I538/B609: Introduction to Cryptography Fall 2015 · Lecture 4

Lectures so far:
- Discrete probability
- Proving things
Today's lecture:
- Perfectly secret encryption

Assignment 1 is due on Thursday, September 10 (that's one week from today!), not Tuesday, September 8. Srijita and I will answer questions until 2:30pm on Monday, September 7.

Tomorrow!! Friday, September 4 at 3:00pm in LH 102: Alison Macrina, The Library Freedom Project, "Privacy in the age of mass surveillance: The Library Freedom Project". This talk will examine the state of surveillance in the digital age, from the intelligence agencies' dragnet to the corporate business model of total information awareness. These conclusions will be connected to historical examples showing how surveillance is used against marginalized people conducting lawful First Amendment activities. She will illustrate why privacy is still possible and why it matters now more than ever, offering practical tips for protecting individual privacy and fighting back against pervasive surveillance. In closing, she will outline the work of the Library Freedom Project, which brings privacy and surveillance education to librarians and their local communities.

Perfectly secret encryption, aka "unconditionally secret" encryption or "information-theoretically secret" encryption.

What is encryption? An encryption scheme is a method for "scrambling" messages in such a way that they can only be "unscrambled" by their intended recipient. [Figure: Alice sends Enc(m1) and Enc(m2) to Bob; Eve, eavesdropping on the channel, sees only the ciphertexts and is left asking "m1 = ?", "m2 = ?".]

Encryption schemes
Defn: An encryption scheme (or cipher) is a triple of algorithms (Gen, Enc, Dec) such that
- Gen: 1^n → K (for n ∈ ℕ) is a randomized "key generation" algorithm;
- Enc: K × M → C is an (often randomized) "encryption" algorithm;
- Dec: K × C → M is a deterministic "decryption" algorithm.
Here K is the key space (the set of possible keys), M is the message space (the set of possible messages) and C is the ciphertext space (the set of possible ciphertexts). We usually write Enc_k(m) and Dec_k(c) instead of Enc(k, m) and Dec(k, c).

Correctness
Intuitively: correctness is the property of being able to decrypt (given knowledge of the correct key).
Defn: An encryption scheme (Gen, Enc, Dec) with key space K and message space M is correct if ∀k ∈ K and ∀m ∈ M,
Pr[Dec_k(Enc_k(m)) = m] = 1,
where the probability is over the randomness of Enc (if any).
Note: it is possible (but relatively uncommon) to allow correctness with probability p < 1.

Defining secrecy (aka confidentiality)
Recall the three steps in modern crypto:
1. propose a precise threat model;
2. propose a construction;
3. prove that breaking the construction is "equivalent" to solving an intractable problem (or is outright impossible).
Our threat model (for now): ciphertext-only attacks. The attacker can see a single ciphertext; we want to ensure "perfect secrecy" of the corresponding plaintext.

Defining secrecy
Consider the following candidate "definitions":
Attempt 1: The attacker cannot recover the secret key. The "identity" scheme Enc_k(m) := m would be "secure" under this definition!
Attempt 2: The attacker cannot recover the entire plaintext. The scheme Enc_k(m0 ‖ m1) := m0 ‖ (k ⊕ m1), which sends the first half of the message in the clear and pads only the second half, would be "secure" under this definition!
Attempt 3: The attacker learns nothing about the plaintext. This is the right idea, but how do we make it rigorous?

Perfect secrecy: Definition 1
Defn: An encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if, ∀m0, m1 ∈ M (such that |m0| = |m1| = n) and ∀c ∈ C,
Pr[Enc_k(m0) = c | k ← Gen(1^n)] = Pr[Enc_k(m1) = c | k ← Gen(1^n)].
Q: Why is this the "right" definition?
A: Every plaintext induces the same distribution on ciphertexts, so given (a single) ciphertext it is impossible to tell whether the plaintext was m0 or m1 (or any other message).

Perfect secrecy: Definition 2
Consider an attacker A that knows some prior distribution on the message space M; that is, A has prior knowledge about what the message will be. Let M and C denote random variables describing the plaintext and ciphertext when k ← Gen(1^n).
Defn: An encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if, ∀m ∈ M and ∀c ∈ C such that Pr[C = c] > 0,
Pr[M = m | C = c] = Pr[M = m].
Q: Why is this the "right" definition?
A: No matter what prior knowledge the attacker has, seeing a ciphertext reveals nothing more about the plaintext: the attacker's posterior distribution on the plaintext is identical to its prior.

Perfect secrecy: Definition 3 (the indistinguishability game)
Both the challenger C and the attacker A are given 1^n. (A is computationally unbounded; this is what makes the secrecy "perfect".)
1. C runs k ← Gen(1^n).
2. A chooses m0, m1 ∈ M with |m0| = |m1| = n and sends them to C.
3. C picks b ∈_R {0, 1} uniformly at random, computes c ← Enc_k(m_b), and sends c to A.
4. A outputs b' ∈ {0, 1}, its guess for b.
Let E be the event that b = b' in the above game, and define A's advantage to be Adv(A) := Pr[E] − 1/2. (An attacker with Pr[E] < 1/2 can flip its guess, so one often writes |Pr[E] − 1/2|; either way, requiring zero advantage for every A is the same condition.)
Defn: An encryption scheme (Gen, Enc, Dec) is perfectly secret if Adv(A) = 0 for every attacker A.

Gilbert Vernam (1890–1960), engineer at AT&T Bell Labs. "Invented" stream ciphers and the one-time pad in 1919 (U.S. Patent 1,310,719). Actually, the patent was for a machine that encrypts a plaintext by (mechanically) XORing it with a secret key.

One-time pad (aka Vernam cipher)
Messages, ciphertexts and keys are all n-bit strings (that is, M = C = K = {0, 1}^n).
- Gen(1^n) outputs a uniform random key k ∈_R {0, 1}^n.
- Enc_k(m) exclusive-ORs the message and key; that is, c := m ⊕ k.
- Dec_k(c) exclusive-ORs the ciphertext and key; that is, m := c ⊕ k.
Correctness: Dec_k(Enc_k(m)) = Enc_k(m) ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ⊕ 0^n = m.

One-time pad example
Encryption:
  Plaintext:  0 0 1 0 1 1 1 0 1 0 0 1
  Key:        0 1 0 1 1 1 0 1 0 0 0 1
  Ciphertext: 0 1 1 1 0 0 1 1 1 0 0 0
Decryption:
  Ciphertext: 0 1 1 1 0 0 1 1 1 0 0 0
  Key:        0 1 0 1 1 1 0 1 0 0 0 1
  Plaintext:  0 0 1 0 1 1 1 0 1 0 0 1

Secrecy of the one-time pad
Recall the theorem from the first lecture:
Thm (XOR preserves uniformity): If Y is a uniform random variable on {0, 1}^n and X is an arbitrary random variable on {0, 1}^n that is independent of Y, then Z := X ⊕ Y is a uniform random variable on {0, 1}^n. (Independence is essential: with X := Y we would get Z = 0^n always.)
Proof (for n = 1):
Pr[Z = 0] = Pr[(X, Y) = (0, 0) or (X, Y) = (1, 1)]   (definition of ⊕)
 = Pr[(X, Y) = (0, 0)] + Pr[(X, Y) = (1, 1)]   (the two events are disjoint)
 = Pr[X = 0] · Pr[Y = 0] + Pr[X = 1] · Pr[Y = 1]   (independence)
 = Pr[X = 0] / 2 + Pr[X = 1] / 2   (Y is uniform, by assumption)
 = (Pr[X = 0] + Pr[X = 1]) / 2
 = 1 / 2,
and hence Pr[Z = 1] = 1 − Pr[Z = 0] = 1/2 as well.

Secrecy of the one-time pad
Corollary: If (Gen, Enc, Dec) is the one-time pad encryption scheme, then ∀m ∈ M and ∀c ∈ C,
Pr[Enc_k(m) = c | k ← Gen(1^n)] = 2^−n
⇒ ∀m0, m1 ∈ M and ∀c ∈ C, Pr[Enc_k(m0) = c | k ← Gen(1^n)] = Pr[Enc_k(m1) = c | k ← Gen(1^n)],
so the one-time pad satisfies Definition 1. (Apply the theorem with X := m, a fixed message, and Y := k, which is uniform and independent of m.)

A better one-time pad (?)
Observation: If k = 0^n, then Enc_k(m) = m ⊕ 0^n = m.
Idea: Never choose k = 0^n.
Is this a good idea? NO! It is a terrible idea! (But why?)
If Pr[k = 0^n] = 0, then Pr[M = m | C = m] = 0 for every m with Pr[M = m] > 0, and the scheme cannot satisfy Definition 2 for perfect secrecy! Intuitively, c = Enc_k(m) leaks information about m; namely, that m ≠ c.
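Definitions 1 and 2 can be checked exhaustively when n is small, because a 3-bit pad has only eight keys and Pr[Enc_k(m) = c] can be computed exactly by counting rather than sampled. The checker below is an added example, not code from the lecture: it applies Definition 1 to the one-time pad, to the "never choose k = 0^n" variant above, and to the half-pad scheme from Attempt 2 (Enc_k(m0 ‖ m1) := m0 ‖ (k ⊕ m1)), and it computes the Definition 2 posterior Pr[M = m | C = c] by Bayes' rule. The bit length N = 3, the uniform prior and all function names are choices made here.

```python
"""Exhaustive perfect-secrecy checks for small n (added example, not from the slides).

Messages, keys and ciphertexts are ints in [0, 2^N). Every key is enumerated,
so the ciphertext distribution of each message is exact (Fractions, not floats).
"""
from fractions import Fraction
import secrets

N = 3                      # bit length; small so the 2^N keys can be enumerated
MASK = (1 << N) - 1


def gen_otp(n=N):
    """Gen(1^n): uniform n-bit key from the OS CSPRNG (used only stand-alone)."""
    return secrets.randbits(n)


def enc_otp(k, m):
    """One-time pad Enc_k(m) := m XOR k."""
    return (m ^ k) & MASK


def dec_otp(k, c):
    """One-time pad Dec_k(c) := c XOR k."""
    return (c ^ k) & MASK


def enc_half_pad(k, m):
    """Attempt 2 from the lecture: m is 2N bits m0 || m1 and only m1 is padded."""
    hi, lo = m >> N, m & MASK
    return (hi << N) | (lo ^ k)


def uniform(keys):
    """Key (or message) distribution that is uniform over the given set."""
    return {k: Fraction(1, len(keys)) for k in keys}


def ciphertext_distribution(enc, key_dist, m, ciphertexts):
    """{c: Pr[Enc_k(m) = c]} with k drawn from key_dist = {k: Pr[k]}."""
    dist = {c: Fraction(0) for c in ciphertexts}
    for k, p in key_dist.items():
        dist[enc(k, m)] += p
    return dist


def is_perfectly_secret(enc, key_dist, messages, ciphertexts):
    """Definition 1: for every m0, m1 and every c, Pr[Enc_k(m0)=c] == Pr[Enc_k(m1)=c]."""
    dists = [ciphertext_distribution(enc, key_dist, m, ciphertexts) for m in messages]
    return all(d == dists[0] for d in dists[1:])


def posterior(enc, key_dist, prior, c, ciphertexts):
    """Definition 2 view: Pr[M = m | C = c] for a prior {m: Pr[M = m]} (Bayes' rule)."""
    joint = {m: prior[m] * ciphertext_distribution(enc, key_dist, m, ciphertexts)[c]
             for m in prior}
    pc = sum(joint.values())               # Pr[C = c]
    return {m: (joint[m] / pc if pc else Fraction(0)) for m in prior}


MESSAGES = list(range(1 << N))
CIPHERTEXTS = list(range(1 << N))
OTP_KEYS = uniform(range(1 << N))          # k uniform in {0,1}^N
NO_ZERO_KEYS = uniform(range(1, 1 << N))   # the "better" pad: k != 0^N
HALF_PAD_SPACE = list(range(1 << (2 * N))) # 2N-bit messages and ciphertexts


def otp_roundtrip_ok():
    """Correctness: Dec_k(Enc_k(m)) = m for every k and m."""
    return all(dec_otp(k, enc_otp(k, m)) == m for k in OTP_KEYS for m in MESSAGES)


def otp_is_secret():
    return is_perfectly_secret(enc_otp, OTP_KEYS, MESSAGES, CIPHERTEXTS)


def no_zero_key_is_secret():
    return is_perfectly_secret(enc_otp, NO_ZERO_KEYS, MESSAGES, CIPHERTEXTS)


def half_pad_is_secret():
    return is_perfectly_secret(enc_half_pad, OTP_KEYS, HALF_PAD_SPACE, HALF_PAD_SPACE)


def no_zero_key_leak(m):
    """With k != 0^N, seeing c = m rules m out: Pr[M = m | C = m] = 0 != Pr[M = m] = 1/8."""
    return posterior(enc_otp, NO_ZERO_KEYS, uniform(MESSAGES), m, CIPHERTEXTS)[m]


if __name__ == "__main__":
    print("OTP correct:", otp_roundtrip_ok())
    print("OTP perfectly secret (Def. 1):", otp_is_secret())
    print("OTP without k=0^N perfectly secret:", no_zero_key_is_secret())
    print("half pad perfectly secret:", half_pad_is_secret())
    print("Pr[M=5 | C=5] under the no-zero pad:", no_zero_key_leak(5))
```

The same checker doubles as a test harness for Definition 1 against any fixed-length scheme you can enumerate: pass in the encryption function, the key distribution Gen induces, and the message and ciphertext spaces. Note that it cannot be run at realistic key sizes; it is a teaching aid, not a security proof.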

Perfect secrecy ≠ perfect cryptosystem
Thm: If (Gen, Enc, Dec) is perfectly secret then |K| ≥ |M|; in other words, the key must be at least as long as the message!! (Question 4 on Assignment 1 asks you to prove or disprove the converse of this theorem.)
Large keys make the OTP hard to use in practice!
Idea: Fix a key k ← Gen(1^n) once and for all, and then use it to encrypt many plaintexts!
Is this a good idea? NO! It is a terrible idea! (But why?)

Two-time pad
Never, ever, EVER use an OTP key more than once!!
c0 = m0 ⊕ k
c1 = m1 ⊕ k
The eavesdropper can compute c0 ⊕ c1 = m0 ⊕ m1 (the key cancels out). There is sufficient redundancy in English to uniquely determine m0, m1 from m0 ⊕ m1 with high probability! (E.g., Question 8 on Assignment 1!)

Malleability of the one-time pad
Thm: The one-time pad encryption scheme is malleable; that is, given a ciphertext c0 = Enc_k(m0), an attacker (without knowledge of k or m0) can produce a ciphertext c1 such that m1 = Dec_k(c1) has a "known relationship" to m0. For instance, c1 := c0 ⊕ δ decrypts to m0 ⊕ δ, so flipping bit i of the ciphertext flips exactly bit i of the plaintext. (See Question 6 on Assignment 1!)

That’s all for today, folks!