Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 3 Arpita Patra © Arpita Patra.

Published byBritton Morris Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 3 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 3 Arpita Patra © Arpita Patra

2 Recall o Definition (Perfect Security: unbounded adversary + no additional leakage) o Construction (OTP / Vernam Cipher) o Proof o Drawbacks (on key length and key reusability) >> Study of SKE in ‘modern’ way “You should never re-use a one-time pad. It’s like toilet paper; if you re-use it, things get messy.” Michael Rabin

3 Today’s Goal -More definitions of Perfect Security and their equivalence o Some definition will be more handy to prove and disprove if a SKE is perfectly-secure o Will further confirm that OTP is optimal in many other ways > Formulate a formal definition (threat + break model) > Identify assumptions needed and build a construction > Prove security of the construction relative to the definition and assumption -Find alternative relaxed security notion than perfect security o Introduction to Computational Security -Inherent drawback on key space -Summarizing & Concluding Perfect Security o Captures different intuition for the same goal

4 Key Space Must be As Large as the Message Space Theorem: In any perfectly-secure encryption scheme | K |  | M |  m  M s.t. m  M(c) Proof: Assume | K | < | M | Let c be a ciphertext with Pr(C = c) > 0 M(c) := { m | m = Dec k (c) for some k} the set of all possible decrypted messages of c | M(c) | < | M | Pr [M = m | C = c] = 0  Pr [M = m] Assume for instance uniform distribution over M (any dist. Where every message occurs with non-zero prob is fine) No perfect Security! Show the other limitation is inevitable too! OTP is optimal key length-wise and key usability-wise

5 Perfectly-secure Encryption : Equivalent Definition Perfectly-secure Encryption (Shannon’s Definition): Pr[M = m | C = c] = Pr [M = m],  m  M, c  C Interpretation : probability of knowing a plain-text remains the same before and after seeing the cipher-text Perfectly-secure Encryption (Alternate Definition): Pr[C = c | M = m 0 ] = Pr [C = c | M = m 1 ],  m 0, m 1  M, c  C Interpretation : probability distribution of cipher-text is independent of plain-text The equivalence holds for any probability distribution over M

6 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. Why the assumption | K | = | M | = | C | ? c1c1 c2c2 m1m1 m2m2 m3m3 m4m4 c3c3 k

7 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if Proof: (Part 1) (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. To prove Pr[M = m | C = c] = Pr[M = m] For arbitrary c and m, Pr[C = c | M = m]= Pr[K = k] = 1/| K | Pr[C = c] m in M (irrespective of p. d. over M ) = 1/| K | Σ Pr[M = m] m in M = 1/| K | = Σ Pr[C = c | M = m] Pr[M = m] Pr[M = m | C = c] = Pr[C = c | M = m ] Pr[M = m] Pr[C = c] = Pr[M = m] (Bayes' Theorem)

8 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if Proof: (Part 2) (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. To prove (i) and (ii) as above For arbitrary c, m i and m j, Pr[C = c | M = m i ]= Pr[C = c | M = m j ] Let M = {m 1, m 2,…..} and c is a ciphertext that occurs with non-zero probability for some message Assume the same k maps both m i and m j to c Let K i is the set of all keys that maps m i to c i.e. Enc k (m i ) = c iff k belongs to K i Correctness fails!! We assume that Pr[C = c | M = m] > 0, for some m

9 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if Proof: (Part 2) (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. To prove (i) and (ii) as above m1m1 m2m2 mnmn K1K1 K2K2 KnKn | K | = | M | | K i | = 1 Condition (ii) Pr[C = c | M = m i ] = Pr[C = c | M = m j ] Pr[K = k i ] = = Pr[K = k j ] Condition (i)

10 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. -Easy to check (i) and (ii). -No need of any probability calculation unlike original perfect security definition

11 Perfect Secrecy: Equivalent Definitions Definition II: For every probability dist over M Pr[C = c | M = m 0 ] = Pr [C = c | M = m 1 ]  m 0, m 1  M, c  C Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m]  m  M, c  C Definition III: For every probability distribution over M (i)Every key k is chosen with probability 1/ | K | (ii)For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c.

12 Perfect Secrecy as an Indistinguishability game - Formulated as a challenge-response game between adv. and a verifier  = (Gen, Enc, Dec), M Hypothetical verifier m 0, m 1  M (freedom to choose any pair) b  {0, 1} c  Enc k (m b ) b’  {0, 1} (Guess about encrypted message) I can break  Comp. unbounded Gen k  Game output :  1 if b = b’  Attacker won  0 if b ≠ b’  Attacker lost

13 Perfect Secrecy as an Indistinguishability game  = (Gen, Enc, Dec), M m 0, m 1  M b  {0, 1} b’  {0, 1} I can break  Comp. unbounded Gen k  What does the above experiment model ? c  Enc k (m b ) Experiment : PrivK A,  coa Enc m  {m 0, m 1 } c  Attacker is computationally unbounded k (I know that either m 0 or m 1 will be communicated with equal prob.) k  Perfect secrecy : adversary should not get “any advantage” by seeing c above  Adversary should learn the underlying message from c only with probability ½  No better than guessing m

14 Perfect Secrecy as an Indistinguishability game  = (Gen, Enc, Dec), M m 0, m 1  M b  {0, 1} b’  {0, 1} I can break  Comp. unbounded Gen k c  Enc k (m b ) Experiment : PrivK A,  coa  Experiment output :  1 if b = b’  Attacker won (it found the underlying message)  0 if b ≠ b’  Attacker lost (failed to find the underlying message)  = (Gen, Enc, Dec) over M is perfectly-secure if for every attacker A ½ Pr PrivK A,  coa = 1 = Perfect indistinguishability

15 Chalk & Talk I (for two): Equivalence of Definitions Definition II: For every probability dist over M Pr[C = c | M = m 0 ] = Pr [C = c | M = m 1 ]  m 0, m 1  M, c  C Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m]  m  M, c  C Definition III: For every probability distribution over M (i)Every key k is chosen with probability 1/ | K | (ii)For every m in M and every c in C, there is a unique key k s.t. Enc k (m) = c. m 0, m 1  M b  {0, 1} b’  {0, 1} I can break  Unbounded Powerful Gen k c  Enc k (m b ) Experiment : PrivK A,  coa  is perfectly-secure if for every adversary A ½ = (Perfect Indistinguishability) Pr PrivK A,  coa = 1

16 Chalk & Talk II (for one) - Implementation of OTP for English text & Cryptanalysis of OTP when key is reused

17 Concluding Perfect Security -Randomized -Unbounded Powerful -COA No break allowed A ciphertext gives out some info about the message that is additional to the prior information that the adv has Two relaxations Unbounded Powerful Bounded Powerful / Polynomially Bounded COA CPA CCA Two Inherent Limitations: - Key Space as large as message space - Keys can not be reused No point in studying perfect security by strengthening the adv by giving more capability in attacking a protocol, as the limitations will carry over. Remember that- at the end of the day crypto is an applied science and we need to construct schemes that has practical relevance. The hurdles in achieving perfect security outweighs the strength of perfect security Yes!! Birth of Computational / Cryptographic Security. Break is allowed but with ‘very small’ probability Can we overcome the hurdles?

18 Concluding Perfect Security - Have we put the last nail in the coffin of perfect security? Many problems in crypto involves more than two parties- MPC, E-election etc. By all means no! - It’s blazing fast compared to the computationally-secure protocols that we design - We overlooked efficiently of perfectly-secure scheme among the hullaballoos of limitations! - Efficiency is in fact hallmark of perfectly-secure schemes - Perfect security is interesting in multi-party setting In crypto, we live in the world of trade-offs…

19 Perfect Security vs. Computational Security Threat is Unbounded Powerful Threat is ‘Computationally Bounded’ Key as large as the message Fresh key for every encryption A small key will do Key reuse is permitted. A scheme is secure if Pr [M = m | C = c] = Pr [M = m]  m, c A scheme is secure if any computationally bounded adversary succeeds in ‘breaking’ the scheme with at most ‘some very small probability’. No break allowedBreak is allowed with ‘small’ probability YES Absolutely! Is it necessary to relax the threat and break to overcome the limitations?

20

Download ppt "Cryptography Lecture 3 Arpita Patra © Arpita Patra."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
CIS 5371 Cryptography Introduction.

CIS 5371 Cryptography Introduction.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Similar presentations

Ads by Google