Download Private-Key Encryption: Perfect Secrecy and Security Definitions and more Study notes Cryptography and System Security in PDF only on Docsity! Recommended Reading. • Katz�Lindell, Chapter 2. 1 Private-Key (aka Symmetric) Encryption • The setting for private-key encryption is the following: two parties share a secret key and want to exchange messages privately over �insecure channel�. For now, we will not worry about how they came to share the secret key. • Kerchkho�'s Principle: Assume encryption/decryption algorithms are known to adversary. Only thing secret is the key. • For now, �insecure channel� means that adversary can listen to all messages sent, but cannot inject/alter messages, i.e. passive rather than active. • De�nition 1 A (private-key) encryption scheme consists of three algorithms (G,E,D), as follows: � The key generation algorithm G is a randomized algorithm that returns a key k ∈ K; we write k R←G. � The encryption algorithm E is a randomized algorithm that takes a key k ∈ K and a plaintext (aka message) m ∈ P and outputs a ciphertext c ∈ C; we write c R← Ek(m). � The decryption algorithm D is a deterministic algorithm that takes a key k ∈ K and a ciphertext c ∈ C and returns a plaintext m ∈ P. The message space P is often the set of strings of a given length. The ciphertext space C does not have to equal the plaintext space. We require Dk(Ek(m)) = m for all m ∈ P. • The de�nition describes the functionalities of the encryption scheme but does not take security into account yet. For example: • Examples: � Shift cipher (cf. Caesar cipher). The key is a random number: k R←{0, . . . , 25}, the mes- sage space is P = {A, . . . , Z}` (strings of length ` over the English alphabet) so we can see the message as m ∈ {0, . . . , 25}`. Ek(m1m2 · · ·m`) = c1c2 · · · c`, where ci = mi + k (mod 26). 1 � Substitution cipher. The key k is a random permutation of {0, . . . , 25}. Ek(m1m2 · · ·m`) = k(m1)k(m2) · · · k(m`). � One-time pad. The message space consists of binary strings of length ` and the key k is a random element of {0, 1}`. Ek(m) = m ⊕ k (bitwise XOR). The decryption is Dk(c) = c⊕ k. 2 Perfect Secrecy • What does it mean for something to be secret? How to de�ne security? Some attempts: � Adversary can't determine key from ciphertext. � Adversary can't determine plaintext. � Adversary can't determine any symbol of plaintext. � Adversary can't determine �any information� about plaintext. • De�nition 2 (perfect indistinguishability) Encryption scheme satis�es perfect indistin- guishability if for every m1,m2 ∈ P and K R←G, the random variables EK(m1) and EK(m2) have the same distribution. That is, for every c, Pr [EK(m1) = c] = Pr [EK(m2) = c] , where the probabilities are taken over k R←G and the coin tosses of E. Idea: the adversary sees the same distribution of ciphertext, regardless of the message sent. Note that there is no probability distribution over the messages; rather we assume that the adversary knows the possible messages in advance. Intuitively, the case of two messages is the worst case (the adversary knows all but �one bit� of information in advance), and hence is representative of the security of an encryption scheme. • Proposition 3 Shift and Substitution ciphers do not satisfy perfect indistinguishability for messages of length > 1. Proof: • Proposition 4 One-time pad satis�es perfect indistinguishability. Proof: • De�nition 5 (Shannon secrecy) Let M be a distribution on P. An encryption scheme satis�es Shannon secrecy with respect to M if for every m ∈ P and every c ∈ C, Pr [M = m|EK(M) = c] = Pr [M = m] 2
