Cryptography: Perfect secrecy
Post on 21-Dec-2015
Cryptography Perfect secrecy Slide 1
Today
• What does it mean for a cipher to be:
  – Computationally secure?
  – Unconditionally secure?
• Perfect secrecy
  – Conditional probability
  – Definition of perfect secrecy
  – Systems that provide perfect secrecy
• How secure when we reuse a key?
  – Entropy
  – Redundancy of a language
  – Spurious keys, unicity distance
Cryptography Perfect secrecy Slide 2
Contact before work
• Turn to a neighbor and ask: What do you think of this week’s homework problems? Easy or hard? Interesting or dull? Why or why not?
• Why do Contact Before Work?
  – Helps us know our teammates. We work better with people we know and like.
  – Helps start the meeting on time.
Cryptography Perfect secrecy Slide 3
Announcements
• Today at 4:20:
  – Mark Gritter (CSSE faculty candidate, from Stanford)
    • Content Location with Name-Based Routing
    • Olin 267
• Questions on homework?
  – Due Thursday
• Friday: annual Undergraduate Mathematics Conference here at Rose-Hulman!
  – So no class Friday.
  – We ask that you go to a talk at the conference instead!
    • See schedule on Mathematics home page.
Cryptography Perfect secrecy Slide 4
What is perfect secrecy?
• Exercise:
  – Do the following by yourself (1 minute) and then in groups of about four (3 to 5 minutes)
• Give (mathematical) definitions for a cipher to be:
  – Computationally secure
  – Unconditionally secure (“perfect secrecy”)
• Consider:
  – Computer-invariant?
  – Information-invariant?
  – Kinds of attack?
Is your definition precise enough that I could use it to determine whether, e.g., “cipher A is twice as computationally secure as cipher B”?
Cryptography Perfect secrecy Slide 5
Computationally secure
• Stallings: A cipher is computationally secure if:
  – Cost of breaking the cipher exceeds value of the encrypted information
  – Time required to break the cipher exceeds useful lifetime of the encrypted information
• Is this:
  – Computer-invariant?
  – Information-invariant?
  – Practical to determine?
I find Stallings’s definition unsatisfying. Can you do better?
Cryptography Perfect secrecy Slide 6
Unconditionally secure
• Stallings: A cipher is:
  – Computationally secure if:
    • Cost of breaking the cipher exceeds value of the encrypted information
    • Time required to break the cipher exceeds useful lifetime of the encrypted information
  – Unconditionally secure if:
    • Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext
      – No matter how much ciphertext
      – No matter how much time/resources available to attacker
Huh? Can we be more precise?
Cryptography Perfect secrecy Slide 7
Where we are going:
• Unconditionally secure:
  – Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext
• To make this precise, we need:
  – What is a cipher?
  – What does it mean to determine the plaintext? Uniquely?
• We will see that:
  – Shift cipher, substitution cipher, Vigenere cipher are:
    • Not computationally secure
      – against even a ciphertext-only attack,
      – given a sufficient amount of ciphertext
    • Unconditionally secure (!)
      – if [an important condition that we will see soon] [can you guess it?]
Cryptography Perfect secrecy Slide 8
What is a cryptosystem?
• Three finite sets:
  – P = set of possible plaintexts
  – C = set of possible ciphertexts
  – K = set of possible keys
• Encryption and decryption functions e and d. For each k in K:
  – $e_k : P \to C$ and $d_k : C \to P$
• Exercise: What has to be true of $e_k$ and $d_k$?
• Answer: for any plaintext x and key k: $d_k(e_k(x)) = x$
Cryptography Perfect secrecy Slide 9
Conditional probability
• So now we know:
  – What is a cipher?
• Next:
  – What does it mean to determine the plaintext? Uniquely?
• To answer this, we need probability theory:
  – random variable, sample space
  – probability distribution
  – joint probability distribution
  – conditional probability distribution
  – independent random variables
  – Bayes’ theorem
Cryptography Perfect secrecy Slide 10
Random variable / Probability distribution
• Definition: A random variable
  – is a function from the sample space to a set of numbers
    • (for us, the nonnegative integers)
• Examples:
  – The number of aces in a bridge hand
  – The number of multiple birthdays in a room of n people
• I’ll assume discrete random variables throughout these notes
• Definition: The probability distribution of a random variable X
  – Gives, for each possible value x that X can take, the probability of x
  – Written Pr (x)
• Example:
  – Let X = number of heads after 3 coin tosses.
    • p(0) = 1/8, p(1) = 3/8, p(2) = 3/8, p(3) = 1/8
Cryptography Perfect secrecy Slide 11
Joint probability distribution / Conditional probability distribution
• Definitions: Let X and Y be random variables.
  – The joint probability Pr (x, y) is the probability that X is x and Y is y.
  – The conditional probability Pr (x | y) is the probability that X is x given that Y is y and is (by definition) Pr (x, y) / Pr (y)
• In the example table below:
  – Pr (c, B)? Pr (b, B)?
  – Pr (a | B)? Pr (B | a)?
• Answers:
  – Pr (c, B) = 0.05, Pr (b, B) = 0.25
  – Pr (a | B) = 0.10 / (0.10 + 0.25 + 0.05) = 0.4
  – Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7

Joint distribution Pr (x, y) (columns: values of X; rows: values of Y):

         X = a   X = b   X = c
Y = A    0.25    0.15    0.20
Y = B    0.10    0.25    0.05
Cryptography Perfect secrecy Slide 12
Independent random variables
• Definition:
  – Random variables X and Y are independent
  – if Pr (x | y) = Pr (x) for all x, y.
    • Equivalently, if Pr (x, y) = Pr (x) Pr (y) for all x, y.
• Examples
  – X and Y on previous slide are not independent
  – # of heads in toss A, # in toss B: independent
Cryptography Perfect secrecy Slide 13
Application to ciphers
• Assume
  – $\Pr_P(x)$
    • probability distribution on plaintext space P
  – $\Pr_K(k)$
    • probability distribution on key space K
  – Choosing the key and selecting the plaintext are independent
• These induce:
  – $\Pr_{P,K}(y)$
    • probability distribution on ciphertext C
  – $\Pr_{P,K}(x, y)$
    • joint probability distribution of plaintext and ciphertext
  – $\Pr_{P,K}(x \mid y)$
    • conditional distribution of plaintext given ciphertext
Example and details on next slides.
Cryptography Perfect secrecy Slide 14
Example
• Sets:
  – Plaintext P = {a, b}
  – Ciphertext C = {A, B, C, D}
  – Key space K = {1, 2, 3}
• Cipher: per table below
• Probability distributions:
  – $\Pr_P(a)$ = ¼, $\Pr_P(b)$ = ¾
  – $\Pr_K(1)$ = ½, $\Pr_K(2)$ = ¼, $\Pr_K(3)$ = ¼
• Exercise: compute $\Pr_{P,K}(y)$
  – probability distribution on ciphertext C
• Exercise: compute $\Pr_{P,K}(x \mid y)$
  – conditional distribution of plaintext given ciphertext

Cipher table (rows: key; columns: plaintext; entries: ciphertext):

Key   a   b
1     A   B
2     B   C
3     C   D
Cryptography Perfect secrecy Slide 15
Computation of the induced probability distributions
• Given: $\Pr_P(x)$ and $\Pr_K(k)$
  • Probability that plaintext is x. Probability that key is k.
  • Assume choosing key and selecting plaintext are independent.
• Then: $\Pr_{P,K}(y)$, $\Pr_{P,K}(x \mid y)$ and $\Pr_{P,K}(y \mid x)$ are given by:
  • Probability $\Pr_{P,K}(y)$ that ciphertext is y
  • Probability $\Pr_{P,K}(y \mid x)$ that ciphertext is y given plaintext is x
  • Probability $\Pr_{P,K}(x \mid y)$ that plaintext is x given ciphertext is y
  – $\Pr_{P,K}(y) = \sum \left[ \Pr_P(x)\,\Pr_K(k) \right]$
    • Where the sum is over all plaintext x and keys k such that $e_k(x) = y$
  – $\Pr_{P,K}(y \mid x) = \sum \left[ \Pr_P(x)\,\Pr_K(k) \right] / \Pr_P(x)$
    • Where the sum is over all keys k such that $e_k(x) = y$
  – $\Pr_{P,K}(x \mid y) = \Pr_{P,K}(y \mid x)\,\Pr_P(x) / \Pr_{P,K}(y)$ by Bayes’ theorem
Cryptography Perfect secrecy Slide 16
So what is perfect secrecy?
• Given: $\Pr_P(x)$ and $\Pr_K(k)$
  • Probability that plaintext is x. Probability that key is k.
  • Assume choosing key and selecting plaintext are independent.
• Then that induces (per previous slide):
  • Probability $\Pr_{P,K}(y)$ that ciphertext is y
  • Probability $\Pr_{P,K}(y \mid x)$ that ciphertext is y given plaintext is x
  • Probability $\Pr_{P,K}(x \mid y)$ that plaintext is x given ciphertext is y
• Informally: perfect secrecy means that the ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext
  – Can you now give a precise definition of perfect secrecy, in terms of the above?
Cryptography Perfect secrecy Slide 17
Perfect secrecy
• Definition: A cryptosystem has perfect secrecy if:
  – For all x in plaintext space P and y in ciphertext space C
  – We have $\Pr_{P,K}(x \mid y) = \Pr_P(x)$
• Theorem:
  – Suppose the 26 keys in the Shift cipher are used with equal probability.
  – Then for any plaintext probability distribution,
  – the Shift cipher has perfect secrecy.
    • Note that we are encrypting a single character with a single key
    • Another time: the (easy) proof!
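
The definition above can be checked by exhaustive computation. The following is an added example, not part of the original slides: it computes the induced distributions for the slide 14 cryptosystem, then tests the Shift-cipher theorem. It goes slightly beyond the slides by also encrypting two letters, first with one reused shift and then with a fresh shift per letter. The function names and the non-uniform plaintext distributions `ONE_LETTER` and `TWO_LETTERS` are assumptions made for the illustration.

```python
from fractions import Fraction as F
from itertools import product

def induced(pr_p, pr_k, enc):
    """Return (Pr(y), Pr(x | y)) induced by independent plaintext and key choices."""
    joint = {}                                    # joint distribution Pr(x, y)
    for (x, px), (k, pk) in product(pr_p.items(), pr_k.items()):
        if px * pk:                               # skip impossible (x, k) pairs
            y = enc(k, x)
            joint[x, y] = joint.get((x, y), 0) + px * pk
    pr_y = {}
    for (x, y), p in joint.items():               # Pr(y) = sum over x of Pr(x, y)
        pr_y[y] = pr_y.get(y, 0) + p
    post = {(x, y): p / pr_y[y] for (x, y), p in joint.items()}   # Bayes
    return pr_y, post

def perfectly_secret(pr_p, pr_k, enc):
    """Slide 17 definition: Pr(x | y) == Pr(x) for every x and every occurring y."""
    pr_y, post = induced(pr_p, pr_k, enc)
    return all(post.get((x, y), 0) == px for x, px in pr_p.items() for y in pr_y)

def uniform(items):
    items = list(items)
    return {i: F(1, len(items)) for i in items}

def vigenere(key, text):
    """Shift letter i by key[i mod len(key)]; a length-1 key is the Shift cipher."""
    return "".join(chr((ord(c) - 97 + key[i % len(key)]) % 26 + 97) for i, c in enumerate(text))

# Slide 14 cryptosystem, as tabulated on the page.
TABLE = {1: {"a": "A", "b": "B"}, 2: {"a": "B", "b": "C"}, 3: {"a": "C", "b": "D"}}
PR_P = {"a": F(1, 4), "b": F(3, 4)}
PR_K = {1: F(1, 2), 2: F(1, 4), 3: F(1, 4)}
def table_enc(k, x):
    return TABLE[k][x]

# Constructed plaintext distributions (assumptions; any non-uniform choice works).
ONE_LETTER = {"e": F(1, 2), "t": F(1, 3), "a": F(1, 6)}
TWO_LETTERS = {"at": F(1, 2), "ta": F(1, 4), "ee": F(1, 4)}
SHIFT_KEYS = uniform((k,) for k in range(26))          # one shift, reused per letter
PAD_KEYS = uniform(product(range(26), repeat=2))       # fresh shift for each letter

if __name__ == "__main__":
    pr_y, post = induced(PR_P, PR_K, table_enc)
    print({y: (str(p), str(post.get(("a", y), 0))) for y, p in sorted(pr_y.items())})
    print("slide 14 cipher:", perfectly_secret(PR_P, PR_K, table_enc))
    print("shift, one letter:", perfectly_secret(ONE_LETTER, SHIFT_KEYS, vigenere))
    print("shift reused on two letters:", perfectly_secret(TWO_LETTERS, SHIFT_KEYS, vigenere))
    print("fresh shift per letter:", perfectly_secret(TWO_LETTERS, PAD_KEYS, vigenere))
```

The slide 14 cipher fails the definition because ciphertext A can only come from plaintext a, and the reused shift fails because a doubled ciphertext letter can only come from "ee".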
Cryptography Perfect secrecy Slide 18
What provides perfect secrecy?
• Theorem:
  – Perfect secrecy requires |K| ≥ |C|.
  – Suppose as few keys as possible, i.e. |K| = |C| = |P|.
    • Note: Any cryptosystem has |C| ≥ |P|.
  – Then the cryptosystem has perfect secrecy iff
    • every key is used with equal probability, and
    • for every x in P and y in C, there is a unique key k such that $e_k(x) = y$
Cryptography Perfect secrecy Slide 19
Vernam’s one-time pad
• Corollary to the theorem on the previous slide:
  – Vigenere’s cipher provides perfect secrecy, if:
    • each key is equally likely, and
    • you encrypt a single plaintext element (i.e., encrypt m characters using a key of length m)
  – Cannot have perfect secrecy with shorter keys
  – History:
    • 1917: Gilbert Vernam suggested Vigenere with a binary alphabet and a long keyword. Joseph Mauborgne suggested using a one-time pad (key as long as the message, not reused).
    • Widely accepted as “unbreakable” but no proof until Shannon’s work 30 years later
Cryptography Perfect secrecy Slide 20
What if keys are reused?
• Summary:
  – We defined perfect secrecy.
  – We found cryptosystems that provide perfect secrecy.
  – But: perfect secrecy requires that we not reuse a key
• Next: How secure is a cryptosystem when we reuse keys?
  – Entropy
  – Redundancy of a language
  – Spurious keys, unicity distance
Cryptography Perfect secrecy Slide 21
Entropy: motivation
• Background
  – From information theory
  – Introduced by Claude Shannon in 1948.
  – A measure of information or uncertainty
  – Computed as a function of a probability distribution
• Example:
  – Toss a coin. How many bits required to represent the result?
  – Toss a coin n times. Now how many bits?
• What if the coin is a biased coin?
Cryptography Perfect secrecy Slide 22
Entropy: definition
• Definition:
  – Suppose X is a random variable
  – with probability distribution $p = p_1, p_2, \ldots, p_n$
  – where $p_i$ is the probability X takes on its ith possible value.
  – Then the entropy of X,
  – written H(X), is

$$H(X) = -\sum_{i=1}^{n} p_i \log_2 p_i$$
Cryptography Perfect secrecy Slide 23
Entropy: example
• Definition of entropy:

$$H(X) = -\sum_{i=1}^{n} p_i \log_2 p_i$$

• P = {a, b}. C = {1, 2, 3, 4}.
  – $p_P$: a => 1/4, b => 3/4
  – $p_C$: 1 => 1/8, 2 => 7/16, 3 => 1/4, 4 => 3/16
  – Exercise: what is H(P)? H(C)?
  – $H(P) = -\left[ \tfrac{1}{4} \cdot (-2) + \tfrac{3}{4} (\log_2 3 - 2) \right] \approx 0.81$
  – $H(C) \approx 1.85$.
Cryptography Perfect secrecy Slide 24
Spurious keys
• Exercise:
  – Suppose Oscar is doing a ciphertext-only attack
  – on a string encoded using Vigenere’s cipher
  – where m (key length) is modest (not a one-time pad).
  – Oscar decrypts the message to a meaningful sentence.
  – Why is Oscar not done?
• Answer:
  – 1. There may be other keys that yield other meaningful sentences.
  – 2. We want the key, not just the meaningful sentence.
Cryptography Perfect secrecy Slide 25
Spurious keys
• Context:
  – Oscar is doing a ciphertext-only attack
  – Oscar has infinite computational resources
  – Oscar knows the plaintext is a “natural” language.
• Result:
  – Oscar will be able to rule out certain keys.
  – Many “possible” keys remain. Only one key is correct.
  – The remaining possible, but incorrect, keys are called spurious keys.
• Our goal: determine how many spurious keys.
Cryptography Perfect secrecy Slide 26
Entropy & redundancy of a language
• Definitions:
  – Let L be a natural language (like English).
  – Let $P^n$ be a random variable whose probability distribution is that of all n-grams of plaintext in L.
  – The entropy $H_L$ of L is

$$H_L = \lim_{n \to \infty} \frac{H(P^n)}{n}$$

  – The redundancy $R_L$ of L is

$$R_L = 1 - \frac{H_L}{\log_2 |P|}$$

• $H_L$ measures entropy per letter.
• $R_L$ measures fraction of “excess characters.”
Cryptography Perfect secrecy Slide 27
Entropy & redundancy of a language
• Experiments have shown that for English:
  – $H(P^2) \approx 7.80$
  – $1.0 \le H_L \le 1.5$
  – So $R_L \approx 0.75$
• Exercise: does this mean you could keep only every 4th letter of a message and hope to read it?
• Answer: No! This means you could hope to encode long strings of English to about 1/4 of their size, using a Huffman encoding.

$$H_L = \lim_{n \to \infty} \frac{H(P^n)}{n}$$

$$R_L = 1 - \frac{H_L}{\log_2 |P|}$$
Cryptography Perfect secrecy Slide 28
Number of spurious keys
• Theorem:
  – Suppose |C| = |P| and keys are equiprobable.
  – Given a ciphertext of length n (where n is large enough)
  – the expected number $s_n$ of spurious keys satisfies

$$s_n \ge \frac{|K|}{|P|^{n R_L}} - 1$$

• So what can you say about long ciphertext messages?
• Note: the expression goes to 0 quickly as n increases
Cryptography Perfect secrecy Slide 29
Unicity distance
• Definition:
  – The unicity distance of a cryptosystem
  – is the value of n (ciphertext length), denoted $n_0$,
  – at which the expected number of spurious keys
  – becomes zero.
• Theorem:

$$n_0 \approx \frac{\log_2 |K|}{R_L \log_2 |P|}$$

  – Exercise: unicity distance of the Substitution cipher?
  – Answer: 88.4 / (0.75 × 4.7) ≈ 25
Cryptography Perfect secrecy Slide 30
Summary
• Perfect secrecy.
  – Perfect. Provides clear sense of the ultimate:
    • What can be done.
    • How to do it (Vernam’s one-time pad).
• If we reuse keys:
  – No longer perfect secrecy.
  – But the secret may not be utterly revealed, even against infinite computational resources:
    • Because of redundant keys
  – Clear answers, beautiful mathematics, but not much secrecy!
• What if there are finite computational resources?