
Modern Cryptography: Principles and Paradigms, Study notes of Design

These notes cover the main principles and paradigms that distinguish modern cryptography from classical cryptography. They emphasize the importance of precise definitions of security, rigorous proofs of security, and the need for any underlying assumptions to be precisely stated. Modern cryptography provides a mathematical formulation of real-world security problems, ensuring security against any efficient adversary.

Typology: Study notes

2021/2022

Uploaded on 09/27/2022 by deffstar

Partial preview of the text

18 Introduction to Modern Cryptography

2. Designing secure ciphers is a hard task: The Vigenère cipher remained unbroken for a long time, partially due to its presumed complexity. Far more complex schemes have also been used, such as the German Enigma. Nevertheless, this complexity does not imply security and all historical ciphers can be completely broken. In general, it is very hard to design a secure encryption scheme, and such design should be left to experts.

The history of classical encryption schemes is fascinating, both with respect to the methods used as well as the influence of cryptography and cryptanalysis on world history (in World War II, for example). Here, we have only tried to give a taste of some of the more basic methods, with a focus on what modern cryptography can learn from these attempts.

1.4 The Basic Principles of Modern Cryptography

The previous section has given a taste of historical cryptography. It is fair to say that, historically, cryptography was more of an art than any sort of science: schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity or cleverness. Unfortunately, as we have seen, all such schemes (no matter how clever) were eventually broken. Modern cryptography, now resting on firmer and more scientific foundations, gives hope of breaking out of the endless cycle of constructing schemes and watching them get broken. In this section we outline the main principles and paradigms that distinguish modern cryptography from classical cryptography. We identify three main principles:

1. Principle 1 — the first step in solving any cryptographic problem is the formulation of a rigorous and precise definition of security.

2. Principle 2 — when the security of a cryptographic construction relies on an unproven assumption, this assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.

3. Principle 3 — cryptographic constructions should be accompanied by a rigorous proof of security with respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle 2 (if an assumption is needed at all).

We now discuss each of these principles in greater depth.

1.4.1 Principle 1 – Formulation of Exact Definitions

One of the key intellectual contributions of modern cryptography has been the realization that formal definitions of security are essential prerequisites for the design, usage, or study of any cryptographic primitive or protocol. Let us explain each of these in turn:

1. Importance for design: Say we are interested in constructing a secure encryption scheme. If we do not have a firm understanding of what it is we want to achieve, how can we possibly know whether (or when) we have achieved it? Having an exact definition in mind enables us to better direct our design efforts, as well as to evaluate the quality of what we build, thereby improving the end construction. In particular, it is much better to define what is needed first and then begin the design phase, rather than to come up with a post facto definition of what has been achieved once the design is complete. The latter approach risks having the design phase end when the designers’ patience is tried (rather than when the goal has been met), or may result in a construction that achieves more than is needed and is thus less efficient than a better solution.

2. Importance for usage: Say we want to use an encryption scheme within some larger system. How do we know which encryption scheme to use? If presented with a candidate encryption scheme, how can we tell whether it suffices for our application? Having a precise definition of the security achieved by a given scheme (coupled with a security proof relative to a formally-stated assumption as discussed in principles 2 and 3) allows us to answer these questions. Specifically, we can define the security that we desire in our system (see point 1, above), and then verify whether the definition satisfied by a given encryption scheme suffices for our purposes. Alternatively, we can specify the definition that we need the encryption scheme to satisfy, and look for an encryption scheme satisfying this definition. Note that it may not be wise to choose the “most secure” scheme, since a weaker notion of security may suffice for our application and we may then be able to use a more efficient scheme.

3. Importance for study: Given two encryption schemes, how can we compare them? Without any definition of security, the only point of comparison is efficiency, but efficiency alone is a poor criterion since a highly efficient scheme that is completely insecure is of no use. Precise specification of the level of security achieved by a scheme offers another point of comparison. If two schemes are equally efficient but the first one satisfies a stronger definition of security than the second, then the first is preferable.[5] There may also be a trade-off between security and efficiency (see the previous two points), but at least with precise definitions we can understand what this trade-off entails.

[5] Of course, things are rarely this simple.

[...] (i.e., a ciphertext-only attack), or whether we assume that the adversary can also actively request encryptions of any plaintext that it likes (i.e., carry out a chosen-plaintext attack). A second issue that must be considered is the computational power of the adversary. For all of this book, except Chapter 2, we will want to ensure security against any efficient adversary, by which we mean any adversary running in polynomial time. (A full discussion of this point appears in Section 3.1.2. For now, it suffices to say that an “efficient” strategy is one that can be carried out in a lifetime. Thus “feasible” is arguably a more accurate term.) When translating this into concrete terms, we might require security against any adversary utilizing decades of computing time on a supercomputer.

In summary, any definition of security will take the following general form:

A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.

We stress that the definition never assumes anything about the adversary’s strategy. This is an important distinction: we are willing to assume something about the adversary’s capabilities (e.g., that it is able to mount a chosen-plaintext attack but not a chosen-ciphertext attack), but we are not willing to assume anything about how it uses its abilities. We call this the “arbitrary adversary principle”: security must be guaranteed for any adversary within the class of adversaries having the specified power. This principle is important because it is impossible to foresee what strategies might be used in an adversarial attack (and history has proven that attempts to do so are doomed to failure).

Mathematics and the real world. A definition of security essentially provides a mathematical formulation of a real-world problem. If the mathematical definition does not appropriately model the real world, then the definition may be useless. For example, if the adversarial power under consideration is too weak (and, in practice, adversaries have more power), or the break is such that it allows real attacks that were not foreseen (like one of the early answers regarding encryption), then “real security” is not obtained, even if a “mathematically-secure” construction is used. In short, a definition of security must accurately model the real world in order for it to deliver on its mathematical promise of security.

It is quite common, in fact, for a widely-accepted definition to be ill-suited for some new application. As one notable example, there are encryption schemes that were proven secure (relative to some definition like the ones we have discussed above) and then implemented on smart-cards. Due to physical properties of the smart-cards, it was possible for an adversary to monitor the power usage of the smart-card (e.g., how this power usage fluctuated over time) as the encryption scheme was being run, and it turned out that this information could be used to determine the key. There was nothing wrong with the security definition or the proof that the scheme satisfied this definition; the problem was simply that there was a mismatch between the definition and the real-world implementation of the scheme on a smart-card.

This should not be taken to mean that definitions (or proofs, for that matter) are useless! The definition — and the scheme that satisfies it — may still be appropriate for other settings, such as when encryption is performed on an end-host whose power usage cannot be monitored by an adversary. Furthermore, one way to achieve secure encryption on a smart-card would be to further refine the definition so that it takes power analysis into account. Or, perhaps hardware countermeasures for power analysis can be developed, with the effect of making the original definition (and hence the original scheme) appropriate for smart-cards. The point is that with a definition you at least know where you stand, even if the definition turns out not to accurately model the particular setting in which a scheme is used. In contrast, with no definition it is not even clear what went wrong.

This possibility of a disconnect between a mathematical model and the reality it is supposed to be modeling is not unique to cryptography but is something that occurs throughout science.
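The smart-card discussion above describes a scheme that satisfies its definition yet leaks through its implementation. The following is an added example, not from the textbook, showing the same mismatch in software: a MAC verifier whose accept/reject answer is all the security model accounts for, but whose early-exit byte comparison leaks how many tag bytes a candidate got right (the comparison count stands in for the power or timing trace an attacker would measure), beside the constant-time version that removes the leak. The key, messages and candidate tags are constructed for the demonstration.

```python
"""Model/implementation mismatch: a verifier that is correct in the model
(the adversary only sees accept/reject) but whose implementation leaks
through a side channel. Constructed example; the comparison count stands
in for the power or timing trace a smart-card attacker would measure."""
import hmac
import hashlib

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def tag(message: bytes) -> bytes:
    """HMAC-SHA256 tag of message under KEY."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def early_exit_verify(message: bytes, candidate: bytes):
    """Leaky verifier: stops at the first mismatching byte.
    Returns (accepted, bytes_compared); the second value is outside the
    model and is what a side channel would expose."""
    expected = tag(message)
    if len(candidate) != len(expected):
        return False, 0
    compared = 0
    for a, b in zip(expected, candidate):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def constant_time_verify(message: bytes, candidate: bytes):
    """Hardened verifier: same accept/reject answer, but the work done does
    not depend on where the candidate first differs."""
    expected = tag(message)
    return hmac.compare_digest(expected, candidate), len(expected)


def leaks_prefix_length(verify, message: bytes) -> bool:
    """True if the side channel (bytes compared) distinguishes a wrong tag
    sharing 0 correct leading bytes from one sharing 5, i.e. the
    implementation reveals more than the model's accept/reject bit."""
    real = tag(message)
    wrong_0 = bytes(b ^ 0xFF for b in real)                 # every byte wrong
    wrong_5 = real[:5] + bytes(b ^ 0xFF for b in real[5:])  # first 5 right
    _, c0 = verify(message, wrong_0)
    _, c5 = verify(message, wrong_5)
    return c0 != c5
```

Both verifiers give identical accept/reject answers on every input, so a proof about the model says nothing about the difference between them; only an implementation-level check such as leaks_prefix_length exposes it.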
To take an example from the field of computer science, consider the meaning of a mathematical proof that there exist well-defined problems that computers cannot solve.[7] The immediate question that arises is what does it mean for “a computer to solve a problem”? Specifically, a mathematical proof can be provided only when there is some mathematical definition of what a computer is (or to be more exact, what the process of computation is). The problem is that computation is a real-world process, and there are many different ways of computing. In order for us to be really convinced that the “unsolvable problem” is really unsolvable, we must be convinced that our mathematical definition of computation captures the real-world process of computation. How do we know when it does? This inherent difficulty was noted by Alan Turing who studied questions of what can and cannot be solved by a computer. We quote from his original paper [140] (the text in square brackets replaces original text in order to make it more reader friendly):

No attempt has yet been made to show [that the problems we have defined to be solvable by a computer] include [exactly those problems] which would naturally be regarded as computable. All arguments which can be given are bound to be, fundamentally, appeals to intuition, and for this reason rather unsatisfactory mathematically. The real question at issue is “What are the possible processes which can be carried out in [computation]?” The arguments which I shall use are of three kinds.
(a) A direct appeal to intuition.
(b) A proof of the equivalence of two definitions (in case the new definition has a greater intuitive appeal).
(c) Giving examples of large classes of [problems that can be solved using a given definition of computation].

[7] Those who have taken a course in computability theory will be familiar with the fact that such problems do indeed exist (e.g., the Halting Problem).

In some sense, Turing faced the exact same problem as cryptographers. He developed a mathematical model of computation but needed to somehow be convinced that the model was a good one. Likewise, cryptographers define notions of security and need to be convinced that their definitions imply meaningful security guarantees in the real world. As with Turing, they may employ the following tools to become convinced:

1. Appeals to intuition: the first tool when contemplating a new definition of security is to see whether it implies security properties that we intuitively expect to hold. This is a minimum requirement, since (as we have seen in our discussion of encryption) our initial intuition usually results in a notion of security that is too weak.

2. Proofs of equivalence: it is often the case that a new definition of security is justified by showing that it is equivalent to (or stronger than) a definition that is older, more familiar, or more intuitively-appealing.

3. Examples: a useful way of being convinced that a definition of security suffices is to show that the different real-world attacks we are familiar with are ruled out by the definition.

In addition to all of the above, and perhaps most importantly, we rely on the test of time and the fact that with time, the scrutiny and investigation of both researchers and practitioners testifies to the soundness of a definition.

1.4.2 Principle 2 – Reliance on Precise Assumptions

Most modern cryptographic constructions cannot be proven secure unconditionally. Indeed, proofs of this sort would require resolving questions in the theory of computational complexity that seem far from being answered today. The result of this unfortunate state of affairs is that security typically relies upon some assumption. The second principle of modern cryptography states that assumptions must be precisely stated. This is for three main reasons:

1. Validation of the assumption: By their very nature, assumptions are statements that are not proven but are rather conjectured to be true. In order to strengthen our belief in some assumption, it is necessary for the assumption to be studied. The more the assumption is examined and tested without being successfully refuted, the more confident we are that the assumption is true. Furthermore, study of an assumption can provide positive evidence of its validity by showing that it is implied by some other assumption that is also widely believed.