Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following questions. Provide arguments for why your answers are correct! (3 points) (a) Consider a symmetric encryption scheme with E(k, m) = 1 for every message m and every key k. Does this scheme provide perfect secrecy? Yes, it does! Given two different messages m and m, the encryption scheme E satisfies the condition for perfect secrecy: P rc = 0 k K, c E(k, m) = 1 = P rc = 0 k K, c E(k, m ) (2 points) (b) Does DES with key-length k satisfy perfect secrecy for messages with length larger than k? In the proof of optimality of the OTP, we have seen that the keyspace needs to be at least as big as the message space in order to guarantee perfect secrecy. This implies that messages of length k + 1 cannot be encrypted by a k-bit key in a way that perfect secrecy is achieved. (2 points) (c) Alice uses the same key k to encrypt two messages m 1 and m 2 to get ciphertexts c i = E(k, m i ) = k m i. Eve later manages to learn the message m 2 in addition to both ciphertexts c 1 and c 2. Show how Eve can reconstruct m 1 with the available information. Since Eve knows m 2, she can reconstruct the key by xor-ing c 2 with m 2, i.e. c 2 m 2 = k m 2 m 2 = k. She can the retrieve the message m 1 with c 1 k = k m 1 k = m 1. (2 points) (d) Suppose you have a randomly chosen key k of length n to encrypt your messages. Unfortunately, you do not have enough to communicate and your message m 1/7
only has length n 2. You decide to pad your message with some additional bits. Does the resulting encryption scheme E 1 with provide perfect secrecy? E 1 (k, m) = k (01 m), m {0, 1} n 2, k {0, 1} n (Note: x y is the concatenation operator that combines the two strings x and y to one string.) E 1 does indeed provide perfect secrecy. Intuitively, as the key is chosen randomly, the last bit of E 1 is always random. The rest of E 1 is an OTP, which already provides perfect secrecy. (3 points) (e) Suppose you have a message m of length n, but you can only generate random keys of length k and l with k + l = n 1. You decide to generate two random keys and combine them with an additioanl bit. Does the resulting encryption scheme E 2 with E 2 (k 1, k 2, m) = (k 1 0 k 2 ) m, m {0, 1} n, k 1 {0, 1} k, k 2 {0, 1} l provide perfect secrecy? E 2 corresponds to an OTP where an intermediate bit of the key is fixed. Thus, the corresponding bit of the ciphertext only depends on the chosen message. For two messages m 0 and m 1 that differ in this intermediate bit the probability that some c C is the output of E 2 (k, m 0 ) is not equal to the probability that c is the output of E 2 (k, m 1 ). More specifically, c can only be the output of the encryption of a message where the last bit of c and the message are the same. A suitable counterexample for E 2 could be: m 0 = 000, m 1 = 111. For every key combined k = k 1 0 k 2, the second bit of E 2 (k, m 0 ) is 0 and the second bit of E 2 (k, m 1 ) is 1. Given a ciphertext c, e.g., c = 110, Pr c = c : k K, c = E 2 (k, m 1 ) = 0, while Pr c = c : k K, c = E 2 (k, m 1 ) = 1 2 > 0. 2 Encryption Schemes and Perfect Secrecy Consider the following encryption scheme. Let M := {0, 1} and C := {1, 2, 3} denote the set of plaintexts and ciphertexts, respectively. The key generation algorithm K randomly selects a key from {1, 2, 3}. Let the encryption algorithm E be defined by the following table: 2/7
m E(1, m) E(2, m) E(3, m) 0 3 2 1 1 2 1 3 (5 points) (a) Give a decryption function D such that (K, E, D) constitutes a correct encryption scheme with message space M and ciphertext space C. One possible decryption function is the following: c D(1, c) D(2, c) D(3, c) 1 ( ) 1 0 2 1 0 ( ) 3 0 ( ) 1 Notice that the entries marked with a star ( ) are not fixed by the correctness property of encryption. However, decryption is defined as a function from C to M { }, so one needs to specify these values to get a function. The distinguished error symbol is the typical choice here, however this is not enforced by the definition of a symmetric encryption scheme (see Definition 1.1 in the lecture notes), so any other value in M is also fine. (8 points) (b) Does your scheme have perfect secrecy? Explain why or give a counterexample. To prove that this scheme provides perfect secrecy, one simply checks that, for any c C, m M, the following holds: Pr c = c ; K R K, c E(K, m) = 1 K = 1 3. Since this value does not depend on m, we have that for all m 0, m 1 M and for all c C Pr c = c ; K R K, c E(K, m 0 ) = Pr c = c ; K R K, c E(K, m 1 ). As desired, this is the definition of perfect secrecy. 3 Imperfect Randomness Consider a random source that outputs bits b 1, b 2,... that are uncorrelated but biased, i.e., for all i = 1, 2,..., Pr b i = 0 = 1 Pr b i = 1 = p for some 0 < p < 1. We now use the following method to obtain unbiased bits: First, take two bits from the source. If they are identical, throw them away and take the next two bits from the source. Continue until the bits you obtain are (0, 1) or (1, 0). Output 0 in the first case and 1 in the second case. Repeat the whole process by taking two bits 3/7
again from the source. (3 points) (a) What is the probability that you throw away your two bits? We add the probabilities that both bits have the same value. Since Pr b = 0 = p, we get a probability of p 2 for getting 00, and a probability of (1 p) 2 for 11. (7 points) (b) Prove that the output c 1, c 2,... of the above method are unbiased coins, i.e., Pr c i = 1 = Pr c i = 0 = 1/2 for all i = 1, 2,.... (Hint: Consider the conditional probabilities Pr c = 0 method outputs a bit and Pr c = 1 method outputs a bit, where c is the output of the method above. You can find a refresher on conditional probabilities here: http://www.stat.yale.edu/courses/1997-98/101/condprob.htm) We calculate the probability that the algorithm, on input b 1, b 2, outputs a specific bit c. More formally, Pr c = 0 outputs a bit = Pr c = 0 b 1 b 2 = Pr c = 0 b 1 b 2 Pr b 1 b 2 = Pr b 1 = 0 b 2 = 1 Pr b 1 b 2 p(1 p) = p(1 p) + (1 p)p = 1 2. This also implies that Pr c = 1 outputs a bit = 1 2, thus the output of the above method is unbiased. 4 Perfect Secrecy for Two-time Key Use In the lecture notes we have given the definition of perfect secrecy for the case that the adversary sees the encryption of a single message: namely, for all m 0, m 1 M and for all c C, we have Pr c = c ; k K, c E(k, m 0 ) = Pr c = c ; k K, c E(k, m 1 ). (8 points) (a) Formulate a definition of perfect secrecy for the case that the adversary sees the encryption of two messages (using the same key k). (Hint: You should have messages m 0, m 1, m 0, m 1 in your definition.) 4/7
This is probably the toughest exercise on the sheet, so let s step through this slowly. Recall the intuition behind the definition of perfect secrecy above: For any ciphertext c that the adversary sees, the probability that this ciphertext c is the encryption of some message m 0 with a random key is equal to the probability that it is the encryption of some message m 1 with a random key (i.e., c contains any plaintext with equal likelihood.) So, to define perfect secrecy in the case the adversary sees two ciphertexts c 0 and c 1, encrypted using the same key, we would like to say this: the probability that c 0 is the encryption of some message m 0 and that c 1 is the encryption of some message m 1, with the same random key, is equal to the probability that c 0 is the encryption of some message m 0 and c 1 is the encryption of some message m 1, with the same random key (which may be different from the random key used to encrypt m 0 and m 1.) Hence, the most natural solution is the following: A cipher (E, D) provides perfect secrecy for two-time key use iff for all m 0, m 1, m 0, m 1 M and for all c 0, c 1 C the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) = P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) Intuitively, this means that no adversary can tell which two plaintexts have been encrypted, seeing the two ciphertexts. (7 points) (b) Assume your encryption scheme is deterministic, i.e. for a given message m and key k it always produces the same ciphertext c. Show that such a deterministic encryption scheme cannot satisfy your definition in part (a). (Hint: Consider the case that some messages of m 0, m 1, m 0, m 1 are equal.) Since our above definition of perfect secrecy for two-time key use must hold for all messages m 0, m 1, m 0, m 1 and all ciphertexts c 0, c 1, we only need to find one instantiation of these messages and ciphertexts for which the above definition cannot hold, in order to prove that the definition cannot be fulfilled by any encryption scheme. So, let us choose any m 0 = m 0 = m 1 m 1. Additionally, let us fix some key k and choose c 0 = c 1 = E(k, m 0 ). 5/7
Then, if encryption is deterministic, we will show that the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) 1 K > 0, but P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) = 0. (2) This violates the definition given in (a), and so no deterministic encryption scheme can fulfill our definition of perfect secrecy for two-time key use. Intuitively, what this means, and what we will show below, is that if the adversary sees a ciphertext c 0 = c 1, the probability that it is the encryption of a message m 0 and also the encryption of an identical message m 1 is non-zero, but the probability that it is the encryption of a message m 0 and at the same time the encryption of a different message m 1 is 0. First, consider equation (1). We know that c 0 = c 1 = E(k, m 0 ). Since m 0 = m 1, we also have that c 0 = c 1 = E(k, m 0) for a randomly chosen k. Clearly, if encryption is deterministic and k = k, we get that c 0 = c 0 c 1 = c 1. The event that k = k happens with probability 1 / K, which is why we know that the probability given in equation (1) is at least 1 / K (which is strictly greater than 0). For example, if E was the one-time pad, then the probability would be exactly 1 / K. However, in general, we can only say that it is greater or equal than 1 / K, because there are encryption schemes that produce the same ciphertext with different keys. (For example, imagine an encryption scheme where the key is one bit longer than the message, and encryption/decryption simply ignore the last bit of the key and otherwise operate like the one-time pad; this may be useless, but it shows that there exist encryption schemes where different keys map to the same ciphertext. For this particular encryption scheme, the probability given in equation (1) would be 2 / K.) Next, consider equation (2). Recall once more that c 0 = c 1 = E(k, m 0 ). We also have that c 0 = E(k, m 0 ) and c 1 = E(k, m 1 ), where m 0 m 1, for a randomly chosen k. By the correctness of the encryption scheme, we thus know that c 0 c 1, because they encrypt different messages with the same key (i.e., if encryption mapped two different messages with the same key to the same ciphertext, then decryption, which is necessarily always determinisic, could not be unambiguously defined, contradicting correctness.) We consider two cases: this case distinction is exhaustive, i.e., one of these cases always holds true. c 0 = c 0 : In this case, then since we also know that c 0 = c 1 and that c 0 c 1, we get that c 1 c 1. Hence, in this case the probability of the event c 0 = c 0 c 1 = c 1 in equation (2) is 0. (1) 6/7
c 0 c 0 : Actually, in this case we are already done since the probability of the event c 0 = c 0 c 1 = c 1 is obviously 0. Thus, we find that the probability given in equation (2) is 0. Finally, we see that the probabilities given in equations (1) and (2) are different, which concludes the proof. 7/7