Download presentation
Presentation is loading. Please wait.
Published byῬούθ Θυία Βασιλειάδης Modified over 6 years ago
1
Cryptography Lecture 3 Arpita Patra © Arpita Patra
2
Recall >> Study of SKE in ‘modern’ way Definition (Perfect Security: unbounded adversary + no additional leakage) Construction (OTP / Vernam Cipher) Proof Drawbacks (on key length and key reusability) “You should never re-use a one-time pad. It’s like toilet paper; if you re-use it, things get messy.” Michael Rabin
3
Today’s Goal Inherent drawback on key space
More definitions of Perfect Security and their equivalence Captures different intuition for the same goal Some definition will be more handy to prove and disprove if a SKE is perfectly-secure Will further confirm that OTP is optimal in many other ways Summarizing & Concluding Perfect Security Find alternative relaxed security notion than perfect security Introduction to Computational Security > Formulate a formal definition (threat + break model) > Identify assumptions needed and build a construction > Prove security of the construction relative to the definition and assumption
4
Key Space Must be As Large as the Message Space
Theorem: In any perfectly-secure encryption scheme | K | | M | OTP is optimal key length-wise and key usability-wise Proof: Assume | K | < | M | Let c be a ciphertext with Pr(C = c) > 0 Assume for instance uniform distribution over M (any dist. Where every message occurs with non-zero prob is fine) M(c) := { m | m = Deck (c) for some k} the set of all possible decrypted messages of c | M(c) | ≤ |K | < | M | m M s.t. m M(c) Pr [M = m | C = c] = Pr [M = m] No perfect Security! Show the other limitation is inevitable too!
5
Perfectly-secure Encryption : Equivalent Definition
Perfectly-secure Encryption (Shannon’s Definition): Pr[M = m | C = c] = Pr [M = m] , m M, c C Interpretation : probability of knowing a plain-text remains the same before and after seeing the cipher-text The equivalence holds for any probability distribution over M Perfectly-secure Encryption (Alternate Definition): Pr[C = c | M = m0] = Pr [C = c | M = m1], m0, m1 M, c C Interpretation : probability distribution of cipher-text is independent of plain-text
6
Shannon’s Theorem Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Why the assumption | K | = | M | = | C | ? For perfectly secure scheme: | K | ≥ | M | For correctness to hold: | C | ≥ | M | m1 m2 m3 m4 c1 c2 k c3
7
Shannon’s Theorem To prove Pr[M = m | C = c] = Pr[M = m]
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 1) To prove Pr[M = m | C = c] = Pr[M = m] For arbitrary c and m, Pr[C = c | M = m] = Pr[K = k] = 1/| K | Pr[C = c] = Σ Pr[C = c | M = m] Pr[M = m] (irrespective of p. d. over M) m in M = 1/| K | Σ Pr[M = m] = 1/| K | m in M Pr[C = c | M = m ] Pr[M = m] Pr[M = m | C = c] = = Pr[M = m] Pr[C = c] (Bayes' Theorem)
8
Shannon’s Theorem To prove (i) and (ii) as above
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above Let M = {m1, m2,…..} and c is a ciphertext that occurs with non-zero probability for some message Let Ki is the set of all keys that maps mi to c i.e. Enck (mi) = c iff k belongs to Ki Claim: Ki ≠∅ and Ki ∩ Kj = ∅ We assume that Pr[C = c | M = m] > 0, for some m Ki ≠∅ For arbitrary c, mi and mj, Pr[C = c | M = mi] = Pr[C = c | M = mj] Assume the same k maps both mi and mj to c Ki ∩ Kj = ∅ Correctness fails!!
9
Shannon’s Theorem To prove (i) and (ii) as above
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above Claim: Ki ≠∅ and Ki ∩ Kj = ∅ m1 m2 mn K1 K2 Kn | K | = | M | ⟼ | Ki | = 1 ⟼ Condition (ii) Pr[K = ki] = Pr[C = c | M = mi] = Pr[C = c | M = mj] = Pr[K = kj] ⟼ Condition (i)
10
Shannon’s Theorem -Easy to check (i) and (ii).
Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. -Easy to check (i) and (ii). -No need of any probability calculation unlike original perfect security definition
11
Perfect Secrecy: Equivalent Definitions
Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m] m M, c C Definition II: For every probability dist over M Pr[C = c | M = m0] = Pr [C = c | M = m1] m0, m1 M, c C Definition III: For every probability distribution over M Every key k is chosen with probability 1/ | K | For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c.
12
Perfect Secrecy as an Indistinguishability game
- Formulated as a challenge-response game between adv. and a challenger = (Gen, Enc, Dec), M Hypothetical challenger I can break Comp. unbounded m0, m1 M (freedom to choose any pair) b {0, 1} c Enck(mb) b’ {0, 1} (Guess about encrypted message) Gen k Game output : 1 if b = b’ Attacker won 0 if b ≠ b’ Attacker lost
13
Perfect Secrecy as an Indistinguishability game
= (Gen, Enc, Dec), M I can break Comp. unbounded b {0, 1} m0, m1 M c Enck(mb) b’ {0, 1} Gen k PrivK A, coa Experiment : Adversary should learn the underlying message from c only with probability ½ No better than guessing m What does the above experiment model ? m {m0, m1} Enc c k k (I know that either m0 or m1 will be communicated with equal prob.) Perfect secrecy : adversary should not get “any advantage” by seeing c above Attacker is computationally unbounded
14
Perfect Secrecy as an Indistinguishability game
= (Gen, Enc, Dec), M I can break Comp. unbounded b {0, 1} m0, m1 M c Enck(mb) b’ {0, 1} Gen k PrivK A, coa Experiment : Experiment output : Perfect indistinguishability 1 if b = b’ Attacker won (it found the underlying message) 0 if b ≠ b’ Attacker lost (failed to find the underlying message) = (Gen, Enc, Dec) over M is perfectly-secure if for every attacker A Pr PrivK A, coa = 1 =
15
Reading Assignment I: Equivalence of Definitions
Definition I: For every probability dist over M Pr[M = m | C = c] = Pr [M = m] m M, c C Definition II: For every probability dist over M Pr[C = c | M = m0] = Pr [C = c | M = m1] m0, m1 M, c C Definition III: For every probability distribution over M Every key k is chosen with probability 1/ | K | For every m in M and every c in C, there is a unique key k s.t. Enck(m) = c. (Perfect Indistinguishability) b {0, 1} I can break Unbounded Powerful m0, m1 M c Enck(mb) b’ {0, 1} Gen k PrivK A, coa Experiment : PrivK A, coa is perfectly-secure if for every adversary A Pr = 1 =
16
RA II - Implementation of OTP for English text & Cryptanalysis of OTP when key is reused
17
Yes!! Concluding Perfect Security
Remember that- at the end of the day crypto is an applied science and we need to construct schemes that has practical relevance. The hurdles in achieving perfect security outweighs the strength of perfect security CCA Birth of Computational / Cryptographic Security. ⟼ CPA A ciphertext gives out some info about the message that is additional to the prior information that the adv has Randomized Unbounded Powerful COA ⟼ COA Two Inherent Limitations: - Key Space as large as message space - Keys can not be reused No point in studying perfect security by strengthening the adv by giving more capability in attacking a protocol, as the limitations will carry over. Two relaxations Unbounded Powerful No break allowed Can we overcome the hurdles? ⟼ ⟼ Break is allowed but with ‘very small’ probability Bounded Powerful / Polynomially Bounded Yes!!
18
Concluding Perfect Security
- Have we put the last nail in the coffin of perfect security? By all means no! - We overlooked efficiently of perfectly-secure scheme among the hullaballoos of limitations! - It’s blazing fast compared to the computationally-secure protocols that we design - Efficiency is in fact hallmark of perfectly-secure schemes - Perfect security is interesting in multi-party setting Many problems in crypto involves more than two parties- MPC, E-election etc. In crypto, we live in the world of trade-offs…
19
Perfect Security vs. Computational Security
Threat is Unbounded Powerful Threat is ‘Computationally Bounded’ No break allowed Break is allowed with ‘small’ probability A scheme is secure if any computationally bounded adversary succeeds in ‘breaking’ the scheme with at most ‘some very small probability’. A scheme is secure if Pr [M = m | C = c] = Pr [M = m] m, c Key as large as the message A small key will do Fresh key for every encryption Key reuse is permitted. Only nerds do Perfect/information theoretic security. Is it necessary to relax the threat and break to overcome the limitations? YES Absolutely!
20
Scribe?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.