1 files changed, 214 insertions, 0 deletions
diff --git a/ss2017/cryptography/Notes02.txt b/ss2017/cryptography/Notes02.txt
new file mode 100644
index 0000000..59da143
--- /dev/null
+++ b/ss2017/cryptography/Notes02.txt
@@ -0,0 +1,214 @@
+2 Principles of  cryptography (KL1.1, KL1.2, KL1.4, KL2)
+--------------------------------------------------------
+These considerations and similar ones applying to other historical
+ciphers have led to the principles for the design of cryptosystems.
+Before stating these we describe somewhat more formally what a
+(private-key) cryptosystem is. 
+A cryptosystem comprises three algorithms:
+- A key generation algorithm Gen which outputs a key according to some
+  format an probability distribution.
+- An encryption algorithm Enc which given plaintext m and key k
+  produces a ciphertext Enc_k(m)
+- A decryption algorithm Dec which given ciphertext c and key k
+  produces a plaintext Dec_k(m).
+The set of all keys possibly put out by the key generator Gen is
+called keyspace (K).  For every key k produced by Gen it must hold
+that Dec_k(Enc_k(m)) = m. There is also a finite set of possible
+messages M and ciphertexts C. Clearly, Gen must be randomized,
+otherwise it would always return the same key. Sometimes Enc is also
+randomized, i.e. ciphertexts may contain some random information and
+do not depend functionally on plaintext and key.
+One of the most important design principles is Kerckhoff's rule (19th
+century): Security of the cryptosystem should rely on secrecy of the
+key not on secrecy of the method. In other words, the cryptosystem
+should remain secure if everything about the three algorithms involved
+is publicly known. "No security through obscurity".
+In addition to this, the cryptosystem should withstand some or all of
+the following kinds of attack:
+Ciphertext only attack: an eavesdropper observes ciphertext and aims
+at determining the underlying plaintexts.
+Known plaintext attack (KPA): This is when the eavesdropper knows some
+ciphertext-plaintext pairs for one and the same key and tries to use
+this information to then decrypt additional ciphertexts (again
+w.r.t. the same key).
+Chosen plaintext attack (CPA): Here the adversary may prepare
+plaintexts of its choice and request the corresponding ciphertexts.
+Chosen ciphertext attack (CCA): Here the adversary can even request
+the decryption of ciphertexts of its choice.
+Modern cryptography, say since WW2, holds the following additional
+principles:
+Principle 1: Formulation of exact definitions
+Which notion of security is one aiming at?
+No adversary should be able to know the key ... But what if they can
+decrypt ciphertexts without knowing the key?
+No adversary should be able to decrypt any ciphertext unless they know
+the key. But what if they can find out some bits of the ciphertext,
+e.g. every second letter, or a block of letters somewhere in the
+middle?
+Principle 2: Reliance on precise assumptions
+Typically, security of a cryptosystem can be guaranteed only by making
+assumptions on the computational power of an adversary (with unlimited
+resources they could always try out all plaintexts) and also on the
+computational difficulty of solving certain algorithmic
+problems. Desirable as it would be to have unconditional security; if
+one has to work with assumptions one should at least state them
+precisely. Sometimes, security can only be proven for idealized
+versions of cryptosystems that use components not known to exist but
+which are believed to be "approximated" by existing components. Again,
+it is then important to clearly state what these idealized components
+or versions are.
+Principle 3: Rigorous proofs of security 
+Once the desired notion of security and the assumptions are clearly
+defined one should then establish a rigorous mathematical proof of
+conditional security.
+"Given that Assumption X is true, Construction Y is secure according
+to the given definition."
+As an example, we now look at perfect security in the sense of Shannon
+and see how Vernam's cipher (patented in 1919) implements it.
+In order to get around the fact that an adversary can always try out
+all possible plaintexts but that this kind of attack "doesn't count"
+Claude Shannon suggested to use probabilities: if one out of two
+messages is selected at random and the adversary gets to see the
+ciphertexts only it has a chance of no more than 50% of determining
+the plaintext correctly from the ciphertext. For cryptosystem Pi and
+adversary A we thus define the following
+Eavesdropping indistinguishability experiment PrivK^eav_{A,Pi}:
+  1. The adversary produces two messages m0, m1 from the message space M.
+  2. Gen is used to generate a (random) key k and a bit b <- {0,1} is
+     chosen uniformly at random (50/50). The (or rather a) ciphertext
+     c = Enc_k(m_b) is then given to A. 
+  3. A answers by outputting a bit b'.
+  4. The output of the experiment is defined 1 if b=b' and 0 otherwise.
+Definition (perfect secrecy): The encryption scheme Pi=(Gen,Enc,Dec)
+is perfectly secret if for all adversaries A it holds that
+                Pr[PrivK^eav_{A,Pi} = 1] = 0.5
+The following cryptosystems are not perfectly secure:
+A book cipher which uses a secret code book containing for each *word*
+another word to replace it. E,g. "bomb" gets enciphered as "cake" and
+"dollars" gets enciphered as "grams". Here the adversary could select
+m0="bomb bomb" and m1="dollar bomb". If the received ciphertext has
+the form c = x x then it will output b'=0 and if c = x y with x =/= y
+it goes for 1.
+The Vigenere cipher with key length uniformly chosen at random from
+{1,2} (and once the length is fixed keys also chosen at random).  The
+adversary can choose m0 = aa and m1=ab. If the ciphertext has the form
+xx it goes for b'=0. Otherwise it returns b'=1.
+Now, if b=0 then there is a 1/2+1/2*1/26 chance that the ciphertext
+has the form xx (key length 1 or key length 2 with equal letters) and thus
+the adversary is right with probability 1/2+1/52
+If b=1 then the adversary is right with probability 1-1/52 (the only
+way to be wrong is key length two and two key letters of distance 1).
+Thus, the total probability for A to be right is 1/2*(1/2+1/52) +
+1/2*(1-1/52) = 3/4.
+Proposition: Fix a cryptosystem Pi and suppose that plaintexts and
+keys are drawn according to some, not necessarily uniform
+distribution. The sytem Pi is perfectly secret if and only if
+               Pr[M=m | C=c] = Pr[M=m]
+for every fixed plaintext m and ciphertext c such that Pr[C=c] !=
+0.
+Proof (sketch): Suppose that Pr[M=m | C=c] != Pr[M=m] for some c and
+m. Since sum_m Pr[M=m | C=c] = sum_m Pr[M=m] = 1 (both are probability
+measures) there must exist m_0,m_1 (one of them m) such that Pr[M=m0 |
+C=c] < Pr[M=m0] and Pr[M=m1 | C=c] > Pr[M=m1].  By Bayes' theorem it
+follows that Pr[C=c|M=m0]<Pr[C=c] and Pr[C=c|M=m1]>Pr[C=c], thus in
+particular, Pr[C=c|M=m0] < Pr[C=c|M=m1].
+Now, consider the adversary who presents these messages m_0, m_1 and
+if the ciphertext returned is c
+then outputs b'=1, i.e. assume that the plaintext was not
+m0 and outputs b'=0 otherwise. Its success probability is 
+1/2*(1-Pr[C=c|M=m0]) + 1/2*Pr[C=c|M=m1] =
+1/2 + 1/2(Pr[C=c|M=m1] - Pr[C=c|M=m0])
+which is strictly above 1/2.
+For the converse, one uses the fact that all the adversary knows is
+the ciphertext, but according to the assumed equality Pr[M=m | C=c] =
+Pr[M=m] this does not help.                                  Q.E.D.
+Now, such perfectly secret cryptosystems exist indeed: for fixed n:N
+put M=C=K={0,1}^n and let Gen return k:K uniformly at random. The
+encryption function is Enc_k(m) = m+k and Dec_k(m) = m+k as well,
+where + denotes pointwise addition modulo 2 (XOR). For example, if n=5
+and k=11010 and m=11100 then Enc_k(m)=00110.
+This system is known as Vernam's cipher or "one time pad" the point
+being that its secrecy relies on the key being chosen afresh at random
+every time one wants to use the scheme. It can also be seen as a
+special case of the Vigenere cipher with the key being as long as the
+entire text to be enciphered.
+Proposition: The Vernam cipher is perfectly secret.
+Proof: This is because for a given plaintext m the ciphertexts are
+uniformly distributed, i.e., their distributions are identical and
+independent for m0 and m1. As a result, the adversary cannot have an
+advantage. Q.E.D.
+The obvious disadvantage of the one-time pad is the key length,
+nevertheless it is sometimes used, e.g. purportedly during the Cold
+War for secure communication between the White House and the Kremlin. 
+Unfortunately, this key length is the price of perfect secrecy:
+Theorem: If Pi is a perfectly secret cryptosystem with key space K and
+message space M then |K|>=|M|, i.e. there have to be at least as many
+possible keys as there are possible messages ("the key must be as long
+as the message").
+Proof: Suppose for a contradiction that |K|<|M| and that ciphertext
+c:C occurs with nonzero probability. Let M(c) = {m | Dec_k(c)=m for
+some k:K}.  We must have |M(c)|<=|K| since for each m:M(c) there is at
+least one k:K such that m=Dec_k(c) and the keys thus corresponding to
+distinct messages are distinct. If now |K|<|M| there must exist some
+m' not in M(c). But then Pr[M=m'|C=c] = 0 =/= Pr[M=m'], so the scheme
+is not perfectly secret.
+This result is due to Claude Shannon who gives in fact a more precise
+characterisation of perfect secrecy, see (KL2.4).

diff --git a/ss2017/cryptography/Notes02.txt b/ss2017/cryptography/Notes02.txt new file mode 100644 index 0000000..59da143 --- /dev/null +++ b/ss2017/cryptography/Notes02.txt
@@ -0,0 +1,214 @@
	1	2 Principles of cryptography (KL1.1, KL1.2, KL1.4, KL2)
	2	--------------------------------------------------------
	3
	4	These considerations and similar ones applying to other historical
	5	ciphers have led to the principles for the design of cryptosystems.
	6
	7	Before stating these we describe somewhat more formally what a
	8	(private-key) cryptosystem is.
	9
	10	A cryptosystem comprises three algorithms:
	11
	12	- A key generation algorithm Gen which outputs a key according to some
	13	format an probability distribution.
	14
	15	- An encryption algorithm Enc which given plaintext m and key k
	16	produces a ciphertext Enc_k(m)
	17
	18	- A decryption algorithm Dec which given ciphertext c and key k
	19	produces a plaintext Dec_k(m).
	20
	21	The set of all keys possibly put out by the key generator Gen is
	22	called keyspace (K). For every key k produced by Gen it must hold
	23	that Dec_k(Enc_k(m)) = m. There is also a finite set of possible
	24	messages M and ciphertexts C. Clearly, Gen must be randomized,
	25	otherwise it would always return the same key. Sometimes Enc is also
	26	randomized, i.e. ciphertexts may contain some random information and
	27	do not depend functionally on plaintext and key.
	28
	29	One of the most important design principles is Kerckhoff's rule (19th
	30	century): Security of the cryptosystem should rely on secrecy of the
	31	key not on secrecy of the method. In other words, the cryptosystem
	32	should remain secure if everything about the three algorithms involved
	33	is publicly known. "No security through obscurity".
	34
	35	In addition to this, the cryptosystem should withstand some or all of
	36	the following kinds of attack:
	37
	38	Ciphertext only attack: an eavesdropper observes ciphertext and aims
	39	at determining the underlying plaintexts.
	40
	41	Known plaintext attack (KPA): This is when the eavesdropper knows some
	42	ciphertext-plaintext pairs for one and the same key and tries to use
	43	this information to then decrypt additional ciphertexts (again
	44	w.r.t. the same key).
	45
	46	Chosen plaintext attack (CPA): Here the adversary may prepare
	47	plaintexts of its choice and request the corresponding ciphertexts.
	48
	49	Chosen ciphertext attack (CCA): Here the adversary can even request
	50	the decryption of ciphertexts of its choice.
	51
	52	Modern cryptography, say since WW2, holds the following additional
	53	principles:
	54
	55
	56	Principle 1: Formulation of exact definitions
	57
	58	Which notion of security is one aiming at?
	59
	60	No adversary should be able to know the key ... But what if they can
	61	decrypt ciphertexts without knowing the key?
	62
	63	No adversary should be able to decrypt any ciphertext unless they know
	64	the key. But what if they can find out some bits of the ciphertext,
	65	e.g. every second letter, or a block of letters somewhere in the
	66	middle?
	67
	68
	69	Principle 2: Reliance on precise assumptions
	70
	71	Typically, security of a cryptosystem can be guaranteed only by making
	72	assumptions on the computational power of an adversary (with unlimited
	73	resources they could always try out all plaintexts) and also on the
	74	computational difficulty of solving certain algorithmic
	75	problems. Desirable as it would be to have unconditional security; if
	76	one has to work with assumptions one should at least state them
	77	precisely. Sometimes, security can only be proven for idealized
	78	versions of cryptosystems that use components not known to exist but
	79	which are believed to be "approximated" by existing components. Again,
	80	it is then important to clearly state what these idealized components
	81	or versions are.
	82
	83
	84	Principle 3: Rigorous proofs of security
	85
	86	Once the desired notion of security and the assumptions are clearly
	87	defined one should then establish a rigorous mathematical proof of
	88	conditional security.
	89
	90	"Given that Assumption X is true, Construction Y is secure according
	91	to the given definition."
	92
	93	As an example, we now look at perfect security in the sense of Shannon
	94	and see how Vernam's cipher (patented in 1919) implements it.
	95
	96
	97	In order to get around the fact that an adversary can always try out
	98	all possible plaintexts but that this kind of attack "doesn't count"
	99	Claude Shannon suggested to use probabilities: if one out of two
	100	messages is selected at random and the adversary gets to see the
	101	ciphertexts only it has a chance of no more than 50% of determining
	102	the plaintext correctly from the ciphertext. For cryptosystem Pi and
	103	adversary A we thus define the following
	104
	105	Eavesdropping indistinguishability experiment PrivK^eav_{A,Pi}:
	106
	107	1. The adversary produces two messages m0, m1 from the message space M.
	108	2. Gen is used to generate a (random) key k and a bit b <- {0,1} is
	109	chosen uniformly at random (50/50). The (or rather a) ciphertext
	110	c = Enc_k(m_b) is then given to A.
	111	3. A answers by outputting a bit b'.
	112	4. The output of the experiment is defined 1 if b=b' and 0 otherwise.
	113
	114	Definition (perfect secrecy): The encryption scheme Pi=(Gen,Enc,Dec)
	115	is perfectly secret if for all adversaries A it holds that
	116
	117	Pr[PrivK^eav_{A,Pi} = 1] = 0.5
	118
	119	The following cryptosystems are not perfectly secure:
	120
	121	A book cipher which uses a secret code book containing for each word
	122	another word to replace it. E,g. "bomb" gets enciphered as "cake" and
	123	"dollars" gets enciphered as "grams". Here the adversary could select
	124	m0="bomb bomb" and m1="dollar bomb". If the received ciphertext has
	125	the form c = x x then it will output b'=0 and if c = x y with x =/= y
	126	it goes for 1.
	127
	128	The Vigenere cipher with key length uniformly chosen at random from
	129	{1,2} (and once the length is fixed keys also chosen at random). The
	130	adversary can choose m0 = aa and m1=ab. If the ciphertext has the form
	131	xx it goes for b'=0. Otherwise it returns b'=1.
	132
	133	Now, if b=0 then there is a 1/2+1/2*1/26 chance that the ciphertext
	134	has the form xx (key length 1 or key length 2 with equal letters) and thus
	135	the adversary is right with probability 1/2+1/52
	136
	137	If b=1 then the adversary is right with probability 1-1/52 (the only
	138	way to be wrong is key length two and two key letters of distance 1).
	139
	140	Thus, the total probability for A to be right is 1/2*(1/2+1/52) +
	141	1/2*(1-1/52) = 3/4.
	142
	143
	144	Proposition: Fix a cryptosystem Pi and suppose that plaintexts and
	145	keys are drawn according to some, not necessarily uniform
	146	distribution. The sytem Pi is perfectly secret if and only if
	147
	148	Pr[M=m \| C=c] = Pr[M=m]
	149
	150	for every fixed plaintext m and ciphertext c such that Pr[C=c] !=
	151	0.
	152
	153	Proof (sketch): Suppose that Pr[M=m \| C=c] != Pr[M=m] for some c and
	154	m. Since sum_m Pr[M=m \| C=c] = sum_m Pr[M=m] = 1 (both are probability
	155	measures) there must exist m_0,m_1 (one of them m) such that Pr[M=m0 \|
	156	C=c] < Pr[M=m0] and Pr[M=m1 \| C=c] > Pr[M=m1]. By Bayes' theorem it
	157	follows that Pr[C=c\|M=m0]<Pr[C=c] and Pr[C=c\|M=m1]>Pr[C=c], thus in
	158	particular, Pr[C=c\|M=m0] < Pr[C=c\|M=m1].
	159
	160	Now, consider the adversary who presents these messages m_0, m_1 and
	161	if the ciphertext returned is c
	162	then outputs b'=1, i.e. assume that the plaintext was not
	163	m0 and outputs b'=0 otherwise. Its success probability is
	164
	165	1/2(1-Pr[C=c\|M=m0]) + 1/2Pr[C=c\|M=m1] =
	166	1/2 + 1/2(Pr[C=c\|M=m1] - Pr[C=c\|M=m0])
	167
	168	which is strictly above 1/2.
	169
	170	For the converse, one uses the fact that all the adversary knows is
	171	the ciphertext, but according to the assumed equality Pr[M=m \| C=c] =
	172	Pr[M=m] this does not help. Q.E.D.
	173
	174	Now, such perfectly secret cryptosystems exist indeed: for fixed n:N
	175	put M=C=K={0,1}^n and let Gen return k:K uniformly at random. The
	176	encryption function is Enc_k(m) = m+k and Dec_k(m) = m+k as well,
	177	where + denotes pointwise addition modulo 2 (XOR). For example, if n=5
	178	and k=11010 and m=11100 then Enc_k(m)=00110.
	179
	180	This system is known as Vernam's cipher or "one time pad" the point
	181	being that its secrecy relies on the key being chosen afresh at random
	182	every time one wants to use the scheme. It can also be seen as a
	183	special case of the Vigenere cipher with the key being as long as the
	184	entire text to be enciphered.
	185
	186	Proposition: The Vernam cipher is perfectly secret.
	187
	188	Proof: This is because for a given plaintext m the ciphertexts are
	189	uniformly distributed, i.e., their distributions are identical and
	190	independent for m0 and m1. As a result, the adversary cannot have an
	191	advantage. Q.E.D.
	192
	193	The obvious disadvantage of the one-time pad is the key length,
	194	nevertheless it is sometimes used, e.g. purportedly during the Cold
	195	War for secure communication between the White House and the Kremlin.
	196
	197	Unfortunately, this key length is the price of perfect secrecy:
	198
	199	Theorem: If Pi is a perfectly secret cryptosystem with key space K and
	200	message space M then \|K\|>=\|M\|, i.e. there have to be at least as many
	201	possible keys as there are possible messages ("the key must be as long
	202	as the message").
	203
	204	Proof: Suppose for a contradiction that \|K\|<\|M\| and that ciphertext
	205	c:C occurs with nonzero probability. Let M(c) = {m \| Dec_k(c)=m for
	206	some k:K}. We must have \|M(c)\|<=\|K\| since for each m:M(c) there is at
	207	least one k:K such that m=Dec_k(c) and the keys thus corresponding to
	208	distinct messages are distinct. If now \|K\|<\|M\| there must exist some
	209	m' not in M(c). But then Pr[M=m'\|C=c] = 0 =/= Pr[M=m'], so the scheme
	210	is not perfectly secret.
	211
	212	This result is due to Claude Shannon who gives in fact a more precise
	213	characterisation of perfect secrecy, see (KL2.4).
	214