Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shannon Secrecy CSCI284/162 Spring 2009 GWU.

Similar presentations


Presentation on theme: "Shannon Secrecy CSCI284/162 Spring 2009 GWU."— Presentation transcript:

1 Shannon Secrecy CSCI284/162 Spring 2009 GWU

2 CS284/Spring09/GWU/Vora/Shannon Secrecy
Latin Square A Latin Square of order n is an n  n array where each integer from 1…n occurs exactly once in each row and column 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

3 Perfect Secrecy: Definition
A cryptosystem has perfect secrecy if Pr[x|y] = Pr[x]  xP, yC a posteriori probability = a priori probability posterior = prior 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

4 general proof for secrecy of a system
p(m) = anything p(k) = ? p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

5 CS284/Spring09/GWU/Vora/Shannon Secrecy
Example: one-time pad P = C = Z2n dK=eK(x1, x2, …xn) = (x1+K1, x2+K2, …xn+Kn) mod 2 Show that it provides perfect secrecy if the keys are uniformly distributed 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

6 CS284/Spring09/GWU/Vora/Shannon Secrecy
one-time pad: proof p(m) = anything p(k) = constant p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / k  x p(k|eK(x)=c) p(x) = p(k) p(m) /  x p(k) p(x) (because only one key per plaintext/ciphertext pair) = p(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

7 A vulnerability of the one-time pad
Exercise 2.6 Suppose that y and y’ are two ciphertext elements in the one-time pad that were obtained by encrypting x and x’ respectively using the same key K. Prove that x + x’ = y + y’ (mod 2) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

8 CS284/Spring09/GWU/Vora/Shannon Secrecy
Some proofs: Thm. 2.3 Thm 2.3 : Suppose the 26 keys in the shift cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the Shift Cipher has perfect secrecy. P(m) = anything; P(k) = 1/26; P(c) = x P(c|x)P(x) = x P(k|x+k = c)P(x) x P(k = x-c)P(x) = 1/26 P(m|c) = P(c|m)P(m)  26 = P(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

9 CS284/Spring09/GWU/Vora/Shannon Secrecy
Some proofs: Thm. 2.4 Thm 2.4: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

10 CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4: Proof Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c Then the cryptosystem provides perfect secrecy 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

11 CS284/Spring09/GWU/Vora/Shannon Secrecy
: Proof p(m) = anything p(k) = 1/|K| p(m|c) = p(c|m) p(m) / x p(c|x)p(x) = k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x) = 1/|K| p(m) / x 1/|K| p(x) = p(m) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

12 CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

13 CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof First show: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then m P and c C, there is a unique key K such that eK(m) = c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

14 CS284/Spring09/GWU/Vora/Shannon Secrecy
If K1 and K2 take m to c, K1  K2 If p(m) = 0, then p(m|c) = 0 Consider a distribution for which p(m)  0 Then there is some c’ that m does not go to, under any K (as |K| = |P| = |C| ) Then p(m|c’) = 0  p(m) Hence, m P and c C, there is at most one key K such that eK(m) = c Because |K| = |P| = |C|, there is a unique key taking m to c 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

15 CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof Now show: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Suppose the cryptosystem provides perfect secrecy. Then every key is used with equal probability 1/|K| Straightforward from perfect secrecy formula 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

16 Product Cryptosystems
Composition of two cryptosystems with same plaintext and ciphertext spaces: P = C (P, P, K1, K2, E, D) e (K1, K2) (x) = e K2(e K1(x)) d (K1, K2) (x) = d K1(d K2 (x)) Pr[K1 K2 ] = Pr[K1] Pr[K2] e.g.: Shift  Affine; Shift  Substitution 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

17 Properties: Product Cryptosystems
A commutative cryptosystem is one in which S  M = M  S (S1  S2)  S3 = S1  (S2  S3) for all cryptosystems associative S idempotent if S  S = S (then no point in composing) 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

18 CS284/Spring09/GWU/Vora/Shannon Secrecy
S  M = ? M the multiplicative cipher with eK(x) = Ka mod m (what property for K?) K chosen equiprobably S the shift cipher, eK(x) = K+a mod m S  M = ? 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy

19 CS284/Spring09/GWU/Vora/Shannon Secrecy
Prob. 2.19 Suppose S1 is the Shift Cipher (with equiprobable keys) and S2 is the Shift Cipher with keys chosen wrt some pdf pK (not necc. equiprobable). Prove that S1  S2 = S1 4/11/2019 CS284/Spring09/GWU/Vora/Shannon Secrecy


Download ppt "Shannon Secrecy CSCI284/162 Spring 2009 GWU."

Similar presentations


Ads by Google