Shannon Secrecy CSCI284/162 Spring 2009 GWU

CS284/Spring09/GWU/Vora/Shannon Secrecy Latin Square A Latin Square of order n is an n  n array where each integer from 1…n occurs exactly once in each row and column 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

Perfect Secrecy: Definition A cryptosystem has perfect secrecy if Pr[x|y] = Pr[x]  xP, yC a posteriori probability = a priori probability posterior = prior 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

general proof for secrecy of a system p(m) = anything p(k) = ? p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Example: one-time pad P = C = Z2n dK=eK(x1, x2, …xn) = (x1+K1, x2+K2, …xn+Kn) mod 2 Show that it provides perfect secrecy if the keys are uniformly distributed 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy one-time pad: proof p(m) = anything p(k) = constant p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / k  x p(k|eK(x)=c) p(x) = p(k) p(m) /  x p(k) p(x) (because only one key per plaintext/ciphertext pair) = p(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

A vulnerability of the one-time pad Exercise 2.6 Suppose that y and y’ are two ciphertext elements in the one-time pad that were obtained by encrypting x and x’ respectively using the same key K. Prove that x + x’ = y + y’ (mod 2) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Some proofs: Thm. 2.3 Thm 2.3 : Suppose the 26 keys in the shift cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the Shift Cipher has perfect secrecy. P(m) = anything; P(k) = 1/26; P(c) = x P(c|x)P(x) = x P(k|x+k = c)P(x) x P(k = x-c)P(x) = 1/26 P(m|c) = P(c|m)P(m)  26 = P(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Some proofs: Thm. 2.4 Thm 2.4: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Thm. 2.4: Proof  Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c Then the cryptosystem provides perfect secrecy 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy : Proof p(m) = anything p(k) = 1/|K| p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x) = 1/|K| p(m) / x 1/|K| p(x) = p(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Thm. 2.4 Proof  Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Thm. 2.4 Proof  First show: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy If K1 and K2 take m to c, K1  K2 If p(m) = 0, then p(m|c) = 0 Consider a distribution for which p(m)  0 Then there is some c’ that m does not go to, under any K (as |K| = |P| = |C| ) Then p(m|c’) = 0  p(m) Hence, m P and c C, there is at most one key K such that eK(m) = c Because |K| = |P| = |C|, there is a unique key taking m to c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Thm. 2.4 Proof  Now show: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then every key is used with equal probability 1/|K| Straightforward from perfect secrecy formula 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

Product Cryptosystems Composition of two cryptosystems with same plaintext and ciphertext spaces: P = C (P, P, K1, K2, E, D) e (K1, K2) (x) = e K2(e K1(x)) d (K1, K2) (x) = d K1(d K2 (x)) Pr[K1 K2 ] = Pr[K1] Pr[K2] e.g.: Shift  Affine; Shift  Substitution 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

Properties: Product Cryptosystems A commutative cryptosystem is one in which S  M = M  S (S1  S2)  S3 = S1  (S2  S3) for all cryptosystems associative S idempotent if S  S = S (then no point in composing) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy S  M = ? M the multiplicative cipher with eK(x) = Ka mod m (what property for K?) K chosen equiprobably S the shift cipher, eK(x) = K+a mod m S  M = ? 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

CS284/Spring09/GWU/Vora/Shannon Secrecy Prob. 2.19 Suppose S1 is the Shift Cipher (with equiprobable keys) and S2 is the Shift Cipher with keys chosen wrt some pdf pK (not necc. equiprobable). Prove that S1  S2 = S1 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy