I538/B609: Introduction to Cryptography
Fall · Lecture 4

Lectures so far: Discrete probability; Proving things
Today's lecture: Perfectly secret encryption

Assignment 1 is due on Tuesday, September 8 (that's one week from today!) Thursday, September 10
(Srijita and I will answer questions until 2:30pm on Monday, September 7)

Privacy in the age of mass surveillance: The Library Freedom Project
Tomorrow!! Friday, September 4 at 3:00pm in LH 102: Alison Macrina, The Library Freedom Project.
This talk will examine the state of surveillance in the digital age from the intelligence agencies' dragnet to the corporate business model of total information awareness. These conclusions will be connected to historical examples showing how surveillance is used against marginalized people conducting lawful First Amendment activities. She will illustrate why privacy is still possible and why it matters now more than ever, offering practical tips for protecting individual privacy and fighting back against pervasive surveillance. In closing, she will outline the work of the Library Freedom Project, which brings privacy and surveillance education to librarians and their local communities.

Perfectly secret encryption
Aka. "unconditionally secret" encryption, or "information-theoretically secret" encryption

What is encryption?
An encryption scheme is a method for "scrambling" messages in such a way that they can only be "unscrambled" by their intended recipient.
(Figure: Alice sends Enc(m1) and Enc(m2) to Bob; the eavesdropper Eve sees only the ciphertexts and is left asking "m1 = ?", "m2 = ?".)

Encryption schemes
Defn: An encryption scheme (or cipher) is a triple of algorithms (Gen, Enc, Dec) such that
  Gen: 1^ℕ → K is a randomized "key generation" algorithm;
  Enc: K × M → C is an (often randomized) "encryption" algorithm;
  Dec: K × C → M is a deterministic "decryption" algorithm.
Here K is the key space (the set of possible keys), M is the message space (the set of possible messages) and C is the ciphertext space (the set of possible ciphertexts).
We usually write Enc_k(m) and Dec_k(c) instead of Enc(k, m) and Dec(k, c).

Correctness
Intuitively: correctness is the property of being able to decrypt (given knowledge of the correct key).
Defn: An encryption scheme (Gen, Enc, Dec) with key space K and message space M is correct if ∀k ∈ K and ∀m ∈ M,
  Pr[ Dec_k( Enc_k(m) ) = m ] = 1
Note: it is possible (but relatively uncommon) to allow correctness with probability p < 1.

Defining secrecy (aka confidentiality)
Recall the three steps in modern crypto:
  1. propose a precise threat model;
  2. propose a construction;
  3. prove that breaking the construction is "equivalent" to solving an intractable problem (or is impossible).
Our threat model (for now): ciphertext-only attacks. The attacker can see a single ciphertext; we want to ensure "perfect secrecy" of the corresponding plaintext.

Defining secrecy
Consider the following candidate "definitions":
Attempt 1: Attacker cannot recover the secret key. The "identity" scheme Enc_k(m) := m would be "secure" under this definition!
Attempt 2: Attacker cannot recover the entire plaintext. Enc_k(m0 || m1) := m0 || (k ⊕ m1) would be secure under this definition!
Attempt 3: Attacker learns nothing about the plaintext. This is the right idea, but how do we make it rigorous?

Perfect secrecy: Definition 1
Defn: An encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if, ∀m0, m1 ∈ M (such that |m0| = |m1| = n) and ∀c ∈ C,
  Pr[ Enc_k(m0) = c | k ← Gen(1^n) ] = Pr[ Enc_k(m1) = c | k ← Gen(1^n) ]
Q: Why is this the "right" definition?
A: Given (a single) ciphertext, it is impossible to tell whether the plaintext was m0 or m1 (or any other message).

Perfect secrecy: Definition 2
Consider an attacker A that knows some prior distribution on the message space M; that is, A has prior knowledge about what the message will be. Let M and C denote random variables describing the plaintext and ciphertext when k ← Gen(1^n).
Defn: An encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if, ∀m ∈ M and ∀c ∈ C such that Pr[C = c] > 0,
  Pr[ M = m | C = c ] = Pr[ M = m ]
Q: Why is this the "right" definition?
A: No matter what prior knowledge the attacker has, seeing a ciphertext reveals nothing more about the plaintext.

Perfect secrecy: Definition 3
The following game is played between a challenger C and an attacker A, both given 1^n:
  C: k ← Gen(1^n)
  A: chooses m0, m1 ∈ M with |m0| = |m1| = n and sends m0, m1 to C
  C: picks b ∈_R {0, 1}, computes c ← Enc_k(m_b) and sends c to A
  A: outputs b' ∈ {0, 1}, its guess for b
Let E be the event that b = b' in the above game, and define A's advantage to be Adv(A) := Pr[E] - 1/2.
Defn: An encryption scheme (Gen, Enc, Dec) is perfectly secret if Adv(A) = 0 for every attacker A.

Gilbert Vernam (1890–1960)
Engineer at AT&T Bell Labs. "Invented" stream ciphers and the one-time pad in 1919 (U.S. Patent 1,310,719). Actually, the patent was for a machine that encrypts a plaintext by (mechanically) XORing it with a secret key.

One-time pad (aka Vernam cipher)
Messages, ciphertexts and keys are all n-bit strings (that is, M = C = K = {0, 1}^n).
  Gen(1^n) outputs a uniform random key k ∈_R {0, 1}^n
  Enc_k(m) exclusive-ORs the message and key; that is, c := m ⊕ k
  Dec_k(c) exclusive-ORs the ciphertext and key; that is, m := c ⊕ k
Correctness: Dec_k(Enc_k(m)) = Enc_k(m) ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ⊕ 0^n = m

One-time pad example
(Figure: a worked encryption, XORing a bit-string plaintext with the key to obtain the ciphertext, followed by the matching decryption, XORing the ciphertext with the same key to recover the plaintext. The bit values are not recoverable from the transcript.)

Secrecy of the one-time pad
Recall the theorem from the first lecture:
Thm (XOR preserves uniformity): If Y is a uniform random variable on {0, 1}^n and X is an arbitrary random variable on {0, 1}^n (independent of Y), then Z := X ⊕ Y is a uniform random variable on {0, 1}^n.
Proof (for n = 1):
  Pr[Z = 0] = Pr[(x, y) = (0, 0) or (x, y) = (1, 1)]            (definition of XOR)
            = Pr[(x, y) = (0, 0)] + Pr[(x, y) = (1, 1)]         (disjoint events)
            = Pr[x = 0] · Pr[y = 0] + Pr[x = 1] · Pr[y = 1]     (independence)
            = Pr[x = 0] / 2 + Pr[x = 1] / 2                     (by assumption, Pr[y = 0] = Pr[y = 1] = 1/2)
            = (Pr[x = 0] + Pr[x = 1]) / 2 = 1/2

Secrecy of the one-time pad
Recall the theorem from the first lecture:
Thm (XOR preserves uniformity): If Y is a uniform random variable on {0, 1}^n and X is an arbitrary random variable on {0, 1}^n, then Z := X ⊕ Y is a uniform random variable on {0, 1}^n.
Corollary: If (Gen, Enc, Dec) is the one-time pad encryption scheme, then ∀m ∈ M and ∀c ∈ C,
  Pr[ Enc_k(m) = c | k ← Gen(1^n) ] = 2^-n
⇒ ∀m0, m1 ∈ M and ∀c ∈ C,
  Pr[ Enc_k(m0) = c | k ← Gen(1^n) ] = Pr[ Enc_k(m1) = c | k ← Gen(1^n) ]

A better one-time pad (?)
Observation: If k = 0^n, then Enc_k(m) = m ⊕ 0^n = m.
Idea: Never choose k = 0^n.
Is this a good idea? NO! It is a terrible idea! (But why?)
If Pr[k = 0^n] = 0, then Pr[M = m | C = m] = 0, and the scheme cannot satisfy Definition 2 for perfect secrecy! Intuitively, c = Enc_k(m) leaks information about m; namely, that m ≠ c.
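As an added example (not part of the lecture), the following Python checks Definitions 1 and 2 exhaustively for 3-bit strings, first for the real one-time pad and then for the "never choose k = 0^n" variant from this slide. All function names are my own; the check is brute force over every key, message and ciphertext, so it only works for tiny n.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def all_strings(n):
    # Every n-bit string as a tuple of bits; this is M, C and K = {0,1}^n.
    return [tuple(b) for b in product((0, 1), repeat=n)]


def xor_bits(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def nonzero_keys(n):
    # The slide's "better one-time pad": Gen never outputs k = 0^n.
    return [k for k in all_strings(n) if any(k)]


def uniform_prior(n):
    return {m: Fraction(1, 2 ** n) for m in all_strings(n)}


def enc_distribution(keys, m):
    # Pr[Enc_k(m) = c | k <- Gen(1^n)] for every c, with Gen uniform over `keys`.
    dist = defaultdict(Fraction)
    for k in keys:
        dist[xor_bits(m, k)] += Fraction(1, len(keys))
    return dist


def perfectly_secret_def1(keys):
    # Definition 1: the ciphertext distribution must not depend on the plaintext.
    msgs = all_strings(len(keys[0]))
    ref = enc_distribution(keys, msgs[0])
    for m in msgs[1:]:
        d = enc_distribution(keys, m)
        if any(d[c] != ref[c] for c in msgs):
            return False
    return True


def posterior_def2(keys, prior, c):
    # Definition 2: Pr[M = m | C = c] by Bayes' rule from the attacker's prior;
    # perfect secrecy requires the posterior to equal the prior for every c.
    joint = {m: prior[m] * enc_distribution(keys, m)[c] for m in prior}
    pc = sum(joint.values())
    if pc == 0:
        raise ValueError("Pr[C = c] = 0: conditional probability undefined")
    return {m: joint[m] / pc for m in prior}
```

For n = 3, perfectly_secret_def1(all_strings(3)) is True while perfectly_secret_def1(nonzero_keys(3)) is False, and under the no-zero-key variant the posterior of m = c given C = c drops from 1/8 to 0, exactly the leak the slide describes.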

Perfect secrecy ≠ perfect cryptosystem
Thm: If (Gen, Enc, Dec) is perfectly secret then |M| = |C| = |K|. (Question 4 on Assignment 1 asks you to prove or disprove the converse of this theorem.)
The key must be as long as the message!! Large keys make the OTP hard to use in practice!
Idea: Fix a key k ← Gen(1^n) once and for all, and then use it to encrypt many plaintexts!
Is this a good idea? NO! It is a terrible idea! (But why?)

Two-time pad
Never, ever, EVER use an OTP key more than once!!
  c0 = m0 ⊕ k
  c1 = m1 ⊕ k
An eavesdropper can compute c0 ⊕ c1 = m0 ⊕ m1. There is sufficient redundancy in English to uniquely determine m0 and m1 from m0 ⊕ m1 with high probability! (E.g., Question 8 on Assignment 1!)

Malleability of the one-time pad
Thm: The one-time pad encryption scheme is malleable; that is, given a ciphertext c0 = Enc_k(m0), an attacker (without knowledge of k or m0) can produce a ciphertext c1 such that m1 = Dec_k(c1) has a "known relationship" to m0. (For instance, see Question 6 on Assignment 1!)
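As an added example (not from the lecture or its assignments), the following Python shows both failure modes of the last two slides on byte strings: key reuse, where c0 ⊕ c1 cancels the key and leaves m0 ⊕ m1, and malleability, where XORing a chosen delta into the ciphertext changes the decrypted plaintext in a predictable way. Function names and the sample messages are my own.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    # Enc_k(m) = m XOR k; the key must be exactly as long as the message.
    if len(key) != len(msg):
        raise ValueError("one-time pad key must be as long as the message")
    return xor_bytes(msg, key)


otp_decrypt = otp_encrypt  # Dec_k(c) = c XOR k, since XOR is its own inverse


def two_time_pad_leak(c0: bytes, c1: bytes) -> bytes:
    # What an eavesdropper computes when one key encrypted both messages:
    # c0 XOR c1 = (m0 XOR k) XOR (m1 XOR k) = m0 XOR m1. The key cancels out.
    return xor_bytes(c0, c1)


def other_plaintext(c0: bytes, c1: bytes, known_m0: bytes) -> bytes:
    # Given m0 XOR m1, anyone who knows m0 (e.g. from the redundancy of English)
    # reads m1 directly: (m0 XOR m1) XOR m0 = m1.
    return xor_bytes(two_time_pad_leak(c0, c1), known_m0)


def malleate(c: bytes, delta: bytes) -> bytes:
    # Flip ciphertext bits without knowing k or m; Dec_k then returns m XOR delta,
    # a plaintext with a known relationship to the original.
    return xor_bytes(c, delta)


def demo() -> dict:
    # Constructed sample messages of equal length (not from the lecture).
    m0 = b"attack at dawn"
    m1 = b"hold the line!"
    k = os.urandom(len(m0))  # one key, wrongly used twice
    c0 = otp_encrypt(k, m0)
    c1 = otp_encrypt(k, m1)
    # Turn "dawn" (bytes 10..13 of m0) into "dusk" by XORing in the difference.
    delta = bytes(10) + xor_bytes(b"dawn", b"dusk")
    return {
        "leak": two_time_pad_leak(c0, c1),                          # == m0 XOR m1
        "recovered_m1": other_plaintext(c0, c1, m0),                # == m1
        "tampered_plaintext": otp_decrypt(k, malleate(c0, delta)),  # b"attack at dusk"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The results hold for every random key, which is the point: neither the leak nor the tampering depends on k.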

That's all for today, folks!