jonathan katz •yehuda lindell chapter 2 : perfectly...

INTRODUCTION TO

MODERN CRYPTOGRAPHY

_ Second Edition _ Jonathan Katz •Yehuda Lindell

1

Chapter 2 : Perfectly-Secret Encryption

COMP547 Claude Crépeau

2.1 Definitions and Basic Properties

We refer to probability distributions over K, M, and C .

The distribution over K is simply the one that is definedby running Gen.

We let Pr[K = k] denote the probability that the keyoutput by Gen is equal to k. (K is a random variable.)

We let Pr[M = m] denote the probability that themessage is equal to m.

2

Definitions and Basic Properties

As an example, the adversary may know that theencrypted message is either

‟attack tomorrow” or ‟don’t attack”.

The adversary may even know (by other means) thatwith probability 0.7 the message will be a commandto attack and with probability 0.3 the opposite. In thiscase, we have

Pr[M = ‟attack tomorrow”] = 0.7 andPr[M = ‟don’t attack”] = 0.3.

3


The distributions over K and M are independent.

This is the case because the key is chosen andfixed (i.e., shared by the communicating parties)before the message (and its distribution) is known.

The distribution over K is fixed by the encryptionscheme itself (since it is defined by Gen)

4


The distribution over M may vary depending onthe parties who are using the cipher.

For c ∈ C , we write Pr[C = c] to denote theprobability that the ciphertext C be c.

Given the encryption algorithm Enc, thedistribution over C is fully determined by thedistributions over K and M (and the randomnessof the encryption algorithm in case it is aprobabilistic algorithm).

5

The Definition

Intuitively, we imagine an adversary who knows theprobability distribution over M ; that is, the adversaryknows the likelihood that different messages will besent (as in the example given above).

The adversary then observes some ciphertext beingsent by one party to the other.

6

The Definition

Ideally, observing this ciphertext should have noeffect on the knowledge of the adversary

In other words, the a posteriori likelihood thatsome message m was sent (even given theciphertext that was seen) should be no differentfrom the a priori probability that m would be sent.

This should hold for any m ∈ M.

7

The Definition

M

MM|cM|c

Insecure

8

The Definition

M

M

c

M|cM|c

Insecure

8

The Definition

M

MM|cM|c

Secure

9

The Definition

M

M

c

M|cM|c

Secure

9

Perfect Secrecy

DEFINITION 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C for which Pr[C = c] > 0 : Pr[M = m | C = c] = Pr[M = m].

10

Perfect Secrecy

Another way o f i n te rpre t i ng Definition 2.3 is that a scheme is perfectly secret if the distributions over plaintexts and ciphertexts are independent.

11

Perfect indistinguishability

LEMMA 2.4 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, for every m, m′ ∈ M, and every c ∈ C,

Pr[EncK(m) = c] = Pr[EncK(m′) = c].

12


PROOFWe show that if the stated condition holds, then the scheme is perfectly secret; the converse is left to Exercise 2.4.

Fix a distribution over M, a message m, and a ciphertext c for which Pr[C = c] > 0. If Pr[M = m] = 0 then we trivially have

Pr[M = m | C = c] = 0 = Pr[M = m].

So, assume Pr[M = m] > 0.

13


PROOFNotice first that

Pr[C = c|M = m] = Pr[EncK(M) = c|M = m] = Pr[EncK(m) = c], where the first equality is by definition of the random variable C, and the second is because we condition on the event that M is equal to m.

Set δc =def Pr[EncK(m) = c] = Pr[C = c | M = m]. If the condition of the lemma holds, then for every m′∈M we have Pr[EncK(m′) = c] = Pr[C = c|M = m′] = δc.

14


Using Bayes’ Theorem, we thus havePr[M = m | C = c] = Pr[C = c | M = m]· Pr[M = m] Pr[C = c] = ︎ Pr[C = c|M = m]· Pr[M = m] ∑m′∈M Pr[C = c | M = m′]· Pr[M = m′] = ︎ δc· Pr[M =m] . ∑m′∈M δc· Pr[M = m′] = ︎ Pr[M=m] = Pr[M=m], ∑m′∈M Pr[M = m′]where the summation is over m′∈M with Pr[M=m′]>0.

15

PROOFWe conclude that for every m ∈ M and c ∈ C for which

Pr[C = c] > 0, it holds that

Pr[M = m | C = c] = Pr[M = m],

and so the scheme is perfectly secret.


16

Adversarial indistinguishability.

This other definition is based on an experimentinvolving an adversary A, and formalizes A’s inabilityto distinguish the encryption of one plaintext fromthe encryption of another; we thus call it adversarialindistinguishability.

This definition will serve as our starting point whenwe introduce the notion of computational security inthe next chapter.

17


The experiment is defined for any encryptionscheme Π = (Gen, Enc, Dec) over messagespace M and for any adversary A.

We let PrivKeAa,vΠ denote an execution of the

experiment for a given Π and A.The experiment isdefined as follows:

18

m0, m1 ∈ M

b = b′ ?

c

b b′

PrivKeAa,vΠ

Ac ← Enck(mb)b ← { 0, 1 }k ← Gen

19


PrivKeAa,vΠ :

1. Adversary A outputs a pair of messages m0, m1 ∈ M.

2. A random key k is generated by running Gen, and arandom bit b ← { 0, 1 } is chosen (by some imaginaryentity that is running the experiment with A.) Aciphertext c ← Enck(mb) is computed and given to A.

3. A outputs a bit b′.

4.The output of the experiment is defined to be 1 ifb′ = b, and 0 otherwise.

20


We write PrivKeAa,vΠ = 1 if the output is 1 and in

this case we say that A succeeded.

One should think of A as trying to guess the value ofb that is chosen in the experiment, and A succeedswhen its guess b′ is correct.

The alternate definition we now give states that anencryption scheme is perfectly secret if no adversaryA can succeed with probability any better than 1/2.

21

Pr[ b = b′ ] = 1/2

perfectly secretb b′

A

m0, m1 ∈ M

c ← Enck(mb)b ← { 0, 1 }k ← Gen

c

PrivKeAa,vΠ

22


DEFINITION 2.5 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that Pr[ PrivKe

Aa,vΠ = 1 ] = 1/2 .

23


PROPOSITION 2.6 Let (Gen, Enc, Dec) be an encryption scheme over a message space M . Then (Gen, Enc, Dec) is perfectly secret with respect to Definition 2.3 if and only if it is perfectly secret with respect to Definition 2.5.

24

3 Equivalent Formulations

DEFINITION 2.5 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that Pr[ PrivKeAa,vΠ = 1 ] = 1/2 .

DEFINITION 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C for which Pr[C = c] > 0 : Pr[M = m | C = c] = Pr[M = m].

LEMMA 2.4 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, for every m, m′ ∈ M, and every c ∈ C,

Pr[EncK(m) = c] = Pr[EncK(m′) = c].

25

INTRODUCTION TO

MODERN CRYPTOGRAPHY


26



2.2 The One-Time Pad (Vernam’s Cipher)

In 1917, Vernam patented a cipher now called the one-time pad. There was no proof of perfect secrecy at thetime.

Rather, approximately 25 years later, Shannon introducedthe notion of perfect secrecy and demonstrated that theone-time pad achieves this level of security.

The invention of the one-time pad is generally creditedto Gilbert S. Vernam and Joseph O. Mauborgne. It wasindeed invented 35 years earlier by a Sacramento bankernamed Frank Miller. 27

The One-Time Pad

One-time pad encryption is defined as follows:

1. Fix an integer ℓ> 0. Then the message space M,

key space K, and ciphertext space C are all {0, 1}ℓ.

2. The key-generation algorithm Gen works byuniformly choosing a string from K = {0, 1}ℓ.

28

The One-Time Pad

Let a ⊕ b denote the bitwise exclusive-or (XOR) ofbinary strings a and b.

1. Encryption Enc : given a key k ∈ { 0, 1 }ℓ and a

message m ∈ {0, 1}ℓ, output c := k ⊕ m.

2. Decryption Dec : given a key k ∈ { 0, 1 }ℓ and a

ciphertext c ∈ {0, 1}ℓ, output m := k ⊕ c.

29

The One-Time Pad

Before discussing the security of the one-time pad, we note that Deck(Enck(m)) = k ⊕ k ⊕ m = m(a correct encryption scheme).

Intuitively, the one-time pad is perfectly secret because given a ciphertext c, there is no way to know which plaintext m it comes from.

31

The One-Time Pad

In order to see why this is true, notice that forevery possible m there exists a key k such thatc = Enck(m); namely, take k = m ⊕ c.

Each key is chosen with uniform probability (andhidden from the adversary) and so no key is morelikely than any other.

32

The One-Time Pad

THEOREM 2.9 The one-time pad encryption scheme is perfectly-secret. PROOF Fix some distribution over M and fix arbitrary m ∈ M and c ∈ C . The key observation is that for the one-time pad, Pr[C = c | M = m] = Pr[M ⊕ K = c | M = m] = Pr[m ⊕ K = c] = Pr[K = m ⊕ c] = 1/2ℓ.

33

The One-Time Pad

Now fix any probability distribution over M. For any c ∈ C , we havePr[C = c] = ∑m∈M Pr[C = c | M = m]· Pr[M = m]

= ∑m∈M Pr[M = m] / 2ℓ = 1︎/2ℓ

where the summation is over m∈M with Pr[M=m]>0.

34

The One-Time Pad

Using Bayes’ Theorem, we thus have

Pr[M = m | C = c] = Pr[C = c | M = m]· Pr[M = m] Pr[C = c] = 1︎/2ℓ· Pr[M = m] 1︎/2ℓ

= Pr[M = m]We conclude that the one-time pad is perfectly secret.

35

The One-Time Pad

Unfortunately, the one-time pad encryptionscheme has a number of drawbacks.

the key is required to be as long as the message.

a long key must be securely stored,

limits applicability of the scheme if we send verylong messages

As the name indicates — One-time pad is only“secure” if keys are used once.

36

The One-Time Pad

In particular, say two messages m, m′ are encryptedusing the same key k.

An adversary who obtains c = m ⊕ k and c′ = m′ ⊕ kcan compute c ⊕ c′ = (m ⊕ k) ⊕ (m′ ⊕ k) = m ⊕ m′and thus learn something about the exclusive-or of thetwo messages.

If the messages correspond to English-language text, thengiven the exclusive-or of two sufficiently-long messages,it has been shown to be possible to perform frequencyanalysis and recover the messages.

37

2.3 Limitations of Perfect Secrecy

We prove that any perfectly-secret encryptionscheme must have a key space that is at least aslarge as the message space.

If the key space consists of fixed-length keys, andthe message space consists of all messages of somefixed length, this implies that the key must be atleast as long as the message.

The other limitation regarding the fact that the keycan only be used once is also inherent.

39

Limitations of Perfect Secrecy

THEOREM 2.10 Let (Gen, Enc, Dec) be a perfectly-secret encryption scheme over a message space M, and let K be the key space as determined by Gen. Then |K | ≥ |M |.

40


PROOF

We show that if |K | < |M | then the scheme is not perfectly secret. Assume |K | < |M |. Consider the uniform distribution over M and let c ∈ C be a ciphertext that occurs with non-zero probability.

Let M(c) be the set of all possible messages which are possible decryptions of c; that is M(c) def= { m | m = Deck(c) for some k ∈ K }.

41


Clearly |M(c)| ≤ |K | since for each messagem ∈ M(c) we can identify at least one key k ∈ K for which m = Deck(c). (Recall that we assume Dec is deterministic.)

Under the assumption that |K | < |M |, this means that there is some m′ ∈ M such that m′ ∉ M(c). But then Pr[M = m′ | C = c] = 0 ≠ Pr[M = m′],and so the scheme is not perfectly secret.

42

Perfect secrecy at a lower price?

The theorem shows an inherent limitation ofschemes that achieve perfect secrecy.

Even so, it is often claimed by individuals and/orcompanies that they have developed a radicallynew encryption scheme that is unbreakable andachieves the security level of the one-time padwithout using long keys.The above proofdemonstrates that such claims cannot be true; theperson claiming them either knows very littleabout cryptography or is blatantly lying.

43

2.4 Shannon’ s Theorem

44

2.4 Shannon’ s Theorem

THEOREM 2.11 (Shannon’s theorem) Let (Gen, Enc, Dec) be an encryption scheme overa message space M for which |M | = |K | = |C |.The scheme is perfectly secret if and only if:

1. Every k ∈ K is chosen with equal prob.= 1/|K | by Gen.

2. For every m ∈ M and every c ∈ C , there exists a unique key k ∈ K such that Enck(m) outputs c.

45

Uses of Shannon’ s theorem.

Theorem 2.11 is of interest in its own right in that itessentially gives a complete characterization of perfectly-secret encryption schemes.

In addition, since items (1) and (2) have nothing to dowith the probability distribution over the set of plaintextsM, the theorem implies that if there exists an encryptionscheme that provides perfect secrecy for a specificprobability distribution over M then it actually providesperfect secrecy in general (i.e., for all probabilitydistributions over M ).

46

Uses of Shannon’ s theorem.

Shannon’s theorem is extremely useful for provingwhether a scheme is or is not perfectly secret.

Item (1) is easy to confirm and item (2) can bedemonstrated (or contradicted) without analyzing anyprobabilities.

The perfect secrecy of the one-time pad is trivial toprove using Shannon’s theorem.

Theorem 2.11 only holds if |M | = |K | = |C |, andso one must be careful to apply it only in this case.

47

INTRODUCTION TO

MODERN CRYPTOGRAPHY


48



jonathan katz •yehuda lindell chapter 2 : perfectly...

Documents