Cryptography Reference
In either case, the encryption functions may be probabilistic in the sense that they also take into account some random input data (not expressed in Definition 2.6). Typically, $\mathcal{M} = \mathcal{C} = \{0,1\}^*$ (i.e., the set of binary strings of arbitrary but finite length), and $\mathcal{K} = \{0,1\}^l$ for some fixed key length $l$ (e.g., $l = 128$). The notion of a function family (or family of functions, respectively) is formally introduced in Section 3.1.1. In the meantime, it is sufficient to have an intuitive understanding for the term.
The working principle of a symmetric encryption system is illustrated in Figure 2.4. On the left side, the sender encrypts the message $m \in \mathcal{M}$ with his or her implementation of the encryption function $E$ (parametrized with the secret key $k$). The resulting ciphertext $E_k(m) = c \in \mathcal{C}$ is sent to the recipient over a potentially unsecure channel (drawn as a dotted line in Figure 2.4). On the right side, the recipient decrypts $c$ with his or her implementation of the decryption function $D$ (again, parametrized with the secret key $k$). If the decryption is successful, then the recipient is able to recover the plaintext message $m$.
Many examples of symmetric encryption systems are described in the literature. Some of these systems are relevant and used in practice, whereas others are not (i.e., they are only theoretically or historically relevant, or they are used only in small and typically closed communities). In Chapter 10, we overview and discuss two symmetric encryption systems that are in widespread use today: the DES and the advanced encryption standard (AES). We use them as examples and note that many other symmetric encryption systems can be used instead. Unfortunately, all practically relevant symmetric encryption systems are only conditionally or computationally secure. We also elaborate on symmetric encryption systems that are unconditionally or information-theoretically secure. These systems, however, are not used in practice, because most of them require keys that are at least as long as the plaintext messages that are encrypted. The key management of such a system is prohibitively expensive for practical use.
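
The information-theoretically secure case described above, as an added example that is not part of the original text: a one-time pad over byte strings. The XOR construction, the function names and the sample messages are assumptions chosen for illustration, since the passage names no specific system. It shows $D_k(E_k(m)) = m$, why a ciphertext is consistent with every plaintext of the same length, and what leaks when a key is reused to save on key management.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(n: int) -> bytes:
    """Draw a uniformly random key of n bytes (as long as the message)."""
    return secrets.token_bytes(n)

def encrypt(k: bytes, m: bytes) -> bytes:
    """E_k(m) = m XOR k. A key of any other length than m is rejected."""
    if len(k) != len(m):
        raise ValueError("key must be exactly as long as the message")
    return xor(m, k)

def decrypt(k: bytes, c: bytes) -> bytes:
    """D_k(c) = c XOR k, hence D_k(E_k(m)) = m."""
    if len(k) != len(c):
        raise ValueError("key must be exactly as long as the ciphertext")
    return xor(c, k)

def key_explaining(c: bytes, candidate: bytes) -> bytes:
    """The unique key under which c decrypts to `candidate`.

    Such a key exists for every same-length candidate and all keys are
    equally likely, so c alone carries no information about m.
    """
    return xor(c, candidate)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With one key for two messages, c1 XOR c2 = m1 XOR m2 (key cancels)."""
    return xor(c1, c2)

if __name__ == "__main__":
    m1 = b"PAY ALICE 100"            # constructed sample messages
    m2 = b"PAY BOB   250"
    k = keygen(len(m1))
    c1 = encrypt(k, m1)
    print("round trip ok:", decrypt(k, c1) == m1)
    alt = b"PAY CAROL 999"           # same length, different content
    print("alt plaintext fits:", decrypt(key_explaining(c1, alt), c1) == alt)
    print("reuse leaks m1^m2:", reuse_leak(c1, encrypt(k, m2)) == xor(m1, m2))
```

Every message needs fresh key material of its own length, which is the key-management cost the text refers to; `reuse_leak` shows why that cost cannot be avoided by recycling keys.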
2.2.2 Message Authentication Codes
It is not always necessary to encrypt messages and to protect their confidentiality. Sometimes, it is sufficient to protect their authenticity and integrity, meaning that it must be possible for the recipient of a message to verify its authenticity and integrity (note that authenticity and integrity properties always go together when one considers messages). In this case, one can add an authentication tag to a message and have the recipient verify the tag before he or she accepts the message as being genuine. A message and a tag computed from it are illustrated in Figure 2.5.
One possibility to compute and verify an authentication tag is to use public key cryptography in general, and a DSS in particular (as explained later in this topic).