Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Transcription

1 Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev

2 Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern cryptography Security definition = computational ability type of attack notion of break 2

3 Outline Perfect secrecy The one-time pad Limitations of perfect secrecy 3

4 Symmetric-Key Encryption Syntax: Three algorithms (KeyGen, Enc, Dec) Key-generation algorithm KeyGen outputs a key k K Encryption algorithm Enc takes a key k K and a plaintext m M, and outputs a ciphertext c C Decryption algorithm Dec takes a key k K and ciphertext c C, and outputs a plaintext m M m Enc c Dec m k k 4

5 Perfect Secrecy Define Pr M = m & Pr C = c for every m M & c C Eve knows a distribution over M A key k K is sampled independently A ciphertext c should reveal no information to Eve on the encrypted message m Enc c Dec m k k 5

6 Perfect Secrecy Definition 2.1 (Perfect Secrecy): A symmetric-key encryption scheme Π = (KeyGen, Enc, Dec) is perfectly secret if for every distribution over M, for every m M, and for every c C it holds that Pr M = m C = c = Pr M = m m Enc c Dec m k k Simplifying assumption: Pr M = m > 0 & Pr C = c > 0 for every m M & c C 6

7 Perfect Secrecy Definition 2.1 (Perfect Secrecy): A symmetric-key encryption scheme Π = (KeyGen, Enc, Dec) is perfectly secret if for every distribution over M, for every m M, and for every c C it holds that Pr M = m C = c = Pr M = m Lemma 2.2: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m M, and for every c C it holds that Pr C = c M = m = Pr C = c 7

8 Perfect Secrecy Lemma 2.2: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m M, and for every c C it holds that Pr C = c M = m = Pr C = c Proof ( ): Fix a distribution over M, m M, and c C and assume that Pr C = c M = m = Pr C = c Therefore, Pr M = m C = c = Pr C = c M = m Pr M = m Pr C = c Bayes theorem = Pr M = m 8

9 Perfect Secrecy Lemma 2.2: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m M, and for every c C it holds that Pr C = c M = m = Pr C = c Proof ( ): Fix a distribution over M, m M, and c C and assume that Pr M = m C = c = Pr M = m Therefore, Pr C = c M = m = Pr M = m C = c Pr C = c Pr M = m Bayes theorem = Pr C = c 9

10 Perfect Secrecy Definition 2.1 (Perfect Secrecy): A symmetric-key encryption scheme Π = (KeyGen, Enc, Dec) is perfectly secret if for every distribution over M, for every m M, and for every c C it holds that Pr M = m C = c = Pr M = m Lemma 2.3: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m 0, m 1 M, and for every c C it holds that Pr C = c M = m 0 = Pr C = c M = m 1 The random variables Enc k m 0 & Enc k m 1 are identically distributed 10

11 Perfect Secrecy Lemma 2.3: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m 0, m 1 M, and for every c C it holds that Pr C = c M = m 0 = Pr C = c M = m 1 Proof ( ): Fix a distribution over M, m M, and c C. Perfect secrecy implies (by the previous lemma) that Pr C = c M = m 0 = Pr C = c and Pr C = c M = m 1 = Pr C = c 11

12 Perfect Secrecy Lemma 2.3: A symmetric-key encryption scheme Π is perfectly secret if and only if for every distribution over M, for every m 0, m 1 M, and for every c C it holds that Proof ( ): Exercise. Pr C = c M = m 0 = Pr C = c M = m 1 12

13 Perfect Secrecy Claim 2.4: The shift and substitution ciphers are not perfectly secret for plaintexts of length l > 1. Shift Cipher: KeyGen uniformly samples k {0,, 25} M = {a,, z} l and C = {A,, Z} l Enc shifts each letter k positions forward (wrapping around from Z to A) Dec shifts backward Pr C = "AB" M = "ab" = 1 0 = Pr C = "AB" M = "aa" 26 13

14 The One-Time Pad K = M = C = 0,1 l KeyGen uniformly samples k 0,1 l Enc k m = m k Dec k c = c k Pr K = k = 2 l for every k 0,1 l Correctness: k K, m M Dec k Enc k m = Dec k m k = m k k = m Theorem 2.5: The one-time pad is perfectly secret for plaintexts of any length l. 14

15 The One-Time Pad Theorem 2.5: The one-time pad is perfectly secret for plaintexts of any length l. Proof: Fix m 0, m 1 M and c C. We will prove that Indeed, for each b 0,1 it holds that Pr C = c M = m 0 = Pr C = c M = m 1 Pr C = c M = m b = Pr M K = c M = m b = Pr m b K = c = Pr K = c m b = 1 2 l 15

16 The One-Time Pad -- Limitations Keys are as long as plaintexts Two-time insecurity: Given c = Enc k m and c = Enc k m can learn c c = m m Insecurity against known-plaintext attacks From m and c = Enc k m can recover k = m c Theorem 2.6: Let Π = (KeyGen, Enc, Dec) be a symmetric-key encryption scheme with key space K and message space M. If Π is perfectly secret then K M. 16

17 The One-Time Pad -- Limitations Proof: Assume that K < M, and we show that the scheme is not perfectly secret. Consider the uniform distribution over M and fix some m M. Fix some c C which is a possible encryption of m. Let M c m m = Dec k c for some k K, then M c K. m m c Thus, the assumption K < M implies that M c < M. In particular, there exists some m M s.t. m M c. m This implies that Pr M = m C = c = 0 1 M = Pr M = m M C and so the scheme is not perfectly secret. 17

18 Characterizing Perfect Secrecy Theorem 2.7 (Shannon s Theorem): Let Π = (KeyGen, Enc, Dec) be symmetric-key encryption scheme for which K = M = C. Then Π is perfectly secret if and only if the following two conditions hold: 1. Every k K is chosen by KeyGen with probability 1/ K. 2. For every m M and c C there exists exactly one k K such that Enc k (m) outputs c. 18

19 Recommended Reading J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapter 2 (Perfectly Secret Encryption) 19