Lecture 3
Shannon's theory identifies an issue with perfect secrecy encryption schemes:
they require a key whose length is at least as large as the message itself.
From here, cryptographers determined that meaningful amounts of secrecy can be
gained using encryption schemes that might leak a negligible amount of
information, and that can only be reversed through exhaustive searches far too
long for any adversary to carry out.
This gives rise to the notion of Computational Security, a practice that
persists to this day, which relaxes the aforementioned requirements, typically
by instead basing its standard for "secure" on one of the following
approaches:
The concrete approach: a scheme must resist any attempt to reverse a cipher
that runs for a duration at most t, failing to protect the message contents
with probability at most \epsilon. On paper, this is a reassuring definition,
but proofs of this form don't really say much about the sliding scale of
information leakage that may occur in the interim.
The asymptotic approach: involves a security parameter n, such as the length
of a key, e.g. 128. Put simply, as the security parameter increases, the
chance that an adversary's probabilistic polynomial-time attack succeeds
decreases by a proportionally far greater amount: it shrinks faster than the
inverse of any polynomial in the security parameter (it is negligible).
(Attach notes about computationally secure algorithms that you wrote last semester)
Ask professor what i := … means in a proof.
Defining security
Indistinguishability in the presence of an eavesdropper.
The attacker gives us two messages of the same length. We encrypt one of the
two with our key and return the resulting ciphertext. The attacker should not
be able to figure out which message we encrypted much better than half of the
time: at most one half plus a negligible amount, since a lucky guesser already
succeeds half the time.
Length of messages
Usually not masked by the encryption scheme. Short messages could be padded to
reach a fixed length, or a channel of communication could be "jammed" with
extra dummy traffic, for example.
Chosen plaintext attacks are the most realistic real-world attack, so
encryption schemes are typically designed with the goal of protecting
messengers from this type of attack in mind.
- That being said, protection against this form of attack is essentially a
basic requirement of any legitimate encryption scheme.
CPA: Chosen Plaintext Attack
- Oracle access
- Access to an encryptor without seeing what is inside it (in particular the
key); just the ability to feed it plaintexts and receive ciphertexts back.
In the case of CPA indistinguishability, the adversary cannot use the oracle to
cipher the original two messages.
(Typo on slide 17)
PRG: pseudorandom generators
Can be used to generate long strings to pad a message, allowing a short key to
be expanded into a pad the same size as the message. That pad isn't random,
as it is in the one-time pad; it's pseudorandom. If this pseudorandom pad is
computationally indistinguishable from a true one-time pad to the onlooking
adversary trying to decipher the message, the scheme is secure.
Block ciphers
AES became effective as a U.S. federal government standard on May 26, 2002,
after approval by the U.S. Secretary of Commerce. AES is available in many
different encryption packages, and is the first (and only) cipher approved by
the U.S. National Security Agency (NSA) for top secret information and used in
an approved NSA cryptographic module that has ever been publicly accessible.
A block cipher takes as input a key and a message block and outputs a
ciphertext block.
Modes of operation are imperative:
Electronic code book ECB mode encryption: chop the message into blocks,
encrypt each block with the key, and concatenate the ciphertext blocks.
Because each block is encrypted independently, it is susceptible to
frequency analysis: identical plaintext blocks leak as identical blocks of
ciphertext.
Cipher block chaining mode CBC encryption: the first block is XORed with an
initialization vector before encryption, and each ciphertext block is XORed
into the next plaintext block; with a random IV this makes CBC CPA-secure, at
the cost of preventing the blocks from being encrypted in parallel.
Output feedback mode OFB encryption: CPA-secure, and possible to parallelize
after some preprocessing (the keystream can be generated ahead of time, then
XORed with the message blocks in parallel).
Counter CTR mode operation: most commonly used, most efficient. Blocks are
counted sequentially, the counter values themselves are encrypted with the
block cipher to produce a keystream, and that keystream is XOR'd with the
message blocks. Doesn't require preprocessing, can be fully parallelized.
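The ECB leak and the CTR construction described above, as an added example that is not part of the lecture notes. It assumes a stand-in keyed block function built from HMAC-SHA256 (so it runs with the standard library alone; a real scheme uses AES), and constructed sample key, nonce and message values.

```python
import hmac
import hashlib

BLOCK = 16  # block size in bytes (same as AES)

def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed block function F_k (assumption: HMAC-SHA256 truncated to
    # 16 bytes, used instead of AES). It is a PRF, not a permutation, which is
    # enough to show ECB's leak and to run CTR, but not to decrypt ECB.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks (the leak described in the notes).
    assert len(msg) % BLOCK == 0, "ECB needs a whole number of blocks"
    return b"".join(block_fn(key, b) for b in split_blocks(msg))

def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # CTR: encrypt (nonce || counter) for each block index to get a keystream
    # block, then XOR it with the message block. Blocks are independent, so
    # this parallelises, and a partial last block needs no padding.
    assert len(nonce) == 8, "nonce is 8 bytes; the counter uses the other 8"
    out = bytearray()
    for i, block in enumerate(split_blocks(msg)):
        keystream = block_fn(key, nonce + i.to_bytes(8, "big"))
        out += bytes(m ^ k for m, k in zip(block, keystream))
    return bytes(out)

def ctr_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # XOR is its own inverse: regenerate the same keystream. A (key, nonce)
    # pair must never be reused, or two ciphertexts XOR to the plaintext XOR.
    return ctr_encrypt(key, nonce, ct)

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = split_blocks(ct)
    return len(blocks) - len(set(blocks))

# Constructed sample inputs (not from the notes).
KEY = bytes(range(16))
NONCE = b"\x00" * 8
MSG = b"ATTACK AT DAWN!!" * 3 + b"RETREAT AT DUSK!"  # three equal blocks

if __name__ == "__main__":
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(KEY, MSG)))
    print("CTR duplicate blocks:", repeated_blocks(ctr_encrypt(KEY, NONCE, MSG)))
```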
This week, we learned how messages are enciphered using encryption schemes.
Next week, we will learn how we ensure our enciphered messages are not
tampered with in transit, using a Message Authentication Code (MAC).