\covertopicname{1.2: One-Time Pad \& The Provable Security Mindset}
\coverwebsite{https://appliedcryptography.page}
\begin{document}
\begin{frame}[plain]
\titlepage
\end{frame}
\begin{frame}{How it's made}
\bigimagewithcaption{fischer_theory.png}{Fischer et al., The Challenges of Bringing Cryptography from Research Papers to Products: Results from an Interview Study with Experts, USENIX Security 2024}
\end{frame}
\begin{frame}{Thinking about secrecy}
\bigimagewithcaption{naive_enc.pdf}{Source: The Joy of Cryptography}
\item We need a pseudo-random uniform distribution:
\item If $\mathcal{S}$ is a set of $m$ items, then the uniform distribution over $\mathcal{S}$ assigns probability $\frac{1}{m}$ to each item $x \in\mathcal{S}$
\item In practice, this just means we need the bits to be random, unpredictable, uniformly distributed in terms of probability
\item Sampling a $K$ from a pseudo-random uniform distribution is written as $K \twoheadleftarrow\bits^n$
\end{itemize}
\end{frame}
\begin{frame}{Adversary's access to oracle}
\begin{columns}[c]
\begin{column}{0.5\textwidth}
\begin{itemize}[<+->]
\item ``Victim'' chooses their key.
\item Adversary chooses the message and receives the ciphertext.
\item We say that \textbf{the adversary has access to an encryption oracle}.
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\imagewithcaption{attacker_interface.pdf}{Source: The Joy of Cryptography}
\imagewithcaption{attacker_interface.pdf}{Source: The Joy of Cryptography}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\begin{center}
\Large\textit{``If I use OTP according to the attack scenario (I sample keys uniformly and use each key to encrypt just one ciphertext), then no matter how the plaintexts are chosen, and no matter how the ciphertext is subsequently used, I can enjoy a certain security guarantee.''}
\end{center}
\end{frame}
\begin{frame}{One-time pad}{Correctness proof}
\begin{itemize}[<+->]
\item$\forall(n > 0,\; K \in\bits^{n},\; M \in\bits^{n}),\;\textsf{Dec}(K, \textsf{Enc}(K, M))= M$
\item For all positive $n$, any key of $n$ bits and message of $n$ bits will decrypt back to the same plaintext if encrypted into a ciphertext.
\item\textbf{Proof}:
\begin{align*}
\textsf{Dec}(K, \textsf{Enc}(K, M)) & = \textsf{Dec}(K, K \oplus M) \\
& = K \oplus (K \oplus M) \\
& = (K \oplus K) \oplus M \\
& = 0^n \oplus M \\
& = M \quad\qed
\end{align*}
\end{itemize}
\end{frame}
\begin{frame}{One-time pad}{How do we prove security?}
\begin{columns}[c]
\begin{column}{0.5\textwidth}
\begin{itemize}[<+->]
\item\textbf{Generally}: a cipher is secure if the adversary can't distinguish the output of calls to $ATTACK$ from random junk.
\item\textbf{Formally}: For all positive integers $n$ and all choices of plaintext $M \in\{\texttt{0}, \texttt{1}\}^n$, the output of the following subroutine is uniformly distributed:
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\sssubroutine{Attack}{M}{
$K \twoheadleftarrow\bits^{n}$\\
$C \coloneq K \oplus M$\\
return $C$
}{1.5}
\end{column}
\end{columns}
\end{frame}
\begin{frame}{One-time pad}{How do we prove security?}
\begin{columns}[c]
\begin{column}{0.7\textwidth}
\begin{itemize}[<+->]
\item If the key is random, the output will be uniformly distributed!
\item Suppose $M =\bit{01}$:
\begin{itemize}[<+->]
\item$K =\bit{00}$ is chosen with probability $1/4$:\\$C = K \oplus M =\bit{00}\oplus\bit{01}=\bit{01}$.
\item$K =\bit{01}$ is chosen with probability $1/4$:\\$C = K \oplus M =\bit{01}\oplus\bit{01}=\bit{00}$.
\item$K =\bit{10}$ is chosen with probability $1/4$:\\$C = K \oplus M =\bit{10}\oplus\bit{01}=\bit{11}$.
\item$K =\bit{11}$ is chosen with probability $1/4$:\\$C = K \oplus M =\bit{11}\oplus\bit{01}=\bit{10}$.
\end{itemize}
\end{itemize}
\end{column}
\begin{column}{0.3\textwidth}
\sssubroutine{Attack}{M}{
$K \twoheadleftarrow\bits^{n}$\\
$C \coloneq K \oplus M$\\
return $C$
}{1.5}
\end{column}
\end{columns}
\end{frame}
\begin{frame}{One-time pad}{How do we prove security?}
\begin{columns}[c]
\begin{column}{0.7\textwidth}
\begin{itemize}[<+->]
\item What if this is true only for $M =\bit{01}$?
\item Fine, let's pick any $M, C \in\bits^n$.
\item What is \prob{\textsc{Attack}$(M)= C$}?
\item Answer: Exactly when $C =\textsf{Enc}(K, M)= K \oplus M$.
\item ...which occurs for exactly one $K$.
\item Since $K$ is chosen uniformly from $\bits^n$, the probability of choosing that $K$ is $\frac{1}{2^n}. \quad\qed$
\end{itemize}
\end{column}
\begin{column}{0.3\textwidth}
\sssubroutine{Attack}{M}{
$K \twoheadleftarrow\bits^{n}$\\
$C \coloneq K \oplus M$\\
return $C$
}{1.5}
\end{column}
\end{columns}
\end{frame}
\begin{frame}{One-time pad}{From the adversary's perspective...}
\begin{columns}[c]
\begin{column}{0.35\textwidth}
\sssubroutine{Attack}{M}{
$K \twoheadleftarrow\bits^{n}$\\
$C \coloneq K \oplus M$\\
return $C$
}{1.5}
\end{column}
\begin{column}{0.3\textwidth}
\begin{center}
{\huge{$\approxeq$}}\\[1em]
{\scriptsize\textit{(indistinguishable \\ from)}}
\end{center}
\end{column}
\begin{column}{0.35\textwidth}
\sssubroutine{Junk}{M}{
$C \twoheadleftarrow\bits^{n}$\\
return $C$
}{2}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\begin{center}
\huge\textit{``Real or random?''}
\end{center}
\end{frame}
\begin{frame}{Limitations of security proofs}{Part 1}
\begin{itemize}[<+->]
\item Rigor and the real world famously don't mix.
\item Security proofs are good for rigor but address very little regarding real-world concerns:
\begin{itemize}[<+->]
\item How can Alice \& Bob obtain a secret key, which only they know?
\item How can they keep $K$ secret?
\item How can a computer sample from the uniform distribution?
\item How can Alice ensure that $C$ is sent reliably to Bob?
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Limitations of security proofs}{Part 2}
\begin{itemize}[<+->]
\item More questions proofs don't address:
\begin{itemize}[<+->]
\item How can Alice hide the fact that she is talking to Bob (rather than hide only the content)?
\item How can Alice be sure that she is communicating with Bob, not an impostor?
\item How can we incentivize Alice and Bob to use encryption?
\item Should the government be allowed to obtain a warrant to read encrypted communications?
\end{itemize}
\item Security proofs are about specific properties within specific models.
\item Real-world security depends on many factors beyond what our models capture.
\item Having a security proof is necessary but not sufficient for real-world security.
\end{itemize}
\end{frame}
\begin{frame}{The value of security proofs}
\begin{itemize}[<+->]
\item Despite limitations, security proofs provide important benefits:
\begin{itemize}[<+->]
\item\textbf{Precise guarantees}: Clearly define what security properties are achieved.
\item\textbf{Confidence}: When properly structured, proofs ensure no obvious attacks exist.
\item\textbf{Foundation for composition}: Proven components can be securely combined.
\item\textbf{Precise terminology}: Forces us to clearly define our terms and assumptions.
\end{itemize}
\item Security proofs help identify the \textit{boundaries} of security:
\begin{itemize}[<+->]
\item What assumptions are necessary?
\item What threats are addressed vs. unaddressed?
\item What conditions must hold for security to be maintained?
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{The provable security mindset}
\begin{itemize}[<+->]
\item Building systems with provable security in mind:
\begin{itemize}[<+->]
\item Start with clear security goals and adversary model.
\item Design systems whose security can be formally analyzed.
\item Identify and document necessary assumptions.
\item Distinguish between proven properties and conjectures.
\end{itemize}
\item Good practical security requires both:
\begin{itemize}[<+->]
\item Rigorous proofs for core mechanisms.
\item Practical engineering to address real-world constraints.
