Solution of Exercise Sheet 6

Similar documents
Solution of Exercise Sheet 7

Perfectly-Secret Encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Lecture 2: Perfect Secrecy and its Limitations

Lecture 13: Private Key Encryption

Cryptography 2017 Lecture 2

Chapter 2 : Perfectly-Secret Encryption

CPA-Security. Definition: A private-key encryption scheme

Topics. Probability Theory. Perfect Secrecy. Information Theory

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Introduction to Cryptology. Lecture 3

2 Message authentication codes (MACs)

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Solution to Midterm Examination

Introduction to Cybersecurity Cryptography (Part 4)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Introduction to Cybersecurity Cryptography (Part 4)

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Chapter 2. A Look Back. 2.1 Substitution ciphers

CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

Lecture 12: Block ciphers

5 Pseudorandom Generators

Lecture Note 3 Date:

7 Security Against Chosen Plaintext

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

8 Security against Chosen Plaintext

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

1 Indistinguishability for multiple encryptions

CS 6260 Applied Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

CPSC 467b: Cryptography and Computer Security

Lecture 9 - Symmetric Encryption

Computational security & Private key encryption

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture 5, CPA Secure Encryption from PRFs

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture Notes. Advanced Discrete Structures COT S

Scribe for Lecture #5

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467: Cryptography and Computer Security

William Stallings Copyright 2010

Block ciphers And modes of operation. Table of contents

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Computer Science A Cryptography and Data Security. Claude Crépeau

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

MATH3302 Cryptography Problem Set 2

PERFECTLY secure key agreement has been studied recently

Modern Cryptography Lecture 4

Lecture 3,4: Multiparty Computation

Introduction to Cryptography Lecture 4

Lecture Notes on Secret Sharing

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 17: Constructions of Public-Key Encryption

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 7: CPA Security, MACs, OWFs

Dan Boneh. Stream ciphers. The One Time Pad

CS 6260 Applied Cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

CTR mode of operation

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

Historical cryptography. cryptography encryption main applications: military and diplomacy

Adaptive Security of Compositions

Recommended Reading. A Brief History of Infinity The Mystery of the Aleph Everything and More

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Shannon s Theory of Secrecy Systems

Notes on Property-Preserving Encryption

CPSC 467b: Cryptography and Computer Security

Lectures 2+3: Provable Security

ASYMMETRIC ENCRYPTION

15 Public-Key Encryption

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

10 Concrete candidates for public key crypto

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Entropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Private-key Systems. Block ciphers. Stream ciphers

Symmetric Encryption

Exercise Sheet Cryptography 1, 2011

Cryptography and Security Midterm Exam

Introduction to Cryptology. Lecture 2

Number theory (Chapter 4)

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

RSA RSA public key cryptosystem

Transcription:

Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following questions. Provide arguments for why your answers are correct! (3 points) (a) Consider a symmetric encryption scheme with E(k, m) = 1 for every message m and every key k. Does this scheme provide perfect secrecy? Yes, it does! Given two different messages m and m, the encryption scheme E satisfies the condition for perfect secrecy: P rc = 0 k K, c E(k, m) = 1 = P rc = 0 k K, c E(k, m ) (2 points) (b) Does DES with key-length k satisfy perfect secrecy for messages with length larger than k? In the proof of optimality of the OTP, we have seen that the keyspace needs to be at least as big as the message space in order to guarantee perfect secrecy. This implies that messages of length k + 1 cannot be encrypted by a k-bit key in a way that perfect secrecy is achieved. (2 points) (c) Alice uses the same key k to encrypt two messages m 1 and m 2 to get ciphertexts c i = E(k, m i ) = k m i. Eve later manages to learn the message m 2 in addition to both ciphertexts c 1 and c 2. Show how Eve can reconstruct m 1 with the available information. Since Eve knows m 2, she can reconstruct the key by xor-ing c 2 with m 2, i.e. c 2 m 2 = k m 2 m 2 = k. She can the retrieve the message m 1 with c 1 k = k m 1 k = m 1. (2 points) (d) Suppose you have a randomly chosen key k of length n to encrypt your messages. Unfortunately, you do not have enough to communicate and your message m 1/7

only has length n 2. You decide to pad your message with some additional bits. Does the resulting encryption scheme E 1 with provide perfect secrecy? E 1 (k, m) = k (01 m), m {0, 1} n 2, k {0, 1} n (Note: x y is the concatenation operator that combines the two strings x and y to one string.) E 1 does indeed provide perfect secrecy. Intuitively, as the key is chosen randomly, the last bit of E 1 is always random. The rest of E 1 is an OTP, which already provides perfect secrecy. (3 points) (e) Suppose you have a message m of length n, but you can only generate random keys of length k and l with k + l = n 1. You decide to generate two random keys and combine them with an additioanl bit. Does the resulting encryption scheme E 2 with E 2 (k 1, k 2, m) = (k 1 0 k 2 ) m, m {0, 1} n, k 1 {0, 1} k, k 2 {0, 1} l provide perfect secrecy? E 2 corresponds to an OTP where an intermediate bit of the key is fixed. Thus, the corresponding bit of the ciphertext only depends on the chosen message. For two messages m 0 and m 1 that differ in this intermediate bit the probability that some c C is the output of E 2 (k, m 0 ) is not equal to the probability that c is the output of E 2 (k, m 1 ). More specifically, c can only be the output of the encryption of a message where the last bit of c and the message are the same. A suitable counterexample for E 2 could be: m 0 = 000, m 1 = 111. For every key combined k = k 1 0 k 2, the second bit of E 2 (k, m 0 ) is 0 and the second bit of E 2 (k, m 1 ) is 1. Given a ciphertext c, e.g., c = 110, Pr c = c : k K, c = E 2 (k, m 1 ) = 0, while Pr c = c : k K, c = E 2 (k, m 1 ) = 1 2 > 0. 2 Encryption Schemes and Perfect Secrecy Consider the following encryption scheme. Let M := {0, 1} and C := {1, 2, 3} denote the set of plaintexts and ciphertexts, respectively. The key generation algorithm K randomly selects a key from {1, 2, 3}. Let the encryption algorithm E be defined by the following table: 2/7

m E(1, m) E(2, m) E(3, m) 0 3 2 1 1 2 1 3 (5 points) (a) Give a decryption function D such that (K, E, D) constitutes a correct encryption scheme with message space M and ciphertext space C. One possible decryption function is the following: c D(1, c) D(2, c) D(3, c) 1 ( ) 1 0 2 1 0 ( ) 3 0 ( ) 1 Notice that the entries marked with a star ( ) are not fixed by the correctness property of encryption. However, decryption is defined as a function from C to M { }, so one needs to specify these values to get a function. The distinguished error symbol is the typical choice here, however this is not enforced by the definition of a symmetric encryption scheme (see Definition 1.1 in the lecture notes), so any other value in M is also fine. (8 points) (b) Does your scheme have perfect secrecy? Explain why or give a counterexample. To prove that this scheme provides perfect secrecy, one simply checks that, for any c C, m M, the following holds: Pr c = c ; K R K, c E(K, m) = 1 K = 1 3. Since this value does not depend on m, we have that for all m 0, m 1 M and for all c C Pr c = c ; K R K, c E(K, m 0 ) = Pr c = c ; K R K, c E(K, m 1 ). As desired, this is the definition of perfect secrecy. 3 Imperfect Randomness Consider a random source that outputs bits b 1, b 2,... that are uncorrelated but biased, i.e., for all i = 1, 2,..., Pr b i = 0 = 1 Pr b i = 1 = p for some 0 < p < 1. We now use the following method to obtain unbiased bits: First, take two bits from the source. If they are identical, throw them away and take the next two bits from the source. Continue until the bits you obtain are (0, 1) or (1, 0). Output 0 in the first case and 1 in the second case. Repeat the whole process by taking two bits 3/7

again from the source. (3 points) (a) What is the probability that you throw away your two bits? We add the probabilities that both bits have the same value. Since Pr b = 0 = p, we get a probability of p 2 for getting 00, and a probability of (1 p) 2 for 11. (7 points) (b) Prove that the output c 1, c 2,... of the above method are unbiased coins, i.e., Pr c i = 1 = Pr c i = 0 = 1/2 for all i = 1, 2,.... (Hint: Consider the conditional probabilities Pr c = 0 method outputs a bit and Pr c = 1 method outputs a bit, where c is the output of the method above. You can find a refresher on conditional probabilities here: http://www.stat.yale.edu/courses/1997-98/101/condprob.htm) We calculate the probability that the algorithm, on input b 1, b 2, outputs a specific bit c. More formally, Pr c = 0 outputs a bit = Pr c = 0 b 1 b 2 = Pr c = 0 b 1 b 2 Pr b 1 b 2 = Pr b 1 = 0 b 2 = 1 Pr b 1 b 2 p(1 p) = p(1 p) + (1 p)p = 1 2. This also implies that Pr c = 1 outputs a bit = 1 2, thus the output of the above method is unbiased. 4 Perfect Secrecy for Two-time Key Use In the lecture notes we have given the definition of perfect secrecy for the case that the adversary sees the encryption of a single message: namely, for all m 0, m 1 M and for all c C, we have Pr c = c ; k K, c E(k, m 0 ) = Pr c = c ; k K, c E(k, m 1 ). (8 points) (a) Formulate a definition of perfect secrecy for the case that the adversary sees the encryption of two messages (using the same key k). (Hint: You should have messages m 0, m 1, m 0, m 1 in your definition.) 4/7

This is probably the toughest exercise on the sheet, so let s step through this slowly. Recall the intuition behind the definition of perfect secrecy above: For any ciphertext c that the adversary sees, the probability that this ciphertext c is the encryption of some message m 0 with a random key is equal to the probability that it is the encryption of some message m 1 with a random key (i.e., c contains any plaintext with equal likelihood.) So, to define perfect secrecy in the case the adversary sees two ciphertexts c 0 and c 1, encrypted using the same key, we would like to say this: the probability that c 0 is the encryption of some message m 0 and that c 1 is the encryption of some message m 1, with the same random key, is equal to the probability that c 0 is the encryption of some message m 0 and c 1 is the encryption of some message m 1, with the same random key (which may be different from the random key used to encrypt m 0 and m 1.) Hence, the most natural solution is the following: A cipher (E, D) provides perfect secrecy for two-time key use iff for all m 0, m 1, m 0, m 1 M and for all c 0, c 1 C the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) = P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) Intuitively, this means that no adversary can tell which two plaintexts have been encrypted, seeing the two ciphertexts. (7 points) (b) Assume your encryption scheme is deterministic, i.e. for a given message m and key k it always produces the same ciphertext c. Show that such a deterministic encryption scheme cannot satisfy your definition in part (a). (Hint: Consider the case that some messages of m 0, m 1, m 0, m 1 are equal.) Since our above definition of perfect secrecy for two-time key use must hold for all messages m 0, m 1, m 0, m 1 and all ciphertexts c 0, c 1, we only need to find one instantiation of these messages and ciphertexts for which the above definition cannot hold, in order to prove that the definition cannot be fulfilled by any encryption scheme. So, let us choose any m 0 = m 0 = m 1 m 1. Additionally, let us fix some key k and choose c 0 = c 1 = E(k, m 0 ). 5/7

Then, if encryption is deterministic, we will show that the following holds: P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0 ), c 1 E(k, m 1 ) 1 K > 0, but P c 0 = c 0 c 1 = c 1; k R K, c 0 E(k, m 0), c 1 E(k, m 1) = 0. (2) This violates the definition given in (a), and so no deterministic encryption scheme can fulfill our definition of perfect secrecy for two-time key use. Intuitively, what this means, and what we will show below, is that if the adversary sees a ciphertext c 0 = c 1, the probability that it is the encryption of a message m 0 and also the encryption of an identical message m 1 is non-zero, but the probability that it is the encryption of a message m 0 and at the same time the encryption of a different message m 1 is 0. First, consider equation (1). We know that c 0 = c 1 = E(k, m 0 ). Since m 0 = m 1, we also have that c 0 = c 1 = E(k, m 0) for a randomly chosen k. Clearly, if encryption is deterministic and k = k, we get that c 0 = c 0 c 1 = c 1. The event that k = k happens with probability 1 / K, which is why we know that the probability given in equation (1) is at least 1 / K (which is strictly greater than 0). For example, if E was the one-time pad, then the probability would be exactly 1 / K. However, in general, we can only say that it is greater or equal than 1 / K, because there are encryption schemes that produce the same ciphertext with different keys. (For example, imagine an encryption scheme where the key is one bit longer than the message, and encryption/decryption simply ignore the last bit of the key and otherwise operate like the one-time pad; this may be useless, but it shows that there exist encryption schemes where different keys map to the same ciphertext. For this particular encryption scheme, the probability given in equation (1) would be 2 / K.) Next, consider equation (2). Recall once more that c 0 = c 1 = E(k, m 0 ). We also have that c 0 = E(k, m 0 ) and c 1 = E(k, m 1 ), where m 0 m 1, for a randomly chosen k. By the correctness of the encryption scheme, we thus know that c 0 c 1, because they encrypt different messages with the same key (i.e., if encryption mapped two different messages with the same key to the same ciphertext, then decryption, which is necessarily always determinisic, could not be unambiguously defined, contradicting correctness.) We consider two cases: this case distinction is exhaustive, i.e., one of these cases always holds true. c 0 = c 0 : In this case, then since we also know that c 0 = c 1 and that c 0 c 1, we get that c 1 c 1. Hence, in this case the probability of the event c 0 = c 0 c 1 = c 1 in equation (2) is 0. (1) 6/7

c 0 c 0 : Actually, in this case we are already done since the probability of the event c 0 = c 0 c 1 = c 1 is obviously 0. Thus, we find that the probability given in equation (2) is 0. Finally, we see that the probabilities given in equations (1) and (2) are different, which concludes the proof. 7/7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback