Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Similar documents
Introduction to Cryptology. Lecture 2

Introduction to Cryptology. Lecture 3

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Chapter 2 : Perfectly-Secret Encryption

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Perfectly-Secret Encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPA-Security. Definition: A private-key encryption scheme

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Lecture 2: Perfect Secrecy and its Limitations

CPSC 467b: Cryptography and Computer Security

CTR mode of operation

Historical cryptography. cryptography encryption main applications: military and diplomacy

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Classical Cryptography

Modern Cryptography Lecture 4

Lecture 13: Private Key Encryption

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Data and information security: 2. Classical cryptography

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Solution of Exercise Sheet 6

Computational security & Private key encryption

Lecture 28: Public-key Cryptography. Public-key Cryptography

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 8 - Cryptography and Information Theory

Lecture Notes on Secret Sharing

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Winter 17 CS 485/585. Intro to Cryptography

Winter 18 CS 485/585. Intro to Cryptography

CSCI3381-Cryptography

Public Key Cryptography

Cryptography 2017 Lecture 2

Chapter 2. A Look Back. 2.1 Substitution ciphers

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Modern symmetric-key Encryption

Cook-Levin Theorem. SAT is NP-complete

1 Indistinguishability for multiple encryptions

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

William Stallings Copyright 2010

Shannon s Theory of Secrecy Systems

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Dan Boneh. Introduction. Course Overview

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

Lecture 5, CPA Secure Encryption from PRFs

CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

What is Cryptography? by Amit Konar, Dept. of Math and CS, UMSL

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Block ciphers And modes of operation. Table of contents

Lecture Notes. Advanced Discrete Structures COT S

Errata/Typos for Introduction to Modern Cryptography

Dan Boneh. Stream ciphers. The One Time Pad

Scribe for Lecture #5

Topics. Probability Theory. Perfect Secrecy. Information Theory

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Computer Science A Cryptography and Data Security. Claude Crépeau

Cryptography. P. Danziger. Transmit...Bob...

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

10 Modular Arithmetic and Cryptography

NET 311D INFORMATION SECURITY

Security of Networks (12) Exercises

Lecture (04) Classical Encryption Techniques (III)

one approach to improve security was to encrypt multiple letters invented by Charles Wheatstone in 1854, but named after his

Lecture 9 - Symmetric Encryption

Lecture Note 3 Date:

Provable security. Michel Abdalla

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

Cryptographic Engineering

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

MATH3302 Cryptography Problem Set 2

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Block Ciphers/Pseudorandom Permutations

Computational and Statistical Learning Theory

El Gamal A DDH based encryption scheme. Table of contents

Innovation and Cryptoventures. Cryptology. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc.

An Introduction to Cryptography

Chapter 2 Classical Cryptosystems

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Great Theoretical Ideas in Computer Science

5. Classical Cryptographic Techniques from modular arithmetic perspective

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

1/16 2/17 3/17 4/7 5/10 6/14 7/19 % Please do not write in the spaces above.

CS 6260 Applied Cryptography

Computational and Statistical Learning Theory

Introduction to Cryptography

Transcription:

Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C goodmorning JRRGPRUQLQJ

Frequency Analysis If plaintext is known to be grammatically correct English, can use frequency analysis to break monoalphabetic substitution ciphers:

An Improved Attack on Shift/Caesar Cipher using Frequency Analysis Associate letters of English alphabet with numbers 0...25 Let p i denote the probability of the i-th letter in English text. Using the frequency table: 25 p 2 i=0 i 0.065 Let q i denote the probability of the i-th letter in this ciphertext: # of occurrences/length of ciphertext 25 Compute I j = i=0 p i q i+j for each possible shift value j Output the value k for which I k is closest to 0.065.

Vigenere Cipher (1500 A.D.) Poly-alphabetic shift cipher: Maps the same plaintext character to different ciphertext characters. Vigenere Cipher applies multiple shift ciphers in sequence. Example: Plaintext: t e l l h i m a b o u t m e Key: c a f e c a f e c a f e c a Ciphertext: W F R Q K J S F E P A Y P F

Breaking the Vigenere cipher Assume length of key t is known. Ciphertext C = c 1, c 2, c 3, Consider sequences c 1, c 1+t, c 1+2t, c 2, c 2+t, c 2+2t,.. For each one, run the analysis from before to determine the shift k j for each sequence j.

Index of Coincidence Method How to determine the key length? Consider the sequence: c 1, c 1+t c 1+2t, where t is the true key length 25 2 25 2 We expect i=0 q i i=0 p i 0.065 To determine the key length, try different values 25 2 of τ and compute S τ = i=0 q i for subsequence c 1, c 1+τ, c 1+2τ, When τ = t, we expect S τ to be 0.065 When τ t, we expect that all characters will occur with roughly the same probability so we expect S τ to be 1 0.038. 26

What have we learned? Sufficient key space principle: A secure encryption scheme must have a key space that cannot be searched exhaustively in a reasonable amount of time. Designing secure ciphers is a hard task!! All historical ciphers can be completely broken. First problem: What does it mean for an encryption scheme to be secure?

Recall our setting Sender k c Enc k (m) c Receiver k m = Dec k (c)

Coming up with the right definition After seeing various encryption schemes that are clearly not secure, can we formalize what it means to for a private key encryption scheme to be secure?

Coming up with the right definition First Attempt: An encryption scheme is secure if no adversary can find the secret key when given a ciphertext Problem: The aim of encryption is to protect the message, not the secret key. Ex: Consider an encryption scheme that ignores the secret key and outputs the message.

Coming up with the right definition Second Attempt: An encryption scheme is secure if no adversary can find the plaintext that corresponds to the ciphertext Problem: An encryption scheme that reveals 90% of the plaintext would still be considered secure as long as it is hard to find the remaining 10%.

Coming up with the right definition Third Attempt: An encryption scheme is secure if no adversary learns meaningful information about the plaintext after seeing the ciphertext How do you formalize learns meaningful information?

Coming Up With The Right Definition How do you formalize learns meaningful information? Two ways: An information-theoretic approach of Shannon (next couple of lectures) A computational approach (the approach of modern cryptography)

New Topic: Information-Theoretic Security

Probability Background

Terminology Discrete Random Variable: A discrete random variable is a variable that can take on a value from a finite set of possible different values each with an associated probability. Example: Bag with red, blue, yellow marbles. Random variable X describes the outcome of a random draw from the bag. The value of X can be either red, blue or yellow, each with some probability.

More Terminology A discrete probability distribution assigns a probability to each possible outcomes of a discrete random variable. Ex: Bag with red, blue, yellow marbles. An experiment or trial (see below) is any procedure that can be infinitely repeated and has a well-defined set of possible outcomes, known as the sample space. Ex: Drawing a marble at random from the bag. An event is a set of outcomes of an experiment (a subset of the sample space) to which a probability is assigned Ex: A red marble is drawn. Ex: A red or yellow marble is drawn.

Conditional Probability A conditional probability measures the probability of an event given that (by assumption, presumption, assertion or evidence) another event has occurred. Probability of event X, conditioned on event Y: Pr [X Y] Example: Probability the second marble drawn will be red, conditioned on the first marble being yellow.

Basic Facts from Probability If two events are independent if and only if Pr [X Y] = Pr [X]. AND of two events: Pr X Y = Pr X Pr [Y X] AND of two independent events: Pr X Y = Pr X Pr [Y] OR of two events: Pr X Y Pr [X] + Pr [Y] This is called a union bound.

Formally Defining a Symmetric Key Encryption Scheme

Syntax An encryption scheme is defined by three algorithms Gen, Enc, Dec Specification of message space M with M > 1. Key-generation algorithm Gen: Probabilistic algorithm Outputs a key k according to some distribution. Keyspace K is the set of all possible keys Encryption algorithm Enc: Takes as input key k K, message m M Encryption algorithm may be probabilistic Outputs ciphertext c Enc k (m) Ciphertext space C is the set of all possible ciphertexts Decryption algorithm Dec: Takes as input key k K, ciphertext c C Decryption is deterministic Outputs message m Dec_k(c)

Distributions over K, M, C Distribution over K is defined by running Gen and taking the output. For k K, Pr K = k denotes the prob that the key output by Gen is equal to k. For m M, Pr[M = m] denotes the prob. That the message is equal to m. Models a priori knowledge of adversary about the message. E.g. Message is English text. Distributions over K and M are independent. For c C, Pr[C = c] denotes the probability that the ciphertext is c. Given Enc, distribution over C is fully determined by the distributions over K and M.

Definition of Perfect Secrecy An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m M, and every ciphertext c C for which Pr C = c > 0: Pr M = m C = c] = Pr[M = m].

An Equivalent Formulation Lemma: An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every message m M, and every ciphertext c C: Pr C = c M = m] = Pr[C = c].

Basic Logic Usually want to prove statements like P Q ( if P then Q ) To prove a statement P Q we may: Assume P is true and show that Q is true. Prove the contrapositive: Assume that Q is false and show that P is false.

Basic Logic Consider a statement P Q (P if and only if Q) Ex: Two events X, Y are independent if and only if Pr X Y = Pr X Pr Y. To prove a statement P Q it is sufficient to prove: P Q Q P

Proof (Preliminaries) Recall Bayes Theorem: Pr A B] = Pr B A Pr[A] Pr[B] We will use it in the following way: Pr M = m C = c] = Pr C=c M=m] Pr[M=m] Pr[C=c]

Proof Proof: To prove: If an encryption scheme is perfectly secret then for every probability distribution over M, every message m M, and every ciphertext c C: Pr C = c M = m] = Pr[C = c]. "

Proof (cont d) Fix some probability distribution over M, some message m M, and some ciphertext c C. By perfect secrecy we have that Pr M = m C = c] = Pr[M = m]. By Bayes Theorem we have that: Pr M = m C = c] = Pr C = c M = m] Pr[M = m] Pr[C = c] Rearranging terms we have: Pr C = c M = m] = Pr[C = c]. = Pr[M = m].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback