CS 6903 Modern Cryptography February 2, 2011

Lecture 1: Introduction
Instructor: Nitesh Saxena Scribe: Agilan R, Praveen R, Raghavan M

1 “Provable Security” Methodology

Let us assume that we have a Cryptographic Primitive P (e.g., an Encryption scheme
such as RSA) which is based on some Assumption A (e.g., in case of RSA the assumption
is the factoring of huge numbers is NP problem). We would like to prove that if A holds
then the Primitive P will be secure (based on some security notion).
We say that P is secure if ∀ Adversary A (T ,p) that tries to break the primitive P, where
Here:

• p: the probability of succuess of breaking the primitve

• T : Execution time of the algorithm.

then either Time T is exponential (e.g., T ≥ 280 .C) or the probability of success of the
1
Algorithm p is negligible (e.g., p ≤ 80 ).
2
If Theorem:

X: ”P is Secure”

Y: ”A Holds”.

The aim is to prove that if Y is true then X is true i.e. Y implies X ( Y ⇒ X).
[The concept of “Provable Security” can also be illustrated using the following example:
Say we have a Cryptographic appliction(e.g SSL) which is based on a cryptographic
primitive( in case of SSL- RSA Encryption). To prove that the application is secure we
have to prove that the the primitive is secure.]
This means that a primitive is secure if for all the adversary algorithms which attempt
to break the security of the primitve either take exponential time or the probabibilty of
its sucess is negligible.
Proof Technique:
Instead of proving,
Y ⇒X (1)

1-1
we will be proving its contrapositive, i.e,

¬X ⇒ ¬Y (2)

¬X: ”P is not secure”

¬Y: ”A does not hold”

This means that in order to prove Y ⇒X, we can prove in the following way it’s con-
trapositive. If ∃ an adversary A (T,p) which can break primitive P, we must prove that
∃ another adversary B(T 0 , p0 ) which invalidates the Assumtion A. If we can construct B
by making use of A, we are done. However, we must make sure that B is an efficient
algorithm and its probability of success is comparable to that of A.
We know that A has probability of success p and it takes time T for execution. Also
let us say that the B (called the “Reduction algorithm”) is such that it succeeds with a
probability p0 and Execution time T 0 . Then, we can relate p0 to p in some way, and T 0
will be related to T in some way, because B runs A as a subroutine. Let’s say that that
B succeeds with probability,

p
p0 = (3)
η
and time complexity for the Algorithm,

T0 = T + ∆ (4)

where ∆ and η are positive numbers. We want to minimize the value of ∆ and also
reduce η as much as possible.
(T 0 , p0 ) → β(A)): With typical security parameters, execution time and probability are
related to the Reduction of the Adversary Algorithm as follows:

T 0 ≥ 280 × C ⇒ T ≥ 280 × C − ∆ (5)

1 η
p0 ≤ 80
⇒ p ≤ 80 . (6)
2 2
In case η = 230 then p = 2150 . To compensate for the high η value we need to increase the
key size has to be increased to110 in order to get the equivalent security of 280 .

1 η
p0 ≤ ⇒p≤ (7)
2110 2110
Therefore we need to design our ”reduction” algorithms carefully such that a security
degradation should not occur.

1-2
2 Overview
Basic Goals of Information Security:

1. Confidentiality

2. Authentication

3. Integrity

4. Non-repudiation

5. Availability (Cryptography can be used to improve availability but not completely

achieve it).

3 Confidentiality
Confidentiality is defined as ”ensuring that the information is accessible only to those
who are authorized to have the access” . If Alice sends a message to Bob, the goal of
Cryptography is to ensure that only Alice and Bob learn the message and no one else.
Encryption is a Cryptographic Primitive that can be used to provide confidentiality. The
goal here is to come up with an Algorithm that can be used to scramble the message.
Alice will Encrypt the message and send to Bob. Bob will then be able to decrypt it.
Since the Adversary E does not know how the Algorithm works (Closed Design) or does
not know the key(s) (Open Design), E cannot see the message, which achieves the goal
of Confidentiality.

3.1 Open and Closed Design

1. I: Closed Design: In closed design the Algorithm is kept in secret between the sender
and recipeint. If an adversary knows the Algorithm, then another Algorithm needs
to be designed. In closed design model, if you would like to send five different
messages to five different people, you will need to designing an Algorithm for each
message recipient. This is not Practical because it does not scale well and when
cracked a whole new design is needed.

2. I: Open Design: In Open design the algorithm is known to all while the key to
unscramble the message is kept secret. The adversary may know the Algorithm,
but if the adversary doesn’t know the key an important part of the puzzle is missing.
This is more practical than the closed design because it scales well. If the key is
compromised then all that is needed is a new key.

1-3
Figure 1: (a) Alice sends a plaintext message to Bob, but Eve can see it. (b) Alice sends
Bob a message using Encryption, now Eve can intercept, but can’t read it.

3.2 Encryption
1. Symmetric-Key Based - Two parties that want to communicate share a key with
each other. Nobody other than the two parties know the key.
2. Assymetric-Key Based - Every user has two keys: a secret key and the correspond-
ing public key. We assume that everyone has a valid copy of everyone else’s public
key. Here the sender encrypts with the public key of the reciever and the reciever
decrypts using his private(secret) key.

3.2.1 Symmetric Key Encryption

1. Key Generation- Both Alice and Bob generate a symmetric key K

2. Encryption - Alice uses the secret key to encrypt a message “M”, to obtain a
ciphertext “C”, to send to bob
• Input: (M, K)
• C ← EncK (M )
• Output: (C)
3. Decryption - Bob recieves the ciphertext “C” from Alice and uses the shared secret
key to decrypt it and obtain the message “M”.
• Input: (C, K)

1-4
Figure 2: Alice sends an encrypted message to Bob using Symmetric Key Encryption.
Unless Eve knows the shared key K she can’t read the message.

• M ← DecK (C)
• Output: (M)

Anybody listening to the channel between Alice and Bob, would not be able to
learn the message unless they know the secret key. This is the simplest security
notion for an encryption schema.

3.2.2 Asymmetric Key Encryption

Figure 3: Alice sends an encrypted message to Bob using Asymmetric Key Encryption
(encryption using Bob’s public key). Unless Eve Bob’s Secret Key (SKB ), she can’t read
the message.

1. Key Generation - Both Alice and Bob each generate a secret key and a public key
pair. That is, Alice generates (SKA , P KA ) and Bob generates (SKB , P KB )

1-5
 2. Encryptiton - Alice uses Bob’s public key to encrypt a message “M”, obtaining
ciphertext “C”, to send to Bob.

• Input: (M, P KB )
• C ← EncP KB (M )
• Output: (C)

3. Decryption - Bob recives the ciphertext “C” from Alice and uses the his secret key
to decrypt it and obtain the message “M”.

• Input: (C, SKB )

• M ← DecSKB (C)
• Output: (M)

A message encrypted with public key of a user, can only be decrypted using the secret
key of that particular user. Therefore, an attacker who learns the ciphertext would not
be able to learn the message. As in the symmetric encryption, this is the simple security
notion.

4 Authentication
Authentication is way to ensure the authenticity of the sender of the message i.e if a
message comes from Alice we have to be sure that it was Alice who sent the message and
not Eve.

Figure 4: Illustrates the need for Authentication. How can Bob know who is sending
him the message?

1-6
4.1 Ways to Provide Authentication

4.1.1 Encryption (Symmetric-Key Based)

Figure 5: Alice sends Bob the mesage plus the message encrypted with the shared key.
Bob decrypts the encrpted message and compares it to the plain message, since only
Alice and Bob know the shared key, if the derypted message matches with plain message
then Bob knows the message is from Alice

Assume that Alice and Bob share a key K with each other

• In order to authenticate a message M to Bob, Alice will send the message and the
encryption of the message (M, C = EncK (M )).

• Bob will decrypt C (the ciphertext) and compare if it is the same as the message
(M == DecK (C)).

Since, Bob knows that only Alice posseses the key K, therefore only Alice could have
produced a valid encryption of the orginial message. In other words, an adversary not
knowing the key, would not be able to impersonate Alice. This is the simplest security
notion for an authentication scheme.

4.1.2 Encryption for Authentication (Asymmetric-Key Based)

• Alice will send the message to Bob (e.g “I am Alice”).

• Bob will challenge by encrypting a random number R using Alice’s public key and
sending it to Alice. (EncP KA (R))

• Alice will use her private key to decrypt the message and respond with R

Since, only Alice could have decrypted the challenge, Bob has the guarantee about Alice’s
authenticity.

1-7
Figure 6: Alice begins the transmission by saying, ”I’m Alice”. Bob replies with a random
nonce encrypted with Alice’s public key. Alice decrpyts the random nonce with her secret
key and sends it to Bob thus proving that it really is Alice.

4.1.3 Message Authentication Code (MAC) (Symmetric-Key Based only)

Figure 7: Alice sends the message plus the MAC of the message generated with the
shared key. Bob verifies the MAC of the message with the shared key.

• MAC Generation - Alice uses the secret key and the messsage “M” to generate a
MAC (µ) to send to bob
– Input: (M, K)
– µ ← M ACK (M )
– Output: (M, µ)
• Verification - Bob recives the message and MAC pair (M, µ) and uses the shared
secret key to verify if the MAC is correct.
– Input: (M, K, µ)
– Y es/N o ← V erif y(M, µ)
– Output: Yes/No

Since, Bob knows that only Alice posseses the key K, therefore only Alice could have
produced a valid MAC. No one else could have produced the MAC for that message.

1-8
4.1.4 Digital Signatures (Asymmetric-Key Based only)

Figure 8: Alice signs a random nonce and sends it to Bob. Bob verifies that it is from
Alice using the verification function.

• Key Generation - Both Alice and Bob generate a secret key and a public key pair.
That is, Alice generates (SKA , P KA ) and Bob generates and (SKB , P KB )
• Signing - Alice signs the message M using her secret key and sends the signature
(S) and the message (M) to bob.
– Input: (M, SKA )
– S ← SignSKA (M )
– Output: (M, S)
• Verification - Bob recieves the signature (S) and the message (M) and uses Alices
Public key to verify that the message is indeed signed by Alice and thus authentic.
– Input: (M, P KA )
– Accept/Reject ← V erif yP KA (M, S)
– Output: (Accept/Reject)

Only Alice can sign messages using her secret key and anyone can publicly verify the
signatures using Alice’s public key. It will be impossible for an an adversary to sign (or
forge) a message on behalf of someone else and impersonate someone in this case Alice
as their private key is known only to them.

5 Integrity
Integrity is ensuring that a message is not tampered with or modified while in transit.
Assuming Bob received a message from Alice, Integrity is all about making sure that
message is received by Bob is in the original from it was sent by Alice. Integrity can be
achieved using Encryption, Digital signatures and also MAC.

1-9
Figure 9: Illustrates the problem with Integrity. How can we make sure that the message
Bob receives is the original message that Alice sent?

Figure 10: Any of the methods used for Authentication can also be used to ensure
Integrity.

6 Non-repudiation

Figure 11: Digital Signatures can be used for non-repudiation because the sender uses
his/her secret key, which only they have.

Repudiation is when Alice sends a message to Bob and later says she did not. We need
to guarantee that it was indeed Alice who sent the message in such a way that she cannot
deny it. Digital signatures can be used to achieve this goal. If Alice signs a message, she
cannot deny not sending it since her private key was used to sign the message. MAC
can’t be used in this instance because the MAC could have been sent by any party.

1-10