Upload
anggietasya
View
213
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Cryptographypart2
Citation preview
Cryptography
Perfect secrecy, part 2
Secure encryp0on?
What is our goal?
Regardless of any prior info. the a;acker has about the plaintext, the ciphertext should leak no addi1onal informa0on about the plaintext (Ciphertext-only a;ack, one ciphertext)
Probability review
Random variable variable that takes on (discrete) values with certain probabili0es
Probability distribu0on for a r.v. species the probabili0es with which the variable takes on each possible value Each probability must be between 0 and 1 The probabili0es must sum to 1
Probability review
Event a par0cular occurrence in some experiment Pr[E] probability of event E
Condi0onal probability probability that one event occurs, assuming some other event occurred Pr[A | B] = Pr[A and B]/Pr[B]
Two r.v.s X, Y are independent if for all x, y: Pr[X=x | Y=y] = Pr[X=x]
Probability review
Law of total probability say E1, , En are a par11on of all possibili0es. Then for any A: Pr[A] = i Pr[A and Ei] = i Pr[A | Ei] Pr[Ei]
Recall
A private-key encryp1on scheme is dened by a message space M and algorithms (Gen, Enc, Dec): Gen (key-genera0on algorithm): generates k Enc (encryp0on algorithm): takes key k and message m M as input; outputs ciphertext c. c Enck(m)
Dec (decryp0on algorithm): takes key k and ciphertext c as input; outputs m. m := Deck(c)
Nota0on
K (key space) set of all possible keys
C (ciphertext space) set of all possible ciphertexts
Probability distribu0ons
Let M be a random variable deno0ng the value of the message M ranges over M This reects the likelihood of dierent messages being sent by the par0es, given the a;ackers prior knowledge
E.g., Pr[M = a;ack today] = 0.7 Pr[M = dont a;ack] = 0.3
Probability distribu0ons
Let K be a random variable deno0ng the key K ranges over K
Fix some encryp0on scheme (Gen, Enc, Dec) Gen denes a probability distribu0on for K: Pr[K = k] = Pr[Gen outputs key k]
Probability distribu0ons
Random variables M and K are independent I.e., the message that a party sends does not depend on the key used to encrypt that message
Probability distribu0ons
Fix some encryp0on scheme (Gen, Enc, Dec), and some distribu0on for M
Consider the following (randomized) experiment: 1. Choose a message m, according to the given distribu0on 2. Generate a key k using Gen 3. Compute c Enck(m)
This denes a distribu0on on the ciphertext! Let C be a random variable deno0ng the
value of the ciphertext in this experiment
Example 1 Consider the shik cipher So for all k {0, , 25}, Pr[K = k] = 1/26
Say Pr[M = a] = 0.7, Pr[M = z] = 0.3
What is Pr[C = b] ? Either M = a and K = 1, or M = z and K = 2 Pr[C=b] = Pr[M=a]Pr[K=1] + Pr[M=z] Pr[K=2] Pr[C=b] = 0.7 (1/26) + 0.3 (1/26) Pr[C=b] = 1/26
Example 2
Consider the shik cipher, and the distribu0on Pr[M = one] = , Pr[M = ten] =
Pr[C = rqh] = ?
= Pr[C = rqh | M = one] Pr[M = one] + Pr[ C = rqh | M = ten] Pr[M = ten] = 1/26 + 0 = 1/52
Perfect secrecy (informal)
Regardless of any prior info. the a;acker has about the plaintext, the ciphertext should leak no addi1onal informa0on about the plaintext (Ciphertext-only a;ack, one ciphertext)
Perfect secrecy (informal)
A;ackers informa0on about the plaintext = a;acker-known distribu1on of the plaintext Perfect secrecy means that observing the ciphertext should not change the a;ackers knowledge about the distribu0on of the plaintext
Perfect secrecy (formal)
Encryp0on scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for every distribu0on over M, every m M, and every c C with Pr[C=c] > 0, it holds that Pr[M = m | C = c] = Pr[M = m].
Example 3
Consider the shik cipher, and the distribu0on Pr[M = one] = , Pr[M = ten] =
Take m = ten and c = rqh
Pr[M = ten | C = rqh] = ? = 0 Pr[M = ten]
Bayess theorem
Pr[A | B] = Pr[B | A] Pr[A]/Pr[B]
Example 4
Shik cipher, Pr[M=hi] = 0.3, Pr[M=no] = 0.2, Pr[M=in]= 0.5
Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] Pr[M = hi]/Pr[C = xy]
Example 4, con0nued
Pr[C = xy | M = hi] = 1/26
Pr[C = xy] = Pr[C = xy | M = hi] 0.3 + Pr[C = xy | M = no] 0.2 + Pr[C=xy | M=in] 0.5 = (1/26) 0.3 + (1/26) 0.2 + 0 0.5 = 1/52
Example 4
Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] Pr[M = hi]/Pr[C = xy] = (1/26) 0.3/(1/52) = 0.6 Pr[M = hi]
Conclusion
The shik cipher is not perfectly secret!
How to construct a perfectly secret scheme?