“Cryptography is about communication in the presence of an adversary.”
– Prof. Ron Rivest
Encryption is one of the main tools that we use to protect data confidentiality. The goal of Part 3 of this course is to study encryption and its role in:
Encryption is a powerful tool with immense social consequences.
“Cryptography rearranges power: it configures who can do what, from what.”
– Prof. Phillip Rogaway (UC Davis)
For this reason, I encourage you to put yourself in the role of Mallory and ask “what if” questions.
In particular, encryption has an all-or-nothing property: anyone who possesses the secret key can decrypt and read a message. It does not matter whether or not you wanted them to!
A symmetric key encryption scheme has three methods: KeyGen, Enc, and Dec. It satisfies two properties.
Correctness: Dec undoes the action of Enc. That is, for any key \(k\), message \(P\), and randomness \(R\) it holds that \[\text{Dec}(k, \text{Enc}(k, P; R)) = P.\]
Secrecy (informally): If an attacker Mallory sees the ciphertext \(C\) but not the symmetric key \(k\), then she has no chance of learning any part of the plaintext message \(P\).
Question. How can Alice encode messages so Mallory cannot read them?
Last time, we discussed the idea of a one-time pad, which satisfies perfect secrecy but has several downsides.
Modern symmetric encryption schemes are designed using a pseudorandom permutation \(f: \{0, 1\}^n \to \{0, 1\}^n\). This function is deterministic but “acts random.”
A pseudorandom permutation (or PRP) is almost like a cryptographic hash function, except that:
As a result, this primitive is somewhat easier to build, and therefore faster, than a cryptographic hash function.
Still though, we require that the truth table (that maps inputs to outputs) “appears random.”
In other words, the pseudorandom permutation acts as a “foreign language” that removes all structure from the (say) English-language input… except that using the exact same input twice will result in the same output.
Today, we will look at the inner workings of a newer NIST standard: the SHA-3 cryptographic hash function.
Why NIST chose Keccak, in their words:
The notion of security margins is also related to Schneier’s law.
The design of Keccak contains two main components.
Fixed-length permutation: a deterministic, pseudorandom permutation called Keccak-\(f\) with a fixed input/output length of \(b = 1600\) bits, which is carefully designed to act like a truly random function.
Mode of operation: an interative way to make many calls to the \(f\) function in order to process each chunk of a variable-length input.
The mode used by Keccak is called a sponge function. It has two stages.
At any given time, the sponge function remembers \(b\) bits of state. It cleverly partitions the state into two components.
The first \(r\) bits are called the rate. This part determines the throughput of the sponge function, i.e., the number of bits of the message that get processed by each call to the Keccak-\(f\) function.
The remaining \(c\) bits are called the capacity. This part determines the security of the sponge function, up to a birthday bound attack (i.e., about \(2^{c/2}\) work is required to break it).
“When for instance \(c = 512\), a random sponge offers the same resistance as a random oracle but with a maximum of \(2^{256}\) in complexity.”
– Bertoni, Daemen, Peeters, and Van Assche. On the Indifferentiability of the Sponge Construction
When used as a cryptographic hash function, Keccak is instantiated with a fixed output length (e.g., 224, 256, 384, or 512 bits).
Note that the message only touches the rate bits of the state. Meanwhile, the capacity bits are only influenced by the Keccak-\(f\) function itself, and therefore always remain “random-looking.”
By a birthday bound, two states with random-looking capacity bits are unlikely to collide.
In many applications that use hash functions, it is common to add a nonce to the input. This random, public value is used to:
In hash function lingo, this nonce is typically called a salt.
Have you ever wondered how your computer stores the password to log into itself? It seems like circular logic if:
For this reason:
Remember the preimage resistance guarantee provided by cryptographic hash functions: given a random \(y\), it is difficult to find any preimage \(x\) such that \(H(x) = y\).
However, passwords are generated by people. As a result, they are not chosen uniformly at random, and in practice they tend to follow Zipf’s law.
Some passwords are extremely common and guessable, like 123456 or password.
Many passwords are short and brute-forceable.
Some people choose long, strong passwords.
As a result, password hash functions are specifically designed to be slow and resource-consuming.
Question. How do you make a function deliberately slow, in a way that is impossible to speed up?
Keccak’s sponge function design provides an elegant way to design a computationally-slow hash function: simply absorb more data.
Newer password hash functions like argon2 are also designed to require a lot of memory, so that a brute-force attack is harder to execute on a GPU or dedicated hardware device.
Recall that two of the problems with a one-time pad were key length and key reuse.
We can use a sponge function to address these issues. Given only:
we can pseudorandomly build a long key stream that Alice and Bob can XOR with their private data.
It is imperative that each IV be used only once. If an IV is reused, then we are back to the two-time pad problem. That said, the IV does not need to be kept hidden from the adversary.
In other words:
The Keccak sponge function construction can be used to design a MAC for variable length messages.
Because symmetric key encryption and MACs are so useful (and fast!), it is common to use them together. That is: for most messages that we send over the Internet, we want data confidentiality and integrity!
Question. Suppose there is a message \(P\) that we want to be private and authenticated. What is the best way to combine encryption and MACs?
If you don’t know anything about the specific symmetric key encryption and MAC constructions used, then the most important thing to remember is that the MAC does not provide data confidentiality.
This leads us to the right answer for this question, and more generally to the cryptographic doom principle.
“If you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom!”
– Moxie Marlinspike
If you do know the specific encryption and MAC used, then it is possible to combine them in a more efficient manner. For instance, once again we can use the Keccak sponge function design to build a combined Enc+MAC.
This combined primitive is called authenticated encryption. In general, suppose that the sender Alice has:
Definition. Authenticated encryption with associated data (AEAD) contains three algorithms:
KeyGen: randomly choose \(k\), as usualEnc\((k, P, A, N)\): produces a ciphertext/tag \(C\) of length \(|C| \geq |P|\)Dec\((k, C, A, N)\): returns the original private message \(P\)The AEAD security game combines aspects of ciphertext indistinguishability and tag unforgeability. The simplest way to explain it is via the following thought experiment: Mallory cannot tell the difference between the two sides of this picture.
Why should we combine authentication and encryption?
Next time, we will apply authenticated encryption in order to protect data at rest on your hard drive.