UCB - CS161 - Lecture 5

1. Kerckhoff’s Principle

Cryptosystems should remain secure even when the attacker knows all internal details of the system.
The key should be the only thing that must be kept secret, and the system should be designed to make it easy to change keys that are leaked (or suspected to be leaked).
If your secrets are leaked, it is usually a lot easier to change the key than to replace every instance of the running software.

加解密算法公开的,加解密密钥保密的:

  1. 维护密钥的保密性更容易。

  2. 若密钥暴露,换密钥即可。

  3. 面对多对加密通信的需求,使用相同的加密算法不同的密钥即可。相比于使用不同的加密算法,设计成本和复杂程度及各方面代价都大大降低。

开放密码学设计的优势:

  1. 可以使该算法承受公开的钻研和分析,因此可以变得更加强壮

  2. 公开后有更大的可能被正义黑客发现,比被敌人发现要好。

  3. 公开设计使标准更容易建立

  4. 系统的安全取决于算法的保密性,对代码的逆向抵抗力很差。密钥不是代码的一部分,不存在这个问题。

b818b2e3aa2c33626c3b36f34e338011.png

2. Symmetric-Key Encryption

c1f0066cee11ca14ad211050fcd6b570.png

密文的长度无需成为加密的信息(从反面的角度来论证这种做法的优势)。

对称加密的大体模式:

fe47de9731e7fdb5ae631b863f5448fa.png

安全性的考量:

  • partial information leak(通过加密程序返回的密文试探有关信息)

  • deterministic encryptions(相同明文的密文一旦相同,被破解后能大大加快破解全部密文的速度)

2.1 IND-CPA Security

IND-CPA:Indistinguishability under Chosen-plaintext Attack(选择明文攻击下的不可区分性)。

fc2a281f2c2edc434ff843d088a74074.png

ef4e92d934165ea24e773cf94f0dae30.png

2.2 One-Time Pad

虽安全性极高,但只能用于一次性加密解密,不符合 IND-CPA。

Both the size of key $K$ and message $M$ is $n$,$K = k_1k_2 \cdots k_n$(randomly chosen), $C = Enc(K, M) = K \oplus M$,$Dec(K, C) = K \oplus C = K \oplus K \oplus M = M$。

2.3 Block Ciphers

Intuitively, a block cipher transforms a fixed-length, $n$-bit input into a fixed-length $n$-bit output. The block cipher has $2 ^ k$ different settings for scrambling, so it also takes in a $k$-bit key as input to determine which scrambling setting should be used.

Encryption function $E:{0, 1} ^ k \times { 0, 1} ^ n \rightarrow { 0, 1} ^ n$,This notation means we are mapping a $k$-bit input (the key) and an $n$-bit input (the plaintext message) to an $n$-bit output (the ciphertext).

Once we fix the key $K$, we get a function mapping $n$ bits to $n$ bits:$E_k : { 0, 1} ^ n \rightarrow { 0, 1} ^ n$.

The inverse mapping of this permutation is the decryption algorithm $D_k$:$D_k(E_k(M)) = M$.

2.3.1 ECB Mode

9d483e76a915d4d8aee6b992efc93bf7.png

2.3.2 CBC Mode

f3dc8e4a67b820a7c0734f95940aa2cd.png

2.3.3 CFB Mode

44d6f474b7c824422c5503b90dd6b3ba.png

作者

Zylll

发布于

2024-02-27

更新于

2024-02-29

许可协议