300 likes | 393 Vues
Today. What does it mean for a cipher to be: Computational secure? Unconditionally secure? Perfect secrecy Conditional probability Definition of perfect secrecy Systems that provide perfect secrecy How secure when we reuse a key? Entropy Redundancy of a language
E N D
Today • What does it mean for a cipher to be: • Computational secure? Unconditionally secure? • Perfect secrecy • Conditional probability • Definition of perfect secrecy • Systems that provide perfect secrecy • How secure when we reuse a key? • Entropy • Redundancy of a language • Spurious keys, unicity distance Perfect secrecy
Contact before work • Turn to a neighbor and ask: What do you think of this week’s homework problems?Easy or hard? Interesting or dull?Why or why not? • Why do Contact Before Work? • Helps us know our teammates.We work better with people we know and like. • Helps start the meeting on time. Perfect secrecy
Announcements • Today at 4:20: • Mark Gritter(CSSE faculty candidate, from Stanford) • Content Location with Name-Based Routing • Olin 267 • Questions on homework? • Due Thursday • Friday: annual Undergraduate Mathematics Conference here at Rose-Hulman! • So no class Friday. • We ask that you go to a talk at the conference instead! • See schedule on Mathematics home page. Perfect secrecy
What is perfect secrecy? • Exercise: • Do the following by yourself (1 minute) and then in groups of about four (3 to 5 minutes) • Give (mathematical) definitions for a cipher to be: • Computationally secure • Unconditionally secure (“perfect secrecy”) • Consider: • Computer-invariant? • Information-invariant? • Kinds of attack? Is your definition precise enough that I could use it to determine whether, e.g., cipher A is twice as computationally secure as cipher B”? Perfect secrecy
Computationally secure • Stallings: A cipher is computationally secure if: • Cost of breaking the cipher exceeds value of the encrypted information • Time required to break the cipher exceeds useful lifetime of the encrypted information • Is this: • Computer-invariant? • Information-invariant? • Practical to determine? I find Stalling’s definition unsatisfying. Can you do better? Perfect secrecy
Unconditionally secure • Stallings: A cipher is: • Computationally secure if: • Cost of breaking the cipher exceeds value of the encrypted information • Time required to break the cipher exceeds useful lifetime of the encrypted information • Unconditionally secure if: • Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • No matter how much ciphertext • No matter how much time/resources available to attacker Huh? Can we be more precise? Perfect secrecy
Where we are going: • Unconditionally secure: • Ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • To make this precise, we need: • What is a cipher? • What does it mean to determine the plaintext? Uniquely? • We will see that: • Shift cipher, substitution cipher, Vigenere cipher are: • Not computationally secure • against even a ciphertext-only attack, • given a sufficient amount of ciphertext • Unconditionally secure (!) • if [an important condition that we will see soon] [can you guess it?] Perfect secrecy
What is a cryptosystem? • Three finite sets: • P = set of possible plaintexts • C = set of possible ciphertexts • K = set of possible keys • Encryption and decryption functions e and d.For each k in K: • ek : P C dk : C P • Exercise: What has to be true of ek and dk? • Answer: for any plaintext x and key k:dk(ek(x)) = x Perfect secrecy
Conditional probability • So now we know: • What is a cipher? • Next: • What does it mean to determine the plaintext? Uniquely? • To answer this, we need probability theory: • random variable, sample space • probability distribution • joint probability distribution • conditional probability distribution • independent random variables • Bayes’ theorem Perfect secrecy
Random variableProbability distribution • Definition: A random variable • is a function from the sample space to a set of numbers • (for us, the nonnegative integers) • Examples: • The number of aces in a bridge hand • The number of multiple birthdays in a room of n people • I’ll assume discrete random variables throughout these notes • Definition: The probability distribution of a random variable X • Gives, for each possible value x that X can take, the probability of x • Written Pr (x) • Example: • Let X = number of heads after 3 coin tosses. • p(0) = 1/8 p(1) = 3/8 p(2) = 3/8 p(3) = 1/8 Perfect secrecy
Joint probability distributionConditional probability distribution • Definitions: Let X and Y be random variables. • The joint probabilityPr (x, y) is the probability that X is xandY is y. • The conditional probabilityPr ( x | y ) is the probability that X is xgiven that Y is y and is (by definition) Pr (x, y) / Pr (y) • In the example to the right: • Pr (c, B)? Pr (b, B)? • Pr (a | B )? Pr (B | a)? • Answers: • Pr (c, B) = 0.05 Pr (b, B) = 0.25 • Pr (a | B ) = 0.10 / (0.10 + 0.25 + 0.05) = 0.4 • Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7 Perfect secrecy
Independent random variables • Definition: • Random variables X and Y are independent • if Pr (x | y) = Pr (x) for all x, y. • Equivalently, if Pr (x, y) = Pr (x) Pr (y) for all x, y. • Examples • X and Y on previous slide are not independent • # of heads in toss A,# in toss B: independent Perfect secrecy
Application to ciphers • Assume • PrP (x) • probability distribution on plaintext space P • PrK(k) • probability distribution on key space K • Choosing the key and selecting the plaintext are independent • These induce: • PrP,K (y) • probability distribution on ciphertext C • PrP,K (x, y) • joint probability distribution of plaintext and ciphertext • PrP,K (x | y) • conditional distribution of plaintext given ciphertext Example and details on next slides. Perfect secrecy
Example • Sets: • Plaintext P = {a, b} • Ciphertext C = {A, B, C, D} • Key space K = {1, 2, 3} • Cipher: per table on right • Probabilitity distributions: • Prp(a) = ¼ Prp(b) = ¾ • PrK(1) = ½ PrK(2) = ¼ PrK(3) = ¼ • Exercise: compute PrP,K (y) • probability distribution on ciphertext C • Exercise: compute PrP,K (x | y) • conditional distribution of plaintext given ciphertext Perfect secrecy
Computation of the induced probability distributions • Given: PrP (x) PrK (k) • Probability that plaintext is x. Probability that key is k. • Assume choosing key and selecting plaintext are independent. • Then: PrP,K (y) PrP,K (x | y) PrP,K (y | x) are given by: • Probability PrP,K (y) that ciphertext is y • Probability PrP,K (y | x) that ciphertext is y given plaintext is x • Probability PrP,K (x | y) that plaintext is x given ciphertext is y • PrP,K (y) = [ PrP (x) PrK (k) ] • Where the sum is over all plaintext x and keys k such that ek(x) = y • PrP,K (y | x) = [ PrK (k) ] / PrP (x) • Where the sum is over all keys k such that ek(x) = y • PrP,K (x | y) = PrP,K (y | x) PrP (x) / PrP,K (y) by Bayes Theorem Perfect secrecy
So what is perfect secrecy? • Given: PrP (x) PrK (k) • Probability that plaintext is x. Probability that key is k. • Assume choosing key and selecting plaintext are independent. • Then that induces (per previous slide): • Probability PrP,K (y) that ciphertext is y • Probability PrP,K (y | x) that ciphertext is y given plaintext is x • Probability PrP,K (x | y) that plaintext is x given ciphertext is y • Informally: perfect secrecy means that the ciphertext generated does not contain enough information to determine uniquely the corresponding plaintext • Can you now give a precise definition of perfect secrecy, in terms of the above? Perfect secrecy
Perfect secrecy • Definition: A cryptosystem has perfect secrecy if: • For all x in plaintext space P and y in ciphertext space C • We have PrP,K (x | y) = PrP(x) • Theorem: • Suppose the 26 keys in the Shift cipher are used with equal probability. • Then for any plaintext probability distribution, • the Shift cipher has perfect secrecy. • Note that we are encrypting a single character with a single key • Another time: the (easy) proof! Perfect secrecy
What provides perfect secrecy? • Theorem: • Perfect secrecy requires |K| |C|. • Suppose as few keys as possible, i.e. |K| = |C| = |P|. • Note: Any cryptosystem has |C| |P|. • Then the cryptosystem has perfect secrecy iff • every key is used with equal probability, and • for every x in P and y in C,there is a unique key k such that ek (x) = y Perfect secrecy
Vernam’s one-time pad • Corollary to the theorem on the previous slide: • Vigenere’s cipher provides perfect secrecy, if: • each key is equally likely, and • you encrypt a single plaintext element(i.e., encrypt m characters using a key of length m) • Cannot have perfect secrecy with shorter keys • History: • 1917: Gilbert Vernam suggested Vigenere with a binary alphabet and a long keyword. Joseph Mauborgne suggested uing a one-time pad (key as long as the message, not reused). • Widely accepted as “unbreakable”but no proof until Shannon’s work 30 years later Perfect secrecy
What if keys are reused? • Summary: • We defined perfect secrecy. • We found cryptosystems that provide perfect secrecy. • But: perfect secrecy requires that we not reuse a key • Next: How secure is a cryptosystemwhen we reuse keys? • Entropy • Redundancy of a language • Spurious keys, unicity distance Perfect secrecy
Entropy: motivation • Background • From information theory • Introduced by Claude Shannon in 1948. • A measure of information or uncertainty • Computed as a function of a probability distribution • Example: • Toss a coin.How many bits required to represent the result? • Toss a coin n times. Now how many bits? • What if the coin is a biased coin? Perfect secrecy
Entropy: definition • Definition: • Suppose X is a random variable • with probability distribution p = p1, p2, ... pn • where pi is the probability X takes on its ith possible value. • Then the entropy of X, • written H(X), is Perfect secrecy
Entropy: example • Definition of entropy: • P = {a, b}. C = {1, 2, 3, 4}. • pp: a => 1/4 b => 3/4 • pc: 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16 • Exercise: what is H(P)? H(C)? • H(P) = - [ ( 1/4 -2 ) + ( 3/4 (log2 3 - 2) ) ] 0.81 • H(C) 1.85. Perfect secrecy
Spurious keys • Exercise: • Suppose Oscar is doing a ciphertext-only attack • on a string encoded using Vigenere’s cipher • where m (key length) is modest (not a one-time pad). • Oscar decrypts the message to a meaningful sentence. • Why is Oscar not done? • Answer: • 1. There may be other keys that yield other meaningful sentences. • 2. We want the key, not just the meaningful sentence. Perfect secrecy
Spurious keys • Context: • Oscar is doing cipher-text only attack • Oscar has infinite computational resources • Oscar knows the plaintext is a “natural” language. • Result: • Oscar will be able to rule out certain keys. • Many “possible” keys remain. Only one key is correct. • The remaining possible, but incorrect, keysare called spurious keys. • Our goal: determine how many spurious keys. Perfect secrecy
Entropy & redundancy of a language • Definitions: • Let L be a natural language (like English). • Let Pnbe a random variable whose probability distribution is that of all n-grams of plaintext in L. • The entropy HL of L is • The redundancy RL of L is • HL measures entropy per letter. • RL measures fraction of “excess characters.” Perfect secrecy
Entropy & redundancy of a language • Experiments have shownthat for English: • H(P2) 7.80 • 1.0 HL 1.5 • So RL 0.75 • Exercise: does this mean you could keep only every 4th letter of a message and hope to read it? • Answer: No!This means you could hope to encode long strings of English to about 1/4 of their size, using a Huffman encoding. Perfect secrecy
Number of spurious keys • Theorem: • Suppose |C| = |P| and keys are equiprobable. • Given a ciphertext of length n(where n is large enough) • the expected number sn of spurious keys satisfies • So what can you say about long ciphertext messages? • Note: the expression goes to 0 quickly as n increases Perfect secrecy
Unicity distance • Definition: • The unicity distance of a cyptosystem • is the value of n (ciphertext length), denoted n0, • at which the expected number of spurious keys • becomes zero. • Theorem: • Exercise: unicity distance of the Substitution cipher? • Answer: 88.4 / (0.75 4.7) 25 Perfect secrecy
Summary • Perfect secrecy. • Perfect. Provides clear sense of the ultimate: • What can be done. • How to do it (Vernam’s one-time pad). • If we reuse keys: • No longer perfect secrecy. • But the secret may not be utterly revealed, even against infinite computational resources: • Because of redundant keys • Clear answers, beautiful mathematics, but not much secrecy! • What if there are finite computational resources? Perfect secrecy