CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

Similar documents
Chapter 2. A Look Back. 2.1 Substitution ciphers

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

BLOCK CIPHERS KEY-RECOVERY SECURITY

Solution of Exercise Sheet 6

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Introduction to Cryptology. Lecture 2

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

CS 6260 Applied Cryptography

Modern Cryptography Lecture 4

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 28: Public-key Cryptography. Public-key Cryptography

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Great Theoretical Ideas in Computer Science

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Chapter 2 : Perfectly-Secret Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Klein s and PTW Attacks on WEP

Data and information security: 2. Classical cryptography

CS 6260 Applied Cryptography

CTR mode of operation

CPA-Security. Definition: A private-key encryption scheme

Introduction to Cryptology. Lecture 3

Lecture 2: Perfect Secrecy and its Limitations

1 Indistinguishability for multiple encryptions

ASYMMETRIC ENCRYPTION

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Symmetric Encryption

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Efficient Cryptanalysis of Homophonic Substitution Ciphers

Lecture 13: Private Key Encryption

Lattice Cryptography

Computational security & Private key encryption

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Introduction to Cryptography Lecture 4

Jay Daigle Occidental College Math 401: Cryptology

Cryptography and Number Theory

CSCI3381-Cryptography

Classical Cryptography

Historical cryptography. cryptography encryption main applications: military and diplomacy

Number theory (Chapter 4)

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

HASH FUNCTIONS. Mihir Bellare UCSD 1

ECS 189A Final Cryptography Spring 2011

Pseudorandom Generators

Implementation Tutorial on RSA

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Perfectly-Secret Encryption

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Lecture 5, CPA Secure Encryption from PRFs

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Number Theory in Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Week 7 An Application to Cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Block ciphers And modes of operation. Table of contents

Lecture 11: Key Agreement

Lecture Notes. Advanced Discrete Structures COT S

CPSC 467b: Cryptography and Computer Security

Lecture Notes on Secret Sharing

Topics. Probability Theory. Perfect Secrecy. Information Theory

Scribe for Lecture #5

Cryptography. P. Danziger. Transmit...Bob...

Provable security. Michel Abdalla

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture Notes 15 : Voting, Homomorphic Encryption

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

Chosen Plaintext Attacks (CPA)

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

MODULAR ARITHMETIC KEITH CONRAD

Introduction to Cryptography. Lecture 8

10 Concrete candidates for public key crypto

CPSC 467b: Cryptography and Computer Security

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

8 Security against Chosen Plaintext

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 9 - Symmetric Encryption

CPSC 467: Cryptography and Computer Security

Cryptography 2017 Lecture 2

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

MODULAR ARITHMETIC. Suppose I told you it was 10:00 a.m. What time is it 6 hours from now?

5 Pseudorandom Generators

Lectures 2+3: Provable Security

DD2448 Foundations of Cryptography Lecture 3

Powers in Modular Arithmetic, and RSA Public Key Cryptography

1 Secure two-party computation

The Hill Cipher A Linear Algebra Perspective

Practice Assignment 2 Discussion 24/02/ /02/2018

Advanced Cryptography 1st Semester Public Encryption

Polyalphabetic Ciphers

Exercise Sheet Cryptography 1, 2011

Lattice Cryptography

Public-Key Cryptosystems CHAPTER 4

Symmetric Encryption. Adam O Neill based on

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Transcription:

CLASSICAL ENCRYPTION Mihir Bellare UCSD 1

Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2

Correct decryption requirement For all K, M we have D K (E K (M)) = M Mihir Bellare UCSD 3

Terminology recall Alphabets: Σ 1 = {A, B, C,..., Z} Σ 2 = {A, B, C,..., Z} {,.,?,...} Σ 3 = {0, 1} Strings: Over Σ 1 : HELLO, BZYK,... Over Σ 2 : HOW ARE YOU? Over Σ 3 : 01101 Denote by Σ the set of all strings over alphabet Σ: {A, B,..., Z} {0, 1} Mihir Bellare UCSD 4

Length and size If s is a string then s is the number of symbols in it: HELLO = 5 HOW ARE YOU? = Mihir Bellare UCSD 5

Length and size If s is a string then s is the number of symbols in it: HELLO = 5 HOW ARE YOU? = 12 Mihir Bellare UCSD 6

Length and size If s is a string then s is the number of symbols in it: HELLO = 5 HOW ARE YOU? = 12 01101 = 5 We denote by s[i] the i-th symbol of string s: s[3] = L if s = HELLO s[5] = A if s = HOW ARE YOU? s[2] = 1 if s = 01101 If S is a set then S is its size: {A, B,..., Z} = 26 {0, 1} 8 = Mihir Bellare UCSD 7

Length and size If s is a string then s is the number of symbols in it: HELLO = 5 HOW ARE YOU? = 12 01101 = 5 We denote by s[i] the i-th symbol of string s: s[3] = L if s = HELLO s[5] = A if s = HOW ARE YOU? s[2] = 1 if s = 01101 If S is a set then S is its size: {A, B,..., Z} = 26 {0, 1} 8 = 2 8 Mihir Bellare UCSD 8

Functions Then notation π : D R means π is a map (function) with inputs drawn from the set D (the domain) outputs falling in the set R (the range) Example: Define π : {1, 4, 6} {0, 1} by x 1 4 6 π(x) 1 1 0 Functions can be specified as above or sometimes by code. Example: The above can also be specified by Alg π(x) Return x mod 3 Mihir Bellare UCSD 9

Permutations A map (function) π : S S is a permutation if it is one-to-one. Equivalently, it has an inverse map π 1 : S S. Example: S = {A, B, C} A permutation and its inverse: x A B C π(x) C A B y A B C π 1 (x) B C A Not a permutation: x A B C π(x) C B B Mihir Bellare UCSD 10

Counting permutations There are many different possible permutations π: S S on a given set S. How many? To be specific: How many permutations π : S S are there on the set S = {A, B, C}? Mihir Bellare UCSD 11

Counting permutations There are many different possible permutations π: S S on a given set S. How many? To be specific: How many permutations π : S S are there on the set S = {A, B, C}? Answer: 3! = 3 2 1 = 6 x A B C π(x) 3 choices: A,B,C 2 choices: not π(a) 1 choice: not π(a),π(b) In general there are S! permutations π : S S. We let Perm(S) denote the set of all these permutations. Mihir Bellare UCSD 12

Substitution ciphers Alphabet Σ Key is a permutation π : Σ Σ definining the encoding rule Plaintext M Σ is a string over Σ Encryption of M = M[1] M[n] is C = π(m[1]) π(m[n]) Decryption of C = C[1] C[n] is M = π 1 (C[1]) π 1 (C[n]) Mihir Bellare UCSD 13

Substitution ciphers A substitution cipher over alphabet Σ is a symmetric encryption scheme SE = (K, E, D) in which the key output by K is a permutation π : Σ Σ, and Algorithm E π (M) For i = 1,..., M do C[i] π(m[i]) Return C Algorithm D π (C) For i = 1,..., C do M[i] π 1 (C[i]) Return M Mihir Bellare UCSD 14

Setup for Examples Σ = {A, B,..., Z} {,.,?,!,...} Plaintexts are members of Σ, which means any English text (sequence of sentences) is a plaintext. For simplicity we only consider permutations that are punctuation respecting: π( ) =, π(.) =., π(?) =?,... so punctuation is left unchanged by encryption. Mihir Bellare UCSD 15

Example σ A B C D E F G H I J K L M π(σ) B U P W I Z L A F N S G K σ N O P Q R S T U V W X Y Z π(σ) D H T J X C M Y O V E Q R Then encryption of plaintext M = HI THERE is C = π(h)π(i)π( )π(t)π(h)π(e)π(r)π(e) = AF MAIXI τ A B C D E F G H I J K L M π 1 (τ) H A S N X I L O E Q M G T τ N O P Q R S T U V W X Y Z π 1 (τ) J V C Y Z K P B W D R U F Decryption of ciphertext C = AF MAIXI is π 1 (A)π 1 (F)π 1 ( )π 1 (M)π 1 (A)π 1 (I)π 1 (X)π 1 (I) = HI THERE Mihir Bellare UCSD 16

Cryptanalysis Basic adversary goal is plaintext recovery: given ciphertext C it aims to compute M = D(π, C). This is easy if adversary knows π (hence π 1 ), but adversary is not given the key π. However it does know what encryption scheme is used. (Meaning, in this case, a substitution cipher.) Mihir Bellare UCSD 17

Kerchoff s principle K e M E C In some cases, designers hope to get security by keeping the description of the encryption procedure E private. But this prohibits standardization and usage. And it tends not to add to security since adversaries are remarkably good at reverse engineering a description of E from its executable. Example: RC4 and alleged-rc4 Good design (Kerchoff s principle): Adversary knows system The only thing it doesn t know is the key in use Mihir Bellare UCSD 18

Cryptanalysis of a substitution cipher Adversary has a ciphertext COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI OX PTI. Exploit structure of English: In typical text E is the most common letter Next are T, A, O, I, N, S, H, R A letter by itself (like T in ciphertext) can only be A or I. Etc. Mihir Bellare UCSD 19

Frequency counts COXBX TBX CVK CDGXR DI T GTI R A DHX VOXI OX ROKQA U IKC RNXPQA TCX: VOXI OX PTI C THHKBU DC, TIU VOXI OX PTI. A B C D E F G H I J K L M 3 N O P Q R S T U V W X Y Z Mihir Bellare UCSD 20

Frequency counts COXB X TB X CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU IKC RNXPQATCX: VOXI OX PTI C THHKB U DC, TIU VOXI OX PTI. A B C D E F G H I J K L M 3 3 N O P Q R S T U V W X Y Z Mihir Bellare UCSD 21

Frequency counts COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI OX PTI. A B C D E F G H I J K L M 3 3 7 4 0 0 2 3 9 0 4 0 0 N O P Q R S T U V W X Y Z 1 8 3 2 4 0 8 3 4 0 13 0 0 Mihir Bellare UCSD 22

Cryptanalysis E E E E E E E COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU E E: E E, E IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI E. OX PTI. A B C D E F G H I J K L M 3 3 7 4 0 0 2 3 9 0 4 0 0 N O P Q R S T U V W X Y Z 1 8 3 2 4 0 8 3 4 0 13 0 0 τ A B C D E F G H I J K L M π 1 (τ) τ N O P Q R S T U V W X Y Z π 1 (τ) E Mihir Bellare UCSD 23

Cryptanalysis E E E E E E E COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU E E: E E, E IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI E. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) τ N O P Q R S T U V W X Y Z π 1 (τ) H E OX in ciphertext π 1 (O) {B,H,M,W} Guess π 1 (O) = H since O has pretty high frequency Mihir Bellare UCSD 24

Cryptanalysis HE E E E E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU E E: HE HE, HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) τ N O P Q R S T U V W X Y Z π 1 (τ) H E Mihir Bellare UCSD 25

Cryptanalysis HE E E E E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU E E: HE HE, HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE. OX PTI. *HE*E COXBX Could be: THERE,THESE,WHERE,... Guess π 1 (C) = T since there is no? in ciphertext so WHERE is unlikely. So π 1 (B) {R,S} Mihir Bellare UCSD 26

Cryptanalysis THE E E T T E E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU T E TE: HE HE T T, HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) T τ N O P Q R S T U V W X Y Z π 1 (τ) H E Mihir Bellare UCSD 27

Cryptanalysis THE E E T T E E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU T E TE: HE HE T T, HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) T τ N O P Q R S T U V W X Y Z π 1 (τ) H E T is a single-letter word so π 1 (T ) {A, I} We know π 1 (B) {R,S} So TBX could be: ARE,ASE,IRE,ISE We guess ARE Mihir Bellare UCSD 28

Cryptanalysis THERE ARE T T E A A E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU T E ATE: HE HE A T A R T, A HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE A. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) R T τ N O P Q R S T U V W X Y Z π 1 (τ) H A E Mihir Bellare UCSD 29

Cryptanalysis THERE ARE T T E A A E HE HE H COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU T E ATE: HE HE A T A R T, A HE IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE A. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) R T τ N O P Q R S T U V W X Y Z π 1 (τ) H A E *T DC D must be: A or I but T is A so D is I. Etc...! Mihir Bellare UCSD 30

Cryptanalysis THERE ARE TWO TIMES IN A MAN S LIFE WHEN HE SHOULD COXBX TBX CVK CDGXR DI T GTI R ADHX VOXI OX ROKQAU NOT SPECULATE: WHEN HE CAN T AFFORD IT, AND WHEN IKC RNXPQATCX: VOXI OX PTI C THHKBU DC, TIU VOXI HE CAN. OX PTI. τ A B C D E F G H I J K L M π 1 (τ) L R T I M F N O τ N O P Q R S T U V W X Y Z π 1 (τ) P H C U S A D W E Mihir Bellare UCSD 31

Assessment of security of substitution ciphers Defenders may argue Cryptanalysis requires long ciphertext Harder if π is not punctuation-respecting In fact substitution ciphers or variations and enhancements have been almost universally used until relatively recently. Yet they are fundamentally flawed. Mihir Bellare UCSD 32

Voting Vote Y or N for Prop 8 Obama or Romney Voters V 1, V 2, V 3, V 4, V 5 cast votes at polling station. Example votes: YNYYN Polling station π(y)π(n)π(y)π(y)π(n) Tally center Is this secure? Mihir Bellare UCSD 33

Voting Say π(y) = A and π(n) = B. Adversary sees π(y)π(n)π(y)π(y)π(n) = ABAAB Adversary can infer relations: V 1, V 3 had same vote. Adversary might be V 1 It knows its own vote is Y So given ciphertext ABAAB it infers that A represents Y But then B must represent N Adversary knows everyone s vote! Mihir Bellare UCSD 34

The weakness The weakness of a substitution cipher exploited above is simply that the same symbol is always encoded in the same way. Attack does not require long plaintexts, and does not need π to be punctuation-respecting. Mihir Bellare UCSD 35

What happened? Critical security thinking yielded a scenario where substitution ciphers fail miserably: Few possible plaintext symbols (Y or N) Adversary is one of the users (voters) Mihir Bellare UCSD 36

What did we learn? Security depends on usage Evaluating security requires being creative about coming up with usage scenarios that test the scheme Mihir Bellare UCSD 37

Good cryptography A good scheme is one that Is secure in ALL (reasonable) scenarios Is secure regardless of what type of data (e.g., Y,N strings) is being encrypted Even if adversary knows some decryptions, it shouldn t be able to produce others. Mihir Bellare UCSD 38

One time pad Key K $ {0, 1} m is a random m-bit string Plaintext M {0, 1} m is an m-bit string Algorithm E K (M) C K M Return C Algorithm D K (C) M K C Return M Assume only a single message M is ever encrypted under one key. Mihir Bellare UCSD 39

Voting Represent Y by 1 and N by 0 Voters V 1,..., V m cast votes 1, 0, 1, 1, 0,... Let M = 10110 Encryption is C = K M Adversary has C but NOT K Adversary cannot tell whether two people have same vote. Even if adversary is V 1 and knows its own vote is 1, it cannot determine votes of other parties. Mihir Bellare UCSD 40

A measure of security Let SE = (K, E, D) be a symmetric encryption scheme. For any message M and ciphertext C we are interested in Pr [E K (M) = C] where the probability is over the random choice K tossed by E if any. $ K and over the coins Mihir Bellare UCSD 41

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = Mihir Bellare UCSD 42

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = 2 4 = 1 2 Pr[E K (01) = 01] = Mihir Bellare UCSD 43

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = 2 4 = 1 2 Pr[E K (01) = 01] = 0 Pr[E k (10) = 11] = Mihir Bellare UCSD 44

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = 2 4 = 1 2 Pr[E K (01) = 01] = 0 Pr[E k (10) = 11] = 1 4 Mihir Bellare UCSD 45

Perfect security Definition: Let SE = (K, E, D) be a symmetric encryption scheme. We say that SE is perfectly secure if for any two messages M 1, M 2 Plaintexts and any C Pr [E K (M 1 ) = C] = Pr [E K (M 2 ) = C]. In both cases, the probability is over the random choice K the coins tossed by E if any. $ K and over Intuitively: Given C, and even knowing the message is either M 1 or M 2 the adversary cannot determine which. Mihir Bellare UCSD 46

Perfect security Definition requires that For all M 1, M 2, C we have Pr[E K (M 1 ) = C] = Pr[E K (M 2 ) = C]. If we want to show the definition is not met, we need to show that There exists M 1, M 2, C such that Pr[E K (M 1 ) = C] Pr[E K (M 2 ) = C]. Mihir Bellare UCSD 47

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = 2 4 = 1 2 Pr[E K (01) = 01] = 0 Is this encryption scheme perfectly secure? Mihir Bellare UCSD 48

Example Keys: Messages: 00 01 10 11 00 01 10 11 00 01 01 11 10 00 10 00 11 01 11 11 11 10 01 11 The table entry in row K and column M is E K (M). Pr[E K (00) = 01] = 2 4 = 1 2 Pr[E K (01) = 01] = 0 Is this encryption scheme perfectly secure? No, because for M 1 = 00, M 2 = 01 and C = 01 we have Pr [E K (M 1 ) = C] }{{} 1/2 Pr [E K (M 2 ) = C] }{{} 0 Mihir Bellare UCSD 49.

Perfect security of substitution ciphers A substitution cipher is NOT perfectly secure. Formally: Claim: Let SE = (K, E, D) be a substitution cipher over the alphabet Σ consisting of the 26 English letters. Assume that K picks a random permutation over Σ as the key. That is, its code is π $ Perm(Σ) ; return π. Let Plaintexts be the set of all three letter English words. Then SE is not perfectly secure. Mihir Bellare UCSD 50

Proof of claim To show: there exist M 1, M 2, C Σ 3 such that Pr [E π (M 1 ) = C] Pr [E π (M 2 ) = C]. We have replaced K with π because the key here is a permutation. Mihir Bellare UCSD 51

Proof of claim To show: there exist M 1, M 2, C Σ 3 such that Pr [E π (M 1 ) = C] Pr [E π (M 2 ) = C]. We have replaced K with π because the key here is a permutation. Let C = XYY M 1 = FEE M 2 = FAR Mihir Bellare UCSD 52

Proof of claim To show: there exist M 1, M 2, C Σ 3 such that Pr [E π (M 1 ) = C] Pr [E π (M 2 ) = C]. We have replaced K with π because the key here is a permutation. Let C = XYY M 1 = FEE M 2 = FAR Then Pr [E π (M 2 ) = C] = Pr [π(f)π(a)π(r) = XYY] Mihir Bellare UCSD 53

Proof of claim To show: there exist M 1, M 2, C Σ 3 such that Pr [E π (M 1 ) = C] Pr [E π (M 2 ) = C]. We have replaced K with π because the key here is a permutation. Let C = XYY M 1 = FEE M 2 = FAR Then Pr [E π (M 2 ) = C] = Pr [π(f)π(a)π(r) = XYY] = 0 Because π(a) cannot equal π(r) Mihir Bellare UCSD 54

Proof of claim Pr [E π (M 1 ) = C] = Pr [E π (FEE) = XYY] = { π Perm(Σ) : E π(fee) = XYY } Perm(Σ) = { π Perm(Σ) : π(f)π(e)π(e) = XYY } Perm(Σ) Mihir Bellare UCSD 55

Proof of claim Pr [E π (M 1 ) = C] = Pr [E π (FEE) = XYY] = { π Perm(Σ) : E π(fee) = XYY } Perm(Σ) = { π Perm(Σ) : π(f)π(e)π(e) = XYY } Perm(Σ) = 24! 26! = 1 650. Mihir Bellare UCSD 56

Summary Definition: Let SE = (K, E, D) be a symmetric encryption scheme. We say that SE is perfectly secure if for any two messages M 1, M 2 Plaintexts and any C Pr [E K (M 1 ) = C] = Pr [E K (M 2 ) = C]. Claim: Let SE = (K, E, D) be a substitution cipher over the alphabet Σ consisting of the 26 English letters. Assume that K picks a random permutation over Σ as the key. Let Plaintexts be the set of all three letter English words. Then SE is not perfectly secure. We have proved the claim by presenting M 1, M 2, C such that Pr [E K (M 1 ) = C] Pr [E K (M 2 ) = C]. Mihir Bellare UCSD 57

Intuition for OTP security E K (M) = K M Suppose adversary gets ciphertext C = 101 and knows the plaintext M is either M 1 = 010 or M 2 = 001. Can it tell which? No, because C = K M so M = 010 iff K = 111 M = 001 iff K = 100 but K is equally likely to be 111 or 100 and adversary does not know K. Mihir Bellare UCSD 58

Perfect security of OTP Claim: Let SE = (K, E, D) be the OTP scheme with key-length m 1. Then SE is perfectly secure. Want to show that for any M 1, M 2, C Pr [E K (M 1 ) = C] = Pr [E K (M 2 ) = C] That is Pr [K M 1 = C] = Pr [K M 2 = C] when K $ {0, 1} m. Mihir Bellare UCSD 59

Example: m = 2 Keys: Messages: 00 01 10 11 00 00 01 10 11 01 01 00 11 10 10 10 11 00 01 11 11 10 01 00 The entry in row K, column M of the table is E K (M) = K M. Pr[E K (00) = 01] = Mihir Bellare UCSD 60

Example: m = 2 Keys: Messages: 00 01 10 11 00 00 01 10 11 01 01 00 11 10 10 10 11 00 01 11 11 10 01 00 The entry in row K, column M of the table is E K (M) = K M. Pr[E K (00) = 01] = 1 4 Pr[E K (10) = 01] = Mihir Bellare UCSD 61

Example: m = 2 Keys: Messages: 00 01 10 11 00 00 01 10 11 01 01 00 11 10 10 10 11 00 01 11 11 10 01 00 The entry in row K, column M of the table is E K (M) = K M. Pr[E K (00) = 01] = 1 4 Pr[E K (10) = 01] = 1 4 Mihir Bellare UCSD 62

Proof of claim Pr [E K (M 1 ) = C] = Pr [K M 1 = C] Mihir Bellare UCSD 63

Proof of claim Pr [E K (M 1 ) = C] = Pr [K M 1 = C] = { K {0, 1}m : K M 1 = C } {0, 1} m Mihir Bellare UCSD 64

Proof of claim Pr [E K (M 1 ) = C] = Pr [K M 1 = C] = { K {0, 1}m : K M 1 = C } {0, 1} m = 1 2 m. Mihir Bellare UCSD 65

Proof of claim Pr [E K (M 2 ) = C] = Pr [K M 2 = C] = { K {0, 1}m : K M 2 = C } {0, 1} m = 1 2 m. Mihir Bellare UCSD 66

Exercise Let Z 10 = {0, 1,..., 9}. Consider the symmetric encryption scheme in which a message M = M[1]M[2]M[3]M[4] Z 4 10 is a four-digit string, a key π $ Perm(Z 10 ) is a random permutation on Z 10, and the ciphertext C = C[1]C[2]C[3]C[4] = E π (M) Z 4 10 is computed as follows: E π (M) For i = 1,..., 4 do P[i] (M[i] + i) mod 10 C[i] π(p[i]) Return C Mihir Bellare UCSD 67

Exercise 1. [10 points] Specify a decryption algorithm D such that SE = (K, E, D) is a symmetric encryption scheme (Slide 2) meeting the correct decryption requirement (Slide 3). 2. [25 points] Is this scheme a substitution cipher as per the definition of Slides 13, 14? Why or why not? 3. [25 points] Is this encryption scheme perfectly secure as per the definition of Slide 46? Why or why not? Mihir Bellare UCSD 68

Perfect security: Plusses and Minuses + - Very good privacy Key needs to be as long as message Mihir Bellare UCSD 69

What next We want schemes to securely encrypt arbitrary amounts of data with a single, short (e.g., 128 bit) key This will be possible once we relax our goal from perfect to computational security. Plan: Study the primitives we will use, namely block ciphers Understand and define computational security of block ciphers and encryption schemes Use (computationally secure) block ciphers to build (computationally secure) encryption schemes Mihir Bellare UCSD 70

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback