
Crypto Corner

Editors: Peter Gutmann, pgut001@cs.auckland.ac.nz


David Naccache, david.naccache@ens.fr
Charles C. Palmer, ccpalmer@us.ibm.com

What Is Cryptography?

Jean-Sébastien Coron, University of Luxembourg

Cryptography’s aim is to construct schemes or protocols that can still accomplish certain tasks even in the presence of an adversary. A basic task in cryptography is to enable users to communicate securely over an insecure channel in a way that guarantees their transmissions’ privacy and authenticity. Assume, for example, that Alice wants to send a message to Bob over the Internet. Ideally, no attacker should be able to obtain information about her message or modify it without Bob’s notice. Providing privacy and authenticity remains a central goal for cryptographic protocols, but the field has expanded to encompass many others, including e-voting, digital coins, and secure auctions. This installment of Crypto Corner will explain what cryptography is about and how we can scientifically justify a cryptographic scheme’s security.

Modeling security

How do we guarantee that a cryptographic scheme is secure? To rigorously formalize security, we must first specify the adversary’s capabilities (what he or she is allowed to do), and in which situation an attack would be successful. In our example, the attacker is allowed to read and modify Alice’s transmission, and the attack is successful if he or she can obtain some information about Alice’s original message, or if the attacker can modify the transmission so that Bob still believes the message came from Alice. We can thus say a cryptographic scheme is “secure” if we can prove mathematically that such an attack can’t succeed, except maybe with some negligible probability.

Symmetric encryption

In the simplest setting, Alice and Bob can share the same key K, unknown to the attacker, and use it to encrypt and decrypt their communication. The shared key is usually a uniformly distributed, random string of k bits for some parameter k. As Figure 1 shows, Alice can apply an encryption algorithm to the plaintext M under the key K to get a ciphertext C. This ciphertext is then sent to Bob, who applies the corresponding decryption algorithm to recover the plaintext M. This is the symmetric encryption setting, in which users share the same key K.

An encryption scheme is generally randomized—that is, Alice must get a random number and use it to compute C from the inputs M and K; a fresh random number is required each time the encryption algorithm is invoked. This implies that invoking the encryption algorithm twice with the same inputs M and K will produce a different ciphertext C.

Blockciphers

Symmetric encryption is usually based on blockciphers. A blockcipher E is a function that takes as input a key K and a fixed-length plaintext m and outputs a fixed-length ciphertext c. For any fixed key K, E must be a permutation—that is, exactly one plaintext corresponds to any given ciphertext. Popular blockciphers include the old Data Encryption Standard (DES) and the new Advanced Encryption Standard (AES).

Keep in mind that blockciphers are tools: they don’t provide a secure encryption scheme by themselves. This is because a blockcipher can encrypt only a fixed-length block (such as 128 bits for AES), whereas we must be able to encrypt a message of any size; moreover, as we’ll see later, encryption must be randomized or depend on a variable that’s updated for each new encryption (for example, a counter). The mechanism used to obtain an encryption scheme from a blockcipher is called the blockcipher’s mode of operation. Cipher-block chaining (CBC) with a random initial vector, as illustrated in Figure 2, is the most widely used blockcipher mode of operation.

Passive attacks

In cryptography, we generally assume that keys are kept secure by the parties using them; in particular, if a key is stored in a computer, we assume that an adversary can’t break into that computer and steal the key. Let’s consider an attacker who can only eavesdrop on the transmissions between Alice and Bob. We might think that his or her goal would be to recover the secret key K, so that he could decrypt all further transmissions between Alice and Bob, but this is a very ambitious goal that would correspond to a total break of the encryption scheme. In reality, the attacker’s goal would be something

70 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/06/$20.00 © 2006 IEEE ■ IEEE SECURITY & PRIVACY

easier—for example, recovering M given C, or even obtaining only one specific bit of M. Because this bit might carry valuable information, being able to recover it would clearly make the scheme insecure.

Figure 1. Symmetric encryption. [Diagram: Alice computes C = E(K, M) and sends C; Bob computes M = D(K, C).] Alice applies the encryption algorithm E to message M using key K and sends the resulting ciphertext C. Using the same key K, Bob can recover the plaintext by applying the decryption algorithm to C.

Figure 2. [Diagram: (a) each Plaintext block goes through E under key K to give a Ciphertext block; (b) an IV precedes the Plaintext blocks, each of which goes through E under key K, and each Ciphertext block is chained into the next.] The (a) electronic codebook (ECB) and the (b) cipher-block chaining (CBC) encryption modes of operation. For CBC, a fresh random IV is generated for each new encryption.

Ignorance is bliss

We might say that an encryption scheme is secure if an adversary “knows nothing” about M when given C, but this can’t be true in general because the adversary might have a priori information about M—for example, M might be a text document with a specific format that the adversary already knows. Privacy of encryption really means that the adversary who obtains C shouldn’t be able to learn anything about M that he or she didn’t know before. Claude Shannon introduced this notion of security in 1949 [1]; it implies that an encryption scheme is perfectly secure if, for any two messages M1 and M2, any ciphertext C has the same probability of being the encryption of M1 as being the encryption of M2. Here, the probability is taken over the choice of the key K and the random bits used by the encryption algorithms (if any).

Semantic security

However, perfect security can be realized only if the total number of message bits encrypted with K doesn’t exceed the number of bits in K, as exemplified with the one-time pad encryption algorithm [1]. This is an important limitation in practice because we would like to use a single short key to encrypt many long messages, thus we should use a different notion of security, weaker than perfect security, but “almost as good” for any practical purpose: semantic security, first introduced by Shafi Goldwasser and Silvio Micali in 1982 [2].

The notion of perfect security Shannon introduced is absolute—no matter how powerful the adversary is, he or she will be unable to derive any information from the plaintext, given the ciphertext. In contrast, semantic security gives a security level that depends on the adversary’s computational effort: anything that could be efficiently computed about the plaintext from the ciphertext must also be efficiently computable in the absence of the ciphertext. Intuitively, this means that computationally limited adversaries can’t learn anything from the ciphertext because they can do the same things after seeing it as they could have before seeing it.

Indistinguishability

An equivalent, but simpler, notion of security is indistinguishability of encryption. Consider an adversary who first chooses two messages of the same length and then receives an encryption of one of them. The encryption scheme is considered secure if the adversary can’t efficiently tell which of the two messages was encrypted. Instead of a single message pair, the adversary can actually choose a sequence of pairs of messages (Mi, Mi′), and for a random bit




b, the adversary receives a sequence of ciphertexts Ci, where Ci is either an encryption of Mi for all i if b = 0 or an encryption of Mi′ for all i if b = 1. The adversary must then output a guess b′ of b and is said to be successful if b′ = b.

Of course, the adversary can always have a 1/2 probability of success, simply by outputting a random bit for b′; thus the adversary’s success in breaking the scheme is measured as the excess over 1/2 of its probability to guess correctly—this is the adversary’s advantage. We can say an encryption scheme is secure if the advantage of any computationally limited adversary in the previous scenario remains bounded by a very small value. We can prove that the CBC mode of operation described in Figure 2 satisfies the previous security notion, assuming that the underlying blockcipher is a pseudorandom function. However, it’s easy to see that the basic electronic codebook (ECB) mode described in Figure 2 doesn’t achieve this property—namely, we can find an attacker who can easily distinguish between the encryption of two messages, no matter how good the blockcipher is.
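The indistinguishability experiment above, run against the ECB and CBC modes of Figure 2, as an added example that is not part of the article. The blockcipher E is a constructed stand-in (a 4-round Feistel network with HMAC-SHA256 as round function, so it is a permutation as the text requires), the message pair is two identical blocks versus two different blocks, and the adversary is the one the text describes: it looks for repeated ciphertext blocks.

```python
import hashlib
import hmac
import os
import random

BLOCK = 16  # 128-bit blocks, as for AES


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy blockcipher E(K, m): a 4-round Feistel network with HMAC-SHA256 as the
    round function. A Feistel network is always a permutation of the block, as the
    text requires of E; it is a constructed stand-in for DES/AES, not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # Figure 2(a): each block is encrypted independently, with no randomness at all.
    return b"".join(prp_encrypt(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))


def cbc_encrypt(key: bytes, msg: bytes) -> bytes:
    # Figure 2(b): a fresh random IV, and each ciphertext block feeds into the next.
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(msg), BLOCK):
        prev = prp_encrypt(key, bytes(a ^ b for a, b in zip(msg[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def guess_from_repeated_blocks(c: bytes) -> int:
    """The adversary of the text: equal last two ciphertext blocks means the message
    with two identical blocks (b = 0) was encrypted; otherwise guess b = 1."""
    return 0 if c[-BLOCK:] == c[-2 * BLOCK:-BLOCK] else 1


def advantage(encrypt, adversary, trials: int = 256, seed: int = 2006) -> float:
    """Indistinguishability experiment: the adversary's success rate minus 1/2.
    Keys and challenge bits come from a seeded generator so runs are reproducible."""
    rng = random.Random(seed)
    m0 = b"A" * BLOCK + b"A" * BLOCK  # two identical blocks
    m1 = b"A" * BLOCK + b"B" * BLOCK  # same length, but the blocks differ
    wins = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        b = rng.getrandbits(1)
        wins += adversary(encrypt(key, m1 if b else m0)) == b
    return wins / trials - 0.5
```

Against ECB the adversary's advantage is exactly 1/2 (it is never wrong); against CBC the same adversary is reduced to guessing, so its advantage stays near zero regardless of how strong E is.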
Figure 3. Public-key cryptography. [Diagram: Alice computes C = E(pkBob, M); Bob computes M = D(skBob, C).] Alice sends a message to Bob and encrypts it with his public key (pk).

Public-key cryptography

The privacy notion we’ve now defined applies for the symmetric setting, in which Alice and Bob share the same key K for both encryption and decryption. In the public-key setting (or asymmetric setting), however, a different key is used for encryption and decryption. Essentially, a party possesses a pair of keys—a public key, pk, and an associated secret key, sk—with the public key for encryption and the secret key for decryption.

As illustrated in Figure 3, when Alice wishes to send a message M to Bob, she encrypts it using Bob’s public key pkBob by computing the ciphertext C = E(pkBob, M) and sending C to Bob. He then recovers the plaintext with his secret key skBob by computing M = D(skBob, C). The advantage of public-key cryptography is that it enables secure communications between users who have never met before; Whitfield Diffie and Martin Hellman introduced the idea of public-key cryptography in 1976 [3]. Figure 4 shows the most popular public-key cryptosystem, the RSA algorithm, which Ron Rivest, Adi Shamir, and Len Adleman invented in 1977 [4].

Defining the notion of privacy in the public-key setting occurs in a similar way as in the symmetric setting, but with some modifications. Here, the adversary first receives a public-key pk, and must distinguish between the encryption of two messages m1 and m2 under pk. As earlier, the encryption scheme is secure if any computationally limited adversary’s advantage remains bounded by a very small value.

The plain RSA algorithm shown in Figure 4 doesn’t achieve the indistinguishability property—namely, the adversary can always encrypt the messages m1 and m2 and check whether c = E(pk, m1) or c = E(pk, m2). In fact, indistinguishability can be achieved only via probabilistic encryption—that is, a random number must be used each time the encryption algorithm is invoked; as a result, a plaintext has many possible ciphertexts. To obtain the indistinguishability property when encrypting with RSA, we must therefore apply an encoding to the message prior to applying the RSA function; the most popular encoding for achieving this property is the optimal asymmetric encryption padding (OAEP) that Mihir Bellare and Phil Rogaway developed in 1994 [5].
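The RSA setup of Figure 4 and the re-encryption check described in the paragraph above, as an added example that is not part of the article. The key parameters are constructed toy values (the classic p = 61, q = 53 textbook key, and two Mersenne primes for a 92-bit modulus); the randomised variant simply prepends random bits to the message to show why a plaintext must have many ciphertexts, and is not OAEP or any other real padding.

```python
import math
import secrets


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Setup from Figure 4: n = pq, e relatively prime to phi(n) = (p-1)(q-1),
    d the inverse of e in Z_phi(n). Returns pk = (n, e) and sk = d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (n, e), pow(e, -1, phi)


def rsa_encrypt(pk, m: int) -> int:
    n, e = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    return pow(m, e, n)  # C = M^e mod n


def rsa_decrypt(pk, sk: int, c: int) -> int:
    n, _ = pk
    return pow(c, sk, n)  # M = C^d mod n


def which_plaintext(pk, m1: int, m2: int, c: int) -> int:
    """The observation of the text: plain RSA is deterministic, so anyone holding pk
    can re-encrypt both candidate messages and see which one c is an encryption of."""
    return 1 if rsa_encrypt(pk, m1) == c else 2


def randomized_encrypt(pk, m: int, r: int = None) -> int:
    """Illustrative randomisation only (NOT OAEP): prepend 32 random bits to a
    32-bit message, so the same plaintext has 2^32 possible ciphertexts."""
    if m >> 32:
        raise ValueError("demo message must fit in 32 bits")
    r = secrets.randbits(32) if r is None else r
    return rsa_encrypt(pk, (r << 32) | m)


def randomized_decrypt(pk, sk: int, c: int) -> int:
    return rsa_decrypt(pk, sk, c) & 0xFFFFFFFF  # drop the random prefix


# Constructed toy parameters: Mersenne primes 2^31-1 and 2^61-1 give a 92-bit n,
# large enough for the 64-bit encoded block above but far too small for real use.
TOY_P, TOY_Q = 2**31 - 1, 2**61 - 1
```

With the randomised encoding the re-encryption check fails, because the adversary no longer knows which of the 2^32 encodings of m1 was used; a real scheme uses OAEP rather than this ad hoc prefix.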
Active attacks

So far, we’ve focused on passive adversaries—the ones who just eavesdrop. In practice, though, an adversary might be able to inject or modify the messages transmitted over a network. Specifically, he or she could inject ciphertexts and possibly obtain some partial information about their corresponding plaintexts. To deal with active attacks, Charles Rackoff and Daniel Simon introduced in 1991 the notion of security under an adaptive chosen ciphertext attack [6]. As we learned earlier, the adversary must tell whether a challenge ciphertext c is an encryption of m1 or m2, but he or she can also obtain the decryption of any ciphertext, except for the challenge ciphertext c. Ronald Cramer and Victor Shoup invented the first practical public-key encryption scheme to provably achieve this property in 1998 [7], based on a standard hardness assumption. The OAEP scheme mentioned earlier also achieves this property, but only in the random oracle model—an idealized model of computation in which hash functions are viewed as completely random functions.

The field of provable security is the combination of three steps: security definition, scheme, and proof of security. Although this approach is now part of the mainstream in modern cryptography, provable security has some limitations. In the real world, real computation takes time, consumes power, and leaks radiation, and adversaries can exploit these vulnerabilities with timing attacks,




differential power analysis, and fault attacks. An interesting future research direction would be to extend the models used in provable security to include such attacks.

Figure 4. The RSA cryptosystem. The system’s security is based on the difficulty of recovering p and q given n = pq.
Setup: n = pq, with p and q primes; e relatively prime to φ(n) = (p – 1)(q – 1); d inverse of e in Z_φ(n)
Public key: pk = (n, e)
Private key: sk = d
Encryption: plaintext M in Z_n; C = M^e mod n
Decryption: M = C^d mod n

References

1. C.E. Shannon, “Communication Theory of Secrecy Systems,” Bell System Tech. J., vol. 28, no. 4, 1949, pp. 656–715.
2. S. Goldwasser and S. Micali, “Probabilistic Encryption,” J. Computer and System Sciences, vol. 28, Apr. 1984, pp. 270–299.
3. W. Diffie and M.E. Hellman, “New Directions in Cryptography,” IEEE Trans. Information Theory, vol. 22, Nov. 1976, pp. 644–654.
4. R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, vol. 21, no. 2, 1978, pp. 120–126.
5. M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption,” Advances in Cryptology (Eurocrypt 94), LNCS 950, Springer-Verlag, 1994, pp. 92–111.
6. C. Rackoff and D. Simon, “Non-Interactive Zero-Knowledge Proof of Knowledge and the Chosen Ciphertext Attack,” Proc. Crypto 91, LNCS 576, Springer-Verlag, 1991, pp. 433–444.
7. R. Cramer and V. Shoup, “A Practical Public Key Crypto System Provably Secure against Adaptive Chosen Ciphertext Attack,” Proc. Crypto 1998, LNCS 1462, Springer-Verlag, 1998, pp. 13–25.

Jean-Sébastien Coron is a professor of cryptography at the University of Luxembourg. His research interests include the cryptanalysis of public-key cryptosystems and the construction of efficient protocols. Coron has a PhD in computer science from the Ecole Polytechnique (France). He is a member of the International Association for Cryptologic Research (IACR). Contact him at coron@clipper.ens.fr.
