Reading notes on
Authors: Jonathan Katz and Yehuda Lindell
Some of the cryptography textbooks I read before are either very application-oriented (e.g. Cryptography and Network Security: Principles and Practice), giving only results and none of the important proofs, or entirely mathematical in their exposition (e.g. the books by Oded Goldreich or by Micali and others), with no (or very little) consideration of applications. This book seems to fill that gap well and strikes a reasonable balance:
"suitable for self-study (especially for beginning graduate students)"
"a rigorous treatment of modern cryptography in an accessible manner appropriate for an introduction to the topic."
In the preface the authors also summarize the core methodological contributions of modern cryptography:
1. "The central role of definitions: ...recognition that formal definitions of security are an essential first step in the design of any cryptographic primitive or protocol."
2. "The importance of formal and precise assumptions: ...any such assumptions must be clearly and unambiguously defined."
3. "The possibility of rigorous proofs of security: ...cryptographic constructions can be proven secure with respect to a given definition of security and relative to a well-defined cryptographic assumption. This is the essence of modern cryptography."
So this book sits nicely on the middle road. The one shortcoming, I feel, is that the content is still rather traditional and not very comprehensive. (Though from the standpoint of an introduction that should count as a strength :-))
Chapter 1: Introduction and Classical Ciphers
1. The scope of modern cryptography is much broader, covering:
"the scientific study of techniques for securing digital information, transactions, and distributed computations."
"cryptography has gone from an art form that dealt with secret communication for the military to a science that helps to secure systems for ordinary people all across the globe."
2. The introduction to classical cryptography helps us understand the background against which modern cryptography developed.
3. The system model of private-key encryption:
The setting in which the communicating parties share some secret information in advance is now known as the private-key (or the symmetric-key) setting.
The shared key serves to distinguish the communicating parties from any other parties who may be eavesdropping on their communication.
The same key is used to convert the plaintext into a ciphertext and back.
An implicit assumption in any system using private-key encryption is that the communicating parties have some way of initially sharing a key in a secret manner.
(In many modern settings, however, parties cannot arrange any such physical meeting.)
A private-key encryption scheme, or cipher, is comprised of three algorithms: the first is a procedure for generating keys, the second a procedure for encrypting, and the third a procedure for decrypting.
That is, the system consists of three parts: KeyGen, Enc_k, Dec_k.
(These are the most basic facts, so I will not go into detail here.)
4. Kerckhoffs' principle:
The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
In other words, the encryption scheme itself should not be kept secret, and so only the key should constitute the secret information shared by the communicating parties.
(Very important. Although it is simple, in the practical management of cryptosystems we often tend to forget this basic premise, and must learn the lesson: security relies solely on the secrecy of the key.)
5. Next, the four attack models are introduced: two passive and two active attacks.
Ciphertext-only attack, known-plaintext attack, chosen-plaintext attack, chosen-ciphertext attack.
6. Section 1.3 gives a concise and purposeful introduction to several classical ciphers that descend from one another. All of these ciphers can be broken either by brute force, when the key space is small, or by exploiting letter-frequency statistics. One new thing I learned is that, beyond comparing directly against a letter-frequency table, we can also exploit a regularity that exists in them: this rule lets the attack be turned into a fast automated algorithm!
7. From the analysis of these classical ciphers we can draw two basic lessons: first, the key space must be large enough that brute force is infeasible; second, cipher design is hard, and a complicated cipher is not necessarily a secure one. Ciphers must be designed by experts.
8. The Basic Principles of Modern Cryptography (a very important part)
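The two lessons above, as an added example that is not from the book or from this post: a shift cipher has only 26 keys, so a defender can see exactly why "a small key space plus letter-frequency statistics" settles the matter. The code tries every key and scores each candidate plaintext against an approximate English letter-frequency table (the table values are standard approximations, not taken from the book); the sample plaintext is constructed for the demonstration.

```python
import string

ALPHA = string.ascii_uppercase

# Approximate relative frequencies (percent) of letters in English text.
# These are the usual textbook values, embedded here so the example runs offline.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def shift_enc(key: int, plaintext: str) -> str:
    """Shift cipher Enc_k: rotate each letter by key positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_dec(key: int, ciphertext: str) -> str:
    """Shift cipher Dec_k is encryption with the negated key."""
    return shift_enc(-key % 26, ciphertext)


def letter_frequencies(text: str) -> dict:
    """Observed relative frequency of each letter in text (letters only)."""
    letters = [ch for ch in text.upper() if ch in ALPHA]
    total = len(letters) or 1
    return {a: letters.count(a) / total for a in ALPHA}


def english_score(text: str) -> float:
    """Dot product of observed frequencies with the English table.

    Genuine English aligns the peaks (E, T, A, ...) with the table and scores
    highest; a wrongly shifted text scatters the peaks and scores lower.
    """
    obs = letter_frequencies(text)
    return sum(obs[a] * ENGLISH_FREQ[a] / 100.0 for a in ALPHA)


def break_shift(ciphertext: str):
    """Brute force all 26 keys and return (key, plaintext) with the best English score."""
    candidates = [(english_score(shift_dec(k, ciphertext)), k) for k in range(26)]
    best_score, best_key = max(candidates)
    return best_key, shift_dec(best_key, ciphertext)


# Constructed sample plaintext (long enough for frequency statistics to be meaningful).
SAMPLE = ("THE SECURITY OF A CIPHER MUST RELY ON THE SECRECY OF THE KEY AND NOT ON "
          "THE SECRECY OF THE ALGORITHM ITSELF. A CIPHER MUST BE PRACTICALLY IF NOT "
          "MATHEMATICALLY INDECIPHERABLE.")

if __name__ == "__main__":
    c = shift_enc(3, SAMPLE)
    key, recovered = break_shift(c)
    print("recovered key:", key)
    print("plaintext:", recovered)
```

The point for a defender is the size of the search, not the cleverness of the scoring: 26 decryptions and one frequency comparison each is all that stands between the ciphertext and the key, which is why Principle 1 of the chapter insists on a key space that cannot be enumerated.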
Principle 1 — the first step in solving any cryptographic problem is the formulation of a rigorous and precise definition of security.
Principle 2 — when the security of a cryptographic construction relies on an unproven assumption, this assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.
Principle 3 — cryptographic constructions should be accompanied with a rigorous proof of security with respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle 2 (if an assumption is needed at all).
This part presents the research paradigm of modern cryptography, i.e. it argues why modern cryptography adopts a rigorous approach. A large part of the reason is the high demands placed on cryptography, and the serious consequences once something goes wrong.
What does "rigorous" mean? It means building on a formal mathematical foundation, which in turn requires rigorous formal definitions first: without a definition, what is there to formalize mathematically? Next come rigorously and formally stated basic assumptions: since complexity theory still has unresolved problems, many cryptographic constructions are built on assumptions, some weak and some strong, and these assumptions should be as low-level and general as possible. Then comes a rigorous proof of security, because the correctness requirements on a cryptosystem are far higher: one cannot rely on flaws being found the way bugs are found in ordinary programs, since few users will deliberately attack an ordinary program.
9. It is not easy, in general, to turn our intuition into a "good" definition.
Definitions of security should suffice for all potential applications.
Our formal definition must also specify the attack model. The first is what is considered to be a break, and the second is what is assumed regarding the power of the adversary.
The power of the adversary relates to assumptions regarding the actions the adversary is assumed able to take, as well as the adversary's computational power.
In summary, any definition of security will take the following general form:
A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.
The definition never assumes anything about the adversary's strategy.
“arbitrary adversary principle”: security must be guaranteed for any adversary within the class of adversaries with the specified power.
On the relationship between mathematical models and the real world, using Turing's rigorous model of computation (introduced to settle questions of computability) as an example, several basic ideas are explained: one is that definitions originate in intuition but must go beyond it, because intuition is unreliable.
A definition of security must accurately model the real-world security needs in order for it to deliver on its mathematical promise of security.
10. Study of an assumption can provide positive evidence of its validity by showing that it is implied by some other assumption that is also widely believed.
Once we have assumptions we have a basis for comparison. If the assumptions used by the two schemes are incomparable, then the general rule is to prefer the scheme that is based on the better-studied assumption.
An assumption that has been tested over the years is preferable to a new assumption that is introduced just to prove a given construction secure.
11. Experience has shown that intuition in cryptography and computer security is disastrous.
Although proofs of correctness are always desirable in computer science, they are absolutely essential in the realm of cryptography and computer security.
The common proof-by-reduction approach is then introduced more concretely:
Given that Assumption X is true, Construction Y is secure according to the given definition.
Chapter 2: Perfectly-Secret Encryption
The content of this chapter is quite clear: it presents the theory of perfect encryption in the information-theoretic setting. First, in keeping with the previous chapter, several equivalent rigorous definitions of perfect secrecy are given. Their core is that after obtaining the ciphertext (only the most basic ciphertext-only attack is considered here) the adversary gains no new knowledge about the prior probability distribution over plaintexts; that is, the posterior distribution is identical to the prior.
Ideally, observing this ciphertext should have no effect on the knowledge of the adversary.
The a posteriori likelihood that some message m was sent (even given the ciphertext that was seen) should be no different from the a priori probability that m would be sent.
A ciphertext reveals nothing about the underlying plaintext, and thus an adversary who intercepts a ciphertext learns absolutely nothing about the plaintext that was encrypted.
Pr[M = m | C = c] = Pr[M = m]. (The distributions over messages and ciphertexts are independent.)
Pr[C = c | M = m] = Pr[C = c].
(perfect indistinguishability) Pr[C = c | M = m0] = Pr[C = c | M = m1]. (It is impossible to distinguish an encryption of m0 from an encryption of m1.)
(adversarial indistinguishability: the inability of the adversary to distinguish the encryption of one plaintext from the encryption of another.) The adversarial indistinguishability experiment PrivK^{eav}_{A,Π}:
1. The adversary A outputs a pair of messages m0, m1 ∈ M.
2. A random key k is generated by running Gen, and a random bit b ← {0, 1} is chosen. (These are chosen by some imaginary entity that is running the experiment with A.) Then, the ciphertext c ← Enc_k(m_b) is computed and given to A.
3. A outputs a bit b'.
4. The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. We write PrivK^{eav}_{A,Π} = 1 if the output is 1 and in this case we say that A succeeded.
(Clearly the last definition coincides with the definition commonly used today.)
The different definitions let us pick whichever is suitable and convenient for a given proof; for understanding, they offer different perspectives on the same notion.
Next a concrete scheme is presented, the one-time pad: the key is a 0-1 string of the same length as the plaintext, and both encryption and decryption are an XOR; I will not describe it further. What matters is that it brings out some drawbacks of perfect secrecy. For the one-time pad these are that the key is too long and may be used only once (otherwise a frequency attack becomes possible), and that the security only holds against a ciphertext-only attack.
The next part states, in theorem form, the inherent limitation of perfect secrecy: the key must be at least as long as the plaintext. Essentially this is Shannon's theorem, which gives an equivalent characterization of perfect secrecy:
(Note: 1. this theorem characterizes perfect secrecy from the perspective of the key itself; 2. it is an iff, i.e. an equivalence.)
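The PrivK^{eav} experiment, the one-time pad, and the two limitations noted above (key reuse, and a key shorter than the message), as an added example that is not from the book or from this post. Rather than sampling keys at random, the code enumerates every key and both values of b for a tiny message length, so the success probability comes out as an exact fraction: 1/2 for the one-time pad, and 1 for a deliberately weakened variant that repeats a one-byte key across a two-byte message. The adversary, the weak variant and the message pair are constructed for the demonstration.

```python
from fractions import Fraction
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- One-time pad: Gen picks a uniform key exactly as long as the message ---
def otp_keys(n: int):
    """Every n-byte key (2^(8n) of them; only feasible for the tiny n used here)."""
    for tup in product(range(256), repeat=n):
        yield bytes(tup)


def otp_enc(k: bytes, m: bytes) -> bytes:
    assert len(k) == len(m), "one-time pad key must match the message length"
    return xor_bytes(k, m)


def otp_dec(k: bytes, c: bytes) -> bytes:
    return xor_bytes(k, c)


# --- Deliberately weak variant (constructed for this example): a 1-byte key
# repeated across the message. The key is shorter than the message, so by
# Shannon's theorem it cannot be perfectly secret; the experiment shows why. ---
def short_keys(n: int):
    for k in range(256):
        yield bytes([k])


def short_enc(k: bytes, m: bytes) -> bytes:
    return xor_bytes(k * len(m), m)


def privk_eav(keyspace, enc, m0: bytes, m1: bytes, guess) -> Fraction:
    """Exact Pr[PrivK^eav_{A,Pi} = 1] for a deterministic adversary A.

    keyspace: iterable over all keys Gen may output (uniform)
    enc:      Enc_k
    m0, m1:   the adversary's chosen pair of equal-length messages (step 1)
    guess:    the adversary's decision function c -> b' (step 3)
    """
    wins = total = 0
    for k in keyspace:                       # step 2: every key ...
        for b, m in ((0, m0), (1, m1)):      # ... and both values of b
            c = enc(k, m)
            wins += int(guess(c) == b)       # step 4: success iff b' == b
            total += 1
    return Fraction(wins, total)


# A constructed adversary that looks for a structural leak: with a repeated key,
# the two ciphertext bytes are equal exactly when the two plaintext bytes are.
M0, M1 = b"\x00\x00", b"\x00\x01"


def structural_guess(c: bytes) -> int:
    return 0 if c[0] == c[1] else 1


def otp_success_probability() -> Fraction:
    """One-time pad: the adversary does no better than guessing, exactly 1/2."""
    return privk_eav(otp_keys(2), otp_enc, M0, M1, structural_guess)


def short_key_success_probability() -> Fraction:
    """Repeated 1-byte key: the adversary wins every time, probability 1."""
    return privk_eav(short_keys(2), short_enc, M0, M1, structural_guess)


# Key reuse ("two-time pad"): XORing two ciphertexts made under the same key
# cancels the key and exposes m1 XOR m2, so the relation between the messages leaks.
def two_time_pad_leaks(k: bytes, m1: bytes, m2: bytes) -> bool:
    return xor_bytes(otp_enc(k, m1), otp_enc(k, m2)) == xor_bytes(m1, m2)


if __name__ == "__main__":
    print("OTP, structural adversary:", otp_success_probability())
    print("repeated 1-byte key:", short_key_success_probability())
    print("two-time pad leaks m1 xor m2:", two_time_pad_leaks(b"\x5a\xa5", b"hi", b"ok"))
```

The enumeration is what makes the result a statement about the definition rather than about one run: for the one-time pad, the guess "equal bytes means m0" is right for the 256 keys with equal bytes under m0 and for the 65280 keys with unequal bytes under m1, which is 65536 wins out of 131072 trials, exactly 1/2, matching Pr[C = c | M = m0] = Pr[C = c | M = m1]. Replacing the deterministic adversary with any other function of c gives the same 1/2 for the one-time pad, which is the "arbitrary adversary principle" from Chapter 1 made concrete.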
Chapter 3: Private-Key Encryption and Pseudorandomness
3.1 A Computational Approach to Cryptography
Information-theoretically secure => computationally secure
First, from the previous chapter we already know that perfect secrecy has an inherent limitation. So we must compromise: from a practical point of view, we do not necessarily need information-theoretic security with mathematically zero information leakage; instead we can reason in terms of computational complexity, within the framework of the Turing machine model and algorithmic complexity theory.
This section first introduces a series of basic notation from complexity theory, to ease the later formalization. The core idea is simple: the definition of "secure" is weakened in an acceptable way. The adversary is no longer one with unbounded computational power but, just like the honest users (at least in terms of complexity class, by the Church-Turing thesis), a probabilistic polynomial-time (PPT) algorithm.
A [cipher] must be practically, if not mathematically, indecipherable.
The computational approach incorporates two relaxations of the notion of perfect security:
1. Security is only preserved against efficient adversaries, and
2. Adversaries can potentially succeed with some very small probability (small enough so that we are not concerned that it will ever really happen).
"efficient algorithms": (probabilistic) algorithms running in time polynomial in n.
"small probability of success": success probabilities smaller than any inverse polynomial in n, meaning that for every constant c the adversary's success probability is smaller than n^{-c} for large enough values of n. A function that grows slower than any inverse polynomial is called negligible.
It is necessary in practice to understand exactly what level of concrete security is implied by a particular asymptotically-secure scheme.
A technical point to note: we will thus provide the adversary and the honest parties with the security parameter in unary as 1^n (i.e., a string of n 1's) when necessary.
This part also reviews basic asymptotic notation from complexity theory and related background.
(whether or not probabilistic polynomial-time adversaries are more powerful than deterministic polynomial-time adversaries is unresolved. In fact, recent results in complexity theory indicate that randomness does not help. )
In practice, we must be stricter about random number generation than ordinary programs are: One must be careful in how random bits are chosen, and the use of badly designed or inappropriate random number generators can often leave a good cryptosystem vulnerable to attack. Particular care must be taken to use a random number generator that is designed for cryptographic use, rather than a "general-purpose" random number generator.
We consider inverse-polynomial probabilities to be significant. Thus, if an adversary could succeed in breaking a scheme with probability 1/p(n) for some (positive) polynomial p, then the scheme would not be considered secure.
Events that occur with negligible probability are so unlikely to occur that they can be ignored for all practical purposes. Therefore, a break of a cryptographic scheme that occurs with negligible probability is not considered a break.
From this we can state the general pattern of the theorem a security proof aims at:
A scheme is secure if for every probabilistic polynomial-time adversary A carrying out an attack of some specified type, the probability that A succeeds in this attack (where success is also well-defined) is negligible.
Looking further, essentially all security proofs for cryptographic schemes are carried out by reduction to a basic complexity problem.
To assume that some low-level problem is hard to solve, and to then prove that the construction in question is secure given this assumption.
Convert any efficient adversary A that succeeds in "breaking" the construction with non-negligible probability into an efficient algorithm A' that succeeds in solving the problem that was assumed to be hard.
The basic pattern is as follows: