CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz

JCE
• (The TA gave a brief presentation in class about the JCE and how to use it)
HW1 out
• Meant to get you familiar with the JCE, and some basic crypto
• Use your GRACE account
• Work in teams of two students
– Both students should contribute to all problems
– JCE use and syntax fair game for the exam
• We now have a class forum
– Post on the forum if you are looking for a partner
Computer security student club
• First meeting tomorrow night, 7PM, in CSIC 1115
Perfect secrecy
Defining secrecy (take 1)
• Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext
– (Except the length)
• Perfect secrecy
• Formally, for all distributions over the message space, all m, and all c:
Pr[M=m | C=c] = Pr[M=m]
The one-time pad
• Scheme
• Proof of security
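The argument behind the proof on this slide, written out here as an added derivation (not part of the original slides). Messages, keys and ciphertexts are n-bit strings, C = M ⊕ K, and the key K is uniform and independent of M, so the event C = c given M = m is exactly the event K = m ⊕ c:

$$\Pr[C=c \mid M=m] = \Pr[K = m \oplus c] = 2^{-n} \quad \text{for every } m, c \in \{0,1\}^n,$$

$$\Pr[C=c] = \sum_{m'} \Pr[M=m'] \cdot \Pr[C=c \mid M=m'] = 2^{-n} \sum_{m'} \Pr[M=m'] = 2^{-n},$$

$$\Pr[M=m \mid C=c] = \frac{\Pr[C=c \mid M=m] \cdot \Pr[M=m]}{\Pr[C=c]} = \frac{2^{-n}\,\Pr[M=m]}{2^{-n}} = \Pr[M=m].$$

The last line is the definition of perfect secrecy from the previous slide, and it holds for every distribution over the message space because nothing in the derivation used Pr[M=m] beyond the fact that it sums to 1.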
Properties of the one-time pad?
• Achieves perfect secrecy
– No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext
• (Essentially) useless in practice…
– Long key length
– Can only be used once (hence the name!)
– Insecure against known-plaintext attacks
• These are inherent limitations of perfect secrecy
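To make the properties on this slide concrete, here is an added Python example (not from the lecture) that implements the one-time pad and checks each listed point: decryption recovers the message; a short ciphertext is consistent with every message of that length via exactly one pad, which is the structure behind perfect secrecy; reusing a pad exposes the XOR of the two plaintexts; and a single known plaintext/ciphertext pair reveals the whole pad. The message strings are constructed samples.

```python
"""One-time pad (OTP): the scheme plus checks of each property listed on the
slide. Added example, not part of the lecture; standard library only."""
import secrets
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """A fresh, uniformly random pad as long as the message (OS CSPRNG)."""
    return secrets.token_bytes(length)


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    """Enc(k, m) = k XOR m."""
    return xor_bytes(key, message)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Dec(k, c) = k XOR c; XOR is its own inverse."""
    return xor_bytes(key, ciphertext)


def keys_consistent_with(ciphertext: bytes, candidate: bytes) -> int:
    """Brute-force count of pads k with Enc(k, candidate) == ciphertext.
    Feasible only for 1-2 byte inputs, but that is enough to see the point:
    every candidate of the right length is explained by exactly one pad, so
    Pr[C=c | M=m] = 2^-n for every m and the ciphertext carries no information
    about which message was sent."""
    n = len(ciphertext)
    return sum(
        1
        for k in product(range(256), repeat=n)
        if otp_encrypt(bytes(k), candidate) == ciphertext
    )


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Using one pad twice: c1 XOR c2 == m1 XOR m2, whatever the pad was.
    Returns what an eavesdropper computes from the two ciphertexts alone."""
    return xor_bytes(otp_encrypt(key, m1), otp_encrypt(key, m2))


def key_from_known_plaintext(ciphertext: bytes, known_message: bytes) -> bytes:
    """Known-plaintext weakness: one (m, c) pair gives k = c XOR m, so the
    pad offers no protection for anything else encrypted under it."""
    return xor_bytes(ciphertext, known_message)


if __name__ == "__main__":
    msg = b"attack at dawn"  # constructed sample plaintext (14 bytes)
    key = otp_keygen(len(msg))
    ct = otp_encrypt(key, msg)
    print(otp_decrypt(key, ct) == msg)  # True

    # Perfect secrecy in miniature: a 1-byte ciphertext is consistent with
    # every 1-byte message, via exactly one pad each.
    c = bytes([0x5A])
    print([keys_consistent_with(c, bytes([m])) for m in (0x00, 0x41, 0xFF)])  # [1, 1, 1]

    # Reusing the pad leaks the XOR of the two plaintexts.
    other = b"hold position!"  # constructed, same length as msg
    print(two_time_pad_leak(key, msg, other) == xor_bytes(msg, other))  # True

    # One known plaintext/ciphertext pair reveals the whole pad.
    print(key_from_known_plaintext(ct, msg) == key)  # True
```

The brute-force count is the finite version of the proof: for a fixed ciphertext, each candidate message has exactly one pad that produces it, so conditioning on the ciphertext does not move the distribution over messages. The last two functions are why the "once" in the name is not optional: the same XOR that gives perfect secrecy for a single use gives away m1 ⊕ m2, or the pad itself, as soon as anything else is known.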
Computational secrecy
Computational secrecy
• We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition
• Instead of requiring total secrecy against unbounded adversaries, require secrecy against time-bounded adversaries except with some small probability
– E.g., secrecy for 100 years, except with probability 2^-80
• How to define formally?
A simpler characterization
• Perfect secrecy is equivalent to the following, simpler definition:
– Given a ciphertext C which is known to be an encryption of either M0 or M1, no adversary can guess correctly which message was encrypted with probability better than ½ + 2^-80 running for 100 years
• Computational security!
• Is this definition too strong? Why not?
The take-home message
• Weakening the definition slightly allows us to construct much more efficient schemes!
• Strictly speaking, no longer 100% absolutely guaranteed to be secure
– Security of encryption now depends on security of building blocks (which are analyzed extensively, and are believed to be secure)
– Given enough time and/or resources, the scheme can be broken
A computationally secure scheme
• A pseudorandom (number) generator (PRNG) is a deterministic function that takes as input a seed and outputs a string
– To be useful, the output must be longer than the seed
• If seed chosen at random, output of the PRNG should “look random” (i.e., be pseudorandom)
Notes
• Required notion of pseudorandomness is very strong – must be indistinguishable from random for all efficient algorithms
– General-purpose PRNGs not sufficient for crypto
• Pseudorandomness of the PRNG depends on the seed being chosen “at random”
– Note in particular that if a seed is re-used then the output of the PRNG remains the same!
– In practice: from physical processes and/or user behavior
A computationally secure scheme
• The pseudo-one-time pad…
• Proof sketch
• Which drawback(s) of the one-time pad does this address?
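The pseudo-one-time pad from this slide, as an added Python example (not the lecture's own code). The PRNG is an assumption made for illustration: HMAC-SHA256 over a counter, keyed with the seed, which is one standard-library way to stretch a short seed into a long keystream; the slides do not fix a particular PRNG. The example shows a 16-byte seed encrypting a far longer message (the long-key drawback is gone), that the same seed always yields the same output (the note on the previous slide), and that reusing a seed still leaks the XOR of two plaintexts, so the one-use restriction remains. The plaintexts are constructed samples.

```python
"""Pseudo-one-time pad: a short random seed is stretched by a PRNG and the
output is XORed into the message. Added example, not the lecture's code.
The PRNG is an assumption made for illustration: HMAC-SHA256 over a counter,
keyed with the seed (standard library only)."""
import hashlib
import hmac
import secrets

SEED_LEN = 16  # 128-bit seed; the "key" is this long regardless of message size


def prng_expand(seed: bytes, nbytes: int) -> bytes:
    """G(seed) = HMAC(seed, 0) || HMAC(seed, 1) || ... truncated to nbytes.
    Deterministic: the same seed always gives the same output. The output is
    only pseudorandom if the seed is uniform and kept secret."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("keystream and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pseudo_otp_encrypt(seed: bytes, message: bytes) -> bytes:
    """Enc(seed, m) = m XOR G(seed)[:|m|]. Unlike the one-time pad, the key
    is SEED_LEN bytes however long m is: the long-key drawback is removed."""
    return xor_bytes(message, prng_expand(seed, len(message)))


def pseudo_otp_decrypt(seed: bytes, ciphertext: bytes) -> bytes:
    """Dec is the same operation, since XOR is its own inverse."""
    return pseudo_otp_encrypt(seed, ciphertext)


def seed_reuse_leak(seed: bytes, m1: bytes, m2: bytes) -> bytes:
    """Encrypting two messages under one seed gives the same keystream twice,
    so c1 XOR c2 == m1 XOR m2 exactly as with a reused one-time pad. The
    one-use restriction is NOT removed by this construction."""
    return xor_bytes(pseudo_otp_encrypt(seed, m1), pseudo_otp_encrypt(seed, m2))


if __name__ == "__main__":
    seed = secrets.token_bytes(SEED_LEN)  # must come from a real random source
    message = b"A" * 4096  # constructed 4 KB plaintext, 256x longer than the seed
    ct = pseudo_otp_encrypt(seed, message)
    print(len(seed), len(ct))  # 16 4096
    print(pseudo_otp_decrypt(seed, ct) == message)  # True

    # Same seed, same output: the PRNG is deterministic.
    print(prng_expand(seed, 64) == prng_expand(seed, 64))  # True

    # Reuse still leaks m1 XOR m2.
    m1, m2 = b"attack at dawn", b"hold position!"  # constructed, equal length
    print(seed_reuse_leak(seed, m1, m2) == xor_bytes(m1, m2))  # True
```

Of the three drawbacks on the earlier slide, only the key length is addressed: the seed is 16 bytes whether the message is 14 bytes or 4 KB. Security now rests on the PRNG output being indistinguishable from a truly random pad for every efficient adversary, which is the computational relaxation the preceding slides motivate, and which a general-purpose PRNG such as a language's default `random` module does not provide. Determinism is what makes the scheme work (sender and receiver derive the same keystream) and also what keeps the one-use rule in force.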