and its Extension to Authenticity

Similar documents
and Other Fun Stuff James L. Massey

Correcting Codes in Cryptography

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Perfectly-Secret Encryption

Optimum Binary-Constrained Homophonic Coding

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Topics. Probability Theory. Perfect Secrecy. Information Theory

PERFECTLY secure key agreement has been studied recently

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

Introduction to Cryptography Lecture 4

Perfectly secure cipher system.

Chapter 2 : Perfectly-Secret Encryption

Lecture 1: Introduction to Public key cryptography

MODULAR ARITHMETIC. Suppose I told you it was 10:00 a.m. What time is it 6 hours from now?

Cryptographic Engineering

Public Key Cryptography

Information Theoretical Analysis of Digital Watermarking. Multimedia Security

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Shannon s Theory of Secrecy Systems

Cryptography 2017 Lecture 2

Lecture 2: Perfect Secrecy and its Limitations

Lecture Notes. Advanced Discrete Structures COT S

ASPECIAL case of the general key agreement scenario defined

Notes for Lecture 17

Historical cryptography. cryptography encryption main applications: military and diplomacy

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Week 7 An Application to Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Cryptography. pieces from work by Gordon Royle

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Lecture 8 - Cryptography and Information Theory

The simple ideal cipher system

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Computer Science A Cryptography and Data Security. Claude Crépeau

Information-theoretic Secrecy A Cryptographic Perspective

Lecture 9 - Symmetric Encryption

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

CRYPTOGRAPHY AND NUMBER THEORY

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Cryptography and Number Theory

8.1 Principles of Public-Key Cryptosystems

CPSC 467b: Cryptography and Computer Security

Simple Codes MTH 440

Notes on Alekhnovich s cryptosystems

Great Theoretical Ideas in Computer Science

Gentry s SWHE Scheme

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Turbo Codes Can Be Asymptotically Information-Theoretically Secure

Paper from European Trans. on Telecomm., Vol. 5, pp , July-August 1994.

Secrecy and the Quantum

The BB84 cryptologic protocol

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Question: Total Points: Score:

Introduction to Cryptology. Lecture 2

Chapter 3 Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 12: Block ciphers

6.080/6.089 GITCS April 8, Lecture 15

Jay Daigle Occidental College Math 401: Cryptology

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Lecture Note 3 Date:

Information-Theoretic Security: an overview

Chapter 3 Cryptography

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Information Leakage of Correlated Source Coded Sequences over a Channel with an Eavesdropper

Exam Security January 19, :30 11:30

Lecture 10: HMAC and Number Theory

A UNIVERSAL ALGORITHM FOR HOMOPHONIC CODING

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Leftovers from Lecture 3

An Introduction to Cryptography

A New Algorithm to Construct. Secure Keys for AES

Number theory (Chapter 4)

Enhancements of the Non-linear Knapsack Cryptosystem

Quantum Wireless Sensor Networks

RSA RSA public key cryptosystem

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

William Stallings Copyright 2010

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Dan Boneh. Stream ciphers. The One Time Pad

Entanglement and information

Cryptography IV: Asymmetric Ciphers

Transcription:

EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of Denmar Trondhjemsgade 3, 2TH DK-2100 Copenhagen East JamesMassey@compuserve.com 1

Cryptology ( hidden word ) Cryptography (code maing) Cryptanalysis (code breaing) The good guys The bad guys 2

Goals of cryptography Secrecy Authenticity Xuejia Lai has given a useful razor for deciding whether something is a matter of secrecy or a matter of authenticity. 3

Secrecy - concerned with who has access to (or can read) a legitimate message. Secrecy deals with safeguarding the future by ensuring that only authorized recipients will be able to gain access to (or read) a legitimate message. 4

Authenticity - concerned with who can create (or write) a legitimate message. Authenticity deals with protecting the past by ensuring that the creator (or author) was entitled to create (or write) the message ensuring that the contents of the message have not been altered 5

A secrecy scheme: The Caesar Cipher 23 24 25 Y X Z 0 1 A B C...... 2 Arithmetic on a CIRCLE (Modulo 26 arithmetic) Encrypt = Add 3 (move clocwise 3 places) Decrypt = Subtract 3 (move counterclocwise 3 places) SECRET KEY = 3 C A E S A R F D H V D U plaintext ciphertext M A S S E Y D V V H B plaintext ciphertext 6

Today we use a SMALLER CIRCLE! 1 0 Arithmetic on this CIRCLE (Modulo 2 arithmetic) Encrypt = Add (move clocwise) Decrypt = Subtract (move counterclocwise) = (move clocwise) Decrypt = Encrypt and a LONGER SECRET KEY! 1 0 0 1 1 1 0 1 plaintext 0 1 1 0 0 1 1 1 secret ey 1 1 1 1 1 0 1 0 ciphertext 7

Everybody lies to mae secret codes! 8

hotograph of Shannon at home in 1962. (from the New Yor Times Magazine, 30 December 2001) 9

As a first step in the mathematical analysis of cryptography, it is necessary to idealize the situation suitably, and to define in a mathematically acceptable way what we shall mean by a secrecy system. C.E. Shannon, "Communication Theory of Secrecy Systems", Bell System Tech. J., vol. 28, pp. 656-715, Oct., 1949. This was a radical departure from previous papers in cryptography where (as in Steen and Stoffer) conjecture and imprecision reigned. Just how did Shannon define a secrecy system in a mathematically acceptable way? 10

He drew a picture! (Shannon, 1949) 11

Claude Elwood Shannon (1916-2001) (photographed 17 April 1961 by Göran Einarsson) 12

Shannon s Fig. 1 Schematic of a general secrecy system maes the following assumptions crystal clear: The message M and the ey K are independent random variables. The sender and receiver both now the ey. The attacer nows only the cryptogram E (i.e., a ciphertext-only attac is assumed). The receiver is able to recover the message M from nowledge of the cryptogram E and ey K. No assumption is made about who generates the ey. You don t need a lot of words and/or equations to mae yourself mathematically precise! 13

Kerchoffs rinciple A cipher should be secure when the enemy cryptanalyst nows all details of the enciphering process and deciphering process except for the value of the secret ey. This principle was first stated in 1881 by the Dutchman Auguste Kerchoffs (1835-1903). When evaluating security, one assumes that the enemy cryptanalyst nows everything (including the source statistics and ey statistics) except the secret ey. 14

What does unbreaable mean? To Shannon, a cipher is unbreaable in a ciphertext-only attac if it provides unconditional security, i.e., no matter how hard or how long the attacer wors, he/she can do no better than to guess the plaintext by the best guessing rule that he/she would use without having seen the ciphertext. Shannon s 1949 definition: A cipher provides perfect secrecy against a ciphertext-only attac if the plaintext and the ciphertext, considered as random variables, are independent. 15

Vernam s 1926 Cipher: Enemy cryptanalyst in a ciphertext-only attac. Binary laintext Source M R Secure Channel R is the secret ey, a totally random BSS sequence. Binary Symmetric Source E R R M Destination Vernam claimed that his cipher was unbreaable! 16

Vernam not only claimed that his cipher was unbreaable, but also stated that he had confirmed this in field trials with the U. S. Army Signal Corps. Was Vernam right? Was his cipher the first unbreaable cipher in the many thousands of years of cryptographic history? 17

The Binary Symmetric Source (BSS) of information theory is a money with a fair binary coin ( 0 on one side and 1 on the other). 18

Cryptographic property of the BSS: The modulo-two sum of a BSS output and an arbitrary random sequence is another BSS output that is INDEENDENT of the arbitrary random sequence. Example: BSS output: 0 1 0 0 1 0 1 0 1 1 1 0 1... Arb. Ran. Seq. 1 1 1 1 1 1 1 1 1 1 1 1 1... Modulo-2 sum 1 0 1 1 0 1 0 1 0 0 0 1 0... 19

Vernam s cipher provides perfect secrecy against a ciphertext-only attac! Binary laintext Source M R E Secure Channel R BSS Destination The cryptogram E that the enemy cryptanalyst sees is independent of the plaintext message M. This simple proof of unbreaability of Vernam s 1926 cipher was first given by Shannon in 1949! R M 20

Vernam s cipher is usually today called the one-time pad to emphasize that the ey is to be used for only one message. It was used by spies on both sides in World War II and is still the cipher of choice for extremely important secret communications. (What Shannon called the plaintext is the total data that will be encrypted before the ey is changed, i.e., Shannon specified a one-time ey in his theory of secrecy systems.) 21

Vernam s cipher needs as many binary digits of secret ey as there are bits of plaintext to be encrypted. Vernam was right about his cipher being unbreaable, but does an unbreaable cipher really need this huge amount of secret ey??? 22

Shannon s 1949 Lower Bound on Key Length: For perfect secrecy, the number of different eys must be AT LEAST AS GREAT as the number of different plaintexts. roof: For any fixed ey, the number of different ciphertexts e equals the number of different plaintexts m. erfect secrecy for all possible e and any fixed m, (E=e M=m) = (E=e) 0 For a fixed m, the number of different ciphertexts e must equal at least the number of different plaintexts m. But all eys from a fixed m to different e s must be different. 23

Shannon later gave the following proof of a slightly weaer lower bound on ey length, namely H(K) H(E). erfect secrecy H(E) = H(M E) H(MK E) = H(K E) + H(M EK) = H(K E) = 0 H(K) Thus, if the cipher is to give perfect secrecy regardless of the source statistics, it must also give perfect secrecy for the BSS for which H(M) = N bits. Thus H(K) N so that the ey must be at least N binary digits long. 24

The number of different plaintext messages is about 2 H(M) where H(M) is the entropy of the plaintext message. Equivalently, one says that H(M) is the number of bits of information in the plaintext message. An ideal data compressor will compress M to about H(M) binary digits. Consider the system: M Ideal Data Compressor Vernam s Cipher E K Achieves perfect secrecy and the number of binary digits of the ey K is H(M), which satisfies Shannon s lower bound with equality. 25

Simmons Model of a Substitution Attac on an Authenticity System MESSAGE SOURCE M ENCIHERER T K E E' DECIHERER T K -1 ACCETED M' K ENEMY CRYTANALYST Secure Channel K KEY SOURCE K RECOGNIZED UNAUTHENTIC E' can be the legitimate cryptogram E or a phony cryptogram E' (E' E) inserted by the attacer. E' is accepted if and only if it is a valid cryptogram for the ey K. 26

In an impersonation attac, the attacer forms E' without seeing a legitimate cryptogram E and wins if his cryptogram is accepted. I = robability of successful impersonation when the attacer uses an optimum attac. S = robability of successful substitution when the attacer uses an optimum attac. d = robability of deception = max( I, S ) Simmons 1984 bound on the probability of deception: d 2 -I(E; K) where I(E; K) = H(K) - H(K E) is the mutual information between E and K. The only way to get unconditionally secure authenticity is to let the cryptogram give information about the ey! 27

Example of an authenticity system meeting Simmon s lower bound on I with equality: laintext is sent in the clear and the ey is added as a signature: E = [M : K] If the ey has length n binary digits, then I = 2 -n because the attacer can only mae a random guess at the secret ey in an impersonation attac. I(E; K) = n bits so that Simmons bound on I holds with equality! This authenticity system gives no secrecy! In a substitution attac, the attacer can achieve S = 1. 28

Example of an authenticity system meeting Simmon s lower bound on S and d with equality: 1-bit messages with individual signatures. K = (K 1, K 2,... K ν, K ν +1,... K 2ν ) [n = 2ν-bit ey] assumed generated by a BSS. M is 0 or 1. M = 0 E = (0, K 1, K 2,... K ν ) M = 1 E = (1, K ν +1, K ν +2,... K 2ν ) Note that again there is no secrecy! Whether the attacer observes E or not, he must guess ν bits of ey to produce a cryptogram E' that will be accepted as authentic. I = S = d = 2 -ν. But I(E; K) = ν bits so that Simmons bound on d holds with equality! 29

This example shows that we can have unconditionally secure authenticity with no secrecy. Vernam s cipher gives perfect secrecy against a ciphertext-only attac but no protection against an impersonation attac, i.e., I = 1. The important conclusion to mae is that secrecy and authenticity are independent attributes of a cryptographic system. 30

The informational divergence (or the Kullbach- Leibler distance or the relative entropy or the discrimination ) from to Q, two probability distributions on the same alphabet, is the quantity D( Q) = x supp( ) Q(x) (x) log. (x) Fundamental property of informational divergence: D ( Q) 0 with equality if and only if = Q. Let H 0 and H 1 be the two possible hypotheses and let Y be the observation used to determine which hypothesis is true. Let D 0 and D 1 be the regions of Y values in which one decides for H 0 or H 1, respectively. Let α or β be the error probabilities when H 0 or H 1 is true, respectively. 31

Let V (0 or 1) be the decision as to which hypothesis is true so that α = V H 0 (1) and β = V H1 (0). Direct calculation gives D( V H ) 0 V H1 1- β = α log α (1 α) log β. 1-α Information-theoretic bound for hypothesis testing: D( Y H 0 Y H1 1- β ) α log (1 α with equality if and only if Y H Y H 0 1 (y) (y) β α) log 1-α has the same value for all y D 0 and has the same value for all y D 1. 32

For the important special case where α = 0, i.e., where we never err when H 0 is true, the previous bound gives β 2 D ( Y H 0 Y H1 Now suppose that H 0 is the hypothesis that the observation Y = E' is the legitimate cryptogram E for the ey K =, i.e., ( y) = E K ( ), and that H 1 is the hypothesis Y H y 0 = that Y = E' is formed by the attacer according to H ( y) = ( y) ( ) ( y) 1 E = K = E K Y = which may not be the optimum attacing strategy. Let β be the error probability when K = so that β 2 D ( E K = E ) ).., 33

34 Moreover, β is just the probability I of successful impersonation, so the information-theoretic bound becomes. 2 ) ; ( E K I I ) ( ) ( log ) ( ) ( y y y D K E E y K E E K E = = = = ) ( ) ( 2 E E K K D = ) ( )2 ( ) ( = = E K E D K K β β where we have used Jensen s inequality. But ). ; ( ) ( ) ( ) ( ) ( K E I K E H E H D E E K K = = = This completes the proof of Simmons lower bound.

Simmons proof of his bound on the probability of deception (or impersonation) appears in G. J. Simmons, "Authentication Theory/Coding Theory," pp. 411-431 in Advances in Cryptology - CRYTO '84 (Eds. G. R. Blaey and D. Chaum), Lecture Notes in Computer Science No. 196. Heidelberg and New Yor: Springer, 1985. Several simplifications of his derivation have since been given. The most insightful one, which we have followed, is by Maurer, cf. U. M. Maurer, "Information Theoretic Bounds in Authentication Theory," p.12 in roc. IEEE Inst. Symp. Info. Th., Whistler, Canada, Sept. 17-22, 1995. U.M. Maurer, "A Unified and Generalized Treatment of Authentication Theory, pp. 387-398 in roc. 13th Symp. on Theoretical Aspects of Computer Science (STACS'96), Lecture Notes in Computer Science No. 1046, New Yor: Springer, 1996. Maurer based his treatment on Blahut s informationtheoretic approach to hypothesis testing, cf. R. E. Blahut, Hypothesis testing and information theory, IEEE Trans. Inform. Theory, vol. IT-20, pp. 405-417, July 1974 35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback