Perfectly-Secret Encryption

Similar documents
Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Chapter 2 : Perfectly-Secret Encryption

Lecture 2: Perfect Secrecy and its Limitations

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Introduction to Cryptology. Lecture 3

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Solution of Exercise Sheet 6

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 13: Private Key Encryption

Computational security & Private key encryption

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CPA-Security. Definition: A private-key encryption scheme

Scribe for Lecture #5

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography 2017 Lecture 2

Modern Cryptography Lecture 4

Lecture 9 - Symmetric Encryption

Computer Science A Cryptography and Data Security. Claude Crépeau

El Gamal A DDH based encryption scheme. Table of contents

Cryptography and Security Midterm Exam

Modern symmetric-key Encryption

CTR mode of operation

Lecture 28: Public-key Cryptography. Public-key Cryptography

Historical cryptography. cryptography encryption main applications: military and diplomacy

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 5, CPA Secure Encryption from PRFs

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Public-Key Encryption

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

III. Pseudorandom functions & encryption

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Shannon s Theory of Secrecy Systems

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Introduction to Cryptology. Lecture 2

Block ciphers And modes of operation. Table of contents

a Course in Cryptography rafael pass abhi shelat

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

Notes on Property-Preserving Encryption

8 Security against Chosen Plaintext

Cryptography CS 555. Topic 4: Computational Security

Great Theoretical Ideas in Computer Science

Lecture Note 3 Date:

CS 6260 Applied Cryptography

Lectures 2+3: Provable Security

Dan Boneh. Stream ciphers. The One Time Pad

Block Ciphers/Pseudorandom Permutations

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Introduction to Cryptography. Lecture 8

William Stallings Copyright 2010

CPSC 467b: Cryptography and Computer Security

1 Indistinguishability for multiple encryptions

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Chapter 11 : Private-Key Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

CPSC 467b: Cryptography and Computer Security

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Introduction to Cryptography Lecture 4

Notes for Lecture 17

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Chapter 2. A Look Back. 2.1 Substitution ciphers

MATH3302 Cryptography Problem Set 2

1 Number Theory Basics

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Introduction to Cybersecurity Cryptography (Part 4)

Symmetric Encryption

Lecture 7: CPA Security, MACs, OWFs

Notes for Lecture 16

Lecture 17: Constructions of Public-Key Encryption

Lecture 11: Key Agreement

Introduction to Cybersecurity Cryptography (Part 4)

CS 6260 Applied Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

Lecture 22: RSA Encryption. RSA Encryption

Solution to Midterm Examination

Exercise Sheet Cryptography 1, 2011

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Lecture 8 - Cryptography and Information Theory

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

and its Extension to Authenticity

2 Message authentication codes (MACs)

Public Key Cryptography

1 Secure two-party computation

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

On the power of non-adaptive quantum chosen-ciphertext attacks

10 Modular Arithmetic and Cryptography

7 Security Against Chosen Plaintext

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Transcription:

Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1

Outline Definition of encryption schemes Shannon's notion of perfect secrecy Shannon's Theorems Limitions of perfect secrecy Perfect indistinguishability 2

Symmetric-ey encryption scheme An encryption scheme consists of three algorithms Gen, Enc, Dec and three spaces, M, C., M, C : ey space, message space, ciphertext space. ey generation algorithm Gen generates eys according to some distribution (usually uniform distribution). We write Gen. Encryption algorithm : c Enc ( m) Decryption algorithm : m : Dec ( c) Note: Gen and Enc are probabilistic algorithms, Dec is deterministic. 3

Note: We don't need to explicitly specify and C as they are implicitly defined by Gen and Enc, respectively. Correctness requirement: for any and mm, Dec Enc ( m) m. To use the scheme, Alice and Bob run Gen to generate a ey, and eep it secret. Question: What is the security requirement? 4

Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bit b {0,1}. Let Enc ( m) ( m 5 b)mod 26. ( m ) mod 26 with probability 1 2 I.e., Enc ( m) ( m 5) mod 26 with probability 1 2 Decryption:? 5

The notion of security Consider a ciphertext-only attac, where the adversary is an eavesdropper with a single ciphertext c Enc ( m). Adversary's possible objectives: 1. To recover the secret ey. 2. To recover the plaintext m. 3. To recover any information about m. We will adopt and formalize the last one (#3). Informally, an encryption scheme is secu re if from a ciphertext c no adversary can obtain any information about its plaintext m. 6

Shannon's notion of perfect secrecy Adversary: an eavesdropper with unlimited computing power and being able to see a single ciphertext. Encryption scheme: ( Gen, Enc, Dec,, M, C) Envision an experiment: Alice generates a ey Gen, pics a message M from the message space M according to some probability distribution, and obtains a ciphertext C Enc ( M). M,, C are random variables over M,, C, respectively. 7

Notation: Pr[ M m] probability that message m is piced. Pr[ ] probability that ey is generated by Gen. Pr[ C c] probability that c is the ciphertext. The distribution of M is a characteristic of M. The distribution of is determined by Gen. The distribution of C is induced by Enc and depends on the distributions of Mand C: Pr[ c] Pr[ m] Pr Pr Enc ( m) c C M mm, 8

Conditional probabilities: C c M m Enc m c Pr Pr[ ] Pr ( ) Pr M m C c Pr ( M m) ( C c) Pr C c M m Enc m c PrC c Pr ( ) ( ) ( ( ) ) M m Enc m c PrC c Pr Pr Pr ( ) ( M and and the randomness of Enc are assumed to be independent.) 9

Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: {0,,25}. u ( m ) mod 26 with probability 1 2 Encryption: Enc ( m) ( m5) mod 26 with probability 1 2 Assume Pr M m ( m1) 10. Enc m c Enc m c Get familiar with these: Pr ( ), Pr ( ), Enc M c C c c m m c Pr ( ), Pr, Pr, Pr C M M C 10

Shannon's Definition of Perfect Scerecy: An encryption scheme is perfectly secret if for every probability distribution over cc for which Lemma M, every message m M, and every ciphertext Pr C 0, it holds: M m C c M m Pr Pr 1: An encryption scheme is perfectly secret if and only if for all m, m M and c C, it holds: c PrEnc ( m) c Pr Enc ( m) c Enc m c Enc m c where Pr ( ) Pr[ ] Pr ( ). 11

To show a scheme not perfectly secret, it suffices to show a counterexample, i.e., to construct a distribution over M, a message such that: mm, and a ciphertext c C with Pr C c 0, M m C c M m Pr Pr Or construct two messages m, mm and a c C such that Enc m c P Enc ( m) c Pr ( ) r 12

Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bi t b {0,1}. Let Enc ( m) ( m 5 b)mod 26. For every mm, c C, it holds: Enc m c m b c 1 2 Pr ( c m)mod 26 1 2 Pr ( c m 5) mod 26 Pr ( ) Pr ( 5 )mod 26 1 26. This scheme is perfectly secret by Lemma 1. 13

Vernam's one-time pad encryption scheme M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n u n One-time pad: each ey is used only once. The scheme is perfectly secret (against eavesdroppers having a single ciphertext). Reasons: n Enc m c m c m, c 0,1, Enc ( m) c iff m c. Thus, n Pr ( ) Pr 1 2. Apply Lemma1. 14

If a pad is used twice M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n n If a ey is used to encrypt two messages: c : m and c: m From c and c, the adversary can tell something about the messages: m m c c. The scheme is not secure against eavesdroppers with multiple ciphertexts. 15

If a pad is used twice We may regard the scheme as having 0,1 and M C 2 0,1, with encryption algorithm: Enc ( m) m ( ). It is not perfectly secret since n n n n n n n n Pr M 0 0 C 0 1 0 Pr M 0 0 0 for the uniform distribution over M. 16

One-time pad for messages of varying length M C 0,1 0,1, n fixed. n 0,1. ey generation: 0,1. Encryption: c : E ( m) : m n u where if m 0,1 then only the first bit of is used. Questio n: Is this scheme perfectly secret? n 17

Shannon's Theorems Theorem 1: [a necessary condition for perfect secrecy] If an encryption scheme is perfectly secrect, then M. n l Thus, if M {0,1} and {0,1}, then n l, i.e., eys mus t be at least as long as messages. Theorem 2: When M C, the encryption scheme is perfectly secret if and only if both of the following hold: Every ey is generated by Gen with equal probability 1 ; For every m M and c C, there is a unique such that Enc ( m) c. (Encrypting a message m with different eys will yield different ciphertexts c.) 18

Proof of M (Theorem 1) Consider the uniform distribution over M. Let c be any ciphertext such that Pr C c 0. Let M ( c) Dec ( c) :, the set of all messages that may be encrypted to c with non-zero probability. Clearly, M ( c). If M ( c) M m C c M m M, then there is a message mm M ( c) for which Pr 0 Pr, contradicting the assumption of perfect secrecy. Hence, M ( c) M, and thus M ( c). 19

Proof of Theorem 2 Observation: M C Enc is deterministic. Sufficiency: The two conditions hold For every m M and c C, Pr Enc ( m) c 1 For all m, m M and c C, r Enc ( m ) c Pr Enc ( m) c P Perfect secrecy (by Lemma 1). 20

Necessity: Assume M C and perfect secrecy. Consider any arbitrary (but fixed) cc. Let ( m) : Enc ( m) c, the set of all eys encryping m to c. Note: ( m) ( m) if m m. There is an m M with Pr Enc ( m) c 0, since M C. By Lemma 1, Pr Enc ( m) c 0 for every m M. Thus, ( m) 1 for every mm. This, together with M, implies m ( ) 1. Let m be the unique ey in ( m) that encrypts m to c. Enc m c m Then, Pr ( ) Pr. Since Pr Enc ( m) c Pr Enc ( m ) c for all m, m M, Pr Pr 1 for all m, m M. m m 21

Applying Shannon's Theorem With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret. It is easy to design another perfectly secret encryption scheme. For example, tae Caesar s shift cipher: M C {0, 1,..., 25} { a, b,..., z}. ey generation:. Encryption: E ( m) ( m ) mod 26 u Caesar s shift cipher is perfectly secret if it is used to encrypt only one letter. 22

Is it perfectly secret? Suppose we use Caesar s shift cipher to encrypt a message (any sequence of letters), but uniformly randomly generate a new ey for each letter. * * Thus, M C {0, 1,..., 25} { a, b,..., z}. To encrypt a message m m m m : 1 2 1 2 Generate a ey, with for each i. t i u Let Enc ( m) c c c, where c ( m ) mod 26. 1 2 t i i i t Each plaintext letter entire message. m i is perfectly protected, but not the 23

Limitations of Perfect Secrecy To achieve perfect secrecy: l n eys must be as long as messages (if {0,1} and M {0,1} ); a new ey must be generated for each message. It is desired to use a short ey to encrypt multiple messages. To this end, we need to relax the security requirement. Unfortunately, it is hard to relax the conditions of perfect secrecy. W e will define a different notion of security that is equivalent to perfect secrecy and can be easily relaxed. 24

Perfect Indistinguishability Experiment Priv A eav, Imagine an experiment on an encryption scheme : The adversary A chooses two messages m, m M, not necessarily of the same length. 0 1 Bob generates a ey Gen and a bit b {0,1}. He computes and gives the ciphertext c Enc ( m ) to A. ( c is called the challenge ciphertext.) A outputs a bit b, triying to tell whether c is the encryption of m or m. 0 1 The output, Priv (i.e., A succeed s.) eav A,, of the experiment is 1 iff b b u b 25

Definition of Perfect Indistinguishability Encryption scheme: ( Gen, Enc, Dec) with message space M. Adversary: an eavesdropper with unlimited computing power. We model the adversary as a probabilistic algorithm A that on input m, m M and c C outputs a bit b{0,1}. 0 1 An encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, eav A, 0 1 0 1 0 1 eav 1 Pr Priv A, ( m0, m1 ) 1 2 or, equivalently, for every A and every two m, m M, Pr Priv ( m, m ) 1 1 2 26

eav Some authors write Pr Priv A, ( m0, m1 ) 1 as 0 0 1 1 Pr A m0, m1, Enc ( mb ) b : bu {0,1}, Gen where A m, m, Enc ( m ) indicate the output of input m, m, Enc ( m ). b b A on Thus, an encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, 0 1 Pr A m0, m1, Enc ( mb ) b : b u {0,1}, Gen or, equivalently, Pr A m0, m1, Enc ( m0 ) 1: Gen Pr A m0, m1, Enc ( m1 ) 1: Gen 1 2 27

Remar eav Pr Priv A, ( m0, m1 ) 1 b{0,1} = Pr A m0, m1, E( mb) b : b{0,1}, cc {0, 1}, Gen = Pr[ b] Pr[ ] Pr A m0, m1, Enc( mb) b b Enc ( m ) c A, = Pr[ b] Pr[ ] Pr b Pr m0, m1 c b b{0,1} cc ( ),, = Pr[ b] Pr Enc mb c Pr A m0 m1 c b u 0, 1, mb = output of on i 0 1 A m m Enc ( ) A nput m, m, Enc ( m ). b 28

Equivalence of perfect secrecy and perfect indistinguishability Theorem: An encryption scheme is perfectly secret if and only if it is perfectly indistinguishable. 29

Perfect secrecy perfect indistinguishability If the encryption scheme is perfectly secret, then Pr Enc ( m ) c Pr Enc ( m ) c for all m, m M, c C. 0 1 0 1 eav Pr Priv A, ( m0, m1 ) 1 Pr A wins i0,1; cc cc i0,1 Pr b i, Enc ( m ) c, A( m, m, c) i i b i Enc m c A m m c i 0 1 Pr Pr ( ) Pr (,, ) i 0 1 1 1 Pr Enc( m0 ) c Pr A( m0, m1, c) i 2 cc i0,1 2 30

Perfect secrecy perfect indistinguishability If not perfectly secret, then there exist m, m M such that 0 1 * * * Pr Enc( m0) c Pr Enc( m1) c for some ciphertext c C. Define an adversary A as follows. A chooses the above two messages m, m. 0 1 On a given challenge ciphertext c, Enc m0 c Enc m1 c 0 if Pr ( ) Pr ( ) A( m0, m1, c) 1 if Pr Enc( m0 ) c Pr Enc( m1 ) c b u 0,1 otherwise It can be verified that A succeeds with probability >1 2. The scheme is not perfectly indistinguisha ble. 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback