
CMSC 414: Computer and Network Security, Lecture 3

- Jonathan Katz

JCE

- (The TA gave a brief presentation in class about the JCE and how to use it)

HW1 out

- Meant to get you familiar with the JCE, and some basic crypto
- Use your GRACE account
- Work in teams of two students
- Both students should contribute to all problems
- JCE use and syntax fair game for the exam
- We now have a class forum
- Post on the forum if you are looking for a partner

Computer security student club

- First meeting tomorrow night, 7PM, in CSIC 1115

Perfect secrecy

Defining secrecy (take 1)

- Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext
- (Except the length)
- Perfect secrecy
- Formally, for all distributions over the message space, all m, and all c: $\Pr[M = m \mid C = c] = \Pr[M = m]$

The one-time pad

- Scheme
- Proof of security

Properties of the one-time pad?

- Achieves perfect secrecy
- No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext
- (Essentially) useless in practice
- Long key length
- Can only be used once (hence the name!)
- Insecure against known-plaintext attacks
- These are inherent limitations of perfect secrecy

Computational secrecy

Computational secrecy

- We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition
- Instead of requiring total secrecy against unbounded adversaries, require secrecy against time-bounded adversaries except with some small probability
- E.g., secrecy for 100 years, except with probability $2^{-80}$
- How to define formally?

A simpler characterization

- Perfect secrecy is equivalent to the following, simpler definition
- Given a ciphertext C which is known to be an encryption of either M0 or M1, no adversary can guess correctly which message was encrypted with probability better than ½
- Computational security!
- Is this definition too strong? Why not?

$2^{-80}$

The take-home message

- Weakening the definition slightly allows us to construct much more efficient schemes!
- Strictly speaking, no longer 100% absolutely guaranteed to be secure
- Security of encryption now depends on security of building blocks (which are analyzed extensively, and are believed to be secure)
- Given enough time and/or resources, the scheme can be broken

A computationally secure scheme

- A pseudorandom (number) generator (PRNG) is a deterministic function that takes as input a seed and outputs a string
- To be useful, the output must be longer than the seed
- If the seed is chosen at random, the output of the PRNG should look random (i.e., be pseudorandom)

Notes

- Required notion of pseudorandomness is very strong: the output must be indistinguishable from random for all efficient algorithms
- General-purpose PRNGs not sufficient for crypto
- Pseudorandomness of the PRNG depends on the seed being chosen at random
- Note in particular that if a seed is re-used then the output of the PRNG remains the same!
- In practice, seeds come from physical processes and/or user behavior

A computationally secure scheme

- The pseudo-one-time pad
- Proof sketch
- Which drawback(s) of the one-time pad does this address?
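Added example (not from the lecture): a one-time pad next to a pseudo-one-time pad, plus a check of the "use once" limitation that both share. The seed expander is an assumption of this example (HMAC-SHA256 in counter mode standing in for a PRNG), not a construction the slides specify.

```python
import hashlib
import hmac
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """One-time pad: key must be uniform, used once, and as long as msg."""
    return xor_bytes(key, msg)

otp_decrypt = otp_encrypt  # XOR is its own inverse

def expand_seed(seed: bytes, length: int) -> bytes:
    """Illustrative PRNG: stretch a short seed into a long keystream with
    HMAC-SHA256 in counter mode. This is an assumption of the example, not
    a construction from the lecture; it is deterministic in the seed."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def pseudo_otp_encrypt(seed: bytes, msg: bytes) -> bytes:
    """Pseudo-one-time pad: XOR msg with PRNG(seed) instead of a random pad."""
    return xor_bytes(expand_seed(seed, len(msg)), msg)

pseudo_otp_decrypt = pseudo_otp_encrypt

def reuse_leak(seed: bytes, m0: bytes, m1: bytes) -> bytes:
    """Why 'use once' is inherent: encrypting two equal-length messages under
    one seed gives c0 XOR c1 == m0 XOR m1, since the keystream cancels."""
    c0 = pseudo_otp_encrypt(seed, m0)
    c1 = pseudo_otp_encrypt(seed, m1)
    return xor_bytes(c0, c1)

if __name__ == "__main__":
    msg = b"meet at noon"                       # constructed sample message
    pad = os.urandom(len(msg))                  # OTP key: uniform, message length
    seed = os.urandom(16)                       # pseudo-OTP: short seed, any msg length
    assert otp_decrypt(pad, otp_encrypt(pad, msg)) == msg
    assert pseudo_otp_decrypt(seed, pseudo_otp_encrypt(seed, msg)) == msg
    other = b"meet at dusk"
    print(reuse_leak(seed, msg, other) == xor_bytes(msg, other))  # True
```

The last line is the point of the slide's "can only be used once": the pseudo-OTP fixes key length but not reuse, because the same seed yields the same keystream.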