Modern Cryptography
COMP 443 / 543
Chapter 2
Alptekin Küpçü
Computer Science and Engineering, Koç University
Perfect Secrecy
Provable security
Message perfectly hidden
Secure against even a computationally unbounded adversary (as opposed to an efficient, i.e. polynomial-time, one)
Several equivalent definitions
One-Time Pad
Shannon’s results & Limitations
Clarifications
Randomized vs. deterministic encryption
Randomized vs. deterministic decryption
Probability space (redefine correctness)
Perfectly correct encryption
Key-message independence
Definition 1
Adversary's knowledge about the probability distribution of the message space should not change after seeing the ciphertext:
a posteriori = a priori
Perfect secrecy works for every probability distribution over M.
Pr[M = m | C = c] = Pr[M = m]
Quantifications: for every probability distribution over M, for every m ∈ M, and for every c ∈ C with Pr[C = c] > 0.
Definition 2
Pr[C = c | M = m] = Pr[C = c]
Prove equivalence to Definition 1 using Bayes' theorem:
Pr[M = m | C = c] · Pr[C = c] = Pr[C = c | M = m] · Pr[M = m]
For Pr[M = m] > 0 and Pr[C = c] > 0, dividing by Pr[M = m] · Pr[C = c] shows that Pr[M = m | C = c] = Pr[M = m] holds iff Pr[C = c | M = m] = Pr[C = c].
Definition 3
Perfect indistinguishability requires that the probability distribution of the ciphertexts is independent of the plaintext.
Let C(m) denote the ciphertext distribution when the plaintext is m. Perfect indistinguishability means for any two messages m0 and m1 we have C(m0) = C(m1):
Pr[C = c | M = m0] = Pr[C = c | M = m1]
Equivalence to Definition 2:
⇒ Immediately apply Definition 2 to m0 and m1: both conditional probabilities equal Pr[C = c].
⇐ Use Pr[C = c] = Σ_{m ∈ M} Pr[C = c | M = m] · Pr[M = m] and the fact that Pr[C = c | M = m] is a constant p_c (independent of m) according to Definition 3, so Pr[C = c] = p_c · Σ_{m ∈ M} Pr[M = m] = p_c = Pr[C = c | M = m].
Definition 4
Adversarial indistinguishability requires that no "computationally unbounded" adversary can distinguish at the end of a game (= experiment).
Game name PrivK^eav: private-key encryption against an eavesdropping adversary, who sees a single ciphertext and nothing else.
Parameters: protocol Π and adversary A. The PrivK^eav_{A,Π} game:
1 Challenger generates key k
2 Adversary sends m0 and m1 (both in M)
3 Challenger flips bit b ← {0,1}
4 Challenger encrypts c ← Enc_k(m_b), sends c to Adversary
5 Adversary guesses bit b'
Adversary wins if b = b'
Pr[Adversary A wins PrivK^eav_{A,Π}] = 1/2 for every adversary A iff Π is perfectly secret: the adversary can do no better than guessing b at random.
One-Time Pad (Vernam's Cipher)
Bitwise XOR ⊕
M = K = C = {0,1}^t
Key generation picks a uniformly random string k
Encryption c = m ⊕ k
Decryption m' = c ⊕ k
Correctness: m' = (m ⊕ k) ⊕ k = m, since x ⊕ x = 0 for every x.
Security intuition: ∀c ∀m ∃k s.t. c = m ⊕ k (namely k = m ⊕ c), so every ciphertext is equally consistent with every plaintext.
Proof (using Definition 3: perfect indistinguishability):
Pr[C = c | M = m] = Pr[m ⊕ K = c] = Pr[K = m ⊕ c] = 2^{-t}
This value does not depend on m, hence Pr[C = c | M = m0] = Pr[C = c | M = m1] for all m0, m1.
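The following is an added example, not part of the lecture slides: it checks Definitions 1, 3 and 4 exactly on the one-time pad over t-bit strings, and on a constructed flawed variant whose key generator is biased towards the all-zero key. The parameter t = 3, the skewed message distribution MSG_PROB and the biased key generator are assumptions made here so that the whole key and message spaces can be enumerated; all probabilities are computed as exact fractions rather than by sampling.

```python
"""Exact checks of Definitions 1, 3 and 4 on the one-time pad (added example,
not from the slides).  Messages, keys and ciphertexts are t-bit strings
encoded as ints in range(2**t); every probability is a Fraction obtained by
enumerating the key space, so there is no sampling noise."""
from fractions import Fraction

T = 3                          # assumed toy bit length t; M = K = C = {0,1}^t
SPACE = list(range(2 ** T))    # all t-bit strings as ints


def otp_enc(m: int, k: int) -> int:
    """One-time pad encryption: c = m XOR k."""
    return m ^ k


def otp_dec(c: int, k: int) -> int:
    """One-time pad decryption: (m XOR k) XOR k = m."""
    return c ^ k


def uniform_keys() -> dict:
    """OTP key generation: Pr[K = k] = 2^-t for every k."""
    return {k: Fraction(1, len(SPACE)) for k in SPACE}


def biased_keys() -> dict:
    """Constructed flaw (assumption): the all-zero key is output with
    probability 1/2, the remaining keys share the other half equally."""
    rest = Fraction(1, 2 * (len(SPACE) - 1))
    return {k: (Fraction(1, 2) if k == 0 else rest) for k in SPACE}


# Constructed skewed message distribution: Pr[M = 0] = 1/2, others 1/14 each.
MSG_PROB = {m: (Fraction(1, 2) if m == 0 else Fraction(1, 14)) for m in SPACE}


def ciphertext_distribution(enc, key_prob: dict, m: int) -> dict:
    """C(m) from Definition 3: Pr[C = c | M = m] for every c, summed over keys."""
    dist = {c: Fraction(0) for c in SPACE}
    for k, pk in key_prob.items():
        dist[enc(m, k)] += pk
    return dist


def perfectly_indistinguishable(enc, key_prob: dict) -> bool:
    """Definition 3: C(m0) == C(m1) for all m0, m1 in M."""
    reference = ciphertext_distribution(enc, key_prob, SPACE[0])
    return all(ciphertext_distribution(enc, key_prob, m) == reference for m in SPACE)


def posterior(enc, key_prob: dict, msg_prob: dict, m: int, c: int) -> Fraction:
    """Pr[M = m | C = c] via Bayes, for Definition 1.  Perfect secrecy means
    this equals the prior msg_prob[m] for every m and every c with Pr[C = c] > 0."""
    p_c = sum(ciphertext_distribution(enc, key_prob, mm)[c] * pm
              for mm, pm in msg_prob.items())
    if p_c == 0:
        raise ValueError("Pr[C = c] = 0: the posterior is undefined")
    return ciphertext_distribution(enc, key_prob, m)[c] * msg_prob[m] / p_c


def privk_eav_win_prob(enc, key_prob: dict, m0: int, m1: int, guess) -> Fraction:
    """Exact Pr[A wins PrivK^eav] (Definition 4) for an adversary that submits
    (m0, m1) and outputs b' = guess(c).  The challenge bit b is a fair coin, so
    each branch contributes 1/2 times the key mass on which the guess is right."""
    win = Fraction(0)
    for b, m in ((0, m0), (1, m1)):
        for k, pk in key_prob.items():
            if guess(enc(m, k)) == b:
                win += Fraction(1, 2) * pk
    return win


def best_guess_for(m0: int):
    """Adversary strategy: guess b' = 0 exactly when c == m0, i.e. when the key
    was all zeros.  Useless against a uniform key, decisive against the biased one."""
    return lambda c: 0 if c == m0 else 1


if __name__ == "__main__":
    for name, keys in (("uniform key", uniform_keys()), ("biased key", biased_keys())):
        print(f"{name}: Definition 3 holds: {perfectly_indistinguishable(otp_enc, keys)}")
        print(f"  Pr[M=0 | C=5] = {posterior(otp_enc, keys, MSG_PROB, 0, 5)} (prior {MSG_PROB[0]})")
        print(f"  Pr[A wins PrivK^eav] = {privk_eav_win_prob(otp_enc, keys, 0, 7, best_guess_for(0))}")
```

With the uniform key every ciphertext distribution is flat, the posterior equals the prior, and the adversary wins with probability exactly 1/2; with the biased key all three definitions fail at once, and the same adversary wins with probability 5/7, which is what Definition 4 predicts once Definition 3 is violated.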
Limitations
Key as long as message
Secure only if used once
Any perfectly secure encryption must have key space at least as big as the message space.
Proof [Hint: employ Definition 1]:
Pr[M = m | C = c] = Pr[M = m]
Suppose |K| < |M| and fix any ciphertext c with Pr[C = c] > 0. The set M(c) = {Dec_k(c) : k ∈ K} of plaintexts that could have produced c has at most |K| < |M| elements, so some m ∈ M lies outside M(c) and has Pr[M = m | C = c] = 0. For a distribution with Pr[M = m] > 0 this contradicts Definition 1.
What about decryption? The argument relies on Dec being correct and deterministic, so that M(c) is well defined and contains every plaintext consistent with c.
Shannon's Theorem
An encryption scheme with |M| = |K| = |C| is perfectly secure iff
1 Key is chosen uniformly at random from K
2 ∀c ∀m ∃k s.t. c ← Enc_k(m) (with |K| = |C| this k is unique)
Conclusions
Encryption can be secure against even computationally unbounded adversaries
Key space must be as big as message space (so such schemes are impractical in general: every message needs a fresh key at least as long as itself, exchanged securely in advance)
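The following is an added example, not part of the lecture slides: it checks Shannon's two conditions exhaustively on the one-time pad and on a constructed flawed scheme, exhibits the plaintexts an eavesdropper can rule out when |K| < |M| (the key-space bound above), and shows what key reuse leaks (the "secure only if used once" limitation). The toy bit length t = 3, the weak scheme and the 2-bit key space are assumptions made here so that all spaces can be enumerated.

```python
"""Exhaustive checks of Shannon's theorem and of the two OTP limitations on
toy ciphers (added example, not from the slides).  Messages, keys and
ciphertexts are t-bit strings encoded as ints."""
from fractions import Fraction

T = 3                          # assumed toy bit length t
SPACE = list(range(2 ** T))    # M = K = C = {0,1}^t as ints


def otp_enc(m: int, k: int) -> int:
    """One-time pad: c = m XOR k."""
    return m ^ k


def otp_dec(c: int, k: int) -> int:
    """One-time pad decryption: c XOR k."""
    return c ^ k


def weak_enc(m: int, k: int) -> int:
    """Constructed flawed scheme (assumption): XOR with the key after clearing
    its low bit.  Still correct, but only 4 of the 8 ciphertexts are reachable
    from a given m, each via two different keys."""
    return m ^ (k & 0b110)


def weak_dec(c: int, k: int) -> int:
    return c ^ (k & 0b110)


def uniform_key_prob(keys) -> dict:
    """Uniform key distribution over the given key space."""
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}


def shannon_conditions(enc, msgs, keys, key_prob: dict) -> tuple:
    """Shannon's theorem for |M| = |K| = |C|: perfectly secret iff
    (1) the key is uniform on K and (2) for every m and c there is exactly
    one k with Enc_k(m) = c.  Returns (condition1, condition2)."""
    msgs, keys = list(msgs), list(keys)
    ciphers = sorted({enc(m, k) for m in msgs for k in keys})
    if not len(msgs) == len(keys) == len(ciphers):
        raise ValueError("Shannon's theorem needs |M| = |K| = |C|")
    uniform = all(key_prob[k] == Fraction(1, len(keys)) for k in keys)
    unique = all(sum(1 for k in keys if enc(m, k) == c) == 1
                 for m in msgs for c in ciphers)
    return uniform, unique


def candidate_plaintexts(dec, keys, c: int) -> set:
    """M(c) = {Dec_k(c) : k in K}: the plaintexts with Pr[M = m | C = c] > 0.
    Its size is at most |K|."""
    return {dec(c, k) for k in keys}


def excluded_plaintexts(dec, keys, msgs, c: int) -> set:
    """Plaintexts the eavesdropper can rule out after seeing c.  Non-empty
    whenever |K| < |M|, which is exactly why Definition 1 then fails."""
    return set(msgs) - candidate_plaintexts(dec, keys, c)


def two_time_pad_leak(c0: int, c1: int) -> int:
    """Key reuse: c0 XOR c1 = (m0 XOR k) XOR (m1 XOR k) = m0 XOR m1; the key
    cancels out and the relation between the two plaintexts is exposed."""
    return c0 ^ c1


if __name__ == "__main__":
    print("OTP  (uniform, unique):", shannon_conditions(otp_enc, SPACE, SPACE, uniform_key_prob(SPACE)))
    print("weak (uniform, unique):", shannon_conditions(weak_enc, SPACE, SPACE, uniform_key_prob(SPACE)))
    short_keys = range(4)      # 2-bit keys for 3-bit messages: |K| = 4 < |M| = 8
    print("ruled out after seeing c=5 with 2-bit keys:",
          sorted(excluded_plaintexts(otp_dec, short_keys, SPACE, 5)))
    k, m0, m1 = 0b101, 0b011, 0b110
    print("two-time pad leak m0^m1 =", bin(two_time_pad_leak(otp_enc(m0, k), otp_enc(m1, k))))
```

The weak scheme keeps |M| = |K| = |C| and a uniform key, yet fails condition 2 because two keys map each m to the same c, so it is not perfectly secret; with 2-bit keys half of the message space is ruled out by a single ciphertext; and reusing a pad hands the eavesdropper m0 ⊕ m1 regardless of the key.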
Final Words
Read and understand the proof of Shannon's theorem
Solve end-of-chapter exercises 2.2 - 2.10 and 2.12 - 2.13
Some may appear in a quiz
Finish reading about mathematical background
Read chapter 3
First read until (excluding) 3.3
When done, read until (excluding) 3.6.3