Crypto Foundations & Threat Models

  • Goals: confidentiality, integrity, authenticity
  • Threat models define the attacker before the defense
  • Security levels and work factors
  • Randomness, entropy, and bias
  • Why key/nonce reuse breaks everything

1 / 11

Security goals

  • Confidentiality: hide content
  • Integrity: detect modification
  • Authenticity: bind data to identity
  • Availability: stay usable under attack

Encryption alone != integrity

2 / 11

Threat models

  • Passive vs active attacker
  • CPA vs CCA vs KPA
  • Online vs offline
  • Attack surface: oracles, errors, side channels

No threat model -> no real security claim

3 / 11

Computational security

  • Breaks are possible in theory, infeasible in practice
  • Work factor measured in operations
  • Compare to realistic budgets

4 / 11

Security levels

  • Preimage on b-bit hash ~ 2^b
  • Collision on b-bit hash ~ 2^(b/2)
  • Symmetric key k-bit -> 2^k work

Birthday bound dominates collisions

5 / 11
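Added worked example (not part of the slide deck): the birthday bound made concrete. It computes the exact collision probability for small spaces, the usual approximation n ~ sqrt(2 * 2^b * ln(1/(1-p))) that gives the 2^(b/2) threshold, and then actually finds a collision in SHA-256 truncated to a small number of bits to show that roughly 2^(b/2) hashes suffice. The truncated hash and the counter-valued messages are constructed for the demonstration.

```python
"""Birthday-bound collision threshold for a b-bit hash (added example)."""
import hashlib
import math


def collision_probability(bits: int, samples: int) -> float:
    """Exact probability that `samples` uniformly random b-bit values contain
    at least one collision (product form of the birthday problem).
    Only sensible for small `bits`, since it loops over `samples`."""
    space = 2 ** bits
    if samples > space:
        return 1.0  # pigeonhole: more samples than values
    no_collision = 1.0
    for i in range(samples):
        no_collision *= (space - i) / space
    return 1.0 - no_collision


def birthday_threshold(bits: int, probability: float = 0.5) -> float:
    """Samples needed for a collision with the given probability, using the
    standard approximation n ~ sqrt(2 * 2^b * ln(1/(1-p))).
    For p = 0.5 this is ~1.177 * 2^(b/2): the 2^(b/2) on the slide."""
    space = 2 ** bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a toy hash with a tiny
    output space, so collisions are cheap enough to find in a test."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int) -> tuple[int, bytes, bytes]:
    """Hash counter-valued messages (constructed inputs) until two collide.
    Returns (hashes computed, first input, second input). Expect roughly
    2^(bits/2) hashes, not 2^bits, which is the whole point of the bound."""
    seen: dict[int, bytes] = {}
    count = 0
    while True:
        msg = str(count).encode()
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return count, seen[h], msg
        seen[h] = msg


if __name__ == "__main__":
    print("exact P(collision), 8-bit hash, 20 samples:",
          round(collision_probability(8, 20), 3))
    for b in (32, 64, 128, 256):
        print(f"{b}-bit hash: 50% collision at ~{birthday_threshold(b):.3g} "
              f"samples, preimage ~{2 ** b:.3g}")
    n, a, c = find_collision(20)
    print(f"20-bit truncated SHA-256: collision after {n} hashes "
          f"({a!r} and {c!r}); 2^10 = 1024")
```

The preimage line in the loop is the contrast the slide draws: for the same hash, a collision costs the square root of a preimage.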

Randomness and entropy

  • Uniformity is not enough
  • Unpredictability is required
  • Min-entropy measures worst-case guessability

6 / 11

Modulo bias

  • x % n on a 64-bit x is biased unless 2^64 % n == 0 (n a power of two)
  • Fix with rejection sampling
  • Bias can be attacker-visible

7 / 11
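Added worked example (not from the slides) covering the modulo-bias slide and the XorShift64* item from the "What you will build" list. The PRNG is the xorshift64* construction with its usual multiplier; it is a toy, not a CSPRNG, and is here only as a word source. Rejection sampling is shown in its standard form, and the bias is made visible by counting residues over a whole 8-bit domain, where 256 % 3 != 0, rather than over the 64-bit domain the slide names.

```python
"""XorShift64* toy PRNG and unbiased modulo reduction (added example)."""

MASK64 = (1 << 64) - 1


class XorShift64Star:
    """Toy, NON-cryptographic PRNG (xorshift64*). Its full state is
    recoverable from a single output, so it only stands in for a CSPRNG."""

    def __init__(self, seed: int) -> None:
        if seed & MASK64 == 0:
            raise ValueError("xorshift state must be non-zero")
        self.state = seed & MASK64

    def next_u64(self) -> int:
        """One xorshift step on the state, then a multiply as the output
        scrambler; every step is masked back to 64 bits."""
        x = self.state
        x ^= x >> 12
        x ^= (x << 25) & MASK64
        x ^= x >> 27
        self.state = x
        return (x * 0x2545F4914F6CDD1D) & MASK64


def biased_mod(x: int, n: int) -> int:
    """Naive reduction: biased whenever 2^bits % n != 0."""
    return x % n


def unbiased_mod(next_word, n: int, bits: int = 64) -> int:
    """Rejection sampling: words in the final partial bucket [limit, 2^bits)
    are discarded and a fresh word drawn, so every residue is equally likely.
    `next_word` is any callable returning a uniform `bits`-bit integer."""
    limit = (1 << bits) - ((1 << bits) % n)
    while True:
        x = next_word()
        if x < limit:
            return x % n


def residue_counts(n: int, bits: int, reject: bool) -> list[int]:
    """Exhaustively count x % n over the full `bits`-bit domain, with or
    without the rejection step, to make the bias visible on a small domain."""
    limit = (1 << bits) - ((1 << bits) % n)
    counts = [0] * n
    for x in range(1 << bits):
        if reject and x >= limit:
            continue
        counts[x % n] += 1
    return counts


if __name__ == "__main__":
    print("8-bit words mod 3, naive:    ", residue_counts(3, 8, False))
    print("8-bit words mod 3, rejection:", residue_counts(3, 8, True))
    print("8-bit words mod 4, naive:    ", residue_counts(4, 8, False))
    rng = XorShift64Star(0x9E3779B97F4A7C15)
    print("unbiased draw in [0, 10):", unbiased_mod(rng.next_u64, 10))
```

The rejection rate is (2^bits % n) / 2^bits, negligible for 64-bit words and small n, so the loop almost never iterates twice.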

One-time pad

  • Perfect secrecy requires:
    • truly random key
    • key length == message length
    • key used once

Reuse collapses to XOR of plaintexts

8 / 11

Determinism leaks

  • Deterministic encryption leaks equality
  • Nonce or randomness makes encryption probabilistic
  • Reuse of nonces reintroduces determinism

9 / 11
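Added worked example (not part of the deck) for the one-time pad and determinism slides together, and for the "two-time pad recovery" item in the build list. A stream cipher keyed by (key, nonce) is a one-time pad whose pad is derived rather than stored, so the slides' two failure modes are the same failure: a reused nonce makes encryption deterministic (equal plaintexts give equal ciphertexts) and makes c1 XOR c2 equal p1 XOR p2, so anyone holding one plaintext reads the other without the key. The keystream here is a constructed toy (SHA-256 over key, nonce and a counter), not a real cipher, and the key, nonces and messages are made up.

```python
"""Two-time pad: why key/nonce reuse breaks a stream cipher (added example)."""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks.
    A stand-in for a real stream cipher: a fresh (key, nonce) pair gives a
    fresh pad; the same pair gives the same pad, which is the whole problem."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR over the common prefix of two byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Pad-style encryption; decryption is the same call on the ciphertext."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Under nonce reuse the pads cancel: c1 ^ c2 == p1 ^ p2. Knowing p1
    therefore yields p2 over the overlapping prefix, with no key involved."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


if __name__ == "__main__":
    key = b"\x42" * 32            # constructed demo key
    nonce_a, nonce_b = bytes(12), b"\x01" * 12
    p = b"same message"
    print("fresh nonces, equal plaintexts, distinct ciphertexts:",
          encrypt(key, nonce_a, p) != encrypt(key, nonce_b, p))
    print("reused nonce, equal plaintexts, equal ciphertexts:",
          encrypt(key, nonce_a, p) == encrypt(key, nonce_a, p))
    p1, p2 = b"attack at dawn", b"retreat at dusk"
    c1, c2 = encrypt(key, nonce_a, p1), encrypt(key, nonce_a, p2)
    print("c1 ^ c2 == p1 ^ p2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
    print("recovered from c1, c2 and p1:", recover_other_plaintext(c1, c2, p1))
```

The defensive reading of the last line is the slide's: the key was never touched, so no key length or key quality fixes this. Only a nonce that is never repeated under a given key does.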

Implementation pitfalls

  • Timing leaks
  • Error oracles
  • Parsing and padding bugs
  • State reuse

Security is end-to-end

10 / 11
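Added worked example (not from the slides) for the timing-leak item. Wall-clock timing is noisy in Python, so the leak is modelled directly: each comparison reports how many bytes it examined, which is what an early-exit memcmp exposes through its running time. The early-exit version reveals the length of the matching prefix; the constant-time version always touches every byte and branches on nothing data-dependent. Production code should call the library primitive, hmac.compare_digest, shown last. The tags are constructed values.

```python
"""Early-exit comparison leaks the matching-prefix length (added example)."""
import hmac


def early_exit_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Typical memcmp-style check that stops at the first mismatch.
    Returns (equal, bytes_examined); the second value is the timing leak."""
    if len(expected) != len(provided):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, provided)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def constant_time_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Accumulate the OR of byte differences and decide once at the end, so
    the amount of work does not depend on where (or whether) bytes differ."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for x, y in zip(expected, provided):
        diff |= x ^ y
    return diff == 0, len(expected)


def verify_tag(expected: bytes, provided: bytes) -> bool:
    """What real code should use: the standard library's constant-time check."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    tag = bytes.fromhex("1020304050607080")   # constructed MAC tag
    for guess in (b"\x00" * 8, b"\x10\x20\x00\x00\x00\x00\x00\x00", tag):
        print(f"{guess.hex()}: early-exit {early_exit_compare(tag, guess)}, "
              f"constant-time {constant_time_compare(tag, guess)}, "
              f"compare_digest {verify_tag(tag, guess)}")
```

A length mismatch returning immediately is fine for MAC tags, where the expected length is public; what must not leak is anything about the content of the bytes.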

What you will build

  • XorShift64* toy PRNG
  • Unbiased modulo reduction
  • Birthday collision threshold
  • Two-time pad recovery

11 / 11