ebook img

The Joy of Cryptography PDF

283 Pages·2020·4.091 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview The Joy of Cryptography

The Joy of Cryptography MikeRosulek (cid:104)[email protected](cid:105) SchoolofElectricalEngineering&ComputerScience OregonStateUniversity,Corvallis,Oregon,USA DraftofFebruary6,2020 (cid:62) Preface The Joy of Cryptography is an undergraduate textbook in cryptography. This book grew outoflecturenotesIdevelopedforthecs427courseatOregonStateUniversity(andbefore that,cs473attheUniversityofMontana). I am well aware that the title is ridiculous, but all of the serious titles were already taken. At this point I’m committed to the gag, for better or worse. Anyway, actual joy notguaranteed. Information for Students WhatWillYouLearnInThisBook? I’mnotgoingtolie. Thisbookhasatheoreticalflavor,thatreflectsmypersonalbiasasa theoretician. Iunderstandthattheory-for-theory’s-sakedoesn’tmotivateeveryoneinthesameway thatitmotivatesme. IfIcan’tgeteveryonetofallinlovewiththetheory,myinstructional goalistoensurethateveryonecanatleastappreciateit. InthebookItrytokeepthereal- worldimplicationsofthetheoryinview. Thebookdoescover: (cid:73) How it is possible to formally define security properties and reason about them mathematically. (cid:73) How the most common cryptographic constructions work: what makes them se- cure,whilesimilarconstructionsareinsecure? (cid:73) Thedifferencebetweendifferentkindsofcryptographicprimitives(PRFs,blockci- phers, encryption, MACs, hash functions, etc). This includes differences in their interfaces, differences in their security properties, and most importantly, how to thinkaboutwhichprimitiveisbestsuitedforaparticularsecuritygoal. Thebookdoesnotcover: (cid:73) Howtouseencryption/privacysoftwarelikePGP,TrueCrypt,Signal,etc. (cid:73) CryptocurrencieslikeBitcoin. (cid:73) Howtosafelyimplementproduction-readycryptographicalgorithms. Attimesthe bookhintsatsomeimplementationissues,mostlytoshowhowincrediblydifficult itistogetthingsright. ©CopyrightMikeRosulek.CreativeCommonsBY-NC-SA4.0.Latestversionatjoyofcryptography.com. Draft:February6,2020 (cid:73) Whatgoesinsidelow-levelprimitiveslikeblockciphersandhashfunctions. Ithink readersofthisbookaremuchmorelikelytobuildsystemsoutoftheseprimitives, ratherthandesigntheirownprimitives. Thus,thefocusisonunderstandingwhat thesedifferentprimitivesprovide,andhowtocombinetheminsoundways. BackgroundKnowledge You will get the most out of this book if you have a solid foundation in standard under- graduatecomputersciencematerial: (cid:73) Discretemathematics(ofthekindyoutypicallyfindinyear2or3ofanundergrad- uateCSprogram)isrequiredbackground. Thebookassumesfamiliaritywithba- sic modular arithmetic, discreteprobabilities, simple combinatorics, and especially prooftechniques. (cid:73) Algorithms&datastructuresbackgroundishighlyrecommended,andtheoryof computation(automata,formallanguages&computability)isalsorecommended. Wedealwithcomputationsandalgorithmsatahighlevelofabstraction, andwith mathematical rigor. This can be a significant challenge if you haven’t had prior experiencefromthesecourses. A quick look at Chapter 0 will give you more specifics about what kind of knowledge is assumedinthisbook. Information for Teachers Disclaimers&Apologies Although I’ve used this book as a primary course reference for several years now, I still considerittobeadraft.OfcourseImakeeveryefforttoensuretheaccuracyofthecontent, buttherearesuretobeplentyofbugs,rangingintheirseverity. Caveatemptor! Iteacha10-weekcryptographycourse,sincemyinstitutionisonthequartersystem. I managetocoveressentiallyallofthisbookinthose10weeks. Becauseofthis,itisalways easierformetofocusonpolishingtheexistingmaterialratherthanaddingentirelynew chapters. SomedayIwilladdthosenewchapters(seetheroadmapbelow), butcurrently therearesomequiteshamefulomissions. Thereisnosolutionsmanual,andIcurrentlyhavenoplanstomakeone. Iwelcomefeedbackofallkinds—notjustonerrorsandtyposbutalsoontheselection, organization,andpresentationofthematerial. Code-basedgames The security definitions and proofs in these notes are presented in a style that is known to the research community as code-based games. I’ve chosen this style because I think it offerssignificantpedagogicalbenefits: (cid:73) Everysecuritydefinitioncanbeexpressedinthesamestyle,astheindistinguisha- bility of two games. In my terminology, the games are libraries with a common iii Draft:February6,2020 interface/API but different internal implementations. An adversary is any calling program on that interface. These libraries use a concrete pseudocode that reduces ambiguity about an adversary’s capabilities. For instance, the adversary controls argumentstosubroutinesthatitcallsandseesonlythereturnvalue. Theadversary cannotseeanyvariablesthatareprivatelyscopedtothelibrary. (cid:73) Aconsistentframeworkfordefinitionsleadstoaconsistentprocessforprovingand breakingsecurity—thetwofundamentalactivitiesincryptography. Inthesenotes,breakingaconstructionalwayscorrespondstowritingaprogramthat expectsaparticularinterfaceandbehavesasdifferentlyaspossibleinthepresence oftwoparticularimplementationsoftheinterface. Provingsecuritynearlyalwaysreferstoshowingasequenceoflibraries(calledhy- brids), eachofwhichisindistinguishablefromthepreviousone. Eachofthesehy- brids is written in concrete pseudocode. By identifying what security property we wishtoprove,weidentifywhattheendpointsofthissequencemustbe. Thesteps that connect adjacent hybrids are stated in terms of syntactic rewriting rules for pseudocode, including down-to-earth steps like factoring out and inlining subrou- tines,changingthevalueofunusedvariables,andsoon. (cid:73) Cryptography is full of conditional statements of security: “if A is a secure thinga- majig,thenBisasecuredoohickey.” Aconventionalproofofsuchastatementwould address the contrapositive: “given an adversary that attacks the doohickey-security ofB,Icanconstructanattackonthethingamajig-securityofA.” Inmyexperience,studentsstruggletofindtherightwaytotransformanabstract, hypothetical B-attacking adversary into a successful A-attacking adversary. By defining security in terms of games/libraries, we can avoid this abstract challenge, and indeed avoid the context switch into the contrapositive altogether. In these notes,thethingamajig-securityofAgivesthestudentanewrewritingrulethatcan beplacedinhis/hertoolboxandusedtobridgehybridswhenprovingthedoohickey- securityofB. Code-based games were first proposed by Shoup1 and later expanded by Bellare & Rog- away.2 Thesenotesadoptasimplifiedandunifiedstyleofgames,sincethegoalisnotto encompass every possible security definition but only the fundamental ones. The most significantdifferenceinstyleisthatthegamesinthesenoteshavenoexplicitInitialize orFinalizestep. Asaresult, allsecuritydefinitionsareexpressedasindistinguishability of two games/libraries, even security definitions that are fundamentally about unforge- ability. Yet,wecanstillreasonaboutunforgeabilitypropertieswithinthisframework. For instance,tosaythatnoadversarycanforgeaMAC,itsufficestosaythatnoadversarycan distinguish a MAC-verification subroutine from a subroutine that always returns false. Anindexofsecuritydefinitionshasbeenprovidedattheendofthebook. One instance where the approach falls short, however, is in defining collision resis- tance. Ihavenotbeenabletodefineitinthisframeworkinawaythatisbotheasytouse 1VictorShoup:SequencesofGames:AToolforTamingComplexityinSecurityProofs.ia.cr/2004/332 2MihirBellare&PhilipRogaway:Code-BasedGame-PlayingProofsandtheSecurityofTripleEncryption. ia.cr/2004/331 iv Draft:February6,2020 and easy to interpret (and perhapsI achieved neither in the end). See Chapter 11 for my bestattempt. SupplementaryMaterial Security proofs in this book follow a standard pattern: We start from one “library” and perform a sequence of small, cumulative modifications. Each modification results in a separatehybridlibrarythatisindistinguishablefromthepreviousone. I have prepared PDF slide decks to supplement the security proofs contained in the book. Theyareavailablefromthecoursewebsite. Theslidesallowthereadertostepfor- wardandbackwardthroughtheproof’ssequenceoflogicalsteps,seeingonlythecurrent hybridlibraryatanytime(withchangeshighlightedandannotated). Other Boring Stuff Copyright ThisworkiscopyrightbyMikeRosulekandmadeavailableundertheCreativeCommons BY-NC-SA4.0license. Underthislicense,youarefreeto: Share: copyandredistributethematerialinanymediumorformat. Adapt: remix,transform,andbuilduponthematerial. The licensor cannot revoke these freedoms as long as you follow the following license terms: Attribution: Youmustgiveappropriatecredit,providealinktothelicense,andin- dicateifchangesweremade. Youmaydosoinanyreasonableman- ner, but not in any way that suggests the licensor endorses you or youruse. NonCommercial: Youmaynotusethematerialforcommercialpurposes. ShareAlike: If you remix, transform, or build upon the material, you must dis- tributeyourcontributionsunderthesamelicenseastheoriginal. Youmaynotapplylegaltermsortechnologicalmeasuresthatlegallyrestrictothersfrom doinganythingthelicensepermits. Aboutthecover ThecoverdesignconsistsofassortedshellillustrationsfromBibliothèqueconchyliologique, publishedin1846. Theimagesarenolongerundercopyright,andwereobtainedfromthe Biodiversity Heritage Library (http://biodiversitylibrary.org/bibliography/11590). Like a properly deployed cryptographic primitive, a properly deployed shell is the most robust lineofdefenseforamollusk. Toanuniformedobserver,ashellisjustashell,andcryptois justcrypto. However,thereareawidevarietyofcryptographicprimitives,eachofwhich providesprotectionagainstadifferentkindofattack. Justasforaseasonedconchologist, v Draft:February6,2020 the joy is in appreciating the unique beauty of each form and understanding the subtle differencesamongthem. Acknowledgements Some financial support for writing this book has been kindly provided by the National Science Foundation (awards #1149647, #1617197) and the Oregon State University Open TextbookInitiative. ThankstoBrentCarmer&LeoReyzinformanythoughtfulsuggestionsandcomments aboutthematerial. IamalsogratefulforthemanystudentsinCS427whohavereported countlessbugs. Changelog 2020-02-05: Overhaul of Chapter 2 (provable security fundamentals). The structure is arguably more coherent now. The total number of examples is increased. I now also include both a successful security proof and an example of where an attempted security proofgoeswrong(sincetheschemeisactuallyinsecure). 2020-01-09: High-frequencywinterrevisionsarecontinuing. Thisupdatefocusesen- tirelyonChapter13(RSA):Manymanymoreexamplesareincluded,inSage! Discussion of CRT is (hopefully) clearer. Digital signatures content is finally there. There’s a new discussion of how to actually compute modular exponentiation on huge numbers, and a couplefunnewexercises. 2020-01-05: RevisinginpreparationforteachingCS427duringWinterterm. (cid:73) Chapter0:Moreexamples.Expandedtreatmentofmodulararithmetic.Tips&tricks formodulararithmeticandprobabilities. (cid:73) Chapter 1: Moderate reorganization of “things that cryptographers blissfully ig- nore.” (cid:73) Chapters12–15: MovedAEADchapterintopositionaschapter12. Public-keystuff isnowchapters13–15. (cid:73) Chapter13(RSA):More(butnotenough)examplesofmultiplicativeinverses. New discussionofalgorithmicaspectsofexponentiationmodN. Thischapterwilleven- tuallyfocusonsignaturesexclusively,butwe’renotyearthat. Expectupdatesover thenextfewmonths. 2019-03-21: Chapter 11 (hash functions) significant revisions: no more impenetrable securitydefinitionforcollision-resistance;explicittreatmentofsalts;betterexamplesfor Merkle-Damgårdandlength-extension. NewdraftChapter15onAEAD(afternextrevi- sionwillbeinsertedafterChapter11). 2019-01-07: Extensive revisions; only the major ones listed here. Lots of homework problemsadded/updatedthroughout. ItriedtorevisetheentirebookintimeformyWin- ter2019offering,butranoutoftime. vi Draft:February6,2020 (cid:73) Addedachangelog! (cid:73) Chapter1:Kerckhoffs’Principlenowdiscussedhere(previouslyonlymentionedfor thefirsttimeinCh2). (cid:73) Chapter2:Nowtheconceptsareintroducedincontextofspecificone-timesecurity definition,notintheabstract. Moreexamplesofinterchangeablelibraries. (cid:73) Chapter3: PolynomialinterpolationnowshownexplicitlywithLaGrangepolyno- mials(ratherthanVandermondematrices). Fullinterpolationexampleworkedout. (cid:73) Chapter 4: Better organization. Real-world contextual examples of extreme (large &small)2n values. Fullproofofbad-eventlemma. Generalizedavoidance-sampling libraries. (cid:73) Chapter5:MotivatePRGsviapseudo-OTPidea. BetterillustrationofPRGfunction, andconceptualpitfalls. HowNOTtobuildaPRG.Newsectiononstreamcipher& symmetricratchet. (cid:73) Chapter6: CombinedPRF&PRPchapters. MotivatePRFsviam (cid:55)→ (r,F(k,r)⊕m) construction. Better discussion of eager vs. lazy sampling of exponentially large table. How NOT to build a PRF. New section on constructing PRG from PRF, and moreclarityonsecurityproofswithvariablenumberofhybrids. Betterillustrations &formalpseudocodeforFeistelconstructions. (cid:73) Chapter 7: Other ways to avoid insecurity of deterministic encryption (stateful & nonce-based). Ridiculous Socratic dialog on the security of the PRF-based encryp- tionscheme. (cid:73) Chapter8: Compare&contrastCTR&CBCmodes. RoadMap Thefollowingtopicsareshamefullymissingfromthebook,butareplannedorbeingcon- sidered: 1. authenticatedkeyagreement,securemessaging/ratcheting(highpriority) 2. randomoracle&idealciphermodels(mediumpriority) 3. ellipticcurves,post-quantumcrypto(butIwouldneedtolearnthemfirst) 4. DH-based socialist millionaires, PSI, PAKE, simple PIR, basic MPC concepts (low priority) vii Contents 0 ReviewofConcepts&Notation 1 0.1 Logs&Exponents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 0.2 ModularArithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 0.3 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 0.4 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 0.5 Probability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 0.6 NotationinPseudocode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 0.7 Asymptotics(Big-O) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1 One-TimePad&Kerckhoffs’Principle 10 1.1 WhatIs[Not]Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . 10 1.2 SpecificsofOne-TimePad . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2 TheBasicsofProvableSecurity 21 2.1 HowtoWriteaSecurityDefinition . . . . . . . . . . . . . . . . . . . . . . 21 2.2 FormalismsforSecurityDefinitions . . . . . . . . . . . . . . . . . . . . . . 25 2.3 HowtoDemonstrateInsecuritywithAttacks . . . . . . . . . . . . . . . . . 30 2.4 HowtoProveSecuritywithTheHybridTechnique . . . . . . . . . . . . . 33 2.5 HowtoCompare/ContrastSecurityDefinitions . . . . . . . . . . . . . . . 38 3 SecretSharing 47 3.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.2 ASimple2-out-of-2Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.3 PolynomialInterpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 3.4 ShamirSecretSharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 (cid:63) 3.5 VisualSecretSharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 4 BasingCryptographyonIntractableComputations 67 4.1 WhatQualifiesasa“ComputationallyInfeasible”Attack? . . . . . . . . . . 67 4.2 WhatQualifiesasa“Negligible”SuccessProbability? . . . . . . . . . . . . 70 4.3 Indistinguishability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 4.4 BirthdayProbabilities&SamplingWith/outReplacement . . . . . . . . . . 76 5 PseudorandomGenerators 85 5.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 5.2 PseudorandomGeneratorsinPractice . . . . . . . . . . . . . . . . . . . . . 87 5.3 Application: ShorterKeysinOne-Time-SecretEncryption . . . . . . . . . 90 (cid:63) 5.4 ContrapositivePointofViewonSecurityProofs . . . . . . . . . . . . . . . 92 5.5 ExtendingtheStretchofaPRG . . . . . . . . . . . . . . . . . . . . . . . . . 94 (cid:63) 5.6 Applications: StreamCipher&SymmetricRatchet . . . . . . . . . . . . . . 96 6 PseudorandomFunctions&BlockCiphers 104 6.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 6.2 PRFsvsPRGs;Variable-HybridProofs . . . . . . . . . . . . . . . . . . . . . 108 6.3 BlockCiphers(PseudorandomPermutations) . . . . . . . . . . . . . . . . . 118 ©CopyrightMikeRosulek.CreativeCommonsBY-NC-SA4.0.Latestversionatjoyofcryptography.com. Draft:February6,2020 6.4 RelatingPRFsandBlockCiphers . . . . . . . . . . . . . . . . . . . . . . . . 119 6.5 PRFsandBlockCiphersinPractice . . . . . . . . . . . . . . . . . . . . . . 122 (cid:63) 6.6 StrongPseudorandomPermutations . . . . . . . . . . . . . . . . . . . . . . 123 7 SecurityAgainstChosenPlaintextAttacks 128 7.1 LimitsofDeterministicEncryption . . . . . . . . . . . . . . . . . . . . . . 128 7.2 PseudorandomCiphertexts . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 7.3 CPA-SecureEncryptionBasedOnPRFs . . . . . . . . . . . . . . . . . . . . 133 8 BlockCipherModesofOperation 142 8.1 ATourofCommonModes . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 8.2 CPASecurityandVariable-LengthPlaintexts . . . . . . . . . . . . . . . . . 145 8.3 SecurityofOFBMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 8.4 Padding&CiphertextStealing . . . . . . . . . . . . . . . . . . . . . . . . . 150 9 ChosenCiphertextAttacks 160 9.1 PaddingOracleAttacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 9.2 WhatWentWrong? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 9.3 DefiningCCASecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 (cid:63) 9.4 ASimpleCCA-SecureScheme . . . . . . . . . . . . . . . . . . . . . . . . . 169 10 MessageAuthenticationCodes 180 10.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 (cid:63) 10.2 APRFisaMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 10.3 MACsforLongMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 10.4 Encrypt-Then-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 11 HashFunctions 199 11.1 SecurityPropertiesforHashFunctions . . . . . . . . . . . . . . . . . . . . 199 11.2 Merkle-DamgårdConstruction . . . . . . . . . . . . . . . . . . . . . . . . . 203 11.3 HashFunctionsvs.MACs: Length-ExtensionAttacks . . . . . . . . . . . . 206 12 AuthenticatedEncryption&AEAD 212 12.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 12.2 AchievingAE/AEAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 12.3 Carter-WegmanMACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 12.4 GaloisCounterModeforAEAD . . . . . . . . . . . . . . . . . . . . . . . . 223 13 RSA&DigitalSignatures 225 13.1 “Dividing”Modn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 13.2 TheRSAFunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 13.3 DigitalSignatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 13.4 ChineseRemainderTheorem . . . . . . . . . . . . . . . . . . . . . . . . . . 238 13.5 TheHardnessofFactoringN . . . . . . . . . . . . . . . . . . . . . . . . . . 242 14 Diffie-HellmanKeyAgreement 252 14.1 CyclicGroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 ix Draft:February6,2020 14.2 Diffie-HellmanKeyAgreement . . . . . . . . . . . . . . . . . . . . . . . . . 253 14.3 DecisionalDiffie-HellmanProblem . . . . . . . . . . . . . . . . . . . . . . 254 15 Public-KeyEncryption 258 15.1 SecurityDefinitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 15.2 One-TimeSecurityImpliesMany-TimeSecurity . . . . . . . . . . . . . . . 259 15.3 ElGamalEncryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 15.4 HybridEncryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 IndexofSecurityDefinitions 269 x

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.