Foundations of Cryptography: MIT Course Overview and Key Concepts

Slide Note
Embed
Share

Explore the MIT course "Foundations of Cryptography" offering insights on cryptography, key themes like adversarial thinking and computational hardness, historical context, and the significance of security proofs via reductions. Learn about the course staff, topics covered, and intellectual origins of modern cryptography.

dherb
dherb Follow

Uploaded on Sep 11, 2024 | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. MIT 6.875/18.425 Foundations of Cryptography Lecture 1 Course website: https://mit6875.github.io/

  2. Course Staff TAs Instructor Lali Devadas (lali@mit) Vinod Vaikuntanathan (vinodv@mit) Sacha Servan-Schreiber (3s@mit)

  3. Crypto Cryptocurrencies 6.875 is not about 6.875 is about foundations: Zero-knowledge Proofs Public-key Encryption Digital Signatures Threshold Cryptography Pseudorandomness Homomorphic Encryption

  4. The Intellectual Origins Communication Theory of Secrecy Systems (1945) preceded A Mathematical Theory of Communication (1948) which founded Information Theory Claude E. Shannon Cryptanalysis of the Enigma Machine (~1938-39) On Computable Numbers, with an Application to the Entscheidungsproblem (1936) which gave birth to Computer Science Alan M. Turing

  5. Modern Cryptography: Practice to Theory and Back Problems Tools Security, Privacy, Integrity Math and Theoretical CS CRYPTO Ideas Solutions Interactive Proofs Encryption Digital Signatures Probabilistically checkable Proofs Locally decodable Codes Pseudorandom Functions

  6. 6.875 Themes 1. The Omnipresent, Worst-case, Adversary. Central idea. model the adversary: what they know, what they can do, and what their goals are. Definitions will be our friend. If you cannot define something, you cannot achieve it. A key takeaway from 6.875: Cryptographic (or, adversarial) thinking.

  7. 6.875 Themes 2. Computational Hardness will be our enabler. (starting lecture 2) Central theme:the cryptographic leash. Use computational hardness to tame the adversary. A classical source of hard problems: number theory. Both Gauss and lesser mathematicians may be justified in rejoicing that there is one such science [number theory] at any rate, whose very remoteness from ordinary human activities should keep it gentle and clean [G. H. Hardy, A Mathematician s Apology ] More recently: geometry, coding theory, combinatorics.

  8. 6.875 Themes 3. Security Proofs via Reductions. If there is an (efficient) adversary that breaks scheme A w.r.t. definition D, then there is an (efficient) adversary that factors large numbers. Science wins either way Our reductions will be probabilistic and significantly more involved than the NP-hardness reductions in, say, 6.045.

  9. 6.875 Topics Pseudorandomness Secret-key Encryption and Authentication Public-key Encryption and Digital Signatures Cryptographic Hashing Zero-knowledge Proofs Secure Multiparty Computation Private Information Retrieval Homomorphic Encryption Advanced topics: Threshold Cryptography, Differential Privacy,

  10. Administrivia o Course website, the central point of reference. https://mit6875.github.io Piazza for questions, Gradescope for psets. o Homework (95%): 6 psets, we will count your best 5. o Class Participation (5%): Lecture, Recitations, Piazza. o Prerequisites: Algorithms, Probability & Discrete Math, but most of all, mathematical maturity . o (Optional) special recitations: one on basic complexity theory (next Friday 9/17, watch your email!) another on number theory.

  11. Secure Communication m Bob Alice Eavesdropper Eve Alice wants to send a message M to Bob without revealing it to Eve.

  12. Secure Communication m Key k Key k Eavesdropper Eve SETUP: Alice and Bob meet beforehand to agree on a secret key k.

  13. Key Notion: Secret-key Encryption (or Symmetric-key Encryption) ? Ciphertext ? Enc(?,?) ? Dec(?,?) Key k Key k Three (possibly probabilistic) polynomial-time algorithms: o Key Generation Algorithm Gen: ? Gen(1?) Has to be probabilistic o Encryption Algorithm Enc: ? Enc(?,?) o Decryption Algorithm Dec: ? Dec(?,?)

  14. The Worst-case Adversary An arbitrary computationally unbounded algorithm EVE.* Knows Alice and Bob s algorithms ???,??? and ??? but does not know the key nor their internal randomness. (Kerckhoff sprinciple or Shannon s maxim) Can see the ciphertexts going through the channel (but cannot modify them we will come to that later) Security Definition: What is she trying to learn?

  15. Shannons Perfect Secrecy Definition Message space (probability distribution) ? ? Enc(?,?) Ciphertext space ? Key k ? Key k ? Key space ? IDEA: A-posteriori = A-priori ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? A-posteriori A-priori

  16. Perfect Indistinguishability Definition Perfect indistinguishability: a Turing test ?,? Supp( ), ? Supp(?): Pr[? K,? = ?] = Pr[? K,? = ?] World 0: World 1: k K k K ? = ? ?,? ? = ? ?,? is a distinguisher (that gets c and tries to guess which world she s in)

  17. The Two Definitions are Equivalent THEOREM: An encryption scheme (Gen,Enc,Dec) satisfies perfect secrecy IFF it satisfies perfect indistinguishability. PROOF: Simple use of Bayes Theorem.

  18. 1. Indistinguishability Secrecy WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Key Observation: ?Pr ??? ?, = ? = Pr[??? ?,? = ?]. Proof: definition of conditional probability. Pr ??? ?, = ? = Pr ??? ?, = ?| = ? Pr[ = ?] = Pr ??? ?,? = ? Pr = ? = ? Pr = ? = ?.

  19. 1. Indistinguishability Secrecy WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Proof: Pr = ?|??? ?, = ? = Pr ??? ?, =?| =? Pr[ =?] (Bayes) Pr[??? ?, =?] = Pr ??? ?,? =? Pr[ =?] Pr[??? ?, =?] = Pr[ =?] = Pr[ = ?] (key obs.)

  20. 2. Secrecy Indistinguishability WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Proof: Pr ??? ?,? = ? = Pr[??? ?, = ?| = ?] = Pr =?|??? ?, =? Pr[??? ?, =?] Pr[ =?] (Bayes) (because of SEC) = Pr[??? ?, = ?] (symmetry) = Pr ??? ?,? = ?

  21. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? : bitwise exclusive OR (or XOR) 0 0 = 1 1 = 0 0 1 = 1 0 = 1 a b = a + b (mod 2)

  22. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Correctness: ? ? = ? ? ? = ?.

  23. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any ?,? {0,1}?, Pr Enc K,? = ? = Pr ? K = ?= Pr K = ? ? = 1/2?

  24. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any ?,? ,? {0,1}?, Pr Enc K,? = ? = Pr ? K = ?= Pr K = ? ? = 1/2? = Pr K = ? ? = Pr ? K = ? = Pr Enc K,? = ?

  25. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any m,? ,? {0,1}?, So, Pr Enc K,? = ? =Pr Enc K,? = ? . QED.

  26. Reusing a One-time Pad? m0 ?0 = ?0 ? Key k Key k A week later: m1 c1 = ?1 ? Is this still perfectly secret? Super-secure Whisper room

  27. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: Perfect indistinguishability requires that for all pairs ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2?: Pr[Enc k,?0) = ?0 ??? Enc(k,?1 = ?1] = Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1]

  28. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: We want to pick ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2? s.t. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1] ???? ?? = ?? = ?,?? ?? ??? ?? = ?? = ?. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] = Pr En? ?,? = ? = 1/2?

  29. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: We want to pick ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2? s.t. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1] ???? ?? = ?? = ?,?? ?? ??? ?? = ?? = ?. Pr[Enc k,?0) = ? = Enc(?,?1 ] = 1/2? Pr[Enc k,?0 ) = c = Enc(?,?1 ] = 0

  30. Perfect Secrecy has its Price THEOREM: For any perfectly secure encryption scheme, |?| | | PROOF (by picture): Assume for contradiction that ? < . ? ? Pick any ? ? ? ? ? Look at the set of possible msgs ? ? ? Distinct keys! ? < |?| ?

  31. Perfect Secrecy has its Price THEOREM: For any perfectly secure encryption scheme, |?| | | PROOF (by picture): Assume for contradiction that ? < . ? ? ? ? Pr ??? ?,? = ? > 0 ? ? ? Pr ??? ?, ? = ? = 0 ???. ? ? < |?| ?

  32. So, what are we to do? RELAX the definition: EVE is an arbitrary computationallybounded algorithm. + number theory/geometry/combinatorics the promised crypto land Fully homomorphic encryption ZK proofs Public-key encryption Pseudorandomness

  33. To Summarize Secure Communication: a quintessential problem in cryptography. We saw two equivalent definitions of security: Shannon s perfect indistinguishability and perfect secrecy One-time pad achieves perfect secrecy. A Serious Limitation: Any perfectly secure encryption scheme needs keys that are at least as long as the messages. Next Lecture: Overcoming the limitation withComputationally Bounded Adversaries.

Related


Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Understanding Public Key Cryptography in Network Security

Understanding Public Key Cryptography in Network Security

mwasd
Understanding Public-Key Cryptography and Its Applications

Understanding Public-Key Cryptography and Its Applications

nbull
Key Distribution and Management in Cryptography

Key Distribution and Management in Cryptography

kreitzer_k
Understanding Cryptography: Basic Concepts in Number Theory and Divisibility

Understanding Cryptography: Basic Concepts in Number Theory and Divisibility

hoon_ynn
Introduction to Cryptography, Cryptanalysis, and Cryptology

Introduction to Cryptography, Cryptanalysis, and Cryptology

waverly
Understanding Cryptography in the Digital World

Understanding Cryptography in the Digital World

oona
Exploring the World of Quantum Money and Cryptography

Exploring the World of Quantum Money and Cryptography

guinevere
Post-Quantum Cryptography Security Proofs and Models Overview

Post-Quantum Cryptography Security Proofs and Models Overview

siddhi
Exploring Public-Key Cryptography and Ancient Mathematical Techniques

Exploring Public-Key Cryptography and Ancient Mathematical Techniques

kbre
Introduction to Cryptography: Basics, Terminology, and Significance

Introduction to Cryptography: Basics, Terminology, and Significance

lucius
The Fascinating World of Cryptography

The Fascinating World of Cryptography

solveig
Formal Verification of Quantum Cryptography by Dominique Unruh

Formal Verification of Quantum Cryptography by Dominique Unruh

aslan
Exploring Post-Quantum Cryptography and Constructive Reductions

Exploring Post-Quantum Cryptography and Constructive Reductions

spradlin_g
Understanding CDBG-MIT Action Plan Development

Understanding CDBG-MIT Action Plan Development

huxley
Guide to Crafting a Winning Research Presentation for the 2021 MIT SCALE Latin America Conference

Guide to Crafting a Winning Research Presentation for the 2021 MIT SCALE Latin America Conference

alphonse
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography

kenna
Cryptography Concepts and Encryption Methods Overview

Cryptography Concepts and Encryption Methods Overview

tming
Leakage-Resilient Key Exchange and Seed Extractors in Cryptography

Leakage-Resilient Key Exchange and Seed Extractors in Cryptography

nataly
Basic Concepts in Number Theory and Finite Fields for Cryptography

Basic Concepts in Number Theory and Finite Fields for Cryptography

laurissa

More Related Content

Introduction to RSA Cryptography and Public Key Encryption
Introduction to RSA Cryptography and Public Key Encryption
Key Management and Distribution Techniques in Cryptography
Key Management and Distribution Techniques in Cryptography
Key Principles in Cryptography: Kerckhoff's and Key Space
Key Principles in Cryptography: Kerckhoff's and Key Space
Understanding Block Ciphers in Cryptography
Understanding Block Ciphers in Cryptography
Overview of Modern Cryptography and Data Encryption Standard (DES)
Overview of Modern Cryptography and Data Encryption Standard (DES)
Understanding Cryptography: Basics of Encryption and Padding
Understanding Cryptography: Basics of Encryption and Padding
Cryptography and Information Security Fundamentals
Cryptography and Information Security Fundamentals
Understanding Secure Information Transmission in Cryptography
Understanding Secure Information Transmission in Cryptography
Advanced Cryptography Techniques: PKE/KEM Constructions
Advanced Cryptography Techniques: PKE/KEM Constructions
Islamic Finance: Ethical Foundations and Compliance Challenges
Islamic Finance: Ethical Foundations and Compliance Challenges
Overview of Cryptography Techniques and Algorithms
Overview of Cryptography Techniques and Algorithms
Understanding Cryptography Basics and Toolbox
Understanding Cryptography Basics and Toolbox
Cryptographic Reductions and Learning in Computational Complexity
Cryptographic Reductions and Learning in Computational Complexity
Mechanical Isolation Design of Vopo LIGO MIT Lab
Mechanical Isolation Design of Vopo LIGO MIT Lab
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Introduction to Cryptography and Its Applications in Computer Science
Introduction to Cryptography and Its Applications in Computer Science
Ascon: The Lightweight Cryptography Standard for IoT
Ascon: The Lightweight Cryptography Standard for IoT
Understanding the Importance of Web Cryptography API and Its Application
Understanding the Importance of Web Cryptography API and Its Application
Understanding Number Theory and Cryptography for Security
Understanding Number Theory and Cryptography for Security
Lightweight Cryptography Standard for IoT - November 2023 IEEE Presentation
Lightweight Cryptography Standard for IoT - November 2023 IEEE Presentation
Steganography: Hiding Secrets in Plain Sight
Steganography: Hiding Secrets in Plain Sight
Evolution of Proofs in Cryptography
Evolution of Proofs in Cryptography
Foundations of Evaluation - Conference Experience and Approaches
Foundations of Evaluation - Conference Experience and Approaches
MIT Vision for Diversity, Equity, and Inclusion Strategic Action Plan
MIT Vision for Diversity, Equity, and Inclusion Strategic Action Plan