B504/I538: Introduction to Cryptography Spring 2017 • Lecture 4 (2017—01—19)

Perfectly secret encryption Also known as: “unconditionally secret encryption” “information-theoretically secret encryption”

What is encryption? A way to “scramble” messages so that only their intended recipient can “unscramble” them m←Dec(c) c←Enc(m)   c

What is encryption? Defⁿ: An encryption scheme is a triple of PPT algorithms (Gen，Enc，Dec), where Gen：1ℕ→Ｋ is a (randomized) key generation algorithm Enc：Ｋ×Ｍ→Ｃ is a (randomized) encryption algorithm Dec：Ｋ×Ｃ→Ｍ is a (deterministic) decryption algorithm Convention: Write Enck(m), Deck(m) instead of Enc(k，m), Dec(k，m) Ｋ is the key space Ｍ is the message space Ｃ is the ciphertext space set of possible keys set of possible plaintexts set of possible ciphertexts

Pr[Deck(c)=m｜c←Enck(m)]=1. Correctness Defⁿ: An encryption scheme (Gen，Enc，Dec) with key space Ｋ and message space Ｍ is correct if ∀k∈Ｋ and ∀m∈Ｍ， Pr[Deck(c)=m｜c←Enck(m)]=1. Intuitively: Correctness is the property of actually being able to decrypt (if you know the right key) Note: It is possible to allow correctness with probability less than one; e.g., Pr[Deck(c)=m｜c←Enck(m)]=1-ε(|k|).

Defining secrecy Recall: Three steps in modern crypto propose a precise threat model propose a construction prove that breaking construction is “equivalent” to solving an intractable problem (or impossible) Threat model (for now): “ciphertext-only attacks” - Attacker can see a single ciphertext and nothing more

Defining secrecy Consider the following candidate “definitions”: Attempt 1: Attacker cannot recover the secret key NOPE! The identity scheme Enck(m)≔m satisfies this definition! Attempt 2: Attacker cannot recover plaintext NOPE! The scheme Enck(m0∥m1)≔m0∥(m1⊕k) satisfies this definition! Attempt 3: Attacker learns nothing about the plaintext YES! This is what we want ― but how can we make it rigorous?

Perfect secrecy (Definition 1) Defⁿ: An encryption scheme (Gen，Enc，Dec) with message space Ｍ and ciphertext space Ｃ is perfectly secret if ∀m0,m1∈Ｍ (with |m0|=|m1|=n) and ∀c∈Ｃ, Pr[Enck(m0)=c｜k←Gen(1n)] = Pr[Enck(m1)=c｜k←Gen(1n)]

Perfect secrecy (Definition 2) Suppose attacker Ａ knows some prior distribution on the message space Ｍ That is, Ａ has prior knowledge about how likely different messages are Let M and C≔Enck(M) be random variables describing the plaintext and ciphertext (assuming k←Gen(1n)) Defⁿ: An encryption scheme (Gen，Enc，Dec) is perfectly secret if ∀m∈Ｍ and ∀c∈Ｃ, Pr[M=m｜C=c]=Pr[M=m]

Perfect secrecy (Definition 3) one-time indistinguishability game Challenger (C) Attacker (A) 1n 1n k←Gen(1n) (m0，m1) M0，m1∈Ｍ (|m0|=|m1|=n) b∊{0,1} c c←Enck(mb) b' Advonetime(A)≔∣Pr[b=b’]−½∣ Defⁿ: An encryption scheme (Gen，Enc，Dec) is perfectly secret Advonetime(A)=0 for every attacker A.

Gilbert Vernam (1890—1960) Engineer at AT&T Bell Labs “Invented” stream ciphers and the one-time pad (OTP) in 1919 U.S. Patent 1,310,719 Actually, the patent was for a machine that encrypts a plaintext by (mechanically) XORing it with a secret key

One-time pad (“Vernam cipher”) Messages, ciphertexts, and keys are all n-bit strings (that is, Ｍ=Ｃ=Ｋ={0，1}*) Gen(1n) outputs a uniform random key k∊{0,1}s Enck(m) outputs XOR of m and k; that is, c≔m⊕k Deck(c) outputs XOR of c and k; that is, m≔c⊕k Thm (OTP is correct): The one-time pad is correct． Proof: Deck(Enck(m)) =Enck(m)⊕k =(m⊕k)⊕k =m⊕(k⊕k) =m ☐

One-time pad example Encryption Plaintext: Key: Ciphertext: Decryption 1 ⊕ 1 1 1 1 1 1 1 ⊕

Proof: Left as an exercise (see Assignment 1). ☐ Secrecy of the OTP Thm (OTP is perfectly secret): The one-time pad is perfectly secret． Proof: Left as an exercise (see Assignment 1). ☐

A better one-time pad (?) Obs: If k=0ⁿ, then Enck(m)=m⊕0ⁿ=m! Idea: Avoid ever revealing the plaintext by never choosing the pad k=0ⁿ! Q: Is this a great idea, or what? A: NO! It is a terrible idea! If Pr[k=0s]=0, then Pr[M=m ｜C=m]=0, and the scheme cannot satisfy Definition 2 for perfect secrecy!

Perfect secrecy≠perfect encryption Thm: If (Gen，Enc，Dec) is a perfectly secret encryption scheme, then |m|≤|k|. Key must be at least as long as the message This is not very practical! Idea: Pick a key k←Gen(1ⁿ) and then keep using it forever!

Two-time pad Never, ever, EVER use OTP key more than once!! Eavesdropper can compute c0⊕c1=m0⊕m1 There is sufficient redundancy in English to uniquely determine m0,m1 from m0⊕m1 with high probability! (Seriously, don’t do it!)

Malleability of the OTP The one-time pad is “malleable” Given only c0←\Enck(m0), it is easy to produce ciphertext c1 such that m1←Enck(c1) has a “known relationship” with m0 No need to know anything about m0 or k, but… Knowing m0 lets attacker to specify any m1 (of the same lenght) if its choosing

That’s all for today, folks!