Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1
Outline Definition of encryption schemes Shannon's notion of perfect secrecy Shannon's Theorems Limitions of perfect secrecy Perfect indistinguishability 2
Symmetric-ey encryption scheme An encryption scheme consists of three algorithms Gen, Enc, Dec and three spaces, M, C., M, C : ey space, message space, ciphertext space. ey generation algorithm Gen generates eys according to some distribution (usually uniform distribution). We write Gen. Encryption algorithm : c Enc ( m) Decryption algorithm : m : Dec ( c) Note: Gen and Enc are probabilistic algorithms, Dec is deterministic. 3
Note: We don't need to explicitly specify and C as they are implicitly defined by Gen and Enc, respectively. Correctness requirement: for any and mm, Dec Enc ( m) m. To use the scheme, Alice and Bob run Gen to generate a ey, and eep it secret. Question: What is the security requirement? 4
Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bit b {0,1}. Let Enc ( m) ( m 5 b)mod 26. ( m ) mod 26 with probability 1 2 I.e., Enc ( m) ( m 5) mod 26 with probability 1 2 Decryption:? 5
The notion of security Consider a ciphertext-only attac, where the adversary is an eavesdropper with a single ciphertext c Enc ( m). Adversary's possible objectives: 1. To recover the secret ey. 2. To recover the plaintext m. 3. To recover any information about m. We will adopt and formalize the last one (#3). Informally, an encryption scheme is secu re if from a ciphertext c no adversary can obtain any information about its plaintext m. 6
Shannon's notion of perfect secrecy Adversary: an eavesdropper with unlimited computing power and being able to see a single ciphertext. Encryption scheme: ( Gen, Enc, Dec,, M, C) Envision an experiment: Alice generates a ey Gen, pics a message M from the message space M according to some probability distribution, and obtains a ciphertext C Enc ( M). M,, C are random variables over M,, C, respectively. 7
Notation: Pr[ M m] probability that message m is piced. Pr[ ] probability that ey is generated by Gen. Pr[ C c] probability that c is the ciphertext. The distribution of M is a characteristic of M. The distribution of is determined by Gen. The distribution of C is induced by Enc and depends on the distributions of Mand C: Pr[ c] Pr[ m] Pr Pr Enc ( m) c C M mm, 8
Conditional probabilities: C c M m Enc m c Pr Pr[ ] Pr ( ) Pr M m C c Pr ( M m) ( C c) Pr C c M m Enc m c PrC c Pr ( ) ( ) ( ( ) ) M m Enc m c PrC c Pr Pr Pr ( ) ( M and and the randomness of Enc are assumed to be independent.) 9
Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: {0,,25}. u ( m ) mod 26 with probability 1 2 Encryption: Enc ( m) ( m5) mod 26 with probability 1 2 Assume Pr M m ( m1) 10. Enc m c Enc m c Get familiar with these: Pr ( ), Pr ( ), Enc M c C c c m m c Pr ( ), Pr, Pr, Pr C M M C 10
Shannon's Definition of Perfect Scerecy: An encryption scheme is perfectly secret if for every probability distribution over cc for which Lemma M, every message m M, and every ciphertext Pr C 0, it holds: M m C c M m Pr Pr 1: An encryption scheme is perfectly secret if and only if for all m, m M and c C, it holds: c PrEnc ( m) c Pr Enc ( m) c Enc m c Enc m c where Pr ( ) Pr[ ] Pr ( ). 11
To show a scheme not perfectly secret, it suffices to show a counterexample, i.e., to construct a distribution over M, a message such that: mm, and a ciphertext c C with Pr C c 0, M m C c M m Pr Pr Or construct two messages m, mm and a c C such that Enc m c P Enc ( m) c Pr ( ) r 12
Example encryption scheme Consider Caesar's shift cipher with M {a,b,c,d} represented as {0,1, 2,3}. ey generation: u {0,,25}. Encryption: Randomly generate a bi t b {0,1}. Let Enc ( m) ( m 5 b)mod 26. For every mm, c C, it holds: Enc m c m b c 1 2 Pr ( c m)mod 26 1 2 Pr ( c m 5) mod 26 Pr ( ) Pr ( 5 )mod 26 1 26. This scheme is perfectly secret by Lemma 1. 13
Vernam's one-time pad encryption scheme M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n u n One-time pad: each ey is used only once. The scheme is perfectly secret (against eavesdroppers having a single ciphertext). Reasons: n Enc m c m c m, c 0,1, Enc ( m) c iff m c. Thus, n Pr ( ) Pr 1 2. Apply Lemma1. 14
If a pad is used twice M C 0,1, n fixed. ey generation: 0,1. Encryption: c : m. n n If a ey is used to encrypt two messages: c : m and c: m From c and c, the adversary can tell something about the messages: m m c c. The scheme is not secure against eavesdroppers with multiple ciphertexts. 15
If a pad is used twice We may regard the scheme as having 0,1 and M C 2 0,1, with encryption algorithm: Enc ( m) m ( ). It is not perfectly secret since n n n n n n n n Pr M 0 0 C 0 1 0 Pr M 0 0 0 for the uniform distribution over M. 16
One-time pad for messages of varying length M C 0,1 0,1, n fixed. n 0,1. ey generation: 0,1. Encryption: c : E ( m) : m n u where if m 0,1 then only the first bit of is used. Questio n: Is this scheme perfectly secret? n 17
Shannon's Theorems Theorem 1: [a necessary condition for perfect secrecy] If an encryption scheme is perfectly secrect, then M. n l Thus, if M {0,1} and {0,1}, then n l, i.e., eys mus t be at least as long as messages. Theorem 2: When M C, the encryption scheme is perfectly secret if and only if both of the following hold: Every ey is generated by Gen with equal probability 1 ; For every m M and c C, there is a unique such that Enc ( m) c. (Encrypting a message m with different eys will yield different ciphertexts c.) 18
Proof of M (Theorem 1) Consider the uniform distribution over M. Let c be any ciphertext such that Pr C c 0. Let M ( c) Dec ( c) :, the set of all messages that may be encrypted to c with non-zero probability. Clearly, M ( c). If M ( c) M m C c M m M, then there is a message mm M ( c) for which Pr 0 Pr, contradicting the assumption of perfect secrecy. Hence, M ( c) M, and thus M ( c). 19
Proof of Theorem 2 Observation: M C Enc is deterministic. Sufficiency: The two conditions hold For every m M and c C, Pr Enc ( m) c 1 For all m, m M and c C, r Enc ( m ) c Pr Enc ( m) c P Perfect secrecy (by Lemma 1). 20
Necessity: Assume M C and perfect secrecy. Consider any arbitrary (but fixed) cc. Let ( m) : Enc ( m) c, the set of all eys encryping m to c. Note: ( m) ( m) if m m. There is an m M with Pr Enc ( m) c 0, since M C. By Lemma 1, Pr Enc ( m) c 0 for every m M. Thus, ( m) 1 for every mm. This, together with M, implies m ( ) 1. Let m be the unique ey in ( m) that encrypts m to c. Enc m c m Then, Pr ( ) Pr. Since Pr Enc ( m) c Pr Enc ( m ) c for all m, m M, Pr Pr 1 for all m, m M. m m 21
Applying Shannon's Theorem With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret. It is easy to design another perfectly secret encryption scheme. For example, tae Caesar s shift cipher: M C {0, 1,..., 25} { a, b,..., z}. ey generation:. Encryption: E ( m) ( m ) mod 26 u Caesar s shift cipher is perfectly secret if it is used to encrypt only one letter. 22
Is it perfectly secret? Suppose we use Caesar s shift cipher to encrypt a message (any sequence of letters), but uniformly randomly generate a new ey for each letter. * * Thus, M C {0, 1,..., 25} { a, b,..., z}. To encrypt a message m m m m : 1 2 1 2 Generate a ey, with for each i. t i u Let Enc ( m) c c c, where c ( m ) mod 26. 1 2 t i i i t Each plaintext letter entire message. m i is perfectly protected, but not the 23
Limitations of Perfect Secrecy To achieve perfect secrecy: l n eys must be as long as messages (if {0,1} and M {0,1} ); a new ey must be generated for each message. It is desired to use a short ey to encrypt multiple messages. To this end, we need to relax the security requirement. Unfortunately, it is hard to relax the conditions of perfect secrecy. W e will define a different notion of security that is equivalent to perfect secrecy and can be easily relaxed. 24
Perfect Indistinguishability Experiment Priv A eav, Imagine an experiment on an encryption scheme : The adversary A chooses two messages m, m M, not necessarily of the same length. 0 1 Bob generates a ey Gen and a bit b {0,1}. He computes and gives the ciphertext c Enc ( m ) to A. ( c is called the challenge ciphertext.) A outputs a bit b, triying to tell whether c is the encryption of m or m. 0 1 The output, Priv (i.e., A succeed s.) eav A,, of the experiment is 1 iff b b u b 25
Definition of Perfect Indistinguishability Encryption scheme: ( Gen, Enc, Dec) with message space M. Adversary: an eavesdropper with unlimited computing power. We model the adversary as a probabilistic algorithm A that on input m, m M and c C outputs a bit b{0,1}. 0 1 An encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, eav A, 0 1 0 1 0 1 eav 1 Pr Priv A, ( m0, m1 ) 1 2 or, equivalently, for every A and every two m, m M, Pr Priv ( m, m ) 1 1 2 26
eav Some authors write Pr Priv A, ( m0, m1 ) 1 as 0 0 1 1 Pr A m0, m1, Enc ( mb ) b : bu {0,1}, Gen where A m, m, Enc ( m ) indicate the output of input m, m, Enc ( m ). b b A on Thus, an encryption scheme is perfectly indistinguishable if for every adversary A and every two messages m, m M, 0 1 Pr A m0, m1, Enc ( mb ) b : b u {0,1}, Gen or, equivalently, Pr A m0, m1, Enc ( m0 ) 1: Gen Pr A m0, m1, Enc ( m1 ) 1: Gen 1 2 27
Remar eav Pr Priv A, ( m0, m1 ) 1 b{0,1} = Pr A m0, m1, E( mb) b : b{0,1}, cc {0, 1}, Gen = Pr[ b] Pr[ ] Pr A m0, m1, Enc( mb) b b Enc ( m ) c A, = Pr[ b] Pr[ ] Pr b Pr m0, m1 c b b{0,1} cc ( ),, = Pr[ b] Pr Enc mb c Pr A m0 m1 c b u 0, 1, mb = output of on i 0 1 A m m Enc ( ) A nput m, m, Enc ( m ). b 28
Equivalence of perfect secrecy and perfect indistinguishability Theorem: An encryption scheme is perfectly secret if and only if it is perfectly indistinguishable. 29
Perfect secrecy perfect indistinguishability If the encryption scheme is perfectly secret, then Pr Enc ( m ) c Pr Enc ( m ) c for all m, m M, c C. 0 1 0 1 eav Pr Priv A, ( m0, m1 ) 1 Pr A wins i0,1; cc cc i0,1 Pr b i, Enc ( m ) c, A( m, m, c) i i b i Enc m c A m m c i 0 1 Pr Pr ( ) Pr (,, ) i 0 1 1 1 Pr Enc( m0 ) c Pr A( m0, m1, c) i 2 cc i0,1 2 30
Perfect secrecy perfect indistinguishability If not perfectly secret, then there exist m, m M such that 0 1 * * * Pr Enc( m0) c Pr Enc( m1) c for some ciphertext c C. Define an adversary A as follows. A chooses the above two messages m, m. 0 1 On a given challenge ciphertext c, Enc m0 c Enc m1 c 0 if Pr ( ) Pr ( ) A( m0, m1, c) 1 if Pr Enc( m0 ) c Pr Enc( m1 ) c b u 0,1 otherwise It can be verified that A succeeds with probability >1 2. The scheme is not perfectly indistinguisha ble. 31