1 / 30

Today

Today. What does it mean for a cipher to be: Computational secure? Unconditionally secure? Perfect secrecy Conditional probability Definition of perfect secrecy Systems that provide perfect secrecy How secure when we reuse a key? Entropy Redundancy of a language

Télécharger la présentation

Today

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Today • What does it mean for a cipher to be: • Computational secure? Unconditionally secure? • Perfect secrecy • Conditional probability • Definition of perfect secrecy • Systems that provide perfect secrecy • How secure when we reuse a key? • Entropy • Redundancy of a language • Spurious keys, unicity distance Perfect secrecy

  2. Contact before work • Turn to a neighbor and ask: What do you think of this week’s homework problems?Easy or hard? Interesting or dull?Why or why not? • Why do Contact Before Work? • Helps us know our teammates.We work better with people we know and like. • Helps start the meeting on time. Perfect secrecy

  3. Announcements • Today at 4:20: • Mark Gritter(CSSE faculty candidate, from Stanford) • Content Location with Name-Based Routing • Olin 267 • Questions on homework? • Due Thursday • Friday: annual Undergraduate Mathematics Conference here at Rose-Hulman! • So no class Friday. • We ask that you go to a talk at the conference instead! • See schedule on Mathematics home page. Perfect secrecy

  4. What is perfect secrecy? • Exercise: • Do the following by yourself (1 minute) and then in groups of about four (3 to 5 minutes) • Give (mathematical) definitions for a cipher to be: • Computationally secure • Unconditionally secure (“perfect secrecy”) • Consider: • Computer-invariant? • Information-invariant? • Kinds of attack? Is your definition precise enough that I could use it to determine whether, e.g., cipher A is twice as computationally secure as cipher B”? Perfect secrecy

  5. Computationally secure • Stallings: A cipher is computationally secure if: • Cost of breaking the cipher exceeds value of the encrypted information • Time required to break the cipher exceeds useful lifetime of the encrypted information • Is this: • Computer-invariant? • Information-invariant? • Practical to determine? I find Stalling’s definition unsatisfying. Can you do better? Perfect secrecy

  6. Unconditionally secure • Stallings: A cipher is: • Computationally secure if: • Cost of breaking the cipher exceeds value of the encrypted information • Time required to break the cipher exceeds useful lifetime of the encrypted information • Unconditionally secure if: • Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • No matter how much ciphertext • No matter how much time/resources available to attacker Huh? Can we be more precise? Perfect secrecy

  7. Where we are going: • Unconditionally secure: • Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • To make this precise, we need: • What is a cipher? • What does it mean to determine the plaintext? Uniquely? • We will see that: • Shift cipher, substitution cipher, Vigenere cipher are: • Not computationally secure • against even a ciphertext-only attack, • given a sufficient amount of ciphertext • Unconditionally secure (!) • if [an important condition that we will see soon] [can you guess it?] Perfect secrecy

  8. What is a cryptosystem? • Three finite sets: • P = set of possible plaintexts • C = set of possible ciphertexts • K = set of possible keys • Encryption and decryption functions e and d.For each k in K: • ek : P C dk : C  P • Exercise: What has to be true of ek and dk? • Answer: for any plaintext x and key k:dk(ek(x)) = x Perfect secrecy

  9. Conditional probability • So now we know: • What is a cipher? • Next: • What does it mean to determine the plaintext? Uniquely? • To answer this, we need probability theory: • random variable, sample space • probability distribution • joint probability distribution • conditional probability distribution • independent random variables • Bayes’ theorem Perfect secrecy

  10. Random variableProbability distribution • Definition: A random variable • is a function from the sample space to a set of numbers • (for us, the nonnegative integers) • Examples: • The number of aces in a bridge hand • The number of multiple birthdays in a room of n people • I’ll assume discrete random variables throughout these notes • Definition: The probability distribution of a random variable X • Gives, for each possible value x that X can take, the probability of x • Written Pr (x) • Example: • Let X = number of heads after 3 coin tosses. • p(0) = 1/8 p(1) = 3/8 p(2) = 3/8 p(3) = 1/8 Perfect secrecy

  11. Joint probability distributionConditional probability distribution • Definitions: Let X and Y be random variables. • The joint probabilityPr (x, y) is the probability that X is xandY is y. • The conditional probabilityPr ( x | y ) is the probability that X is xgiven that Y is y and is (by definition) Pr (x, y) / Pr (y) • In the example to the right: • Pr (c, B)? Pr (b, B)? • Pr (a | B )? Pr (B | a)? • Answers: • Pr (c, B) = 0.05 Pr (b, B) = 0.25 • Pr (a | B ) = 0.10 / (0.10 + 0.25 + 0.05) = 0.4 • Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7 Perfect secrecy

  12. Independent random variables • Definition: • Random variables X and Y are independent • if Pr (x | y) = Pr (x) for all x, y. • Equivalently, if Pr (x, y) = Pr (x)  Pr (y) for all x, y. • Examples • X and Y on previous slide are not independent • # of heads in toss A,# in toss B: independent Perfect secrecy

  13. Application to ciphers • Assume • PrP (x) • probability distribution on plaintext space P • PrK(k) • probability distribution on key space K • Choosing the key and selecting the plaintext are independent • These induce: • PrP,K (y) • probability distribution on ciphertext C • PrP,K (x, y) • joint probability distribution of plaintext and ciphertext • PrP,K (x | y) • conditional distribution of plaintext given ciphertext Example and details on next slides. Perfect secrecy

  14. Example • Sets: • Plaintext P = {a, b} • Ciphertext C = {A, B, C, D} • Key space K = {1, 2, 3} • Cipher: per table on right • Probabilitity distributions: • Prp(a) = ¼ Prp(b) = ¾ • PrK(1) = ½ PrK(2) = ¼ PrK(3) = ¼ • Exercise: compute PrP,K (y) • probability distribution on ciphertext C • Exercise: compute PrP,K (x | y) • conditional distribution of plaintext given ciphertext Perfect secrecy

  15. Computation of the induced probability distributions • Given: PrP (x) PrK (k) • Probability that plaintext is x. Probability that key is k. • Assume choosing key and selecting plaintext are independent. • Then: PrP,K (y) PrP,K (x | y) PrP,K (y | x) are given by: • Probability PrP,K (y) that ciphertext is y • Probability PrP,K (y | x) that ciphertext is y given plaintext is x • Probability PrP,K (x | y) that plaintext is x given ciphertext is y • PrP,K (y) =  [ PrP (x)  PrK (k) ] • Where the sum is over all plaintext x and keys k such that ek(x) = y • PrP,K (y | x) = [  PrK (k) ] / PrP (x) • Where the sum is over all keys k such that ek(x) = y • PrP,K (x | y) = PrP,K (y | x)  PrP (x) / PrP,K (y) by Bayes Theorem Perfect secrecy

  16. So what is perfect secrecy? • Given: PrP (x) PrK (k) • Probability that plaintext is x. Probability that key is k. • Assume choosing key and selecting plaintext are independent. • Then that induces (per previous slide): • Probability PrP,K (y) that ciphertext is y • Probability PrP,K (y | x) that ciphertext is y given plaintext is x • Probability PrP,K (x | y) that plaintext is x given ciphertext is y • Informally: perfect secrecy means that the ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • Can you now give a precise definition of perfect secrecy, in terms of the above? Perfect secrecy

  17. Perfect secrecy • Definition: A cryptosystem has perfect secrecy if: • For all x in plaintext space P and y in ciphertext space C • We have PrP,K (x | y) = PrP(x) • Theorem: • Suppose the 26 keys in the Shift cipher are used with equal probability. • Then for any plaintext probability distribution, • the Shift cipher has perfect secrecy. • Note that we are encrypting a single character with a single key • Another time: the (easy) proof! Perfect secrecy

  18. What provides perfect secrecy? • Theorem: • Perfect secrecy requires |K|  |C|. • Suppose as few keys as possible, i.e. |K| = |C| = |P|. • Note: Any cryptosystem has |C|  |P|. • Then the cryptosystem has perfect secrecy iff • every key is used with equal probability, and • for every x in P and y in C,there is a unique key k such that ek (x) = y Perfect secrecy

  19. Vernam’s one-time pad • Corollary to the theorem on the previous slide: • Vigenere’s cipher provides perfect secrecy, if: • each key is equally likely, and • you encrypt a single plaintext element(i.e., encrypt m characters using a key of length m) • Cannot have perfect secrecy with shorter keys • History: • 1917: Gilbert Vernam suggested Vigenere with a binary alphabet and a long keyword. Joseph Mauborgne suggested uing a one-time pad (key as long as the message, not reused). • Widely accepted as “unbreakable”but no proof until Shannon’s work 30 years later Perfect secrecy

  20. What if keys are reused? • Summary: • We defined perfect secrecy. • We found cryptosystems that provide perfect secrecy. • But: perfect secrecy requires that we not reuse a key • Next: How secure is a cryptosystemwhen we reuse keys? • Entropy • Redundancy of a language • Spurious keys, unicity distance Perfect secrecy

  21. Entropy: motivation • Background • From information theory • Introduced by Claude Shannon in 1948. • A measure of information or uncertainty • Computed as a function of a probability distribution • Example: • Toss a coin.How many bits required to represent the result? • Toss a coin n times. Now how many bits? • What if the coin is a biased coin? Perfect secrecy

  22. Entropy: definition • Definition: • Suppose X is a random variable • with probability distribution p = p1, p2, ... pn • where pi is the probability X takes on its ith possible value. • Then the entropy of X, • written H(X), is Perfect secrecy

  23. Entropy: example • Definition of entropy: • P = {a, b}. C = {1, 2, 3, 4}. • pp: a => 1/4 b => 3/4 • pc: 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16 • Exercise: what is H(P)? H(C)? • H(P) = - [ ( 1/4  -2 ) + ( 3/4  (log2 3 - 2) ) ]  0.81 • H(C)  1.85. Perfect secrecy

  24. Spurious keys • Exercise: • Suppose Oscar is doing a ciphertext-only attack • on a string encoded using Vigenere’s cipher • where m (key length) is modest (not a one-time pad). • Oscar decrypts the message to a meaningful sentence. • Why is Oscar not done? • Answer: • 1. There may be other keys that yield other meaningful sentences. • 2. We want the key, not just the meaningful sentence. Perfect secrecy

  25. Spurious keys • Context: • Oscar is doing cipher-text only attack • Oscar has infinite computational resources • Oscar knows the plaintext is a “natural” language. • Result: • Oscar will be able to rule out certain keys. • Many “possible” keys remain. Only one key is correct. • The remaining possible, but incorrect, keysare called spurious keys. • Our goal: determine how many spurious keys. Perfect secrecy

  26. Entropy & redundancy of a language • Definitions: • Let L be a natural language (like English). • Let Pnbe a random variable whose probability distribution is that of all n-grams of plaintext in L. • The entropy HL of L is • The redundancy RL of L is • HL measures entropy per letter. • RL measures fraction of “excess characters.” Perfect secrecy

  27. Entropy & redundancy of a language • Experiments have shownthat for English: • H(P2)  7.80 • 1.0  HL  1.5 • So RL  0.75 • Exercise: does this mean you could keep only every 4th letter of a message and hope to read it? • Answer: No!This means you could hope to encode long strings of English to about 1/4 of their size, using a Huffman encoding. Perfect secrecy

  28. Number of spurious keys • Theorem: • Suppose |C| = |P| and keys are equiprobable. • Given a ciphertext of length n(where n is large enough) • the expected number sn of spurious keys satisfies • So what can you say about long ciphertext messages? • Note: the expression goes to 0 quickly as n increases Perfect secrecy

  29. Unicity distance • Definition: • The unicity distance of a cyptosystem • is the value of n (ciphertext length), denoted n0, • at which the expected number of spurious keys • becomes zero. • Theorem: • Exercise: unicity distance of the Substitution cipher? • Answer: 88.4 / (0.75  4.7)  25 Perfect secrecy

  30. Summary • Perfect secrecy. • Perfect. Provides clear sense of the ultimate: • What can be done. • How to do it (Vernam’s one-time pad). • If we reuse keys: • No longer perfect secrecy. • But the secret may not be utterly revealed, even against infinite computational resources: • Because of redundant keys • Clear answers, beautiful mathematics, but not much secrecy! • What if there are finite computational resources? Perfect secrecy

More Related