Spring 2017 • Lecture 4
B504/I538: Introduction to Cryptography (2017-01-19)

Perfectly secret encryption
Also known as: “unconditionally secret encryption”, “information-theoretically secret encryption”

What is encryption?
A way to “scramble” messages so that only their intended recipient can “unscramble” them
[Diagram: c←Enc(m), c, m←Dec(c)]

What is encryption?
Defⁿ: An encryption scheme is a triple of PPT algorithms (Gen, Enc, Dec), where
Gen: 1^ℕ → K is a (randomized) key generation algorithm
Enc: K×M → C is a (randomized) encryption algorithm
Dec: K×C → M is a (deterministic) decryption algorithm
K is the key space (set of possible keys)
M is the message space (set of possible plaintexts)
C is the ciphertext space (set of possible ciphertexts)
Convention: Write Enc_k(m), Dec_k(m) instead of Enc(k,m), Dec(k,m)

Correctness
Intuitively: Correctness is the property of actually being able to decrypt (if you know the right key)
Defⁿ: An encryption scheme (Gen, Enc, Dec) with key space K and message space M is correct if ∀k∈K and ∀m∈M, Pr[Dec_k(c)=m | c←Enc_k(m)]=1.
Note: It is possible to allow correctness with probability less than one; e.g., Pr[Dec_k(c)=m | c←Enc_k(m)]=1-ε(|k|).

Defining secrecy
Recall: Three steps in modern crypto
1. propose a precise threat model
2. propose a construction
3. prove that breaking construction is “equivalent” to solving an intractable problem (or impossible)
Threat model (for now): “ciphertext-only attacks”. Attacker can see a single ciphertext and nothing more

Defining secrecy
Consider the following candidate “definitions”:
Attempt 1: Attacker cannot recover the secret key
NOPE! The identity scheme Enc_k(m)≔m satisfies this definition!
Attempt 2: Attacker cannot recover plaintext
NOPE! The scheme Enc_k(m_0∥m_1)≔m_0∥(m_1⊕k) satisfies this definition!
Attempt 3: Attacker learns nothing about the plaintext
YES! This is what we want, but how can we make it rigorous?

Perfect secrecy (Definition 1)
Defⁿ: An encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if ∀m_0,m_1∈M (with |m_0|=|m_1|=n) and ∀c∈C,
Pr[Enc_k(m_0)=c | k←Gen(1ⁿ)] = Pr[Enc_k(m_1)=c | k←Gen(1ⁿ)]

Perfect secrecy (Definition 2)
Suppose attacker A knows some prior distribution on the message space M
That is, A has prior knowledge about how likely different messages are
Let M and C≔Enc_k(M) be random variables describing the plaintext and ciphertext (assuming k←Gen(1ⁿ))
Defⁿ: An encryption scheme (Gen, Enc, Dec) is perfectly secret if ∀m∈M and ∀c∈C, Pr[M=m | C=c] = Pr[M=m]

Perfect secrecy (Definition 3)
One-time indistinguishability game between a Challenger (C) and an Attacker (A):
1. Both C and A receive 1ⁿ as input
2. A sends (m_0, m_1) to C, where m_0,m_1∈M (|m_0|=|m_1|=n)
3. C picks k←Gen(1ⁿ) and b∊{0,1}, computes c←Enc_k(m_b), and sends c to A
4. A outputs b'
Adv^onetime(A) ≔ |Pr[b=b'] − ½|
Defⁿ: An encryption scheme (Gen, Enc, Dec) is perfectly secret if Adv^onetime(A)=0 for every attacker A.

Gilbert Vernam (1890-1960)
Engineer at AT&T Bell Labs
“Invented” stream ciphers and the one-time pad (OTP) in 1919
U.S. Patent 1,310,719
Actually, the patent was for a machine that encrypts a plaintext by (mechanically) XORing it with a secret key

One-time pad (“Vernam cipher”)
Messages, ciphertexts, and keys are all n-bit strings (that is, M=C=K={0,1}ⁿ)
Gen(1ⁿ) outputs a uniform random key k∊{0,1}ⁿ
Enc_k(m) outputs XOR of m and k; that is, c≔m⊕k
Dec_k(c) outputs XOR of c and k; that is, m≔c⊕k
Thm (OTP is correct): The one-time pad is correct.
Proof: Dec_k(Enc_k(m)) = Enc_k(m)⊕k = (m⊕k)⊕k = m⊕(k⊕k) = m ☐

One-time pad example

Encryption
Plaintext:     0 0 1 0 1 1 1 0 1 0 0 1
Key:         ⊕ 0 1 0 1 1 1 0 1 0 0 0 1
Ciphertext:    0 1 1 1 0 0 1 1 1 0 0 0

Decryption
Ciphertext:    0 1 1 1 0 0 1 1 1 0 0 0
Key:         ⊕ 0 1 0 1 1 1 0 1 0 0 0 1
Plaintext:     0 0 1 0 1 1 1 0 1 0 0 1

Secrecy of the OTP
Thm (OTP is perfectly secret): The one-time pad is perfectly secret.
Proof: Left as an exercise (see Assignment 1). ☐
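The one-time indistinguishability game of Definition 3, played exhaustively against the one-time pad and against the Attempt 2 scheme m_0∥(m_1⊕k). This is an added example, not part of the original slides; the 4-bit challenge messages, key spaces and function names are constructed for illustration, and the challenge pair is fixed rather than chosen by the attacker.

```python
from fractions import Fraction
from itertools import product

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def enc_otp(k, m):
    """One-time pad: c := m XOR k, with |k| = |m|."""
    return xor(m, k)

def enc_attempt2(k, m):
    """Attempt 2 scheme: Enc_k(m0 || m1) := m0 || (m1 XOR k), |k| = |m|/2."""
    half = len(m) // 2
    return m[:half] + xor(m[half:], k)

def outcomes(enc, keys, m0, m1):
    """Every equally likely (b, c) pair the challenger can produce."""
    return [(b, enc(k, (m0, m1)[b])) for b in (0, 1) for k in keys]

def max_advantage(enc, keys, m0, m1):
    """Largest |Pr[b = b'] - 1/2| over ALL deterministic attackers, each
    modelled as a lookup table from ciphertext to guess b'. Randomized
    attackers are mixtures of these, so they cannot do better."""
    runs = outcomes(enc, keys, m0, m1)
    ciphertexts = list(product((0, 1), repeat=len(m0)))
    best = 0
    for table in product((0, 1), repeat=len(ciphertexts)):
        guess = dict(zip(ciphertexts, table))
        wins = sum(guess[c] == b for b, c in runs)
        best = max(best, abs(2 * wins - len(runs)))  # 2N * |wins/N - 1/2|
    return Fraction(best, 2 * len(runs))

# Constructed challenge messages and key spaces (assumptions of this example).
M0, M1 = (0, 0, 0, 0), (1, 1, 1, 1)
KEYS_OTP = list(product((0, 1), repeat=4))       # uniform 4-bit pads
KEYS_ATTEMPT2 = list(product((0, 1), repeat=2))  # uniform 2-bit keys

if __name__ == "__main__":
    print("OTP      :", max_advantage(enc_otp, KEYS_OTP, M0, M1))
    print("Attempt 2:", max_advantage(enc_attempt2, KEYS_ATTEMPT2, M0, M1))
```

Against the Attempt 2 scheme the winning attacker simply reads the unencrypted half of the ciphertext, which is why "cannot recover the plaintext" is too weak a definition.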

A better one-time pad (?)
Obs: If k=0ⁿ, then Enc_k(m)=m⊕0ⁿ=m!
Idea: Avoid ever revealing the plaintext by never choosing the pad k=0ⁿ!
Q: Is this a great idea, or what?
A: NO! It is a terrible idea! If Pr[k=0ⁿ]=0, then Pr[M=m | C=m]=0, and the scheme cannot satisfy Definition 2 for perfect secrecy!
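An exact check of Definitions 1 and 2 for the one-time pad and for the "never pick k=0ⁿ" variant described above. This is an added example, not part of the original slides; the toy length n=3, the uniform prior on messages and all function names are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product

def bitstrings(n):
    """All n-bit strings, as tuples of 0/1."""
    return list(product((0, 1), repeat=n))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def ciphertext_dist(m, keys):
    """Exact Pr[Enc_k(m) = c] for c := m XOR k, k uniform over `keys`."""
    dist = {}
    for k in keys:
        c = xor(m, k)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist

def satisfies_def1(keys, n):
    """Definition 1: all messages induce the same ciphertext distribution."""
    dists = [ciphertext_dist(m, keys) for m in bitstrings(n)]
    return all(d == dists[0] for d in dists)

def posterior(m, c, keys, n):
    """Definition 2 quantity Pr[M=m | C=c], assuming a uniform prior on M."""
    prior = Fraction(1, 2 ** n)
    pr_c = sum(prior * ciphertext_dist(x, keys).get(c, 0) for x in bitstrings(n))
    return prior * ciphertext_dist(m, keys).get(c, 0) / pr_c

N = 3                                           # constructed toy length
OTP_KEYS = bitstrings(N)                        # Gen uniform over {0,1}^n
NO_ZERO_KEYS = [k for k in OTP_KEYS if any(k)]  # the variant: never k = 0^n

if __name__ == "__main__":
    m = (1, 0, 1)
    print("OTP satisfies Def 1:    ", satisfies_def1(OTP_KEYS, N))
    print("variant satisfies Def 1:", satisfies_def1(NO_ZERO_KEYS, N))
    print("OTP     Pr[M=m | C=m] =", posterior(m, m, OTP_KEYS, N))
    print("variant Pr[M=m | C=m] =", posterior(m, m, NO_ZERO_KEYS, N))
```

With the zero pad excluded, seeing ciphertext c rules out the message m=c entirely, so the posterior drops from the prior 1/8 to 0 and the remaining messages rise to 1/7.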

Perfect secrecy ≠ perfect encryption
Thm: If (Gen, Enc, Dec) is a perfectly secret encryption scheme, then |m|≤|k|.
Key must be at least as long as the message
This is not very practical!
Idea: Pick a key k←Gen(1ⁿ) and then keep using it forever!

Two-time pad
Never, ever, EVER use OTP key more than once!! (Seriously, don’t do it!)
Eavesdropper can compute c_0⊕c_1=m_0⊕m_1
There is sufficient redundancy in English to uniquely determine m_0,m_1 from m_0⊕m_1 with high probability!

Malleability of the OTP
The one-time pad is “malleable”
Given only c_0←Enc_k(m_0), it is easy to produce a ciphertext c_1 such that m_1←Dec_k(c_1) has a “known relationship” with m_0
No need to know anything about m_0 or k, but…
Knowing m_0 lets the attacker specify any m_1 (of the same length) of its choosing
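The two properties from the last two slides, pad reuse and malleability, checked on byte strings: the key cancels out of c_0⊕c_1, and a ciphertext can be edited without the key. This is an added example, not part of the original slides; the sample messages, the byte-level (rather than bit-level) pad and the function names are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def gen(n: int) -> bytes:
    """Gen: a uniform random n-byte pad."""
    return secrets.token_bytes(n)

def enc(k: bytes, m: bytes) -> bytes:
    return xor(m, k)

def dec(k: bytes, c: bytes) -> bytes:
    return xor(c, k)

def eavesdropper_view(c0: bytes, c1: bytes) -> bytes:
    """What pad reuse leaks: c0 XOR c1 = m0 XOR m1, with k cancelled."""
    return xor(c0, c1)

def maul(c0: bytes, delta: bytes) -> bytes:
    """Key-free edit: Dec_k(c0 XOR delta) = m0 XOR delta."""
    return xor(c0, delta)

def retarget(c0: bytes, m0: bytes, m1: bytes) -> bytes:
    """With m0 known, produce c1 that decrypts to a chosen m1."""
    return maul(c0, xor(m0, m1))

# Constructed sample messages of equal length.
M0 = b"PAY 0100 USD TO ALICE"
M1 = b"PAY 0250 EUR TO CAROL"
M_CHOSEN = b"PAY 9100 USD TO ALICE"

def demo():
    k = gen(len(M0))
    c0, c1 = enc(k, M0), enc(k, M1)       # same pad used twice
    leak_matches = eavesdropper_view(c0, c1) == xor(M0, M1)
    forged_plaintext = dec(k, retarget(c0, M0, M_CHOSEN))
    return leak_matches, forged_plaintext

if __name__ == "__main__":
    print(demo())
```

Both results hold for every pad `gen` can return, which is why the one-time pad needs a fresh key per message and a separate integrity mechanism wherever tampering matters.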

That’s all for today, folks!