Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security CS 526 Topic 3

Published byมุกดา เคนเนะดิ Modified over 5 years ago

Similar presentations

Presentation on theme: "Information Security CS 526 Topic 3"— Presentation transcript:

1 Information Security CS 526 Topic 3
Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers CS526 Topic 3: One-time Pad and Perfect Secrecy

2 Topic 3: One-time Pad and Perfect Secrecy
Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days HW2 will be assigned on Sept 11, due on Sept 25 Planned project 1: implementation of file encryption, to be assigned on Sept 25 CS526 Topic 3: One-time Pad and Perfect Secrecy

3 Readings for This Lecture
Required reading from wikipedia One-Time Pad Information theoretic security Stream cipher Pseudorandom number generator CS526 Topic 3: One-time Pad and Perfect Secrecy

4 Topic 3: One-time Pad and Perfect Secrecy
Begin Math CS526 Topic 3: One-time Pad and Perfect Secrecy

5 Topic 3: One-time Pad and Perfect Secrecy
Random Variable Definition A discrete random variable, X, consists of a finite set X, and a probability distribution defined on X. The probability that the random variable X takes on the value x is denoted Pr[X =x]; sometimes, we will abbreviate this to Pr[x] if the random variable X is fixed. It must be that CS526 Topic 3: One-time Pad and Perfect Secrecy

6 Example of Random Variables
Let random variable D1 denote the outcome of throwing one die (with numbers 0 to 5 on the 6 sides) randomly, then D={0,1,2,3,4,5} and Pr[D1=i] = 1/6 for 0 i  5 Let random variable D2 denote the outcome of throwing a second such die randomly Let random variable S1 denote the sum of the two dice, then S ={0,1,2,…,10}, and Pr[S1=0] = Pr[S1=10] = 1/36 Pr[S1=1] = Pr[S1=9] = 2/36 = 1/18 … Let random variable S2 denote the sum of the two dice modulo 6, what is the distribution of S2? Pr[S2 = s] = 1/6 for any s in {0, 1, ..., 5} CS526 Topic 3: One-time Pad and Perfect Secrecy

7 Relationships between Two Random Variables
Definitions Assume X and Y are two random variables, then we define: - joint probability: Pr[x, y] is the probability that X takes value x and Y takes value y. - conditional probability: Pr[x|y] is the probability that X takes value x given that Y takes value y. Pr[x|y] = Pr[x, y] / Pr[y] - independent random variables: X and Y are said to be independent if Pr[x,y] = Pr[x]P[y], for all x  X and all y  Y. CS526 Topic 3: One-time Pad and Perfect Secrecy

8 Topic 3: One-time Pad and Perfect Secrecy
Examples Joint probability of D1 and D2 for 0i,j5, Pr[D1=i, D2=j] = ? Are D1 and D2 independent? Suppose D1 is plaintext and D2 is key, and S1 and S2 are ciphertexts of two different ciphers, which cipher would you use? D1 and D2 are independent. S2 achieves perfect secrecy. S1 is insecure and leaks information about D1. CS526 Topic 3: One-time Pad and Perfect Secrecy

9 Examples to think after class
What is the joint probability of D1 and S1? What is the joint probability of D2 and S2? What is the conditional probability Pr[S1=s | D1=i] for 0i5 and 0s10? What is the conditional probability Pr[D1=i | S2=s] for 0i5 and 0s5? Are D1 and S1 independent? Are D1 and S2 independent? Pr[D1 = i, S1 = s] with 0<=i<=5; 0<=s<=10 = Pr[D1 = i] * Pr[S1 = s | D1 = i] = (1/6) * Pr[D2 = (s-i)] -> 1/6 * 1/6 = 1/36 if i <= s <= i + 6 = | -> 0 if otherwise (i.e. s < i or s > i + 6) Pr[D2 = i, S2 = s] with 0<=i<=5; 0<=s<=5 = Pr[D2 = i] * Pr[S2 = s | D2 = i] = (1/6) * (Pr[S1 = s | D2 = i] + Pr[S1 = s + 6 | D2 = i]) Observe that for any pair of s and i: + If s >= i then Pr[S1 = s | D2 = i] = Pr[D1 = s - i] = 1/6 and Pr[S1 = s + 6 | D2 = i] = 0. + If s < i then Pr[S1 = s | D2 = i] = 0 and Pr[S1 = s + 6 | D2 = i] = Pr[D1 = s+6-i] = 1/6. Thus Pr[S1 = s | D2 = i] + Pr[S1 = s + 6 | D2 = i] = 1/6 always Therefore Pr[D2 = i, S2 = s] = 1/36 always. What is the conditional probability Pr[S1 = s|D1 = i], Pr[D1 = i|S2 = s]? Pr[S1 = s|D1 = i] = 1/6 if i<=s<=i+6, and = 0 otherwise. This probability is different from Pr[S1=s], thus S1 and D1 is not independent. Pr[D1 = i|S2 = s] = 1/6 and equals to Pr[D1 = i]. Thus D1 and S2 is independent. CS526 Topic 3: One-time Pad and Perfect Secrecy

10 Topic 3: One-time Pad and Perfect Secrecy
Bayes’ Theorem If P[y] > 0 then Corollary X and Y are independent random variables iff P[x|y] = P[x], for all x  X and all y  Y. Example: What is Pr[D1=1 | S1=3] ? CS526 Topic 3: One-time Pad and Perfect Secrecy

11 Topic 3: One-time Pad and Perfect Secrecy
End Math CS526 Topic 3: One-time Pad and Perfect Secrecy

12 Topic 3: One-time Pad and Perfect Secrecy
Fix the vulnerability of the Vigenere cipher by using very long keys Key is a random string that is at least as long as the plaintext Encryption is similar to shift cipher Invented by Vernam in the 1920s CS526 Topic 3: One-time Pad and Perfect Secrecy

13 Topic 3: One-time Pad and Perfect Secrecy
Let Zm ={0,1,…,m-1} be the alphabet. Plaintext space = Ciphtertext space = Key space = (Zm)n The key is chosen uniformly randomly Plaintext X = (x1 x2 … xn) Key K = (k1 k2 … kn) Ciphertext Y = (y1 y2 … yn) ek(X) = (x1+k1 x2+k2 … xn+kn) mod m dk(Y) = (y1-k1 y2-k2 … yn-kn) mod m CS526 Topic 3: One-time Pad and Perfect Secrecy

14 The Binary Version of One-Time Pad
Plaintext space = Ciphtertext space = Keyspace = {0,1}n Key is chosen randomly For example: Plaintext is Key is Then ciphertext is CS526 Topic 3: One-time Pad and Perfect Secrecy

15 Topic 3: One-time Pad and Perfect Secrecy
Bit Operators Bit AND 0  0 =  1 =  0 = 0 1  1 = 1 Bit OR 0  0 =  1 =  0 = 1 1  1 = 1 Addition mod 2 (also known as Bit XOR) 0  0 =  1 =  0 = 1 1  1 = 0 Can we use operators other than Bit XOR for binary version of One-Time Pad? CS526 Topic 3: One-time Pad and Perfect Secrecy

16 How Good is One-Time Pad?
Intuitively, it is secure … The key is random, so the ciphertext is completely random How to formalize the confidentiality requirement? Want to say “certain thing” is not learnable by the adversary (who sees the ciphertext). But what is the “certain thing”? Which (if any) of the following is the correct answer? The key. The plaintext. Any bit of the plaintext. Any information about the plaintext. E.g., the first bit is 1, the parity is 0, or that the plaintext is not “aaaa”, and so on Answer used in modern cryptography: Any information about the plaintext except the length of it. CS526 Topic 3: One-time Pad and Perfect Secrecy

17 Shannon (Information-Theoretic) Security = Perfect Secrecy
Basic Idea: Ciphertext should reveal no “information” about Plaintext Definition. An encryption over a message space M is perfectly secure if  probability distribution over M  message mM  ciphertext cC for which Pr[C=c] > 0 We have Pr [PT=m | CT=c] = Pr [PT = m]. CS526 Topic 3: One-time Pad and Perfect Secrecy

18 Explanation of the Definition
Pr [PT = m] is what the adversary believes the probability that the plaintext is m, before seeing the ciphertext Pr [PT = m | CT=c] is what the adversary believes after seeing that the ciphertext is c Pr [PT=m | CT=c] = Pr [PT = m] means that after knowing that the ciphertext is C0, the adversary’s belief does not change. CS526 Topic 3: One-time Pad and Perfect Secrecy

19 An Equivalent Definition of Perfect Secrecy
Definition. An encryption scheme is perfectly secure if and only if for any ciphertext c, and any two plaintext m1 and m2, the probability that m1 is encrypted to c is the same as the probability that m2 is encrypted to c.  message m1 ,m2  ciphertext c Pr [CT=c | PT = m1] = Pr [CT = c | PT = m2] Another equivalent definition. An encryption scheme over a message space M is perfectly secure if  probability distribution over M, the random variables PT and CT are independent. That is,  message mM  ciphertext c C Pr [PT=m CT=c] = Pr [PT = m] Pr [CT = c] Note that this is equivalent to: When Pr [CT = c] 0, we have Pr [PT = m] = Pr [PT=m CT=c] / Pr [CT = c] = Pr [PT=m | CT=c] This is also equivalent to: When Pr [PT = m] 0, we have Pr [CT = c] = Pr [PT=m CT=c] / Pr [PT = m] = Pr [CT=c | PT=m] CS555 Spring 2012/Topic 3

20 Example for Information Theoretical Security
Consider an example of encrypting the result of a 6-side dice (1 to 6). Method 1: randomly generate K=[1..6], ciphertext is result + K. What is plaintext distribution? After seeing that the ciphertext is 3, what could be the plaintext. After seeing that the ciphertext is 12, what could be the plaintext? Method 2: randomly generate K=[1..6], ciphertext is (result + K) mod 6. Same questions. Can one do a brute-force attack? CS526 Topic 3: One-time Pad and Perfect Secrecy

21 Topic 3: One-time Pad and Perfect Secrecy
Fact: When keys are uniformly chosen in a cipher, the cipher has perfect secrecy iff. the number of keys encrypting M to C is the same for any (M,C) This implies that cm1m2 Pr[CT=c | PT=m1] = Pr[CT=c | PT=m2] One-time pad has perfect secrecy when limited to messages over the same length (Proof?) When you see the ciphertext is, say, “Hello”, any five-word plaintext is possible. CS526 Topic 3: One-time Pad and Perfect Secrecy

22 Key Randomness in One-Time Pad
One-Time Pad uses a very long key, what if the key is not chosen randomly, instead, texts from, e.g., a book are used as keys. this is not One-Time Pad anymore this does not have perfect secrecy this can be broken How? The key in One-Time Pad should never be reused. If it is reused, it is Two-Time Pad, and is insecure! Why? Given a ciphertext that is the XOR of two English texts, how to break it by bruteforce attack? How to break it without bruteforce attack? Exploiting the structure of the message. CS526 Topic 3: One-time Pad and Perfect Secrecy

23 Topic 3: One-time Pad and Perfect Secrecy
Usage of One-Time Pad To use one-time pad, one must have keys as long as the messages. To send messages totaling certain size, sender and receiver must agree on a shared secret key of that size. typically by sending the key over a secure channel Key agreement is difficult to do in practice. Can’t one use the channel for sending the key to send the messages instead? Why is OTP still useful, even though difficult to use? CS526 Topic 3: One-time Pad and Perfect Secrecy

24 Topic 3: One-time Pad and Perfect Secrecy
Usage of One-Time Pad The channel for distributing keys may exist at a different time from when one has messages to send. The channel for distributing keys may have the property that keys can be leaked, but such leakage will be detected Such as in Quantum cryptography CS526 Topic 3: One-time Pad and Perfect Secrecy

25 The “Bad News” Theorem for Perfect Secrecy
Question: OTP requires key as long as messages, is this an inherent requirement for achieving perfect secrecy? Answer. Yes. Perfect secrecy implies that key-length  msg-length Proof: Implication: Perfect secrecy difficult to achieve in practice Cipherttext space Plaintext space Consider one ciphertext C0, for any plaintext M in the plaintext space, there must exist at least one key such that under the key C0 can be decrypted into M. Furthermore, for any two plaintexts, the corresponding keys must be different, because otherwise, one cannot uniquely decrypt the ciphertext. Hence, the number of keys must be at least as large as the number of plaintexts. Consider the plaintext space, ciphertext space, and key space, what relations their sizes must satisfy, for any encryption system? What about for a system that satisfy perfect secrecy? CS526 Topic 3: One-time Pad and Perfect Secrecy

26 Topic 3: One-time Pad and Perfect Secrecy
Stream Ciphers In One-Time Pad, a key is a random string of length at least the same as the message Stream ciphers: Idea: replace “rand” by “pseudo rand” Use Pseudo Random Number Generator PRNG: {0,1}s  {0,1}n expand a short (e.g., 128-bit) random seed into a long (e.g., 106 bit) string that “looks random” Secret key is the seed Basic encryption method: Ekey[M] = M  PRNG(key) CS526 Topic 3: One-time Pad and Perfect Secrecy

27 Topic 3: One-time Pad and Perfect Secrecy
The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994. Simple and effective design. Variable key size (typical 40 to 256 bits), Output length unbounded Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, first part of output biased, when used as stream cipher, should use RC4-Drop[n] Which drops first n bytes before using the output Conservatively, set n=3072 CS526 Topic 3: One-time Pad and Perfect Secrecy

28 Pseudo Random Number Generator
Useful for cryptography, simulation, randomized algorithm, etc. Stream ciphers, generating session keys The same seed always gives the same output stream Why is this necessary for stream ciphers? Simulation requires uniform distributed sequences E.g., having a number of statistical properties Cryptographically secure pseudo-random number generator requires unpredictable sequences satisfies the "next-bit test“: given consecutive sequence of bits output (but not seed), next bit must be hard to predict Some PRNG’s are weak: knowing output sequence of sufficient length, can recover key. Do not use these for cryptographic purposes CS526 Topic 3: One-time Pad and Perfect Secrecy

29 Properties of Stream Ciphers
Typical stream ciphers are very fast Widely used, often incorrectly Content Scrambling System (uses Linear Feedback Shift Registers incorrectly), Wired Equivalent Privacy (uses RC4 incorrectly) SSL (uses RC4, SSLv3 has no known major flaw) CS526 Topic 3: One-time Pad and Perfect Secrecy

30 Security Properties of Stream Ciphers
Under known plaintext, chosen plaintext, or chosen ciphertext, the adversary knows the key stream (i.e., PRNG(key)) Security depends on PRNG PRNG must be “unpredictable” Do stream ciphers have perfect secrecy? How to break a stream cipher in a brute-force way? If the same key stream is used twice, then easy to break. This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong Brute force CS526 Topic 3: One-time Pad and Perfect Secrecy

31 Using Stream Ciphers in Practice
If the same key stream is used twice, then easy to break. This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong In practice, one key is used to encrypt many messages Example: Wireless communication Solution: Use Initial vectors (IV). Ekey[M] = [IV, M  PRNG(key || IV)] IV is sent in clear to receiver; IV needs integrity protection, but not confidentiality protection IV ensures that key streams do not repeat, but does not increase cost of brute-force attacks Without key, knowing IV still cannot decrypt Need to ensure that IV never repeats! How? CS526 Topic 3: One-time Pad and Perfect Secrecy

32 Topic 3: One-time Pad and Perfect Secrecy
Coming Attractions … Cryptography: Semantic Security, Block ciphers, encryption modes, cryptographic functions CS526 Topic 3: One-time Pad and Perfect Secrecy

Download ppt "Information Security CS 526 Topic 3"

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Ref. Cryptography: theory and practice Douglas R. Stinson

Ref. Cryptography: theory and practice Douglas R. Stinson
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional.

CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.

CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.

Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.

One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.

CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Topic 21 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography CS555.

Topic 21 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography CS555.
Stream Ciphers Making the one-time pad practical.

Stream Ciphers Making the one-time pad practical.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Stream Cipher July 2011.

Stream Cipher July 2011.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Similar presentations

Ads by Google