# Understanding Cryptography: Key Agreement and Symmetric Encryption

Heads up!

This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.

Generate a summary for freeIf you found this summary useful, consider buying us a coffee. It would help us a lot!

## Introduction

In the realm of cybersecurity, cryptography plays a pivotal role in establishing secure communication channels. In this lecture, we delve deeply into the essential problems addressed by cryptography, including the key agreement issue and the secure communication challenge. Additionally, we explore various types of cryptographic primitives, focusing primarily on symmetric and asymmetric encryption. This discussion will be supported by practical examples and definitions crucial for understanding these concepts.

## The Fundamental Problems in Cryptography

Cryptography primarily addresses two core problems that are vital for maintaining secure communication:

### Key Agreement Problem

- The first problem is the
**key agreement issue**. In scenarios where two parties, a**sender**and a**receiver**, wish to communicate securely, they often do not share any prior secrets. The goal here is for both parties to establish a common secret key that they can use for subsequent communications, all while ensuring that any third party, or eavesdropper, cannot derive this key from their exchanges.

### Secure Communication Problem

- The second core problem involves
**secure communication**. Once the sender and receiver have established a common key, they need to ensure the confidentiality and integrity of their messages. Confidentiality means that third parties cannot decipher the messages, while integrity ensures that the messages remain unchanged during transmission.

## Types of Cryptographic Primitives

Cryptographic primitives can be classified into two main categories:

### Symmetric Key Primitives

**Symmetric key primitives**, also known as private key primitives, use the same key for both encryption and decryption processes. This symmetry reduces computational overhead, making symmetric schemes efficient.

#### Advantages of Symmetric Cryptography

**Computational efficiency**- Generally faster due to less complex algorithms.**Simple key management**- Works well for smaller networks where secure key distribution is manageable.

#### Challenges of Symmetric Cryptography

- The major drawback lies in
**key distribution**; securing the initial exchange or agreement on the key becomes complex, especially over insecure channels.

### Asymmetric Key Primitives

**Asymmetric key primitives**, or public key cryptography, employ a pair of keys for encryption and decryption—a public key which can be shared widely and a private key that remains confidential. This eliminates the need for prior key agreements.

#### Benefits of Asymmetric Cryptography

**Easy key distribution**- Users can share public keys without needing to establish a secure communication beforehand.**Reduces risks of key sharing**- Since only the public key is shared, it reduces the likelihood of the key being intercepted.

#### Drawbacks of Asymmetric Cryptography

- The primary downside involves
**computational overhead**, making it slower compared to symmetric methods.

## In-Depth Discussion on Symmetric Key Primitives

To further understand symmetric encryption, let's analyze the key-generation, encryption, and decryption processes:

### Key Generation

- The sender activates the
**key generation algorithm**, which produces a random key**K**. - The algorithm leverages randomness to ensure that the key is unique for every session.

### Encryption Process

- With the key
**K**established, the sender encrypts the plaintext message**M**using the encryption algorithm. - This outputs cipher text
**C**, which is sent to the receiver.

### Decryption Process

- Upon receiving
**C**, the receiver uses the same key**K**to decrypt the cipher text. - The decryption algorithm restores the original plaintext
**M**.

## Importance of K's Principle

K's principle emphasizes that the security of the cryptographic system should ideally rely only on the secrecy of the key, while the encryption and decryption algorithms can be public knowledge. The advantages include:

- Simplicity in key management.
- Greater confidence in the system’s security through community scrutiny.

## Security Requirements for Symmetric Encryption

### Correctness Property

- This property mandates that encrypting a plaintext message with the key must allow the accurate retrieval of the original plaintext when decrypted with the same key.

### Privacy Property

- A fundamental requirement is that the encryption process should not unveil any information about the plaintext to an unauthorized observer. The various attack models serve as a framework for evaluating the security of the encryption scheme against potential threats.

## Attack Models in Cryptography

Cryptography recognizes different attack models that define the adversary’s capabilities, which include:

### Ciphertext-Only Attack (COA)

- The attacker has access only to the cipher text, seeking to derive meaningful information from it.

### Known-Plaintext Attack (KPA)

- Here, the attacker has access to both the cipher text and corresponding plaintexts, facilitating a potential analysis of the encryption scheme.

### Chosen-Plaintext Attack (CPA)

- In this model, the attacker can choose arbitrary plaintexts for encryption, analyzing the resultant cryptograms to uncover vulnerabilities.

### Chosen-Ciphertext Attack (CCA)

- This is the most potent model where the adversary can choose cipher texts to be decrypted, gaining insights into potential weaknesses in the algorithm.

## Conclusion

In summary, understanding the fundamental principles of cryptography, including key agreement and symmetric encryption, is critical for developing secure communication systems. The distinguishing characteristics of symmetric and asymmetric keys provide unique advantages and challenges that cybersecurity professionals must navigate. The principles laid out here guide the implementation of robust cryptographic methods aimed at safeguarding communications from potential threats. Critical reflection on the K's principle and an awareness of various attack models will further enhance one’s capability to design secure cryptographic systems.

### Key Takeaways:

- The key agreement and secure communication are central to cryptography.
- Symmetric and asymmetric primitives each hold distinct benefits and challenges.
- The K's principle highlights the importance of maintaining only key secrecy for security.
- Understanding attack models is essential for developing resilient cryptographic solutions.

follows we will discuss the fundamental problems addressed by cryptography namely the key agreement problem and a

secure communication problem then we will discuss the various types of cryptographic Primitives namely the

discussion on symmetric key Primitives where we will see the syntax of symmetric encryption mechanism and

informal security definition and then we will finish the lecture with K's principle right so if you remember in

the last lecture we discussed that the central problem addressed by cryptography is that of secure

communication and in it it turns out that secure communication is actually solved by solving two core problems and

the first core problem is that of key agreement so in the key agreement problem the scenario is the following we

have two entities a sender and a receiver who do not know know each other and who do not have any kind of

agreement protocol is is that as for the protocol the sender and the receiver should talk to each other over a public

Channel and it should be guaranteed to the sender that indeed it is talking to the Ram uh receiver and vice versa and

at the end of the protocol both sender and receiver should output a common Kik the security requirement from the key

agreement protocol is that even though the sender and the receiver are talking publicly and if there is a third party

who is actually e dropping the communication or noting down the entire communication which is happening between

the sender and the receiver then the third party should not be able to figure out what exactly is the key which sender

and receiver are going to Output at the end of the protocol so it's like saying the following that if I consider a class

and the key agreement protocol should require that if I want to agree upon a key with a particular student then using

the key agreement protocol I should shout something in the class and in response that particular student should

shout back something to me and using whatever I communicated to him and whatever he communicated back to me both

of us should be able to compute a common key and no one else in the class who have actually seen the actual messages

that I have communicated to that particular student and that student has communicated ated to me should not be

able to figure out what exactly is the key that myself and that particular student are going to Output that's a

first core problem addressed by cryptography and this will be the theme of the second half of the course where

we will see how using public cryptography which we can solve this key agreement problem the second core

problem which is addressed by cryptography is that of secure communication and here the setting is as

follows we imagine that sender and receiver now have a secret key K which has been agreed upon by some magical

mean in this context actually by running a key exchange protocol so we imagine that sender and receiver have executed a

secure key exchange protocol and as a result they have a common key already available with them now using the common

key the goal of the sender and the receiver is to talk over a public Channel such that the confidentiality of

the communication and the Integrity of the communication is ensured by confidentiality I mean any third party

who do not have the knowledge of the key should not be able to figure out what exactly are the contents which sender

and receiver are exchanging to each other and by Integrity I mean that if there is a third party who actually

intercepts some of the communication and tries to change the contents of the messages then it should be deductable at

both the ends so that's the second problem the second core problem addressed by cryptography and this will

be the theme of the first half of the course namely symmetric cryptography where we will assume that somehow the

sender and the receiver have already agreed upon the key and our goal will be to solve the problems of confidentiality

kind of Primitives are the symmetric symmetric key Primitives which are also called as private key Primitives and

here the same key is going to be used by both the sender as well as the receiver that's why the name symmetrically

primitive or private key cryptography symmetric because it's symmetric in nature the same key is getting used at

both the senders end as well as the receivers end and the name private key cryptography because the key K which is

common to both the sender and the receiver is going to be private it won't be available in the public domain now

there are both pros and cons of these kind of primitive the good side of these Primitives is that they are

computationally very efficient in practice and the downside of these Primitives is that the key agreement is

going to be a big issue that means all these Primitives Works under the assumption that the common key has been

already agreed upon by some magical mechanism and which is a big assumption so as ensuring that both sender and

Primitives the second kind of Primitives are called as asymmetric Primitives or public cryptographic Primitives where

the Primitive is operated with two keys one of the keys which is the the public key will be available in the public

domain whereas the other key namely the secret key will be available only to one of the entities or in the context of

encryption scheme it will be available only with the receiver that means this has asymmetry nature that's why the name

asymmetry primitive and the reason it is called public key primitive is that one of the keys is available in the public

domain again it has these kinds of Primitives have both plus as well as the down side the good side about this primi

is that you do not read any kind of key agreement that means if I take a public encryption scheme for instance then

there is no requirement to do any kind of key agreement whoever wants to encrypt a message for me it can take my

public key which will be available in the public domain so I don't need to explicitly agree upon a key with that

particular Center the downside of these kind of Primitives is that they are computationally inefficient that means

the amount of computation which are involved in this kind of primitive is of several orders of magn itude compared to

the computation required in the symmetric Primitives in practice we use a combination of both so when we will be

winding up our course and we will be discussing the real world protocols such as SSL we will see that how we combine

on private key or symmetry key encryption schemes so on a very high level the goal is the following the

setting is as follows we have a sender and a receiver and by some magical mechanism we assume that a random key

has been shared up agreed upon between the sender and the receiver so I denote the key as K which is actually going to

be a bit string now sender is interested to send some message M which is again going to be a bit string and in the

cryptographic jagon we call this string M to be the plain text now using the key sender is going to use an encryption

algorithm which takes the message and the key as the input and it produces another bit string denoted as C which is

the cipher text or the scramble text which is going to be communicated over a public channel to the

receiver at the receiving end receiver is going to take the cipher text which is a bit string and the key which H the

same key with which the sender has operated the encryption process and it's going to operate a decryption algorithm

now so the decryption algorithm is going to take the scramble text and the key and it's going to Output the plain text

which sender has actually encrypted using the encryption algorithm so the reason this encryption

mechanism is called symmetric encryption mechanism is that we have a symmetry that the same key is getting used both

for the encryption as well as the decryption so before going into the formal description of a symmetric

encryption process let's first try to understand the difference difference between a deterministic and a randomized

algorithm so a deterministic algorithm in a deterministic algorithm the output is a deterministic function of the input

that means if we consider the straight transition in the algorith inside the algorithm then the flow from the input

to the output is always a deterministic function what I mean by this is if I run a deterministic algorithm on an input x

100 times I going to get the same output y 100 times I won't get different output that means the output Y is a

deterministic function of the input X whereas in a randomized algorithm the flow from the input to Output is non-

deterministic and the flow is going to be decided by the value of random bit strings which are going to be generated

inside the algorithm as part of the algorithm that means in a randomized algorithm it is not guaranteed that if I

call that algorithm with the same input again and again it's not guaranteed that I'm going to get the same output and

output may depend upon the sequence of random bits which I'm going to generate inside the algorithm and depending upon

the value of those random bits what path I followed inside the algorithm so that's a very high level difference

symmetric ke encryption scheme so any symmetric key encryption scheme which is also called as a cipher is going to

consist of three algorithms the first algorithm is the key generation algorithm which is denoted by gen and

is as part of the algorithm inside there will be some random bit strings which are going to be generated which I denote

by this particular notation so when I say when when I write this notation that someone is tossing the coin I mean that

inside the algorithm random bit strings are going to be generated and based on the value of that bit string

the output is going to be determined so the output of this key generation algorithm is a key denoted by the symbol

K and since it's a randomized algorithm every time I run the key generation algorithm I am bound to get a

different output I won't get the same output the syntax that we use to denote the key generation algorithm is the

following we say that the key generation algorithm gen it does not take any input so that's why the brackets are left as

which I denote by K and this K belongs to a larger set this caligraphic K which is the set of all possible Keys which

this key algorith key generation algorithm can output and the important thing here is that since this algorithm

is a randomized algorithm that's why I do not say that the output of gen is assigned the value k instead I say that

the output of gen is going to take one of the possible value K from the set of all possible keys I am not using the

assignment operator because it's not a deterministic function it's a randomized function it's a randomized algorithm so

here this caligraphic K is the or the capital K is the set of all possible Keys which your key generation algorithm

could output so for instance if we know that a key generation algorithm is going to Output a 256bit key then I know that

this caligraphic key is a set of all possible 256bit strings namely the key space k is 2 to ^ 256 and as I said

earlier this key generation algorithm is going to be a randomized algorithm the second algorithm in any

symmetric encryption scheme is the encryption algorithm denoted as as ink and it is going to take two external

inputs namely the plane test which the sender wants to encrypt which is going to be a bit string which I denote by the

symbol B and the key K which the key generation algorithm would have output and apart from these two inputs it has

an internal input namely the internal random coins which are generated or the random bits which are generated as part

of this encryption process and as a result this encryption algorithm is a randomized algorithm So based on the

message the key space and the random bits which are generated inside the encryption algorithm the encryption

algorithm is going to Output a cipher text denoted as C so as I said that since the encryption

algorithm could generate internal random bits to decide the outcome C it is a randomized algorithm and the syntax that

we use to denote the encryption algorithm we is the following we say that the encryption of the plain text M

So within the brackets I'm writing the message M as the input that means that's the external input which this in deson

function takes as input and the K the key K is put as a subscript so I will say that the message m is encrypted

under the key K and since this algorithm is a randomized algorithm I am not using the assignment operator to denote the

output of this encryption algorithm instead I am saying that the output of this encryption algorithm is going to be

one of the possible Cipher text from the set of all possible Cipher text which you're encryption algorithm could

produce so since this encryption process is a randomized algorithm what it means is that even if I call this encryption

process with the same value of M and the same value of K multiple times I am going to get different Cipher text

because every time I call this encryption process the set of random bit strings which are generated as part of

the algorithm will be different and since C is going to be a function of both me of the message key and internal

random bits the value of C will be different for different invocations of C so that's the syntax of encryption

algorithm now the decryption algorithm takes the cipher text C as the external input and the key K which has been

generated by the key generation algorithm and in return it produces the plain text M so the syntax that I follow

to denote the decryption Alor is the following we say that decryption of the input C so here C is the external input

which is fed to the decryption function along with the key K so I will say that the decryption of the cipher text C

under the key K is going to produce the message M and the message M belongs to the largest set of possible plain text

namely capital M which is the plain text space now notice that my decryption algorithm here is a deterministic

function there are no random bit strings which are generated inside the decryption algorithm to decide the

outcome M and as a result of that I am not using the uh notation Arrow arrow notation to denote the outcome of

decryption instead I am using the assignment operator to denote the outcome of the decryption function what

I mean by that is if I call the decryption algorithm multiple times with the same value of K and the same value

of c i Am bound to get the same M again and again I won't get different M for the different invocations of deck on the

same value of c and k in that sense it's a deterministic function and as a result we use the assignment operator to denote

the output of the deck function so that's the syntax of your key generation algorithm encryption

algorithm and the decryption algorithm so notice that we require the key generation algorithm and the encryption

algorithm to be randomized whereas the deck algorithm should be deterministic and there is a reason for that which we

lecture now how to typically use a symmetric Cipher so imagine we have a symmetric encryption scheme namely we

have a collection of key generation algorithm encryption algorithm and decryption algorithm and we assume that

the steps of this key generation encryption and decryption algorithm is publicly known that means the steps are

known even to the sender and the receiver or to any third party in this world now to use this symmetric ke

Cipher what sender is going to do is it's going to run the key generation algorithm which is going to Output one

of the candidate Keys namely K from the key space and this key will be agreed upon with the receiver by some magical

mechanism at the beginning of the session so we imagine that at the beginning of the session sender runs

this key generation algorithm and in that session there are several messages which sender would like to encrypt and

communicate to the receiver using this key so the first step of the session will be the key generation algorithm and

agreement of that key with the receiver by some magical mechanism now once the key is agreed upon every time sender

wants to encrypt a plain text M using this key what is going to run is the following it's going to run the

encryption algorithm to produce the cipher text and the cipher text will be communicated over the public Channel

which through which sender is communicated to the receiver and as and when the receiver receives the cipher

text what it is going to do is receiver will be knowing what encryption process has been used by the sender so it will

know the corresponding decryption process and not only that it will also know the key using which the sender has

operated the encryption process so using the same key it will operate the decryption process and will recover the

plain text that's how typically we are going to use a symmetric encryption process now what are the properties that

we need from any secure encryption scheme or a symmet secure symmetric key encryption scheme so roughly we need two

properties the first property is the correctness property which says that that for any key which the key

generation algorithm has output and for any plane text M which has been encrypted by m the following condition

should hold if I encrypt a plain text M under the key K to to obtain a cipher text C and if I decrypt that Cipher text

C using the decryption process under the same key K I should get back the original n that's a correctness property

to give you the analogy if you have a physical Lock And if I have two copies of the key what this correctness

property demand is that if I actually lock that key using the key and send that lock in the lock condition to you

and if you have also the same key and if you try to open that lock Lo in the locked position using the key that you

also own you should be able to open the lock from the locked condition to the open condition that's roughly the

property which we need or expect from a secure symmetric encryption process is that of privacy and now we are going to

see that what are the challenges we face when we try to formalize the Privacy requirement intuitively when we say that

a symmetric encryption process is secure or it achieves the Privacy property I mean that by seeing the cipher Tex C the

adversary or the bad guy who has observed a cyer Tex C should not be able to compute anything about the message M

that means imagine there's a third party who is the bad guy who has intercepted the cipher text who knows the details of

the key generation process the encryption process and the decryption process the only thing the bad guy does

not know is the the value of key with which the sender has operated the encryption process the Privacy property

demands informally that even after this knowledge the knowledge of Cipher text should not give any information about

there are several challenges that we face so what I'm going to do next is I will propose a series of definition to

formalize the Privacy condition and then we will see a potential loophole in each of these potential definitions which is

going to show you that what how difficult it is indeed to come up with a right definition of privacy so my first

candidate definition to formalize the Privacy definition is the following I will say that an encryption process is

secure if the cipher text does not reveal the underlying key the intuition behind this definition is that the if

the key is revealed to the adversary then it can find out any subsequent message which has been encrypted under

that key so the minimum requirement which I require from any private encryption scheme is that it the cipher

Tex should not reveal the underlying key well it turns out that the requirement is definitely meaningful from any secure

encryption process this definition is completely useless for example consider an encryption algorithm which always

outputs a cipher text which is same as the plane text that means the cipher text does not depend upon the pl key at

all and the value of the Cipher text is the same as the plain text if you see this definition and this this candidate

encryption process definitely the encryption process is not revealing anything about the key and as per this

definition you can label this encryption algorithm as a secure encryption algorithm but this kind of encryption

algorithm is completely useless to use in practice because it is completely revealing your plain

text so now let's Rectify this definition and let me come up with the second candidate definition to formalize

the Privacy definition and my definition two is I will say an encryption process is secure if the cipher text does not

reveal anything about the underlying plain text because that's what is the basic intuition of the Privacy the

problem with this kind of definition is what do you mean by Cipher text does not reveal the underlying plain text how

much it should reveal how much it should not reveal for example you might have an encryption process where 90 9% of the

plane text is not revealed by the cipher text but unfortunately the cipher text might be revealing 1% of the plain text

and that 1% of the plain text which is getting leaked by the cipher might be the critical information which you want

to hide again this definition and this candidate encryption process this candidate encryption process might look

like satisfying the definition too but actually such kind of encryption algorithm I cannot use in practice the

problem with this definition is I am not EX exactly specifying what it means by revealing and not revealing and how much

to reveal and how much not to reveal so to fix this definition let me propose the third definition potential

definition to formalize the Privacy definition the definition three says that an encryption process will be

considered as secure if the cipher text does not reveal any character of the underlying plantex so this will take

care of the potential bug which was there in our definition two or the candidate encryption that we propose to

violate definition 2 because now even if 1% is revealed it's not going to satisfy definition 3 but again there is a

potential loophole in this definition consider an encryption algorithm where Cipher text does not indeed reveal any

of the underlying characters of the plane text but the cipher text might reveal the range of the plane text

namely it might reveal whether the plane text is less than a particular threshold or whether it is greater than a

particular threshold again if I view the definition this candidate encryption scheme indeed satisfies the property

because no character of the underlying plane text is revealed but what is getting revealed is whether the plan

text is less than a certain value or greater than a certain value and that might itself be a security breach so I

cannot afford to use such kind of encryption algorithm to encrypt sensitive data because if the cipher

text is going to reveal the range of the sensitive data I might be in trouble so let's try to fix this

potential problem in definition four and the definition four says that an encryption process will be considered as

secure if the cipher text does not reveal any meaningful information about the underlying PL text that means not

only it should not only it should not it should hide not only the underlying PL text it should also hide whether the

message is less than a certain value greater than a certain value and so on well intuitively this definition is good

but the problem here is what exactly constitutes a meaning mean ful information varies from application to

application for certain application the underlying characters of the plain text might be the sensitive information for

another application whether the message is less than a certain value or greater than certain value that might be the

meaningful information and so on so you cannot exhaustively list down what it constitutes a meaningful information for

a particular application that's a downside of this definition so that's as a result I cannot take it as a

meaningful definition of privacy so to fix that problem let's come up with the next alternate next

possible definition of the privacy and this definition says that an encryption process will be called as secure if the

cipher text does not help the attacker to compute any function of the underlying plane text that means imagine

an attacker who has seen the cyer text who knows the encryption process and the attacker is interested to compute some

function say F of the underlying message which sender has actually encrypted in the cyer text we will say okay the the

encryption process is secure if using the knowledge of the cipher text adversary is not able to compute the

function of the underlying message well this is precisely what we expect from a secure Cipher but still there are

certain loopholes in this definition namely there are two loopholes the first loophole is that how do you formalize

whether a particular Cipher text has helped adversary to compute a function of the underlying plain text or not how

do you judge that how do you mathematically formalize that that's the first loophole in this definition and

the second def loophole in this definition is what exactly are the capabilities of the adversary you are

considering that is not specified in this definition that means whether you are considering an e stoer adversary who

is simply observing the cipher text and trying to compute the function or whether you are considering an adversary

or malicious adversary who could change the contents of the cipher text and see the behavior of the or the response of

the receiver and then trying to comp the functions of the underlying messages also this definition does not specify is

the adversary also provided with any kind of additional information that means what are the various capabilities

of the adversary which you are considering so even though intuitively definition five is the right definition

the two potential shortcomings of this definition is the exact formalization of whether the cipher text is helping the

adversary to compute any function of the underlying plane text and what precisely is the attack model or the adversarial

which we consider in the cryptography so typically in cryptography we consider the following four attack models the

first attack model is the cipher text only attack or the COA attack model the next attack model is the known PL text

attack model or kPa model the next attack model is the chosen plain text attack or CPA model and a final attack

model is the chosen cortex attack model or CC attack in all these attack models the scenario is the same we have a

sender and a receiver who have agreed upon some common Key by running the key generation algorithm and agreeing the

key with the other entity by some magical mechanism such that the adversary or the bad guy or the attacker

is not aware of the key and the adversary has intercepted some cyer text and the goal of the adversary is to

compute some function of the underlying plain text which has been in rted in this C what differs in these attack

models is the power of the attacker that means what kind of additional information apart from the CER text is

available to the attacker so what we are going to do next is we will go upon we will go through each of these attack

models and see what are the capabilities of the attack so let's start with the cipher text only attack model or the co

attack model which is the simplest possible attack scenario and here the scenario is the following we have the

sender and the receiver who have agreed upon a common key not known to the attacker and sender has encrypted

several messages using the same K as per the encryption process and the details of the encryption process is known to

the attacker the attacker has e dropped and intercepted those Cipher text so attacker does not have to do anything

fancy here it just have to listen over the channel what Cipher text contents have been communicated so that's why

this attack is passive in nature and the goal of the attacker here is to compute some functions of the underlying plane

text so apart from the cipher text knowledge no additional information is available to the attacker in this attack

model the next attack model is the kPa attack model which is slightly stronger attack model than the COA attack model

because here the adversary is available with some additional information compared to the previous model so the

additional information which is available to the adversary is the following the adversary is available

with a collection of messages comma Cipher text payer namely message M1 comma C1 message M2 comma C2 message Mt

comma CT that means it got a database of several message comma Cipher text pairer where each of the cipher text in the

pair is an encryption of the corresponding message in the pair under the same unknown key that's important

here all the messages and the cipher text are under the same unknown key which is not known to the attacker now

you might be wondering what exactly how exactly it is possible for an attacker to come up with such pairs of message

comma Cipher text in real life so there could be several scenarios through which it is possible for an attacker to get

access to such message comma ciper text pairer for instance all encrypted messages do not remain private

indefinitely Or if you consider the messages to be Email exchange then the first message in any email is usually

the message hello dear hi Etc in that sense the encryption of certain messages under the unknown key is going to be

revealed to the attacker so in this attack model we assume that attacker has already got a collection of several

message comma Cipher text payers and now a fresh message has been encrypted by the sender under the same key K and

communicated over the public Channel and the goal of the attacker is to compute some function of this message M using

the help of the cipher text I stress that that the message the fresh message which is now getting encrypted by the

sender might already belong to the collection of messages and Cipher text pays which adversary

possess and this shows the importance of your encryption process to be randomized so recall when we discuss the syntax of

symmetric encryption process I stress that the encryption process should be randomized that means even if I encrypt

the same message under the same key I should obtain a different Cipher text if you do not use a randomized encryption

process but instead use a deterministic encryption process and if the the same message is getting encrypted multiple

times then just by observing whether the cipher text gets repeated over the channel adversary could come to know

whether the same message is getting encrypted or not in this specific case if the fresh message M which sender is

actually communicating to the receiver is already present in the list and if my encryption process is a deterministic

encryption process then this C is going to be already present in the list of message comma CER text pairer and

adversary could easily find out the exact contents of the fresh message that's why I need my encryption process

to be a randomized encryption process so that's the kPa attack model and as you can see this is a more

powerful attack model because not only the adversary is available with the encryption of the message M he is also

available with the encryption of several earlier messages and there he's already available with the encryption of several

prior messages under the kyk the next attack model is a more powerful attack model and this is called

The Chosen PL Tex attack model or the CP attack model the scenario here is the following we have a common kyk agreed

upon between the sender and the receiver by some magical mechanism and now we assume here that the adversary gets an

encryption Oracle service to the encryption box what I mean by that is the adversary can force or it can

influence one of these two parties say for example the sender to encrypt any message of adversary's choice under the

keyk and importantly the sender who is actually providing the encryption Oracle service won't be aware that actually it

is encrypting messages of adversary's choice and providing those Cipher text to the adversary so that's why we say or

we model this kind of service as an encryption Oracle because adversary won't be knowing the value of the key

but still it will be able to get or see the encryption of messages of any of its choice of any message of its Choice

under that unknown key and it can get the encryption Oracle service for any number of message as long as it is polom

bounded or it is practical in nature that means it should not be possible for the adversary to get the encryption orle

service for an infinite amount of time he should be able to get encryption Oracle service only for a limited amount

of time or for a practical amount of time so we assume that it gets or it interacts with the encryption Oracle

service and some messages of its Choice the plain text of its choice and sees the corresponding Cipher text and it

builds upon a dictionary of messages comma Cipher text pirs in this particular case the message M1 comma C1

M2 comma C2 and the message Mt comma CT where all the cipher text are the encryptions of the corresponding message

messages under the unknown key ke so the amount the the kind of information that is available to the attacker here is

same as in the kPa namely in kPa model also adversary was provided with several message comma Cipher text payers under

the unknown keyk and here in the CPA model also adversary is available with several message comma Cipher text paays

under the unknown keyk the difference here is the messages in the adversary's database in the CPM model is now under

the underlying application is already aware that these are the potential messages which sender might encrypt in

the future the CPA model allows the adversary to see encryption of those messages in advance by getting an

encryption Oracle service right now you might be wondering that how in reality it is possible for

an adversary to influence the sender that please encryp this messages for me without actually sender knowing that she

or he is providing the encryption Oracle service to the attacker when we will be discussing the CPA attack model in some

some of our subsequent uh lectures we will see how in reality it is possible to launch CPA attack so now assume that

adversary is already available with this message comma ciper text pays the goal of the adversary is the following a

fresh message has been encrypted by the sender under the same unknown keyk and has been communicated over the cipher

open channel to the receiver and adversary has intercepted this Cipher text and the goal of the attacker is to

compute some function of the message which has been encrypted in this fresh Cipher text I stress here that a message

which is freshly encrypted might already belong to the database of message comma Cipher text paay which adversary possess

I also stress that this CP attack model is active in nature that means to get this encryption Oracle service the

adversary not only has to listen over the public Channel between the sender and the receiver it also need to change

the contents of the cipher text which are getting communicated between the sender and the receiver and see the

response of the receiver or the sender to get the encryption Oracle service that means this kind of this particular

type of attack is no longer an e dropping attack this is now an active attack so that's the CPA attack model

for you now let's go to the next attack model which is the strongest possible attack model which we call as the CCA

attack model and here adversary can now get two kind of encryption Oracle two kind of Oracle service it has got access

to the encryption Oracle service that means it can ask for encryption of any message of its Choice by influencing the

sender or the receiver plus it can get the decryption Oracle Service as as well from any of the two parties say for

example from the receiver what I mean by the decryption Oracle service is that it can submit any Cipher text of his choice

because adversary might be already aware that what could be the candidate Cipher text that your encryption and decryption

that your encryption process might produce so it can come up with any candidate Cipher text and submit it to

the the uh it can influence the receiver to decrypt those Cipher text for the adversary and in response the receiver

is going to decrypt those Cipher text and send back the corresponding plane text back to the adversary in that sense

we say that the adversary gets access to the decryption Oracle and there is no restriction on the order in which the

adversary could get the encryption and the decryption Oracle service it could see or it could ask for the encryption

Oracle service for certain number of steps and then it could ask for the decryption oral service for certain

number of steps and there is absolutely no restriction on what messages he could get encrypted under the encryption

Oracle and there is absolutely no restriction on what Cipher text it could get decrypted from the decryption Oracle

so we make no such a restriction and now adversary has two kinds of database so the first database

is what it gets from the encryption Oracle service so this is nothing but the encryption of several messages of

adversary's choice under the key k and the second database is the decryption of several candidate Cipher

text of adversary's choice and the important thing here is that all the encryptions and decryptions are done

under the same unknown keyk that's important here so adversary is now more powerful here and the goal of the

adversary is the following that now imagine sender has a fresh message which has been encrypted and the adversary e

drops the cyers C the goal of the adversary is to to compute some function of the underlying plain text M with the

help of the database that adversary has already prepared I stress that the message fresh message which sender is

sending might already belong to the list database that adversary produce the goal of the adversary is to compute that

message M which has been freshly encrypted using the help of the database that is available to that attacker so

these are the four attack models which we consider in the literature now when I say say that a particular encryption

scheme is secure in a particular attack model for example if I say that an encryption scheme is secure in the CCA

model by that I mean that even if an adversary is launching a CCA attack that means adversary got access to the

encryption Oracle service it got access to the decryption Oracle service still it should be difficult for the adversary

to compute any comp any function of the underlying plane text which has been freshly encrypted and communicated over

the channel any the same way if I say an encryption process is secure in the COA model or the cipher text only attack

model I mean that just by looking into the cipher text adversary should not be able to compute any function of the

underlying plain text right so these are the four attack models which we will discuss in this course regly now the

final thing which I want to discuss for this uh for this for this lecture is the Kos principle so definitely to maintain

the security the key with which the encryption and the decryption process are operated should be a secret because

if the key is leaked to the adversary adversary can definitely find out what has been encrypted or decrypted now you

might be wondering what about the encryption and decryption algorithm will I get more security by keeping the

strictly say that we should not follow this principle and this is coming from a well-known principle which we call as

kof's principle so kop was a well-known 19th century Dutch cryptographer and he let down several guidelines which should

be followed by any good practical secure Cipher and one of the guidelines states that that a crypto system should be

secure if everything about the system is public knowledge except the key that means what this principle clearly states

that the secrecy of the system should only rely on the secrecy of the key and not on the secret of the encryption and

decryption process now what is what is the importance of kido's principle what I mean by that what are the arguments in

the favor of kof's principle so the first argument in the favor of kof's principle is the following maintaining

the privacy of a key is a relatively easier task compared to maintaining the privacy of a pair of algorithm because

keys are roughly of size 100 bits 200 bits whereas programs are of thousand times larger than the size of the key so

that's why maintaining the private prac of a key is relatively an easier task than maintaining the privacy of a large

algorithm also the algorithm can be leaked or reverse engineer that means even if you assume that encryption and

decryption process which are operated by the sender and receiver are private just by launching on kPa attack where

adversary gets access to several messages and Cipher text pair adversary could reverse engineer the steps of the

encryption and decryption process also another argument in the favor of K's principle is that if you're key is

magnitude right whereas if a program is leaked then it is or if your encryption process is leaked then it is very very

difficult to come up with a substitute because as you will see in this course coming up with new encryption algorithm

is really really a very challenging task also it is invisible to imagine a scenario where a user selects a pair of

secret encryption and decryption process for every party with it with it with which it want to do the secure

communication for example if I want to do secure communication with 100 parties I cannot come up with 100 secret

algorithms or 100 secret encryption algorithms for each of these users whereas it is feasible to imagine that

I'm going to use the same encryption and decryption process with each of the 100 users but I'm going to use 100 different

and most importantly if your encryption and decryption algorithms are publicly available they go through public

scrutiny and if something has been proved to be secure even after they are existing for last 30 40 years then we

have a strong confidence that indeed those published algorithms are more secure compared to an algorithm about

which you do not know any details right so the summary here is it is extremely dangerous to use any kind of proprietary

encryption process so if someone says that hey I'm not going to leak the description of my encryption process but

I give you the guarantee that it gives you a very good amount of security you should not believe such encryption

process because you do not know what kind of loopholes might be present in such an algorithm so it's always

recommended to go or use algorithms which are available in public domain and has been scrutinized publicly so that

brings us in that brings us then to the end of this lecture to summarize we discuss the various types of of

cryptographic Primitives that we use in uh cryptography we also discussed the syntax of symmetric encryption process

and we focused on the importance of the key generation algorithm and the encryption algorithm to be randomized

because this comes as an implication of K chos principle which says that the secrecy of the whole system should rely

on the fact that only the key is hidden not the algorithms right we also discussed the various kinds of attack

models namely the co attack model the KP attack model the CPA attack model and the CC attack model I hope you enjoyed