Cryptographic Engineering

Similar documents
Topics. Probability Theory. Perfect Secrecy. Information Theory

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Computer Science A Cryptography and Data Security. Claude Crépeau

Chapter 2 : Perfectly-Secret Encryption

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

Cryptography 2017 Lecture 2

Lecture Notes. Advanced Discrete Structures COT S

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

William Stallings Copyright 2010

Shannon s Theory of Secrecy Systems

Lecture Note 3 Date:

Lecture 2: Perfect Secrecy and its Limitations

Cryptography - Session 2

Historical cryptography. cryptography encryption main applications: military and diplomacy

Private-key Systems. Block ciphers. Stream ciphers

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Perfectly-Secret Encryption

Lecture 8 - Cryptography and Information Theory

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

A block cipher enciphers each block with the same key.

Introduction to Cryptology. Lecture 3

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Winter 17 CS 485/585. Intro to Cryptography

STREAM CIPHER. Chapter - 3

02 Background Minimum background on probability. Random process

Winter 18 CS 485/585. Intro to Cryptography

Dan Boneh. Introduction. Course Overview

and its Extension to Authenticity

Dan Boneh. Stream ciphers. The One Time Pad

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

6.080/6.089 GITCS April 8, Lecture 15

Introduction to Cryptography Lecture 4

Solution of Exercise Sheet 6

Scribe for Lecture #5

3F1 Information Theory, Lecture 1

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Lecture 13: Private Key Encryption

Information-theoretic Secrecy A Cryptographic Perspective

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Shannon s Theory. Objectives

Cryptographic Engineering

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

CPA-Security. Definition: A private-key encryption scheme

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Galois Field Commitment Scheme

Public-key Cryptography: Theory and Practice

CTR mode of operation

Perfectly secure cipher system.

CRC Press has granted the following specific permissions for the electronic version of this book:

Computational security & Private key encryption

PERFECTLY secure key agreement has been studied recently

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Mathematical Foundations of Computer Science Lecture Outline October 18, 2018

Provable security. Michel Abdalla

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Probability. VCE Maths Methods - Unit 2 - Probability

Entropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39

ELEG 3143 Probability & Stochastic Process Ch. 1 Probability

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Modern Cryptography Lecture 4

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

and Other Fun Stuff James L. Massey

CPSC 467b: Cryptography and Computer Security

Channel Coding for Secure Transmissions

Origins of Probability Theory

Review (Probability & Linear Algebra)

MATH3302 Cryptography Problem Set 2

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

5 Pseudorandom Generators

The simple ideal cipher system

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lecture 5 - Information theory

Block encryption of quantum messages

Cryptography and Security Midterm Exam

Computational and Statistical Learning Theory

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Data and information security: 2. Classical cryptography

Information Leakage of Correlated Source Coded Sequences over a Channel with an Eavesdropper

Block Ciphers and Feistel cipher

The BB84 cryptologic protocol

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Attainable Unconditional Security for Shared-Key Cryptosystems

Random Sampling - what did we learn?

Random Sampling - what did we learn? Homework Assignment

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Towards Provable Security of Substitution-Permutation Encryption Networks

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Block Cipher Cryptanalysis: An Overview

Transcription:

Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP

Outline Unconditional security of symmetric cryptosystem Probabilities and information theory Unconditional security of symmetric cryptosystems

Outline Unconditional security of symmetric cryptosystem Probabilities and information theory Unconditional security of symmetric cryptosystems

Discrete Random Variable (1/2) Sample space S: finite set whose elements are called "elementary events" Eg: can be viewed as a possible outcome of an experiment an event is a subset of S. = the null event S= the certain event events A and B are mutually exclusive iff A B = Probability distribution a function Pr : X S [0, 1] satisfying probability axioms: 1. event A: Pr(A) 0; 2. if A and B mutually exclusive: Pr(A B) = Pr(A) + Pr(B) 3. Pr(S) = 1

Discrete Random Variable (2/2) Definition: Discrete Random Variable a function X from a finite space S to the real numbers. quantity whose values are random For a real number x, the event X = x is {s S : X(s) = x}. Thus Pr(X = x) = Pr(s) s S:X(s)=x Experiment = rolling a pair of fair 6-sided dice Random variable X: the maximum of the two values Pr(X = 3) = 5 36

Conditional probability and independence Def. : Conditional prob. of an event A given an event B Pr(A B) = Pr(A B) Pr(B) Def: Two events A and B are independent iff Pr(A B) = Pr(A). Pr(B) So, if Pr(B) 0, A and B independent Pr(A B) = Pr(A) Bayes theorem Pr(A B) = Pr(B A) = Pr(B) Pr(A B) = Pr(A) Pr(B A). Hence, if Pr(B) 0, we have: Pr(A B) = Pr(A) Pr(B A) Pr(B)

Information and entropy Shannon s measure of information 1 Hartley s measure of information: I(E) = log 2 E bit (logon) Def: entropy H(X) (or uncertainty) of a disc. rand. var. X: H(X) = x Supp(X) Pr(X = x). log 2 Pr(X = x) i.e. the "average Hartley information". Basic properties of entropy Let n =Card(Sample space); then H(X) log 2 n The entropy is maximum for the uniform probability distribution Gibbs lemma H(XY) = H(X) + H(Y X) H(X Y) H(X) with equality iff X, Y are indep. H(XY Z) = H(Y Z) + H(X YZ) H(X Y) H(XZ Y)

Unconditional security / Perfect secrecy Characterization of perfect secrecy The knowledge of the ciphertext Y brings no additional information on the plaintext X, i.e. H(X Y) = H(X)

Outline Unconditional security of symmetric cryptosystem Probabilities and information theory Unconditional security of symmetric cryptosystems

Model of a symmetric cryptosystem General model Simplified model Definition: Undistinguishability or Perfect secrecy C P 1 P 2 : Pr K (E K (P 1 ) = C) = Pr K (E K (P 2 ) = C) The symmetric cipher is unconditionally secure iff H(P C) = H(P) i.e. the cryptanalyst s a-posteriori probability distribution of the plaintext, after having seen the ciphertext, is identical to its a-priori distribution. Shannon s theorem: necessary condition, lower bound on K In any unconditionally secure cryptosystem: H(K) H(P). Proof: H(P) = H(P C) H((P, K) C) = H(K C) + H(P (K, C)) = H(K C) H(K)

Vernam s cipher: unconditionally secure Shannon s Theorem part 2: existence There exists an unconditionally secure cipher. Example: OTP (One-Time Pad) / Vernam s cipher Symmetric cipher of a bit stream: let = boolean xor; let n = P. for i = 1,..., n: C i = P i K i Vernam s patent, 1917 OTP: One-Time Pad [AT&T Bell labs] NB: size of the (boolean) key K = size of the (boolean) plaintext P. OTP applications Unbreakable if used properly. A one-time pad must be truly random data and must be kept secure in order to be unbreakable. intensively used for diplomatic communications security in the 20th century. E.g. telex line Moscow Washington: keys were generated by hardware random bit stream generators and distributed via trusted couriers. In the 1940s, the (Soviet Union) KGB used recycled one-time pads, leading to the success of the NSA code-breakers of the project VENONA [http://www.nsa.gov/venona/]

Generalized Vernam s cipher Generalization to a group (G, ) with m = G elements For 1 i n, let K i be uniformly randomly chosen in G. Ciphertext C = E K (P) is computed by: C i = P i K i What is the deciphering P = D K (P)?

Generalized Vernam s cipher Generalization to a group (G, ) with m = G elements For 1 i n, let K i be uniformly randomly chosen in G. Ciphertext C = E K (P) is computed by: C i = P i K i What is the deciphering P = D K (P)? Theorem: Generalized Vernam s cipher provides undistinguishability Proof: Pr K(P 1 ) = C) K = Pr 1 = C) = Pr 1) = 1 K K #K = Pr 2) = Pr K(P 2 ) = C) K K

Generalized Vernam s cipher Generalization to a group (G, ) with m = G elements For 1 i n, let K i be uniformly randomly chosen in G. Ciphertext C = E K (P) is computed by: C i = P i K i What is the deciphering P = D K (P)? Theorem: Generalized Vernam s cipher provides undistinguishability Proof: Pr K(P 1 ) = C) K = Pr 1 = C) = Pr 1) = 1 K K #K = Pr 2) = Pr K(P 2 ) = C) K K One Time Pad must be used only once! Re-use with another message: (M 1 K) (M 2 K) = M 1 M 2 Known plaintext attack: (M K) M) = K

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback