Private-Key Encryption: Perfect Secrecy and Security Definitions

Recommended Reading.
• Katz-Lindell, Chapter 2.

1 Private-Key (aka Symmetric) Encryption

• The setting for private-key encryption is the following: two parties share a secret key and want to exchange messages privately over an insecure channel. For now, we will not worry about how they came to share the secret key.
• Kerckhoffs's Principle: Assume the encryption/decryption algorithms are known to the adversary. The only thing secret is the key.
• For now, "insecure channel" means that the adversary can listen to all messages sent, but cannot inject/alter messages, i.e. the adversary is passive rather than active.
• Definition 1 A (private-key) encryption scheme consists of three algorithms $(G, E, D)$, as follows:
  - The key generation algorithm $G$ is a randomized algorithm that returns a key $k \in \mathcal{K}$; we write $k \stackrel{R}{\leftarrow} G$.
  - The encryption algorithm $E$ is a randomized algorithm that takes a key $k \in \mathcal{K}$ and a plaintext (aka message) $m \in \mathcal{P}$ and outputs a ciphertext $c \in \mathcal{C}$; we write $c \stackrel{R}{\leftarrow} E_k(m)$.
  - The decryption algorithm $D$ is a deterministic algorithm that takes a key $k \in \mathcal{K}$ and a ciphertext $c \in \mathcal{C}$ and returns a plaintext $m \in \mathcal{P}$.
  The message space $\mathcal{P}$ is often the set of strings of a given length. The ciphertext space $\mathcal{C}$ does not have to equal the plaintext space. We require $D_k(E_k(m)) = m$ for all $m \in \mathcal{P}$.
• The definition describes the functionalities of the encryption scheme but does not take security into account yet. For example:
• Examples:
  - Shift cipher (cf. Caesar cipher). The key is a random number: $k \stackrel{R}{\leftarrow} \{0, \ldots, 25\}$. The message space is $\mathcal{P} = \{A, \ldots, Z\}^{\ell}$ (strings of length $\ell$ over the English alphabet), so we can see the message as $m \in \{0, \ldots, 25\}^{\ell}$. $E_k(m_1 m_2 \cdots m_\ell) = c_1 c_2 \cdots c_\ell$, where $c_i = m_i + k \pmod{26}$.
  - Substitution cipher. The key $k$ is a random permutation of $\{0, \ldots, 25\}$. $E_k(m_1 m_2 \cdots m_\ell) = k(m_1) k(m_2) \cdots k(m_\ell)$.
  - One-time pad. The message space consists of binary strings of length $\ell$ and the key $k$ is a random element of $\{0, 1\}^{\ell}$. $E_k(m) = m \oplus k$ (bitwise XOR). The decryption is $D_k(c) = c \oplus k$.

2 Perfect Secrecy

• What does it mean for something to be secret? How to define security? Some attempts:
  - Adversary can't determine key from ciphertext.
  - Adversary can't determine plaintext.
  - Adversary can't determine any symbol of plaintext.
  - Adversary can't determine any information about plaintext.
• Definition 2 (perfect indistinguishability) An encryption scheme satisfies perfect indistinguishability if for every $m_1, m_2 \in \mathcal{P}$ and $K \stackrel{R}{\leftarrow} G$, the random variables $E_K(m_1)$ and $E_K(m_2)$ have the same distribution. That is, for every $c$,
  $$\Pr[E_K(m_1) = c] = \Pr[E_K(m_2) = c],$$
  where the probabilities are taken over $K \stackrel{R}{\leftarrow} G$ and the coin tosses of $E$.
  Idea: the adversary sees the same distribution of ciphertext, regardless of the message sent. Note that there is no probability distribution over the messages; rather we assume that the adversary knows the possible messages in advance. Intuitively, the case of two messages is the worst case (the adversary knows all but one bit of information in advance), and hence is representative of the security of an encryption scheme.
• Proposition 3 Shift and Substitution ciphers do not satisfy perfect indistinguishability for messages of length > 1.
  Proof:
• Proposition 4 One-time pad satisfies perfect indistinguishability.
  Proof:
• Definition 5 (Shannon secrecy) Let $M$ be a distribution on $\mathcal{P}$. An encryption scheme satisfies Shannon secrecy with respect to $M$ if for every $m \in \mathcal{P}$ and every $c \in \mathcal{C}$,
  $$\Pr[M = m \mid E_K(M) = c] = \Pr[M = m].$$
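Propositions 3 and 4 can be checked by brute force against Definition 2 for small parameters. The following is an added example, not part of the original notes: it enumerates every key to compute exact ciphertext distributions for the shift cipher and the one-time pad (the substitution cipher is not covered), and it goes slightly beyond the text by also checking the shift cipher at length 1. The messages "AA"/"AB" and the 3-bit pad length are constructed sample values.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def ciphertext_distribution(keys, encrypt, message):
    """Exact distribution of E_K(message) for K uniform over `keys`."""
    keys = list(keys)
    counts = Counter(encrypt(k, message) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def perfectly_indistinguishable(keys, encrypt, messages):
    """Definition 2: every message must induce the same ciphertext distribution."""
    keys = list(keys)
    dists = [ciphertext_distribution(keys, encrypt, m) for m in messages]
    return all(d == dists[0] for d in dists)

# Shift cipher: one key k in {0..25} reused for every letter (letters as 0..25).
def shift_encrypt(k, m):
    return tuple((mi + k) % 26 for mi in m)

# One-time pad: key is a uniformly random bit string as long as the message.
def otp_encrypt(k, m):
    return tuple(mi ^ ki for mi, ki in zip(m, k))

def demo():
    shift_keys = range(26)
    aa, ab = (0, 0), (0, 1)            # constructed messages "AA" and "AB"
    shift_len2 = perfectly_indistinguishable(shift_keys, shift_encrypt, [aa, ab])
    # Length 1: all 26 single letters give the uniform distribution.
    shift_len1 = perfectly_indistinguishable(
        shift_keys, shift_encrypt, [(x,) for x in range(26)])
    n = 3                              # constructed OTP length (bits)
    bitstrings = list(product((0, 1), repeat=n))
    otp = perfectly_indistinguishable(bitstrings, otp_encrypt, bitstrings)
    return shift_len1, shift_len2, otp

if __name__ == "__main__":
    print(demo())   # (True, False, True)
    # Witness for Proposition 3: "AA" can encrypt to "BB", "AB" never can.
    print(ciphertext_distribution(range(26), shift_encrypt, (0, 0)).get((1, 1)))
    print(ciphertext_distribution(range(26), shift_encrypt, (0, 1)).get((1, 1)))
```

The distinguishing ciphertext for the shift cipher is any string with two equal letters: it has probability 1/26 under "AA" and probability 0 under "AB", because the same shift is applied to both positions.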