CMSC 414 Computer and Network Security Lecture 3 - PowerPoint PPT Presentation
1
CMSC 414 Computer and Network Security Lecture 3
  • Jonathan Katz

2
JCE
  • (The TA gave a brief presentation in class about
    the JCE and how to use it)

3
HW1 out
  • Meant to get you familiar with the JCE, and some
    basic crypto
  • Use your GRACE account
  • Work in teams of two students
  • Both students should contribute to all problems
  • JCE use and syntax fair game for the exam
  • We now have a class forum
  • Post on the forum if you are looking for a
    partner

4
Computer security student club
  • First meeting tomorrow night, 7PM, in CSIC 1115

5
Perfect secrecy

6
Defining secrecy (take 1)
  • Even an adversary running for an unbounded amount
    of time learns nothing about the message from the
    ciphertext
  • (Except the length)
  • Perfect secrecy
  • Formally, for all distributions over the message
    space, all m, and all c:
    $\Pr[M = m \mid C = c] = \Pr[M = m]$

7
The one-time pad
  • Scheme
  • Proof of security

8
Properties of the one-time pad?
  • Achieves perfect secrecy
  • No eavesdropper (no matter how powerful) can
    determine any information whatsoever about the
    plaintext
  • (Essentially) useless in practice
  • Long key length
  • Can only be used once (hence the name!)
  • Insecure against known-plaintext attacks
  • These are inherent limitations of perfect secrecy

9
Computational secrecy

10
Computational secrecy
  • We can overcome the limitations of perfect
    secrecy by (slightly) relaxing the definition
  • Instead of requiring total secrecy against
    unbounded adversaries, require secrecy against
    time-bounded adversaries except with some small
    probability
  • E.g., secrecy for 100 years, except with
    probability $2^{-80}$
  • How to define formally?

11
A simpler characterization
  • Perfect secrecy is equivalent to the following,
    simpler definition
  • Given a ciphertext C which is known to be an
    encryption of either M0 or M1, no adversary can
    guess correctly which message was encrypted with
    probability better than ½
  • Computational security: the same definition, but the
    adversary is time-bounded and is allowed to guess
    correctly with probability up to ½ + $2^{-80}$
  • Is this definition too strong? Why not?

12
The take-home message
  • Weakening the definition slightly allows us to
    construct much more efficient schemes!
  • Strictly speaking, no longer 100% absolutely
    guaranteed to be secure
  • Security of encryption now depends on security of
    building blocks (which are analyzed extensively,
    and are believed to be secure)
  • Given enough time and/or resources, the scheme
    can be broken

13
A computationally secure scheme
  • A pseudorandom (number) generator (PRNG) is a
    deterministic function that takes as input a seed
    and outputs a string
  • To be useful, the output must be longer than the
    seed
  • If seed chosen at random, output of the PRNG
    should look random (i.e., be pseudorandom)

14
Notes
  • Required notion of pseudorandomness is very
    strong: the output must be indistinguishable from
    random for all efficient algorithms
  • General-purpose PRNGs not sufficient for crypto
  • Pseudorandomness of the PRNG depends on the seed
    being chosen at random
  • Note in particular that if a seed is re-used then
    the output of the PRNG remains the same!
  • In practice, seeds are derived from physical
    processes and/or user behavior

15
A computationally secure scheme
  • The pseudo-one-time pad
  • Proof sketch
  • Which drawback(s) of the one-time pad does this
    address?
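The following is an added example, not code from the lecture or from the JCE assignment: a pseudo-one-time pad whose pad is a PRG expansion of a short seed, alongside a true one-time pad, with a function showing what an eavesdropper learns when the same seed (or pad) is used twice. The PRG construction (HMAC-SHA256 over a counter) and all names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example (not from the slides).  Python's `random` module is
# deliberately NOT used: it is a general-purpose PRNG, not a
# cryptographic one (slide 14).


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (pad must match message length)."""
    assert len(a) == len(b), "pad must be as long as the message"
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """One-time pad key: uniformly random and as long as the message."""
    return os.urandom(length)


def prg(seed: bytes, out_len: int) -> bytes:
    """Expand a short seed into out_len pseudorandom bytes.

    Assumed construction: HMAC-SHA256 keyed with the seed, evaluated on
    a running counter.  It is deterministic, so the same seed always
    produces the same stream (the point of slide 14's last-but-one note).
    """
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def pseudo_otp_encrypt(seed: bytes, msg: bytes) -> bytes:
    """Pseudo-OTP: XOR the message with PRG(seed) instead of a true pad."""
    return xor_bytes(prg(seed, len(msg)), msg)


# Decryption is the same operation, since XOR is its own inverse.
pseudo_otp_decrypt = pseudo_otp_encrypt


def key_reuse_leak(seed: bytes, m0: bytes, m1: bytes) -> bytes:
    """Encrypt two messages under one seed and XOR the ciphertexts.
    The pads cancel, so the result equals m0 XOR m1: the "use only once"
    limitation of slide 8 applies to the pseudo-OTP just as to the OTP."""
    return xor_bytes(pseudo_otp_encrypt(seed, m0), pseudo_otp_encrypt(seed, m1))
```

The 16-byte seed expands to a pad of any length, which is the drawback of the one-time pad that the pseudo-OTP addresses; the remaining ones do not go away, as `key_reuse_leak` shows.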