Private-Key Encryption and Perfect Secrecy in Cryptography, Study notes of Cryptography and System Security

Lecture notes 3 from a 2006 course on introduction to cryptography by salil vadhan and alon rosen. It discusses private-key encryption and perfect secrecy, providing definitions and examples of encryption schemes, as well as propositions and proofs related to perfect indistinguishability and shannon secrecy.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 4

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS 120/CSCI E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Sept. 21 & 26, 2006
Lecture Notes 3:
Private-Key Encryption: Perfect Secrecy
Recommended Reading.
KatzLindell, Chapter 2.
1 Private-Key (aka Symmetric) Encryption
The setting for private-key encryption is the following: two parties share a
secret key
and want
to exchange messages
privately
over insecure channel. For now, we will not worry about how
they came to share the secret key.
Kerchkho's Principle: Assume encryption/decryption algorithms are known to adversary.
Only thing secret is the
key
.
For now, insecure channel means that adversary can
listen
to all messages sent, but cannot
inject/alter messages, i.e.
passive
rather than
active
.
Denition 1
A
(private-key) encryption scheme
consists of three algorithms
(G, E, D)
, as
follows:
The
key generation
algorithm
G
is a randomized algorithm that returns a
key
k K
; we
write
k
R
G
.
The
encryption algorithm
E
is a randomized algorithm that takes a key
k K
and a
plaintext
(aka
message
)
m P
and outputs a ciphertext
c C
; we write
c
R
Ek(m)
.
The
decryption algorithm
D
is a deterministic algorithm that takes a key
k K
and a
ciphertext
c C
and returns a plaintext
m P
.
The
message space
P
is often the set of strings of a given length. The ciphertext space
C
does
not have to equal the plaintext space. We require
Dk(Ek(m)) = m
for all
m P
.
The denition describes the functionalities of the encryption scheme but does not take security
into account yet. For example:
Examples:
Shift cipher (cf. Caesar cipher). The key is a random number:
k
R
{0, . . . , 25}
, the mes-
sage space is
P={A, . . . , Z}`
(strings of length
`
over the English alphabet) so we can
see the message as
m {0, . . . , 25}`
.
Ek(m1m2· · · m`) = c1c2· · · c`
, where
ci=mi+k
(mod 26)
.
1
pf3
pf4

Partial preview of the text

Download Private-Key Encryption and Perfect Secrecy in Cryptography and more Study notes Cryptography and System Security in PDF only on Docsity!

CS 120/CSCI E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Sept. 21 & 26, 2006

Lecture Notes 3:

Private-Key Encryption: Perfect Secrecy

Recommended Reading.

  • KatzLindell, Chapter 2.

1 Private-Key (aka Symmetric) Encryption

  • The setting for private-key encryption is the following: two parties share a secret key and want to exchange messages privately over insecure channel. For now, we will not worry about how they came to share the secret key.
  • Kerchkho's Principle: Assume encryption/decryption algorithms are known to adversary. Only thing secret is the key.
  • For now, insecure channel means that adversary can listen to all messages sent, but cannot inject/alter messages, i.e. passive rather than active.
  • Denition 1 A (private-key) encryption scheme consists of three algorithms (G, E, D), as follows:

 The key generation algorithm G is a randomized algorithm that returns a key k ∈ K; we write k ←R G.  The encryption algorithm E is a randomized algorithm that takes a key k ∈ K and a plaintext (aka message) m ∈ P and outputs a ciphertext c ∈ C; we write c ←R Ek(m).  The decryption algorithm D is a deterministic algorithm that takes a key k ∈ K and a ciphertext c ∈ C and returns a plaintext m ∈ P.

The message space P is often the set of strings of a given length. The ciphertext space C does not have to equal the plaintext space. We require Dk(Ek(m)) = m for all m ∈ P.

  • The denition describes the functionalities of the encryption scheme but does not take security into account yet. For example:
  • Examples:

 Shift cipher (cf. Caesar cipher). The key is a random number: k ← {R 0 ,... , 25 }, the mes- sage space is P = {A,... , Z}^ (strings of length over the English alphabet) so we can see the message as m ∈ { 0 ,... , 25 }. Ek(m 1 m 2 · · · m) = c 1 c 2 · · · c`, where ci = mi + k (mod 26).

 Substitution cipher. The key k is a random permutation of { 0 ,... , 25 }. Ek(m 1 m 2 · · · m) = k(m 1 )k(m 2 ) · · · k(m).  One-time pad. The message space consists of binary strings of length and the key k is a random element of { 0 , 1 }. Ek(m) = m ⊕ k (bitwise XOR). The decryption is Dk(c) = c ⊕ k.

2 Perfect Secrecy

  • What does it mean for something to be secret? How to dene security? Some attempts:

 Adversary can't determine key from ciphertext.  Adversary can't determine plaintext.  Adversary can't determine any symbol of plaintext.  Adversary can't determine any information about plaintext.

  • Denition 2 (perfect indistinguishability) Encryption scheme satises perfect indistin- guishability if for every m 1 , m 2 ∈ P and K ←R G, the random variables EK (m 1 ) and EK (m 2 ) have the same distribution. That is, for every c,

Pr [EK (m 1 ) = c] = Pr [EK (m 2 ) = c] ,

where the probabilities are taken over k ←R G and the coin tosses of E. Idea: the adversary sees the same distribution of ciphertext, regardless of the message sent. Note that there is no probability distribution over the messages; rather we assume that the adversary knows the possible messages in advance. Intuitively, the case of two messages is the worst case (the adversary knows all but one bit of information in advance), and hence is representative of the security of an encryption scheme.

  • Proposition 3 Shift and Substitution ciphers do not satisfy perfect indistinguishability for messages of length > 1. Proof:
  • Proposition 4 One-time pad satises perfect indistinguishability. Proof:
  • Denition 5 (Shannon secrecy) Let M be a distribution on P. An encryption scheme satises Shannon secrecy with respect to M if for every m ∈ P and every c ∈ C,

Pr [M = m|EK (M ) = c] = Pr [M = m]

  • Computational security: only protect against adversaries with limited computational re- sources, i.e. ecient adversaries with a reasonable amount of computational power ⇒ REST OF THIS COURSE.
  • Other communication settings  quantum cryptography, beacon of random bits,...