CSC 5930/9010 Modern Cryptography: Perfect Secrecy Professor Henry Carter Fall 2018
Recap Cryptography has existed for centuries, but has only developed into a science in the past ~80 years Encryption schemes are composed of three algorithms Ancient cryptography, while provably insecure, has some starting lessons to teach us Three guiding principles to the science of cryptography
Perfect Secrecy Starting off with the strongest definition This is possible! Why even consider less secure schemes? Limitations to perfect secrecy make it difficult to use
Last time: three principles Formal definitions Precise Assumptions Rigorous Proofs
A note on randomness We assume all parties have access to uniform random bits In practice, this requires: High entropy input Smoothing the input to obtain uniform bits This is a HUGE challenge in practical crypto implementations Many random number generators are NOT cryptographically secure
Defining Security Intuitively, leak no additional information about the underlying plaintext Assume unlimited computational power This will change in future definitions The adversary does not have access to the secret key But may have access or knowledge of messages
Notes Message space may be very small One-bit messages Distribution over messages is not uniform (or secret) "Attack at dawn" may be unlikely Unlimited compute power implies immunity to brute-force attacks Security must be perfect!
Probability Review [Figure: sample space S containing events E1 and E2, with outcomes labelled with probabilities of 1/5, 1/10 and 1/20]
Notation Probability of an event Probability of the union Intersection Conditional probability
Bayes' Theorem
Example: ROT-X Cipher What is the keyspace? Given a message distribution of: Pr[ M = a ] = 0.7, Pr[ M = z ] = 0.3 What is the probability that the ciphertext is B? What is the probability the message is a given the ciphertext is B?
Example: ROT-X Cipher Given the message distribution Pr[ M = kim ] = 0.5, Pr[ M = ann ] = 0.2, Pr[ M = boo ] = 0.3 What is the probability that the ciphertext is DQQ?
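
Both ROT-X questions can be answered exactly by enumerating the keys and applying Bayes' theorem. The Python below is an added example, not part of the original slides; it assumes the keyspace is the 26 shifts 0..25 chosen uniformly, and the function names are chosen here.

```python
from fractions import Fraction
from string import ascii_lowercase as ALPHA

KEYS = range(26)  # assumption: the key is a uniform shift in 0..25

def rot(msg, k):
    """ROT-k: shift each lowercase letter forward by k; ciphertext in upper case."""
    return "".join(ALPHA[(ALPHA.index(ch) + k) % 26] for ch in msg).upper()

def ciphertext_prob(prior, c):
    """Pr[C = c]: sum of Pr[M = m] * Pr[K = k] over all (m, k) with Enc_k(m) = c."""
    pk = Fraction(1, len(KEYS))
    return sum((pm * pk for m, pm in prior.items()
                for k in KEYS if rot(m, k) == c), Fraction(0))

def posterior(prior, m, c):
    """Pr[M = m | C = c] by Bayes' theorem (c must have non-zero probability)."""
    pk = Fraction(1, len(KEYS))
    pc_given_m = sum((pk for k in KEYS if rot(m, k) == c), Fraction(0))
    return pc_given_m * prior[m] / ciphertext_prob(prior, c)

# Message distributions taken from the two slides above.
single = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
names = {"kim": Fraction(1, 2), "ann": Fraction(1, 5), "boo": Fraction(3, 10)}

if __name__ == "__main__":
    print("Pr[C = B]        =", ciphertext_prob(single, "B"))
    print("Pr[M = a | C = B] =", posterior(single, "a", "B"))
    print("Pr[C = DQQ]      =", ciphertext_prob(names, "DQQ"))
    for m in names:
        print(f"Pr[M = {m} | C = DQQ] =", posterior(names, m, "DQQ"))
```

For one-letter messages the posterior equals the prior, while for the three-letter names the ciphertext DQQ rules out "kim" entirely, so the same cipher stops being perfectly secret once one key shifts several letters.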
Secrecy Assume some set of messages M with a known probability distribution Assume an adversary can see the encrypted ciphertext Goal: adversary should have no more information about the message after viewing the ciphertext than he did before (a posteriori vs a priori)
Perfect Secrecy
An alternate definition An encryption scheme (Gen, Enc, Dec) with message space $\mathcal{M}$ is perfectly secret if and only if: for every $m, m' \in \mathcal{M}$ and every $c \in \mathcal{C}$, $\Pr[\mathrm{Enc}_K(m) = c] = \Pr[\mathrm{Enc}_K(m') = c]$
Proof $\Pr[\mathrm{Enc}_K(m) = c] = \Pr[\mathrm{Enc}_K(m') = c] \rightarrow$ Perfect Secrecy
Practice Prove that if a scheme is perfectly secure, then the alternate definition holds
Adversarial indistinguishability The definitions we have seen so far use probability distributions over messages and ciphertexts How do we define these probabilities based on adversary capability? Previously mentioned adversarial games in definition Will be useful for reduction-style proofs What does an adversarial game look like?
Adversarial Indistinguishability Exp
Experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$:
1. The adversary $\mathcal{A}$ outputs $m_0, m_1 \in \mathcal{M}$
2. Generate $k$ using Gen and a uniform bit $b \in \{0, 1\}$. Give $c \leftarrow \mathrm{Enc}_k(m_b)$ to $\mathcal{A}$
3. $\mathcal{A}$ outputs bit $b'$
4. Output 1 if $b = b'$ and output 0 otherwise
Adv Ind Definition Encryption scheme $\Pi$ = (Gen, Enc, Dec) with message space $\mathcal{M}$ is perfectly indistinguishable if for every $\mathcal{A}$ it holds that: $\Pr[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi} = 1] = \frac{1}{2}$
Example: Vigenere Cipher Message space: two-character strings The length of the key is chosen uniformly from {1, 2} Construct the adversary
Analysis Compute $\Pr[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi} = 1]$
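
The experiment for this Vigenère variant is small enough to evaluate exactly by enumerating the bit b, the key length and every key. The Python below is an added example, not part of the original slides; the adversary it uses (m0 = "aa", m1 = "ab", guess 0 when both ciphertext letters are equal) is one possible choice assumed here, since the slide leaves the construction as an exercise.

```python
from fractions import Fraction
from itertools import product

def vigenere(msg, key):
    """Encrypt a lowercase string with a sequence of shifts, repeating the key."""
    return "".join(chr((ord(ch) - 97 + key[i % len(key)]) % 26 + 97)
                   for i, ch in enumerate(msg))

# Assumed adversary: two messages that differ only in whether their letters repeat.
M0, M1 = "aa", "ab"

def guess(c):
    """Adversary's output b': 0 if the two ciphertext letters match, otherwise 1."""
    return 0 if c[0] == c[1] else 1

def privk_success(periods=(1, 2)):
    """Exact Pr[PrivK = 1] when the key length is uniform over `periods`."""
    total = Fraction(0)
    for b, period in product((0, 1), periods):
        keys = list(product(range(26), repeat=period))
        # Pr[b] * Pr[key length] * Pr[this key | key length]
        weight = Fraction(1, 2) * Fraction(1, len(periods)) / len(keys)
        for key in keys:
            if guess(vigenere((M0, M1)[b], key)) == b:
                total += weight
    return total

if __name__ == "__main__":
    print("key length in {1, 2}:", privk_success())
    print("key length always 2: ", privk_success(periods=(2,)))
```

With the key length drawn from {1, 2} this adversary wins with probability 3/4; when the key is always as long as the message it is back to 1/2.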
The One-time Pad 1917 Gilbert Vernam applied for the patent No proof of security! Claude Shannon proved security 25 years later Used famously by national intelligence and the "red phone" between the US and USSR
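One-time pad
For a bit string of length $L$: $\mathcal{M} = \mathcal{C} = \mathcal{K} = \{0,1\}^L$
Gen: $k \leftarrow \{0,1\}^L$ chosen uniformly
Enc(k, m): $c \leftarrow k \oplus m$
Dec(k, c): $m \leftarrow k \oplus c$
Correctness: For all $k, m$: $k \oplus (k \oplus m) = m$, implying Dec(k, Enc(k, m)) = m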
Security Intuition Keys are chosen uniformly Given a ciphertext, we can decrypt it to any plaintext depending on the key Since keys are uniform, the probability that the message is m is no different from the probability without knowing the ciphertext
Proof Compute $\Pr[C = c \mid M = m']$ for an arbitrary $c \in \mathcal{C}$ and $m' \in \mathcal{M}$
Proof Fix any distribution over $\mathcal{M}$. For any $c \in \mathcal{C}$:
Are we done? Pros: Information theoretic: NO UNPROVEN ASSUMPTIONS Secure against any adversary of any capability What are the cons to this scheme?
Attacks
What happens if we re-use the key?
$m_1 \oplus k = c_1$
$m_2 \oplus k = c_2$
$c_1 \oplus c_2 = m_1 \oplus k \oplus k \oplus m_2 = m_1 \oplus m_2$
What can an adversary do with $m_1 \oplus m_2$?
Rules out perfect secrecy
Can be (and has been) used to recover text using frequency analysis
How does this complicate usage?
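
The key-reuse identity above can be checked on bytes: the pad cancels, so two ciphertexts alone show where the plaintexts agree, and knowing one plaintext yields the other. The Python below is an added example, not part of the original slides; the two sample messages and all function names are constructed here.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; the one-time pad requires operands of equal length."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_pair(m1: bytes, m2: bytes):
    """Encrypt two messages under the SAME uniform pad (the misuse on the slide)."""
    k = secrets.token_bytes(len(m1))
    return xor(m1, k), xor(m2, k)

def agreeing_positions(c1: bytes, c2: bytes):
    """Indices where c1 XOR c2 is zero, i.e. where the two plaintexts are equal."""
    return [i for i, byte in enumerate(xor(c1, c2)) if byte == 0]

def recover_second(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """m2 = c1 XOR c2 XOR m1: one known plaintext gives the other, no key needed."""
    return xor(xor(c1, c2), known_m1)

# Constructed sample messages of equal length.
M1, M2 = b"attack at dawn", b"attack at dusk"

if __name__ == "__main__":
    c1, c2 = encrypt_pair(M1, M2)
    print("c1 xor c2 == m1 xor m2:", xor(c1, c2) == xor(M1, M2))
    print("plaintexts agree at   :", agreeing_positions(c1, c2))
    print("m2 from known m1      :", recover_second(c1, c2, M1))
```

The result is the same for every pad, which is why a pad must be discarded after a single message.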
Long keys
The theoretical wall The one-time pad is the optimal perfectly secret encryption scheme Key length and one-time properties are necessary for any perfectly secure encryption scheme Be wary of anyone who claims otherwise! Impossibility results are not uncommon in cryptography
Claude Shannon Mathematician, cryptographer, engineer Pioneered foundational work in information theory, Boolean circuit design, and cryptanalysis His information theory serves as the foundation for information-theoretic cryptography Proved the one-time pad secure along with an alternate definition
Shannon's Theorem
An encryption scheme (Gen, Enc, Dec) with message space $\mathcal{M}$ where $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$ is perfectly secret if and only if:
1. Every key $k$ is chosen with equal probability $1/|\mathcal{K}|$
2. For every $m \in \mathcal{M}$ and $c \in \mathcal{C}$, there is a unique key $k$ such that $\mathrm{Enc}_k(m)$ outputs $c$
Proof Shannon's theorem $\rightarrow$ Perfect secrecy
Proof Perfect secrecy $\rightarrow$ Shannon's theorem
Shannon's Theorem Provides a handy test to verify perfect secrecy Neither condition requires complex probability computation Example: vastly simplifies the proof of the one-time pad Remember: it ONLY applies to schemes where the keyspace, message space, and ciphertext space are all the same size!
Thought Exercise It has been suggested that using the one-time pad with the key $0^L$ is insecure What does your intuition tell you? What does information theory tell you?
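
On a small scheme, Shannon's test and the alternate definition of perfect secrecy can both be checked by enumeration and compared. The Python below is an added example, not part of the original slides; it assumes uniformly chosen keys (condition 1), and the 3-bit pad, the `reused_bit` variant and the keyspace without $0^L$ (one way to act on the suggestion in the thought exercise) are constructed here.

```python
from fractions import Fraction
from itertools import product

def enc_dist(keys, enc, m):
    """Distribution of Enc_K(m) for K uniform over `keys` (condition 1 assumed)."""
    dist = {}
    for k in keys:
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist

def perfectly_secret(keys, msgs, enc):
    """Alternate definition: Pr[Enc_K(m) = c] is identical for every message m."""
    dists = [enc_dist(keys, enc, m) for m in msgs]
    return all(d == dists[0] for d in dists)

def shannon_test(keys, msgs, enc):
    """Condition 2 of Shannon's theorem; None when |M| = |K| = |C| does not hold."""
    ctexts = {enc(k, m) for k in keys for m in msgs}
    if not (len(keys) == len(msgs) == len(ctexts)):
        return None  # the theorem does not apply to this scheme
    # With |K| = |C|, a unique key for every (m, c) means that for each m
    # the map k -> Enc_k(m) reaches every ciphertext.
    return all(len({enc(k, m) for k in keys}) == len(ctexts) for m in msgs)

def otp(k, m):
    """One-time pad on bit tuples."""
    return tuple(a ^ b for a, b in zip(k, m))

def reused_bit(k, m):
    """Constructed broken variant: key bit 0 masks both position 0 and position 1."""
    return (m[0] ^ k[0], m[1] ^ k[0], m[2] ^ k[2])

BITS3 = list(product((0, 1), repeat=3))   # M = K = C = {0,1}^3
NO_ZERO = [k for k in BITS3 if any(k)]    # keyspace with the all-zero key removed

if __name__ == "__main__":
    for name, keys, enc in [("OTP", BITS3, otp),
                            ("OTP without 0^L", NO_ZERO, otp),
                            ("reused key bit", BITS3, reused_bit)]:
        print(f"{name:16} Shannon test: {shannon_test(keys, BITS3, enc)!s:5} "
              f"perfectly secret: {perfectly_secret(keys, BITS3, enc)}")
```

Removing the all-zero key leaves fewer keys than messages, so Shannon's test no longer applies, and the direct check shows that every ciphertext then rules out one message.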
Moving forward Practical encryption schemes do not require such strong guarantees We relax the following: Computationally bounded adversaries Asymptotic security Assume that hard problems exist To achieve the following: Short encryption keys Reusable encryption keys Essentially all cryptographic constructions!
Recap Perfect security implies that an adversary of unlimited computational power cannot learn additional information about a message based on observing the encrypted version The one-time pad is the original example of an information-theoretic secure encryption scheme It is unfortunately limited in practicality Proofs of security may take the form of a probability calculation, an adversarial experiment, or a convenient checklist in the case of Shannon security
Next Time... Katz & Lindell Chapter 3.1-4 Remember, you need to read it BEFORE you come to class! Homework problems available on the course webpage