Foundations of Cryptography: MIT Course Overview and Key Concepts

Slide Note
Embed
Share

Explore the MIT course "Foundations of Cryptography" offering insights on cryptography, key themes like adversarial thinking and computational hardness, historical context, and the significance of security proofs via reductions. Learn about the course staff, topics covered, and intellectual origins of modern cryptography.


Uploaded on Sep 11, 2024 | 1 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. MIT 6.875/18.425 Foundations of Cryptography Lecture 1 Course website: https://mit6875.github.io/

  2. Course Staff TAs Instructor Lali Devadas (lali@mit) Vinod Vaikuntanathan (vinodv@mit) Sacha Servan-Schreiber (3s@mit)

  3. Crypto Cryptocurrencies 6.875 is not about 6.875 is about foundations: Zero-knowledge Proofs Public-key Encryption Digital Signatures Threshold Cryptography Pseudorandomness Homomorphic Encryption

  4. The Intellectual Origins Communication Theory of Secrecy Systems (1945) preceded A Mathematical Theory of Communication (1948) which founded Information Theory Claude E. Shannon Cryptanalysis of the Enigma Machine (~1938-39) On Computable Numbers, with an Application to the Entscheidungsproblem (1936) which gave birth to Computer Science Alan M. Turing

  5. Modern Cryptography: Practice to Theory and Back Problems Tools Security, Privacy, Integrity Math and Theoretical CS CRYPTO Ideas Solutions Interactive Proofs Encryption Digital Signatures Probabilistically checkable Proofs Locally decodable Codes Pseudorandom Functions

  6. 6.875 Themes 1. The Omnipresent, Worst-case, Adversary. Central idea. model the adversary: what they know, what they can do, and what their goals are. Definitions will be our friend. If you cannot define something, you cannot achieve it. A key takeaway from 6.875: Cryptographic (or, adversarial) thinking.

  7. 6.875 Themes 2. Computational Hardness will be our enabler. (starting lecture 2) Central theme:the cryptographic leash. Use computational hardness to tame the adversary. A classical source of hard problems: number theory. Both Gauss and lesser mathematicians may be justified in rejoicing that there is one such science [number theory] at any rate, whose very remoteness from ordinary human activities should keep it gentle and clean [G. H. Hardy, A Mathematician s Apology ] More recently: geometry, coding theory, combinatorics.

  8. 6.875 Themes 3. Security Proofs via Reductions. If there is an (efficient) adversary that breaks scheme A w.r.t. definition D, then there is an (efficient) adversary that factors large numbers. Science wins either way Our reductions will be probabilistic and significantly more involved than the NP-hardness reductions in, say, 6.045.

  9. 6.875 Topics Pseudorandomness Secret-key Encryption and Authentication Public-key Encryption and Digital Signatures Cryptographic Hashing Zero-knowledge Proofs Secure Multiparty Computation Private Information Retrieval Homomorphic Encryption Advanced topics: Threshold Cryptography, Differential Privacy,

  10. Administrivia o Course website, the central point of reference. https://mit6875.github.io Piazza for questions, Gradescope for psets. o Homework (95%): 6 psets, we will count your best 5. o Class Participation (5%): Lecture, Recitations, Piazza. o Prerequisites: Algorithms, Probability & Discrete Math, but most of all, mathematical maturity . o (Optional) special recitations: one on basic complexity theory (next Friday 9/17, watch your email!) another on number theory.

  11. Secure Communication m Bob Alice Eavesdropper Eve Alice wants to send a message M to Bob without revealing it to Eve.

  12. Secure Communication m Key k Key k Eavesdropper Eve SETUP: Alice and Bob meet beforehand to agree on a secret key k.

  13. Key Notion: Secret-key Encryption (or Symmetric-key Encryption) ? Ciphertext ? Enc(?,?) ? Dec(?,?) Key k Key k Three (possibly probabilistic) polynomial-time algorithms: o Key Generation Algorithm Gen: ? Gen(1?) Has to be probabilistic o Encryption Algorithm Enc: ? Enc(?,?) o Decryption Algorithm Dec: ? Dec(?,?)

  14. The Worst-case Adversary An arbitrary computationally unbounded algorithm EVE.* Knows Alice and Bob s algorithms ???,??? and ??? but does not know the key nor their internal randomness. (Kerckhoff sprinciple or Shannon s maxim) Can see the ciphertexts going through the channel (but cannot modify them we will come to that later) Security Definition: What is she trying to learn?

  15. Shannons Perfect Secrecy Definition Message space (probability distribution) ? ? Enc(?,?) Ciphertext space ? Key k ? Key k ? Key space ? IDEA: A-posteriori = A-priori ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? A-posteriori A-priori

  16. Perfect Indistinguishability Definition Perfect indistinguishability: a Turing test ?,? Supp( ), ? Supp(?): Pr[? K,? = ?] = Pr[? K,? = ?] World 0: World 1: k K k K ? = ? ?,? ? = ? ?,? is a distinguisher (that gets c and tries to guess which world she s in)

  17. The Two Definitions are Equivalent THEOREM: An encryption scheme (Gen,Enc,Dec) satisfies perfect secrecy IFF it satisfies perfect indistinguishability. PROOF: Simple use of Bayes Theorem.

  18. 1. Indistinguishability Secrecy WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Key Observation: ?Pr ??? ?, = ? = Pr[??? ?,? = ?]. Proof: definition of conditional probability. Pr ??? ?, = ? = Pr ??? ?, = ?| = ? Pr[ = ?] = Pr ??? ?,? = ? Pr = ? = ? Pr = ? = ?.

  19. 1. Indistinguishability Secrecy WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Proof: Pr = ?|??? ?, = ? = Pr ??? ?, =?| =? Pr[ =?] (Bayes) Pr[??? ?, =?] = Pr ??? ?,? =? Pr[ =?] Pr[??? ?, =?] = Pr[ =?] = Pr[ = ?] (key obs.)

  20. 2. Secrecy Indistinguishability WE KNOW (IND): ?,? Supp( ), ? Supp(?), Pr ??? ?,? = ? = Pr ??? ?,? = ? WE WANT (SEC): ? Supp( ), ? Supp(?), Pr = ?|??? ?, = ? = Pr = ? Proof: Pr ??? ?,? = ? = Pr[??? ?, = ?| = ?] = Pr =?|??? ?, =? Pr[??? ?, =?] Pr[ =?] (Bayes) (because of SEC) = Pr[??? ?, = ?] (symmetry) = Pr ??? ?,? = ?

  21. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? : bitwise exclusive OR (or XOR) 0 0 = 1 1 = 0 0 1 = 1 0 = 1 a b = a + b (mod 2)

  22. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Correctness: ? ? = ? ? ? = ?.

  23. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any ?,? {0,1}?, Pr Enc K,? = ? = Pr ? K = ?= Pr K = ? ? = 1/2?

  24. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any ?,? ,? {0,1}?, Pr Enc K,? = ? = Pr ? K = ?= Pr K = ? ? = 1/2? = Pr K = ? ? = Pr ? K = ? = Pr Enc K,? = ?

  25. Perfect Secrecy is Achievable The One-time Pad Construction: ???: Choose an ?-bit string k at random, i.e. ? {0,1}? ??? ?,? , where M is an n-bit message: Output ? = ? ? ???(?,?): Output ? = ? ? Claim: One-time Pad achieves Perfect Indistinguishability (and therefore perfect secrecy). Proof: For any m,? ,? {0,1}?, So, Pr Enc K,? = ? =Pr Enc K,? = ? . QED.

  26. Reusing a One-time Pad? m0 ?0 = ?0 ? Key k Key k A week later: m1 c1 = ?1 ? Is this still perfectly secret? Super-secure Whisper room

  27. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: Perfect indistinguishability requires that for all pairs ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2?: Pr[Enc k,?0) = ?0 ??? Enc(k,?1 = ?1] = Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1]

  28. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: We want to pick ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2? s.t. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1] ???? ?? = ?? = ?,?? ?? ??? ?? = ?? = ?. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] = Pr En? ?,? = ? = 1/2?

  29. Reusing a One-time Pad? Claim: One-time Pad does not achieve Perfect Indistinguishability (and therefore not perfect secrecy). Proof: We want to pick ?0,?1 ,(?0 ,?1 ),(?0,?1) {0,1}2? s.t. Pr[Enc k,?0) = ?0 ??? Enc(?,?1 = ?1] Pr[Enc k,?0 ) = ?0 ??? Enc(?,?1 = ?1] ???? ?? = ?? = ?,?? ?? ??? ?? = ?? = ?. Pr[Enc k,?0) = ? = Enc(?,?1 ] = 1/2? Pr[Enc k,?0 ) = c = Enc(?,?1 ] = 0

  30. Perfect Secrecy has its Price THEOREM: For any perfectly secure encryption scheme, |?| | | PROOF (by picture): Assume for contradiction that ? < . ? ? Pick any ? ? ? ? ? Look at the set of possible msgs ? ? ? Distinct keys! ? < |?| ?

  31. Perfect Secrecy has its Price THEOREM: For any perfectly secure encryption scheme, |?| | | PROOF (by picture): Assume for contradiction that ? < . ? ? ? ? Pr ??? ?,? = ? > 0 ? ? ? Pr ??? ?, ? = ? = 0 ???. ? ? < |?| ?

  32. So, what are we to do? RELAX the definition: EVE is an arbitrary computationallybounded algorithm. + number theory/geometry/combinatorics the promised crypto land Fully homomorphic encryption ZK proofs Public-key encryption Pseudorandomness

  33. To Summarize Secure Communication: a quintessential problem in cryptography. We saw two equivalent definitions of security: Shannon s perfect indistinguishability and perfect secrecy One-time pad achieves perfect secrecy. A Serious Limitation: Any perfectly secure encryption scheme needs keys that are at least as long as the messages. Next Lecture: Overcoming the limitation withComputationally Bounded Adversaries.

Related


More Related Content