Contemporary Cryptography Concepts

Questions and Answers

What transformation did cryptography undergo from the mid-20th century to today?

Cryptography evolved from a practice limited to writing and solving codes into a scientific discipline encompassing various applications like authentication and key exchange.

List two applications of cryptography beyond simple encryption.

Authentication and key exchange are two key applications of cryptography beyond simple encryption.

Define what constitutes an encryption scheme.

An encryption scheme consists of a method for converting plaintext into ciphertext using a specific algorithm and key for secure communication.

What were the primary users of cryptography before the mid-20th century?

Before the mid-20th century, cryptography was primarily used by armies and diplomats.

Explain the significance of Yao's millionaire problem in contemporary cryptography.

Yao's millionaire problem illustrates the concept of secure function evaluation, showcasing the application of cryptography in privacy-preserving protocols.

What is the significance of the statement Pr[M = m|C = c] = Pr[M = m] in the context of perfect encryption?

It signifies that the probability of a message given a ciphertext is equal to the probability of the message itself, indicating that ciphertext does not provide any information about the message.

How does perfect encryption ensure that every message has an equal probability distribution over messages?

Perfect encryption ensures that for every ciphertext c, all messages have the same probability of being the original message, maintaining uniform distribution across the message space.

Explain the role of Bayes' theorem in the proof of equivalence for perfect encryption.

Bayes' theorem is used to relate the conditional probabilities of the message and ciphertext, showing that if Pr[C = c|M = m] equals Pr[C = c], then perfect secrecy is maintained.

In perfect encryption, why is it crucial that Pr[C = c|M = m] = Pr[C = c] holds for all messages m and ciphertexts c?

It is crucial because it ensures that the occurrence of a specific ciphertext does not influence the probabilities of the underlying messages, hence achieving perfect secrecy.

What implications does having a probability distribution over messages (Pr[M = m]) have on the encryption process in perfect encryption?

It implies that the encryption process must account for the likelihood of each message in order to maintain the perfect secrecy property across various distributions.

What is the essence of Kerckhoffs’ principle?

The essence is that only the key should be kept secret while the encryption algorithm can be public.

Why is it more manageable to keep only the key secret according to Kerckhoffs' principle?

Because keys are easier to exchange and update in case of compromise than entire encryption systems.

How does the use of public algorithms enhance security?

Public algorithms allow for scrutiny by others, which increases safety and can lead to standardized practices.

What are the four attack scenarios described in the context of cryptanalysis?

They are passive attacks (ciphertext-only, known-plaintext) and active attacks (chosen-plaintext, chosen-ciphertext).

What is a simple method to break Caesar's cipher when only the ciphertext is known?

One can try all 26 possible keys to decrypt the message.

What lesson can be learned about key space from the analysis of Caesar's cipher?

The key space should be large enough to prevent exhaustive search attacks when messages are long.

In what way does Kerckhoffs’ principle suggest avoiding risks associated with code reverse-engineering?

By keeping the algorithm public, the risk of reverse-engineering is minimized since the key alone is secret.

Why is having a single encryption scheme per pair of users considered unmanageable?

It complicates key management, increases the risk of key compromise, and hinders communication efficiency.

What is the primary improvement of mono-alphabetic substitution over Caesar's cipher?

It allows for any permutation of the alphabet instead of just a constant shift.

How many possible keys are there in a mono-alphabetic substitution cipher?

There are approximately 26! which is about 288 keys.

What cryptanalysis method can be used to break a mono-alphabetic substitution cipher?

Frequency analysis can be utilized if the plaintext language is known.

What lesson is learned about key space from the vulnerabilities of mono-alphabetic ciphers?

A large key space alone is insufficient for security; independent message distribution is also needed.

Describe the unique feature of the Vigenère cipher compared to previous ciphers.

It uses varying shifts for each position in the plaintext based on a sequence of numbers.

What hypothetical key could you use to encode 'Cryptography is great' in a Vigenère cipher, if the key is ⟨2, 24, 5⟩?

The encoded result would be 'Attnvjetvnjt gu bpgvr'.

What can help to break the Vigenère cipher, given sufficient ciphertext?

Making educated guesses about the key length followed by frequency analysis can help.

Why is large key space not enough for secure encryption according to the discussions on mono-alphabetic ciphers?

Because it does not account for the vulnerabilities in message distributions and frequency patterns.

What condition is necessary for a cryptographic system to be considered perfectly secret?

For every pair of messages $m_0$ and $m_1$, and every ciphertext $c$, the equality $Pr[C = c|M = m_0] = Pr[C = c|M = m_1]$ must hold.

Explain the significance of the condition $Pr[PrivKeav_{A,Π} = 1] = rac{1}{2}$ in terms of an adversary's success.

This condition implies that an adversary cannot successfully distinguish between the two chosen messages with a probability better than random guessing.

What does it imply if an adversary A outputs $b'$ in the PrivKeav experiment?

It indicates that A is trying to guess which of the two messages has been encrypted, based on the ciphertext received.

In the context of perfect encryption, what role does the encryption function play?

The encryption function ensures that each message is transformed into a ciphertext in a way that conceals the original content.

How does the one-time pad achieve perfect secrecy?

The one-time pad achieves perfect secrecy by using a random key that is as long as the message and used only once.

Why is it essential that the encryption scheme be indistinguishable for any two messages?

Indistinguishability ensures that even if the same plaintexts are encrypted multiple times, the ciphertexts reveal no information about the messages.

What is the implication of choosing random keys in the encryption process of a perfectly secret system?

Randomly chosen keys are crucial because they ensure that the output (ciphertext) is unpredictable, thus protecting the plaintext.

What does the condition $Pr[M = m | C = c]$ imply in the context of perfect encryption?

It implies that given a ciphertext $c$, the probability of any specific message $m$ remains constant and independent of $c$.

What is the primary function of the one-time pad in encryption?

The one-time pad provides perfect secrecy during the encryption process.

Why is the one-time pad considered to be inconvenient?

It requires a key as long as the message, which is impractical for most uses.

Explain the significance of the binary XOR operation in the context of the one-time pad.

The XOR operation is used to encrypt and decrypt messages, ensuring confidentiality.

What condition must be met for an encryption scheme to be considered perfectly secret?

The size of the key must be at least equal to the size of the message.

Describe the result of applying the one-time pad encryption to two messages with the same key.

It allows an attacker to potentially determine the XOR of the two messages.

What happens when |K| < |M| in terms of security?

The encryption scheme cannot be perfectly secret, as there exist messages that could be decrypted from ciphertexts.

According to Shannon’s theory, what limitation exists regarding perfectly secret encryption schemes?

Shannon states that perfectly secret encryption schemes are theoretically possible but impractical.

What does Pr[C = c | M = m] signify in the context of the one-time pad?

It represents the probability of the ciphertext being c given the plaintext m.

Flashcards

Plaintext

In cryptography, the original message before encryption.

Encryption

In cryptography, the process of transforming plaintext into ciphertext.

Ciphertext

In cryptography, the encrypted message that is unreadable without a key.

Decryption

In cryptography, the process of transforming ciphertext back into plaintext.

Key

In cryptography, the secret information used for encryption and decryption.

Kerckhoffs' Principle

The idea that only the secret key used in a cryptographic system should be kept confidential, while the algorithm itself can be publicly known.

Ciphertext-only Attack

A type of attack where the attacker only has access to encrypted messages (ciphertexts) and tries to decipher them without any knowledge of the plaintext or the key.

Known-plaintext Attack

A type of attack where the attacker has access to both plaintext and encrypted messages (ciphertext) and uses this information to deduce the secret key.

Chosen-plaintext Attack

A type of attack where the attacker can choose specific messages to encrypt and then analyze the ciphertexts to find the key.

Chosen-ciphertext Attack

A type of attack where the attacker can choose specific ciphertexts to decrypt and analyze the decrypted messages to find the key.

Cryptanalysis

The process of analyzing cryptographic systems to find weaknesses and break them, potentially leading to unauthorized access to encrypted data.

Key Space

The range of all possible secret keys that could be used in a cryptographic system.

Brute-force Attack

The ability to reliably break an encryption scheme by trying each possible key until the correct one is found. This is generally only feasible when the key space is small enough.

Perfect Secrecy

A cryptosystem (Gen, Enc, Dec) over message space M is perfectly secret if, for any probability distribution over messages, any message m in M, and any ciphertext c in C, the probability of the message being m given that the ciphertext is c is equal to the probability of the message being m.

Probability distribution over M

In the context of perfect secrecy, this refers to the distribution of messages being used. For example, you could have a distribution where 'hello' is the most common message, or an even distribution where all messages have the same probability.

Pr[M = m]

The probability that a message sampled according to its distribution takes the value 'm'.

Pr[C = c]

The probability of getting ciphertext 'c' when: 1. You sample a message according to the message distribution, 2. You randomly choose a key, 3. You encrypt the message with the key.

Alternative definition of Perfect Secrecy

A cryptosystem (Gen, Enc, Dec) is perfectly secret if, for any probability distribution over messages, any message m in M, and any ciphertext c, the probability of getting ciphertext 'c' given that the message is 'm' is equal to the probability of getting ciphertext 'c'.

Computational Complexity of Mono-alphabetic Ciphers

In practice: Trying all keys should require at least 280 computational steps. 280 is a very large number, but it is much smaller than the total number of possible keys for a mono-alphabetic cipher.

Mono-alphabetic Substitution Cipher

A mono-alphabetic substitution cipher is a type of cipher where each letter in the plaintext is replaced by a different letter, according to a fixed rule. This rule is essentially a permutation of the alphabet.

Key Space of Mono-alphabetic Ciphers

The number of possible permutations for a 26 letter alphabet is 26!, which is 26 multiplied by itself 26 times. 26! is a massive number, making it seem difficult to break.

Frequency Analysis for Mono-alphabetic Ciphers

Frequency analysis is a technique for breaking mono-alphabetic substitution ciphers. It exploits the fact that certain letters occur more frequently in the plaintext language and are more frequent in the ciphertext than others.

Vigenère Cipher

The Vigenère cipher is an improvement on the Caesar cipher. Instead of using a fixed shift, the Vigenère cipher uses a sequence of shifts, based on a key, to change the letters in the plaintext before encryption.

Breaking the Vigenère Cipher

Breaking the Vigenère cipher requires guessing the length of the key. Once we know the key length, we can use frequency analysis to determine the actual key used.

Polyalphabetic Substitution Cipher

The Vigenère cipher is an example of a polyalphabetic substitution cipher. In polyalphabetic substitution ciphers, each letter is not always replaced by the same letter, as is the case with mono-alphabetic ciphers.

Weakness of Large Key Space

Both the mono-alphabetic cipher and the Vigenère cipher are vulnerable to attacks because they can be broken by analyzing the frequencies of letters. This reveals the weakness of relying solely on a large key space for security.

Perfect Encryption Definition

An encryption scheme is considered perfectly secret if, given a ciphertext, the probability of it corresponding to a particular message is the same for all possible messages.

PrivKeav Experiment

An experiment to test the secrecy of an encryption scheme. It involves an adversary choosing two messages, and the scheme encrypts one of them. The adversary then tries to guess which message was encrypted.

Pr[PrivKeav A,Π = 1]

A way to analyze the ability of an adversary to distinguish between ciphertexts, regardless of the chosen message. It's based on the probability that the adversary correctly guesses which message was encrypted.

One-Time Pad

A perfectly secret encryption scheme where the key is as long as the message and is used only once.

One-Time Pad: Perfect Secrecy

The one-time pad is a perfect encryption scheme because it satisfies the definition of perfect secrecy. It's impossible to distinguish the ciphertext from the plaintext.

Pr[PrivKeav A,Π = 1] = 1/2

For every adversary, the probability of successfully guessing which message was encrypted in the PrivKeav experiment is 1/2. This implies that the encryption scheme is perfectly secret.

One-Time Pad's Strength

The one-time pad is a powerful encryption scheme ensuring perfect secrecy, where the ciphertext reveals nothing about the plaintext.

What is a one-time pad?

A one-time pad is an encryption scheme where the key is as long as the message and is used only once to encrypt a single message. It is known for perfect secrecy, meaning even with unlimited computational power, an adversary can't learn anything about the plaintext by observing the ciphertext.

How is XOR used in the one-time pad?

The XOR operation (exclusive OR) is used in the one-time pad. It combines the plaintext with the key to produce the ciphertext. XOR flips a bit if the corresponding key bit is 1 and leaves it unchanged if it's 0.

Why is a one-time pad considered perfectly secure?

The one-time pad achieves perfect secrecy because each plaintext bit is equally likely to be encrypted to either 0 or 1. This makes it impossible to determine any information about the plaintext without the key.

What are the limitations of using a one-time pad?

A one-time pad requires a key as long as the message, which can be impractical for long messages. Also, managing and distributing such large keys securely is challenging.

Why is reusing a one-time pad a security risk?

If a one-time pad is reused to encrypt different messages, it becomes vulnerable. Attackers can use the shared key to deduce information about either message.

Can we have perfect secrecy with a small key?

An encryption scheme where the key's length is shorter than the message cannot achieve perfect secrecy. This is because the number of possible ciphertexts becomes smaller than the number of possible plaintexts, allowing an attacker to deduce some patterns about the message.

What does Shannon's theory tell us about perfect secrecy?

Shannon's theory suggests that perfectly secure encryption can be achieved with a one-time pad but emphasizes the limitations of achieving this in practical scenarios.

What are the challenges with perfect secrecy in practice?

Perfect secrecy, while theoretically possible, is difficult to implement due to the impracticality of managing and distributing large keys.

Study Notes

Introduction to Cryptography

• The course is titled LMAT2450 - Cryptography.
• The course is taught by François Koeune, Olivier Pereira, and T. Peters
• The course focuses on the algorithmic and mathematical aspects of securing information.

Course Goal

• Students will understand fundamental concepts, methods, and algorithms used to secure information.

Related Courses at UCL

• Information theory and coding, taught by J. Louveaux and B. Macq. and O. Pereira
• Secure electronic circuits and systems, taught by F.-X. Standaert
• Privacy Enhancing Technologies, taught by O. Pereira and F.-X. Standaert
• Secured systems engineering, taught by A. Legay
• Computer System Security, taught by R. Sadre
• Number Theory, taught by P.-E. Caprace and O. Pereira

Other Related Courses

• Machine Learning, taught by J. Lee and M. Verleysen
• Computer Networks, taught by O. Bonaventure
• Discrete Mathematics II: Algorithms and complexity, taught by J.-C. Delvenne
• Ethics and ICT, taught by A. Gosseries and O. Pereira

Class Organisation

• Lectures are held on Wednesday from 14:00 to 16:00.
• Exercises are held on Wednesday from 16:15 to 18:15.
• TAs are Antoine Legat and Alexis Vuille.
• Students are allowed to use slides and personal notes during exams
• Past exam questions are often used as exercises.

Syllabus

• The course will cover Introduction (1 lecture)
• Symmetric cryptography (4 lectures)
• Asymmetric cryptography and algorithmic number theory (5 lectures)
• Post-quantum cryptography (1 lecture)

Support Material

• Introduction to Modern Cryptography (3rd edition) by J. Katz and Y. Lindell, Chapman & Hall/CRC - 2021, http://www.cs.umd.edu/~jkatz/imc.html
• Other references (see also Moodle):
• D. Stinson, Cryptography, Theory and Practice, 3rd edition, Chapman & Hall/CRC, 2005.
• N.P. Smart, Cryptography Made Simple, Springer, 2016. (Free access within UCLouvain network)
• A.J. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, 1999. (Free on http://www.cacr.math.uwaterloo.ca/hac/)
• D. Boneh, V. Shoup, A Graduate Course in Applied Cryptography, Free draft on http://toc.cryptobook.us/.
• S. Gabraith, Mathematics of Public Key Cryptography, Cambridge University Press, 2012, Extended version from author's homepage.

Cryptography...

• COD defines cryptography as "the art of writing or solving codes".
• This definition was mostly true until the mid-20th century
• Cryptography was primarily used by armies and diplomats.

Cryptography... Today

• Cryptography is used widely in daily life.
• Examples include car security systems, identification cards, and security in financial transactions.
• Cryptography is much more than just encryption, instead it's also used in key exchange, identification and is used in elections.

The Cryptography Problem

• The diagram shows a basic message encryption problem between 2 users (A and B).
• A sends a message m to B.
• The system receives m and encrypts it into c and sends it to B.
• B decrypts the message and reads m.

Message Encryption

• An encryption scheme consists of three components: Gen, Enc, and Dec.

• Gen probabilistically produces a key, k

• Enc encrypts the message, m, using the key k, producing a ciphertext, c

• Dec decrypts the ciphertext, c, using the key, k, recovering the original message, m

• The Scytale (Greece, 7th century BC) involves using a cylinder to encrypt messages based on its diameter.

• The Caesar's cipher (Rome, 1st c. BC) involves shifting each letter of the alphabet a fixed number of positions.

Cryptanalysis

• Cryptanalysis is the art of code-breaking or cracking codes.
• In cryptanalysis, the attacker should consider which information should be secret, like Gen, Enc, Dec, or k.
• The attacker should identify which attack scenario would be used. Possible attacks include eavesdropping or chosen-plaintext attacks.
• Kerckhoffs' principle (1883) states that only the secret key should be kept secret. This principle is to ensure that the encryption scheme and algorithm can be public knowledge.

Cryptanalysis: Attacker Model

• The attacker needs to determine which attack scenario is relevant.
  • Passive attacks (e.g., ciphertext-only, known-plaintext) involve observing the ciphertext only, or observing plaintext/ciphertext pairs
  • Active attacks (e.g., chosen-plaintext, chosen-ciphertext) involve the ability to choose messages to be encrypted or decrypted.

Mono-alphabetic Substitution

• An improvement on Caesar's cipher, allows any permutation of the alphabet.
• The possible keys are 26! ≈ 2⁸⁸
• To break this, frequency analysis can be useful if the plaintext language is known.
• This shows that frequency analysis can be useful in breaking substitution ciphers.

Mono-alphabetic Substitution (Frequencies)

• Frequency analysis can help in breaking codes because letter frequencies in English and other languages vary.

Vigenère Cipher

• A further improvement over substitution ciphers using a repeating key to determine the shift factor for each letter
• To break this, enough ciphertext is needed to determine the keylength by trial and error.
• Frequency analysis is then used to break the code.

Historic Ciphers

• Cryptography has a long history.
• For example. D. Kahn, or J. Stern.

Modern Cryptography

• Definitions, assumptions, proofs.

Modern Cryptography: Definitions

• Defining what needs to be done, and defining why one scheme is better than another.

Example of Encryption

• Cryptography needs to define security for encryption schemes.
  • Given a ciphertext, an attacker shouldn't be able to recover the key or the plaintext.
  • Given a ciphertext, an attacker shouldn't be able to recover any character or function of the plaintext.

Modern Cryptography: Precise Assumptions

• Most schemes rely on computational assumptions, useful for abstraction and scheme comparison.

Modern Cryptography: Proof of Security

• Relate schemes, definitions, and assumptions using a reductionist approach. If a scheme can be broken, an assumption can also be falsified.

Modern Cryptography: Definitions (Limitations)

• Science vs. real-world limitations.
• Checking intuitive properties.
• Comparing with other definitions and attack examples.
• Using definitions for a period of time.

Perfect Encryption

• Shannon (1949) showed that theoretically, perfect encryption is possible.

Perfect Encryption (Definition)

• A triple (Gen, Enc, Dec) is perfectly secret if the probability of a ciphertext given a message is equal to the probability of the message
• Enc, Dec may be probabilistic or deterministic.
• M and C are sets of possible messages and ciphertexts.

Perfect Encryption (Equivalent Definition)

• If for any two messages (m and m'), in a given ciphertext, the probability of m is equal to m'
• This means that the ciphertext corresponding to the two messages cannot be distinguished.

Perfect Encryption (Example)

• The One-Time Pad (OTP) is a perfectly secret encryption scheme.
• OTP uses a key that is as long as the message.
• Each bit of the message is XORed with the corresponding key bit to produce the ciphertext.
• XOR is a binary operation that returns 1 if the inputs are different and 0 if they are the same.

One-Time Pad

• The one-time pad is perfectly secret but is not convenient to use.
• The key needs to be as long a message to be secure.
• If a key is used twice with multiple messages, then the adversary can solve the code.

Limits of Perfect Secrecy

• Schemes with shorter key lengths than messages can't be perfectly secret
• Because of this the ciphertext is not equally probable under different messages.

Conclusion

• Perfectly secret encryption schemes exist, but are difficult to use.
• Shannon's work indicates that a theoretical limit exists under various assumptions.
• The next topic in the course will discuss bounded computational power.