Download presentation
Presentation is loading. Please wait.
1
CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional probability –Definition of perfect secrecy –Systems that provide perfect secrecy How secure when we reuse a key? –Entropy –Redundancy of a language –Spurious keys, unicity distance
2
CryptographyPerfect secrecySlide 2 Contact before work Turn to a neighbor and ask: What do you think of this week’s homework problems? Easy or hard? Interesting or dull? Why or why not? Why do Contact Before Work? –Helps us know our teammates. We work better with people we know and like. –Helps start the meeting on time.
3
CryptographyPerfect secrecySlide 3 Announcements Today at 4:20: –Mark Gritter(CSSE faculty candidate, from Stanford) Content Location with Name-Based Routing Olin 267 Questions on homework? –Due Thursday Friday: annual Undergraduate Mathematics Conference here at Rose-Hulman! –So no class Friday. –We ask that you go to a talk at the conference instead! See schedule on Mathematics home page.
4
CryptographyPerfect secrecySlide 4 What is perfect secrecy? Exercise: –Do the following by yourself (1 minute) and then in groups of about four (3 to 5 minutes) Give (mathematical) definitions for a cipher to be: –Computationally secure –Unconditionally secure (“perfect secrecy”) Consider: –Computer-invariant? –Information-invariant? –Kinds of attack? Is your definition precise enough that I could use it to determine whether, e.g., cipher A is twice as computationally secure as cipher B”?
5
CryptographyPerfect secrecySlide 5 Computationally secure Stallings: A cipher is computationally secure if: –Cost of breaking the cipher exceeds value of the encrypted information –Time required to break the cipher exceeds useful lifetime of the encrypted information Is this: –Computer-invariant? –Information-invariant? –Practical to determine? I find Stalling’s definition unsatisfying. Can you do better?
6
CryptographyPerfect secrecySlide 6 Unconditionally secure Stallings: A cipher is: –Computationally secure if: Cost of breaking the cipher exceeds value of the encrypted information Time required to break the cipher exceeds useful lifetime of the encrypted information –Unconditionally secure if: Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext –No matter how much ciphertext –No matter how much time/resources available to attacker Huh? Can we be more precise?
7
CryptographyPerfect secrecySlide 7 Where we are going: Unconditionally secure: –Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext To make this precise, we need: –What is a cipher? –What does it mean to determine the plaintext? Uniquely? We will see that: –Shift cipher, substitution cipher, Vigenere cipher are: Not computationally secure –against even a ciphertext-only attack, –given a sufficient amount of ciphertext Unconditionally secure (!) –if [an important condition that we will see soon] [can you guess it?]
8
CryptographyPerfect secrecySlide 8 What is a cryptosystem? Three finite sets: –P = set of possible plaintexts –C = set of possible ciphertexts –K = set of possible keys Encryption and decryption functions e and d. For each k in K: –e k : P C d k : C P Exercise: What has to be true of e k and d k ? Answer: for any plaintext x and key k: d k (e k (x)) = x
9
CryptographyPerfect secrecySlide 9 Conditional probability So now we know: –What is a cipher? Next: –What does it mean to determine the plaintext? Uniquely? To answer this, we need probability theory: –random variable, sample space –probability distribution –joint probability distribution –conditional probability distribution –independent random variables –Bayes’ theorem
10
CryptographyPerfect secrecySlide 10 Random variable Probability distribution Definition: A random variable –is a function from the sample space to a set of numbers (for us, the nonnegative integers) Examples: –The number of aces in a bridge hand –The number of multiple birthdays in a room of n people I’ll assume discrete random variables throughout these notes Definition: The probability distribution of a random variable X –Gives, for each possible value x that X can take, the probability of x –Written Pr (x) Example: –Let X = number of heads after 3 coin tosses. p(0) = 1/8 p(1) = 3/8 p(2) = 3/8 p(3) = 1/8
11
CryptographyPerfect secrecySlide 11 Joint probability distribution Conditional probability distribution Definitions: Let X and Y be random variables. –The joint probability Pr (x, y) is the probability that X is x and Y is y. –The conditional probability Pr ( x | y ) is the probability that X is x given that Y is y and is (by definition) Pr (x, y) / Pr (y) In the example to the right: –Pr (c, B)? Pr (b, B)? –Pr (a | B )? Pr (B | a)? Answers: –Pr (c, B) = 0.05 Pr (b, B) = 0.25 –Pr (a | B ) = 0.10 / (0.10 + 0.25 + 0.05) = 0.4 –Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7 X abc Y A0.250.150.20 B0.100.250.05
12
CryptographyPerfect secrecySlide 12 Independent random variables Definition: –Random variables X and Y are independent –if Pr (x | y) = Pr (x) for all x, y. Equivalently, if Pr (x, y) = Pr (x) Pr (y) for all x, y. Examples –X and Y on previous slide are not independent –# of heads in toss A,# in toss B: independent
13
CryptographyPerfect secrecySlide 13 Application to ciphers Assume –Pr P (x) probability distribution on plaintext space P –Pr K (k) probability distribution on key space K –Choosing the key and selecting the plaintext are independent These induce: –Pr P,K (y) probability distribution on ciphertext C –Pr P,K (x, y) joint probability distribution of plaintext and ciphertext –Pr P,K (x | y) conditional distribution of plaintext given ciphertext Example and details on next slides.
14
CryptographyPerfect secrecySlide 14 Example Sets: –Plaintext P = {a, b} –Ciphertext C = {A, B, C, D} –Key space K = {1, 2, 3} Cipher: per table on right Probabilitity distributions: –Pr p (a) = ¼ Pr p (b) = ¾ –Pr K (1) = ½ Pr K (2) = ¼ Pr K (3) = ¼ Exercise: compute Pr P,K (y) –probability distribution on ciphertext C Exercise: compute Pr P,K (x | y) –conditional distribution of plaintext given ciphertext Cipher ab 1AB 2BC 3CD
15
CryptographyPerfect secrecySlide 15 Computation of the induced probability distributions Given: Pr P (x) Pr K (k) Probability that plaintext is x. Probability that key is k. Assume choosing key and selecting plaintext are independent. Then: Pr P,K (y) Pr P,K (x | y) Pr P,K (y | x) are given by: Probability Pr P,K (y) that ciphertext is y Probability Pr P,K (y | x) that ciphertext is y given plaintext is x Probability Pr P,K (x | y) that plaintext is x given ciphertext is y –Pr P,K (y) = [ Pr P (x) Pr K (k) ] Where the sum is over all plaintext x and keys k such that e k (x) = y –Pr P,K (y | x) = [ Pr K (k) ] / Pr P (x) Where the sum is over all keys k such that e k (x) = y –Pr P,K (x | y) = Pr P,K (y | x) Pr P (x) / Pr P,K (y) by Bayes Theorem
16
CryptographyPerfect secrecySlide 16 So what is perfect secrecy? Given: Pr P (x) Pr K (k) Probability that plaintext is x. Probability that key is k. Assume choosing key and selecting plaintext are independent. Then that induces (per previous slide): Probability Pr P,K (y) that ciphertext is y Probability Pr P,K (y | x) that ciphertext is y given plaintext is x Probability Pr P,K (x | y) that plaintext is x given ciphertext is y Informally: perfect secrecy means that the ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext –Can you now give a precise definition of perfect secrecy, in terms of the above?
17
CryptographyPerfect secrecySlide 17 Perfect secrecy Definition: A cryptosystem has perfect secrecy if: –For all x in plaintext space P and y in ciphertext space C –We have Pr P,K (x | y) = Pr P (x) Theorem: –Suppose the 26 keys in the Shift cipher are used with equal probability. –Then for any plaintext probability distribution, –the Shift cipher has perfect secrecy. Note that we are encrypting a single character with a single key Another time: the (easy) proof!
18
CryptographyPerfect secrecySlide 18 What provides perfect secrecy? Theorem: –Perfect secrecy requires |K| |C|. –Suppose as few keys as possible, i.e. |K| = |C| = |P|. Note: Any cryptosystem has |C| |P|. –Then the cryptosystem has perfect secrecy iff every key is used with equal probability, and for every x in P and y in C, there is a unique key k such that e k (x) = y
19
CryptographyPerfect secrecySlide 19 Vernam’s one-time pad Corollary to the theorem on the previous slide: –Vigenere’s cipher provides perfect secrecy, if: each key is equally likely, and you encrypt a single plaintext element (i.e., encrypt m characters using a key of length m) –Cannot have perfect secrecy with shorter keys –History: 1917: Gilbert Vernam suggested Vigenere with a binary alphabet and a long keyword. Joseph Mauborgne suggested uing a one-time pad (key as long as the message, not reused). Widely accepted as “unbreakable” but no proof until Shannon’s work 30 years later
20
CryptographyPerfect secrecySlide 20 What if keys are reused? Summary: –We defined perfect secrecy. –We found cryptosystems that provide perfect secrecy. –But: perfect secrecy requires that we not reuse a key Next: How secure is a cryptosystem when we reuse keys? –Entropy –Redundancy of a language –Spurious keys, unicity distance
21
CryptographyPerfect secrecySlide 21 Entropy: motivation Background –From information theory –Introduced by Claude Shannon in 1948. –A measure of information or uncertainty –Computed as a function of a probability distribution Example: –Toss a coin. How many bits required to represent the result? –Toss a coin n times. Now how many bits? What if the coin is a biased coin?
22
CryptographyPerfect secrecySlide 22 Entropy: definition Definition: –Suppose X is a random variable –with probability distribution p = p 1, p 2,... p n –where p i is the probability X takes on its i th possible value. –Then the entropy of X, –written H(X), is
23
CryptographyPerfect secrecySlide 23 Entropy: example Definition of entropy: P = {a, b}. C = {1, 2, 3, 4}. –p p : a => 1/4 b => 3/4 –p c : 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16 –Exercise: what is H(P)? H(C)? –H(P) = - [ ( 1/4 -2 ) + ( 3/4 (log 2 3 - 2) ) ] 0.81 –H(C) 1.85.
24
CryptographyPerfect secrecySlide 24 Spurious keys Exercise: –Suppose Oscar is doing a ciphertext-only attack –on a string encoded using Vigenere’s cipher –where m (key length) is modest (not a one-time pad). –Oscar decrypts the message to a meaningful sentence. –Why is Oscar not done? Answer: –1. There may be other keys that yield other meaningful sentences. –2. We want the key, not just the meaningful sentence.
25
CryptographyPerfect secrecySlide 25 Spurious keys Context: –Oscar is doing cipher-text only attack –Oscar has infinite computational resources –Oscar knows the plaintext is a “natural” language. Result: –Oscar will be able to rule out certain keys. –Many “possible” keys remain. Only one key is correct. –The remaining possible, but incorrect, keys are called spurious keys. Our goal: determine how many spurious keys.
26
CryptographyPerfect secrecySlide 26 Entropy & redundancy of a language Definitions: –Let L be a natural language (like English). –Let P n be a random variable whose probability distribution is that of all n-grams of plaintext in L. –The entropy H L of L is –The redundancy R L of L is H L measures entropy per letter. R L measures fraction of “excess characters.”
27
CryptographyPerfect secrecySlide 27 Entropy & redundancy of a language Experiments have shown that for English: –H(P 2 ) 7.80 –1.0 H L 1.5 –So R L 0.75 Exercise: does this mean you could keep only every 4th letter of a message and hope to read it? Answer: No! This means you could hope to encode long strings of English to about 1/4 of their size, using a Huffman encoding.
28
CryptographyPerfect secrecySlide 28 Number of spurious keys Theorem: –Suppose |C| = |P| and keys are equiprobable. –Given a ciphertext of length n (where n is large enough) –the expected number s n of spurious keys satisfies So what can you say about long ciphertext messages? Note: the expression goes to 0 quickly as n increases
29
CryptographyPerfect secrecySlide 29 Unicity distance Definition: –The unicity distance of a cyptosystem –is the value of n (ciphertext length), denoted n 0, –at which the expected number of spurious keys –becomes zero. Theorem: –Exercise: unicity distance of the Substitution cipher? –Answer: 88.4 / (0.75 4.7) 25
30
CryptographyPerfect secrecySlide 30 Summary Perfect secrecy. –Perfect. Provides clear sense of the ultimate: What can be done. How to do it (Vernam’s one-time pad). If we reuse keys: –No longer perfect secrecy. –But the secret may not be utterly revealed, even against infinite computational resources: Because of redundant keys –Clear answers, beautiful mathematics, but not much secrecy! What if there are finite computational resources?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.