Cmsc 414 computer and network security lecture 3
1 / 19

CMSC 414 Computer and Network Security Lecture 3 - PowerPoint PPT Presentation

  • Uploaded on

CMSC 414 Computer and Network Security Lecture 3. Jonathan Katz. Attacking the Vigenere cipher. Let p i (for i=0, …, 25) denote the frequency of letter i in English-language text Known that Σ p i 2 ≈ 0.065

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' CMSC 414 Computer and Network Security Lecture 3' - matsu

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Cmsc 414 computer and network security lecture 3

CMSC 414Computer and Network SecurityLecture 3

Jonathan Katz

Attacking the vigenere cipher
Attacking the Vigenere cipher

  • Let pi (for i=0, …, 25) denote the frequency of letter i in English-language text

    • Known that Σ pi2 ≈ 0.065

  • For each candidate period t, compute frequencies {qi} of letters in the sequence c0, ct, c2t, …

  • For the correct value of t, we expect Σ qi2 ≈ 0.065

    • For incorrect values of t, we expect Σ qi2 ≈ 1/26

  • Once we have the period, can use frequency analysis as in the case of the shift cipher

Moral of the story
Moral of the story?

  • Don’t use “simple” schemes

  • Don’t use schemes that you design yourself

    • Use schemes that other people have already designed and analyzed…

A fundamental problem
A fundamental problem

  • Wouldn’t it be nice if we could somehow prove that an encryption scheme is secure?

  • But before that…we haven’t even defined what “secure” means!

Modern cryptography
Modern cryptography

  • Proofs

    • We won’t do proofs in this course, but we will state known results

  • Definitions

  • Assumptions

Defining security
Defining security

  • Why is a good definition important?

    • If you don’t know what you want, how can you possibly know whether you’ve achieved it?

    • Forces you to think about what you really want

      • What is essential and what is extraneous

    • Allows comparison of schemes

      • May be multiple valid ways to define security

    • Allows others to use schemes; allows analysis of larger systems built using components

    • Allows for (the possibility of) proofs…

Security definitions
Security definitions

  • Two components

    • The threat model

    • The “security guarantees” or, looking at it from the other side, what counts as a successful attack

  • Crucial to understand these issues before crypto can be successfully deployed!

    • Make sure the stated threat model matches your application environment

    • Make sure the security guarantees are what you need

Security guarantee for encryption
Security guarantee for encryption?

  • So how would you define encryption?

  • Adversary unable to recover the key

    • Necessary, but meaningless on its own…

  • Adversary unable to recover entire plaintext

    • Good, but not enough

  • Adversary unable to determine any information at all about the plaintext

    • How to formalize?

    • Can we achieve it?

Defining secrecy take 1
Defining secrecy (take 1)

  • Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext

    • (Except the length)

  • Perfect secrecy (Shannon)

  • Formally, for all distributions over the message space, all m, and all c: Pr[M=m | C=c] = Pr[M=m]

Leaking the message length
Leaking the message length

  • In general, encryption leaks the length of the message

  • Possible to (partly) address this using padding

    • Inefficient

    • Generally not done

  • Does not mean that length is unimportant!

    • In some cases, leaking length can ruin security

The one time pad
The one-time pad

  • Scheme

  • Proof of security

Properties of the one time pad
Properties of the one-time pad?

  • Achieves perfect secrecy

    • No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext

  • Limited use in practice…

    • Long key length

    • Can only be used once (hence the name!)

    • Insecure against known-plaintext attacks

  • These are inherent limitations of perfect secrecy

Computational secrecy
Computational secrecy

  • We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition

  • Instead of requiring total secrecy against unbounded adversaries, require secrecy against bounded adversaries except with some small probability

    • E.g., secrecy for 100 years, except with probability 2-80

  • How to define formally?

A simpler characterization
A simpler characterization

  • Perfect secrecy is equivalent to the following, simpler definition:

    • Given a ciphertext C which is known to be an encryption of either m0 or m1, no adversary can guess correctly which message was encrypted with probability better than ½

  • Relax this to give computational security!

  • Is this definition too strong? Why not?

The take home message
The take-home message

  • Weakening the definition slightly allows us to construct much more efficient schemes!

  • However, we will need to make assumptions

  • Strictly speaking, no longer 100% absolutely guaranteed to be secure

    • Security of encryption now depends on security of building blocks (which are analyzed extensively, and are believed to be secure)

    • Given enough time and/or resources, the scheme can be broken


  • A pseudorandom (number) generator (PRNG) is a deterministic function that takes as input a seed and outputs a string

    • To be useful, the output must be longer than the seed

  • If seed chosen at random, output of the PRNG should “look random” (i.e., be pseudorandom) to any efficient distinguishing algorithm

    • Even when the algorithm knows G! (Kerchoffs’s rule)

Prgs a picture
PRGs: a picture

y{0,1}l chosen uniformly

at random



World 0

World 1


x {0,1}n chosen uniformly

at random


Far from identical,

but Adv can’t tell them apart


  • Required notion of pseudorandomness is very strong – must be indistinguishable from random for all efficient algorithms

    • General-purpose PRNGs (rand( ), java.random) not sufficient for crypto

  • Pseudorandomness of the PRNG depends on the seed being chosen “at random”

    • True randomness very difficult to obtain

    • In practice: randomness from physical processes and/or user behavior

A computationally secure scheme
A computationally secure scheme

  • The pseudo-one-time pad…

    • Theorem: If G is a pseudorandom generator, then this encryption scheme is secure (in the computational sense defined earlier)

  • Which drawback(s) of the one-time pad does this address?