Understanding Cryptography: Key Agreement and Secure Communication
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Generate a summary for free
If you found this summary useful, consider buying us a coffee. It would help us a lot!
Introduction
Cryptography plays a crucial role in ensuring secure communication over public channels in today's digital world. In this comprehensive lecture, we delve into the fundamental problems posed by cryptography, particularly focusing on the key agreement and secure communication problems. We also explore various types of cryptographic primitives, with detailed discussions on both symmetric and asymmetric key cryptography. Furthermore, we will discuss the syntax of symmetric encryption, informal security definitions, and conclude with insights on Kof's principle.
Fundamental Problems in Cryptography
Cryptography primarily addresses two central problems: the key agreement problem and the secure communication problem. Let's explore each of these problems in detail.
Key Agreement Problem
The key agreement problem arises when two parties, a sender and a receiver, wish to share a key without any prior shared information. The process must ensure the following:
- Both parties communicate over a public channel without prior knowledge of each other.
- It must be guaranteed that the sender is indeed talking to the intended receiver.
- At the end of the protocol, both parties output a common secret key.
The security requirement here is that even if a third party eavesdrops on the communication, they should not be able to deduce the shared key. This scenario serves as the foundation for public key cryptography.
Secure Communication Problem
Once the common key is established through the key agreement process, the secure communication problem comes into play. Here, we assume that the sender and receiver possess a secret key K that they share. The objective is to ensure:
- Confidentiality: No third party should decipher the contents shared by the sender and receiver.
- Integrity: If an intermediary alters the communication, both sender and receiver should be alerted to the tampering.
Types of Cryptographic Primitives
Cryptographic primitives can be classified into two major types: symmetric key primitives and asymmetric key primitives.
Symmetric Key Primitives
In symmetric key cryptography (or private key cryptography), both the sender and receiver use the same key K. Though symmetric cryptography is efficient computationally, the major challenge lies in the secure agreement of the key itself. Therefore, both parties need a secure way to exchange or agree upon the key without any unauthorized access.
Properties of Symmetric Key Encryption
- Computational Efficiency is high.
- Key Agreement poses significant challenges, requiring secure channels for key exchange.
Asymmetric Key Primitives
Asymmetric key cryptography (or public key cryptography) operates with two separate keys: one public key that is available publicly and a secret key only known to the receiver. The advantages of asymmetric primitives are that they eliminate the need for pre-shared keys, allowing anyone to encrypt a message for the key holder without prior agreement.
Challenges and Properties
- Asymmetric algorithms are computationally less efficient compared to symmetric algorithms.
- However, they significantly improve security through not requiring mutual key agreement before communication.
The Syntax of Symmetric Encryption
The symmetric encryption process involves three algorithms:
- Key Generation Algorithm: Outputs a random key K.
- Encryption Algorithm: Takes a plaintext M and the key K as inputs and produces ciphertext C.
- Decryption Algorithm: Uses the ciphertext C and key K to retrieve the original plaintext M.
Distinguishing Deterministic from Randomized Algorithms
- Deterministic Algorithms yield the same output for given inputs, whereas Randomized Algorithms may produce different outputs due to internal random bits utilized.
Properties of Secure Encryption Schemes
For any secure symmetric encryption scheme, two critical properties need to be satisfied:
- Correctness: Ensures that decryption retrieves the original plaintext when the encryption is applied correctly.
- Privacy: By observing the ciphertext, adversaries should not be able to determine any meaningful information about the plaintext.
Attack Models in Cryptography
Understanding various attack models is essential to evaluate the security of cryptographic systems. These models highlight different scenarios under which an adversary may attempt to breach security. The most common attack models are:
- Ciphertext-Only Attack (COA): The adversary only has access to the ciphertext.
- Known-Plaintext Attack (KPA): The adversary knows specific plaintext-ciphertext pairs.
- Chosen-Plaintext Attack (CPA): The adversary can choose plaintexts to be encrypted and analyze the ciphertexts.
- Chosen-Ciphertext Attack (CCA): The adversary can submit ciphertexts for decryption and analyze the output.
Kof's Principle
Kof's principle posits that a cryptographic system should remain secure even if everything about it is public knowledge, except for the secret key. This principle emphasizes the significance of key secrecy in maintaining the integrity of cryptographic processes and argues against proprietary algorithms. It's easier to keep a short, randomized key confidential than to conceal complex encryption algorithms.
Conclusion
Cryptography addresses critical challenges regarding secure communication and key agreements. Understanding both symmetric and asymmetric key primitives, their implementation, and the various attack models helps fortify our communication systems against potential threats. Adhering to Kof's principle ensures our cryptographic algorithms and processes maintain their integrity in public scrutiny, offering robust security for sensitive data exchange.
follows we will discuss the fundamental problems addressed by cryptography namely the key agreement problem and a
secure communication problem then we will discuss the various types of cryptographic Primitives namely the
discussion on symmetric key Primitives where we will see the syntax of symmetric encryption mechanism and
informal security definition and then we will finish the lecture with K's principle right so if you remember in
the last lecture we discussed that the central problem addressed by cryptography is that of secure
communication and in it it turns out that secure communication is actually solved by solving two core problems and
the first core problem is that of key agreement so in the key agreement problem the scenario is the following we
have two entities a sender and a receiver who do not know know each other and who do not have any kind of
agreement protocol is is that as for the protocol the sender and the receiver should talk to each other over a public
Channel and it should be guaranteed to the sender that indeed it is talking to the Ram uh receiver and vice versa and
at the end of the protocol both sender and receiver should output a common Kik the security requirement from the key
agreement protocol is that even though the sender and the receiver are talking publicly and if there is a third party
who is actually e dropping the communication or noting down the entire communication which is happening between
the sender and the receiver then the third party should not be able to figure out what exactly is the key which sender
and receiver are going to Output at the end of the protocol so it's like saying the following that if I consider a class
and the key agreement protocol should require that if I want to agree upon a key with a particular student then using
the key agreement protocol I should shout something in the class and in response that particular student should
shout back something to me and using whatever I communicated to him and whatever he communicated back to me both
of us should be able to compute a common key and no one else in the class who have actually seen the actual messages
that I have communicated to that particular student and that student has communicated ated to me should not be
able to figure out what exactly is the key that myself and that particular student are going to Output that's a
first core problem addressed by cryptography and this will be the theme of the second half of the course where
we will see how using public cryptography which we can solve this key agreement problem the second core
problem which is addressed by cryptography is that of secure communication and here the setting is as
follows we imagine that sender and receiver now have a secret key K which has been agreed upon by some magical
mean in this context actually by running a key exchange protocol so we imagine that sender and receiver have executed a
secure key exchange protocol and as a result they have a common key already available with them now using the common
key the goal of the sender and the receiver is to talk over a public Channel such that the confidentiality of
the communication and the Integrity of the communication is ensured by confidentiality I mean any third party
who do not have the knowledge of the key should not be able to figure out what exactly are the contents which sender
and receiver are exchanging to each other and by Integrity I mean that if there is a third party who actually
intercepts some of the communication and tries to change the contents of the messages then it should be deductable at
both the ends so that's the second problem the second core problem addressed by cryptography and this will
be the theme of the first half of the course namely symmetric cryptography where we will assume that somehow the
sender and the receiver have already agreed upon the key and our goal will be to solve the problems of confidentiality
kind of Primitives are the symmetric symmetric key Primitives which are also called as private key Primitives and
here the same key is going to be used by both the sender as well as the receiver that's why the name symmetrically
primitive or private key cryptography symmetric because it's symmetric in nature the same key is getting used at
both the senders end as well as the receivers end and the name private key cryptography because the key K which is
common to both the sender and the receiver is going to be private it won't be available in the public domain now
there are both pros and cons of these kind of primitive the good side of these Primitives is that they are
computationally very efficient in practice and the downside of these Primitives is that the key agreement is
going to be a big issue that means all these Primitives Works under the assumption that the common key has been
already agreed upon by some magical mechanism and which is a big assumption so as ensuring that both sender and
Primitives the second kind of Primitives are called as asymmetric Primitives or public cryptographic Primitives where
the Primitive is operated with two keys one of the keys which is the the public key will be available in the public
domain whereas the other key namely the secret key will be available only to one of the entities or in the context of
encryption scheme it will be available only with the receiver that means this has asymmetry nature that's why the name
asymmetry primitive and the reason it is called public key primitive is that one of the keys is available in the public
domain again it has these kinds of Primitives have both plus as well as the down side the good side about this primi
is that you do not read any kind of key agreement that means if I take a public encryption scheme for instance then
there is no requirement to do any kind of key agreement whoever wants to encrypt a message for me it can take my
public key which will be available in the public domain so I don't need to explicitly agree upon a key with that
particular Center the downside of these kind of Primitives is that they are computationally inefficient that means
the amount of computation which are involved in this kind of primitive is of several orders of magn itude compared to
the computation required in the symmetric Primitives in practice we use a combination of both so when we will be
winding up our course and we will be discussing the real world protocols such as SSL we will see that how we combine
both these two Primitives to get best of the both world so now let's start our discussion
on private key or symmetry key encryption schemes so on a very high level the goal is the following the
setting is as follows we have a sender and a receiver and by some magical mechanism we assume that a random key
has been shared up agreed upon between the sender and the receiver so I denote the key as K which is actually going to
be a bit string now sender is interested to send some message M which is again going to be a bit string and in the
cryptographic jagon we call this string M to be the plain text now using the key sender is going to use an encryption
algorithm which takes the message and the key as the input and it produces another bit string denoted as C which is
the cipher text or the scramble text which is going to be communicated over a public channel to the
receiver at the receiving end receiver is going to take the cipher text which is a bit string and the key which H the
same key with which the sender has operated the encryption process and it's going to operate a decryption algorithm
now so the decryption algorithm is going to take the scramble text and the key and it's going to Output the plain text
which sender has actually encrypted using the encryption algorithm so the reason this encryption
mechanism is called symmetric encryption mechanism is that we have a symmetry that the same key is getting used both
for the encryption as well as the decryption so before going into the formal description of a symmetric
encryption process let's first try to understand the difference difference between a deterministic and a randomized
algorithm so a deterministic algorithm in a deterministic algorithm the output is a deterministic function of the input
that means if we consider the straight transition in the algorith inside the algorithm then the flow from the input
to the output is always a deterministic function what I mean by this is if I run a deterministic algorithm on an input x
100 times I going to get the same output y 100 times I won't get different output that means the output Y is a
deterministic function of the input X whereas in a randomized algorithm the flow from the input to Output is non-
deterministic and the flow is going to be decided by the value of random bit strings which are going to be generated
inside the algorithm as part of the algorithm that means in a randomized algorithm it is not guaranteed that if I
call that algorithm with the same input again and again it's not guaranteed that I'm going to get the same output and
output may depend upon the sequence of random bits which I'm going to generate inside the algorithm and depending upon
the value of those random bits what path I followed inside the algorithm so that's a very high level difference
between a deterministic algorithm and a randomized algorithm now let's see the syntax of a
symmetric ke encryption scheme so any symmetric key encryption scheme which is also called as a cipher is going to
consist of three algorithms the first algorithm is the key generation algorithm which is denoted by gen and
is as part of the algorithm inside there will be some random bit strings which are going to be generated which I denote
by this particular notation so when I say when when I write this notation that someone is tossing the coin I mean that
inside the algorithm random bit strings are going to be generated and based on the value of that bit string
the output is going to be determined so the output of this key generation algorithm is a key denoted by the symbol
K and since it's a randomized algorithm every time I run the key generation algorithm I am bound to get a
different output I won't get the same output the syntax that we use to denote the key generation algorithm is the
following we say that the key generation algorithm gen it does not take any input so that's why the brackets are left as
which I denote by K and this K belongs to a larger set this caligraphic K which is the set of all possible Keys which
this key algorith key generation algorithm can output and the important thing here is that since this algorithm
is a randomized algorithm that's why I do not say that the output of gen is assigned the value k instead I say that
the output of gen is going to take one of the possible value K from the set of all possible keys I am not using the
assignment operator because it's not a deterministic function it's a randomized function it's a randomized algorithm so
here this caligraphic K is the or the capital K is the set of all possible Keys which your key generation algorithm
could output so for instance if we know that a key generation algorithm is going to Output a 256bit key then I know that
this caligraphic key is a set of all possible 256bit strings namely the key space k is 2 to ^ 256 and as I said
earlier this key generation algorithm is going to be a randomized algorithm the second algorithm in any
symmetric encryption scheme is the encryption algorithm denoted as as ink and it is going to take two external
inputs namely the plane test which the sender wants to encrypt which is going to be a bit string which I denote by the
symbol B and the key K which the key generation algorithm would have output and apart from these two inputs it has
an internal input namely the internal random coins which are generated or the random bits which are generated as part
of this encryption process and as a result this encryption algorithm is a randomized algorithm So based on the
message the key space and the random bits which are generated inside the encryption algorithm the encryption
algorithm is going to Output a cipher text denoted as C so as I said that since the encryption
algorithm could generate internal random bits to decide the outcome C it is a randomized algorithm and the syntax that
we use to denote the encryption algorithm we is the following we say that the encryption of the plain text M
So within the brackets I'm writing the message M as the input that means that's the external input which this in deson
function takes as input and the K the key K is put as a subscript so I will say that the message m is encrypted
under the key K and since this algorithm is a randomized algorithm I am not using the assignment operator to denote the
output of this encryption algorithm instead I am saying that the output of this encryption algorithm is going to be
one of the possible Cipher text from the set of all possible Cipher text which you're encryption algorithm could
produce so since this encryption process is a randomized algorithm what it means is that even if I call this encryption
process with the same value of M and the same value of K multiple times I am going to get different Cipher text
because every time I call this encryption process the set of random bit strings which are generated as part of
the algorithm will be different and since C is going to be a function of both me of the message key and internal
random bits the value of C will be different for different invocations of C so that's the syntax of encryption
algorithm now the decryption algorithm takes the cipher text C as the external input and the key K which has been
generated by the key generation algorithm and in return it produces the plain text M so the syntax that I follow
to denote the decryption Alor is the following we say that decryption of the input C so here C is the external input
which is fed to the decryption function along with the key K so I will say that the decryption of the cipher text C
under the key K is going to produce the message M and the message M belongs to the largest set of possible plain text
namely capital M which is the plain text space now notice that my decryption algorithm here is a deterministic
function there are no random bit strings which are generated inside the decryption algorithm to decide the
outcome M and as a result of that I am not using the uh notation Arrow arrow notation to denote the outcome of
decryption instead I am using the assignment operator to denote the outcome of the decryption function what
I mean by that is if I call the decryption algorithm multiple times with the same value of K and the same value
of c i Am bound to get the same M again and again I won't get different M for the different invocations of deck on the
same value of c and k in that sense it's a deterministic function and as a result we use the assignment operator to denote
the output of the deck function so that's the syntax of your key generation algorithm encryption
algorithm and the decryption algorithm so notice that we require the key generation algorithm and the encryption
algorithm to be randomized whereas the deck algorithm should be deterministic and there is a reason for that which we
lecture now how to typically use a symmetric Cipher so imagine we have a symmetric encryption scheme namely we
have a collection of key generation algorithm encryption algorithm and decryption algorithm and we assume that
the steps of this key generation encryption and decryption algorithm is publicly known that means the steps are
known even to the sender and the receiver or to any third party in this world now to use this symmetric ke
Cipher what sender is going to do is it's going to run the key generation algorithm which is going to Output one
of the candidate Keys namely K from the key space and this key will be agreed upon with the receiver by some magical
mechanism at the beginning of the session so we imagine that at the beginning of the session sender runs
this key generation algorithm and in that session there are several messages which sender would like to encrypt and
communicate to the receiver using this key so the first step of the session will be the key generation algorithm and
agreement of that key with the receiver by some magical mechanism now once the key is agreed upon every time sender
wants to encrypt a plain text M using this key what is going to run is the following it's going to run the
encryption algorithm to produce the cipher text and the cipher text will be communicated over the public Channel
which through which sender is communicated to the receiver and as and when the receiver receives the cipher
text what it is going to do is receiver will be knowing what encryption process has been used by the sender so it will
know the corresponding decryption process and not only that it will also know the key using which the sender has
operated the encryption process so using the same key it will operate the decryption process and will recover the
plain text that's how typically we are going to use a symmetric encryption process now what are the properties that
we need from any secure encryption scheme or a symmet secure symmetric key encryption scheme so roughly we need two
properties the first property is the correctness property which says that that for any key which the key
generation algorithm has output and for any plane text M which has been encrypted by m the following condition
should hold if I encrypt a plain text M under the key K to to obtain a cipher text C and if I decrypt that Cipher text
C using the decryption process under the same key K I should get back the original n that's a correctness property
to give you the analogy if you have a physical Lock And if I have two copies of the key what this correctness
property demand is that if I actually lock that key using the key and send that lock in the lock condition to you
and if you have also the same key and if you try to open that lock Lo in the locked position using the key that you
also own you should be able to open the lock from the locked condition to the open condition that's roughly the
property which we need or expect from a secure symmetric encryption process is that of privacy and now we are going to
see that what are the challenges we face when we try to formalize the Privacy requirement intuitively when we say that
a symmetric encryption process is secure or it achieves the Privacy property I mean that by seeing the cipher Tex C the
adversary or the bad guy who has observed a cyer Tex C should not be able to compute anything about the message M
that means imagine there's a third party who is the bad guy who has intercepted the cipher text who knows the details of
the key generation process the encryption process and the decryption process the only thing the bad guy does
not know is the the value of key with which the sender has operated the encryption process the Privacy property
demands informally that even after this knowledge the knowledge of Cipher text should not give any information about
there are several challenges that we face so what I'm going to do next is I will propose a series of definition to
formalize the Privacy condition and then we will see a potential loophole in each of these potential definitions which is
going to show you that what how difficult it is indeed to come up with a right definition of privacy so my first
candidate definition to formalize the Privacy definition is the following I will say that an encryption process is
secure if the cipher text does not reveal the underlying key the intuition behind this definition is that the if
the key is revealed to the adversary then it can find out any subsequent message which has been encrypted under
that key so the minimum requirement which I require from any private encryption scheme is that it the cipher
Tex should not reveal the underlying key well it turns out that the requirement is definitely meaningful from any secure
encryption process this definition is completely useless for example consider an encryption algorithm which always
outputs a cipher text which is same as the plane text that means the cipher text does not depend upon the pl key at
all and the value of the Cipher text is the same as the plain text if you see this definition and this this candidate
encryption process definitely the encryption process is not revealing anything about the key and as per this
definition you can label this encryption algorithm as a secure encryption algorithm but this kind of encryption
algorithm is completely useless to use in practice because it is completely revealing your plain
text so now let's Rectify this definition and let me come up with the second candidate definition to formalize
the Privacy definition and my definition two is I will say an encryption process is secure if the cipher text does not
reveal anything about the underlying plain text because that's what is the basic intuition of the Privacy the
problem with this kind of definition is what do you mean by Cipher text does not reveal the underlying plain text how
much it should reveal how much it should not reveal for example you might have an encryption process where 90 9% of the
plane text is not revealed by the cipher text but unfortunately the cipher text might be revealing 1% of the plain text
and that 1% of the plain text which is getting leaked by the cipher might be the critical information which you want
to hide again this definition and this candidate encryption process this candidate encryption process might look
like satisfying the definition too but actually such kind of encryption algorithm I cannot use in practice the
problem with this definition is I am not EX exactly specifying what it means by revealing and not revealing and how much
to reveal and how much not to reveal so to fix this definition let me propose the third definition potential
definition to formalize the Privacy definition the definition three says that an encryption process will be
considered as secure if the cipher text does not reveal any character of the underlying plantex so this will take
care of the potential bug which was there in our definition two or the candidate encryption that we propose to
violate definition 2 because now even if 1% is revealed it's not going to satisfy definition 3 but again there is a
potential loophole in this definition consider an encryption algorithm where Cipher text does not indeed reveal any
of the underlying characters of the plane text but the cipher text might reveal the range of the plane text
namely it might reveal whether the plane text is less than a particular threshold or whether it is greater than a
particular threshold again if I view the definition this candidate encryption scheme indeed satisfies the property
because no character of the underlying plane text is revealed but what is getting revealed is whether the plan
text is less than a certain value or greater than a certain value and that might itself be a security breach so I
cannot afford to use such kind of encryption algorithm to encrypt sensitive data because if the cipher
text is going to reveal the range of the sensitive data I might be in trouble so let's try to fix this
potential problem in definition four and the definition four says that an encryption process will be considered as
secure if the cipher text does not reveal any meaningful information about the underlying PL text that means not
only it should not only it should not it should hide not only the underlying PL text it should also hide whether the
message is less than a certain value greater than a certain value and so on well intuitively this definition is good
but the problem here is what exactly constitutes a meaning mean ful information varies from application to
application for certain application the underlying characters of the plain text might be the sensitive information for
another application whether the message is less than a certain value or greater than certain value that might be the
meaningful information and so on so you cannot exhaustively list down what it constitutes a meaningful information for
a particular application that's a downside of this definition so that's as a result I cannot take it as a
meaningful definition of privacy so to fix that problem let's come up with the next alternate next
possible definition of the privacy and this definition says that an encryption process will be called as secure if the
cipher text does not help the attacker to compute any function of the underlying plane text that means imagine
an attacker who has seen the cyer text who knows the encryption process and the attacker is interested to compute some
function say F of the underlying message which sender has actually encrypted in the cyer text we will say okay the the
encryption process is secure if using the knowledge of the cipher text adversary is not able to compute the
function of the underlying message well this is precisely what we expect from a secure Cipher but still there are
certain loopholes in this definition namely there are two loopholes the first loophole is that how do you formalize
whether a particular Cipher text has helped adversary to compute a function of the underlying plain text or not how
do you judge that how do you mathematically formalize that that's the first loophole in this definition and
the second def loophole in this definition is what exactly are the capabilities of the adversary you are
considering that is not specified in this definition that means whether you are considering an e stoer adversary who
is simply observing the cipher text and trying to compute the function or whether you are considering an adversary
or malicious adversary who could change the contents of the cipher text and see the behavior of the or the response of
the receiver and then trying to comp the functions of the underlying messages also this definition does not specify is
the adversary also provided with any kind of additional information that means what are the various capabilities
of the adversary which you are considering so even though intuitively definition five is the right definition
the two potential shortcomings of this definition is the exact formalization of whether the cipher text is helping the
adversary to compute any function of the underlying plane text and what precisely is the attack model or the adversarial
which we consider in the cryptography so typically in cryptography we consider the following four attack models the
first attack model is the cipher text only attack or the COA attack model the next attack model is the known PL text
attack model or kPa model the next attack model is the chosen plain text attack or CPA model and a final attack
model is the chosen cortex attack model or CC attack in all these attack models the scenario is the same we have a
sender and a receiver who have agreed upon some common Key by running the key generation algorithm and agreeing the
key with the other entity by some magical mechanism such that the adversary or the bad guy or the attacker
is not aware of the key and the adversary has intercepted some cyer text and the goal of the adversary is to
compute some function of the underlying plain text which has been in rted in this C what differs in these attack
models is the power of the attacker that means what kind of additional information apart from the CER text is
available to the attacker so what we are going to do next is we will go upon we will go through each of these attack
models and see what are the capabilities of the attack so let's start with the cipher text only attack model or the co
attack model which is the simplest possible attack scenario and here the scenario is the following we have the
sender and the receiver who have agreed upon a common key not known to the attacker and sender has encrypted
several messages using the same K as per the encryption process and the details of the encryption process is known to
the attacker the attacker has e dropped and intercepted those Cipher text so attacker does not have to do anything
fancy here it just have to listen over the channel what Cipher text contents have been communicated so that's why
this attack is passive in nature and the goal of the attacker here is to compute some functions of the underlying plane
text so apart from the cipher text knowledge no additional information is available to the attacker in this attack
model the next attack model is the kPa attack model which is slightly stronger attack model than the COA attack model
because here the adversary is available with some additional information compared to the previous model so the
additional information which is available to the adversary is the following the adversary is available
with a collection of messages comma Cipher text payer namely message M1 comma C1 message M2 comma C2 message Mt
comma CT that means it got a database of several message comma Cipher text pairer where each of the cipher text in the
pair is an encryption of the corresponding message in the pair under the same unknown key that's important
here all the messages and the cipher text are under the same unknown key which is not known to the attacker now
you might be wondering what exactly how exactly it is possible for an attacker to come up with such pairs of message
comma Cipher text in real life so there could be several scenarios through which it is possible for an attacker to get
access to such message comma ciper text pairer for instance all encrypted messages do not remain private
indefinitely Or if you consider the messages to be Email exchange then the first message in any email is usually
the message hello dear hi Etc in that sense the encryption of certain messages under the unknown key is going to be
revealed to the attacker so in this attack model we assume that attacker has already got a collection of several
message comma Cipher text payers and now a fresh message has been encrypted by the sender under the same key K and
communicated over the public Channel and the goal of the attacker is to compute some function of this message M using
the help of the cipher text I stress that that the message the fresh message which is now getting encrypted by the
sender might already belong to the collection of messages and Cipher text pays which adversary
possess and this shows the importance of your encryption process to be randomized so recall when we discuss the syntax of
symmetric encryption process I stress that the encryption process should be randomized that means even if I encrypt
the same message under the same key I should obtain a different Cipher text if you do not use a randomized encryption
process but instead use a deterministic encryption process and if the the same message is getting encrypted multiple
times then just by observing whether the cipher text gets repeated over the channel adversary could come to know
whether the same message is getting encrypted or not in this specific case if the fresh message M which sender is
actually communicating to the receiver is already present in the list and if my encryption process is a deterministic
encryption process then this C is going to be already present in the list of message comma CER text pairer and
adversary could easily find out the exact contents of the fresh message that's why I need my encryption process
to be a randomized encryption process so that's the kPa attack model and as you can see this is a more
powerful attack model because not only the adversary is available with the encryption of the message M he is also
available with the encryption of several earlier messages and there he's already available with the encryption of several
prior messages under the kyk the next attack model is a more powerful attack model and this is called
The Chosen PL Tex attack model or the CP attack model the scenario here is the following we have a common kyk agreed
upon between the sender and the receiver by some magical mechanism and now we assume here that the adversary gets an
encryption Oracle service to the encryption box what I mean by that is the adversary can force or it can
influence one of these two parties say for example the sender to encrypt any message of adversary's choice under the
keyk and importantly the sender who is actually providing the encryption Oracle service won't be aware that actually it
is encrypting messages of adversary's choice and providing those Cipher text to the adversary so that's why we say or
we model this kind of service as an encryption Oracle because adversary won't be knowing the value of the key
but still it will be able to get or see the encryption of messages of any of its choice of any message of its Choice
under that unknown key and it can get the encryption Oracle service for any number of message as long as it is polom
bounded or it is practical in nature that means it should not be possible for the adversary to get the encryption orle
service for an infinite amount of time he should be able to get encryption Oracle service only for a limited amount
of time or for a practical amount of time so we assume that it gets or it interacts with the encryption Oracle
service and some messages of its Choice the plain text of its choice and sees the corresponding Cipher text and it
builds upon a dictionary of messages comma Cipher text pirs in this particular case the message M1 comma C1
M2 comma C2 and the message Mt comma CT where all the cipher text are the encryptions of the corresponding message
messages under the unknown key ke so the amount the the kind of information that is available to the attacker here is
same as in the kPa namely in kPa model also adversary was provided with several message comma Cipher text payers under
the unknown keyk and here in the CPA model also adversary is available with several message comma Cipher text paays
under the unknown keyk the difference here is the messages in the adversary's database in the CPM model is now under
the underlying application is already aware that these are the potential messages which sender might encrypt in
the future the CPA model allows the adversary to see encryption of those messages in advance by getting an
encryption Oracle service right now you might be wondering that how in reality it is possible for
an adversary to influence the sender that please encryp this messages for me without actually sender knowing that she
or he is providing the encryption Oracle service to the attacker when we will be discussing the CPA attack model in some
some of our subsequent uh lectures we will see how in reality it is possible to launch CPA attack so now assume that
adversary is already available with this message comma ciper text pays the goal of the adversary is the following a
fresh message has been encrypted by the sender under the same unknown keyk and has been communicated over the cipher
open channel to the receiver and adversary has intercepted this Cipher text and the goal of the attacker is to
compute some function of the message which has been encrypted in this fresh Cipher text I stress here that a message
which is freshly encrypted might already belong to the database of message comma Cipher text paay which adversary possess
I also stress that this CP attack model is active in nature that means to get this encryption Oracle service the
adversary not only has to listen over the public Channel between the sender and the receiver it also need to change
the contents of the cipher text which are getting communicated between the sender and the receiver and see the
response of the receiver or the sender to get the encryption Oracle service that means this kind of this particular
type of attack is no longer an e dropping attack this is now an active attack so that's the CPA attack model
for you now let's go to the next attack model which is the strongest possible attack model which we call as the CCA
attack model and here adversary can now get two kind of encryption Oracle two kind of Oracle service it has got access
to the encryption Oracle service that means it can ask for encryption of any message of its Choice by influencing the
sender or the receiver plus it can get the decryption Oracle Service as as well from any of the two parties say for
example from the receiver what I mean by the decryption Oracle service is that it can submit any Cipher text of his choice
because adversary might be already aware that what could be the candidate Cipher text that your encryption and decryption
that your encryption process might produce so it can come up with any candidate Cipher text and submit it to
the the uh it can influence the receiver to decrypt those Cipher text for the adversary and in response the receiver
is going to decrypt those Cipher text and send back the corresponding plane text back to the adversary in that sense
we say that the adversary gets access to the decryption Oracle and there is no restriction on the order in which the
adversary could get the encryption and the decryption Oracle service it could see or it could ask for the encryption
Oracle service for certain number of steps and then it could ask for the decryption oral service for certain
number of steps and there is absolutely no restriction on what messages he could get encrypted under the encryption
Oracle and there is absolutely no restriction on what Cipher text it could get decrypted from the decryption Oracle
so we make no such a restriction and now adversary has two kinds of database so the first database
is what it gets from the encryption Oracle service so this is nothing but the encryption of several messages of
adversary's choice under the key k and the second database is the decryption of several candidate Cipher
text of adversary's choice and the important thing here is that all the encryptions and decryptions are done
under the same unknown keyk that's important here so adversary is now more powerful here and the goal of the
adversary is the following that now imagine sender has a fresh message which has been encrypted and the adversary e
drops the cyers C the goal of the adversary is to to compute some function of the underlying plain text M with the
help of the database that adversary has already prepared I stress that the message fresh message which sender is
sending might already belong to the list database that adversary produce the goal of the adversary is to compute that
message M which has been freshly encrypted using the help of the database that is available to that attacker so
these are the four attack models which we consider in the literature now when I say say that a particular encryption
scheme is secure in a particular attack model for example if I say that an encryption scheme is secure in the CCA
model by that I mean that even if an adversary is launching a CCA attack that means adversary got access to the
encryption Oracle service it got access to the decryption Oracle service still it should be difficult for the adversary
to compute any comp any function of the underlying plane text which has been freshly encrypted and communicated over
the channel any the same way if I say an encryption process is secure in the COA model or the cipher text only attack
model I mean that just by looking into the cipher text adversary should not be able to compute any function of the
underlying plain text right so these are the four attack models which we will discuss in this course regly now the
final thing which I want to discuss for this uh for this for this lecture is the Kos principle so definitely to maintain
the security the key with which the encryption and the decryption process are operated should be a secret because
if the key is leaked to the adversary adversary can definitely find out what has been encrypted or decrypted now you
might be wondering what about the encryption and decryption algorithm will I get more security by keeping the
strictly say that we should not follow this principle and this is coming from a well-known principle which we call as
kof's principle so kop was a well-known 19th century Dutch cryptographer and he let down several guidelines which should
be followed by any good practical secure Cipher and one of the guidelines states that that a crypto system should be
secure if everything about the system is public knowledge except the key that means what this principle clearly states
that the secrecy of the system should only rely on the secrecy of the key and not on the secret of the encryption and
decryption process now what is what is the importance of kido's principle what I mean by that what are the arguments in
the favor of kof's principle so the first argument in the favor of kof's principle is the following maintaining
the privacy of a key is a relatively easier task compared to maintaining the privacy of a pair of algorithm because
keys are roughly of size 100 bits 200 bits whereas programs are of thousand times larger than the size of the key so
that's why maintaining the private prac of a key is relatively an easier task than maintaining the privacy of a large
algorithm also the algorithm can be leaked or reverse engineer that means even if you assume that encryption and
decryption process which are operated by the sender and receiver are private just by launching on kPa attack where
adversary gets access to several messages and Cipher text pair adversary could reverse engineer the steps of the
encryption and decryption process also another argument in the favor of K's principle is that if you're key is
magnitude right whereas if a program is leaked then it is or if your encryption process is leaked then it is very very
difficult to come up with a substitute because as you will see in this course coming up with new encryption algorithm
is really really a very challenging task also it is invisible to imagine a scenario where a user selects a pair of
secret encryption and decryption process for every party with it with it with which it want to do the secure
communication for example if I want to do secure communication with 100 parties I cannot come up with 100 secret
algorithms or 100 secret encryption algorithms for each of these users whereas it is feasible to imagine that
I'm going to use the same encryption and decryption process with each of the 100 users but I'm going to use 100 different
and most importantly if your encryption and decryption algorithms are publicly available they go through public
scrutiny and if something has been proved to be secure even after they are existing for last 30 40 years then we
have a strong confidence that indeed those published algorithms are more secure compared to an algorithm about
which you do not know any details right so the summary here is it is extremely dangerous to use any kind of proprietary
encryption process so if someone says that hey I'm not going to leak the description of my encryption process but
I give you the guarantee that it gives you a very good amount of security you should not believe such encryption
process because you do not know what kind of loopholes might be present in such an algorithm so it's always
recommended to go or use algorithms which are available in public domain and has been scrutinized publicly so that
brings us in that brings us then to the end of this lecture to summarize we discuss the various types of of
cryptographic Primitives that we use in uh cryptography we also discussed the syntax of symmetric encryption process
and we focused on the importance of the key generation algorithm and the encryption algorithm to be randomized
because this comes as an implication of K chos principle which says that the secrecy of the whole system should rely
on the fact that only the key is hidden not the algorithms right we also discussed the various kinds of attack
models namely the co attack model the KP attack model the CPA attack model and the CC attack model I hope you enjoyed