cryptographyperfect secrecyslide 1 today what does it mean for a cipher to be: –computational...

Cryptography Perfect secrecy Slide 1

Today

• What does it mean for a cipher to be:– Computational secure? Unconditionally secure?

• Perfect secrecy– Conditional probability– Definition of perfect secrecy– Systems that provide perfect secrecy

• How secure when we reuse a key?– Entropy– Redundancy of a language– Spurious keys, unicity distance


Contact before work

• Turn to a neighbor and ask:What do you think of this week’s homework problems?

Easy or hard? Interesting or dull?Why or why not?

• Why do Contact Before Work?– Helps us know our teammates.

We work better with people we know and like.– Helps start the meeting on time.


Announcements

• Today at 4:20:– Mark Gritter(CSSE faculty candidate, from Stanford)

• Content Location with Name-Based Routing• Olin 267

• Questions on homework?– Due Thursday

• Friday: annual Undergraduate Mathematics Conference here at Rose-Hulman!– So no class Friday.– We ask that you go to a talk at the conference instead!

• See schedule on Mathematics home page.


What is perfect secrecy?

• Exercise:– Do the following by yourself (1 minute) and then in

groups of about four (3 to 5 minutes)

• Give (mathematical) definitions for a cipher to be:– Computationally secure

– Unconditionally secure (“perfect secrecy”)• Consider:

– Computer-invariant?

– Information-invariant?

– Kinds of attack?

Is your definition precise enough that I could use it to determine whether, e.g., cipher A is twice as computationally secure as cipher B”?


Computationally secure

• Stallings: A cipher is computationally secure if:– Cost of breaking the cipher exceeds value of the

encrypted information

– Time required to break the cipher exceeds useful lifetime of the encrypted information

• Is this:– Computer-invariant?

– Information-invariant?

– Practical to determine?

I find Stalling’s definition unsatisfying. Can you do better?


Unconditionally secure

• Stallings: A cipher is:– Computationally secure if:

• Cost of breaking the cipher exceeds value of the encrypted information

• Time required to break the cipher exceeds useful lifetime of the encrypted information

– Unconditionally secure if:• Ciphertext generated does not contain enough information to

determine uniquely the corresponding plaintext– No matter how much ciphertext

– No matter how much time/resources available to attacker

Huh? Can we be more precise?


Where we are going:

• Unconditionally secure:– Ciphertext generated does not contain enough information to

determine uniquely the corresponding plaintext• To make this precise, we need:

– What is a cipher?– What does it mean to determine the plaintext? Uniquely?

• We will see that:– Shift cipher, substitution cipher, Vigenere cipher are:

• Not computationally secure– against even a ciphertext-only attack,– given a sufficient amount of ciphertext

• Unconditionally secure (!)– if [an important condition that we will see soon] [can you guess it?]


What is a cryptosystem?

• Three finite sets:– P = set of possible plaintexts– C = set of possible ciphertexts– K = set of possible keys

• Encryption and decryption functions e and d.For each k in K:– ek : P C dk : C P

• Exercise: What has to be true of ek and dk?• Answer: for any plaintext x and key k:

dk(ek(x)) = x


Conditional probability

• So now we know:– What is a cipher?

• Next:– What does it mean to determine the plaintext? Uniquely?

• To answer this, we need probability theory:– random variable, sample space– probability distribution– joint probability distribution– conditional probability distribution– independent random variables– Bayes’ theorem


Random variableProbability distribution

• Definition: A random variable– is a function from the sample space to a set of numbers

• (for us, the nonnegative integers)• Examples:

– The number of aces in a bridge hand– The number of multiple birthdays in a room of n people

• I’ll assume discrete random variables throughout these notes• Definition: The probability distribution of a random variable X

– Gives, for each possible value x that X can take, the probability of x– Written Pr (x)

• Example:– Let X = number of heads after 3 coin tosses.

• p(0) = 1/8 p(1) = 3/8 p(2) = 3/8 p(3) = 1/8


Joint probability distributionConditional probability distribution

• Definitions: Let X and Y be random variables.– The joint probability Pr (x, y) is the probability that X is x and Y is y.– The conditional probability Pr ( x | y ) is the probability that X is x

given that Y is y and is (by definition) Pr (x, y) / Pr (y)

• In the example to the right:– Pr (c, B)? Pr (b, B)?– Pr (a | B )? Pr (B | a)?

• Answers:– Pr (c, B) = 0.05 Pr (b, B) = 0.25– Pr (a | B ) =

0.10 / (0.10 + 0.25 + 0.05) = 0.4– Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7

X

a b c

Y

A 0.25 0.15 0.20

B 0.10 0.25 0.05


Independent random variables

• Definition:– Random variables X and Y are independent

– if Pr (x | y) = Pr (x) for all x, y.• Equivalently, if Pr (x, y) = Pr (x) Pr (y) for all x, y.

• Examples– X and Y on previous slide are not independent

– # of heads in toss A,# in toss B: independent


Application to ciphers

• Assume– PrP (x)

• probability distribution on plaintext space P– PrK(k)

• probability distribution on key space K– Choosing the key and selecting the plaintext are independent

• These induce:– PrP,K (y)

• probability distribution on ciphertext C– PrP,K (x, y)

• joint probability distribution of plaintext and ciphertext– PrP,K (x | y)

• conditional distribution of plaintext given ciphertext

Example and details on next slides.


Example

• Sets:– Plaintext P = {a, b}– Ciphertext C = {A, B, C, D}– Key space K = {1, 2, 3}

• Cipher: per table on right• Probabilitity distributions:

– Prp(a) = ¼ Prp(b) = ¾ – PrK(1) = ½ PrK(2) = ¼ PrK(3) = ¼

• Exercise: compute PrP,K (y)– probability distribution on ciphertext C

• Exercise: compute PrP,K (x | y)– conditional distribution of plaintext given ciphertext

Cipher a b

1 A B

2 B C

3 C D


Computation of the induced probability distributions

• Given: PrP (x) PrK (k)• Probability that plaintext is x. Probability that key is k.• Assume choosing key and selecting plaintext are independent.

• Then: PrP,K (y) PrP,K (x | y) PrP,K (y | x) are given by:• Probability PrP,K (y) that ciphertext is y• Probability PrP,K (y | x) that ciphertext is y given plaintext is x• Probability PrP,K (x | y) that plaintext is x given ciphertext is y

– PrP,K (y) = [ PrP (x) PrK (k) ]• Where the sum is over all plaintext x and keys k such that ek(x) = y

– PrP,K (y | x) = [ PrK (k) ] / PrP (x)• Where the sum is over all keys k such that ek(x) = y

– PrP,K (x | y) = PrP,K (y | x) PrP (x) / PrP,K (y) by Bayes Theorem


So what is perfect secrecy?

• Given: PrP (x) PrK (k)• Probability that plaintext is x. Probability that key is k.• Assume choosing key and selecting plaintext are independent.

• Then that induces (per previous slide):• Probability PrP,K (y) that ciphertext is y• Probability PrP,K (y | x) that ciphertext is y given plaintext is x• Probability PrP,K (x | y) that plaintext is x given ciphertext is y

• Informally: perfect secrecy means that the ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext– Can you now give a precise definition of perfect secrecy, in terms of

the above?


Perfect secrecy

• Definition: A cryptosystem has perfect secrecy if:– For all x in plaintext space P and y in ciphertext space C– We have PrP,K (x | y) = PrP (x)

• Theorem:– Suppose the 26 keys in the Shift cipher are used with

equal probability.– Then for any plaintext probability distribution,– the Shift cipher has perfect secrecy.

• Note that we are encrypting a single character with a single key• Another time: the (easy) proof!


What provides perfect secrecy?

• Theorem:– Perfect secrecy requires |K| |C|.

– Suppose as few keys as possible, i.e. |K| = |C| = |P|.• Note: Any cryptosystem has |C| |P|.

– Then the cryptosystem has perfect secrecy iff• every key is used with equal probability, and

• for every x in P and y in C,there is a unique key k such that ek (x) = y


Vernam’s one-time pad• Corollary to the theorem on the previous slide:

– Vigenere’s cipher provides perfect secrecy, if:• each key is equally likely, and• you encrypt a single plaintext element

(i.e., encrypt m characters using a key of length m)

– Cannot have perfect secrecy with shorter keys– History:

• 1917: Gilbert Vernam suggested Vigenere with a binary alphabet and a long keyword. Joseph Mauborgne suggested uing a one-time pad (key as long as the message, not reused).

• Widely accepted as “unbreakable”but no proof until Shannon’s work 30 years later


What if keys are reused?

• Summary:– We defined perfect secrecy.

– We found cryptosystems that provide perfect secrecy.

– But: perfect secrecy requires that we not reuse a key

• Next: How secure is a cryptosystemwhen we reuse keys?– Entropy

– Redundancy of a language

– Spurious keys, unicity distance


Entropy: motivation

• Background– From information theory– Introduced by Claude Shannon in 1948.– A measure of information or uncertainty– Computed as a function of a probability distribution

• Example:– Toss a coin.

How many bits required to represent the result?– Toss a coin n times. Now how many bits?

• What if the coin is a biased coin?


Entropy: definition

• Definition:– Suppose X is a random variable

– with probability distribution p = p1, p2, ... pn

– where pi is the probability X takes on its ith possible value.

– Then the entropy of X,

– written H(X), isi

n

ii ppXH 2

1

log)(


Entropy: example

• Definition of entropy:

• P = {a, b}. C = {1, 2, 3, 4}.– pp: a => 1/4 b => 3/4

– pc: 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16

– Exercise: what is H(P)? H(C)?

– H(P) = - [ ( 1/4 -2 ) + ( 3/4 (log2 3 - 2) ) ] 0.81

– H(C) 1.85.

i

n

ii ppXH 2

1

log)(


Spurious keys

• Exercise:– Suppose Oscar is doing a ciphertext-only attack

– on a string encoded using Vigenere’s cipher

– where m (key length) is modest (not a one-time pad).

– Oscar decrypts the message to a meaningful sentence.

– Why is Oscar not done?

• Answer:– 1. There may be other keys that yield other meaningful sentences.

– 2. We want the key, not just the meaningful sentence.


Spurious keys• Context:

– Oscar is doing cipher-text only attack– Oscar has infinite computational resources– Oscar knows the plaintext is a “natural” language.

• Result:– Oscar will be able to rule out certain keys.– Many “possible” keys remain. Only one key is correct.– The remaining possible, but incorrect, keys

are called spurious keys.

• Our goal: determine how many spurious keys.


Entropy & redundancy of a language

• Definitions:– Let L be a natural language (like English).

– Let Pn be a random variable whose probability distribution is that of all n-grams of plaintext in L.

– The entropy HL of L is

– The redundancy RL of L is

• HL measures entropy per letter.

• RL measures fraction of “excess characters.”

n

PHH

n

nL

)(lim

||log1

2 P

HR L

L


Entropy & redundancy of a language

• Experiments have shownthat for English:– H(P2) 7.80

– 1.0 HL 1.5

– So RL 0.75• Exercise: does this mean you could keep only every 4th letter

of a message and hope to read it?

• Answer: No!This means you could hope to encode long strings of English to about 1/4 of their size, using a Huffman encoding.

n

PHH

n

nL

)(lim

||log1

2 P

HR L

L


Number of spurious keys

• Theorem:– Suppose |C| = |P| and keys are equiprobable.– Given a ciphertext of length n (where n is large enough)

– the expected number sn of spurious keys satisfies

• So what can you say about long ciphertext messages?• Note: the expression goes to 0 quickly as n increases

1||

||

LnRnP

Ks


Unicity distance

• Definition:– The unicity distance of a cyptosystem

– is the value of n (ciphertext length), denoted n0,

– at which the expected number of spurious keys

– becomes zero.

• Theorem:

– Exercise: unicity distance of the Substitution cipher?

– Answer: 88.4 / (0.75 4.7) 25

||log

||log

2

20 PR

Kn

L


Summary

• Perfect secrecy.– Perfect. Provides clear sense of the ultimate:

• What can be done.• How to do it (Vernam’s one-time pad).

• If we reuse keys:– No longer perfect secrecy.– But the secret may not be utterly revealed, even against infinite

computational resources:• Because of redundant keys

– Clear answers, beautiful mathematics, but not much secrecy!

• What if there are finite computational resources?

cryptographyperfect secrecyslide 1 today what does it mean for a cipher to be: –computational...

Documents

secure stallings

secure perfect secrecy

vigenere cipher

substitution cipher

shift cipher

cipher b

encrypted information

unicity distance slide