Cryptography Lecture 3 Arpita Patra Arpita Patra Recall
- Slides: 20
Cryptography Lecture 3 Arpita Patra © Arpita Patra
Recall >> Study of SKE in ‘modern’ way o o Definition (Perfect Security: unbounded adversary + no additional leakage) Construction (OTP / Vernam Cipher) Proof Drawbacks (on key length and key reusability) “You should never re-use a one-time pad. It’s like toilet paper; if you re-use it, things get messy. ” Michael Rabin
Today’s Goal - Inherent drawback on key space - More definitions of Perfect Security and their equivalence o Captures different intuition for the same goal o Some definition will be more handy to prove and disprove if a SKE is perfectly -secure o Will further confirm that OTP is optimal in many other ways - Summarizing & Concluding Perfect Security - Find alternative relaxed security notion than perfect security o Introduction to Computational Security > Formulate a formal definition (threat + break model) > Identify assumptions needed and build a construction > Prove security of the construction relative to the definition and assumption
Key Space Must be As Large as the Message Space Theorem: In any perfectly-secure encryption scheme | K | | M | Proof: OTP is optimal key Let c be a ciphertext with Pr(C = c) > 0 length-wise M(c) : = { m | m = Deck (c) for some k} for instance uniformand key Assume the set of all possible decrypted messages distribution overof. Mc(any dist. bility-wise usa Where every message occurs Assume | K | < | M | | M(c) | <|M| with non-zero prob is fine) m M s. t. m M(c) Pr [M = m | C = c] = 0 No perfect Security! Pr [M = m] Show the other limitation is inevitable too!
Perfectly-secure Encryption : Equivalent Definition Perfectly-secure Encryption (Shannon’s Definition): Pr[M = m | C = c] = Pr [M = m] , m M, c C Interpretation : probability of knowing a plain-text remains the same before and after seeing the cipher-text The equivalence holds for any probability distribution over M Perfectly-secure Encryption (Alternate Definition): Pr[C = c | M = m 0] = Pr [C = c | M = m 1], m 0, m 1 M, c C Interpretation : probability distribution of cipher-text is independent of plain-text
Shannon’s Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. Why the assumption | K | = | M | = | C | ? m 1 c 1 m 2 m 3 m 4 k c 2 c 3
Shannon’s Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. Proof: (Part 1) To prove Pr[M = m | C = c] = Pr[M = m] For arbitrary c and m, Pr[C = c | M = m] = Pr[K = k] Pr[C = c] = Σ Pr[C = c | M = m] Pr[M = m] = 1/| K | (irrespective of p. d. over M) m in M = 1/| K | Σ Pr[M = m] = 1/| K | m in M Pr[M = m | C = c] = Pr[C = c | M = m ] Pr[M = m] Pr[C = c] (Bayes' Theorem) = Pr[M = m]
Shannon’s Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above Let M = {m 1, m 2, …. . } and c is a ciphertext that occurs with non-zero probability for some message Let Ki is the set of all keys that maps mi to c i. e. Enck (mi) = c iff k belongs to Ki We assume that Pr[C = c | M = m] > 0, for some m For arbitrary c, mi and mj, Pr[C = c | M = mi] Assume the same k maps both mi and mj to c Correctness fails!! = Pr[C = c | M = mj]
Shannon’s Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. Proof: (Part 2) To prove (i) and (ii) as above m 1 m 2 mn K 1 K 2 Kn |K|=|M| Pr[K = ki] = | Ki | = 1 Condition (ii) Pr[C = c | M = mi] = Pr[C = c | M = mj] = Pr[K = kj] Condition (i)
Shannon’s Theorem: A scheme (Gen, Enc, Dec) with | K | = | M | = | C | is perfectly secure if and only if (i) Every key k is chosen with probability 1/ | K | by Gen. (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. (i) k c e h c o t -Easy and (ii). ny a f o d e e n -No probability ke i l n u n o i t a l calcu ect f r e p l a n i g i or n o i t i n i f e d y t securi
Perfect Secrecy: Equivalent Definitions Definition I: For every probability dist over M Definition II: For every probability dist over M Pr[M = m | C = c] = Pr [M = m] m M, c C Pr[C = c | M = m 0] = Pr [C = c | M = m 1] m 0, m 1 M, c C Definition III: For every probability distribution over M (i) Every key k is chosen with probability 1/ | K | (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c.
Perfect Secrecy as an Indistinguishability game - Formulated as a challenge-response game between adv. and a verifier = (Gen, Enc, Dec), M Hypothetical verifier Comp. unbounded m 0 , m 1 M (freedom to choose any pair) b {0, 1} c Enck(mb) b’ {0, 1} I can break (Guess about encrypted message) q Game output : Ø 1 if b = b’ Attacker won Ø 0 if b ≠ b’ Attacker lost k Gen
Perfect Secrecy as an Indistinguishability game Comp. unbounded = (Gen, Enc, Dec), M m 0 , m 1 M b {0, 1} c Enck(mb) b’ {0, 1} I can break Experiment : Priv. K k Gen coa A, q What does the above experiment model ? q Adversary should learn the underlying m {m 0, message m 1} from c only with probability ½ c Enc k Ø No better than guessing m k (I know that either m 0 or m 1 will be communicated with equal prob. ) q Perfect secrecy : adversary should not get “any advantage” by seeing c above
Perfect Secrecy as an Indistinguishability game Comp. unbounded = (Gen, Enc, Dec), M m 0 , m 1 M b {0, 1} c Enck(mb) b’ {0, 1} I can break Experiment : Priv. K k Gen coa A, q Experiment output : Ø 1 if b = b’ Attacker won (it found the underlying message) Perfect indistinguishability Ø 0 if b ≠ b’ Attacker lost (failed to find the underlying message) = (Gen, Enc, Dec) over M is perfectly-secure if for every attacker A coa Pr Priv. K A, = 1 = ½
Chalk & Talk I (for two): Equivalence of Definitions Definition I: For every probability dist over M Definition II: For every probability dist over M Pr[M = m | C = c] = Pr [M = m] m M, c C Pr[C = c | M = m 0] = Pr [C = c | M = m 1] m 0, m 1 M, c C Definition III: For every probability distribution over M (i) Every key k is chosen with probability 1/ | K | (ii) For every m in M and every c in C, there is a unique key k s. t. Enck(m) = c. Unbounded Powerful (Perfect Indistinguishability) b {0, 1} m 0, m 1 M c Enck(mb) b’ {0, 1} I can break Experiment : is perfectly-secure if for every adversary A k Priv. K Pr Gen coa A, Priv. K coa A, =1 = ½
Chalk & Talk II (for one) - Implementation of OTP for English text & Cryptanalysis of OTP when key is reused
Concluding Perfect Security CCA at the end t a h t r e b Remem to is an p y r c y a d of the nd we a e c CPA n ie c s ed out some info appligives mes the A ciphertext t scheabout Randomized c u r t s n o c to additional to the prior ed is nethat message f o h Unbounded Powerful t r i al B actichas r p s a h t information that the adv a h t COA tional / COA urdles in h e a h t T. u e p c Com relevan ecurity s t c e f r e p c Inherent Limitations: i h p chieving a a r Two g o gth of t n e p r t s e h Cry t utweighs o - Key Space as large as message space. ecurity y s t i t r c e u f r c e p e S - Keys can not be reused No point in studying perfect security by strengthening the adv by giving more capability in attacking a protocol, as the limitations will carry over. Unbounded Powerful Can we overcome the hurdles? Yes!! No break allowed Bounded Powerful / Polynomially Bounded Two relaxations Break is allowed but with ‘very small’ probability
Concluding Perfect Security - Have we put the last nail in the coffin of perfect security? By all means no! - We overlooked efficiently of perfectly-secure scheme among the hullaballoos of limitations! - It’s blazing fast compared to the computationally-secure protocols that we design - Efficiency is in fact hallmark of perfectly-secure schemes - Perfect security is interesting in multi-party setting Many problems in crypto involves more than two parties- MPC, E-election etc. In crypto, we live in the world of trade-offs…
Perfect Security vs. Computational Security Threat is Unbounded Powerful Threat is ‘Computationally Bounded’ No break allowed Break is allowed with ‘small’ probability A scheme is secure if Pr [M = m | C = c] = Pr [M = m] m, c A scheme is secure if any computationally bounded adversary succeeds in ‘breaking’ the scheme with at most ‘some very small probability’. Key as large as the message A small key will do Fresh key for every encryption Key reuse is permitted. Is it necessary to relax the threat and break to overcome the limitations? YES Absolutely!
- Recallcrypto. com
- Arpita patra iisc
- 01:640:244 lecture notes - lecture 15: plat, idah, farad
- Patra lesa
- Goutam patra
- Rostlinná patra
- Pragyapan patra nepal
- Era of quality at the akshaya patra foundation
- Cipher patra
- Cipher patra
- Sudhakar patra
- Akshaya patra donation online
- Yamane formula for sample size
- Fdt statistics
- Gos infant formula
- Beef recall
- Can hypnosis force people to act against their will
- Recall the rules of probability
- Recall column
- Difference between recognition and recall
- Woodcock johnson test sample