COS 433: Cryptography, Princeton University, Fall 2005, Boaz Barak. Lecture 2: Perfect Secrecy.


2 Themes of Crypto
• Formal Definitions
• Probability
• Quantifiers

Notations:
Distribution $D$ - a set and a probability function on the set
$\mathrm{Supp}(D)$ = set of elements $x$ s.t. $\Pr[x] > 0$
$x \leftarrow_R D$ : $x$ distributed according to $D$
$x \leftarrow_R S$ : $x$ distributed according to the uniform dist. on $S$
$U_n$ : uniform distribution on $\{0,1\}^n$

Lemma: Let $D$ be a dist. s.t. $\forall x$, $\Pr_D[x] \le \epsilon$. Let $D'$ be an independent distribution. Then $\Pr[D = D'] \le \epsilon$.

Proof: $\forall x, y$: $\Pr[D = x, D' = y] = \Pr[D = x] \cdot \Pr[D' = y] \le \epsilon \cdot \Pr[D' = y]$.
$\Pr[D = D'] = \sum_y \Pr[D = y, D' = y] \le \sum_y \epsilon \Pr[D' = y] = \epsilon \sum_y \Pr[D' = y] = \epsilon \cdot 1$

3 How do we define security of an encryption scheme?
Rules of the game:
• Encryption algorithm: $E$
• Decryption algorithm: $D$
• Secret key: $k$
Notations:
• $n$ – length of key
• $m$ – length of plaintext
• $m'$ – length of ciphertext
• $p$ – plaintext
• $c$ – ciphertext
$c = E_k(p)$, $p = D_k(c)$

4 (Perfect) Semantic Security
For every:
• Distribution on plaintexts $P$ over $\{0,1\}^m$
• Function $f : \{0,1\}^m \to \{0,1\}^*$
Define: $\epsilon$ = prob. of most likely value in $f(P)$ (a-priori chance of guessing $f(p)$ for unknown plaintext $p \leftarrow_R P$)
Then for every adversary Adv,
$\Pr_{k \leftarrow_R \{0,1\}^n,\ p \leftarrow_R P}[\mathrm{Adv}(E_k(p)) = f(p)] \le \epsilon$
I.e., posteriori prob. of learning $f(p)$ = a-priori prob. of learning $f(p)$ (probabilistic, w/ unlimited computation)

5 Semantic Security – Game View
[Game diagram: $P$, $f$; $p \leftarrow_R P$; $k \leftarrow_R \{0,1\}^n$; $c = E_k(p)$; $y$]
Adv successful if $y = f(p)$
$(E,D)$ is semantically secure if $\Pr[\text{Adv successful}] \le \epsilon$

6 A Different Definition - Indistinguishability
[Game diagram: $P$, $f$; $p \leftarrow_R P$; $k \leftarrow_R \{0,1\}^n$; $c = E_k(p)$; $y$]
Adv successful if $y = f(p)$
$(E,D)$ is semantically secure if $\Pr[\text{Adv successful}] \le \epsilon$
[Game diagram: $p_1, p_2 \in \{0,1\}^m$; $k \leftarrow_R \{0,1\}^n$; $i \leftarrow_R \{1,2\}$; $c = E_k(p_i)$; $j \in \{1,2\}$]
Adv successful if $j = i$
$(E,D)$ is indistinguishable if $\Pr[\text{Adv successful}] \le \tfrac{1}{2}$
Theorem: $(E,D)$ is semantically secure $\Leftrightarrow$ $(E,D)$ indistinguishable
Proof: (Shannon Security)

7 A Perfectly Secure Encryption
Def (XOR operation): For $a \in \{0,1\}$, $a \oplus 0 = a$, $a \oplus 1 = a^c$. For $x, y \in \{0,1\}^n$, $(x \oplus y)_i = x_i \oplus y_i$.
The one-time pad scheme:
• Key length = message length ($n$)
• Encryption: $E_k(p) = p \oplus k$
• Decryption: $D_k(c) = c \oplus k$
Known facts:
• $a \oplus a = 0$
• XOR = addition mod 2
• XOR commutative: $a \oplus b = b \oplus a$
• XOR associative: $a \oplus (b \oplus c) = (a \oplus b) \oplus c$
$D_k(E_k(p)) = (p \oplus k) \oplus k = p \oplus (k \oplus k) = p \oplus 0^n = p$
[Diagram: $p = p_1 p_2 p_3 \ldots p_n$, $\oplus$ $k = k_1 k_2 k_3 \ldots k_n$, $c = c_1 c_2 c_3 \ldots c_n$]

8 OTP Has Perfect Secrecy
Def: $(E,D)$ is Shannon secure if $\exists$ dist. $C$ s.t. $\forall p \in \{0,1\}^m$, $E_{U_n}(p) \sim C$.
The one-time pad scheme:
• Key length = message length ($n$)
• Encryption: $E_k(p) = p \oplus k$
• Decryption: $D_k(c) = c \oplus k$
[Diagram: $p = p_1 p_2 p_3 \ldots p_n$, $\oplus$ $k = k_1 k_2 k_3 \ldots k_n$, $c = c_1 c_2 c_3 \ldots c_n$]
Thm: OTP is Shannon secure.
Proof: We'll show that $\forall p$, $E_{U_n}(p) \sim U_n$.
I.e., $\forall p, \forall c$: $\Pr_k[p \oplus k = c] = 2^{-n}$
I.e., $\forall p, \forall c$: $\Pr_k[k = p \oplus c] = 2^{-n}$
Exactly one $k$ among $2^n$ possible, s.t. $k = p \oplus c$.

9 Recap
Saw 3 equivalent defs for perfectly secure encryption:
• Semantic security – matches intuition, applications
• Indistinguishability, perfect secrecy – easier to work with
Saw that a simple scheme (one-time pad) is perfectly secure.
Is this the end of the course? No - normally we want encryption to use one key for many messages. As a minimum we want the key to be shorter than the message.
Is there a perfectly secure enc. with key shorter than message?

10 No.
Thm: $\nexists$ perfectly secure scheme $(E,D)$ with $|k| < |p|$
Before seeing proof, consider the one-time pad. Natural extension to longer messages – use pad twice.
$k \in \{0,1\}^n$, $p \in \{0,1\}^{2n}$
$E_k(p) = (k \oplus p_{1..n},\ k \oplus p_{n+1..2n})$
Is this secure?

11 Statistical Security
Perhaps perfect secrecy is too much. For example, no harm if Adv learns something with $2^{-100}$ probability.
[Game diagram: $P$, $f$; $p \leftarrow_R P$; $k \leftarrow_R \{0,1\}^n$; $c = E_k(p)$; $y$]
Adv successful if $y = f(p)$
$(E,D)$ is semantically secure if $\Pr[\text{Adv successful}] \le \epsilon$
[Game diagram: $p_1, p_2 \in \{0,1\}^m$; $k \leftarrow_R \{0,1\}^n$; $i \leftarrow_R \{1,2\}$; $c = E_k(p_i)$; $j \in \{1,2\}$]
Adv successful if $j = i$
$(E,D)$ is indistinguishable if $\Pr[\text{Adv successful}] \le \tfrac{1}{2}$
Definitions are still equivalent, but do they help us get the key size down?

12 Statistical Security
[Game diagram: $p_1, p_2 \in \{0,1\}^m$; $k \leftarrow_R \{0,1\}^n$; $i \leftarrow_R \{1,2\}$; $c = E_k(p_i)$; $j \in \{1,2\}$]
Adv successful if $j = i$
$(E,D)$ is indistinguishable if $\Pr[\text{Adv successful}] \le \tfrac{1}{2} + \epsilon$
Focus on indist. definition.
Previous implication: $\forall p_1, p_2$: $E_{U_n}[p_1] \sim E_{U_n}[p_2]$
Lemma 1: If $(E,D)$ $\epsilon$-indist. then $\forall p_1, p_2$: $\Delta(E_{U_n}[p_1], E_{U_n}[p_2]) < \epsilon$
Def: The statistical distance of $X$ and $Y$ is defined as: $\Delta(X,Y) = \tfrac{1}{2} \sum_w |\Pr_X[w] - \Pr_Y[w]|$
Thm: $\nexists$ $(E,D)$ with $|k| < |p|$ that is 0.1-indistinguishable.
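The "use pad twice" question from slide 10 and the statistical distance from slide 12, worked through as an added example (not part of the original lecture slides): it enumerates every key for tiny n, so all probabilities are exact. The function names and the plaintext pair 0^(2n) versus 0^n 1^n are choices made for this example.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def bitstrings(n):
    """All n-bit strings as tuples of 0/1."""
    return list(product((0, 1), repeat=n))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def otp(k, p):
    """One-time pad: E_k(p) = p XOR k, with |k| = |p|."""
    return xor(p, k)

def pad_twice(k, p):
    """Slide 10 scheme: the n-bit key is reused on both halves of a 2n-bit plaintext."""
    n = len(k)
    return xor(p[:n], k) + xor(p[n:], k)

def cipher_dist(enc, n, p):
    """Exact distribution of E_k(p) for k uniform on {0,1}^n."""
    counts = Counter(enc(k, p) for k in bitstrings(n))
    return {c: Fraction(v, 2 ** n) for c, v in counts.items()}

def stat_dist(X, Y):
    """Delta(X,Y) = 1/2 * sum_w |Pr_X[w] - Pr_Y[w]|."""
    return sum(abs(X.get(w, 0) - Y.get(w, 0)) for w in set(X) | set(Y)) / 2

def max_distance(enc, n, m):
    """Largest Delta(E_U[p1], E_U[p2]) over all pairs of m-bit plaintexts."""
    dists = [cipher_dist(enc, n, p) for p in bitstrings(m)]
    return max(stat_dist(X, Y) for X in dists for Y in dists)

def adv_pad_twice(c):
    """Distinguisher for p1 = 0^(2n) vs p2 = 0^n 1^n: equal halves means p1."""
    n = len(c) // 2
    return 1 if c[:n] == c[n:] else 2

def adv_success(n):
    """Exact Pr[j = i] in the indistinguishability game against pad_twice."""
    p = {1: (0,) * (2 * n), 2: (0,) * n + (1,) * n}
    wins = sum(adv_pad_twice(pad_twice(k, p[i])) == i
               for k in bitstrings(n) for i in (1, 2))
    return Fraction(wins, 2 * 2 ** n)

if __name__ == "__main__":
    print("OTP, n=3: max Delta =", max_distance(otp, 3, 3))
    print("pad twice, n=2: max Delta =", max_distance(pad_twice, 2, 4))
    print("pad twice, n=3: Pr[Adv successful] =", adv_success(3))
```

For the one-time pad every pair of plaintexts gives identical ciphertext distributions (Delta = 0), while for the pad-twice scheme the two chosen plaintexts have disjoint ciphertext supports (Delta = 1) and the distinguisher always wins.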

13 Proof need n bits of key. Define statistical security. Proof need n bits of key.

14 (Perfect) Semantic Security
For every:
• Distribution on plaintexts $P$ over $\{0,1\}^m$
• Function $f : \{0,1\}^m \to \{0,1\}^*$
Define: $\epsilon$ = prob. of most likely value in $f(P)$ (a-priori chance of guessing $f(p)$ for unknown plaintext $p \leftarrow_R P$)
Then for every adversary Adv,
$\Pr_{k \leftarrow_R \{0,1\}^n,\ p \leftarrow_R P}[\mathrm{Adv}(E_k(p)) = f(p)] \le \epsilon$

