CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz


CMSC 414
Computer and Network Security
Lecture 3
Jonathan Katz
HW1
• Will be posted shortly
• Work in teams
– Both students should contribute to all problems
– JCE fair game for the exam
Defining secrecy (take 1)
• Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext
• Perfect secrecy
• Formally, for all distributions over the message space, all m, and all c:
Pr[M=m | C=c] = Pr[M=m]
One-time pad and proof of security
Properties of the one-time pad?
• Achieves perfect secrecy
– No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext
• (Essentially) useless in practice…
– Long key length
– Can only be used once (hence the name!)
– Insecure against known-plaintext attacks
• These are inherent limitations of perfect secrecy
Computational secrecy
• We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition
• Instead of requiring total secrecy against unbounded adversaries, require secrecy against time-bounded adversaries except with some small probability
– E.g., secrecy for 100 years, except with probability 2^-80
• How to define formally?
A simpler characterization
• Perfect secrecy is equivalent to the following, simpler definition:
– Given a ciphertext C which is known to be an encryption of either M0 or M1, no adversary can guess correctly which message was encrypted with probability better than ½
• Relaxed version: no adversary running for 100 years can guess correctly with probability better than ½ + 2^-80
– Computational security!
• Is this definition too strong? Why not?
The take-home message
• Weakening the definition slightly allows us to construct much more efficient schemes!
• Strictly speaking, no longer 100% absolutely guaranteed to be secure
– Security of encryption now depends on security of building blocks (which are analyzed extensively, and are assumed to be secure)
– Given enough time, the scheme can be broken
Attacks
• So far, we have been considering only passive eavesdropping of a single ciphertext
– AKA, ciphertext-only attack
• In practice, stronger attacks often need to be considered
– Known plaintext
– Chosen plaintext
– Chosen ciphertext (includes chosen plaintext attacks)
Minimum requirements
• The minimum level of security nowadays is security against chosen-plaintext attacks
• But security against chosen-ciphertext attacks (or even stronger) is often necessary for certain applications
– Make sure you are aware of this when deploying encryption!
• We will revisit this after discussing message authentication
Randomized encryption
• Can a deterministic encryption scheme be secure against chosen-plaintext attacks?
• To be secure against chosen-plaintext attack, encryption must be randomized
• Moral: always use randomized encryption!