and its Extension to Authenticity

Transcription

1 EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of Denmar Trondhjemsgade 3, 2TH DK-2100 Copenhagen East JamesMassey@compuserve.com 1

2 Cryptology ( hidden word ) Cryptography (code maing) Cryptanalysis (code breaing) The good guys The bad guys 2

3 Goals of cryptography Secrecy Authenticity Xuejia Lai has given a useful razor for deciding whether something is a matter of secrecy or a matter of authenticity. 3

4 Secrecy - concerned with who has access to (or can read) a legitimate message. Secrecy deals with safeguarding the future by ensuring that only authorized recipients will be able to gain access to (or read) a legitimate message. 4

5 Authenticity - concerned with who can create (or write) a legitimate message. Authenticity deals with protecting the past by ensuring that the creator (or author) was entitled to create (or write) the message ensuring that the contents of the message have not been altered 5

6 A secrecy scheme: The Caesar Cipher Y X Z 0 1 A B C Arithmetic on a CIRCLE (Modulo 26 arithmetic) Encrypt = Add 3 (move clocwise 3 places) Decrypt = Subtract 3 (move counterclocwise 3 places) SECRET KEY = 3 C A E S A R F D H V D U plaintext ciphertext M A S S E Y D V V H B plaintext ciphertext 6

7 Today we use a SMALLER CIRCLE! 1 0 Arithmetic on this CIRCLE (Modulo 2 arithmetic) Encrypt = Add (move clocwise) Decrypt = Subtract (move counterclocwise) = (move clocwise) Decrypt = Encrypt and a LONGER SECRET KEY! plaintext secret ey ciphertext 7

8 Everybody lies to mae secret codes! 8

9 hotograph of Shannon at home in (from the New Yor Times Magazine, 30 December 2001) 9

10 As a first step in the mathematical analysis of cryptography, it is necessary to idealize the situation suitably, and to define in a mathematically acceptable way what we shall mean by a secrecy system. C.E. Shannon, "Communication Theory of Secrecy Systems", Bell System Tech. J., vol. 28, pp , Oct., This was a radical departure from previous papers in cryptography where (as in Steen and Stoffer) conjecture and imprecision reigned. Just how did Shannon define a secrecy system in a mathematically acceptable way? 10

11 He drew a picture! (Shannon, 1949) 11

12 Claude Elwood Shannon ( ) (photographed 17 April 1961 by Göran Einarsson) 12

13 Shannon s Fig. 1 Schematic of a general secrecy system maes the following assumptions crystal clear: The message M and the ey K are independent random variables. The sender and receiver both now the ey. The attacer nows only the cryptogram E (i.e., a ciphertext-only attac is assumed). The receiver is able to recover the message M from nowledge of the cryptogram E and ey K. No assumption is made about who generates the ey. You don t need a lot of words and/or equations to mae yourself mathematically precise! 13

14 Kerchoffs rinciple A cipher should be secure when the enemy cryptanalyst nows all details of the enciphering process and deciphering process except for the value of the secret ey. This principle was first stated in 1881 by the Dutchman Auguste Kerchoffs ( ). When evaluating security, one assumes that the enemy cryptanalyst nows everything (including the source statistics and ey statistics) except the secret ey. 14

15 What does unbreaable mean? To Shannon, a cipher is unbreaable in a ciphertext-only attac if it provides unconditional security, i.e., no matter how hard or how long the attacer wors, he/she can do no better than to guess the plaintext by the best guessing rule that he/she would use without having seen the ciphertext. Shannon s 1949 definition: A cipher provides perfect secrecy against a ciphertext-only attac if the plaintext and the ciphertext, considered as random variables, are independent. 15

16 Vernam s 1926 Cipher: Enemy cryptanalyst in a ciphertext-only attac. Binary laintext Source M R Secure Channel R is the secret ey, a totally random BSS sequence. Binary Symmetric Source E R R M Destination Vernam claimed that his cipher was unbreaable! 16

17 Vernam not only claimed that his cipher was unbreaable, but also stated that he had confirmed this in field trials with the U. S. Army Signal Corps. Was Vernam right? Was his cipher the first unbreaable cipher in the many thousands of years of cryptographic history? 17

18 The Binary Symmetric Source (BSS) of information theory is a money with a fair binary coin ( 0 on one side and 1 on the other). 18

19 Cryptographic property of the BSS: The modulo-two sum of a BSS output and an arbitrary random sequence is another BSS output that is INDEENDENT of the arbitrary random sequence. Example: BSS output: Arb. Ran. Seq Modulo-2 sum

20 Vernam s cipher provides perfect secrecy against a ciphertext-only attac! Binary laintext Source M R E Secure Channel R BSS Destination The cryptogram E that the enemy cryptanalyst sees is independent of the plaintext message M. This simple proof of unbreaability of Vernam s 1926 cipher was first given by Shannon in 1949! R M 20

21 Vernam s cipher is usually today called the one-time pad to emphasize that the ey is to be used for only one message. It was used by spies on both sides in World War II and is still the cipher of choice for extremely important secret communications. (What Shannon called the plaintext is the total data that will be encrypted before the ey is changed, i.e., Shannon specified a one-time ey in his theory of secrecy systems.) 21

22 Vernam s cipher needs as many binary digits of secret ey as there are bits of plaintext to be encrypted. Vernam was right about his cipher being unbreaable, but does an unbreaable cipher really need this huge amount of secret ey??? 22

23 Shannon s 1949 Lower Bound on Key Length: For perfect secrecy, the number of different eys must be AT LEAST AS GREAT as the number of different plaintexts. roof: For any fixed ey, the number of different ciphertexts e equals the number of different plaintexts m. erfect secrecy for all possible e and any fixed m, (E=e M=m) = (E=e) 0 For a fixed m, the number of different ciphertexts e must equal at least the number of different plaintexts m. But all eys from a fixed m to different e s must be different. 23

24 Shannon later gave the following proof of a slightly weaer lower bound on ey length, namely H(K) H(E). erfect secrecy H(E) = H(M E) H(MK E) = H(K E) + H(M EK) = H(K E) = 0 H(K) Thus, if the cipher is to give perfect secrecy regardless of the source statistics, it must also give perfect secrecy for the BSS for which H(M) = N bits. Thus H(K) N so that the ey must be at least N binary digits long. 24

25 The number of different plaintext messages is about 2 H(M) where H(M) is the entropy of the plaintext message. Equivalently, one says that H(M) is the number of bits of information in the plaintext message. An ideal data compressor will compress M to about H(M) binary digits. Consider the system: M Ideal Data Compressor Vernam s Cipher E K Achieves perfect secrecy and the number of binary digits of the ey K is H(M), which satisfies Shannon s lower bound with equality. 25

26 Simmons Model of a Substitution Attac on an Authenticity System MESSAGE SOURCE M ENCIHERER T K E E' DECIHERER T K -1 ACCETED M' K ENEMY CRYTANALYST Secure Channel K KEY SOURCE K RECOGNIZED UNAUTHENTIC E' can be the legitimate cryptogram E or a phony cryptogram E' (E' E) inserted by the attacer. E' is accepted if and only if it is a valid cryptogram for the ey K. 26

27 In an impersonation attac, the attacer forms E' without seeing a legitimate cryptogram E and wins if his cryptogram is accepted. I = robability of successful impersonation when the attacer uses an optimum attac. S = robability of successful substitution when the attacer uses an optimum attac. d = robability of deception = max( I, S ) Simmons 1984 bound on the probability of deception: d 2 -I(E; K) where I(E; K) = H(K) - H(K E) is the mutual information between E and K. The only way to get unconditionally secure authenticity is to let the cryptogram give information about the ey! 27

28 Example of an authenticity system meeting Simmon s lower bound on I with equality: laintext is sent in the clear and the ey is added as a signature: E = [M : K] If the ey has length n binary digits, then I = 2 -n because the attacer can only mae a random guess at the secret ey in an impersonation attac. I(E; K) = n bits so that Simmons bound on I holds with equality! This authenticity system gives no secrecy! In a substitution attac, the attacer can achieve S = 1. 28

29 Example of an authenticity system meeting Simmon s lower bound on S and d with equality: 1-bit messages with individual signatures. K = (K 1, K 2,... K ν, K ν +1,... K 2ν ) [n = 2ν-bit ey] assumed generated by a BSS. M is 0 or 1. M = 0 E = (0, K 1, K 2,... K ν ) M = 1 E = (1, K ν +1, K ν +2,... K 2ν ) Note that again there is no secrecy! Whether the attacer observes E or not, he must guess ν bits of ey to produce a cryptogram E' that will be accepted as authentic. I = S = d = 2 -ν. But I(E; K) = ν bits so that Simmons bound on d holds with equality! 29

30 This example shows that we can have unconditionally secure authenticity with no secrecy. Vernam s cipher gives perfect secrecy against a ciphertext-only attac but no protection against an impersonation attac, i.e., I = 1. The important conclusion to mae is that secrecy and authenticity are independent attributes of a cryptographic system. 30

31 The informational divergence (or the Kullbach- Leibler distance or the relative entropy or the discrimination ) from to Q, two probability distributions on the same alphabet, is the quantity D( Q) = x supp( ) Q(x) (x) log. (x) Fundamental property of informational divergence: D ( Q) 0 with equality if and only if = Q. Let H 0 and H 1 be the two possible hypotheses and let Y be the observation used to determine which hypothesis is true. Let D 0 and D 1 be the regions of Y values in which one decides for H 0 or H 1, respectively. Let α or β be the error probabilities when H 0 or H 1 is true, respectively. 31

32 Let V (0 or 1) be the decision as to which hypothesis is true so that α = V H 0 (1) and β = V H1 (0). Direct calculation gives D( V H ) 0 V H1 1- β = α log α (1 α) log β. 1-α Information-theoretic bound for hypothesis testing: D( Y H 0 Y H1 1- β ) α log (1 α with equality if and only if Y H Y H 0 1 (y) (y) β α) log 1-α has the same value for all y D 0 and has the same value for all y D 1. 32

33 For the important special case where α = 0, i.e., where we never err when H 0 is true, the previous bound gives β 2 D ( Y H 0 Y H1 Now suppose that H 0 is the hypothesis that the observation Y = E' is the legitimate cryptogram E for the ey K =, i.e., ( y) = E K ( ), and that H 1 is the hypothesis Y H y 0 = that Y = E' is formed by the attacer according to H ( y) = ( y) ( ) ( y) 1 E = K = E K Y = which may not be the optimum attacing strategy. Let β be the error probability when K = so that β 2 D ( E K = E ) ).., 33

34 34 Moreover, β is just the probability I of successful impersonation, so the information-theoretic bound becomes. 2 ) ; ( E K I I ) ( ) ( log ) ( ) ( y y y D K E E y K E E K E = = = = ) ( ) ( 2 E E K K D = ) ( )2 ( ) ( = = E K E D K K β β where we have used Jensen s inequality. But ). ; ( ) ( ) ( ) ( ) ( K E I K E H E H D E E K K = = = This completes the proof of Simmons lower bound.

35 Simmons proof of his bound on the probability of deception (or impersonation) appears in G. J. Simmons, "Authentication Theory/Coding Theory," pp in Advances in Cryptology - CRYTO '84 (Eds. G. R. Blaey and D. Chaum), Lecture Notes in Computer Science No Heidelberg and New Yor: Springer, Several simplifications of his derivation have since been given. The most insightful one, which we have followed, is by Maurer, cf. U. M. Maurer, "Information Theoretic Bounds in Authentication Theory," p.12 in roc. IEEE Inst. Symp. Info. Th., Whistler, Canada, Sept , U.M. Maurer, "A Unified and Generalized Treatment of Authentication Theory, pp in roc. 13th Symp. on Theoretical Aspects of Computer Science (STACS'96), Lecture Notes in Computer Science No. 1046, New Yor: Springer, Maurer based his treatment on Blahut s informationtheoretic approach to hypothesis testing, cf. R. E. Blahut, Hypothesis testing and information theory, IEEE Trans. Inform. Theory, vol. IT-20, pp , July