Dan Boneh

Introduction
Course Overview
Online Cryptography Course Dan Boneh
Dan Boneh
Welcome
Course objectives:
Learn how crypto primitives work
Learn how to use them correctly and reason about security

My recommendations:
Take notes
Pause video frequently to think about the material
Answer the in-video questions
Dan Boneh
Cryptography is everywhere
Secure communication:
web traffic: HTTPS
wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
Encrypting files on disk: EFS, TrueCrypt
Content protection (e.g. DVD, Blu-ray): CSS, AACS
User authentication
and much much more

Dan Boneh
Secure communication
no eavesdropping
no tampering
Dan Boneh
Secure Sockets Layer / TLS

Two main parts
1. Handshake Protocol: Establish shared secret key
using public-key cryptography (2
nd
part of course)
2. Record Layer: Transmit data using shared secret key
Ensure confidentiality and integrity (1
st
part of course)
Dan Boneh
Protected files on disk
Disk
File 1
File 2
Alice Alice
No eavesdropping
No tampering
Analogous to secure communication:
Alice today sends a message to Alice tomorrow
Dan Boneh
Building block: sym. encryption






E, D: cipher k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
Encryption algorithm is publicly known
Never use a proprietary cipher
Alice
E
m
E(k,m)=c
Bob
D
c
D(k,c)=m
k k
Dan Boneh
Use Cases
Single use key: (one time key)
Key is only used to encrypt one message
encrypted email: new key generated for every email
Multi use key: (many time key)
Key used to encrypt multiple messages
encrypted files: same key used to encrypt many files
Need more machinery than for one-time key

Dan Boneh
Things to remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not:
The solution to all security problems
Reliable unless implemented and used properly
Something you should try to invent yourself
many many examples of broken ad-hoc designs
Dan Boneh
End of Segment
Dan Boneh
Introduction
What is cryptography?
Online Cryptography Course Dan Boneh
Dan Boneh
Crypto core
Secret key establishment:




Secure communication:
attacker???
k
k
confidentiality and integrity
m
1
m
2
Alice
Bob
Talking
to Alice
Talking
to Bob
Dan Boneh
But crypto can do much more
Digital signatures


Anonymous communication
Alice
signature
Alice
Who did I
just talk to?
Bob
Dan Boneh
Alice
But crypto can do much more
Digital signatures


Anonymous communication
Anonymous digital cash
Can I spend a digital coin without anyone knowing who I am?
How to prevent double spending?
Who was
that?
Internet
1$
(anon. comm.)
Dan Boneh
Protocols
Elections
Private auctions

Dan Boneh
Protocols
Elections
Private auctions






Secure multi-party computation
Goal: compute f(x
1
, x
2
, x
3
, x
4
)

Thm: anything that can done with trusted auth. can also
be done without
trusted
authority
Dan Boneh
Crypto magic
Privately outsourcing computation




Zero knowledge (proof of knowledge)
Alice
search
query
What did she
search for?
results
I know the factors of N !!
proof
???
E[ query ]
E[ results ]
Alice
N=pq
Bob
N
Dan Boneh
A rigorous science
The three steps in cryptography:

Precisely specify threat model

Propose a construction

Prove that breaking construction under
threat mode will solve an underlying hard problem
Dan Boneh
End of Segment
Dan Boneh
Introduction
History
Online Cryptography Course Dan Boneh
Dan Boneh
History
David Kahn, The code breakers (1996)
Dan Boneh
Symmetric Ciphers
Dan Boneh
Few Historic Examples (all badly broken)
1. Substitution cipher
k :=
Dan Boneh
Caesar Cipher (no key)
Dan Boneh
What is the size of key space in the substitution cipher
assuming 26 letters?
|| = 26
|| = 2
26

= 26! (26 factorial)
|| = 26
2

Dan Boneh
How to break a substitution cipher?
What is the most common letter in English text?
X
L
E
H
Dan Boneh
How to break a substitution cipher?
(1) Use frequency of English letters


(2) Use frequency of pairs of letters (digrams)
Dan Boneh
An Example
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO
FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN
CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF
ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB
OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR

B 36
N 34
U 33
P 32
C 26
E
T
A
NC 11
PU 10
UB 10
UN 9
IN
AT
UKB 6
RVN 6
FZI 4
THE
digrams
trigrams
Dan Boneh
2. Vigener cipher (16th century, Rome)
k = C R Y P T O C R Y P T O
m = W H A T A N I C E D A Y T O D A Y
C R Y P T
(+ mod 26)
c = Z Z Z J U C L U D T U N W G C Q S
suppose most common = H first letter of key = H E = C
Dan Boneh
3. Rotor Machines (1870-1943)
Early example: the Hebern machine (single rotor)
A
B
C
.
.
X
Y
Z
K
S
T
.
.
R
N
E
E
K
S
T
.
.
R
N
N
E
K
S
T
.
.
R
key
Dan Boneh
Rotor Machines (cont.)
Most famous: the Enigma (3-5 rotors)
# keys = 26
4
= 2
18
(actually 2
36
due to plugboard)

Dan Boneh
4. Data Encryption Standard (1974)

DES: # keys = 2
56
, block size = 64 bits


Today: AES (2001), Salsa20 (2008) (and many others)
Dan Boneh
End of Segment
Dan Boneh
Introduction
Discrete Probability
(crash course, cont.)
Online Cryptography Course Dan Boneh
See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability
Dan Boneh
U: finite set (e.g. U = {0,1}
n
)
Def: Probability distribution P over U is a function P: U [0,1]
such that P(x) = 1

Examples:
1. Uniform distribution: for all xU: P(x) = 1/|U|
2. Point distribution at x
0
: P(x
0
) = 1, xx
0
: P(x) = 0

Distribution vector: ( P(000), P(001), P(010), , P(111) )
xU
Dan Boneh
Events
For a set A U: Pr[A] = P(x) [0,1]

The set A is called an event

Example: U = {0,1}
8
A = { all x in U

such that lsb
2
(x)=11 } U
for the uniform distribution on {0,1}
8
: Pr[A] = 1/4

xA
note: Pr[U]=1
Dan Boneh
The union bound
For events A
1
and A
2

Pr[ A
1
A
2
] Pr[A
1
] + Pr[A
2
]


Example:
A
1
= { all x in {0,1}
n
s.t lsb
2
(x)=11 } ; A
2
= { all x in {0,1}
n
s.t. msb
2
(x)=11 }

Pr[ lsb
2
(x)=11 or msb
2
(x)=11 ] = Pr[A
1
A
2
] + =

A
1
A
2
Dan Boneh
Random Variables
Def: a random variable X is a function X:UV

Example: X: {0,1}
n
{0,1} ; X(y) = lsb(y)

{0,1}


For the uniform distribution on U:
Pr[ X=0 ] = 1/2 , Pr[ X=1 ] = 1/2

More generally:
rand. var. X induces a distribution on V: Pr[ X=v ] := Pr[ X
-1
(v) ]

lsb=1
0
1
lsb=0
U V
Dan Boneh
The uniform random variable
Let U be some set, e.g. U = {0,1}
n

We write r U to denote a uniform random variable over U

for all aU: Pr[ r = a ] = 1/|U|


( formally, r is the identity function: r(x)=x for all xU )
R
Dan Boneh
Let r be a uniform random variable on {0,1}
2

Define the random variable X = r
1
+ r
2



Then Pr[X=2] =




Hint: Pr[X=2] = Pr[ r=11 ]
Dan Boneh
Randomized algorithms
Deterministic algorithm: y A(m)

Randomized algorithm
y A( m ; r ) where r {0,1}
n

output is a random variable
y A( m )
Example: A(m ; k) = E(k, m) , y A( m )
A(m)
m
inputs outputs
A(m)
m R
R
R
Dan Boneh
End of Segment
Dan Boneh
Introduction
Discrete Probability
(crash course, cont.)
Online Cryptography Course Dan Boneh
See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability
Dan Boneh
Recap
U: finite set (e.g. U = {0,1}
n
)
Prob. distr. P over U is a function P: U [0,1] s.t. P(x) = 1
A U is called an event and Pr[A] = P(x) [0,1]

A random variable is a function X:UV .
X takes values in V and defines a distribution on V

xU
xA
Dan Boneh
Independence
Def: events A and B are independent if Pr[ A and B ] = Pr*A+ Pr[B]
random variables X,Y taking values in V are independent if
a,bV: Pr[ X=a and Y=b] = Pr[X=a] Pr[Y=b]

Example: U = {0,1}
2
= {00, 01, 10, 11} and r U

Define r.v. X and Y as: X = lsb(r) , Y = msb(r)

Pr[ X=0 and Y=0 ] = Pr[ r=00 ] = = Pr[X=0] Pr[Y=0]


R
Dan Boneh
Review: XOR
XOR of two strings in {0,1}
n
is their bit-wise addition mod 2






0 1 1 0 1 1 1
1 0 1 1 0 1 0

Dan Boneh
An important property of XOR
Thm: Y a rand. var. over {0,1}
n
, X an indep. uniform var. on {0,1}
n

Then Z := YX is uniform var. on {0,1}
n


Proof: (for n=1)
Pr[ Z=0 ] =

Dan Boneh
The birthday paradox
Let r
1
, , r
n
U be indep. identically distributed random vars.
Thm: when n= 1.2 |U|
1/2

then Pr[ ij: r
i
= r
j
]

Example: Let U = {0,1}
128

After sampling about 2
64
random messages from U,

some two sampled messages will likely be the same


notation: |U| is the size of U
Dan Boneh
|U|=10
6
# samples n
c
o
l
l
i
s
i
o
n

p
r
o
b
a
b
i
l
i
t
y

Dan Boneh
End of Segment