8/8/2019

Online Cryptography Course Dan Boneh

Welcome
Course objectives:
Introduction • Learn how crypto primitives work
• Learn how to use them correctly and reason about security

Course Overview My recommendations:

• Take notes
• Pause video frequently to think about the material
• Answer the in-video questions

Dan Boneh Dan Boneh

Cryptography is everywhere Secure communication

Secure communication:
– web traffic: HTTPS
– wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth

Encrypting files on disk: EFS, TrueCrypt

Content protection (e.g. DVD, Blu-ray): CSS, AACS

no eavesdropping
User authentication no tampering

… and much much more

Dan Boneh Dan Boneh

Secure Sockets Layer / TLS Protected files on disk

Disk
Two main parts
Alice File 1 Alice
1. Handshake Protocol: Establish shared secret key
using public-key cryptography (2nd part of course) No eavesdropping
No tampering
File 2

2. Record Layer: Transmit data using shared secret key

Ensure confidentiality and integrity (1st part of course) Analogous to secure communication:
Alice today sends a message to Alice tomorrow
Dan Boneh Dan Boneh

1
 8/8/2019

Building block: sym. encryption Use Cases

Alice Bob Single use key: (one time key)
m E(k,m)=c c D(k,c)=m • Key is only used to encrypt one message
E D
• encrypted email: new key generated for every email
k k

E, D: cipher k: secret key (e.g. 128 bits) Multi use key: (many time key)
m, c: plaintext, ciphertext • Key used to encrypt multiple messages
• encrypted files: same key used to encrypt many files
Encryption algorithm is publicly known • Need more machinery than for one-time key
• Never use a proprietary cipher
Dan Boneh Dan Boneh

Things to remember
Cryptography is:
– A tremendous tool
– The basis for many security mechanisms
End of Segment
Cryptography is not:
– The solution to all security problems
– Reliable unless implemented and used properly
– Something you should try to invent yourself
• many many examples of broken ad-hoc designs

Dan Boneh Dan Boneh

Online Cryptography Course Dan Boneh

Crypto core Talking
to Bob
Talking
to Alice

Secret key establishment: Alice

Bob
Introduction
attacker???

What is cryptography?
Secure communication: k m1
k
m2
confidentiality and integrity
Dan Boneh Dan Boneh

2
 8/8/2019

But crypto can do much more But crypto can do much more
• Digital signatures • Digital signatures

• Anonymous communication • Anonymous communication

Alice
Who did I signature
just talk to?
• Anonymous digital cash
– Can I spend a “digital coin” without anyone knowing who I am?
Alice – How to prevent double spending?
Bob Who was
1$ Alice that?
Internet
(anon. comm.)
Dan Boneh Dan Boneh

Protocols Protocols
• Elections • Elections
• Private auctions • Private auctions

trusted
Goal: compute f(x1, x2, x3, x4) authority

“Thm:” anything that can done with trusted auth. can also
be done without

• Secure multi-party computation

Dan Boneh Dan Boneh

Crypto magic A rigorous science

• Privately outsourcing computation What did she
search for? The three steps in cryptography:
search
query E[ query ]
Alice
• Precisely specify threat model
E[ results ]
results
• Propose a construction
• Zero knowledge (proof of knowledge)
???
• Prove that breaking construction under
N=p∙q Alice I know the factors of N !!
N threat mode will solve an underlying hard problem
proof π Bob
Dan Boneh Dan Boneh

3
 8/8/2019

Online Cryptography Course Dan Boneh

Introduction
End of Segment
History

Dan Boneh Dan Boneh

History Symmetric Ciphers

David Kahn, “The code breakers” (1996)

Dan Boneh Dan Boneh

Few Historic Examples (all badly broken) Caesar Cipher (no key)

1. Substitution cipher

k :=

Dan Boneh Dan Boneh

4
 8/8/2019

What is the size of key space in the substitution cipher How to break a substitution cipher?
assuming 26 letters?
| | = 26 What is the most common letter in English text?
= 26! (26 factorial)
“X”
| |=2 “L”
“E”
| | = 26
“H”

Dan Boneh Dan Boneh

How to break a substitution cipher? An Example

UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO
FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN
(1) Use frequency of English letters CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF
ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB
OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR

(2) Use frequency of pairs of letters (digrams) B 36  E NC 11  IN UKB 6  THE

N 34 PU 10  AT RVN 6
U 33  T UB 10 FZI 4
P 32  A UN 9 trigrams
C 26 digrams
Dan Boneh Dan Boneh

2. Vigener cipher (16’th century, Rome) 3. Rotor Machines (1870-1943)

Early example: the Hebern machine (single rotor)

k = C R Y P T O C R Y P T O C R Y P T
(+ mod 26)
m = W H A T A N I C E D A Y T O D A Y A K E N
B S K E
C T S K
c = Z Z Z J U C L U D T U N W G C Q S . . T S
. . . T
X R . .
Y N R .
Z key E N R
suppose most common = “H” first letter of key = “H” – “E” = “C”
Dan Boneh Dan Boneh

5
 8/8/2019

Rotor Machines (cont.) 4. Data Encryption Standard (1974)

Most famous: the Enigma (3-5 rotors)

DES: # keys = 256 , block size = 64 bits

Today: AES (2001), Salsa20 (2008) (and many others)

# keys = 264 = 218 (actually 236 due to plugboard)

Dan Boneh Dan Boneh

Online Cryptography Course Dan Boneh

See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability

Introduction
End of Segment
Discrete Probability
(crash course, cont.)

Dan Boneh Dan Boneh

U: finite set (e.g. U = {0,1}n ) Events

Def: Probability distribution P over U is a function P: U ⟶ [0,1]
• For a set A ⊆ U: Pr[A] = Σ P(x) ∈ [0,1]
such that Σ P(x) = 1
x∈U
x∈A
note: Pr[U]=1
• The set A is called an event
Examples:
1. Uniform distribution: for all x∈U: P(x) = 1/|U| Example: U = {0,1}8
2. Point distribution at x0: P(x0) = 1, ∀x≠x0: P(x) = 0 • A = { all x in U such that lsb2(x)=11 } ⊆U

for the uniform distribution on {0,1}8 : Pr[A] = 1/4

Distribution vector: ( P(000), P(001), P(010), … , P(111) ) Dan Boneh Dan Boneh

6
 8/8/2019

The union bound Random Variables

• For events A1 and A2 Def: a random variable X is a function X:U⟶V

Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2]

Example: X: {0,1}n ⟶ {0,1} ; X(y) = lsb(y) ∈{0,1}
U V
A1
A2 For the uniform distribution on U:
lsb=0 0
Example:
Pr[ X=0 ] = 1/2 , Pr[ X=1 ] = 1/2
A1 = { all x in {0,1}n s.t lsb2(x)=11 } ; A2 = { all x in {0,1}n s.t. msb2(x)=11 } lsb=1 1

More generally:
Pr[ lsb2(x)=11 or msb2(x)=11 ] = Pr[A1∪A2] ≤ ¼+¼ = ½ rand. var. X induces a distribution on V: Pr[ X=v ] := Pr[ X-1(v) ]
Dan Boneh Dan Boneh

The uniform random variable

Let r be a uniform random variable on {0,1}2
Let U be some set, e.g. U = {0,1}n
R
Define the random variable X = r1 + r2
We write r ⟵ U to denote a uniform random variable over U

for all a∈U: Pr[ r = a ] = 1/|U| Then Pr[X=2] = ¼

( formally, r is the identity function: r(x)=x for all x∈U ) Hint: Pr[X=2] = Pr[ r=11 ]

Dan Boneh Dan Boneh

Randomized algorithms
inputs outputs
• Deterministic algorithm: y ⟵ A(m)

m
• Randomized algorithm
R
A(m)
End of Segment
y ⟵ A( m ; r ) where r ⟵ {0,1}n

output is a random variable

R
y⟵ A( m ) m
A(m)

R
Example: A(m ; k) = E(k, m) , y⟵ A( m )
Dan Boneh Dan Boneh

7
 8/8/2019

Online Cryptography Course Dan Boneh

Recap
See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability
U: finite set (e.g. U = {0,1}n )
Introduction Prob. distr. P over U is a function P: U ⟶ [0,1] s.t. Σ P(x) = 1
x∈U

Discrete Probability A ⊆ U is called an event and Pr[A] = Σ P(x)

x∈A
∈ [0,1]

(crash course, cont.) A random variable is a function X:U⟶V .

X takes values in V and defines a distribution on V

Dan Boneh Dan Boneh

Independence Review: XOR

Def: events A and B are independent if Pr[ A and B ] = Pr[A] ∙ Pr[B] XOR of two strings in {0,1}n is their bit-wise addition mod 2
random variables X,Y taking values in V are independent if
∀a,b∈V: Pr[ X=a and Y=b] = Pr[X=a] ∙ Pr[Y=b]
0 1 1 0 1 1 1
⊕
Example: 2
U = {0,1} = {00, 01, 10, 11} and r⟵UR 1 0 1 1 0 1 0

Define r.v. X and Y as: X = lsb(r) , Y = msb(r)

Pr[ X=0 and Y=0 ] = Pr[ r=00 ] = ¼ = Pr[X=0] ∙ Pr[Y=0]

Dan Boneh Dan Boneh

An important property of XOR The birthday paradox

Let r1, …, rn ∈ U be indep. identically distributed random vars.
Thm: Y a rand. var. over {0,1}n , X an indep. uniform var. on {0,1}n
Then Z := Y⨁X is uniform var. on {0,1}n Thm: when n= 1.2 × |U|1/2 then Pr[ ∃i≠j: ri = rj ] ≥ ½

notation: |U| is the size of U

Proof: (for n=1)
Pr[ Z=0 ] = Example: Let U = {0,1}128

After sampling about 264 random messages from U,

some two sampled messages will likely be the same
Dan Boneh Dan Boneh

8
 8/8/2019

|U|=106
collision probability

End of Segment

# samples n
Dan Boneh Dan Boneh