11/09/07 ECS 235A
Cryptography

Goal of Cryptography
- To ensure secure communication across an insecure medium

Players
- A
- B
- M (attacker)
- T (trusted third party, in some cryptosystems)

Elements in a Cryptosystem
E: encryption algorithm
D: decryption algorithm
K: set of encryption keys
K^(-1): set of decryption keys
M: set of plaintexts
C: set of ciphertexts

Goals of the Attacker
- Recover plaintext (without having the decryption key)
- Recover keys
- Recover partial information about the plaintext

Symmetric key cryptosystem: the same key is used for both encryption and decryption
Asymmetric key cryptosystem: different keys are used for encryption and decryption

One-Time Pad (OTP):
M, C: n-bit messages
k, k^(-1): n-bit random number, used once for a single message
- Symmetric key cryptosystem, k = k^(-1)
- Ek(m) = m XOR k; the ciphertext is just a random number
- Dk(c) = c XOR k
- An attacker can get no information about the key or the message from the ciphertext
- Can be proven to be semantically secure

Perfect Security
- For any m1, m2, and c, Pr[Ek(m1) = c] = Pr[Ek(m2) = c]
- The probability is taken over all choices of k

One-Time Password
Example:
- h^(n-1)(m), ..., h^2(m), h(m), m

Black Box Game:
- An encryption function is very strong if it is indistinguishable from a random permutation.
- There are (2^n)! random permutation functions on n-bit blocks
- A keyed cipher gives only 2^k encryption functions (one per key), i.e. a fraction (2^k)/(2^n)! of all permutations
- Can't do better than a random permutation function

Game: Imagine a black box that takes two inputs I1 and I2 and has one output O. Inside it contains an encryption function and a random permutation function. Each input is fed into one of them. There is a switch that connects either the encryption function or the random permutation function to the output. Let the attacker try a number of rounds (fewer than the key space), testing various I1 and I2 and observing O, in order to try to determine the position of the switch.
- If the attacker can't guess with Pr > 1/2, then the encryption function is indistinguishable from the random permutation function.
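The one-time password chain h^(n-1)(m), ..., h(m), m listed above is the Lamport scheme: the server enrolls h^n(m) and each login reveals the next preimage. The following is an added example, not part of these notes; it assumes SHA-256 as the one-way function h and uses a constructed random seed for m.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """One-way function for the chain (SHA-256 here; any preimage-resistant hash works)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [m, h(m), h^2(m), ..., h^n(m)]. The client keeps this list; the server gets only h^n(m)."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Server:
    """Stores only the current verifier h^i(m); it never learns m and cannot forge the next password."""

    def __init__(self, top: bytes):
        self.current = top

    def verify(self, otp: bytes) -> bool:
        # The presented value must be the preimage of what we stored
        if h(otp) == self.current:
            self.current = otp  # next login must present the preimage of this one
            return True
        return False


def demo(n: int = 5) -> dict:
    """Walk the chain from the top: each password is used once, and a replay fails."""
    seed = secrets.token_bytes(32)  # m, the client's secret (constructed at random)
    chain = make_chain(seed, n)
    server = Server(chain[n])  # enrollment: server stores h^n(m)
    first = server.verify(chain[n - 1])  # login 1 presents h^(n-1)(m)
    replay = server.verify(chain[n - 1])  # an intercepted password is useless a second time
    second = server.verify(chain[n - 2])  # login 2 presents h^(n-2)(m)
    return {"first": first, "replay": replay, "second": second, "logins_left": n - 2}


if __name__ == "__main__":
    print(demo())
```

Because h is one-way, someone who captures h^(n-1)(m) on the wire cannot compute h^(n-2)(m), so the chain gives n single-use passwords from one secret. Once the chain is exhausted the client must enroll a fresh seed.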
- Ex: 128-bit DES
  - Consists of two 64-bit DES boxes; the first half of the message goes into the first box and the second half into the second box
  - Can determine the difference with one message, I = 000...000
  - If the switch connects to DES, then the first half of the output equals the second half
  - If the switch connects to the random permutation, there should be no correlation between the halves
  - Need to add random noise

Protecting Confidentiality != Protecting Integrity
- OTP is perfect for confidentiality
- Integrity?
- Ex: a message containing a list of students accepted or rejected for admission
  - Sent as ciphertext using OTP
  - Attacker wants to alter the admission of a student: can simply flip the bit
  - Does not protect integrity; the receiver has no way to know of the change
- Integrity goal: can't alter the ciphertext without being discovered

Store Passwords Securely
- Plaintext
  - Depends on the security of the file system
  - Admin can view all passwords
- One-way hash function: h(password)
  - Admin can still brute force / dictionary attack
  - Passwords have m bits
  - 2^m tries to recover one password using brute force
  - A system has n users
  - To recover all passwords still only requires 2^m tries
  - With more users, increased chance of getting a password: 2^m / n
- Salted password
  - Store as: username, h(password || username)
  - Still 2^m tries for one password
  - But n * 2^m tries in order to get all passwords
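The black box game and the two-box example above, as an added simulation that is not part of the notes. Each 64-bit "DES box" is replaced by a stand-in keyed function (HMAC-SHA256 truncated to 8 bytes, an assumption made only so the code runs without a DES implementation; the observation depends only on the same box being applied to both halves), and the random permutation is sampled lazily per query. The distinguisher asks one question, I = 000...0, and reads the switch from whether the two output halves are equal.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit block, handled as two 64-bit halves


def half_box(key: bytes, half: bytes) -> bytes:
    """Stand-in for one keyed 64-bit box (not DES; truncated HMAC is assumed here)."""
    return hmac.new(key, half, hashlib.sha256).digest()[:8]


def two_box_encrypt(key: bytes, block: bytes) -> bytes:
    """The notes' '128-bit DES': the same keyed box applied independently to each half."""
    assert len(block) == BLOCK
    return half_box(key, block[:8]) + half_box(key, block[8:])


class RandomPermutation:
    """Random permutation on 128-bit blocks, sampled lazily so the table stays small."""

    def __init__(self):
        self.table = {}
        self.used = set()

    def __call__(self, block: bytes) -> bytes:
        if block not in self.table:
            out = secrets.token_bytes(BLOCK)
            while out in self.used:  # keep it a permutation (distinct outputs)
                out = secrets.token_bytes(BLOCK)
            self.table[block] = out
            self.used.add(out)
        return self.table[block]


class BlackBox:
    """Hidden switch: output comes either from the cipher or from the random permutation."""

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.perm = RandomPermutation()
        self.switch = secrets.choice(["cipher", "random"])

    def query(self, block: bytes) -> bytes:
        if self.switch == "cipher":
            return two_box_encrypt(self.key, block)
        return self.perm(block)


def distinguish(box: BlackBox) -> str:
    """One query with the all-zero block: equal halves betray the two-box structure."""
    out = box.query(bytes(BLOCK))
    return "cipher" if out[:8] == out[8:] else "random"


def success_rate(trials: int = 200) -> float:
    """Fraction of fresh boxes whose switch the one-query distinguisher names correctly."""
    correct = 0
    for _ in range(trials):
        box = BlackBox()
        correct += distinguish(box) == box.switch
    return correct / trials


if __name__ == "__main__":
    print("distinguisher success rate:", success_rate())
```

For a true random permutation the two halves coincide with probability about 2^-64, so the guess is right essentially every time, far above the Pr = 1/2 that indistinguishability would allow. The fix the notes point to, mixing the halves (or otherwise adding randomness) so that they are no longer processed independently, removes the correlation the test relies on.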
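An added example, not from the notes, covering both the one-time pad definition (Ek(m) = m XOR k, Dk(c) = c XOR k, perfect secrecy) and the admission-list integrity point: it checks the perfect-security condition exhaustively for small n, shows that flipping one ciphertext bit flips the matching plaintext bit without the pad, and then adds the missing integrity check with a MAC over the ciphertext. The admission list and keys are constructed sample values; HMAC-SHA256 as the MAC is an assumption, not something the notes specify.

```python
import hashlib
import hmac
import secrets


def otp_encrypt(key: bytes, m: bytes) -> bytes:
    """Ek(m) = m XOR k; the pad must be as long as the message and used once."""
    assert len(key) == len(m)
    return bytes(a ^ b for a, b in zip(m, key))


def otp_decrypt(key: bytes, c: bytes) -> bytes:
    """Dk(c) = c XOR k; the same operation, because k = k^(-1)."""
    return otp_encrypt(key, c)


def perfect_secrecy_holds(n_bits: int) -> bool:
    """Exhaustive check of Pr[Ek(m1) = c] = Pr[Ek(m2) = c] over all k for n-bit messages:
    for every m, k -> m XOR k must hit each ciphertext exactly once (uniform, independent of m)."""
    space = range(1 << n_bits)
    for m in space:
        counts = [0] * (1 << n_bits)
        for k in space:
            counts[m ^ k] += 1
        if any(cnt != 1 for cnt in counts):
            return False
    return True


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Modify one ciphertext bit in transit; no key is needed for this."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def tamper_demo() -> tuple:
    """Constructed admission list: one byte per student, 1 = accepted, 0 = rejected."""
    admissions = bytes([1, 0, 1, 0])
    pad = secrets.token_bytes(len(admissions))
    c = otp_encrypt(pad, admissions)
    tampered = flip_bit(c, 1, 0)  # student 1's byte: rejected becomes accepted after decryption
    return admissions, otp_decrypt(pad, tampered)


# Integrity: authenticate the ciphertext under a second key (encrypt-then-MAC)
def send(pad: bytes, mac_key: bytes, m: bytes) -> tuple:
    c = otp_encrypt(pad, m)
    tag = hmac.new(mac_key, c, hashlib.sha256).digest()
    return c, tag


def receive(pad: bytes, mac_key: bytes, c: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not match (tampering detected)."""
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp_decrypt(pad, c)


def mac_demo() -> tuple:
    admissions = bytes([1, 0, 1, 0])
    pad, mac_key = secrets.token_bytes(4), secrets.token_bytes(32)
    c, tag = send(pad, mac_key, admissions)
    accepted = receive(pad, mac_key, c, tag)
    rejected = receive(pad, mac_key, flip_bit(c, 1, 0), tag)
    return accepted, rejected


if __name__ == "__main__":
    print("perfect secrecy for 4-bit messages:", perfect_secrecy_holds(4))
    print("without MAC:", tamper_demo())
    print("with MAC:", mac_demo())
```

The perfect-secrecy check passes for every n, yet the decrypted list in tamper_demo differs from what was sent, which is exactly the notes' point that confidentiality and integrity are separate goals. The MAC variant refuses to decrypt the altered ciphertext, meeting the stated integrity goal that the ciphertext cannot be altered without being discovered.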
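The password-storage work factors above, as an added example that is not from the notes. It counts hash evaluations needed to recover every account from a constructed four-user database over a constructed password space (4-digit PINs standing in for the 2^m possibilities), first for unsalted h(password) and then for the notes' scheme h(password || username). SHA-256 as h is an assumption.

```python
import hashlib
import itertools


def h(data: bytes) -> bytes:
    """The one-way hash (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()


def guesses():
    """The whole password space in order: 4-digit PINs, a constructed stand-in for the 2^m passwords."""
    for digits in itertools.product("0123456789", repeat=4):
        yield "".join(digits).encode()


# Constructed user database; alice and dave happen to share a PIN
USERS = {"alice": b"1234", "bob": b"0042", "carol": b"9999", "dave": b"1234"}


def unsalted_table(users: dict) -> dict:
    """Store username -> h(password)."""
    return {u: h(pw) for u, pw in users.items()}


def salted_table(users: dict) -> dict:
    """The notes' scheme: store username -> h(password || username)."""
    return {u: h(pw + u.encode()) for u, pw in users.items()}


def crack_unsalted(table: dict) -> tuple:
    """One hash per guess is compared against every user at once: at most 2^m hashes for all users."""
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for guess in guesses():
        work += 1
        for user in by_hash.get(h(guess), []):
            found[user] = guess
        if len(found) == len(table):
            break
    return found, work


def crack_salted(table: dict) -> tuple:
    """The salt is inside the hash, so each user costs a separate search: up to n * 2^m hashes."""
    found, work = {}, 0
    for user, digest in table.items():
        for guess in guesses():
            work += 1
            if h(guess + user.encode()) == digest:
                found[user] = guess
                break
    return found, work


def compare() -> dict:
    """Hash evaluations needed to recover all passwords under each storage scheme."""
    found_u, work_u = crack_unsalted(unsalted_table(USERS))
    found_s, work_s = crack_salted(salted_table(USERS))
    return {
        "unsalted_work": work_u,
        "salted_work": work_s,
        "unsalted_complete": found_u == USERS,
        "salted_complete": found_s == USERS,
    }


if __name__ == "__main__":
    print(compare())
```

With unsalted hashes the search never exceeds the size of the password space no matter how many users there are, and identical passwords show up as identical stored values (alice and dave). With the username folded into the hash, each account has to be searched on its own, so the total grows with the number of users, which is the n * 2^m bound in the notes.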