# Symmetric Key Encryption

Classical crypto:

- ad-hoc design
- trial and error
- empirically evaluated

Modern crypto (~1970-onwards):

- systematic development and analysis
- formal notions of security and adversity
- rigorous proofs of security or insecurity

The formal treatment of modern crypto is the fundamental notions underlying the design and evaluation of crypto primitives

The systematic process includes:

- security goals (what does it mean to be "secure"?)
  - abstracted into security definitions that are open to mathematical treatment
- threat models (which attacks are allowed, and which aren't?)
  - specified by adversarial settings and computational assumptions
- security analysis (why it is/is not secure?)
  - expressed by proofs of security, inherent limitations, and characterizations

## Symmetric Key Encryption

The same secret key is used by both parties of a conversation under the assumption that the adversary cannot learn the message from the cipher text

Abstract crypto primitive:

- defined by a message space M and a triplet of algorithms (Gen, Enc, Dec)
  - **Gen**: probabilistic algorithm that outputs a random key k
  - **Enc**: probabilistic algorithm that takes as input M and k and outputs the cipher text c
  - **Dec**: deterministic algorithm that takes input c and k and outputs M
    - must always yield the same M from the same c and k

**Probabilistic algorithm**: running the algorithm on some input multiple times yields different outputs

Satisfying properties of symmetric key encryption:

- efficiency for the key generation and message transformation processes 
- correctness: for all M, k it holds that Dec(Enc(m,k), k) = m
- security: one cannot learn M from c

**Uniform random key**: equally random chance of using any key from the range of keys

**Kerchoff's Principle**: the cipher algorithm (Enc and Dec) can be known, and as long as the key is secret the system is still secure

Application areas:

- secure communications: encrypt data in transit
  - assume that k is securely generated, distributed, and stored
- secure storage: encrypt data at rest
  - assume k is securely generated and stored (no key sharing is necessary)

### Brute Force Attack

If C, the key space, and Dec are known then an exhaustive search may be performed to try all possible keys. This requires knowledge of M, such as it's format

As a result, key spaces should be large enough to make exhaustive searches infeasible

### Probability and Symmetric Key Encryption

Gen defines the key space K, i.e. $Gen \rightarrow k \in K$

Enc defines cipher text space C, i.e. $Enc_k(m) \rightarrow c \in C$

Assumptions:

- messages and keys are chosen independently according to probability distributions $D_m, D_k$
- for any $m \in M, D_m$ defines Pr[M = m] (a priori probability that m is sent)
- for any $k \in K, D_k$ defines Pr[K = k] (typically uniform)

Facts:

- given $D_m, D_k$ and internally used randomness, Enc imposes a probability distribution $D_c$ over c
- if c denotes the sent cipher text, then for any $c \in C, D_c$ defines Pr[C = c]'

**Perfect correctness**: for any $k \in K, $m \in M$ and any cipher text c output of $Enc_k(m)$, it holds that Pr[$Dec_k(c)$ = m] = 1

**Perfect secrecy**: symmetric key encryption scheme (Gen, Enc, Dec) with message space M is perfectly secret if for every $D_m$, every message $m \in M$ and every cipher text $c \in C$ for which Pr[C = c] > 0, it holds that Pr[M = m | C = c] = Pr[M = m]

$$ \textrm{or} $$

For every message $m,m' \in M$ and every $c \in C$, Pr[$Enc_k(m)$ = c] = Pr[$Enc_k(m')$ = C]

Both definitions of perfect secrecy are equivalent 

Notes:

- probability distribution $D_c$ does not depend on the plain text
- M and C are independent random variables
- the cipher text contains no information about the plain text
- it is impossible to distinguish the encryption of m from the encryption of m'
  
## Classical Ciphers

Encrypted by mapping each plain text character into another character (shifting). The key represents the size of the shift

Frequency analysis is important here. Due to the distribution of English letters, patterns may be interpreted

### Mono-alphabetic Substitution Cipher

Key space defines permutation on the alphabet

Cryptanalysis: 

- key space is large (26!) but the cipher is vulnerable to pattern recognition due to the use of fixed key mappings
- automated attack if char i (in [0:25]) has frequency $p_i$ (in [0...1]) then frequency analysis may be performed in the following manner
  - from statistics, $\sum_i p_i^2 = .065$
  - since char i is mapped to char i + k, if $L_i = \sum_i p_iq_{i+j}$, then $L_k = .065$
  - a brute force attack can test all keys with respect to the above criteria

### Vigenere Cipher

Poly-alphabetic shift cipher. Key space defines the fixed mapping that is applied on blocks of characters

Key k is a string of letters of length t that defines the shift for blocks of size t (period t)

- example: key = "back" or (2,1,3,11). This means that each block (every four characters) is shifted respectively by 2,1,3, or 11

Plain text to cipher text is many-to-many depending on the block location 

Cryptanalysis:

- if t is known, then the problem is reduced to attacking the shift cipher
  - t-streams: cipher text subsequences that are t-positions apart
- if t is unknown:
  - repeat the above attack for guessed values of t
  - identify repeated patterns of length 2 or 3 in the cipher text
    - likely to correspond to common bigrams/trigrams such as "the"
    - t can be deduced by examining the locations of these patterns

## One-Time Pad

Unbreakable substitution cipher that uses a block of "shift keys" of size n ($k_1,k_2,...,k_n$) with each shift key being chosen uniformly at random

Perfectly secure as each shift is random. This means that every cipher text is equally likely for any plaintext

Formal definition:

- fix t to be an positive integer M=C=k=$\{0,1\}^t$
- Gen: chose t bits uniformly at random
  - Gen $\rightarrow \{0,1\}^t$
- Enc: given a key k and a message of equal lengths, compute the bitwise XOR
  - $Enc(k,m) = Enc_k(m) \rightarrow k \oplus m$ (mask message with the key)
- Dec: compute the bitwise XOR of the key and the cipher text
  - $Dec(k,c) = Dec_k(c) = k \oplus c$
- correctness: $k \oplus c = k \oplus k \oplus m = 0 \oplus m = m$

### Shannon's Theorem

Let $\pi = \{M, (Gen, Enc, Dec)\}$ be an encryption scheme with message space M, for which |M| = |k| = |c|. $\pi$ is perfectly secure if and only if:

1. every key $k \in K$ is chosen with equal probability $\frac{1}{|k|}$ by the Gen algorithm
2. for every $m \in M$ and every $c \in C$, there exists a unique key $k \in K$ such that $Enc_k(m) = C$

### Characteristics of the OTP Cipher

Substitution cipher: encrypt n-symbol m using n uniformly random shift keys

Two equivalent views:

1. $\{0,1\}^n$ bitwise XOR $(m \oplus k)$
2. $G,(G,+)$ is a group addition/subtraction (M +/- k)

Perfect secrecy as the shift is random, meaning that every cipher text is equally likely

The limitations are that shift keys:

1. are as long as messages
2. cannot be re-used

## Refined Symmetric Key Encryption

Formally defined and constructed perfectly secure cipher

By Shannon's Theorem, drawbacks are unavoidable (e.g., very large keys)

Refined model incorporates computational security, meaning that the encryption scheme is practically secure if:

- a tiny amount of plaintext information is leaked
- adversaries have bounded computational power

### Computational Security

Contrasted against information-theoretic security

Defacto way in which most crypto settings model security

Entails two relaxations:

- security is guaranteed against efficient adversaries
  - goal: make the required resources to breaks security be an unreasonable amount
- adversaries may potentially succeed as the scheme is probabilistic
  - there is a small probability that the scheme is breakable

Two approaches:

- concrete approach: bounds the max success of probability of any randomized adversary
- asymptotic approach: only realistic attackers are dealt with

An additional input to algorithms, the **security parameter**, is required to ensure the asymptotic approach 

Giving hypothetical attackers some advantages is good hygiene. Attackers may possess:

1. cipher text collection: cipher text only attack
2. collection of plain and cipher texts: known plaintext attack
3. collection of plain and cipher text pairs for plain texts selected by the attacker: chosen plain text attack
4. collection of plain and cipher text pairs for plain and cipher texts selected by the attacker