< Return to Video

Definitions and security (16 min)

  • 0:00 - 0:04
    Last week, we learned a number theory
    that's needed for public key encryption.
  • 0:04 - 0:07
    This week we're gonna put this knowledge
    to work, and we're gonna construct a
  • 0:07 - 0:11
    number of secure public key encryption
    schemes. But first, we need to define what
  • 0:11 - 0:15
    is public key encryption, and what does it
    mean for public key encryption to be
  • 0:15 - 0:18
    secure? So let me remind you that in a
    public key encryption scheme, there is an
  • 0:18 - 0:22
    encryption algorithm which is usually
    denoted by E, and there's a decryption
  • 0:22 - 0:25
    algorithm which we denote by D. However
    here, the encryption algorithm takes a
  • 0:25 - 0:29
    public key, while the decryption algorithm
    takes a secret key. This pair is called a
  • 0:29 - 0:34
    key pair. And the public key is used for
    encrypting messages while the secret key
  • 0:34 - 0:39
    is used for decrypting messages. So in
    this case a message m is encrypting using
  • 0:39 - 0:44
    the public key and what comes out of that
    is the ciphertext c. And similarly the
  • 0:44 - 0:49
    ciphertext is fed into the decryption
    algorithm and using the secret key, what
  • 0:49 - 0:54
    comes out of the decryption algorithm is
    the original message m. Now public key
  • 0:54 - 0:58
    encryption has many applications. Last
    week we saw the classic application which
  • 0:58 - 1:02
    is session setup, namely, key exchange and
    for now we're just looking at key exchange
  • 1:02 - 1:07
    that is secure against eavesdropping only.
    And if you remember the way the protocol
  • 1:07 - 1:11
    works, basically Alice, what she would do
    is she would generate a public key secret
  • 1:11 - 1:16
    pair. She would send the public key to
    Bob. Bob will generate a random X, which
  • 1:16 - 1:20
    is gonna serve as their shared secret, and
    then he sends X encrypted to Alice,
  • 1:20 - 1:25
    encrypted under her public key. Alice can
    decrypt, recover X and now both of them
  • 1:25 - 1:30
    have this shared secret X which they can
    use to communicate securely with one
  • 1:30 - 1:34
    another. The attacker, of course, all he
    gets to see is just the public key, the
  • 1:34 - 1:39
    encryption of X under the public key, from
    which he should not be able to get any
  • 1:39 - 1:44
    information about X. And we are going to
    define that more precisely to understand
  • 1:44 - 1:49
    what it means to not be able to learn
    anything about X. Public key encryption
  • 1:49 - 1:53
    actually has many other applications. For
    example, it's very useful in
  • 1:53 - 1:57
    non-interactive applications. So think of
    an email system for example. So here, Bob
  • 1:57 - 2:02
    wants to send mail to Alice, and as Bob
    sends the email, the email passes from
  • 2:02 - 2:07
    mail relay to mail relay until finally it
    reaches Alice, at which point Alice should
  • 2:07 - 2:11
    decrypt. The way the email system is set
    up, is designed for kind of
  • 2:11 - 2:15
    non-interactive settings where Bob sends
    the email. And then Alice is supposed to
  • 2:15 - 2:19
    receive it. And Alice should not be to
    communicate with Bob in order to decrypt
  • 2:19 - 2:24
    the email. So in this case, because of the
    non-interactivity, there's no opportunity
  • 2:24 - 2:28
    for setting up a shared secret between
    Alice and Bob. So in this case, what would
  • 2:28 - 2:32
    happen is, Bob basically would, would send
    the email encrypted, using Alice's, public
  • 2:32 - 2:37
    key. So he sends the email. Anyone in the
    world can send the email encrypted to
  • 2:37 - 2:41
    Alice, encrypted using her public key.
    When Alice receives this email, she uses
  • 2:41 - 2:46
    her secret key to decrypt the ciphertext and recover the plain text message.
  • 2:46 - 2:51
    Of course the one caveat in a system like
    this is that in fact Bob needs to somehow
  • 2:51 - 2:55
    obtain Alice's public key So for now we
    are just going to assume Bob already has
  • 2:55 - 2:58
    Alice's public key, but later on,
    actually, when we talk about digital
  • 2:58 - 3:02
    signatures we're gonna see how, this can
    actually be done very efficiently using what's
  • 3:02 - 3:07
    called public key management and as I said
    we'll actually get back to that at a later
  • 3:07 - 3:11
    time. But the main thing I want you to
    remember, is that public key encryption is
  • 3:11 - 3:15
    used for session setup. This is very
    common on the web, where public key
  • 3:15 - 3:19
    encryption is used to set up a secure key
    between a web browser and, and web server.
  • 3:19 - 3:23
    And public key encryption is also very
    useful for non-interactive applications,
  • 3:23 - 3:26
    where anyone in the world,
    non-interactively, needs to send a message
  • 3:26 - 3:31
    to Alice, they can encrypt the message using
    Alice's public key, and Alice can decrypt
  • 3:31 - 3:36
    and recover the plain text. So let me
    remind you in a bit more detail what a
  • 3:36 - 3:40
    public key encryption system is. Well,
    it's made up of three algorithms G, E, and
  • 3:40 - 3:44
    D. G is called the key generation algorithm.
    Basically what it will do is it will
  • 3:44 - 3:49
    generate this key pair, the public key and
    the secret key. As written here, G takes
  • 3:49 - 3:53
    no arguments, but in real life, G actually
    does take an argument called the security
  • 3:53 - 3:57
    parameter which specifies the size of the
    keys that are generated by this key
  • 3:57 - 4:02
    generation algorithm. Then there are these
    encryption algorithms as usual that take a
  • 4:02 - 4:06
    public key and a message and produce a
    ciphertext in a decryption algorithm that
  • 4:06 - 4:11
    takes the corresponding secret key and a
    ciphertext and it produces a corresponding
  • 4:11 - 4:15
    message. And as usual for consistency we
    say that if we encrypt a message under a
  • 4:15 - 4:19
    given public key and then decrypt with a
    corresponding secret key we should get the
  • 4:19 - 4:24
    original message back. Now what does it
    mean for a public key encryption to be
  • 4:24 - 4:28
    secure? I'm going to start off by
    defining, security against eavesdropping.
  • 4:28 - 4:32
    And then we're going to define security
    against active attacks. So the way to
  • 4:32 - 4:36
    define security against eavesdropping is
    very similar to the symmetric case we've
  • 4:36 - 4:41
    already this last week so we're gonna go
    through this quickly just as a review.
  • 4:41 - 4:45
    Basically the attack game is defined as
    follows. We defined these two experiments,
  • 4:45 - 4:49
    experiment zero and experiment one. At in
    either experiment the challenger is gonna
  • 4:49 - 4:53
    generate a public and a secret key pair. He's gonna give the public
  • 4:53 - 4:57
    key to the adversary. The adversary's
    gonna output two messages m0 and m1 of
  • 4:57 - 5:02
    equal length and then what he gets back is
    either the encryption of m0 or the
  • 5:02 - 5:06
    encryption of m1. In experiment zero he
    gets the encryption of m0. In experiment
  • 5:06 - 5:11
    one he gets the encryption of m1. And then
    the adversary is supposed to say which one
  • 5:11 - 5:15
    did he get. Did he get the encryption of
    m0 or did he get the encryption of m1? So
  • 5:15 - 5:20
    in this game, the attacker only gets one
    ciphertext. This corresponds to an
  • 5:20 - 5:24
    eavesdropping attack where he simply
    eavesdropped on that ciphertext C. And now
  • 5:24 - 5:29
    his goal is to tell whether the ciphertext
    C i s the encryption of M0 or M1. No
  • 5:29 - 5:34
    tampering on the ciphertext C is allowed
    just yet. And as usual we say that the
  • 5:34 - 5:38
    public key encryption scheme is
    semantically secure if the attacker cannot
  • 5:38 - 5:42
    distinguish experiment zero from
    experiment one. In other words he cannot
  • 5:42 - 5:48
    tell whether he got the encryption of M0,
    or the encryption of M1. Before we move on
  • 5:48 - 5:52
    to active attacks, I want to mention a
    quick relation between the definition we
  • 5:52 - 5:56
    just saw, And the definition of, of
    eavesdropping security for symmetric
  • 5:56 - 6:00
    ciphers. If you remember, when we talked
    about eavesdropping security for symmetric
  • 6:00 - 6:05
    ciphers, we distinguished between the case
    where the key is used once, and the case
  • 6:05 - 6:09
    where the key is used multiple times. And,
    in fact we saw that, there's a clear
  • 6:09 - 6:13
    separation. For example, the onetime pad.
    Is secure if the key is used to encrypt a
  • 6:13 - 6:17
    single message, but is completely insecure
    if the key is used to encrypt multiple
  • 6:17 - 6:21
    messages. And in fact we had two different
    definitions if you remember we had a
  • 6:21 - 6:25
    definition for one-time security, and then
    we had a separate definition, which was
  • 6:25 - 6:30
    stronger, when the key was used multiple
    times. The definition that I showed you on
  • 6:30 - 6:34
    the previous slide's very similar to the
    definition of one time security for
  • 6:34 - 6:38
    symmetric ciphers. And in fact, it turns
    out that for public key encryption, if a
  • 6:38 - 6:43
    system is secure under a onetime key, in a
    sense, it's also secure for a many time
  • 6:43 - 6:48
    key. So in other words, we don't have to
    explicitly give the attacker the ability
  • 6:48 - 6:53
    to, request encryptions of messages of his
    choice. Because he could just create those
  • 6:53 - 6:58
    encryptions all by himself. He is given
    the public key, and therefore he can by
  • 6:58 - 7:05
    himself encrypt any message he likes. As a
    result any public key secret pair in some
  • 7:05 - 7:09
    sense inherently is used to encrypt
    multiple messages because the attacker
  • 7:09 - 7:14
    could have just encrypted many, many
    messages of his choice using the given
  • 7:14 - 7:19
    public key that we just gave him in the
    first step. And so, as a result in fact,
  • 7:19 - 7:24
    the definition of one time security is
    enough to imply many time security and
  • 7:24 - 7:29
    that's why we refer to the concept as
    indistinguishability under a chosen plain
  • 7:29 - 7:34
    text attach. So this is just a minor point
    to explain why the settings of public
  • 7:34 - 7:38
    encryption, we don't need a more
    complicated definition to capture
  • 7:38 - 7:43
    eavesdropping security. Now that we
    understand eavesdropping security, let's
  • 7:43 - 7:47
    look at more powerful adversaries that can
    actually mount active attacks. So, in
  • 7:47 - 7:52
    particular, let's look at the email
    example. So here, we have our friend Bob
  • 7:52 - 7:56
    who wants to send mail to his friend
    Caroline. And Caroline happens to have, an
  • 7:56 - 8:01
    account at Gmail. And the way this works
    is basically, the email is sent to the
  • 8:01 - 8:06
    Gmail server, encrypted. The Gmail server
    decrypts the email, looks at the, intended
  • 8:06 - 8:09
    recipients. And then, if it's, the
    intended recipient is Caroline, it
  • 8:09 - 8:14
    forwards the email to Caroline. If the
    intended recipient is the attacker, it
  • 8:14 - 8:19
    forwards the email to the attacker. This
    is similar to how Gmail actually works
  • 8:19 - 8:23
    because the sender would send the email
    encrypted over SSL to the Gmail server.
  • 8:23 - 8:28
    The Gmail server would terminate the SSL
    and then forward the email to the
  • 8:28 - 8:33
    appropriate recipients. Now suppose Bob
    encrypts the email using a system that
  • 8:33 - 8:38
    allows the adversary to tamper with the
    ciphertext without being detected. For
  • 8:38 - 8:42
    example, imagine this email is encrypted
    using Counter Mode, or something like
  • 8:42 - 8:47
    that. Then when the attacker intercepts
    this email, he can change the recipient,
  • 8:47 - 8:51
    so that now the recipient says
    attacker@gmail.com, and we know that for
  • 8:51 - 8:55
    Counter Mode, for example, this is quite
    easy to do. The attacker knows that the
  • 8:55 - 9:00
    email is intended for Caroline, he is just
    interested in the email body. So he can
  • 9:00 - 9:04
    easily change the email recipient to
    attacker@gmail.com and now when the server
  • 9:04 - 9:08
    receives the email, he will decrypt it,
    see that the recipient is supposed to be
  • 9:08 - 9:12
    attacker, and forward the body to the
    attacker. And now the attacker was able to
  • 9:12 - 9:16
    read the body of the email that was
    intended for Caroline. So this is a
  • 9:16 - 9:21
    classic example of an active attack, and
    you notice what the attacker could do
  • 9:21 - 9:26
    here, is it could decrypt any ciphertext
    where the intended recipient is to:
  • 9:26 - 9:32
    attacker. So any ciphertext where the plain
    text begins with the words "to: attacker". So our goal is
  • 9:32 - 9:37
    to design public key systems that are
    secure, even if the attacker can tamper
  • 9:37 - 9:43
    with ciphertext and possibly decrypt
    certain cyphertexts. And again, I want to
  • 9:43 - 9:48
    emphasize that here the attacker's goal
    was to get the message body. The attacker
  • 9:48 - 9:52
    already knew that the email is intended
    for Caroline. And all he had to do was
  • 9:52 - 9:57
    just change the, intended recipient. So
    this tampering attack motivates the
  • 9:57 - 10:02
    definition of chosen ciphertext security.
    And in fact this is the standard notion of
  • 10:02 - 10:07
    security for public key encryption. So let
    me explain how the attack [here procedes] and as I
  • 10:07 - 10:12
    said our goal is to build systems that are
    secure under this very, very conservative
  • 10:12 - 10:16
    notion of encryption. So we have an
    encryption scheme (G, E, D). And let's say
  • 10:16 - 10:20
    that's defined over a message space and
    a ciphertext (M, C) and as usual we're
  • 10:20 - 10:24
    gonna define two experiments, experiment
    zero, and experiment one. So 'b' here
  • 10:24 - 10:28
    says whether the challenger is
    implementing experiment zero or experiment
  • 10:28 - 10:33
    one. The challenger begins by generating a
    public key and a secret key, and then gives
  • 10:33 - 10:37
    the public key to the adversary. Now the
    adversary can say, "Well, here are a bunch
  • 10:37 - 10:42
    of ciphertexts, please decrypt them for
    me." So here the adversary submits
  • 10:42 - 10:46
    ciphertext C1 and he gets the decryption
    of ciphertext C1, namely M1. And he gets
  • 10:46 - 10:51
    to do this again and again, so he submits
    ciphertext C2, and he gets the decryption,
  • 10:51 - 10:56
    which is M2, ciphertext C3, and he gets
    the decryption M3, and so on and so forth.
  • 10:56 - 11:00
    Finally, the adversary says, "This
    squaring phase is over," and now he
  • 11:00 - 11:04
    submits basically two equal length
    messages, M0 and M1 as normal, and he
  • 11:04 - 11:09
    receives in response the challenge
    ciphertext C, Which is the encryption of M
  • 11:09 - 11:13
    zero or the encryption of M one. Depending
    on whether we're in experiment zero or
  • 11:13 - 11:17
    experiment one. Now, the adversary can
    continue to issue these ciphertext
  • 11:17 - 11:21
    queries. So he can continue to issue,
    decryption requests. So he submits a
  • 11:21 - 11:25
    ciphertext, and he gets a decryption of
    that ciphertext, but of course, now, there
  • 11:25 - 11:30
    has to be a caveat. If the attacker could
    submit arbitrary ciphertext of his choice,
  • 11:30 - 11:34
    of course, he could break the challenge.
    What he would do is he would submit the
  • 11:34 - 11:39
    challenge ciphertext C as a decryption
    query. And then he would be told whether
  • 11:39 - 11:43
    in the challenge phase he was given the
    encryption of M0 or the encryption of M1.
  • 11:43 - 11:47
    As a result we put this limitation here,
    that says that he can in fact submit any
  • 11:47 - 11:51
    ciphertext of his choice except. For the
    challenge ciphertext. So the attacker
  • 11:51 - 11:55
    could ask for the decryption of any
    ciphertext of his choice other than the
  • 11:55 - 11:59
    challenge ciphertext. And even though he
    was given all these decryptions, he still
  • 11:59 - 12:03
    shouldn't be able to tell whether he was
    given the encryption of M0 or the
  • 12:03 - 12:09
    encryption of M1. So you notice this is a
    very conservative definition. It gives the
  • 12:09 - 12:14
    attacker more power than what we saw in
    the previous slide. On the previous slide,
  • 12:14 - 12:19
    the attacker could only decrypt messages
    where the plain text began with the words
  • 12:19 - 12:24
    "to: attacker". Here, we're saying the attacker
    can decrypt any ciphertext of his choice,
  • 12:24 - 12:30
    as long as it's different from the
    challenge ciphertext C. Okay? And then his
  • 12:30 - 12:34
    goal is to say whether the challenge
    ciphertext is the encryption of M0 or the
  • 12:34 - 12:38
    encryption of M1. And as usual, if he
    can't do that, in other words, his
  • 12:38 - 12:42
    behavior in experiment zero is basically
    the same as his behavior in experiment
  • 12:42 - 12:47
    one, so he wasn't able to distinguish the
    encryption of M0 from the encryption of
  • 12:47 - 12:51
    M1, even though he had all this power Then
    we say that the system is chosen
  • 12:51 - 12:56
    ciphertext secure, CCA secure. And
    sometimes there is an acronym, the acronym
  • 12:56 - 13:01
    for this is indistinguishability under a
    chosen ciphertext attack, but I'm just
  • 13:01 - 13:06
    gonna say CCA secured. So let's see how
    this captures, the email example we saw
  • 13:06 - 13:11
    before. So suppose the encryption system
    being used is such that just given the
  • 13:11 - 13:15
    encryption of a message the attacker can
    change the intended recipient from to
  • 13:15 - 13:20
    Alice say to, to Charlie. Then here's how
    we would win the CCA game. Well in the
  • 13:20 - 13:25
    first step he's given the public key of
    course. And then what the attacker will do
  • 13:25 - 13:30
    is he would issue two equal length
    messages, namely in the first message, the
  • 13:30 - 13:34
    body is zero. In the second message the
    body is one. But both messages are
  • 13:34 - 13:40
    intended for Alice. And in response, he
    would be given the challenge ciphertext C.
  • 13:40 - 13:45
    Okay, so now here we have our challenge
    ciphertext C. Now what the attacker is
  • 13:45 - 13:50
    gonna do is he's gonna use his, his
    ability here to modify the intended
  • 13:50 - 13:55
    recipient. And he's gonna send back a
    ciphertext C', where C' is the encryption
  • 13:55 - 14:02
    of the message to Charlie with body being
    the challenge body b. So if you remember is
  • 14:02 - 14:08
    either zero or one. Now, because the plain
    text is different, we know that the
  • 14:08 - 14:12
    ciphertext must also be different. So in
    particular, C prime must be different from
  • 14:12 - 14:17
    the challenge ciphertext C, yeah? So the
    C prime here must be different from C. And
  • 14:17 - 14:22
    as a result, the poor challenger now has
    to decrypt by definition of the CCA game.
  • 14:22 - 14:26
    The challenger must decrypt any ciphertext
    that's not equal to a challenge
  • 14:26 - 14:31
    ciphertext. So the challenger decrypts
    give the adversary M prime. Basically he
  • 14:31 - 14:35
    gave the adversary B, and now the
    adversary can output the challenge B and
  • 14:35 - 14:40
    he wins the game with advantage one. So
    he's advantage with this particular scheme
  • 14:40 - 14:45
    is one. So, simply because the attacker
    was able to change the challenge ciphertext
  • 14:45 - 14:50
    from one recipient to another that
    allows him to, to win the CCA game with
  • 14:50 - 14:55
    advantage one. So as I said, chosen
    ciphertext security turns out actually is
  • 14:55 - 14:59
    the correct notion of security for public
    key encryption systems. And it's a very,
  • 14:59 - 15:04
    very interesting concept, right? Basically, somehow
    even though the attacker has this ability
  • 15:04 - 15:08
    to decrypt anything he wants. Other than
    the challenge ciphertext, still he can't
  • 15:08 - 15:12
    learn what the challenge ciphertext is.
    And so the goal for the remainder of this module
  • 15:12 - 15:16
    and actually the next module as well, is
    to construct CCA secure systems. It's
  • 15:16 - 15:20
    actually quite remarkable that this is
    achievable and I'm going to show you
  • 15:20 - 15:24
    exactly how to do it. And in fact those
    CCA secure systems that we build are the
  • 15:24 - 15:29
    ones that are used in the real world. And
    every time a system has tried to deploy
  • 15:29 - 15:33
    a public key encryption mechanism that's not
    CCA secure someone has come up with an
  • 15:33 - 15:37
    attack and was able to break it. And we're
    going to see some of these example attacks
  • 15:37 - 15:39
    actually in the next few segments.
Title:
Definitions and security (16 min)
Video Language:
English

English subtitles

Revisions

Our website uses cookies for analysis purposes.