
Crypto Corner

Editors: Peter Gutmann, pgut001@cs.auckland.ac.nz; David Naccache, david.naccache@ens.fr; Charles C. Palmer, ccpalmer@us.ibm.com

What Is Cryptography?

Jean-Sébastien Coron, University of Luxembourg

Published by the IEEE Computer Society, 1540-7993/06/$20.00 © 2006 IEEE

Cryptography's aim is to construct schemes or protocols that can still accomplish certain tasks even in the presence of an adversary. A basic task in cryptography is to enable users to communicate securely over an insecure channel in a way that guarantees the privacy and authenticity of their transmissions. Assume, for example, that Alice wants to send a message to Bob over the Internet. Ideally, no attacker should be able to obtain information about her message or modify it without Bob noticing. Providing privacy and authenticity remains a central goal for cryptographic protocols, but the field has expanded to encompass many others, including e-voting, digital coins, and secure auctions. This installment of Crypto Corner will explain what cryptography is about and how we can scientifically justify a cryptographic scheme's security.

Symmetric encryption
In the simplest setting, Alice and Bob share the same key K, unknown to the attacker, and use it to encrypt and decrypt their communication. The shared key is usually a uniformly distributed random string of k bits for some security parameter k. As Figure 1 shows, Alice applies an encryption algorithm E to the plaintext M under the key K to get a ciphertext C. This ciphertext is then sent to Bob, who applies the corresponding decryption algorithm D to recover the plaintext M. This is the symmetric encryption setting, in which both users hold the same key K. An encryption scheme is generally randomized; that is, Alice must draw a random number and use it, together with M and K, to compute C, and a fresh random number is required each time the encryption algorithm is invoked. Consequently, invoking the encryption algorithm twice with the same inputs M and K will (except with negligible probability) produce two different ciphertexts.

Figure 1. Symmetric encryption: C = E(K, M) and M = D(K, C). Alice applies the encryption algorithm E to message M using key K and sends the resulting ciphertext C. Using the same key K, Bob can recover the plaintext by applying the decryption algorithm D to C.

Blockciphers
Symmetric encryption is usually based on blockciphers. A blockcipher E is a function that takes as input a key K and a fixed-length plaintext block m and outputs a fixed-length ciphertext block c. For any fixed key K, E must be a permutation; that is, exactly one plaintext corresponds to any given ciphertext, so that decryption is well defined. Popular blockciphers include the old Data Encryption Standard (DES) and the newer Advanced Encryption Standard (AES). Keep in mind that blockciphers are tools: they don't provide a secure encryption scheme by themselves. This is because a blockcipher can encrypt only a fixed-length block (128 bits for AES), whereas we must be able to encrypt a message of any size; moreover, as we'll see later, encryption must be randomized or depend on a variable that's updated for each new encryption (for example, a counter). The mechanism used to obtain an encryption scheme from a blockcipher is called the blockcipher's mode of operation. Cipher-block chaining (CBC) with a random initial vector (IV), as illustrated in Figure 2, is the most widely used blockcipher mode of operation at the time of writing.

Figure 2. The (a) electronic codebook (ECB) and (b) cipher-block chaining (CBC) encryption modes of operation. In ECB, each plaintext block is encrypted independently under K. In CBC, a fresh random IV is generated for each new encryption, and each plaintext block is XORed with the previous ciphertext block (with the IV for the first block) before being encrypted.

Modeling security
How do we guarantee that a cryptographic scheme is secure? To rigorously formalize security, we must first specify the adversary's capabilities (what he or she is allowed to do) and in which situation an attack counts as successful. In our example, the attacker is allowed to read and modify Alice's transmission, and the attack is successful if he or she can obtain some information about Alice's original message, or if the attacker can modify the transmission so that Bob still believes the message came from Alice. We can thus say a cryptographic scheme is secure if we can prove mathematically that such an attack can't succeed, except maybe with some negligible probability.

Passive attacks
In cryptography, we generally assume that keys are kept secure by the parties using them; in particular, if a key is stored in a computer, we assume that an adversary can't break into that computer and steal the key. Let's first consider an attacker who can only eavesdrop on the transmissions between Alice and Bob. We might think that his or her goal would be to recover the secret key K, so as to decrypt all further transmissions between Alice and Bob, but this is a very ambitious goal that would correspond to a total break of the encryption scheme. In reality, the attacker's goal could be something easier: for example, recovering M given C, or even obtaining only one specific bit of M. Because this bit might carry valuable information, being able to recover it would already make the scheme insecure.

Ignorance is bliss
We might say that an encryption scheme is secure if an adversary knows nothing about M when given C, but this can't be true in general because the adversary might have a priori information about M: for example, M might be a text document with a specific format that the adversary already knows. Privacy of encryption really means that an adversary who obtains C shouldn't be able to learn anything about M that he or she didn't know before. Claude Shannon introduced this notion of security in 1949;1 it implies that an encryption scheme is perfectly secure if, for any two messages M1 and M2, any ciphertext C has the same probability of being the encryption of M1 as of being the encryption of M2. Here, the probability is taken over the choice of the key and the random bits used by the encryption algorithm (if any).

Semantic security
However, perfect security can be realized only if the total number of message bits encrypted with K doesn't exceed the number of bits in K, as exemplified by the one-time pad.1 This is an important limitation in practice because we would like to use a single short key to encrypt many long messages; thus we need a different notion of security, weaker than perfect security but almost as good for any practical purpose: semantic security, first introduced by Shafi Goldwasser and Silvio Micali in 1982.2 The notion of perfect security Shannon introduced is absolute: no matter how powerful the adversary is, he or she will be unable to derive any information about the plaintext from the ciphertext. In contrast, semantic security gives a security level that depends on the adversary's computational effort: anything that could be efficiently computed about the plaintext from the ciphertext must also be efficiently computable in the absence of the ciphertext. Intuitively, this means that computationally limited adversaries can't learn anything from the ciphertext, because they can do the same things after seeing it as they could before seeing it.

Indistinguishability
An equivalent but simpler notion of security is indistinguishability of encryptions. Consider an adversary who first chooses two messages of the same length and then receives an encryption of one of them. The encryption scheme is considered secure if the adversary can't efficiently tell which of the two messages was encrypted. Instead of a single message pair, the adversary can actually choose a sequence of pairs of messages (M_i, M'_i), and for a random bit b, the adversary receives a sequence of ciphertexts C_i, where C_i is an encryption of M_i for all i if b = 0, or an encryption of M'_i for all i if b = 1. The adversary must then output a guess b' of b and is said to be successful if b' = b. Of course, the adversary can always achieve a 1/2 probability of success simply by outputting a random bit for b'; thus the adversary's success in breaking the scheme is measured as the excess over 1/2 of its probability of guessing correctly: this is the adversary's advantage. We say an encryption scheme is secure if the advantage of any computationally limited adversary in the previous game remains bounded by a very small value. We can prove that the CBC mode of operation described in Figure 2 satisfies this security notion, assuming that the underlying blockcipher is a pseudorandom function (the proof also requires the IV to be fresh and unpredictable for every encryption; a predictable IV breaks it). However, it's easy to see that the basic electronic codebook (ECB) mode described in Figure 2 doesn't achieve this property; that is, we can find an attacker who easily distinguishes between the encryptions of two messages, no matter how good the blockcipher is. Because ECB encrypts every block independently and deterministically, identical plaintext blocks give identical ciphertext blocks, so an adversary who submits a pair of messages A||A and A||B (two equal blocks versus two distinct ones) simply checks whether the two ciphertext blocks are equal and reads off b with certainty.

Figure 3. Public-key cryptography: C = E(pk_Bob, M) and M = D(sk_Bob, C). Alice sends a message to Bob and encrypts it with his public key pk_Bob; Bob decrypts it with his secret key sk_Bob.
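The following Python program is an added example, not code from the article: it implements the objects discussed in the Symmetric encryption, Blockciphers and Indistinguishability sections above. The blockcipher is a four-round Feistel network keyed with HMAC-SHA256 (an assumption made so that only the standard library is needed; it stands in for AES and is not a vetted cipher), on top of which the ECB and CBC modes of Figure 2 are built. The left-or-right game of the text is then played with the repeated-block adversary: it wins with certainty against ECB and gains nothing against CBC. All function names and the sample messages are this example's own.

```python
"""Added example: toy blockcipher, ECB/CBC modes, and the left-or-right
indistinguishability game.  The Feistel cipher is a stand-in for AES."""
import hashlib
import hmac
import os
import secrets

BLOCK = 16          # 128-bit blocks, as for AES
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, i: int, half: bytes) -> bytes:
    """Round function: keyed hash of (round index, half block), cut to 64 bits."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, m: bytes) -> bytes:
    """E(K, m).  A Feistel network is a permutation for every fixed K,
    whatever the round function is, so decryption is always well defined."""
    assert len(m) == BLOCK
    l, r = m[:HALF], m[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, c: bytes) -> bytes:
    """D(K, c): undo the rounds in reverse order; _f itself is never inverted."""
    assert len(c) == BLOCK
    l, r = c[:HALF], c[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """Figure 2(a): every block encrypted independently; deterministic."""
    assert len(msg) % BLOCK == 0
    return b"".join(block_encrypt(key, msg[i:i + BLOCK])
                    for i in range(0, len(msg), BLOCK))


def cbc_encrypt(key: bytes, msg: bytes) -> bytes:
    """Figure 2(b): fresh random IV per call; output is IV || C1 || C2 || ..."""
    assert len(msg) % BLOCK == 0
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, _xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_block_adversary(oracle) -> int:
    """One query: M0 = A||A, M1 = A||B (same length).  Guess 0 iff the last two
    ciphertext blocks are equal, which is exactly what a deterministic mode leaks."""
    a, b = b"\x00" * BLOCK, b"\xff" * BLOCK      # constructed sample blocks
    c = oracle(a + a, a + b)
    return 0 if c[-2 * BLOCK:-BLOCK] == c[-BLOCK:] else 1


def lr_advantage(encrypt, adversary, trials: int = 200) -> float:
    """Left-or-right game of the text: a random key and bit b are fixed, the
    adversary may query oracle(M0, M1) and receives an encryption of M_b, then
    outputs b'.  Returns Pr[b' = b] - 1/2 over `trials` runs: the advantage."""
    wins = 0
    for _ in range(trials):
        key, b = os.urandom(BLOCK), secrets.randbelow(2)

        def oracle(m0, m1, key=key, b=b):
            assert len(m0) == len(m1)
            return encrypt(key, (m0, m1)[b])

        wins += adversary(oracle) == b
    return wins / trials - 0.5


if __name__ == "__main__":
    print("ECB advantage:", lr_advantage(ecb_encrypt, repeated_block_adversary))  # 0.5
    print("CBC advantage:", lr_advantage(cbc_encrypt, repeated_block_adversary))  # about 0.0
```

The adversary never looks inside the blockcipher: against ECB it wins every time whatever cipher is plugged in, because equal plaintext blocks always give equal ciphertext blocks. Against CBC the same test is useless, since the random IV makes the two block inputs differ, and the adversary's success rate falls back to coin-flipping. Note that the Feistel construction is only here to give a key-indexed permutation of 128-bit blocks; the point is the mode, not the cipher.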

Public-key cryptography
The privacy notion we've now defined applies to the symmetric setting, in which Alice and Bob share the same key K for both encryption and decryption. In the public-key (or asymmetric) setting, however, different keys are used for encryption and decryption. Essentially, a party possesses a pair of keys, a public key pk and an associated secret key sk, with the public key used for encryption and the secret key for decryption. As illustrated in Figure 3, when Alice wishes to send a message M to Bob, she encrypts it using Bob's public key pk_Bob by computing the ciphertext C = E(pk_Bob, M) and sends C to Bob. He then recovers the plaintext with his secret key sk_Bob by computing M = D(sk_Bob, C). The advantage of public-key cryptography is that it enables secure communication between users who have never met before; Whitfield Diffie and Martin Hellman introduced the idea of public-key cryptography in 1976.3 Figure 4 shows the most popular public-key cryptosystem, the RSA algorithm, which Ron Rivest, Adi Shamir, and Len Adleman invented in 1977.4 Defining the notion of privacy in the public-key setting proceeds in a similar way as in the symmetric setting, but with some modifications. Here, the adversary first receives a public key pk and must distinguish between the encryptions of two messages m1 and m2 under pk. As before, the encryption scheme is secure if any computationally limited adversary's advantage remains bounded by a very small value. The plain RSA algorithm shown in Figure 4 doesn't achieve the indistinguishability property: because its encryption is deterministic and the encryption key is public, the adversary can simply encrypt m1 and m2 himself and check whether c = E(pk, m1) or c = E(pk, m2). In fact, indistinguishability can be achieved only via probabilistic encryption; that is, a random number must be used each time the encryption algorithm is invoked, so that a plaintext has many possible ciphertexts. To obtain the indistinguishability property when encrypting with RSA, we must therefore apply a randomized encoding to the message prior to applying the RSA function; the most popular encoding for achieving this property is the optimal asymmetric encryption padding (OAEP) that Mihir Bellare and Phil Rogaway developed in 1994.5

Active attacks
So far, we've focused on passive adversaries, the ones who just eavesdrop. In practice, though, an adversary might be able to inject or modify the messages transmitted over a network. Specifically, he or she could inject ciphertexts and possibly obtain some partial information about their corresponding plaintexts, for example from how the receiver reacts to them. Note that the indistinguishability notion above says nothing about this: a scheme can be secure against passive attacks and still let an attacker transform a ciphertext into a different valid ciphertext whose plaintext is related to the original one in a predictable way. To deal with active attacks, Charles Rackoff and Daniel Simon introduced in 1991 the notion of security under an adaptive chosen-ciphertext attack.6 As before, the adversary must tell whether a challenge ciphertext c is an encryption of m1 or of m2, but he or she can now also obtain the decryption of any ciphertext of his or her choice, except for the challenge ciphertext c itself. Ronald Cramer and Victor Shoup invented the first practical public-key encryption scheme to provably achieve this property in 1998,7 based on a standard hardness assumption. The OAEP scheme mentioned earlier also achieves this property, but only in the random oracle model, an idealized model of computation in which hash functions are viewed as completely random functions.
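The following Python program is an added example, not code from the article, serving both the Public-key cryptography section and the Active attacks section above. It implements textbook RSA exactly as in Figure 4, then runs the two attacks the text describes against it: the passive distinguisher that re-encrypts m1 and m2 under the public key (possible only because plain RSA is deterministic), and an adaptive chosen-ciphertext attack in which the decryption oracle refuses the challenge ciphertext itself but the attacker still recovers the plaintext, by exploiting the fact that E(pk, r*m) = r^e * m^e mod n. The Miller-Rabin key generation, the function names and the sample plaintexts are this example's own assumptions; the key generator is illustrative, not production quality.

```python
"""Added example: textbook RSA (Figure 4), the passive re-encryption
distinguisher, and a chosen-ciphertext attack on plain RSA."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test (probabilistic; assumed adequate for the demo)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit forced, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, e=65537):
    """Setup of Figure 4: n = pq, e coprime to phi(n), d = e^-1 mod phi(n).
    Returns pk = (n, e) and sk = (n, d); n is carried in sk for convenience."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(pk, m):
    """C = M^e mod n.  Deterministic: the same M always yields the same C."""
    n, e = pk
    assert 0 <= m < n, "plaintext must be an element of Z_n"
    return pow(m, e, n)


def decrypt(sk, c):
    """M = C^d mod n."""
    n, d = sk
    return pow(c, d, n)


def distinguish(pk, c, m1, m2):
    """Passive attack from the text: re-encrypt both candidates under pk and
    compare.  Returns 1 if c encrypts m1, else 2.  Always right, so the
    adversary's advantage is the maximum and plain RSA is not indistinguishable."""
    return 1 if encrypt(pk, m1) == c else 2


def make_decryption_oracle(sk, challenge):
    """Oracle of the adaptive chosen-ciphertext game: decrypts anything
    except the challenge ciphertext itself."""
    def oracle(c):
        if c == challenge:
            raise PermissionError("the challenge ciphertext is not decrypted")
        return decrypt(sk, c)
    return oracle


def cca_recover(pk, challenge, oracle):
    """Blind the challenge with a random r: (r^e * c) mod n is a different
    ciphertext that decrypts to r*m.  The oracle answers it, and dividing
    by r recovers m in full; the refusal rule alone does not help plain RSA."""
    n, e = pk
    while True:
        r = 2 + secrets.randbelow(n - 2)
        blinded = (challenge * pow(r, e, n)) % n
        if blinded == challenge:
            continue                     # degenerate r; pick another
        try:
            r_inv = pow(r, -1, n)        # fails only if gcd(r, n) > 1
        except ValueError:
            continue
        return (oracle(blinded) * r_inv) % n


def demo():
    """Run both attacks on constructed sample plaintexts; returns the findings."""
    pk, sk = keygen(512)
    m1 = int.from_bytes(b"attack at dawn", "big")   # constructed sample
    m2 = int.from_bytes(b"attack at dusk", "big")   # constructed sample
    c = encrypt(pk, m1)
    return {"roundtrip_ok": decrypt(sk, c) == m1,
            "passive_guess": distinguish(pk, c, m1, m2),
            "cca_recovered": cca_recover(pk, c, make_decryption_oracle(sk, c)) == m1}


if __name__ == "__main__":
    print(demo())
```

Both attacks are consequences of the bare RSA function being applied directly to the message: determinism defeats indistinguishability against a passive adversary, and the multiplicative structure defeats the chosen-ciphertext game even though the oracle follows its rule to the letter. A randomized encoding such as OAEP is what removes both properties in practice, and any decryptor that leaks whether a decoded padding was valid reopens the second attack in a weaker form.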

The field of provable security combines three steps: a security definition, a scheme, and a proof that the scheme meets the definition. Although this approach is now part of the mainstream in modern cryptography, provable security has some limitations. In the real world, computation takes time, consumes power, and emits radiation, and adversaries can exploit these physical leakages with timing attacks, differential power analysis, and fault attacks. An interesting future research direction would be to extend the models used in provable security to include such attacks.

IEEE Security & Privacy, January/February 2006
Figure 4. The RSA cryptosystem. Its security is based on the difficulty of recovering p and q given n = pq.
Setup: n = pq, with p and q primes; e relatively prime to φ(n) = (p - 1)(q - 1); d = e^(-1) mod φ(n), the inverse of e in Z_φ(n)
Public key: pk = (n, e)
Private key: sk = d
Encryption: plaintext M in Z_n; C = M^e mod n
Decryption: M = C^d mod n

References
1. C.E. Shannon, "Communication Theory of Secrecy Systems," Bell System Tech. J., vol. 28, no. 4, 1949, pp. 656-715.
2. S. Goldwasser and S. Micali, "Probabilistic Encryption," J. Computer and System Sciences, vol. 28, Apr. 1984, pp. 270-299.
3. W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, vol. 22, Nov. 1976, pp. 644-654.
4. R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 21, no. 2, 1978, pp. 120-126.
5. M. Bellare and P. Rogaway, "Optimal Asymmetric Encryption," Advances in Cryptology (Eurocrypt 94), LNCS 950, Springer-Verlag, 1994, pp. 92-111.
6. C. Rackoff and D. Simon, "Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack," Proc. Crypto 91, LNCS 576, Springer-Verlag, 1991, pp. 433-444.
7. R. Cramer and V. Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack," Proc. Crypto 98, LNCS 1462, Springer-Verlag, 1998, pp. 13-25.


Jean-Sébastien Coron is a professor of cryptography at the University of Luxembourg. His research interests include the cryptanalysis of public-key cryptosystems and the construction of efficient protocols. Coron has a PhD in computer science from the Ecole Polytechnique (France). He is a member of the International Association for Cryptologic Research (IACR). Contact him at coron@clipper.ens.fr.

