CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.

Slides:



Advertisements
Similar presentations
Block Cipher Modes of Operation and Stream Ciphers
Advertisements

“Advanced Encryption Standard” & “Modes of Operation”
Online Cryptography Course Dan Boneh
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.
Ref. Cryptography: theory and practice Douglas R. Stinson
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS470, A.SelcukIntroduction1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
EE5552 Network Security and Encryption block 4 Dr. T.J. Owens CEng MIET Dr T. Itagaki MIET, MIEEE, MAES.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
9/01/2010CS 686 Stream Cipher EJ Jung CS 686 Special Topics in CS Privacy and Security.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea:
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Topic 21 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography CS555.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Stream Ciphers Making the one-time pad practical.
Lecture 4: Using Block Ciphers
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Stream Cipher July 2011.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.
1 Information Theory Nathanael Paul Oct. 09, 2002.
Lecture 2: Introduction to Cryptography
WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.
Lectures so far: Today’s lecture: Discrete probability Proving things
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
University of Malawi, Chancellor College
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
Slide 1 Vitaly Shmatikov CS 378 Stream Ciphers. slide 2 Stream Ciphers uRemember one-time pad? Ciphertext(Key,Message)=Message  Key Key must be a random.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 2 – Stream Ciphers These slides were.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptography CS 555 Topic 15: Stream Ciphers.
Cryptography Lecture 3.
B504/I538: Introduction to Cryptography
Cryptography Lecture 4.
Topic 5: Constructing Secure Encryption Schemes
Topic 3: Perfect Secrecy
CMSC 414 Computer and Network Security Lecture 3
Cryptography Lecture 6.
RC4 RC
Topic 13: Message Authentication Code
Information Security CS 526 Topic 3
Cryptography Lecture 3.
Presentation transcript:

CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers

Announcements HW1 is out, due on Sep 5 –Start early, late policy is 3 total late days TA Office hour set –Mohammed Almeshekah: Office: LWSN2161; Office hour: Monday 10am to 11am, Thursday 9am to 10amMohammed Almeshekah –Weining Yang: Office: LWSN 2161; Office hour: Wednesday 10am to 11am, Friday 1pm to 2pmWeining Yang Planned project 1: web security, to be assigned on Sep 19 Planned project 2: implementation of file encryption CS526Topic 3: One-time Pad and Perfect Secrecy 2

CS526Topic 3: One-time Pad and Perfect Secrecy 3 Readings for This Lecture Required reading from wikipedia One-Time Pad Information theoretic security Stream cipher Pseudorandom number generatorPseudorandom number generator Stream ciphers on Dan Boneh’s Cryptography I course on Coursea

Topic 3: One-time Pad and Perfect Secrecy 4 Begin Math CS526

Topic 3: One-time Pad and Perfect Secrecy 5 Random Variable Definition A discrete random variable, X, consists of a finite set X, and a probability distribution defined on X. The probability that the random variable X takes on the value x is denoted Pr[ X =x]; sometimes, we will abbreviate this to Pr[x] if the random variable X is fixed. It must be that CS526

Topic 3: One-time Pad and Perfect Secrecy 6 Example of Random Variables Let random variable D 1 denote the outcome of throwing one die (with numbers 0 to 5 on the 6 sides) randomly, then D ={0,1,2,3,4,5} and Pr[ D 1 =i] = 1/6 for 0  i  5 Let random variable D 2 denote the outcome of throwing a second such die randomly Let random variable S 1 denote the sum of the two dice, then S ={0,1,2,…,10}, and Pr[ S 1 =0] = Pr[ S 1 =10] = 1/36 Pr[ S 1 =1] = Pr[ S 1 =9] = 2/36 = 1/18 … Let random variable S 2 denote the sum of the two dice modulo 6, what is the distribution of S 2 ? CS526

Topic 3: One-time Pad and Perfect Secrecy 7 Relationships between Two Random Variables Definitions Assume X and Y are two random variables, then we define: - joint probability: Pr[x, y] is the probability that X takes value x and Y takes value y. - conditional probability: Pr[x|y] is the probability that X takes value x given that Y takes value y. Pr[x|y] = Pr[x, y] / Pr[y] - independent random variables: X and Y are said to be independent if Pr[x,y] = Pr[x]P[y], for all x  X and all y  Y. CS526

Topic 3: One-time Pad and Perfect Secrecy 8 Examples Joint probability of D 1 and D 2 for 0  i,j  5, Pr[ D 1 =i, D 2 =j] = ? What is the conditional probability Pr[ D 1 =i | D 2 =j] for 0  i, j  5? Are D 1 and D 2 independent? Suppose D 1 is plaintext and D 2 is key, and S 1 and S 2 are ciphertexts of two different ciphers, which cipher would you use? CS526

Topic 3: One-time Pad and Perfect Secrecy 9 Examples to think after class What is the joint probability of D 1 and S 1 ? What is the joint probability of D 2 and S 2 ? What is the conditional probability Pr[ S 1 =s | D 1 =i] for 0  i  5 and 0  s  10? What is the conditional probability Pr[ D 1 =i | S 2 =s] for 0  i  5 and 0  s  5? Are D 1 and S 1 independent? Are D 1 and S 2 independent? CS526

Topic 3: One-time Pad and Perfect Secrecy 10 Bayes’ Theorem If P[y] > 0 then Corollary X and Y are independent random variables iff P[x|y] = P[x], for all x  X and all y  Y. CS526

Topic 3: One-time Pad and Perfect Secrecy 11 End Math CS526

Topic 3: One-time Pad and Perfect Secrecy 12 One-Time Pad Fix the vulnerability of the Vigenere cipher by using very long keys Key is a random string that is at least as long as the plaintext Encryption is similar to shift cipher Invented by Vernam in the 1920s

CS526Topic 3: One-time Pad and Perfect Secrecy 13 One-Time Pad Let Z m ={0,1,…,m-1} be the alphabet. Plaintext space = Ciphtertext space = Key space = (Z m ) n The key is chosen uniformly randomly Plaintext X = (x 1 x 2 … x n ) Key K = (k 1 k 2 … k n ) Ciphertext Y = (y 1 y 2 … y n ) e k (X) = (x 1 +k 1 x 2 +k 2 … x n +k n ) mod m d k (Y) = (y 1 -k 1 y 2 -k 2 … y n -k n ) mod m

CS526Topic 3: One-time Pad and Perfect Secrecy 14 The Binary Version of One-Time Pad Plaintext space = Ciphtertext space = Keyspace = {0,1} n Key is chosen randomly For example: Plaintext is Key is Then ciphertext is

CS526Topic 3: One-time Pad and Perfect Secrecy 15 Bit Operators Bit AND 0  0 = 0 0  1 = 0 1  0 = 0 1  1 = 1 Bit OR 0  0 = 0 0  1 = 1 1  0 = 1 1  1 = 1 Addition mod 2 (also known as Bit XOR) 0  0 = 0 0  1 = 1 1  0 = 11  1 = 0 Can we use operators other than Bit XOR for binary version of One-Time Pad?

CS526Topic 3: One-time Pad and Perfect Secrecy 16 How Good is One-Time Pad? Intuitively, it is secure … –The key is random, so the ciphertext is completely random How to formalize the confidentiality requirement? –Want to say “certain thing” is not learnable by the adversary (who sees the ciphertext). But what is the “certain thing”? Which (if any) of the following is the correct answer? –The key. –The plaintext. –Any bit of the plaintext. –Any information about the plaintext. E.g., the first bit is 1, the parity is 0, or that the plaintext is not “aaaa”, and so on

CS526Topic 3: One-time Pad and Perfect Secrecy 17 Shannon (Information-Theoretic) Security = Perfect Secrecy Basic Idea: Ciphertext should reveal no “information” about Plaintext Definition. An encryption over a message space M is perfectly secure if  probability distribution over M  message m  M  ciphertext c  C for which Pr[C=c] > 0 We have Pr [PT=m | CT=c] = Pr [PT = m].

Explanation of the Definition –Pr [PT = m] is what the adversary believes the probability that the plaintext is m, before seeing the ciphertext –Pr [PT = m | CT=c] is what the adversary believes after seeing that the ciphertext is c –Pr [PT=m | CT=c] = Pr [PT = m] means that after knowing that the ciphertext is C 0, the adversary’s belief does not change. CS526Topic 3: One-time Pad and Perfect Secrecy 18

Equivalent Definition of Perfect Secrecy Definition. An encryption scheme over a message space M is perfectly secure if  probability distribution over M, the random variables PT and CT are independent. That is,  message m  M  ciphertext c  C Pr [PT=m  CT=c] = Pr [PT = m] Pr [CT = c] Note that this is equivalent to: When Pr [CT = c]  0, we have Pr [PT = m] = Pr [PT=m  CT=c] / Pr [CT = c] = Pr [PT=m | CT=c] This is also equivalent to: When Pr [PT = m]  0, we have Pr [CT = c] = Pr [PT=m  CT=c] / Pr [PT = m] = Pr [CT=c | PT=m] CS555Spring 2012/Topic 319

Example for Information Theoretical Security Consider an example of encrypting the result of a 6-side dice (1 to 6). –Method 1: randomly generate K=[0..5], ciphertext is result + K. What is plaintext distribution? After seeing that the ciphertext is 6, what could be the plaintext. After seeing that the ciphertext is 11, what could be the plaintext? –Method 2: randomly generate K=[0..5], ciphertext is (result + K) mod 6. Same questions. Can one do a brute-force attack? CS526Topic 3: One-time Pad and Perfect Secrecy 20

CS526Topic 3: One-time Pad and Perfect Secrecy 21 Perfect Secrecy Fact: When keys are uniformly chosen in a cipher, the cipher has perfect secrecy iff. the number of keys encrypting M to C is the same for any (M,C) –This implies that  c  m 1  m 2 Pr[CT=c | PT=m 1 ] = Pr[CT=c | PT=m 2 ] One-time pad has perfect secrecy when limited to messages over the same length (Proof?)

CS526Topic 3: One-time Pad and Perfect Secrecy 22 Key Randomness in One-Time Pad One-Time Pad uses a very long key, what if the key is not chosen randomly, instead, texts from, e.g., a book are used as keys. –this is not One-Time Pad anymore –this does not have perfect secrecy –this can be broken –How? The key in One-Time Pad should never be reused. –If it is reused, it is Two-Time Pad, and is insecure! –Why?

Usage of One-Time Pad To use one-time pad, one must have keys as long as the messages. To send messages totaling certain size, sender and receiver must agree on a shared secret key of that size. –typically by sending the key over a secure channel This is difficult to do in practice. Can’t one use the channel for send the key to send the messages instead? Why is OTP still useful, even though difficult to use? CS526Topic 3: One-time Pad and Perfect Secrecy 23

Usage of One-Time Pad The channel for distributing keys may exist at a different time from when one has messages to send. The channel for distributing keys may have the property that keys can be leaked, but such leakage will be detected –Such as in Quantum cryptography CS526Topic 3: One-time Pad and Perfect Secrecy 24

CS526Topic 3: One-time Pad and Perfect Secrecy 25 The “Bad News” Theorem for Perfect Secrecy Question: OTP requires key as long as messages, is this an inherent requirement for achieving perfect secrecy? Answer. Yes. Perfect secrecy implies that key-length  msg-length Proof: Implication: Perfect secrecy difficult to achieve in practice Plaintext space Cipherttext space

CS526Topic 3: One-time Pad and Perfect Secrecy 26 Stream Ciphers In One-Time Pad, a key is a random string of length at least the same as the message Stream ciphers: –Idea: replace “rand” by “pseudo rand” –Use Pseudo Random Number Generator –PRNG: {0,1} s  {0,1} n expand a short (e.g., 128-bit) random seed into a long (e.g., 10 6 bit) string that “looks random” –Secret key is the seed –E key [M] = M  PRNG(key)

CS526Topic 3: One-time Pad and Perfect Secrecy 27 The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in Became public in Simple and effective design. Variable key size (typical 40 to 256 bits), Output unbounded number of bytes. Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, first part of output biased, when used as stream cipher, should use RC4-Drop[n] –Which drops first n bytes before using the output –Conservatively, set n=3072

CS526Topic 3: One-time Pad and Perfect Secrecy 28 Pseudo Random Number Generator Useful for cryptography, simulation, randomized algorithm, etc. –Stream ciphers, generating session keys The same seed always gives the same output stream –Why is this necessary for stream ciphers? Simulation requires uniform distributed sequences –E.g., having a number of statistical properties Cryptographically secure pseudo-random number generator requires unpredictable sequences –satisfies the "next-bit test“: given consecutive sequence of bits output (but not seed), next bit must be hard to predict Some PRNG’s are weak: knowing output sequence of sufficient length, can recover key. –Do not use these for cryptographic purposes

CS526Topic 3: One-time Pad and Perfect Secrecy 29 Properties of Stream Ciphers Typical stream ciphers are very fast Widely used, often incorrectly –Content Scrambling System (uses Linear Feedback Shift Registers incorrectly), –Wired Equivalent Privacy (uses RC4 incorrectly) –SSL (uses RC4, SSLv3 has no known major flaw)

CS526Topic 3: One-time Pad and Perfect Secrecy 30 Security Properties of Stream Ciphers Under known plaintext, chosen plaintext, or chosen ciphertext, the adversary knows the key stream (i.e., PRNG(key)) –Security depends on PRNG –PRNG must be “unpredictable” Do stream ciphers have perfect secrecy? How to break a stream cipher in a brute-force way? If the same key stream is used twice, then easy to break. –This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong

CS526Topic 3: One-time Pad and Perfect Secrecy 31 Using Stream Ciphers in Practice If the same key stream is used twice, then easy to break. –This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong In practice, one key is used to encrypt many messages –Example: Wireless communication –Solution: Use Initial vectors (IV). –E key [M] = [IV, M  PRNG(key || IV)] IV is sent in clear to receiver; IV needs integrity protection, but not confidentiality protection IV ensures that key streams do not repeat, but does not increase cost of brute-force attacks Without key, knowing IV still cannot decrypt –Need to ensure that IV never repeats! How?

CS526Topic 3: One-time Pad and Perfect Secrecy 32 Coming Attractions … Cryptography: Semantic Security, Block ciphers, encryption modes, cryptographic functions