What Is Cryptography?
Crypto Corner
Jean-Sébastien Coron, University of Luxembourg
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/06/$20.00 © 2006 IEEE ■ IEEE SECURITY & PRIVACY

Cryptography's aim is to construct schemes or protocols that can still accomplish certain tasks even in the presence of an adversary. A basic task in cryptography is to enable users to communicate securely over an insecure channel in a way that guarantees their transmissions' privacy and authenticity. Assume, for example, that Alice wants to send a message to Bob over the Internet. Ideally, no attacker should be able to obtain information about her message or modify it without Bob's notice. Providing privacy and authenticity remains a central goal for cryptographic protocols, but the field has expanded to encompass many others, including e-voting, digital coins, and secure auctions. This installment of Crypto Corner will explain what cryptography is about and how we can scientifically justify a cryptographic scheme's security.

Modeling security
How do we guarantee that a cryptographic scheme is secure? To rigorously formalize security, we must first specify the adversary's capabilities (what he or she is allowed to do) and in which situation an attack would be successful. In our example, the attacker is allowed to read and modify Alice's transmission, and the attack is successful if he or she can obtain some information about Alice's original message, or if the attacker can modify the transmission so that Bob still believes the message came from Alice. We can thus say a cryptographic scheme is "secure" if we can prove mathematically that such an attack can't succeed, except maybe with some negligible probability.

Symmetric encryption
In the simplest setting, Alice and Bob share the same key K, unknown to the attacker, and use it to encrypt and decrypt their communication. The shared key is usually a uniformly distributed, random string of k bits for some parameter k. As Figure 1 shows, Alice can apply an encryption algorithm to the plaintext M under the key K to get a ciphertext C. This ciphertext is then sent to Bob, who applies the corresponding decryption algorithm to recover the plaintext M. This is the symmetric encryption setting, in which users share the same key K.

An encryption scheme is generally randomized—that is, Alice must get a random number and use it to compute C from the inputs M and K; a fresh random number is required each time the encryption algorithm is invoked. This implies that invoking the encryption algorithm twice with the same inputs M and K will produce a different ciphertext C.

Blockciphers
Symmetric encryption is usually based on blockciphers. A blockcipher E is a function that takes as input a key K and a fixed-length plaintext m and outputs a fixed-length ciphertext c. For any fixed key K, E must be a permutation—that is, exactly one plaintext corresponds to any given ciphertext. Popular blockciphers include the old Data Encryption Standard (DES) and the new Advanced Encryption Standard (AES).

Keep in mind that blockciphers are tools: they don't provide a secure encryption scheme by themselves. This is because a blockcipher can encrypt only a fixed-length block (such as 128 bits for AES), whereas we must be able to encrypt a message of any size; moreover, as we'll see later, encryption must be randomized or depend on a variable that's updated for each new encryption (for example, a counter). The mechanism used to obtain an encryption scheme from a blockcipher is called the blockcipher's mode of operation. Cipher-block chaining (CBC) with a random initial vector, as illustrated in Figure 2, is the most widely used blockcipher mode of operation.

Passive attacks
In cryptography, we generally assume that keys are kept secure by the parties using them; in particular, if a key is stored in a computer, we assume that an adversary can't break into that computer and steal the key. Let's consider an attacker who can only eavesdrop on the transmissions between Alice and Bob. We might think that his or her goal would be to recover the secret key K, so that he or she could decrypt all further transmissions between Alice and Bob, but this is a very ambitious goal that would correspond to a total break of the encryption scheme. In reality, the attacker's goal would be something easier—for example, recovering M given C, or even obtaining only one specific bit of M. Because this bit might carry valuable information, being able to recover it would clearly make the scheme insecure.
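The Blockciphers section above says that a blockcipher only handles one fixed-length block and that a mode of operation turns it into an encryption scheme for messages of any size. The following Python is an added example, not code from the article: it builds a toy 64-bit Feistel blockcipher (a keyed permutation, constructed here purely for illustration and with no security claim of its own) and then wraps it in the two modes of Figure 2, ECB and CBC with a fresh random IV transmitted as the first ciphertext block. Running it shows the property the article leans on later: ECB is deterministic and repeats ciphertext blocks wherever plaintext blocks repeat, while CBC with a random IV produces a different ciphertext each time. The padding scheme, block size and round count are assumptions of this example.

```python
import hashlib
import os

# Toy 64-bit Feistel blockcipher, constructed for this example only (it is
# neither DES nor AES and makes no security claim). A Feistel network is a
# permutation for every key, which is the property the article requires.
BLOCK_SIZE = 8
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes) -> list:
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(ROUNDS)]


def _f(half: bytes, round_key: bytes) -> bytes:
    return hashlib.sha256(round_key + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_SIZE
    left, right = block[:4], block[4:]
    for rk in _round_keys(key):
        left, right = right, _xor(left, _f(right, rk))
    return right + left  # undo the final swap so decryption is the same loop


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_SIZE
    left, right = block[:4], block[4:]
    for rk in reversed(_round_keys(key)):
        left, right = right, _xor(left, _f(right, rk))
    return right + left


def pad(msg: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK_SIZE - len(msg) % BLOCK_SIZE
    return msg + bytes([n]) * n


def unpad(padded: bytes) -> bytes:
    n = padded[-1]
    if not 1 <= n <= BLOCK_SIZE or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks and the whole scheme is deterministic.
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pad(msg)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = None) -> bytes:
    # CBC with a fresh random IV: each plaintext block is XORed with the
    # previous ciphertext block (the IV for the first one) before going
    # through E. The IV is sent along as the first ciphertext block.
    iv = os.urandom(BLOCK_SIZE) if iv is None else iv
    prev, out = iv, [iv]
    for b in _blocks(pad(msg)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = _blocks(ct)
    prev, out = blocks[0], []
    for c in blocks[1:]:
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def has_repeated_blocks(ct: bytes) -> bool:
    """An observation a passive eavesdropper can make without the key."""
    blocks = _blocks(ct)
    return len(blocks) != len(set(blocks))


if __name__ == "__main__":
    key = os.urandom(16)
    msg = b"SAME_BLKSAME_BLK"  # constructed: two identical 8-byte blocks
    print("ECB repeats blocks:", has_repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats blocks:", has_repeated_blocks(cbc_encrypt(key, msg)))
    print("CBC twice equal:  ", cbc_encrypt(key, msg) == cbc_encrypt(key, msg))
```

The decryption functions are the mode run backwards and recover the padded plaintext exactly, which is why the blockcipher must be a permutation for every key; the random IV is what makes two encryptions of the same message under the same key differ, as the Symmetric encryption section requires.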
Figure 1. Symmetric encryption: C = E(K, M) and M = D(K, C). Alice applies the encryption algorithm E to message M using key K and sends the resulting ciphertext C. Using the same key K, Bob can recover the plaintext by applying the decryption algorithm to C.

Figure 2. The (a) electronic codebook (ECB) and the (b) cipher-block chaining (CBC) encryption modes of operation. For CBC, a fresh random IV is generated for each new encryption. [In the diagram, (a) feeds each plaintext block independently to E under K to yield one ciphertext block; (b) starts from the IV and chains the blocks through E under K, giving four ciphertext blocks for three plaintext blocks because the IV is transmitted with the ciphertext.]

Ignorance is bliss
We might say that an encryption scheme is secure if an adversary "knows nothing" about M when given C, but this can't be true in general because the adversary might have a priori information about M—for example, M might be a text document with a specific format that the adversary already knows. Privacy of encryption really means that the adversary who obtains C shouldn't be able to learn anything about M that he or she didn't know before. Claude Shannon introduced this notion of security in 1949;[1] it implies that an encryption scheme is perfectly secure if, for any two messages M1 and M2, any ciphertext C has the same probability of being the encryption of M1 as being the encryption of M2. Here, the probability is taken over the choice of the key K and the random bits used by the encryption algorithm (if any).

Semantic security
However, perfect security can be realized only if the total number of message bits encrypted with K doesn't exceed the number of bits in K, as exemplified by the one-time pad encryption algorithm.[1] This is an important limitation in practice because we would like to use a single short key to encrypt many long messages; thus we should use a different notion of security, weaker than perfect security but "almost as good" for any practical purpose: semantic security, first introduced by Shafi Goldwasser and Silvio Micali in 1982.[2]

The notion of perfect security Shannon introduced is absolute—no matter how powerful the adversary is, he or she will be unable to derive any information about the plaintext, given the ciphertext. In contrast, semantic security gives a security level that depends on the adversary's computational effort: anything that could be efficiently computed about the plaintext from the ciphertext must also be efficiently computable in the absence of the ciphertext. Intuitively, this means that computationally limited adversaries can't learn anything from the ciphertext because they can do the same things after seeing it as they could have before seeing it.
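Shannon's definition in the two sections above is a statement about probabilities over the key, and for tiny parameters it can simply be checked exhaustively. The Python below is an added example, not the article's own code: it enumerates every key, computes Pr[C | M] for every message and ciphertext, and tests whether every ciphertext is equally likely under any two messages. It confirms the one-time pad is perfectly secure when the key is as long as the message, and exhibits a concrete (M1, M2, C) witness that the same XOR with a shorter, cycled key is not, which is the "more message bits than key bits" limitation the Semantic security section describes. Bit lengths of 2 and 4 and the tuple-of-bits representation are choices of this example.

```python
from collections import Counter
from itertools import product

# Messages, keys and ciphertexts are tuples of bits (0/1) so that every key
# and message of a given length can be enumerated; the lengths are tiny on
# purpose, the definition being the same at any size.


def one_time_pad(key, msg):
    """Shannon's one-time pad: a uniformly random key as long as the message."""
    assert len(key) == len(msg)
    return tuple(k ^ m for k, m in zip(key, msg))


def repeated_key_xor(key, msg):
    """Same XOR, but the key may be shorter than the message and is cycled,
    so more message bits than key bits are encrypted under the same key."""
    return tuple(m ^ key[i % len(key)] for i, m in enumerate(msg))


def ciphertext_distribution(encrypt, key_len, msg):
    """Pr[C = c | M = msg] over a uniformly random key of key_len bits."""
    counts = Counter(encrypt(key, msg) for key in product((0, 1), repeat=key_len))
    total = 2 ** key_len
    return {c: n / total for c, n in counts.items()}


def _all_distributions(encrypt, key_len, msg_len):
    msgs = list(product((0, 1), repeat=msg_len))
    dists = {m: ciphertext_distribution(encrypt, key_len, m) for m in msgs}
    cts = set().union(*dists.values())
    return msgs, dists, cts


def is_perfectly_secure(encrypt, key_len, msg_len):
    """Shannon's condition: for any two messages M1, M2 and any ciphertext C,
    C is equally likely to be the encryption of M1 as of M2, the probability
    being taken over the choice of key."""
    msgs, dists, cts = _all_distributions(encrypt, key_len, msg_len)
    return all(dists[m1].get(c, 0.0) == dists[m2].get(c, 0.0)
               for m1 in msgs for m2 in msgs for c in cts)


def distinguishing_witness(encrypt, key_len, msg_len):
    """Return (M1, M2, C) with Pr[C | M1] != Pr[C | M2], or None if the scheme
    is perfectly secure. Such a C is exactly what lets an eavesdropper who
    sees it favour one of the two messages over the other."""
    msgs, dists, cts = _all_distributions(encrypt, key_len, msg_len)
    for m1 in msgs:
        for m2 in msgs:
            for c in sorted(cts):
                if dists[m1].get(c, 0.0) != dists[m2].get(c, 0.0):
                    return m1, m2, c
    return None


if __name__ == "__main__":
    print("OTP, 4-bit key, 4-bit message:", is_perfectly_secure(one_time_pad, 4, 4))
    print("cycled 2-bit key, 4-bit message:", is_perfectly_secure(repeated_key_xor, 2, 4))
    print("witness:", distinguishing_witness(repeated_key_xor, 2, 4))
```

With a 2-bit key cycled over a 4-bit message, the all-zero ciphertext can only arise from the all-zero message under the all-zero key, so its probability is 1/4 for that message and 0 for a message such as (1, 0, 0, 0); that inequality is the witness the function returns, and it is why a key must be at least as long as everything it ever encrypts for perfect security to hold.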
Indistinguishability
An equivalent, but simpler, notion of security is indistinguishability of encryption. Consider an adversary who first chooses two messages of the same length and then receives an encryption of one of them. The encryption scheme is considered secure if the adversary can't efficiently tell which of the two messages was encrypted. Instead of a single message pair, the adversary can actually choose a sequence of pairs of messages (Mi, Mi'), and for a random bit b, the adversary receives a sequence of ciphertexts Ci, where Ci is an encryption of Mi for all i if b = 0, or an encryption of Mi' for all i if b = 1. The adversary must then output a guess b' of b and is said to be successful if b' = b.

Of course, the adversary can always have a 1/2 probability of success, simply by outputting a random bit for b'; thus the adversary's success in breaking the scheme is measured as the excess over 1/2 of its probability of guessing correctly—this is the adversary's advantage. We can say an encryption scheme is secure if the advantage of any computationally limited adversary in the previous scenario remains bounded by a very small value. We can prove that the CBC mode of operation described in Figure 2 satisfies the previous security notion, assuming that the underlying blockcipher is a pseudorandom function. However, it's easy to see that the basic electronic codebook (ECB) mode described in Figure 2 doesn't achieve this property—namely, we can find an attacker who can easily distinguish between the encryption of two messages, no matter how good the blockcipher is.

Public-key cryptography
The privacy notion we've now defined applies to the symmetric setting, in which Alice and Bob share the same key K for both encryption and decryption. In the public-key setting (or asymmetric setting), however, a different key is used for encryption and decryption. Essentially, a party possesses a pair of keys—a public key, pk, and an associated secret key, sk—with the public key used for encryption and the secret key for decryption.

As illustrated in Figure 3, when Alice wishes to send a message M to Bob, she encrypts it using Bob's public key pkBob by computing the ciphertext C = E(pkBob, M) and sending C to Bob. He then recovers the plaintext with his secret key skBob by computing M = D(skBob, C). The advantage of public-key cryptography is that it enables secure communications between users who have never met before; Whitfield Diffie and Martin Hellman introduced the idea of public-key cryptography in 1976.[3] Figure 4 shows the most popular public-key cryptosystem, the RSA algorithm, which Ron Rivest, Adi Shamir, and Len Adleman invented in 1977.[4]

Figure 3. Public-key cryptography: C = E(pkBob, M) and M = D(skBob, C). Alice sends a message to Bob and encrypts it with his public key (pk).

Defining the notion of privacy in the public-key setting proceeds in a similar way as in the symmetric setting, but with some modifications. Here, the adversary first receives a public key pk, and must distinguish between the encryption of two messages m1 and m2 under pk. As earlier, the encryption scheme is secure if any computationally limited adversary's advantage remains bounded by a very small value.

The plain RSA algorithm shown in Figure 4 doesn't achieve the indistinguishability property—namely, the adversary can always encrypt the messages m1 and m2 and check whether c = E(pk, m1) or c = E(pk, m2). In fact, indistinguishability can be achieved only via probabilistic encryption—that is, a random number must be used each time the encryption algorithm is invoked; as a result, a plaintext has many possible ciphertexts. To obtain the indistinguishability property when encrypting with RSA, we must therefore apply an encoding to the message prior to applying the RSA function; the most popular encoding for achieving this property is the optimal asymmetric encryption padding (OAEP) that Mihir Bellare and Phil Rogaway developed in 1994.[5]
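The indistinguishability game and the advantage measure defined above, together with the observation that plain RSA loses it because the adversary can re-encrypt m1 and m2 and compare, can be run as an experiment. The Python below is an added example, not the article's code: it plays the public-key game many times against the re-encrypt-and-compare adversary, first with plain (deterministic) RSA and then with a toy randomized encoding that appends a few fresh random bits before the RSA function. The toy RSA key (primes 61 and 53, e = 17), the messages 42 and 137, and the 4-bit encoding are constructed for this example; the encoding is deliberately simple and is not OAEP, and the experiment only measures this one adversary's advantage, not the scheme's security (with so few random bits an adversary that re-encrypts under every possible random value would still win, which is why real encodings such as OAEP use a seed of many bits).

```python
import random

# Constructed toy RSA key with tiny primes so the example runs instantly;
# the structure (n, e, d) is RSA's, but real keys use primes of 1024+ bits.
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753, the decryption exponent
PK, SK = (N, E), (N, D)

R_BITS = 4  # random bits in the toy encoding; (m << R_BITS) must stay below N


def rsa_plain_encrypt(pk, m, rng=None):
    """Plain RSA: c = m^e mod n. Deterministic, so equal m give equal c."""
    n, e = pk
    return pow(m, e, n)


def rsa_plain_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def rsa_randomized_encrypt(pk, m, rng):
    """Toy randomized encoding (assumed for illustration; NOT OAEP): append
    fresh random bits to m before the RSA function, so that one plaintext
    has 2**R_BITS possible ciphertexts."""
    n, e = pk
    r = rng.getrandbits(R_BITS)
    return pow((m << R_BITS) | r, e, n)


def rsa_randomized_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n) >> R_BITS


class ReencryptAdversary:
    """The distinguisher from the text: holding pk, encrypt both candidate
    messages itself and compare with the challenge ciphertext."""

    def __init__(self, encrypt):
        self.encrypt = encrypt

    def choose(self, pk, rng):
        return 42, 137  # constructed messages, both below N >> R_BITS

    def guess(self, pk, c, m1, m2, rng):
        return 0 if self.encrypt(pk, m1, rng) == c else 1


def ind_game(encrypt, adversary, pk, trials, seed=0):
    """Play the indistinguishability game `trials` times and return the
    adversary's advantage, Pr[b' = b] - 1/2 (0 is random guessing, 1/2 is
    always right). A fixed seed keeps the experiment reproducible."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        m1, m2 = adversary.choose(pk, rng)
        b = rng.getrandbits(1)                       # challenger's hidden bit
        c = encrypt(pk, m1 if b == 0 else m2, rng)   # challenge ciphertext
        if adversary.guess(pk, c, m1, m2, rng) == b:
            wins += 1
    return wins / trials - 0.5


if __name__ == "__main__":
    plain = ind_game(rsa_plain_encrypt, ReencryptAdversary(rsa_plain_encrypt), PK, 1000)
    rand = ind_game(rsa_randomized_encrypt, ReencryptAdversary(rsa_randomized_encrypt), PK, 1000)
    print("advantage against plain RSA:      ", plain)
    print("advantage against randomized RSA: ", rand)
```

Against plain RSA the adversary's guess is always right, so the advantage is the maximum 1/2. Against the randomized encoding its re-encryption of m1 only matches the challenge when the fresh random value happens to equal the challenger's, so its advantage collapses to roughly 1/2 · 2^-R_BITS, about 0.03 here; more random bits drive it toward zero, which is the "a plaintext has many possible ciphertexts" requirement stated above.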
Active attacks
So far, we've focused on passive adversaries—the ones who just eavesdrop. In practice, though, an adversary might be able to inject or modify the messages transmitted over a network. Specifically, he or she could inject ciphertexts and possibly obtain some partial information about their corresponding plaintexts. To deal with active attacks, Charles Rackoff and Daniel Simon introduced in 1991 the notion of security under an adaptive chosen ciphertext attack.[6] As we learned earlier, the adversary must tell whether a challenge ciphertext c is an encryption of m1 or m2, but he or she can now also obtain the decryption of any ciphertext, except for the challenge ciphertext c itself. Ronald Cramer and Victor Shoup invented the first practical public-key encryption scheme to provably achieve this property in 1998,[7] based on a standard hardness assumption. The OAEP scheme mentioned earlier also achieves this property, but only in the random oracle model—an idealized model of computation in which hash functions are viewed as completely random functions.

The field of provable security is the combination of three steps: security definition, scheme, and proof of security. Although this approach is now part of the mainstream in modern cryptography, provable security has some limitations. In the real world, real computation takes time, consumes power, and leaks radiation, and adversaries can exploit these vulnerabilities with timing attacks,