’t very satisfying
• Can we prove that some encryption scheme is secure?
• First need to define what we mean by “secure” in the first place…
Modern cryptography
• Historically, cryptography was an art
– Heuristic design and analysis
• Starting in the early ‘80s, cryptography began to develop into more of a science
• Based on three principles that underpin most real-world cryptography today
Core principles of modern crypto
• Formal definitions
– Precise, mathematical model and definition of
what security means

• Assumptions
– Clearly stated and unambiguous

• Proofs of security
– Move away from design-break-patch cycle
Importance of definitions
• Definitions are essential for the design,
analysis, and sound usage of crypto
Importance of definitions -- design
• Developing a precise definition forces the
designer to think about what they really want
– What is essential and (sometimes more
important) what is not
• Often reveals subtleties of the problem
Importance of definitions -- design
If you don’t understand what you want to achieve, how can you possibly know when (or if) you have achieved it?
Importance of definitions -- analysis
• Definitions enable meaningful analysis,
evaluation, and comparison of schemes
– Does a scheme satisfy the definition?
– What definition does it satisfy?
• Note: there may be multiple meaningful definitions!
• One scheme may be less efficient than another, yet
satisfy a stronger security definition
Importance of definitions -- usage
• Definitions allow others to understand the
security guarantees provided by a scheme
• Enables schemes to be used as components of
a larger system (modularity)
• Enables one scheme to be substituted for
another if they satisfy the same definition
Assumptions
• With few exceptions, cryptography currently requires computational assumptions
– At least until we prove P ≠ NP (and even that would not be enough)
• Principle: any such assumptions must be made explicit
Importance of clear assumptions
• Allow researchers to (attempt to) validate
assumptions by studying them
• Allow meaningful comparison between
schemes based on different assumptions
– Useful to understand minimal assumptions needed
• Practical implications if assumptions are wrong

• Enable proofs of security
Proofs of security
• Provide a rigorous proof that a construction
satisfies a given definition under certain
specified assumptions
– Provides an iron-clad guarantee (relative to your
definition and assumptions!)

• Proofs are crucial in cryptography, where there is a malicious attacker trying to “break” the scheme
Defining secure encryption
Crypto definitions (generally)
• Security guarantee/goal
– What we want to achieve (or what we want to
prevent the attacker from achieving)

• Threat model
– What (real-world) capabilities the attacker is
assumed to have
Recall
• A private-key encryption scheme is defined by a message space M and algorithms (Gen, Enc, Dec):
– Gen (key-generation algorithm): generates k
– Enc (encryption algorithm): takes key k and message m ∈ M as input; outputs ciphertext c
c ← Enc_k(m)
– Dec (decryption algorithm): takes key k and ciphertext c as input; outputs m.
m := Dec_k(c)
Private-key encryption
[Diagram: sender and receiver share a key k. The sender computes c ← Enc_k(m) on the message/plaintext m (encryption); the ciphertext c is transmitted; the receiver computes m := Dec_k(c) (decryption).]
Threat models for encryption
• Ciphertext-only attack
– One ciphertext or many?

• Known-plaintext attack

• Chosen-plaintext attack

• Chosen-ciphertext attack
Goal of secure encryption?
• How would you define what it means for
encryption scheme (Gen, Enc, Dec) over
message space M to be secure?
– Against a (single) ciphertext-only attack
Secure encryption?
• “Impossible for the attacker to learn the key”
– The key is a means to an end, not the end itself
– Necessary (to some extent) but not sufficient
– Easy to design an encryption scheme that
hides the key completely, but is insecure
– Can design schemes where most of the key is
leaked, but the scheme is still secure
Secure encryption?
• “Impossible for the attacker to learn the
plaintext from the ciphertext”
– What if the attacker learns 90% of the plaintext?
Secure encryption?
• “Impossible for the attacker to learn any
character of the plaintext from the ciphertext”
– What if the attacker is able to learn (other)
partial information about the plaintext?
• E.g., salary is greater than $75K
– What if the attacker guesses a character correctly,
or happens to know it?
The right definition
• “Regardless of any prior information the
attacker has about the plaintext, the ciphertext
should leak no additional information about
the plaintext”
– How to formalize?
Perfect secrecy
Probability review
• Random variable: variable that takes on (discrete)
values with certain probabilities

• Probability distribution for a random variable gives the probabilities with which the variable takes on each possible value
– Each probability must be between 0 and 1
– The probabilities must sum to 1
Probability review
• Event: a particular occurrence in some experiment
– E.g., the event that random variable X takes value x
– Pr[E]: probability of event E

• Conditional probability: probability that one event occurs, given that some other event occurred
– Pr[A | B] = Pr[A and B]/Pr[B]
• Two random variables X, Y are independent if for all x, y: Pr[X=x | Y=y] = Pr[X=x]
Probability review
• Law of total probability: say E_1, …, E_n are a partition of all possibilities. Then for any A:
Pr[A] = Σ_i Pr[A and E_i] = Σ_i Pr[A | E_i] · Pr[E_i]
Notation
• K (key space) – set of all possible keys
• C (ciphertext space) – set of all possible ciphertexts
Probability distributions
• Let M be the random variable denoting the
value of the message
– M ranges over the message space M
– Context dependent!
– Reflects the likelihood of different messages being
sent, given the attacker’s prior knowledge
– E.g.,
Pr[M = “attack today”] = 0.7
Pr[M = “don’t attack”] = 0.3
Probability distributions
• Let K be a random variable denoting the key
– K ranges over the key space K
• Fix some encryption scheme (Gen, Enc, Dec)
– Gen defines a probability distribution for K: Pr[K = k] = Pr[Gen outputs key k]
– Generally the uniform distribution, but not always
Probability distributions
• Assume random variables M and K are
independent
– I.e., parties don’t pick the key based on the
message, or the message based on the key
• In general, this assumption holds
• If it doesn’t hold, can cause problems
Probability distributions
• Fix some encryption scheme (Gen, Enc, Dec), and
some distribution for M
• Consider the following (randomized) experiment:
1. Generate a key k using Gen
2. Choose a message m, according to the given distribution
3. Compute c ← Enc_k(m)
• This defines a distribution on the ciphertext!
• Let C be a random variable denoting the value of the
ciphertext in this experiment
Example 1
• Consider the shift cipher
– So for all k ∈ {0, …, 25}, Pr[K = k] = 1/26
• Say Pr[M = ‘a’] = 0.7, Pr[M = ‘z’] = 0.3
• What is Pr[C = ‘b’] ?
– Either M = ‘a’ and K = 1, or M = ‘z’ and K = 2
– Pr[C=‘b’] = Pr[M=‘a’]·Pr[K=1] + Pr[M=‘z’]·Pr[K=2]
= 0.7 · (1/26) + 0.3 · (1/26)
= 1/26
Example 2
• Consider the shift cipher, and the distribution
on M given by
Pr[M = ‘one’] = ½, Pr[M = ‘ten’] = ½

• Pr[C = ‘rqh’] = ?
= Pr[C = ‘rqh’ | M = ‘one’] · Pr[M = ‘one’]
+ Pr[ C = ‘rqh’ | M = ‘ten’] · Pr[M = ‘ten’]
= 1/26 · ½ + 0 · ½ = 1/52
Perfect secrecy (informal)
• “Regardless of any prior information the
attacker has about the plaintext, the ciphertext
should leak no additional information about
the plaintext”
Perfect secrecy (informal)
• Attacker’s information about the plaintext =
attacker knows the distribution of M

• Perfect secrecy: observing the ciphertext should not change the attacker’s knowledge about the distribution of M
Perfect secrecy (formal)
• Encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for every distribution over M, every m ∈ M, and every c ∈ C with Pr[C=c] > 0, it holds that
Pr[M = m | C = c] = Pr[M = m].
• I.e., the distribution of M does not change, even conditioned on observing the ciphertext
Example 3
• Consider the shift cipher, and the distribution Pr[M = ‘one’] = ½, Pr[M = ‘ten’] = ½
• Take m = ‘ten’ and c = ‘rqh’
• Pr[M = ‘ten’ | C = ‘rqh’] = ?
= 0
≠ Pr[M = ‘ten’]
Bayes’s theorem
• Pr[A | B] = Pr[B | A] · Pr[A]/Pr[B]
Example 4
• Shift cipher; Pr[M=‘hi’] = 0.3, Pr[M=‘no’] = 0.2, Pr[M=‘in’] = 0.5
• Pr[M = ‘hi’ | C = ‘xy’] = ?
= Pr[C = ‘xy’ | M = ‘hi’] · Pr[M = ‘hi’]/Pr[C = ‘xy’]
Example 4, continued
• Pr[C = ‘xy’ | M = ‘hi’] = 1/26

• Pr[C = ‘xy’]
= Pr[C = ‘xy’ | M = ‘hi’] · 0.3 + Pr[C = ‘xy’ | M = ‘no’] · 0.2
+ Pr[C=‘xy’ | M=‘in’] · 0.5
= (1/26) · 0.3 + (1/26) · 0.2 + 0 · 0.5
= 1/52
Example 4, continued
• Pr[M = ‘hi’ | C = ‘xy’] = ?
= Pr[C = ‘xy’ | M = ‘hi’] · Pr[M = ‘hi’]/Pr[C = ‘xy’]
= (1/26) · 0.3/(1/52)
= 0.6
≠ Pr[M = ‘hi’]
Conclusion
• The shift cipher is not perfectly secret!
– At least not for 2-character messages

• How to construct a perfectly secret scheme?
One-time pad
• Patented in 1917 by Vernam
– Recent historical research indicates it was invented (at least) 35 years earlier
• Proven perfectly secret by Shannon (1949)
One-time pad
• Let M = {0,1}^n
• Gen: choose a uniform key k ∈ {0,1}^n
• Enc_k(m) = k ⊕ m
• Dec_k(c) = k ⊕ c
• Correctness:
Dec_k(Enc_k(m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = m
One-time pad
[Diagram: the n-bit key is XORed (⊕) with the n-bit message to produce the n-bit ciphertext.]
Perfect secrecy of one-time pad
• Note that any observed ciphertext can
correspond to any message (why?)
– (This is necessary, but not sufficient, for perfect
secrecy)
• So, having observed a ciphertext, the attacker
cannot conclude for certain which message
was sent
Perfect secrecy of one-time pad
• Fix arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n
• Pr[M = m | C = c] = ?
= Pr[C = c | M = m] · Pr[M = m]/Pr[C = c]
• Pr[C = c]
= Σ_{m’} Pr[C = c | M = m’] · Pr[M = m’]
= Σ_{m’} Pr[K = m’ ⊕ c | M = m’] · Pr[M = m’]
= Σ_{m’} 2^-n · Pr[M = m’]
= 2^-n
Perfect secrecy of one-time pad
• Fix arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈ {0,1}^n
• Pr[M = m | C = c] = ?
= Pr[C = c | M = m] · Pr[M = m]/Pr[C = c]
= Pr[K = m ⊕ c | M = m] · Pr[M = m] / 2^-n
= 2^-n · Pr[M = m] / 2^-n
= Pr[M = m]
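An added example (not code from the lecture slides) that computes the probabilities of Examples 2–4 and checks the perfect-secrecy definition directly by enumerating keys and messages, for the shift cipher and for an 8-bit one-time pad with a constructed message distribution.

```python
# Added example (not from the lecture slides): computing Pr[C = c] and
# Pr[M = m | C = c] by enumerating keys and messages, for the shift-cipher
# examples above and for the one-time pad. Fraction keeps the arithmetic exact.
from collections import defaultdict
from fractions import Fraction

ALPHA = "abcdefghijklmnopqrstuvwxyz"

def shift_enc(m: str, k: int) -> str:
    """Enc_k of the shift cipher: c_i := [m_i + k mod 26]."""
    return "".join(ALPHA[(ALPHA.index(ch) + k) % 26] for ch in m)

def otp_enc(m: int, k: int) -> int:
    """Enc_k of the one-time pad on n-bit strings represented as ints: k XOR m."""
    return m ^ k

def ciphertext_dist(enc, key_dist, msg_dist):
    """Pr[C = c] = sum over (k, m) with Enc_k(m) = c of Pr[K = k] * Pr[M = m],
    using the slides' assumption that K and M are independent."""
    dist = defaultdict(Fraction)
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            dist[enc(m, k)] += pk * pm
    return dist

def posterior(enc, key_dist, msg_dist, m, c, cdist=None):
    """Bayes: Pr[M = m | C = c] = Pr[C = c | M = m] * Pr[M = m] / Pr[C = c]."""
    cdist = cdist or ciphertext_dist(enc, key_dist, msg_dist)
    pc_given_m = sum((pk for k, pk in key_dist.items() if enc(m, k) == c), Fraction(0))
    return pc_given_m * msg_dist[m] / cdist[c]

def is_perfectly_secret(enc, key_dist, msg_dist) -> bool:
    """The definition, checked for one message distribution: posterior == prior
    for every m and every c with Pr[C = c] > 0."""
    cdist = ciphertext_dist(enc, key_dist, msg_dist)
    return all(posterior(enc, key_dist, msg_dist, m, c, cdist) == msg_dist[m]
               for m in msg_dist for c in cdist)

SHIFT_KEYS = {k: Fraction(1, 26) for k in range(26)}             # Gen is uniform
EXAMPLE2_MSGS = {"one": Fraction(1, 2), "ten": Fraction(1, 2)}   # Examples 2 and 3
EXAMPLE4_MSGS = {"hi": Fraction(3, 10), "no": Fraction(1, 5), "in": Fraction(1, 2)}
OTP_KEYS = {k: Fraction(1, 256) for k in range(256)}             # one-time pad, n = 8
OTP_MSGS = {0x00: Fraction(7, 10), 0xFF: Fraction(3, 10)}        # constructed prior

if __name__ == "__main__":
    print(ciphertext_dist(shift_enc, SHIFT_KEYS, EXAMPLE2_MSGS)["rqh"])   # 1/52
    print(posterior(shift_enc, SHIFT_KEYS, EXAMPLE4_MSGS, "hi", "xy"))    # 3/5
    print(is_perfectly_secret(shift_enc, SHIFT_KEYS, EXAMPLE4_MSGS))       # False
    print(is_perfectly_secret(otp_enc, OTP_KEYS, OTP_MSGS))                # True
```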
