Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Similar documents
Introduction to Cryptology. Lecture 3

Chapter 2 : Perfectly-Secret Encryption

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Lecture 2: Perfect Secrecy and its Limitations

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CTR mode of operation

Perfectly-Secret Encryption

Lecture 13: Private Key Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Modern symmetric-key Encryption

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Scribe for Lecture #5

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPA-Security. Definition: A private-key encryption scheme

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 9 - Symmetric Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Notes on Property-Preserving Encryption

Lecture 7: CPA Security, MACs, OWFs

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Computational security & Private key encryption

III. Pseudorandom functions & encryption

Lecture 5, CPA Secure Encryption from PRFs

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Introduction to Cryptology. Lecture 2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture Note 3 Date:

Topics. Probability Theory. Perfect Secrecy. Information Theory

Modern Cryptography Lecture 4

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Semantic Security and Indistinguishability in the Quantum World

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Lecture 4: Computationally secure cryptography

Lecture 3: Lower bound on statistically secure encryption, extractors

Block Ciphers/Pseudorandom Permutations

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 17: Constructions of Public-Key Encryption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 22: RSA Encryption. RSA Encryption

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

1 Indistinguishability for multiple encryptions

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Solutions to homework 2

2 Message authentication codes (MACs)

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

6.892 Computing on Encrypted Data September 16, Lecture 2

Public Key Cryptography

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Lecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Cryptography CS 555. Topic 4: Computational Security

Lecture 11: Key Agreement

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Cryptology. Scribe: Fabrice Mouhartem M2IF

Computer Science A Cryptography and Data Security. Claude Crépeau

Advanced Cryptography 03/06/2007. Lecture 8

5.4 ElGamal - definition

El Gamal A DDH based encryption scheme. Table of contents

Block ciphers And modes of operation. Table of contents

Lecture 7: Boneh-Boyen Proof & Waters IBE System

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Chosen Plaintext Attacks (CPA)

Gentry IBE Paper Reading

RSA-OAEP and Cramer-Shoup

10 Concrete candidates for public key crypto

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

William Stallings Copyright 2010

On the power of non-adaptive quantum chosen-ciphertext attacks

Cryptanalysis. A walk through time. Arka Rai Choudhuri

Lecture Notes on Secret Sharing

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Cryptography 2017 Lecture 2

Identity-based encryption

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lecture 7: Pseudo Random Generators

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Symmetric Encryption

Solution of Exercise Sheet 7

Lecture 8: Computational Indistinguishability and Pseudorandomness

CPSC 467b: Cryptography and Computer Security

Solution of Exercise Sheet 6

Block Ciphers and Feistel cipher

Notes for Lecture 17

Cryptographic Engineering

Notes for Lecture 9. 1 Combining Encryption and Authentication

Transcription:

Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture, M C K m M c C k K The set of all possible messages The set of all possible ciphertexts The set of all possible keys A specific message over M A specific message over C A specific message over K M, K, C Random variables over M, K and C respectively enc k (m) = c $ Encryption of m with the key k to give ciphertext c chosen uniformly at random Perfect Secrecy Definition.1 An encryption scheme (Enc, Dec) over a message space M is perfectly secure if for every probability distribution over M, every message m M and every ciphertext c C for which Pr[C = c] > 0: Pr[M = m C = c] =. The following theorem gives an equivalent formulation of.1. Theorem. An encryption scheme (Enc, Dec) over a message space M is perfectly secure if and only if for every probability distribution over M, every message m M and every ciphertext c C: Pr[C = c M = m] = Pr[C = c]. Proof. Firstly, suppose for every message m M and every ciphertext c C, By Bayes theorem, Pr[C = c M = m] = Pr[C = c] (1) Pr[C = c M = m] = Pr[M = m C = c] Pr[C = c] () 4-1

From (3) and (), we get Pr[M = m C = c] Pr[C = c] = Pr[C = c] Pr[M = m C = c] = For the other way, we assume perfect secrecy, and hence, for every message m M and every ciphertext c C, Pr[M = m C = c] = (3) again, by Bayes theorem, and similar to the above proof, we get Pr[C = c M = m] Pr[C = c] Pr[C = c M = m] = Pr[C = c] = Hence, proved in both directions. 3 Perfect Indistinguishability We fix a message m and vary the key over the key space K, to get get a distribution of ciphertexts. This is represented either as enc K (m) or D m. Definition 3.1 An encryption scheme (Enc, Dec) over a message space M is said to have the property of perfect indistinguishability if m 0 m 1 M, D m0 and D m1 are identical. This is just another way of saying that the ciphertext contains no information about the plaintext. Theorem 3. An encryption scheme (Enc, Dec) over a message space M is perfectly secure if and only if it has perfect indistinguishability. Proof. (I) Perfect secrecy perfect indistinguishability We know by Theorem., The above equation implies, m M, c C Pr[C = c M = m] = Pr[C = c] From the above two equations, we get Pr[C = c M = m 0 ] = Pr[C = c] (4) Pr[C = c M = m 1 ] = Pr[C = c] (5) Pr[C = c M = m 0 ] = Pr[C = c M = m 1 ] 4-

Since the choice of m 0, m 1 were arbitrary, this trivially implies that D m0 and D m1 are indistinguishabile. This implies perfect indistinguishability. (II) Perfect indistinguishability perfect secrecy Fix m 0 M and c C. Let Pr[C = c M = m 0 ] = p. Since Pr[C = c M = m] = Pr[C = c M = m 0 ] = p for all m because of perfect indistinguishability, we have Pr[C = c] = m M Pr[C = c M = m] = m M p = p = p m M = Pr[C = c M = m 0 ] Since m 0 was arbitrary, we have shown Pr[C = c] = Pr[C = c M = m] for all c C and m M. from Theorem., this implies perfect secrecy. 4 Adverserial indistinguishability We define a game GA,enc dist as mentioned in [?]. Eavesdropping indistinguishability experiment (game) GA,enc dist 1. The adversary A outputs a pair of messages m 0, m 1 M.. A random key k is generated at random from K, and a random bit b $ {0, 1} is chose. (These are chose by the challenger entity that is running the experiment with A.) Then, a ciphertext enc k (m b ) is computed and given to A. 3. A outputs a bit b {0, 1}. 4. The output of the experiment is defined to be 1 if b = b, and 0 otherwise. We write = 1 if the output is 1 and in this case we say A succeeded. G dist A,enc One should think of A as trying to guess the value of b that is chosen in the experiment, and A succeeds when its guess b is correct. It should be noted that the key is chosen and does not depend on the messages it receives from the attacker A. Probability that the adversary A win, = A,enc = 1] = Pr[b = b ] Definition 4.1 An encryption scheme (Enc, Dec) over a message space M is said to have adversarial indistinguishability if A,enc = 1] = 1 4-3

Theorem 4. An encryption scheme (Enc, Dec) over a message space M has perfect secrecy if and only if it has adversarial indistinguishability. Proof. (I) Perfect secrecy adversarial indistinguishability Note: we make the assumption that the adversary will always guess the same for the same ciphertext, i.e. the adversary is deterministic. A,enc = 1] = Pr[b = b ] = Pr[b = b M = m 0 ]Pr[M = m 0 ] + Pr[b = b M = m 1 ]Pr[M = m 1 ] Essentially what the adversary does is try to partition the ciphertext space C into two subsets C 0, C 1 such that C = C 0 C 1 and C 0 C 1 = φ. If the attacker gets c C 0, it outputs 0, else if c C 1 it outputs 1. Pr[b = b M = m 0 ]Pr[M = m 0 ] + Pr[b = b M = m 1 ]Pr[M = m 1 ] = Pr[c C 0 ] 1 + Pr[c C 0] 1 = 1 (Pr[c C 0] + Pr[c C 0 ]) = 1 From the first to the second, the 1 comes from the fact that Pr[M = m 0] = Pr[M = m 1 ] = 1. The last equality follows from the fact that C 0 and C 1 are mutually exclusive and exhaustive. Hence perfect secrecy implies adversarial indistinguishability. (II) Adverserial indistinguishability perfect secrecy We prove the contrapositive of the above statement. Not perfect secrecy Not adverserial indistinguishability By not perfect secrecy, we mean m 0, m 1 M, c C, such that Pr[C = c M = m 0] Pr[C = c M = m 1] A,enc = 1] = Pr[b = b ] = Pr[b = b M = m 0]Pr[M = m 0]+Pr[b = b M = m 1]Pr[M = m 1] (6) Pr[b = b M = m 0] + Pr[b = b M = m 1] ) (7) For positive results, we don t care about what the adversary does, but for the negative result we show that there exists at least one adversary for which the probability of success is away from half. Since there will exist at least one pair m 0 and m 1, that adversary will pick these to work with and hence we can write the above equations. Construction of adversary A chooses m 0, m 1 and gives it to the challenger. If it receives C = c, output b = 0 else 4-4

output b $ {0, 1} The randomness is to ensure that we can separate out the case when C = c. Pr[b = b M = m 0 ] = Pr[C = c M = m 0]Pr[b = b M = m 0, C = c ] +Pr[C c M = m 0]Pr[b = b M = m 0, C c ] = Pr[C = c M = m 0] 1 + Pr[C c M = m 0] 1 Pr[b = b M = m 0, C = c ] = 1 since b = 0, and also b = 0 because C = c (by definition). Substituting into (7), we get 0] + 1 ) Pr[C c M = m 0] + Pr[b = b M = m 1] (8) Now, Pr[b = b M = m 1 ] = Pr[C = c M = m 1]Pr[b = b M = m 1, C = c ] +Pr[C c M = m 1]Pr[b = b M = m 1, C c ] = Pr[C = c M = m 1] 0 + Pr[C c M = m 1] 1 The reasoning follows similar to the equation done earlier. We substitute this into (8). 0] + 1 Pr[C c M = m 0] + 1 ) Pr[C c M = m 1] 0] + 1 (1 Pr[C = c M = m 0]) + 1 ) Pr[C c M = m 1] = 1 4 + 1 ( 4 0] + Pr[C c M = m 1] ) 1 4 + 1 ( 4 1] + Pr[C c M = m 1] ) = 1 4 + 1 4 = 1 The inequality comes from the fact of not perfect secrecy that we have assumed. A,enc = 1] 1 And hence, it does not have adversarial indistinguishability. 4-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback