Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 3 Arpita Patra © Arpita Patra.

Published byῬούθ Θυία Βασιλειάδης Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 3 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 3 Arpita Patra © Arpita Patra

2 Recall >> Study of SKE in ‘modern’ way Definition (Perfect Security: unbounded adversary + no additional leakage) Construction (OTP / Vernam Cipher) Proof Drawbacks (on key length and key reusability) “You should never re-use a one-time pad. It’s like toilet paper; if you re-use it, things get messy.” Michael Rabin

3 Today’s Goal Inherent drawback on key space
More definitions of Perfect Security and their equivalence Captures different intuition for the same goal Some definition will be more handy to prove and disprove if a SKE is perfectly-secure Will further confirm that OTP is optimal in many other ways Summarizing & Concluding Perfect Security Find alternative relaxed security notion than perfect security Introduction to Computational Security > Formulate a formal definition (threat + break model) > Identify assumptions needed and build a construction > Prove security of the construction relative to the definition and assumption

4 Key Space Must be As Large as the Message Space
Theorem: In any perfectly-secure encryption scheme | K |  | M | OTP is optimal key length-wise and key usability-wise Proof: Assume | K | < | M | Let c be a ciphertext with Pr(C = c) > 0 Assume for instance uniform distribution over M (any dist. Where every message occurs with non-zero prob is fine) M(c) := { m | m = Deck (c) for some k} the set of all possible decrypted messages of c | M(c) | ≤ |K | < | M |  m  M s.t. m  M(c) Pr [M = m | C = c] =  Pr [M = m] No perfect Security! Show the other limitation is inevitable too!

5 Perfectly-secure Encryption : Equivalent Definition
Perfectly-secure Encryption (Shannon’s Definition): Pr[M = m | C = c] = Pr [M = m] ,  m  M, c  C Interpretation : probability of knowing a plain-text remains the same before and after seeing the cipher-text The equivalence holds for any probability distribution over M Perfectly-secure Encryption (Alternate Definition): Pr[C = c | M = m0] = Pr [C = c | M = m1],  m0, m1  M, c  C Interpretation : probability distribution of cipher-text is independent of plain-text

6 Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Why the assumption | K | = | M | = | C | ? For perfectly secure scheme: | K | ≥ | M | For correctness to hold: | C | ≥ | M | m1 m2 m3 m4 c1 c2 k c3

7 Shannon’s Theorem To prove Pr[M = m | C = c] = Pr[M = m]
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 1) To prove Pr[M = m | C = c] = Pr[M = m] For arbitrary c and m, Pr[C = c | M = m] = Pr[K = k] = 1/| K | Pr[C = c] = Σ Pr[C = c | M = m] Pr[M = m] (irrespective of p. d. over M) m in M = 1/| K | Σ Pr[M = m] = 1/| K | m in M Pr[C = c | M = m ] Pr[M = m] Pr[M = m | C = c] = = Pr[M = m] Pr[C = c] (Bayes' Theorem)

8 Shannon’s Theorem To prove (i) and (ii) as above
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above Let M = {m1, m2,…..} and c is a ciphertext that occurs with non-zero probability for some message Let Ki is the set of all keys that maps mi to c i.e. Enck (mi) = c iff k belongs to Ki Claim: Ki ≠∅ and Ki ∩ Kj = ∅ We assume that Pr[C = c | M = m] > 0, for some m Ki ≠∅ For arbitrary c, mi and mj, Pr[C = c | M = mi] = Pr[C = c | M = mj] Assume the same k maps both mi and mj to c Ki ∩ Kj = ∅ Correctness fails!!

9 Shannon’s Theorem To prove (i) and (ii) as above
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above Claim: Ki ≠∅ and Ki ∩ Kj = ∅ m1 m2 mn K1 K2 Kn | K | = | M | | Ki | = 1 Condition (ii) Pr[K = ki] = Pr[C = c | M = mi] = Pr[C = c | M = mj] = Pr[K = kj] Condition (i)

10 Shannon’s Theorem -Easy to check (i) and (ii).
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. -Easy to check (i) and (ii). -No need of any probability calculation unlike original perfect security definition

11 Perfect Secrecy: Equivalent Definitions
Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m]  m  M, c  C Definition II: For every probability dist over M Pr[C = c | M = m0] = Pr [C = c | M = m1]  m0, m1  M, c  C Definition III: For every probability distribution over M Every key k is chosen with probability 1/ | K | For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c.

12 Perfect Secrecy as an Indistinguishability game
- Formulated as a challenge-response game between adv. and a challenger  = (Gen, Enc, Dec), M Hypothetical challenger I can break  Comp. unbounded m0, m1  M (freedom to choose any pair) b  {0, 1} c  Enck(mb) b’  {0, 1} (Guess about encrypted message) Gen k Game output : 1 if b = b’  Attacker won 0 if b ≠ b’  Attacker lost

13 Perfect Secrecy as an Indistinguishability game
 = (Gen, Enc, Dec), M I can break  Comp. unbounded b  {0, 1} m0, m1  M c  Enck(mb) b’  {0, 1} Gen k PrivK A,  coa Experiment : Adversary should learn the underlying message from c only with probability ½ No better than guessing m What does the above experiment model ? m  {m0, m1} Enc c k k (I know that either m0 or m1 will be communicated with equal prob.) Perfect secrecy : adversary should not get “any advantage” by seeing c above Attacker is computationally unbounded

14 Perfect Secrecy as an Indistinguishability game
 = (Gen, Enc, Dec), M I can break  Comp. unbounded b  {0, 1} m0, m1  M c  Enck(mb) b’  {0, 1} Gen k PrivK A,  coa Experiment : Experiment output : Perfect indistinguishability 1 if b = b’  Attacker won (it found the underlying message) 0 if b ≠ b’  Attacker lost (failed to find the underlying message)  = (Gen, Enc, Dec) over M is perfectly-secure if for every attacker A Pr PrivK A,  coa = 1 =

15 Reading Assignment I: Equivalence of Definitions
Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m]  m  M, c  C Definition II: For every probability dist over M Pr[C = c | M = m0] = Pr [C = c | M = m1]  m0, m1  M, c  C Definition III: For every probability distribution over M Every key k is chosen with probability 1/ | K | For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. (Perfect Indistinguishability) b  {0, 1} I can break  Unbounded Powerful m0, m1  M c  Enck(mb) b’  {0, 1} Gen k PrivK A,  coa Experiment : PrivK A,  coa  is perfectly-secure if for every adversary A Pr = 1 =

16 RA II - Implementation of OTP for English text & Cryptanalysis of OTP when key is reused

17 Yes!! Concluding Perfect Security
Remember that- at the end of the day crypto is an applied science and we need to construct schemes that has practical relevance. The hurdles in achieving perfect security outweighs the strength of perfect security CCA Birth of Computational / Cryptographic Security. CPA A ciphertext gives out some info about the message that is additional to the prior information that the adv has Randomized Unbounded Powerful COA COA Two Inherent Limitations: - Key Space as large as message space - Keys can not be reused No point in studying perfect security by strengthening the adv by giving more capability in attacking a protocol, as the limitations will carry over. Two relaxations Unbounded Powerful No break allowed Can we overcome the hurdles? Break is allowed but with ‘very small’ probability Bounded Powerful / Polynomially Bounded Yes!!

18 Concluding Perfect Security
- Have we put the last nail in the coffin of perfect security? By all means no! - We overlooked efficiently of perfectly-secure scheme among the hullaballoos of limitations! - It’s blazing fast compared to the computationally-secure protocols that we design - Efficiency is in fact hallmark of perfectly-secure schemes - Perfect security is interesting in multi-party setting Many problems in crypto involves more than two parties- MPC, E-election etc. In crypto, we live in the world of trade-offs…

19 Perfect Security vs. Computational Security
Threat is Unbounded Powerful Threat is ‘Computationally Bounded’ No break allowed Break is allowed with ‘small’ probability A scheme is secure if any computationally bounded adversary succeeds in ‘breaking’ the scheme with at most ‘some very small probability’. A scheme is secure if Pr [M = m | C = c] = Pr [M = m]  m, c Key as large as the message A small key will do Fresh key for every encryption Key reuse is permitted. Only nerds do Perfect/information theoretic security. Is it necessary to relax the threat and break to overcome the limitations? YES Absolutely!

20 Scribe?

Download ppt "Cryptography Lecture 3 Arpita Patra © Arpita Patra."

Similar presentations

CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Lectures so far: Today’s lecture: Discrete probability Proving things

Lectures so far: Today’s lecture: Discrete probability Proving things
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.

Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.

Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.

Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:

Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:

Similar presentations

Ads by Google