title | filename | chapternum |
---|---|---|
Cryptography |
lec_19_cryptography |
21 |
- Definition of perfect secrecy \
- The one-time pad encryption scheme \
- Necessity of long keys for perfect secrecy \
- Computational secrecy and the derandomized one-time pad. \
- Public key encryption \
- A taste of advanced topics \
"Human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.", Edgar Allen Poe, 1841
"A good disguise should not reveal the person's height", Shafi Goldwasser and Silvio Micali, 1982
"“Perfect Secrecy” is defined by requiring of a system that after a cryptogram is intercepted by the enemy the a posteriori probabilities of this cryptogram representing various messages be identically the same as the a priori probabilities of the same messages before the interception. It is shown that perfect secrecy is possible but requires, if the number of messages is finite, the same number of possible keys.", Claude Shannon, 1945
"We stand today on the brink of a revolution in cryptography.", Whitfeld Diffie and Martin Hellman, 1976
Cryptography - the art or science of "secret writing" - has been around for several millennia, and for almost all of that time Edgar Allan Poe's quote above held true. Indeed, the history of cryptography is littered with the figurative corpses of cryptosystems believed secure and then broken, and sometimes with the actual corpses of those who have mistakenly placed their faith in these cryptosystems.
Yet, something changed in the last few decades, which is the "revolution" alluded to (and to a large extent initiated by) Diffie and Hellman's 1976 paper quoted above. New cryptosystems have been found that have not been broken despite being subjected to immense efforts involving both human ingenuity and computational power on a scale that completely dwarves the "code breakers" of Poe's time. Even more amazingly, these cryptosystem are not only seemingly unbreakable, but they also achieve this under much harsher conditions. Not only do today's attackers have more computational power but they also have more data to work with. In Poe's age, an attacker would be lucky if they got access to more than a few encryptions of known messages. These days attackers might have massive amounts of data- terabytes or more - at their disposal. In fact, with public key encryption, an attacker can generate as many ciphertexts as they wish.
The key to this success has been a clearer understanding of both how to define security for cryptographic tools and how to relate this security to concrete computational problems. Cryptography is a vast and continuously changing topic, but we will touch on some of these issues in this chapter.
::: {.nonmath}
Cryptography cannot be covered in a single chapter, and so this chapter merely gives a "taste" of crypto, focusing on the aspects most related to computational complexity.
For a more extensive treatment, see my lecture notes from which this chapter is adapted.
We will discuss some "classical cryptosystems" and show how we can mathematically define security of encryption, and use the one-time pad to achieve an encryption that provably satisfies this definition.
We will then see the fundamental limitation of this definition, and how to bypass it we need to relax security by only restricting attention to attackers that have bounded computational resources.
This notion of computational security is inherently tied to computational complexity and the
A great many cryptosystems have been devised and broken throughout the ages. Let us recount just some of these stories. In 1587, Mary the queen of Scots, and the heir to the throne of England, wanted to arrange the assassination of her cousin, queen Elisabeth I of England, so that she could ascend to the throne and finally escape the house arrest under which she had been for the last 18 years. As part of this complicated plot, she sent a coded letter to Sir Anthony Babington.
{#maryscottletterfig .margin }
Mary used what's known as a substitution cipher where each letter is transformed into a different obscure symbol (see maryscottletterfig{.ref}). At a first look, such a letter might seem rather inscrutable- a meaningless sequence of strange symbols. However, after some thought, one might recognize that these symbols repeat several times and moreover that different symbols repeat with different frequencies. Now it doesn't take a large leap of faith to assume that perhaps each symbol corresponds to a different letter and the more frequent symbols correspond to letters that occur in the alphabet with higher frequency. From this observation, there is a short gap to completely breaking the cipher, which was in fact done by queen Elisabeth's spies who used the decoded letters to learn of all the co-conspirators and to convict queen Mary of treason, a crime for which she was executed. Trusting in superficial security measures (such as using "inscrutable" symbols) is a trap that users of cryptography have been falling into again and again over the years. (As in many things, this is the subject of a great XKCD cartoon, see XKCDnavajofig{.ref}.)
The Vigenère cipher is named after Blaise de Vigenère who described it in a book in 1586 (though it was invented earlier by Bellaso).
The idea is to use a collection of substitution cyphers - if there are
The Enigma cipher was a mechanical cipher (looking like a typewriter, see enigmafig{.ref}) where each letter typed would get mapped into a different letter depending on the (rather complicated) key and current state of the machine which had several rotors that rotated at different paces. An identically wired machine at the other end could be used to decrypt. Just as many ciphers in history, this has also been believed by the Germans to be "impossible to break" and even quite late in the war they refused to believe it was broken despite mounting evidence to that effect. (In fact, some German generals refused to believe it was broken even after the war.) Breaking Enigma was an heroic effort which was initiated by the Poles and then completed by the British at Bletchley Park, with Alan Turing (of the Turing machines) playing a key role. As part of this effort the Brits built arguably the world's first large scale mechanical computation devices (though they looked more similar to washing machines than to iPhones). They were also helped along the way by some quirks and errors of the German operators. For example, the fact that their messages ended with "Heil Hitler" turned out to be quite useful.
Here is one entertaining anecdote: the Enigma machine would never map a letter to itself. In March 1941, Mavis Batey, a cryptanalyst at Bletchley Park received a very long message that she tried to decrypt. She then noticed a curious property--- the message did not contain the letter "L".1 She realized that the probability that no "L"'s appeared in the message is too small for this to happen by chance. Hence she surmised that the original message must have been composed only of L's. That is, it must have been the case that the operator, perhaps to test the machine, have simply sent out a message where he repeatedly pressed the letter "L". This observation helped her decode the next message, which helped inform of a planned Italian attack and secure a resounding British victory in what became known as "the Battle of Cape Matapan". Mavis also helped break another Enigma machine. Using the information she provided, the Brits were able to feed the Germans with the false information that the main allied invasion would take place in Pas de Calais rather than on Normandy.
In the words of General Eisenhower, the intelligence from Bletchley park was of "priceless value". It made a huge difference for the Allied war effort, thereby shortening World War II and saving millions of lives. See also this interview with Sir Harry Hinsley.
Many of the troubles that cryptosystem designers faced over history (and still face!) can be attributed to not properly defining or understanding what are the goals they want to achieve in the first place.
Let us focus on the setting of private key encryption. (This is also known as "symmetric encryption"; for thousands of years, "private key encryption" was synonymous with encryption and only in the 1970's was the concept of public key encryption invented, see publickeyencdef{.ref}.)
A sender (traditionally called "Alice") wants to send a message (known also as a plaintext)
Alice and Bob share a secret key
::: {.definition title="Valid encryption scheme" #encryptiondef}
Let
We will often write the first input (i.e., the key) to the encryption and decryption as a subscript and so can write eqvalidenc{.eqref} also as
::: {.solvedexercise title="Lengths of ciphertext and plaintext" #lengthsciphertextplaintext}
Prove that for every valid encryption scheme
::: {.solution data-ref="lengthsciphertextplaintext"}
For every fixed key
Since the ciphertext length is always at least the plaintext length (and in most applications it is not much longer than that), we typically focus on the plaintext length as the quantity to
optimize in an encryption scheme.
The larger
encryptiondef{.ref} says nothing about the security of
You would appreciate the subtleties of defining security of encryption more if at this point you take a five minute break from reading, and try (possibly with a partner) to brainstorm on how you would mathematically define the notion that an encryption scheme is secure, in the sense that it protects the secrecy of the plaintext
Throughout history, many attacks on cryptosystems were rooted in the cryptosystem designers' reliance on "security through obscurity"--- trusting that the fact their methods are not known to their enemy will protect them from being broken. This is a faulty assumption - if you reuse a method again and again (even with a different key each time) then eventually your adversaries will figure out what you are doing. And if Alice and Bob meet frequently in a secure location to decide on a new method, they might as well take the opportunity to exchange their secrets. These considerations led Auguste Kerckhoffs in 1883 to state the following principle:
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.^[The actual quote is "Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi" loosely translated as "The system must not require secrecy and can be stolen by the enemy without causing trouble". According to Steve Bellovin the NSA version is "assume that the first copy of any device we make is shipped to the Kremlin".]
Why is it OK to assume the key is secret and not the algorithm? Because we can always choose a fresh key. But of course that won't help us much if our key is "1234" or "passw0rd!". In fact, if you use any deterministic algorithm to choose the key then eventually your adversary will figure this out. Therefore for security we must choose the key at random and can restate Kerckhoffs's principle as follows:
There is no secrecy without randomness
This is such a crucial point that is worth repeating:
::: { .bigidea #securityrandomness} There is no secrecy without randomness. :::
At the heart of every cryptographic scheme there is a secret key, and the secret key is always chosen at random. A corollary of that is that to understand cryptography, you need to know probability theory.
::: {.remark title="Randomness in the real world" #randomnessinlife} Choosing the secrets for cryptography requires generating randomness, which is often done by measuring some "unpredictable" or "high entropy" data, and then applying hash functions to the result to "extract" a uniformly random string. Great care must be taken in doing this, and randomness generators often turn out to be the Achilles heel of secure systems.
In 2006 a programmer removed a line of code from the procedure to generate entropy in OpenSSL package distributed by Debian since it caused a warning in some automatic verification code. As a result for two years (until this was discovered) all the randomness generated by this procedure used only the process ID as an "unpredictable" source. This means that all communication done by users in that period is fairly easily breakable (and in particular, if some entities recorded that communication they could break it also retroactively). See XKCD's take on that incident.
In 2012 two separate teams of researchers scanned a large number of RSA keys on the web and found out that about 4 percent of them are easy to break. The main issue were devices such as routers, internet-connected printers and such. These devices sometimes run variants of Linux- a desktop operating system- but without a hard drive, mouse or keyboard, they don't have access to many of the entropy sources that desktop have. Coupled with some good old fashioned ignorance of cryptography and software bugs, this led to many keys that are downright trivial to break, see this blog post and this web page for more details.
Since randomness is so crucial to security, breaking the procedure to generate randomness can lead to a complete break of the system that uses this randomness. Indeed, the Snowden documents, combined with observations of Shumow and Ferguson, strongly suggest that the NSA has deliberately inserted a trapdoor in one of the pseudorandom generators published by the National Institute of Standards and Technologies (NIST). Fortunately, this generator wasn't widely adapted but apparently the NSA did pay 10 million dollars to RSA security so the latter would make this generator their default option in their products. :::
If you think about encryption scheme security for a while, you might come up with the following principle for defining security: "An encryption scheme is secure if it is not possible to recover the key $k$ from $E_k(x)$".
However, a moment's thought shows that the key is not really what we're trying to protect.
After all, the whole point of an encryption is to protect the confidentiality of the plaintext
The above thinking led Shannon in 1945 to formalize the notion of perfect secrecy, which is that an encryption reveals absolutely nothing about the message. There are several equivalent ways to define it, but perhaps the cleanest one is the following:
::: {.definition title="Perfect secrecy" #perfectsecrecy}
A valid encryption scheme
-
$Y$ is obtained by sampling$k\sim {0,1}^n$ and outputting$E_k(x)$ . -
$Y'$ is obtained by sampling$k\sim {0,1}^n$ and outputting$E_k(x')$ . :::
::: { .pause }
This definition might take more than one reading to parse. Try to think of how this condition would correspond to your intuitive notion of "learning no information" about
In particular, suppose that you knew ahead of time that Alice sent either an encryption of
To understand perfectsecrecy{.ref}, suppose that Alice sends only one of two possible messages: "attack" or "retreat", which we denote by
Before reading the next paragraph, you might want to try the analysis yourself. You may find it useful to look at the Wikipedia entry on Bayesian Inference or these MIT lecture notes.
Let us define
(The equation bayeseq{.eqref} is a special case of Bayes' rule which, although a simple restatement of the formula for conditional probability, is an extremely important and widely used tool in statistics and data analysis.)
Since the probability that
This example can be vastly generalized to show that perfect secrecy is indeed "perfect" in the sense that observing a ciphertext gives Eve no additional information about the plaintext beyond her a priori knowledge.
Perfect secrecy is an extremely strong condition, and implies that an eavesdropper does not learn any information from observing the ciphertext. You might think that an encryption scheme satisfying such a strong condition will be impossible, or at least extremely complicated, to achieve. However it turns out we can in fact obtain perfectly secret encryption scheme fairly easily. Such a scheme for two-bit messages is illustrated in onetimepadtwofig{.ref}
In fact, this can be generalized to any number of bits:
There is a perfectly secret valid encryption scheme
Our scheme is the one-time pad also known as the "Vernam Cipher", see onetimepadfig{.ref}.
The encryption is exceedingly simple: to encrypt a message
::: {.proof data-ref="onetimepad"}
For two binary strings
To analyze the perfect secrecy property, we claim that for every
The argument above is quite simple but is worth reading again. To understand why the one-time pad is perfectly secret, it is useful to envision it as a bipartite graph as we've done in onetimepadtwofig{.ref}.
(In fact the encryption scheme of onetimepadtwofig{.ref} is precisely the one-time pad for
So, does onetimepad{.ref} give the final word on cryptography, and means that we can all communicate with perfect secrecy and live happily ever after?
No it doesn't.
While the one-time pad is efficient, and gives perfect secrecy, it has one glaring disadvantage: to communicate
This is not just a theoretical issue. The Soviets have used the one-time pad for their confidential communication since before the 1940's. In fact, even before Shannon's work, the U.S. intelligence already knew in 1941 that the one-time pad is in principle "unbreakable" (see page 32 in the Venona document). However, it turned out that the hassle of manufacturing so many keys for all the communication took its toll on the Soviets and they ended up reusing the same keys for more than one message. They did try to use them for completely different receivers in the (false) hope that this wouldn't be detected. The Venona Project of the U.S. Army was founded in February 1943 by Gene Grabeel (see genegrabeelfig{.ref}), a former home economics teacher from Madison Heights, Virgnia and Lt. Leonard Zubko. In October 1943, they had their breakthrough when it was discovered that the Russians were reusing their keys. In the 37 years of its existence, the project has resulted in a treasure chest of intelligence, exposing hundreds of KGB agents and Russian spies in the U.S. and other countries, including Julius Rosenberg, Harry Gold, Klaus Fuchs, Alger Hiss, Harry Dexter White and many others.
Unfortunately it turns out that such long keys are necessary for perfect secrecy:
For every perfectly secret encryption scheme
The idea behind the proof is illustrated in longkeygraphfig{.ref}. We define a graph between the plaintexts and ciphertexts, where we put an edge between plaintext
::: {.proof data-ref="longkeysthm"}
Let
We choose
We will show the following claim:
Claim I: There exists some
Claim I implies that the string
To sum up the previous episodes, we now know that:
- It is possible to obtain a perfectly secret encryption scheme with key length the same as the plaintext.
and
- It is not possible to obtain such a scheme with key that is even a single bit shorter than the plaintext.
How does this mesh with the fact that, as we've already seen, people routinely use cryptosystems with a 16 byte (i.e., 128 bit) key but many terabytes of plaintext? The proof of longkeysthm{.ref} does give in fact a way to break all these cryptosystems, but an examination of this proof shows that it only yields an algorithm with time exponential in the length of the key. This motivates the following relaxation of perfect secrecy to a condition known as "computational secrecy". Intuitively, an encryption scheme is computationally secret if no polynomial time algorithm can break it. The formal definition is below:
::: {.definition title="Computational secrecy" #compsecdef}
Let
$$ \left| \E_{k \sim {0,1}^n} [P(E_k(x_0))] - \E_{k \sim {0,1}^n} [P(E_k(x_1))] \right| < \tfrac{1}{p(n)} \label{eqindist} $$ :::
compsecdef{.ref} requires a second or third read and some practice to truly understand.
One excellent exercise to make sure you follow it is to see that if we allow
compsecdef{.ref} raises two natural questions:
-
Is it strong enough to ensure that a computationally secret encryption scheme protects the secrecy of messages that are encrypted with it?
-
It is weak enough that, unlike perfect secrecy, it is possible to obtain a computationally secret encryption scheme where the key is much smaller than the message?
To the best of our knowledge, the answer to both questions is Yes. This is just one example of a much broader phenomenon. We can use computational hardness to achieve many cryptographic goals, including some goals that have been dreamed about for millenia, and other goals that people have not even dared to imagine.
::: { .bigidea #computationcrypto} Computational hardness is necessary and sufficient for almost all cryptographic applications. :::
Regarding the first question, it is not hard to show that if, for example, Alice uses a computationally secret encryption algorithm to encrypt either "attack" or "retreat" (each chosen with probability
To answer the second question we will show that under the same assumption we used for derandomizing
It turns out that if pseudorandom generators exist as in the optimal PRG conjecture, then there exists a computationally secret encryption scheme with keys that are much shorter than the plaintext. The construction below is known as a stream cipher, though perhaps a better name is the "derandomized one-time pad". It is widely used in practice with keys on the order of a few tens or hundreds of bits protecting many terabytes or even petabytes of communication.
{#derandonetimepadfig .margin }
We start by recalling the notion of a pseudorandom generator, as defined in prgdef{.ref}. For this chapter, we will fix a special case of the definition:
::: {.definition title="Cryptographic pseudorandom generator" #cryptoprg}
Let
-
For every
$n\in \N$ and$s\in {0,1}^n$ ,$|G(s)|=L(n)$ . -
For every polynomial
$p:\N \rightarrow \N$ and$n$ large enough, if$C$ is a circuit of$L(n)$ inputs, one output, and at most$p(n)$ gates then $$ \left| \Pr_{s\sim {0,1}^\ell}[C(G(s))=1] - \Pr_{r \sim {0,1}^m}[C(r)=1] \right| < \frac{1}{p(n)} ;. $$ :::
In this chapter we will call a cryptographic pseudorandom generator simply a pseudorandom generator or PRG for short. The optimal PRG conjecture of optimalprgconj{.ref} implies that there is a pseudorandom generator that can "fool" circuits of exponential size and where the gap in probabilities is at most one over an exponential quantity. Since exponential grow faster than every polynomial, the optimal PRG conjecture implies the following:
The crypto PRG conjecture: For every
$a \in \N$ , there is a cryptographic pseudorandom generator with$L(n)=n^a$ .
The crypto PRG conjecture is a weaker conjecture than the optimal PRG conjecture, but it too (as we will see) is still stronger than the conjecture that
Suppose that the crypto PRG conjecture is true.
Then for every constant
The proof is illustrated in derandonetimepadfig{.ref}. We simply take the one-time pad on
::: {.proof data-ref="PRGtoENC"}
Let
Computational secrecy follows from the condition of a pseudorandom generator.
Suppose, towards a contradiction, that there is a polynomial
By the definition of our encryption scheme, this means that $$ \left| \E_{k \sim {0,1}^n}[ Q(G(k) \oplus x)] - \E_{k \sim {0,1}^n}[Q(G(k) \oplus x')] \right| > \tfrac{1}{p(L)} ;. \label{eqprgsecone} $$
Now since (as we saw in the security analysis of the one-time pad), for every strings
Now we can use the triangle inequality that
In particular, either the first term or the second term of the left-hand side of eqprgsefour{.eqref} must be at least
But if we now define the NAND-CIRC program
The two most widely used forms of (private key) encryption schemes in practice are stream ciphers and block ciphers. (To make things more confusing, a block cipher is always used in some mode of operation and some of these modes effectively turn a block cipher into a stream cipher.)
A block cipher can be thought as a sort of a "random invertible map" from
We've also mentioned before that an efficient algorithm for
::: {.theorem title="Breaking encryption using
Furthermore, for every valid encryption scheme
Note that the "furthermore" part is extremely strong. It means that if the plaintext is even a little bit larger than the key, then we can already break the scheme in a very strong way.
That is, there will be a pair of messages
::: {.proofidea data-ref="breakingcryptowithnp"}
The proof follows along the lines of longkeysthm{.ref} but this time paying attention to the computational aspects.
If
::: {.proof data-ref="breakingcryptowithnp"} We focus on showing only the "furthermore" part since it is the more interesting and the other part follows by essentially the same proof.
Suppose that
We denote by
Consider now the following probabilistic experiment (which we define solely for the sake of analysis).
We consider the sample space of choosing
We will now use the following extremely simple but useful fact known as the averaging principle (see also averagingprinciplerem{.ref}): for every random variable
In retrospect breakingcryptowithnp{.ref} is perhaps not surprising.
After all, as we've mentioned before it is known that the Optimal PRG conjecture (which is the basis for the derandomized one-time pad encryption) is false if
People have been dreaming about heavier-than-air flight since at least the days of Leonardo Da Vinci (not to mention Icarus from the greek mythology). Jules Verne wrote with rather insightful details about going to the moon in 1865. But, as far as I know, in all the thousands of years people have been using secret writing, until about 50 years ago no one has considered the possibility of communicating securely without first exchanging a shared secret key.
Yet in the late 1960's and early 1970's, several people started to question this "common wisdom".
Perhaps the most surprising of these visionaries was an undergraduate student at Berkeley named Ralph Merkle.
In the fall of 1974 Merkle wrote in a project proposal for his computer security course that while "it might seem intuitively obvious that if two people have never had the opportunity to prearrange an encryption method, then they will be unable to communicate securely over an insecure channel... I believe it is false".
The project proposal was rejected by his professor as "not good enough".
Merkle later submitted a paper to the communication of the ACM where he apologized for the lack of references since he was unable to find any mention of the problem in the scientific literature, and the only source where he saw the problem even raised was in a science fiction story.
The paper was rejected with the comment that "Experience shows that it is extremely dangerous to transmit key information in the clear."
Merkle showed that one can design a protocol where Alice and Bob can use
We only found out much later that in the late 1960's, a few years before Merkle, James Ellis of the British Intelligence agency GCHQ was having similar thoughts.
His curiosity was spurred by an old World-War II manuscript from Bell labs that suggested the following way that two people could communicate securely over a phone line.
Alice would inject noise to the line, Bob would relay his messages, and then Alice would subtract the noise to get the signal.
The idea is that an adversary over the line sees only the sum of Alice's and Bob's signals, and doesn't know what came from what. This got James Ellis thinking whether it would be possible to achieve something like that digitally.
As Ellis later recollected, in 1970 he realized that in principle this should be possible, since he could think of an hypothetical black box
But among all those thinking of public key cryptography, probably the people who saw the furthest were two researchers at Stanford, Whit Diffie and Martin Hellman. They realized that with the advent of electronic communication, cryptography would find new applications beyond the military domain of spies and submarines, and they understood that in this new world of many users and point to point communication, cryptography will need to scale up. Diffie and Hellman envisioned an object which we now call "trapdoor permutation" though they called "one way trapdoor function" or sometimes simply "public key encryption". Though they didn't have full formal definitions, their idea was that this is an injective function that is easy (e.g., polynomial-time) to compute but hard (e.g., exponential-time) to invert. However, there is a certain trapdoor, knowledge of which would allow polynomial time inversion. Diffie and Hellman argued that using such a trapdoor function, it would be possible for Alice and Bob to communicate securely without ever having exchanged a secret key. But they didn't stop there. They realized that protecting the integrity of communication is no less important than protecting its secrecy. Thus they imagined that Alice could "run encryption in reverse" in order to certify or sign messages.
At the point, Diffie and Hellman were in a position not unlike physicists who predicted that a certain particle should exist but without any experimental verification. Luckily they met Ralph Merkle, and his ideas about a probabilistic key exchange protocol, together with a suggestion from their Stanford colleague John Gill, inspired them to come up with what today is known as the Diffie Hellman Key Exchange (which unbeknownst to them was found two years earlier at GCHQ by Malcolm Williamson). They published their paper "New Directions in Cryptography" in 1976, and it is considered to have brought about the birth of modern cryptography.
The Diffie-Hellman Key Exchange is still widely used today for secure communication. However, it still felt short of providing Diffie and Hellman's elusive trapdoor function. This was done the next year by Rivest, Shamir and Adleman who came up with the RSA trapdoor function, which through the framework of Diffie and Hellman yielded not just encryption but also signatures. (A close variant of the RSA function was discovered earlier by Clifford Cocks at GCHQ, though as far as I can tell Cocks, Ellis and Williamson did not realize the application to digital signatures.) From this point on began a flurry of advances in cryptography which hasn't died down till this day.
{#diffiehellmanmerklegillfig .margin }
A public key encryption consists of a triple of algorithms:
-
The key generation algorithm, which we denote by
$KeyGen$ or$KG$ for short, is a randomized algorithm that outputs a pair of strings$(e,d)$ where$e$ is known as the public (or encryption) key, and$d$ is known as the private (or decryption) key. The key generation algorithm gets as input$1^n$ (i.e., a string of ones of length$n$ ). We refer to$n$ as the security parameter of the scheme. The bigger we make$n$ , the more secure the encryption will be, but also the less efficient it will be. -
The encryption algorithm, which we denote by
$E$ , takes the encryption key$e$ and a plaintext$x$ , and outputs the ciphertext$y=E_e(x)$ . -
The decryption algorithm, which we denote by
$D$ , takes the decryption key$d$ and a ciphertext$y$ , and outputs the plaintext$x=D_d(y)$ .
We now make this a formal definition:
::: {.definition title="Public Key Encryption" #publickeyencdef}
A computationally secret public key encryption with plaintext length
-
For every
$n$ , if$(e,d)$ is output by$KG(1^n)$ with positive probability, and$x\in {0,1}^{L(n)}$ , then$D_d(E_e(x))=x$ with probability one. -
For every polynomial
$p$ , and sufficiently large$n$ , if$P$ is a NAND-CIRC program of at most$p(n)$ lines then for every$x,x'\in {0,1}^{L(n)}$ ,$\left| \E[ P(e,E_e(x))] - \E[P(e,E_e(x'))] \right| < 1/p(n)$ , where this probability is taken over the coins of$KG$ and$E$ . :::
publickeyencdef{.ref} allows
We will not give full constructions for public key encryption schemes in this chapter, but will mention some of the ideas that underlie the most widely used schemes today. These generally belong to one of two families:
-
Group theoretic constructions based on problems such as integer factoring and the discrete logarithm over finite fields or elliptic curves.
-
Lattice/coding based constructions based on problems such as the closest vector in a lattice or bounded distance decoding.
Group-theory based encryptions such as the RSA cryptosystem, the Diffie-Hellman protocol, and Elliptic-Curve Cryptography, are currently more widely implemented. But the lattice/coding schemes are recently on the rise, particularly because the known group theoretic encryption schemes can be broken by quantum computers, which we discuss in quantumchap{.ref}.
As just one example of how public key encryption schemes are constructed, let us now describe the Diffie-Hellman key exchange. We describe the Diffie-Hellman protocol in a somewhat of an informal level, without presenting a full security analysis.
The computational problem underlying the Diffie Hellman protocol is the discrete logarithm problem.
Let's suppose that
However, suppose now that we use modular arithmetic and work modulo some prime number
The Diffie-Hellman protocol for Bob to send a message to Alice is as follows:
-
Alice: Chooses
$p$ to be a random$n$ bit long prime (which can be done by choosing random numbers and running a primality testing algorithm on them), and$g$ and$a$ at random in$[p]$ . She sends to Bob the triple$(p,g,g^a \mod p)$ . -
Bob: Given the triple
$(p,g,h)$ , Bob sends a message$x \in {0,1}^L$ to Alice by choosing$b$ at random in$[p]$ , and sending to Alice the pair$(g^b \mod p, rep(h^b \mod p) \oplus x)$ where$rep:[p] \rightarrow {0,1}^*$ is some "representation function" that maps$[p]$ to${0,1}^L$ . (The function$rep$ does not need to be one-to-one and you can think of$rep(z)$ as simply outputting$L$ of the bits of$z$ in the natural binary representation, it does need to satisfy certain technical conditions which we omit in this description.) -
Alice: Given
$g',z$ , Alice recovers$x$ by outputting$rep(g'^a \mod p) \oplus z$ .
The correctness of the protocol follows from the simple fact that
One can think of the Diffie-Hellman protocol as being based on a "trapdoor pseudorandom generator" whereas the triple
There is a great deal to cryptography beyond just encryption schemes, and beyond the notion of a passive adversary. A central objective is integrity or authentication: protecting communications from being modified by an adversary. Integrity is often more fundamental than secrecy: whether it is a software update or viewing the news, you might often not care about the communication being secret as much as that it indeed came from its claimed source. Digital signature schemes are the analog of public key encryption for authentication, and are widely used (in particular as the basis for public key certificates) to provide a foundation of trust in the digital world.
Similarly, even for encryption, we often need to ensure security against active attacks, and so notions such as non-malleability and adaptive chosen ciphertext security have been proposed. An encryption scheme is only as secure as the secret key, and mechanisms to make sure the key is generated properly, and is protected against refresh or even compromise (i.e., forward secrecy) have been studied as well. Hopefully this chapter provides you with some appreciation for cryptography as an intellectual field, but does not imbue you with a false self confidence in implementing it.
Cryptographic hash functions is another widely used tool with a variety of uses, including extracting randomness from high entropy sources, achieving hard-to-forge short "digests" of files, protecting passwords, and much more.
Beyond encryption and signature schemes, cryptographers have managed to obtain objects that truly seem paradoxical and "magical". We briefly discuss some of these objects. We do not give any details, but hopefully this will spark your curiosity to find out more.
On October 31, 1903, the mathematician Frank Nelson Cole, gave an hourlong lecture to a meeting of the American Mathematical Society where he did not speak a single word.
Rather, he calculated on the board the value
In Zero Knowledge Proofs we try to achieve the opposite effect.
We want a proof for a statement
Suppose that we are given a bit-by-bit encryption of a string
Rivest et al already showed that such encryption schemes could be immensely useful, and their utility has only grown in the age of cloud computing.
After all, if we can compute NAND then we can use this to run any algorithm
The question of existence of such a scheme took much longer time to resolve. Only in 2009 Craig Gentry gave the first construction of an encryption scheme that allows to compute a universal basis of gates on the data (known as a Fully Homomorphic Encryption scheme in crypto parlance). Gentry's scheme left much to be desired in terms of efficiency, and improving upon it has been the focus of an intensive research program that has already seen significant improvements.
Cryptography is about enabling mutually distrusting parties to achieve a common goal.
Perhaps the most general primitive achieving this objective is secure multiparty computation.
The idea in secure multiparty computation is that
::: { .recap }
-
We can formally define the notion of security of an encryption scheme.
-
Perfect secrecy ensures that an adversary does not learn anything about the plaintext from the ciphertext, regardless of their computational powers.
-
The one-time pad is a perfectly secret encryption with the length of the key equaling the length of the message. No perfectly secret encryption can have key shorter than the message.
-
Computational secrecy can be as good as perfect secrecy since it ensures that the advantage that computationally bounded adversaries gain from observing the ciphertext is exponentially small. If the optimal PRG conjecture is true then there exists a computationally secret encryption scheme with messages that can be (almost) exponentially bigger than the key.
-
There are many cryptographic tools that go well beyond private key encryption. These include public key encryption, digital signatures and hash functions, as well as more "magical" tools such as multiparty secure computation, fully homomorphic encryption, zero knowledge proofs, and many others. :::
Much of this text is taken from my lecture notes on cryptography.
Shannon's manuscript was written in 1945 but was classified, and a partial version was only published in 1949. Still it has revolutionized cryptography, and is the forerunner to much of what followed.
The Venona project's history is described in this document. Aside from Grabeel and Zubko, credit to the discovery that the Soviets were reusing keys is shared by Lt. Richard Hallock, Carrie Berry, Frank Lewis, and Lt. Karl Elmquist, and there are others that have made important contribution to this project. See pages 27 and 28 in the document.
In a 1955 letter to the NSA that only recently came forward, John Nash proposed an "unbreakable" encryption scheme. He wrote "I hope my handwriting, etc. do not give the impression I am just a crank or circle-squarer.... The significance of this conjecture [that certain encryption schemes are exponentially secure against key recovery attacks] .. is that it is quite feasible to design ciphers that are effectively unbreakable. ". John Nash made seminal contributions in mathematics and game theory, and was awarded both the Abel Prize in mathematics and the Nobel Memorial Prize in Economic Sciences. However, he has struggled with mental illness throughout his life. His biography, A Beautiful Mind was made into a popular movie. It is natural to compare Nash's 1955 letter to the NSA to Gödel's letter to von Neumann we mentioned before. From the theoretical computer science point of view, the crucial difference is that while Nash informally talks about exponential vs polynomial computation time, he does not mention the word "Turing machine" or other models of computation, and it is not clear if he is aware or not that his conjecture can be made mathematically precise (assuming a formalization of "sufficiently complex types of enciphering").
The definition of computational secrecy we use is the notion of computational indistinguishability (known to be equivalent to semantic security) that was given by Goldwasser and Micali in 1982.
Although they used a different terminology, Diffie and Hellman already made clear in their paper that their protocol can be used as a public key encryption, with the first message being put in a "public file". In 1985, ElGamal showed how to obtain a signature scheme based on the Diffie Hellman ideas, and since he described the Diffie-Hellman encryption scheme in the same paper, the public key encryption scheme originally proposed by Diffie and Hellman is sometimes also known as ElGamal encryption.
My survey contains a discussion on the different types of public key assumptions. While the standard elliptic curve cryptographic schemes are as susceptible to quantum computers as Diffie-Hellman and RSA, their main advantage is that the best known classical algorithms for computing discrete logarithms over elliptic curve groups take time
Zero-knowledge proofs were constructed by Goldwasser, Micali, and Rackoff in 1982, and their wide applicability was shown (using the theory of
Two party and multiparty secure computation protocols were constructed (respectively) by Yao in 1982 and Goldreich, Micali, and Wigderson in 1987. The latter work gave a general transformation from security against passive adversaries to security against active adversaries using zero knowledge proofs.
Footnotes
-
Here is a nice exercise: compute (up to an order of magnitude) the probability that a 50-letter long message composed of random letters will end up not containing the letter "L". ↩