Cryptography - Rose

Download Report

Transcript Cryptography - Rose

Today
• What does it mean for a cipher to be:
– Computational secure? Unconditionally secure?
• Perfect secrecy
– Conditional probability
– Definition of perfect secrecy
– Systems that provide perfect secrecy
• How secure when we reuse a key?
– Entropy
– Redundancy of a language
– Spurious keys, unicity distance
Cryptography
Perfect secrecy
Slide 1
Contact before work
• Turn to a neighbor and ask:
What do you think of this week’s homework problems?
Easy or hard? Interesting or dull?
Why or why not?
• Why do Contact Before Work?
– Helps us know our teammates.
We work better with people we know and like.
– Helps start the meeting on time.
Cryptography
Perfect secrecy
Slide 2
Announcements
• Today at 4:20:
– Mark Gritter(CSSE faculty candidate, from Stanford)
• Content Location with Name-Based Routing
• Olin 267
• Questions on homework?
– Due Thursday
• Friday: annual Undergraduate Mathematics Conference
here at Rose-Hulman!
– So no class Friday.
– We ask that you go to a talk at the conference instead!
• See schedule on Mathematics home page.
Cryptography
Perfect secrecy
Slide 3
What is perfect secrecy?
• Exercise:
– Do the following by yourself (1 minute) and then in
groups of about four (3 to 5 minutes)
• Give (mathematical) definitions for a cipher to be:
– Computationally secure
– Unconditionally secure (“perfect secrecy”)
• Consider:
Is your definition precise enough that I
– Computer-invariant? could use it to determine whether, e.g.,
– Information-invariant? cipher A is twice as computationally
– Kinds of attack?
secure as cipher B”?
Cryptography
Perfect secrecy
Slide 4
Computationally secure
• Stallings: A cipher is computationally secure if:
– Cost of breaking the cipher exceeds value of the
encrypted information
– Time required to break the cipher exceeds useful
lifetime of the encrypted information
• Is this:
– Computer-invariant?
– Information-invariant?
– Practical to determine?
Cryptography
I find Stalling’s definition
unsatisfying. Can you do better?
Perfect secrecy
Slide 5
Unconditionally secure
• Stallings: A cipher is:
– Computationally secure if:
• Cost of breaking the cipher exceeds value of the encrypted
information
• Time required to break the cipher exceeds useful lifetime of the
encrypted information
– Unconditionally secure if: Huh? Can we be more precise?
• Ciphertext generated does not contain enough information to
determine uniquely the corresponding plaintext
– No matter how much ciphertext
– No matter how much time/resources available to attacker
Cryptography
Perfect secrecy
Slide 6
Where we are going:
• Unconditionally secure:
– Ciphertext generated does not contain enough information to
determine uniquely the corresponding plaintext
• To make this precise, we need:
– What is a cipher?
– What does it mean to determine the plaintext? Uniquely?
• We will see that:
– Shift cipher, substitution cipher, Vigenere cipher are:
• Not computationally secure
– against even a ciphertext-only attack,
– given a sufficient amount of ciphertext
• Unconditionally secure (!)
– if [an important condition that we will see soon] [can you guess it?]
Cryptography
Perfect secrecy
Slide 7
What is a cryptosystem?
• Three finite sets:
– P = set of possible plaintexts
– C = set of possible ciphertexts
– K = set of possible keys
• Encryption and decryption functions e and d.
For each k in K:
– ek : P C
dk : C  P
• Exercise: What has to be true of ek and dk?
• Answer: for any plaintext x and key k:
dk(ek(x)) = x
Cryptography
Perfect secrecy
Slide 8
Conditional probability
• So now we know:
– What is a cipher?
• Next:
– What does it mean to determine the plaintext? Uniquely?
• To answer this, we need probability theory:
–
–
–
–
–
–
random variable, sample space
probability distribution
joint probability distribution
conditional probability distribution
independent random variables
Bayes’ theorem
Cryptography
Perfect secrecy
Slide 9
Random variable
Probability distribution
• Definition: A random variable
– is a function from the sample space to a set of numbers
• (for us, the nonnegative integers)
• Examples:
– The number of aces in a bridge hand
– The number of multiple birthdays in a room of n people
• I’ll assume discrete random variables throughout these notes
• Definition: The probability distribution of a random variable X
– Gives, for each possible value x that X can take, the probability of x
– Written Pr (x)
• Example:
– Let X = number of heads after 3 coin tosses.
• p(0) = 1/8
Cryptography
p(1) = 3/8
p(2) = 3/8
Perfect secrecy
p(3) = 1/8
Slide 10
Joint probability distribution
Conditional probability distribution
• Definitions: Let X and Y be random variables.
– The joint probability Pr (x, y) is the probability that X is x and Y is y.
– The conditional probability Pr ( x | y ) is the probability that X is x
given that Y is y and is (by definition) Pr (x, y) / Pr (y)
• In the example to the right:
X
– Pr (c, B)? Pr (b, B)?
– Pr (a | B )? Pr (B | a)?
a
• Answers:
– Pr (c, B) = 0.05 Pr (b, B) = 0.25
– Pr (a | B ) =
0.10 / (0.10 + 0.25 + 0.05) = 0.4
– Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7
Cryptography
Perfect secrecy
Y
b
c
A
0.25 0.15 0.20
B
0.10 0.25 0.05
Slide 11
Independent random variables
• Definition:
– Random variables X and Y are independent
– if Pr (x | y) = Pr (x) for all x, y.
• Equivalently, if Pr (x, y) = Pr (x)  Pr (y) for all x, y.
• Examples
– X and Y on previous slide are not independent
– # of heads in toss A,# in toss B: independent
Cryptography
Perfect secrecy
Slide 12
Application to ciphers
• Assume
– PrP (x)
• probability distribution on plaintext space P
– PrK(k)
• probability distribution on key space K
– Choosing the key and selecting the plaintext are independent
• These induce:
– PrP,K (y)
• probability distribution on ciphertext C
Example and details
on next slides.
– PrP,K (x, y)
• joint probability distribution of plaintext and ciphertext
– PrP,K (x | y)
• conditional distribution of plaintext given ciphertext
Cryptography
Perfect secrecy
Slide 13
Example
• Sets:
Cipher
a
b
1
A
B
2
B
C
3
C
D
– Plaintext P = {a, b}
– Ciphertext C = {A, B, C, D}
– Key space K = {1, 2, 3}
• Cipher: per table on right
• Probabilitity distributions:
– Prp(a) = ¼
– PrK(1) = ½
Prp(b) = ¾
PrK(2) = ¼
• Exercise: compute PrP,K (y)
PrK(3) = ¼
– probability distribution on ciphertext C
• Exercise: compute PrP,K (x | y)
– conditional distribution of plaintext given ciphertext
Cryptography
Perfect secrecy
Slide 14
Computation of the induced
probability distributions
• Given: PrP (x)
PrK (k)
• Probability that plaintext is x. Probability that key is k.
• Assume choosing key and selecting plaintext are independent.
• Then: PrP,K (y)
PrP,K (x | y)
PrP,K (y | x) are given by:
• Probability PrP,K (y) that ciphertext is y
• Probability PrP,K (y | x) that ciphertext is y given plaintext is x
• Probability PrP,K (x | y) that plaintext is x given ciphertext is y
– PrP,K (y) =  [ PrP (x)  PrK (k) ]
• Where the sum is over all plaintext x and keys k such that ek(x) = y
– PrP,K (y | x) = [  PrK (k) ] / PrP (x)
• Where the sum is over all keys k such that ek(x) = y
– PrP,K (x | y) = PrP,K (y | x)  PrP (x) / PrP,K (y) by Bayes Theorem
Cryptography
Perfect secrecy
Slide 15
So what is perfect secrecy?
• Given: PrP (x) PrK (k)
• Probability that plaintext is x. Probability that key is k.
• Assume choosing key and selecting plaintext are independent.
• Then that induces (per previous slide):
• Probability PrP,K (y) that ciphertext is y
• Probability PrP,K (y | x) that ciphertext is y given plaintext is x
• Probability PrP,K (x | y) that plaintext is x given ciphertext is y
• Informally: perfect secrecy means that the ciphertext
generated does not contain enough information to determine
uniquely the corresponding plaintext
– Can you now give a precise definition of perfect secrecy, in terms of
the above?
Cryptography
Perfect secrecy
Slide 16
Perfect secrecy
• Definition: A cryptosystem has perfect secrecy if:
– For all x in plaintext space P and y in ciphertext space C
– We have PrP,K (x | y) = PrP (x)
• Theorem:
– Suppose the 26 keys in the Shift cipher are used with
equal probability.
– Then for any plaintext probability distribution,
– the Shift cipher has perfect secrecy.
• Note that we are encrypting a single character with a single key
• Another time: the (easy) proof!
Cryptography
Perfect secrecy
Slide 17
What provides perfect secrecy?
• Theorem:
– Perfect secrecy requires |K|  |C|.
– Suppose as few keys as possible, i.e. |K| = |C| = |P|.
• Note: Any cryptosystem has |C|  |P|.
– Then the cryptosystem has perfect secrecy iff
• every key is used with equal probability, and
• for every x in P and y in C,
there is a unique key k such that ek (x) = y
Cryptography
Perfect secrecy
Slide 18
Vernam’s one-time pad
• Corollary to the theorem on the previous slide:
– Vigenere’s cipher provides perfect secrecy, if:
• each key is equally likely, and
• you encrypt a single plaintext element
(i.e., encrypt m characters using a key of length m)
– Cannot have perfect secrecy with shorter keys
– History:
• 1917: Gilbert Vernam suggested Vigenere with a binary
alphabet and a long keyword. Joseph Mauborgne suggested
uing a one-time pad (key as long as the message, not reused).
• Widely accepted as “unbreakable”
but no proof until Shannon’s work 30 years later
Cryptography
Perfect secrecy
Slide 19
What if keys are reused?
• Summary:
– We defined perfect secrecy.
– We found cryptosystems that provide perfect secrecy.
– But: perfect secrecy requires that we not reuse a key
• Next: How secure is a cryptosystem
when we reuse keys?
– Entropy
– Redundancy of a language
– Spurious keys, unicity distance
Cryptography
Perfect secrecy
Slide 20
Entropy: motivation
• Background
–
–
–
–
From information theory
Introduced by Claude Shannon in 1948.
A measure of information or uncertainty
Computed as a function of a probability distribution
• Example:
– Toss a coin.
How many bits required to represent the result?
– Toss a coin n times. Now how many bits?
• What if the coin is a biased coin?
Cryptography
Perfect secrecy
Slide 21
Entropy: definition
• Definition:
– Suppose X is a random variable
– with probability distribution p = p1, p2, ... pn
– where pi is the probability X takes on its ith possible
value.
– Then the entropy of X,
– written H(X), is
n
H ( X )   pi log2 pi
i 1
Cryptography
Perfect secrecy
Slide 22
Entropy: example
n
• Definition of entropy:
H ( X )   pi log2 pi
i 1
• P = {a, b}. C = {1, 2, 3, 4}.
–
–
–
–
pp: a => 1/4 b => 3/4
pc: 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16
Exercise: what is H(P)? H(C)?
H(P) = - [ ( 1/4  -2 ) + ( 3/4  (log2 3 - 2) ) ]
 0.81
– H(C)  1.85.
Cryptography
Perfect secrecy
Slide 23
Spurious keys
• Exercise:
–
–
–
–
–
Suppose Oscar is doing a ciphertext-only attack
on a string encoded using Vigenere’s cipher
where m (key length) is modest (not a one-time pad).
Oscar decrypts the message to a meaningful sentence.
Why is Oscar not done?
• Answer:
– 1. There may be other keys that yield other meaningful sentences.
– 2. We want the key, not just the meaningful sentence.
Cryptography
Perfect secrecy
Slide 24
Spurious keys
• Context:
– Oscar is doing cipher-text only attack
– Oscar has infinite computational resources
– Oscar knows the plaintext is a “natural” language.
• Result:
– Oscar will be able to rule out certain keys.
– Many “possible” keys remain. Only one key is correct.
– The remaining possible, but incorrect, keys
are called spurious keys.
• Our goal: determine how many spurious keys.
Cryptography
Perfect secrecy
Slide 25
Entropy & redundancy of a language
• Definitions:
– Let L be a natural language (like English).
– Let Pn be a random variable whose probability
distribution is that of all n-grams of plaintext in L.
– The entropy HL of L is
H (P n )
H L  lim
n 
n
– The redundancy RL of L is
HL
RL  1 
log2 | P |
• HL measures entropy per letter.
• RL measures fraction of “excess characters.”
Cryptography
Perfect secrecy
Slide 26
Entropy & redundancy of a language
• Experiments have shown
that for English:
H (P n )
H L  lim
n 
n
HL
RL  1 
log2 | P |
– H(P2)  7.80
– 1.0  HL  1.5
– So RL  0.75
• Exercise: does this mean you could keep only every 4th letter
of a message and hope to read it?
• Answer: No!
This means you could hope to encode long strings of English
to about 1/4 of their size, using a Huffman encoding.
Cryptography
Perfect secrecy
Slide 27
Number of spurious keys
• Theorem:
– Suppose |C| = |P| and keys are equiprobable.
– Given a ciphertext of length n (where n is large enough)
– the expected number sn of spurious keys satisfies
sn 
|K|
| P | nRL
1
• So what can you say about long ciphertext messages?
• Note: the expression goes to 0 quickly as n increases
Cryptography
Perfect secrecy
Slide 28
Unicity distance
• Definition:
–
–
–
–
The unicity distance of a cyptosystem
is the value of n (ciphertext length), denoted n0,
at which the expected number of spurious keys
becomes zero.
log | K |
• Theorem:
n0 
2
RL log2 | P |
– Exercise: unicity distance of the Substitution cipher?
– Answer: 88.4 / (0.75  4.7)  25
Cryptography
Perfect secrecy
Slide 29
Summary
• Perfect secrecy.
– Perfect. Provides clear sense of the ultimate:
• What can be done.
• How to do it (Vernam’s one-time pad).
• If we reuse keys:
– No longer perfect secrecy.
– But the secret may not be utterly revealed, even against infinite
computational resources:
• Because of redundant keys
– Clear answers, beautiful mathematics, but not much secrecy!
• What if there are finite computational resources?
Cryptography
Perfect secrecy
Slide 30