Download Cryptography - Rose

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
Document related concepts

History of statistics wikipedia , lookup

Probability wikipedia , lookup

Transcript 
Today
• What does it mean for a cipher to be:
– Computational secure? Unconditionally secure?
• Perfect secrecy
– Conditional probability
– Definition of perfect secrecy
– Systems that provide perfect secrecy
• How secure when we reuse a key?
– Entropy
– Redundancy of a language
– Spurious keys, unicity distance
Cryptography
Perfect secrecy
Slide 1
Contact before work
• Turn to a neighbor and ask:
What do you think of this week’s homework problems?
Easy or hard? Interesting or dull?
Why or why not?
• Why do Contact Before Work?
– Helps us know our teammates.
We work better with people we know and like.
– Helps start the meeting on time.
Cryptography
Perfect secrecy
Slide 2
Announcements
• Today at 4:20:
– Mark Gritter(CSSE faculty candidate, from Stanford)
• Content Location with Name-Based Routing
• Olin 267
• Questions on homework?
– Due Thursday
• Friday: annual Undergraduate Mathematics Conference
here at Rose-Hulman!
– So no class Friday.
– We ask that you go to a talk at the conference instead!
• See schedule on Mathematics home page.
Cryptography
Perfect secrecy
Slide 3
What is perfect secrecy?
• Exercise:
– Do the following by yourself (1 minute) and then in
groups of about four (3 to 5 minutes)
• Give (mathematical) definitions for a cipher to be:
– Computationally secure
– Unconditionally secure (“perfect secrecy”)
• Consider:
Is your definition precise enough that I
– Computer-invariant? could use it to determine whether, e.g.,
– Information-invariant? cipher A is twice as computationally
– Kinds of attack?
secure as cipher B”?
Cryptography
Perfect secrecy
Slide 4
Computationally secure
• Stallings: A cipher is computationally secure if:
– Cost of breaking the cipher exceeds value of the
encrypted information
– Time required to break the cipher exceeds useful
lifetime of the encrypted information
• Is this:
– Computer-invariant?
– Information-invariant?
– Practical to determine?
Cryptography
I find Stalling’s definition
unsatisfying. Can you do better?
Perfect secrecy
Slide 5
Unconditionally secure
• Stallings: A cipher is:
– Computationally secure if:
• Cost of breaking the cipher exceeds value of the encrypted
information
• Time required to break the cipher exceeds useful lifetime of the
encrypted information
– Unconditionally secure if: Huh? Can we be more precise?
• Ciphertext generated does not contain enough information to
determine uniquely the corresponding plaintext
– No matter how much ciphertext
– No matter how much time/resources available to attacker
Cryptography
Perfect secrecy
Slide 6
Where we are going:
• Unconditionally secure:
– Ciphertext generated does not contain enough information to
determine uniquely the corresponding plaintext
• To make this precise, we need:
– What is a cipher?
– What does it mean to determine the plaintext? Uniquely?
• We will see that:
– Shift cipher, substitution cipher, Vigenere cipher are:
• Not computationally secure
– against even a ciphertext-only attack,
– given a sufficient amount of ciphertext
• Unconditionally secure (!)
– if [an important condition that we will see soon] [can you guess it?]
Cryptography
Perfect secrecy
Slide 7
What is a cryptosystem?
• Three finite sets:
– P = set of possible plaintexts
– C = set of possible ciphertexts
– K = set of possible keys
• Encryption and decryption functions e and d.
For each k in K:
– ek : P C
dk : C  P
• Exercise: What has to be true of ek and dk?
• Answer: for any plaintext x and key k:
dk(ek(x)) = x
Cryptography
Perfect secrecy
Slide 8
Conditional probability
• So now we know:
– What is a cipher?
• Next:
– What does it mean to determine the plaintext? Uniquely?
• To answer this, we need probability theory:
–
–
–
–
–
–
random variable, sample space
probability distribution
joint probability distribution
conditional probability distribution
independent random variables
Bayes’ theorem
Cryptography
Perfect secrecy
Slide 9
Random variable
Probability distribution
• Definition: A random variable
– is a function from the sample space to a set of numbers
• (for us, the nonnegative integers)
• Examples:
– The number of aces in a bridge hand
– The number of multiple birthdays in a room of n people
• I’ll assume discrete random variables throughout these notes
• Definition: The probability distribution of a random variable X
– Gives, for each possible value x that X can take, the probability of x
– Written Pr (x)
• Example:
– Let X = number of heads after 3 coin tosses.
• p(0) = 1/8
Cryptography
p(1) = 3/8
p(2) = 3/8
Perfect secrecy
p(3) = 1/8
Slide 10
Joint probability distribution
Conditional probability distribution
• Definitions: Let X and Y be random variables.
– The joint probability Pr (x, y) is the probability that X is x and Y is y.
– The conditional probability Pr ( x | y ) is the probability that X is x
given that Y is y and is (by definition) Pr (x, y) / Pr (y)
• In the example to the right:
X
– Pr (c, B)? Pr (b, B)?
– Pr (a | B )? Pr (B | a)?
a
• Answers:
– Pr (c, B) = 0.05 Pr (b, B) = 0.25
– Pr (a | B ) =
0.10 / (0.10 + 0.25 + 0.05) = 0.4
– Pr (B | a) = 0.10 / (0.25 + 0.10) = 2/7
Cryptography
Perfect secrecy
Y
b
c
A
0.25 0.15 0.20
B
0.10 0.25 0.05
Slide 11
Independent random variables
• Definition:
– Random variables X and Y are independent
– if Pr (x | y) = Pr (x) for all x, y.
• Equivalently, if Pr (x, y) = Pr (x)  Pr (y) for all x, y.
• Examples
– X and Y on previous slide are not independent
– # of heads in toss A,# in toss B: independent
Cryptography
Perfect secrecy
Slide 12
Application to ciphers
• Assume
– PrP (x)
• probability distribution on plaintext space P
– PrK(k)
• probability distribution on key space K
– Choosing the key and selecting the plaintext are independent
• These induce:
– PrP,K (y)
• probability distribution on ciphertext C
Example and details
on next slides.
– PrP,K (x, y)
• joint probability distribution of plaintext and ciphertext
– PrP,K (x | y)
• conditional distribution of plaintext given ciphertext
Cryptography
Perfect secrecy
Slide 13
Example
• Sets:
Cipher
a
b
1
A
B
2
B
C
3
C
D
– Plaintext P = {a, b}
– Ciphertext C = {A, B, C, D}
– Key space K = {1, 2, 3}
• Cipher: per table on right
• Probabilitity distributions:
– Prp(a) = ¼
– PrK(1) = ½
Prp(b) = ¾
PrK(2) = ¼
• Exercise: compute PrP,K (y)
PrK(3) = ¼
– probability distribution on ciphertext C
• Exercise: compute PrP,K (x | y)
– conditional distribution of plaintext given ciphertext
Cryptography
Perfect secrecy
Slide 14
Computation of the induced
probability distributions
• Given: PrP (x)
PrK (k)
• Probability that plaintext is x. Probability that key is k.
• Assume choosing key and selecting plaintext are independent.
• Then: PrP,K (y)
PrP,K (x | y)
PrP,K (y | x) are given by:
• Probability PrP,K (y) that ciphertext is y
• Probability PrP,K (y | x) that ciphertext is y given plaintext is x
• Probability PrP,K (x | y) that plaintext is x given ciphertext is y
– PrP,K (y) =  [ PrP (x)  PrK (k) ]
• Where the sum is over all plaintext x and keys k such that ek(x) = y
– PrP,K (y | x) = [  PrK (k) ] / PrP (x)
• Where the sum is over all keys k such that ek(x) = y
– PrP,K (x | y) = PrP,K (y | x)  PrP (x) / PrP,K (y) by Bayes Theorem
Cryptography
Perfect secrecy
Slide 15
So what is perfect secrecy?
• Given: PrP (x) PrK (k)
• Probability that plaintext is x. Probability that key is k.
• Assume choosing key and selecting plaintext are independent.
• Then that induces (per previous slide):
• Probability PrP,K (y) that ciphertext is y
• Probability PrP,K (y | x) that ciphertext is y given plaintext is x
• Probability PrP,K (x | y) that plaintext is x given ciphertext is y
• Informally: perfect secrecy means that the ciphertext
generated does not contain enough information to determine
uniquely the corresponding plaintext
– Can you now give a precise definition of perfect secrecy, in terms of
the above?
Cryptography
Perfect secrecy
Slide 16
Perfect secrecy
• Definition: A cryptosystem has perfect secrecy if:
– For all x in plaintext space P and y in ciphertext space C
– We have PrP,K (x | y) = PrP (x)
• Theorem:
– Suppose the 26 keys in the Shift cipher are used with
equal probability.
– Then for any plaintext probability distribution,
– the Shift cipher has perfect secrecy.
• Note that we are encrypting a single character with a single key
• Another time: the (easy) proof!
Cryptography
Perfect secrecy
Slide 17
What provides perfect secrecy?
• Theorem:
– Perfect secrecy requires |K|  |C|.
– Suppose as few keys as possible, i.e. |K| = |C| = |P|.
• Note: Any cryptosystem has |C|  |P|.
– Then the cryptosystem has perfect secrecy iff
• every key is used with equal probability, and
• for every x in P and y in C,
there is a unique key k such that ek (x) = y
Cryptography
Perfect secrecy
Slide 18
Vernam’s one-time pad
• Corollary to the theorem on the previous slide:
– Vigenere’s cipher provides perfect secrecy, if:
• each key is equally likely, and
• you encrypt a single plaintext element
(i.e., encrypt m characters using a key of length m)
– Cannot have perfect secrecy with shorter keys
– History:
• 1917: Gilbert Vernam suggested Vigenere with a binary
alphabet and a long keyword. Joseph Mauborgne suggested
uing a one-time pad (key as long as the message, not reused).
• Widely accepted as “unbreakable”
but no proof until Shannon’s work 30 years later
Cryptography
Perfect secrecy
Slide 19
What if keys are reused?
• Summary:
– We defined perfect secrecy.
– We found cryptosystems that provide perfect secrecy.
– But: perfect secrecy requires that we not reuse a key
• Next: How secure is a cryptosystem
when we reuse keys?
– Entropy
– Redundancy of a language
– Spurious keys, unicity distance
Cryptography
Perfect secrecy
Slide 20
Entropy: motivation
• Background
–
–
–
–
From information theory
Introduced by Claude Shannon in 1948.
A measure of information or uncertainty
Computed as a function of a probability distribution
• Example:
– Toss a coin.
How many bits required to represent the result?
– Toss a coin n times. Now how many bits?
• What if the coin is a biased coin?
Cryptography
Perfect secrecy
Slide 21
Entropy: definition
• Definition:
– Suppose X is a random variable
– with probability distribution p = p1, p2, ... pn
– where pi is the probability X takes on its ith possible
value.
– Then the entropy of X,
– written H(X), is
n
H ( X )   pi log 2 pi
i 1
Cryptography
Perfect secrecy
Slide 22
Entropy: example
n
• Definition of entropy:
H ( X )   pi log 2 pi
i 1
• P = {a, b}. C = {1, 2, 3, 4}.
–
–
–
–
pp: a => 1/4 b => 3/4
pc: 1 => 1/8 2 => 7/16 3 => 1/4 4 => 3/16
Exercise: what is H(P)? H(C)?
H(P) = - [ ( 1/4  -2 ) + ( 3/4  (log2 3 - 2) ) ]
 0.81
– H(C)  1.85.
Cryptography
Perfect secrecy
Slide 23
Spurious keys
• Exercise:
–
–
–
–
–
Suppose Oscar is doing a ciphertext-only attack
on a string encoded using Vigenere’s cipher
where m (key length) is modest (not a one-time pad).
Oscar decrypts the message to a meaningful sentence.
Why is Oscar not done?
• Answer:
– 1. There may be other keys that yield other meaningful sentences.
– 2. We want the key, not just the meaningful sentence.
Cryptography
Perfect secrecy
Slide 24
Spurious keys
• Context:
– Oscar is doing cipher-text only attack
– Oscar has infinite computational resources
– Oscar knows the plaintext is a “natural” language.
• Result:
– Oscar will be able to rule out certain keys.
– Many “possible” keys remain. Only one key is correct.
– The remaining possible, but incorrect, keys
are called spurious keys.
• Our goal: determine how many spurious keys.
Cryptography
Perfect secrecy
Slide 25
Entropy & redundancy of a language
• Definitions:
– Let L be a natural language (like English).
– Let Pn be a random variable whose probability
distribution is that of all n-grams of plaintext in L.
– The entropy HL of L is
H (P n )
H L  lim
n 
n
– The redundancy RL of L is
HL
RL  1 
log 2 | P |
• HL measures entropy per letter.
• RL measures fraction of “excess characters.”
Cryptography
Perfect secrecy
Slide 26
Entropy & redundancy of a language
• Experiments have shown
that for English:
H (P n )
H L  lim
n 
n
HL
RL  1 
log 2 | P |
– H(P2)  7.80
– 1.0  HL  1.5
– So RL  0.75
• Exercise: does this mean you could keep only every 4th letter
of a message and hope to read it?
• Answer: No!
This means you could hope to encode long strings of English
to about 1/4 of their size, using a Huffman encoding.
Cryptography
Perfect secrecy
Slide 27
Number of spurious keys
• Theorem:
– Suppose |C| = |P| and keys are equiprobable.
– Given a ciphertext of length n (where n is large enough)
– the expected number sn of spurious keys satisfies
sn 
|K|
| P | nRL
1
• So what can you say about long ciphertext messages?
• Note: the expression goes to 0 quickly as n increases
Cryptography
Perfect secrecy
Slide 28
Unicity distance
• Definition:
–
–
–
–
The unicity distance of a cyptosystem
is the value of n (ciphertext length), denoted n0,
at which the expected number of spurious keys
becomes zero.
log | K |
• Theorem:
n0 
2
RL log 2 | P |
– Exercise: unicity distance of the Substitution cipher?
– Answer: 88.4 / (0.75  4.7)  25
Cryptography
Perfect secrecy
Slide 29
Summary
• Perfect secrecy.
– Perfect. Provides clear sense of the ultimate:
• What can be done.
• How to do it (Vernam’s one-time pad).
• If we reuse keys:
– No longer perfect secrecy.
– But the secret may not be utterly revealed, even against infinite
computational resources:
• Because of redundant keys
– Clear answers, beautiful mathematics, but not much secrecy!
• What if there are finite computational resources?
Cryptography
Perfect secrecy
Slide 30
Related documents
Session 34
Session 34
Information and Political Processes
Information and Political Processes
Ciphertext - Deadline24
Ciphertext - Deadline24
Cryptography - Stony Brook Mathematics Department and Institute
Cryptography - Stony Brook Mathematics Department and Institute
Georg Simmel. The Sociology of Georg Simmel Free Press.
Georg Simmel. The Sociology of Georg Simmel Free Press.
Shannon`s theory
Shannon`s theory
Lecture 25 - Data Encryption
Lecture 25 - Data Encryption
Solutions to the practice questions for midterm
Solutions to the practice questions for midterm
Tax-and-Health-Final
Tax-and-Health-Final
Presentation - The Cambridge Trust for New Thinking in Economics
Presentation - The Cambridge Trust for New Thinking in Economics
Introductory Presentation
Introductory Presentation