Cryptography
Lecture 2
Arpita Patra
© Arpita Patra
Recall
>> Crypto: Past and Present (aka Classical vs. Modern Crypto)
o Scope
o Scientific Basis (Formal Def. + Precise Assumption + Rigorous Proof)
o End-users
>> Secure Communication in Secret Key Setting
Secret Key Encryption (SKE)
>> Learn From the Blunders of Classical SKE
o Algorithms of SKE (in general in crypto) must be PUBLIC
o Secret Key Space Must be large enough to fail brute force
o No ad-hoc algorithm without definition and proof
Today’s Goal
- Do Secure Communication in a ‘modern’ way ditching the ‘classic’ approach
o Formulate a formal definition (threat + break model)
o Identify assumptions needed and build a construction
o Prove security of the construction relative to the definition and assumption
Secure Communication in Private Key Setting
[Figure: m → Encryption → c → Decryption → m; key k at both ends; ?? on the channel]
o Secret key k shared in advance (by “some” mechanism)
o m is the plain-text
o c is the cipher-text (scrambled message)
Need: An encryption scheme (Gen, Enc, Dec)
- Private (Secret) Key Encryption- Keys are private to the sender and the receiver
- Symmetric Key Encryption- The same key is used for encryption and decryption
Syntax of Secret Key Encryption (SKE)
1. Key-generation Algorithm: Gen()
> Outputs a key k chosen according to some probability distribution.
> MUST be a Randomized algorithm
2. Encryption Algorithm: Enc_k(m)
> c ← Enc_k(m) when randomized and c := Enc_k(m) when deterministic
> Deterministic/Randomized algorithm
3. Decryption Algorithm: Dec_k(c)
> Outputs m := Dec_k(c)
> Usually deterministic
Syntax of SKE
1. Key space (K):
> Set of all possible keys output by algorithm Gen
2. Plaintext / message space (M):
> Set of all possible “legal” messages (i.e. those supported by Enc)
3. Ciphertext space (C):
> Set of all cipher-texts output by algorithm Enc
SKE is specified using (Gen, Enc, Dec) and M
Formal Definition of Security
Two components of a security definition:
Threat: >> Who is your threat?
>> Who do you want to protect from?
>> Cultivate your enemy a.k.a adversary in crypto language.
>> Look out in practical scenarios / be an adversary
>> Unless you know your adv, no hope of defeating him
Break: >> What are you afraid of losing?
>> What do you want to protect?
>> If you don’t know what to protect then how do you know when or if you are protecting it?
Threat Model
- How powerful computationally?
> Best is to have no assumption on the computing power of the adv. a.k.a unbounded powerful adversary
> Give him any so-called hard problem (factoring etc), he solves in no time
> Strongest adversary that we can think of in terms of computing power
- What are his capabilities (in terms of attacking a secure communication protocol)?
[Figure: m → Enc → c; key k at both ends; ?? on the channel]
> Attacker/adv. can eavesdrop/tap the ciphertext during transit- Passive or Eavesdropper
> Ciphertext Only Attack (COA)
Can you think of a smarter attack?
Threat Model
- Can sample random coins? (deterministic or randomized)
> Randomness is an absolute necessity in Crypto; it is practical and good guys use randomness often. Why not the adversary?
> Good to be liberal in terms of giving more power to the adversary
- Randomized
- Unbounded Powerful
- COA
Break Model
Attempt I >> Secret key?
Then Enc(m) = m is secure
Attempt II >> Entire Message?
Then Enc(m) leaking most significant 10 bits is secure; m: bank password | amazon password
Attempt III >> No additional info about the message irrespective of prior information?
Right Notion
How to formalise?
Need basics of Discrete Probability Theory
Discrete Probability Background
> U: Finite set; e.g. {0,1}
> Probability Distribution on U specifies the probabilities of the occurrence of the elements of U
- e.g Probability Distributions on U = {0,1}:
Pr(0) = ½ , Pr(1) = ½
Pr(0) = 0 , Pr(1) = 1
Probability distribution: Probability distribution Pr over U is a function
Pr: U ⟶ [0,1]
such that
Σ_{x ∈ U} Pr(x) = 1
> Uniform Probability Distribution on U: Pr(x) = 1/|U| for every x
Discrete Probability Background
Event: Occurrence of one or more elements of U is called an event
- e.g Consider Uniform Distribution on U = {0,1}^4
- Let A = occurrence of elements of U with msb two bits as 01
- Pr(A) = 1/4
Union Bound: For events A1 and A2
Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2] (extend for more than 2)
Conditional probability: probability that one event occurs, assuming some other event occurred.
- Pr(A | B) = Pr(A ∧ B) / Pr(B)
- For independent A, B: Pr(A | B) = Pr(A) and Pr(A ∧ B) = Pr(A) . Pr(B)
Discrete Probability Background
Law of total probability: Let E1, …, En be a partition of all possibilities of events.
Then for any event A:
Pr[A] = Σ_i Pr[A ∧ Ei] = Σ_i Pr[A | Ei] · Pr[Ei]
Bayes’s Theorem: If Pr(B) ≠ 0 then
Pr(A | B) = Pr(B | A) . Pr(A) / Pr(B)
Random Variable: variable that takes on (discrete) values from a finite set with certain probabilities (defined with respect to a finite set)
Probability distribution for a random variable: specifies the probabilities with which the variable takes on each possible value of a finite set
- Each probability must be between 0 and 1
- The probabilities must sum to 1
Done!!
Formulating Definition for SKE=(Gen,Enc,Dec)
Sets: M (e.g. ilu, ihu), K, C
Random Variable: M, K, C
Prob. Dist. of M:
- Determined by external factors
Pr(M = ilu) = .7
Pr(M = ihu) = .3
Prob. Dist. of K:
- Depends on Gen
Pr(K = k) = Pr(Gen outputs k)
Prob. Dist. of C:
- Choose a message m, according to the given dist.
- Generate a key k using Gen
- Compute c ← Enc_k(m)
Numerical Example
M = {a, b, c, d} with Pr[M = a] = 1/4, Pr[M = b] = 3/10, Pr[M = c] = 3/20, Pr[M = d] = 3/10
K = {k1, k2, k3} with Pr[K = k1] = 1/4, Pr[K = k2] = 1/2, Pr[K = k3] = 1/4
C = {1, 2, 3, 4} with probabilities .26, .26, .26, .21
Enc: [table shown as a figure]
- What is the probability distribution on the cipher-text space C ?
Pr [C = 1] : Pr [M = b] Pr [K = k2] + Pr [M = c] Pr [K = k3] + Pr [M = d] Pr [K = k1] = 0.2625
Pr [C = 2] : Pr [M = c] Pr [K = k1] + Pr [M = d] Pr [K = k2] + Pr [M = d] Pr [K = k3] = 0.2625
Pr [C = 3] : Pr [M = a] Pr [K = k1] + Pr [M = a] Pr [K = k2] + Pr [M = b] Pr [K = k3] = 0.2625
Pr [C = 4] : Pr [M = a] Pr [K = k3] + Pr [M = b] Pr [K = k1] + Pr [M = c] Pr [K = k2] = 0.2125
What is the point in tapping over channel. I
better watch the cricket match today
Threat & Break Model
- Randomized
- Unbounded Powerful
- COA
- No additional info about the message should be leaked from the ciphertext irrespective of the prior information that the adv has
What captures the prior information of the attacker about m ?
- Probability distribution on the plain-text space M
- The probability distribution {Pr[M = m]}
- Observing the cipher-text c should not change the attacker’s knowledge about the distribution of the plaintext
- Mathematically, Pr[M = m | C = c] = Pr[M = m]
Perfectly-secure Encryption : Formal Definition
Definition (Perfectly-secure Encryption): An encryption scheme (Gen, Enc, Dec) over a plaintext space M is perfectly-secure if for every probability distribution over M, every plain-text m ∈ M and every cipher-text c ∈ C, the following holds:
Pr [M = m | C = c] = Pr [M = m]
> Pr [M = m | C = c]: Posteriori probability that m is encrypted in c
> Pr [M = m]: a priori probability that m might be communicated
- Probably the first formal definition of security
C. E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28(4): 656-715, 1949.
What have we done so far..
o Formulate a formal definition (threat + break model)
o Identify assumptions needed and build a construction
o Prove security of the construction relative to the definition and assumption
No assumption!!
Perfectly-secure Encryption- Construction
M = K = C = {0, 1}^l
Gen: k ∈_R K
Enc: for m ∈ M, c := m ⊕ k
Dec: for c ∈ C, m := c ⊕ k
Correctness: Dec_k(Enc_k(m)) = m
Theorem (Security): Vernam Cipher is perfectly-secure
Proof:
To prove Pr[M = m | C = c] = Pr[M = m]
For arbitrary c and m, Pr[C = c | M = m] = Pr[K = c ⊕ m] = 1/2^l
Pr[C = c] = Σ_{m ∈ M} Pr[C = c | M = m] Pr[M = m]
= 1/2^l Σ_{m ∈ M} Pr[M = m]
= 1/2^l (irrespective of p. d. over M)
Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c] (Bayes' Theorem)
= Pr[M = m]
What have we done so far..
o Formulate a formal definition (threat + break model)
o Identify assumptions needed and build a construction
o Prove security of the construction relative to the definition and assumption
Vernam Cipher is not all that nice because..
o How long is the key?
Key length is as long as the message
- For long messages it is hard to agree on a long key
- What happens if the parties cannot predict the message size in advance?
o Can we reuse the keys for multiple messages?
No!!
- c = m ⊕ k, c’ = m’ ⊕ k
- c ⊕ c’ = m ⊕ m’
Adversary learns the difference!
- Perfect security breaks down
Let us design another scheme that overcomes the drawbacks..
Alas! Inherent problems..
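The numerical example, the definition Pr[M = m | C = c] = Pr[M = m] and the key-reuse remark above, checked by exhaustive computation (an added example, not part of the lecture slides). Assumptions: the Enc table of the numerical example is reconstructed from the terms of the four Pr[C = c] sums; l = 2, the skewed prior and all function names are choices of this example.

```python
from fractions import Fraction as F
from itertools import product

def joint(prior, key_dist, enc):
    """Pr[M = m, C = c] when m ~ prior and k ~ key_dist are chosen independently."""
    j = {}
    for (m, pm), (k, pk) in product(prior.items(), key_dist.items()):
        c = enc(k, m)
        j[m, c] = j.get((m, c), 0) + pm * pk
    return j

def ciphertext_dist(prior, key_dist, enc):
    """Pr[C = c], summing the joint distribution over all messages."""
    pc = {}
    for (_, c), p in joint(prior, key_dist, enc).items():
        pc[c] = pc.get(c, 0) + p
    return pc

def leaks(prior, key_dist, enc):
    """Every (m, c, Pr[M = m | C = c]) whose posterior differs from the prior Pr[M = m]."""
    j, pc = joint(prior, key_dist, enc), ciphertext_dist(prior, key_dist, enc)
    post = {(m, c): j.get((m, c), 0) / pc[c] for m in prior for c in pc}
    return [(m, c, p) for (m, c), p in post.items() if p != prior[m]]

# Numerical example from the slides. Assumption: the Enc table is not in the
# transcript, so this mapping is read off the terms of the four Pr[C = c] sums.
PRIOR = {"a": F(1, 4), "b": F(3, 10), "c": F(3, 20), "d": F(3, 10)}
KEYS = {"k1": F(1, 4), "k2": F(1, 2), "k3": F(1, 4)}
TABLE = {"k1": {"a": 3, "b": 4, "c": 2, "d": 1},
         "k2": {"a": 3, "b": 1, "c": 4, "d": 2},
         "k3": {"a": 4, "b": 3, "c": 1, "d": 2}}
def toy_enc(k, m):
    return TABLE[k][m]

# Vernam cipher on l = 2 bits: uniform key, skewed prior (constructed for this example).
OTP_KEYS = {k: F(1, 4) for k in range(4)}
OTP_PRIOR = {0: F(7, 10), 1: F(1, 10), 2: F(1, 10), 3: F(1, 10)}
def otp_enc(k, m):
    return m ^ k

# Key reuse: the same k encrypts both halves of a pair (m, m'); uniform prior on pairs.
PAIR_PRIOR = {(m1, m2): F(1, 16) for m1 in range(4) for m2 in range(4)}
def reuse_enc(k, pair):
    return (pair[0] ^ k, pair[1] ^ k)

if __name__ == "__main__":
    print(ciphertext_dist(PRIOR, KEYS, toy_enc))         # toy scheme: Pr[C = c]
    print(leaks(OTP_PRIOR, OTP_KEYS, otp_enc))           # Vernam cipher
    print(len(leaks(PAIR_PRIOR, OTP_KEYS, reuse_enc)))   # Vernam cipher, key reused
```

The toy scheme of the numerical example changes the posterior for every (m, c) pair, the Vernam cipher for none, and the reused key for every pair of messages, because c ⊕ c’ = m ⊕ m’ rules out most pairs.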
Chalk & Talk Assignment
o Various Perfect Security Definitions and their Equivalence
Definition I:
Pr [M = m | C = c] = Pr [M = m]
≈
Definition III:
KL Chapter 2
Define it
Definition II:
Pr [C = c | M = m] = Pr [C = c | M = m’]
Next class…
o Various Perfect Security Definitions and their Equivalence
Definition I:
Pr [M = m | C = c] = Pr [M = m]
≈
Definition III:
KL Chapter 2
Define it
Definition IV:
Definition II:
Pr [C = c | M = m] = Pr [C = c | M = m’]