Cryptography: An Introduction (3rd Edition) Nigel Smart, Lecture notes of Cryptography and System Security

Information theory is one of the foundations of computer science. In this chapter we will examine its relationship to cryptography.

Typology: Lecture notes

2022/2023

Uploaded on 05/11/2023

Cryptography: An Introduction
(3rd Edition)
Nigel Smart
Chapter 5 — Edited for CIS 331 (cut short)


CHAPTER 5

Information Theoretic Security

Chapter Goals

  • To introduce the concept of perfect secrecy.
  • To discuss the security of the one-time pad.
  • To introduce the concept of entropy.
  • To explain the notion of key equivocation, spurious keys and unicity distance.
  • To use these tools to understand why the prior historical encryption algorithms are weak.

1. Introduction

Information theory is one of the foundations of computer science. In this chapter we will examine its relationship to cryptography. But we shall not assume any prior familiarity with information theory.

We first need to overview the difference between information theoretic security and computational security. Informally, a cryptographic system is called computationally secure if the best possible algorithm for breaking it requires N operations, where N is such a large number that it is infeasible to carry out this many operations. With current computing power we assume that 2^80 operations is an infeasible number of operations to carry out. Hence, a value of N larger than 2^80 would imply that the system is computationally secure. Notice that no actual system can be proved secure under this definition, since we never know whether there is a better algorithm than the one known. Hence, in practice we say a system is computationally secure if the best known algorithm for breaking it requires an unreasonably large amount of computational resources.

Another practical approach, related to computational security, is to reduce breaking the system to solving some well-studied hard problem. For example, we can try to show that a given system is secure if a given integer N cannot be factored. Systems of this form are often called provably secure. However, we only have a proof relative to some hard problem, hence this does not provide an absolute proof.

Essentially, a computationally secure scheme, or one which is provably secure, is only secure when we consider an adversary whose computational resources are bounded. Even if the adversary has large, but limited, resources she still will not break the system. When considering schemes which are computationally secure we need to be very clear about certain issues:
  • We need to be careful about the key sizes etc. If the key size is small then our adversary may have enough computational resources to break the system.
  • We need to keep abreast of current algorithmic developments and developments in computer hardware.
  • At some point in the future we should expect our system to become broken, either through an improvement in computing power or an algorithmic breakthrough.
2. PROBABILITY AND CIPHERS 79

Also suppose we have three possible keys given by K = {k1, k2, k3}, which occur with probability

  • p(K = k1) = 1/4,
  • p(K = k2) = 1/2,
  • p(K = k3) = 1/4.

Now, suppose we have C = {1, 2, 3, 4}, with the encryption function e_k(m) given by the following table (rows are keys, columns are plaintexts)

        a   b   c   d
  k1    3   4   2   1
  k2    3   1   4   2
  k3    4   3   1   2

We can then compute, using formula (7),

p(C = 1) = p(K = k1)p(P = d) + p(K = k2)p(P = b) + p(K = k3)p(P = c) = 0.2625,

p(C = 2) = p(K = k1)p(P = c) + p(K = k2)p(P = d) + p(K = k3)p(P = d) = 0.2625,

p(C = 3) = p(K = k1)p(P = a) + p(K = k2)p(P = a) + p(K = k3)p(P = b) = 0.2625,

p(C = 4) = p(K = k1)p(P = b) + p(K = k2)p(P = c) + p(K = k3)p(P = a) = 0.2125.

Hence, the ciphertexts produced are distributed almost uniformly. For c ∈ C and m ∈ P we can compute the conditional probability p(C = c|P = m). This is the probability that c is the ciphertext given that m is the plaintext:

p(C = c|P = m) = ∑_{k : m = d_k(c)} p(K = k).

This sum is the sum over all keys k for which the decryption function on input of c will output m. For our prior example we can compute these probabilities as

p(C = 1|P = a) = 0,    p(C = 2|P = a) = 0,    p(C = 3|P = a) = 0.75, p(C = 4|P = a) = 0.25,

p(C = 1|P = b) = 0.5,  p(C = 2|P = b) = 0,    p(C = 3|P = b) = 0.25, p(C = 4|P = b) = 0.25,

p(C = 1|P = c) = 0.25, p(C = 2|P = c) = 0.25, p(C = 3|P = c) = 0,    p(C = 4|P = c) = 0.5,

p(C = 1|P = d) = 0.25, p(C = 2|P = d) = 0.75, p(C = 3|P = d) = 0,    p(C = 4|P = d) = 0.

But, when we try to break a cipher we want the conditional probability the other way around, i.e. we want to know the probability of a given message occurring given only the ciphertext. We can compute the probability of m being the plaintext given c is the ciphertext via,

p(P = m|C = c) = p(P = m) p(C = c|P = m) / p(C = c).

80 5. INFORMATION THEORETIC SECURITY

This conditional probability can be computed by anyone who knows the encryption function and the probability distributions of K and P. Using these probabilities one may be able to deduce some information about the plaintext once you have seen the ciphertext. Returning to our previous example we compute

p(P = a|C = 1) = 0,     p(P = b|C = 1) = 0.571, p(P = c|C = 1) = 0.143, p(P = d|C = 1) = 0.286,

p(P = a|C = 2) = 0,     p(P = b|C = 2) = 0,     p(P = c|C = 2) = 0.143, p(P = d|C = 2) = 0.857,

p(P = a|C = 3) = 0.714, p(P = b|C = 3) = 0.286, p(P = c|C = 3) = 0,     p(P = d|C = 3) = 0,

p(P = a|C = 4) = 0.294, p(P = b|C = 4) = 0.352, p(P = c|C = 4) = 0.352, p(P = d|C = 4) = 0.

Hence

  • If we see the ciphertext 1 then we know the message is not equal to a. We also can guess that it is more likely to be b rather than c or d.
  • If we see the ciphertext 2 then we know the message is not equal to a or b. We also can be pretty certain that the message is equal to d.
  • If we see the ciphertext 3 then we know the message is not equal to c or d and have a good chance that it is equal to a.
  • If we see the ciphertext 4 then we know the message is not equal to d, but cannot really guess with certainty as to whether the message is a, b or c.

So in our previous example the ciphertext does reveal a lot of information about the plaintext. But this is exactly what we wish to avoid, we want the ciphertext to give no information about the plaintext. A system with this property, that the ciphertext reveals nothing about the plaintext, is said to be perfectly secure.

Definition 5.1 (Perfect Secrecy). A cryptosystem has perfect secrecy if p(P = m|C = c) = p(P = m)

for all plaintexts m and all ciphertexts c.

This means the probability that the plaintext is m, given that you know the ciphertext is c, is the same as the probability that it is m without seeing c. In other words knowing c reveals no information about m. Another way of describing perfect secrecy is via:

Lemma 5.2. A cryptosystem has perfect secrecy if p(C = c|P = m) = p(C = c) for all m and c.

Proof. This trivially follows from the definition

p(P = m|C = c) = p(P = m) p(C = c|P = m) / p(C = c)

and the fact that perfect secrecy means p(P = m|C = c) = p(P = m). □

The first result about perfect security is

Lemma 5.3. Assume the cryptosystem is perfectly secure, then #K ≥ #C ≥ #P,

where


Hence we obtain, for all 1 ≤ i ≤ n,

p(C = c) = p(K = k_i).

This says that the keys are used with equal probability and hence

p(K = k) = 1/#K for all k ∈ K.

Now we need to prove the result in the other direction. Namely, if

  • #K = #C = #P,
  • every key is used with equal probability 1/#K,
  • for each m ∈ P and c ∈ C there is a unique key k such that e_k(m) = c,

then we need to show the system is perfectly secure, i.e.

p(P = m|C = c) = p(P = m).

We have, since each key is used with equal probability,

p(C = c) = ∑_k p(K = k) p(P = d_k(c)) = (1/#K) ∑_k p(P = d_k(c)).

Also, since for each m and c there is a unique key k with e_k(m) = c, we must have

∑_k p(P = d_k(c)) = ∑_m p(P = m) = 1.

Hence, p(C = c) = 1/#K. In addition, if c = e_k(m) then p(C = c|P = m) = p(K = k) = 1/#K. So using Bayes’ Theorem we have

p(P = m|C = c) = p(P = m) p(C = c|P = m) / p(C = c) = p(P = m) · (1/#K) / (1/#K) = p(P = m). □

We end this section by discussing a couple of systems which have perfect secrecy.

2.1. Modified Shift Cipher. Recall the shift cipher is one in which we ‘add’ a given letter (the key) onto each letter of the plaintext to obtain the ciphertext. We now modify this cipher by using a different key for each plaintext letter. For example, to encrypt the message HELLO we choose five random keys, say FUIAT. We then add the key onto the plaintext, letter by letter and modulo 26, to obtain the ciphertext MYTLH. Notice how the plaintext letter L encrypts to different letters in the ciphertext. When we use the shift cipher with a different random key for each letter, we obtain a perfectly secure system. To see why this is so, consider the situation of encrypting a message of length n. Then the total number of keys, ciphertexts and plaintexts are all equal, namely:

#K = #C = #P = 26^n.

In addition each key will occur with equal probability:

p(K = k) = 1/26^n,

and for each m and c there is a unique k such that e_k(m) = c. Hence, by Shannon’s Theorem this modified shift cipher is perfectly secure.
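As an added worked example (this code is not from Smart's book or the lecture notes), the following Python reproduces the four-letter example of the Probability and Ciphers section, computing p(C = c), p(C = c|P = m) and, via Bayes' Theorem, p(P = m|C = c) with exact fractions; it then tests Definition 5.1 on that toy cipher (which fails) and checks the three hypotheses of Shannon's Theorem on the one-letter modified shift cipher (which passes, for any plaintext distribution). The plaintext distribution p(P) for the toy example is on a page not included in this excerpt; the values p(a) = 1/4, p(b) = 3/10, p(c) = 3/20, p(d) = 3/10 are assumed here and reproduce the figures the text quotes (0.2625, 0.2125, 0.571, ...). All function names are my own.

```python
# Added example, not from the book: distributions of the toy cipher,
# the perfect-secrecy test of Definition 5.1 / Lemma 5.2, and the three
# conditions of Shannon's Theorem checked on the modified shift cipher.
from fractions import Fraction as F
from itertools import product

# ASSUMED plaintext distribution (the page carrying it is not in this excerpt);
# these values reproduce the numbers quoted in the text.
P_PROB = {"a": F(1, 4), "b": F(3, 10), "c": F(3, 20), "d": F(3, 10)}
K_PROB = {"k1": F(1, 4), "k2": F(1, 2), "k3": F(1, 4)}        # from the text
# Encryption table from the text: ENC[key][plaintext] = ciphertext.
ENC = {"k1": {"a": 3, "b": 4, "c": 2, "d": 1},
       "k2": {"a": 3, "b": 1, "c": 4, "d": 2},
       "k3": {"a": 4, "b": 3, "c": 1, "d": 2}}


def cipher_distributions(p_prob, k_prob, enc):
    """Return (p(C=c), p(C=c|P=m), p(P=m|C=c)) as nested dicts."""
    msgs = sorted(p_prob)
    ctexts = sorted({c for row in enc.values() for c in row.values()})
    # p(C = c) = sum over keys k of p(K = k) p(P = d_k(c))   (formula (7))
    p_c = {c: sum(k_prob[k] * p_prob[m] for k in enc for m in msgs if enc[k][m] == c)
           for c in ctexts}
    # p(C = c | P = m) = sum of p(K = k) over the keys k with e_k(m) = c
    p_c_given_m = {m: {c: sum(k_prob[k] for k in enc if enc[k][m] == c) for c in ctexts}
                   for m in msgs}
    # Bayes: p(P = m | C = c) = p(P = m) p(C = c | P = m) / p(C = c)
    p_m_given_c = {c: {m: p_prob[m] * p_c_given_m[m][c] / p_c[c] for m in msgs}
                   for c in ctexts}
    return p_c, p_c_given_m, p_m_given_c


def is_perfectly_secret(p_prob, k_prob, enc):
    """Definition 5.1: p(P = m | C = c) == p(P = m) for every m and c."""
    _, _, post = cipher_distributions(p_prob, k_prob, enc)
    return all(post[c][m] == p_prob[m] for c in post for m in p_prob)


def shannon_conditions(p_prob, k_prob, enc):
    """The three hypotheses of Shannon's Theorem: #K = #C = #P, every key
    equally likely, and exactly one key taking each m to each c."""
    ctexts = {c for row in enc.values() for c in row.values()}
    same_size = len(k_prob) == len(ctexts) == len(p_prob)
    uniform = all(pk == F(1, len(k_prob)) for pk in k_prob.values())
    unique = all(sum(1 for k in enc if enc[k][m] == c) == 1
                 for m, c in product(p_prob, ctexts))
    return same_size and uniform and unique


def modified_shift_cipher(n_letters, p_prob=None):
    """One-letter modified shift cipher over an alphabet {0..n-1}:
    e_k(m) = m + k mod n with a uniformly random key.  Any plaintext
    distribution may be supplied; the default is uniform."""
    alphabet = list(range(n_letters))
    if p_prob is None:
        p_prob = {m: F(1, n_letters) for m in alphabet}
    k_prob = {k: F(1, n_letters) for k in alphabet}
    enc = {k: {m: (m + k) % n_letters for m in alphabet} for k in alphabet}
    return p_prob, k_prob, enc


if __name__ == "__main__":
    p_c, p_c_m, p_m_c = cipher_distributions(P_PROB, K_PROB, ENC)
    print({c: float(v) for c, v in p_c.items()})                 # 0.2625 ... 0.2125
    print({m: round(float(v), 3) for m, v in p_m_c[1].items()})  # posteriors given C = 1
    print("toy cipher perfectly secret:", is_perfectly_secret(P_PROB, K_PROB, ENC))
    shift = modified_shift_cipher(26)
    print("shift cipher meets Shannon's conditions:", shannon_conditions(*shift))
    print("shift cipher perfectly secret:", is_perfectly_secret(*shift))
```

Because the posteriors are kept as exact fractions, the perfect-secrecy test is an exact equality rather than a floating-point comparison; the toy cipher fails it already at p(P = a|C = 1) = 0 ≠ 1/4, while the shift cipher passes it for a skewed plaintext distribution too, which is what Shannon's Theorem promises.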

2.2. Vernam Cipher. The above modified shift cipher basically uses addition modulo 26. One problem with this is that in a computer, or any electrical device, mod 26 arithmetic is hard, but binary arithmetic is easy. We are particularly interested in the addition operation, which is denoted by ⊕ and is equal to the logical exclusive-or, or XOR, operation:

  ⊕ | 0   1
 ---+-------
  0 | 0   1
  1 | 1   0

In 1917 Gilbert Vernam patented a cipher which used these principles, called the Vernam cipher or one-time pad. To send a binary string you need a key, which is a binary string as long as the message. To encrypt a message we XOR each bit of the plaintext with each bit of the key to produce the ciphertext. Each key is only allowed to be used once, hence the term one-time pad. This means that key distribution is a pain, a problem which we shall come back to again and again. To see why we cannot get away with using a key twice, consider the following chosen plaintext attack. We assume that Alice always uses the same key k to encrypt a message to Bob. Eve wishes to determine this key and so carries out the following attack:

  • Eve generates m and asks Alice to encrypt it.
  • Eve obtains c = m ⊕ k.
  • Eve now computes k = c ⊕ m.

You may object to this attack since it requires Alice to be particularly stupid, in that she encrypts a message for Eve. But in designing our cryptosystems we should try and make systems which are secure even against stupid users. Another problem with using the same key twice is the following. Suppose Eve can intercept two messages encrypted with the same key

c1 = m1 ⊕ k,  c2 = m2 ⊕ k.

Eve can now determine some partial information about the pair of messages m1 and m2 since she can compute

c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2.

Despite the problems associated with key distribution, the one-time pad has been used in the past in military and diplomatic contexts.
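As an added example (not code from the book), the following Python implements the Vernam cipher on byte strings with the XOR operation tabulated above, wraps the pre-shared pads in a small store that refuses to hand out the same pad twice (the "one-time" rule enforced in code rather than left to the user), and verifies the identity c1 ⊕ c2 = m1 ⊕ m2 from the text, i.e. that reusing a pad leaks the XOR of the two plaintexts independently of k. The messages, the pad identifier and the class and function names are constructed for this example.

```python
# Added example, not from the book: a byte-string one-time pad, a pad store
# that enforces single use, and a check of c1 XOR c2 = m1 XOR m2 under reuse.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the ⊕ of the text, bit by bit)."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePadStore:
    """Holds pre-shared pads and enforces the 'one-time' rule: each pad id can be
    consumed once on this side, whether for encryption or decryption."""

    def __init__(self, pads: dict):
        self._pads = dict(pads)   # pad_id -> key bytes, assumed already shared out of band
        self._used = set()

    def take(self, pad_id: str) -> bytes:
        if pad_id in self._used:
            raise RuntimeError(f"pad {pad_id!r} already used; refusing to reuse it")
        self._used.add(pad_id)
        return self._pads[pad_id]

    def encrypt(self, pad_id: str, m: bytes) -> bytes:
        return xor_bytes(m, self.take(pad_id))   # c = m XOR k

    def decrypt(self, pad_id: str, c: bytes) -> bytes:
        return xor_bytes(c, self.take(pad_id))   # m = c XOR k


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper obtains from two ciphertexts under one key:
    c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2, with no knowledge of k."""
    return xor_bytes(c1, c2)


def demo():
    """Returns (store blocked the second use, reuse leak equals m1 XOR m2)."""
    m1 = b"ATTACK AT DAWN"                 # constructed sample messages (14 bytes each)
    m2 = b"RETREAT AT TEN"
    k = secrets.token_bytes(len(m1))       # fresh random key as long as the message
    alice = OneTimePadStore({"pad-1": k})  # both sides hold the same pre-shared pad
    bob = OneTimePadStore({"pad-1": k})
    c1 = alice.encrypt("pad-1", m1)
    if bob.decrypt("pad-1", c1) != m1:
        raise AssertionError("decryption must invert encryption")
    # The store blocks a second use of pad-1 on Alice's side ...
    try:
        alice.encrypt("pad-1", m2)
        blocked = False
    except RuntimeError:
        blocked = True
    # ... and if the key were reused anyway, the XOR of the two ciphertexts
    # equals the XOR of the two plaintexts, whatever k was.
    c2 = xor_bytes(m2, k)
    leaked = reuse_leak(c1, c2)
    return blocked, leaked == xor_bytes(m1, m2)


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The length check in `xor_bytes` matters as much as the reuse check: a key shorter than the message would have to be repeated, which is the same key-reuse situation in a different guise.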

3. Entropy

If every message we send requires a key as long as the message, and we never encrypt two messages with the same key, then encryption will not be very useful in everyday applications such as Internet transactions. This is because getting the key from one person to another will be an impossible task. After all one cannot encrypt it since that would require another key. This problem is called the key distribution problem.

To simplify the key distribution problem we need to turn from perfectly secure encryption algorithms to ones which are, hopefully, computationally secure. This is the goal of modern cryptographers, where one aims to build systems such that

  • one key can be used many times,
  • one small key can encrypt a long message.