Date posted: 02-Jun-2018
Uploaded by: tomjeffries
8/10/2019 Communication Theory of secrecy Systems.ppt
1/57
Communication Theory of
Secrecy Systems
On a paper by Shannon
(and the industry it didn't spawn)
Gilad Tsur
Yossi Oren
December 2005
What you'll see today
Shannon: his life and work
Cryptography before Shannon
Definition of a cryptosystem
Theoretical and practical security
Product ciphers and combined cryptosystems
Closing thoughts
Shannon: his life and work
Claude E. Shannon (1916-2001)
Claude E. Shannon (1916-2001)
Important facts:
M.Sc. thesis founded an industry
Ph.D. finished in 1.5 years
Married a computer in 1949
Wrote scientific papers on a variety of topics, including juggling
Shannon's Information Theory Paper
Mathematical Theory of Communication, published in 1948
Main claim: All sources of data have a rate
All channels have a capacity
If the capacity is greater than the rate, transmission with no errors is possible
Introduced the concept of entropy of a random variable/process
Cryptography before Shannon
From http://www.cqrsoft.com/history/scytale.htm
Themes in cryptography
From http://images.encarta.msn.com/xrefmedia/sharemed/targets/images/pho/t025/T025102A.jpg
Seals were used as authentication means for signing contracts, for royal decrees and for other documents.
Passwords were used by military and other organizations to identify members.
Codes are semantic while ciphers are syntactic.
All these methods (in the case of seals, as rubber stamps) are also in use today.
Ancient Ciphers I
Atbash cipher used in the Old Testament
Of course, anyone who'd ever heard of this cipher could easily crack it.
This is also true for another famous cipher, the Caesar cipher.
Plaintext:  A B C X Y Z
Ciphertext: D E F A B C
Ancient Ciphers II
The Caesar cipher is just a specific case of what are generally known as Shift Ciphers.
A Shift cipher is one where the code is simply a rotation of the alphabet by K steps, where the number K can be considered the key. Easier for us in CS: think of it as a constant added modulo the size of the alphabet.
Obviously, finding the key for such a code is not a lengthy process.
Ancient Ciphers III
So what were these ciphers good for?
Text took an active effort to understand (this was used with ROT-13 on Usenet).
Probably the real reason: security through obscurity.
The concept of cryptography was not that well known, and codes such as Atbash were simply assumed not to be known by people you didn't want reading them.
Ancient Ciphers IV
Both Atbash and Shift ciphers are specific cases of a more general type of cipher used in the ancient world: Monoalphabetic Substitution Ciphers.
As these ciphers were used by people who wanted to remember them, keyword and keyphrase ciphers were often used.
The keyword could be changed daily to make it harder to decrypt.
Some of these ciphers didn't use a 1-1 correspondence, trusting the redundancy of language or allowing multiple representations.
Ancient Ciphers V
Not all ancient ciphers used substitution methods.
The earliest known cryptographic device (to the best of our knowledge) is the Spartan scytale.
Using this device the letters of the message weren't changed, but their order was.
http://plus.maths.org/issue34/features/ekert/
Ancient Ciphers VI
The scytale was a device assisting in the creation of a Transposition Cipher.
Perhaps the most notable example of a transposition cipher is the column transposition.
Other geometrical transposition ciphers abound, mostly route ciphers.
Transposition ciphers based on a local permutation are also common, but offer a less obviously convenient way of writing quickly.
Ancient Ciphers VII
We have written records of frequency analysis dating to the 9th century.
From http://en.wikipedia.org/wiki/Caesar_cipher
http://plus.maths.org/issue34/features/ekert/
Using multiple options to substitute frequent letters could make frequency analysis much harder.
Cryptography during the dark ages (till around the 14th century)
Cryptography didn't advance much in Europe during the dark ages.
Some religious and mystical sects used cryptographic techniques to encode their writings, often substitution ciphers to an arcane alphabet.
However, the church considered most people using cryptography as heretics, sorcerers or witches, and was in the habit of burning them.
Coupled with low levels of literacy, cryptography was only studied outside of Europe.
While texts (such as the cryptanalytic one mentioned above) appeared, we are unaware of major advances.
Codes and ciphers in the renaissance
In Italy, and later all over Europe, cryptography returns to fashion.
Different city-states and countries begin to employ professional cryptanalysts for encoding and decoding mail.
The most common codes are Polyalphabetic Substitution Ciphers.
Many devices are made to aid encryption and decryption.
Polyalphabetic substitution ciphers
These ciphers can simply be considered as a list of shift ciphers or monoalphabetic substitution ciphers to be used consecutively.
The use of some of these ciphers was aided by a cipher disk.
Other such ciphers used tables to assist encryption and decryption.
Notably, some of these ciphers were polygraphic: each encoded symbol represented a combination of plaintext symbols.
Cryptanalysis of polyalphabetic substitution ciphers
The major classic techniques used for this process involve two steps:
1. Discover the length of the cycle.
2. Use monoalphabetic cryptanalysis techniques for each alphabet (+ information gained from previous alphabets).
Step 1 can be done systematically (brute force approach) but this may be a very hard process.
A shortcut that often helps (and was published in the 19th century, though probably known before) is finding repeating sequences in the text.
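The step 1 shortcut (the repeating-sequence method) as an added Python example that is not part of the original slides: it encrypts a constructed plaintext with a short repeating key, collects the distances between repeated ciphertext trigrams, and votes for the divisors of those distances; the cycle length is the period with the most votes, after which step 2 can be applied to each alphabet separately. The key "KEY", the plaintext and the trigram length are assumptions made for the example.

```python
from collections import Counter, defaultdict
from itertools import combinations

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def vigenere_encrypt(plaintext, key):
    """Polyalphabetic substitution: letter i is shifted by key letter i mod len(key),
    so the cipher cycles through len(key) shift alphabets."""
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(key[i % len(key)])) % 26]
                   for i, p in enumerate(plaintext))

def repeated_sequence_distances(ciphertext, length=3):
    """Distances between every pair of occurrences of a repeated length-letter sequence.
    A repeated plaintext fragment encrypts identically only when its copies lie a
    multiple of the cycle length apart, so these distances carry the period."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return [b - a for pos in positions.values() for a, b in combinations(pos, 2)]

def likely_period(ciphertext, max_period=12):
    """Step 1: vote for every divisor of every repeat distance; the true cycle length
    divides all genuine repeat distances, so it collects the most votes."""
    votes = Counter()
    for d in repeated_sequence_distances(ciphertext):
        for period in range(2, max_period + 1):
            if d % period == 0:
                votes[period] += 1
    if not votes:
        return None
    return min(votes, key=lambda period: (-votes[period], period))

# Constructed sample: the word ATTACK recurs at distances 9, 12 and 21, whose only
# common divisor above 1 is the key length 3.
PLAINTEXT = "ATTACKNOWATTACKATDAWNATTACKATNOON"
CIPHERTEXT = vigenere_encrypt(PLAINTEXT, "KEY")

if __name__ == "__main__":
    print(CIPHERTEXT)
    print("repeat distances:", sorted(repeated_sequence_distances(CIPHERTEXT)))
    print("likely period:", likely_period(CIPHERTEXT))
```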
Cryptography in the 19th and 20th Centuries I
WWI sees the full use of cryptography in the battlefield.
Advances in radio and telegraph allow military units to communicate better than ever before. This means easy to use, generic ciphers are required. Mechanized cipher machines offer this option.
Cryptography in the 19th and 20th Centuries II
WWII is famous for being a scientific war in general, and for cryptography in particular.
German Enigma cracked by the British, Japanese Purple by the US.
Enigma was, in fact, a polyalphabetic cipher system with around 20,000 alphabets.
Definitions of a Cryptosystem
Definitions of a Cryptosystem: Shannon's version II
A cryptosystem can be viewed as a distribution of possible plaintexts (P), a set of possible ciphertexts (C), a distribution of possible keys (K) and an encoding transformation (E) with its inverse (D).
Definitions of a Cryptosystem: modern variations
Many things have changed in our thinking about cryptography.
Different functions: not only trying to transmit secret information.
Different settings for Alice and Bob: we now have public key cryptosystems and extensive use of randomness.
Different settings for Eve: we now have a variety of attacks such as known plaintext, chosen ciphertext, chosen plaintext and side channel attacks.
Shannon's 1948 Paper
Published one year after his monumental information theory paper
Inspired by Von Neumann's paper on game theory
Transformed cryptography from art to science
Main Contributions
Notions of theoretical security and practical security
Observation that the secret is all in the key, not in the algorithm: "the enemy knows the system" (also attributed to Auguste Kerckhoffs)
Product ciphers and mixing transformations: inspiration for LUCIFER and later DES
Proof that Vernam's cipher (one-time pad) was theoretically secure
Theoretical Security and Practical Security
Theoretical Security and Practical Security
Theoretically secure cryptosystems cannot be broken even by an all-powerful adversary
Practically secure cryptosystems require a large amount of work to break
Bad news:
The only theoretically secure cryptosystem is the one-time pad
The only practically secure cryptosystem is the one-time pad
We do have some cryptosystems which are provably [as] secure as a difficult problem
Review: Bayes' Theorem
Let X and Y be two random variables.
Define:
Theorem (Chain Rule):
Theorem (Bayes): A priori
A posteriori
Theoretical (Perfect) Security
What does it mean for a cryptosystem to be perfectly secure?
Essentially, the adversary doesn't learn anything from the ciphertext:
The Vernam Cipher (1)
Is there a perfectly secure cryptosystemfor which |K|=|P|?
Theorem (Shannon): Let (P,K,C,E,D) be acryptosystem for which |K|=|P|=|C|. Then the
cryptosystem provides perfect secrecy iff:
The Vernam Cipher (2)
Proof: Let (P,K,C,E,D) be a cryptosystem for which |K|=|P|=|C|.
Because of perfect secrecy:
|K|=|P|=|C|, so there is a unique key associated with every pair (p,c)
The Vernam Cipher (3)
Fix c. For all possible plaintexts p_i, let k_i be the key satisfying e_{k_i}(p_i) = c
By Bayes:
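The perfect-secrecy definition and the theorem above, as an added Python example that is not part of the original slides: it computes, with exact fractions, the a posteriori probability Pr[P=p | C=c] of every plaintext given every possible ciphertext and checks that it equals the a priori probability Pr[P=p]. The toy cryptosystems over Z_4 are constructed for the example: a one-letter Vernam (shift) cipher with equiprobable keys passes, the same cipher with non-equiprobable keys fails, and one key reused on two letters (|K| < |P|) fails.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

def posterior(plain_dist, key_dist, encrypt):
    """Return {c: {p: Pr[P=p | C=c]}} for the cryptosystem given by a plaintext
    distribution, an independent key distribution and an encryption map e_k(p)."""
    joint = defaultdict(Fraction)                # (p, c) -> Pr[P=p, C=c]
    for p, pp in plain_dist.items():
        for k, pk in key_dist.items():
            joint[(p, encrypt(k, p))] += pp * pk
    p_c = defaultdict(Fraction)                  # c -> Pr[C=c]
    for (p, c), pr in joint.items():
        p_c[c] += pr
    post = defaultdict(dict)
    for (p, c), pr in joint.items():
        post[c][p] = pr / p_c[c]                 # Bayes: Pr[p|c] = Pr[p,c] / Pr[c]
    return post

def is_perfectly_secret(plain_dist, key_dist, encrypt):
    """Shannon's definition: seeing the ciphertext changes no plaintext probability."""
    post = posterior(plain_dist, key_dist, encrypt)
    return all(post[c].get(p, Fraction(0)) == pp
               for c in post for p, pp in plain_dist.items())

# Constructed toy systems over the alphabet Z_4 = {0, 1, 2, 3}.
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEYS = {k: Fraction(1, 4) for k in range(4)}
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}

def shift4(k, p):
    """One-letter Vernam/shift cipher: e_k(p) = p + k mod 4."""
    return (p + k) % 4

# Two independent letters encrypted under the same key: |K| = 4 < |P| = 16.
PLAIN_PAIRS = {(a, b): PLAIN[a] * PLAIN[b] for a, b in product(range(4), repeat=2)}

def pair_shift4(k, pair):
    return tuple(shift4(k, p) for p in pair)

if __name__ == "__main__":
    print("one-time pad, uniform keys:", is_perfectly_secret(PLAIN, UNIFORM_KEYS, shift4))
    print("one-time pad, skewed keys: ", is_perfectly_secret(PLAIN, SKEWED_KEYS, shift4))
    print("key reused on two letters: ", is_perfectly_secret(PLAIN_PAIRS, UNIFORM_KEYS, pair_shift4))
```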
Towards real-world cryptography
How secure are cryptosystems with a smaller keyspace?
Rules of the game:
Symmetric (deterministic) encryption
|P|=|C|, all keys chosen equiprobably
Ciphertext-only attack
Adversary wishes to recover the key
Question: How fast does the set of possible keys shrink as the amount of ciphertext grows?
A Brief Introduction to Information Theory
Some random events are more unexpected than others
Some facts are more significant than others
Shannon Entropy measures the amount of uncertainty regarding a random variable, or the amount of information an event provides
Entropy Rate measures the growth of information in an infinitely-long sequence
Definition of Entropy
If X is a random variable taking values from a finite alphabet X, then
(note: lim x→0 of x log x = 0)
Entropy Rate
If L is a language formed of a sequence of identically distributed (possibly dependent) variables, then
The redundancy of a language is defined as:
Entropy of Cryptosystem Components
Reminder: Cryptosystem = (P,K,C,E,D)
H(C|K) = H(P)
H(C|P,K) = H(P|C,K) = 0
H(P,K) = H(P) + H(K)
H(C) ≥ H(P)
H(C,P,K) = H(C,K) = H(P,K)
H(K|C) = H(K) + H(P) - H(C)
H(K|C^n) = H(K) + H(P^n) - H(C^n)
A strong cipher which is very weak (2)
Observation: There are 26! ≈ 10^26 possible substitution ciphers over the lowercase English alphabet
This is equivalent to 88-bit security, so why was it so easy to break?
Shannon: Any monoalphabetic cipher over the English language is easily broken, given a sequence of 25 letters of unknown ciphertext
Unicity distance of a language (1)
By definition of the entropy rate:
Since |P|=|C|, we have:
Substituting into the formula for H(K|C^n):
Tricks to raise the unicity distance
The idea: raise the entropy of the language without disturbing content
Adding random nulls: hello becomes h;e;;l;lo;;
Replace characters with homophonic sets: hello becomes hello
Compress the data: good compression is good for encryption
Good encryption is bad for compression
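The identities from the "Entropy of Cryptosystem Components" slide, the question of how fast the key set shrinks, and the unicity-distance estimate behind the "strong cipher which is very weak" and the tricks above, in an added Python example that is not part of the original slides. It enumerates a shift cipher over a constructed four-letter i.i.d. "language" to compute the key equivocation H(K|C^n) directly and checks it against H(K) + H(P^n) - H(C^n), and it evaluates Shannon's estimate n0 = H(K)/R_L; the 1.5 bits per letter entropy rate used for English is an assumption chosen for illustration, and raising that rate (as compression does) is what pushes n0 up.

```python
import math
from collections import defaultdict
from itertools import product

def entropy(dist):
    """Shannon entropy in bits of a mapping value -> probability (0 log 0 = 0)."""
    return -sum(pr * math.log2(pr) for pr in dist.values() if pr > 0)

# Constructed toy language: i.i.d. letters over a 4-symbol alphabet with a skewed
# distribution (real languages have dependent letters; i.i.d. keeps the enumeration small).
ALPHABET = "abcd"
LETTER_PROB = {"a": 0.5, "b": 0.3, "c": 0.15, "d": 0.05}

def shift_encrypt(msg, k):
    """Shift cipher: every letter moved k places along ALPHABET, the same k for all letters."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % len(ALPHABET)] for ch in msg)

def key_equivocation(n):
    """Shift cipher with equiprobable keys applied to n letters of the toy language.
    Returns (H(K), H(P^n), H(C^n), H(K|C^n)); the last is computed directly as
    H(K, C^n) - H(C^n) so it can be checked against H(K) + H(P^n) - H(C^n)."""
    keys = range(len(ALPHABET))
    p_key = 1.0 / len(ALPHABET)
    p_msg = {"".join(t): math.prod(LETTER_PROB[ch] for ch in t)
             for t in product(ALPHABET, repeat=n)}
    joint = defaultdict(float)                   # (k, c) -> Pr[K=k, C^n=c]
    for m, pm in p_msg.items():
        for k in keys:
            joint[(k, shift_encrypt(m, k))] += pm * p_key
    p_c = defaultdict(float)                     # c -> Pr[C^n=c]
    for (k, c), pr in joint.items():
        p_c[c] += pr
    h_key = entropy({k: p_key for k in keys})
    return h_key, entropy(p_msg), entropy(p_c), entropy(joint) - entropy(p_c)

def unicity_distance(key_bits, alphabet_size, entropy_rate):
    """Shannon's estimate n0 = H(K) / R_L with redundancy R_L = log2|A| - H_L."""
    return key_bits / (math.log2(alphabet_size) - entropy_rate)

if __name__ == "__main__":
    for n in range(1, 7):
        h_key, h_p, h_c, h_k_given_c = key_equivocation(n)
        print(f"n={n}: H(K|C^n)={h_k_given_c:.3f} bits, "
              f"H(K)+H(P^n)-H(C^n)={h_key + h_p - h_c:.3f}")
    # Substitution cipher over 26 letters: H(K) = log2(26!) ~ 88 bits. The 1.5 bits/letter
    # entropy rate for English is an assumption for illustration, not a measured value.
    print("unicity distance:", unicity_distance(math.log2(math.factorial(26)), 26, 1.5))
```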
Product Ciphers and Combined Cryptosystems
Endomorphic cryptosystems andproduct ciphers
Another way to use two cryptosystems is toencrypt and decrypt messages consecutively. Wecall this a product cipher.
An endomorphic cryptosystem is a systemwhere the message space is transformed to itself.With such a system we can even create a productof the system with itself.
The set of endomorphic cryptosystems with the
aforementioned operations almost create a linearassociative algebra.
Idempotent and commutative cryptosystems
A cryptosystem S is called idempotent if S^2 = S.
Combining two idempotent secrecy systems that commute will create another idempotent secrecy system, which isn't of any use.
Designing cryptosystems that arehard to attack II
Statistics must be:
Simpleto measure
Depend more on the key(if were trying tofind the key) than the message
Usefuldivide the key-space into areas of
similar probability and eliminate most
Usablethe separation of the key-space mustbe natural
Confusion and Diffusion
To make finding such statistics harder (without an ideal system) Shannon suggests:
Diffusion: Spreading the information in such a way that it is hard to get exact results.
Confusion: Make the natural separation of the key-space hard to use. (Make all parameters of the key dependent in natural decryption.)
He believes that a combination of an initial transposition with alternating substitutions and linear operations may do the trick.
Closing Thoughts
Effect of this Paper
The paper did not bring forth an explosion similar to the 1947 paper
The problem of good cipher design is essentially one of finding difficult problems
This type of problem was made very public with the creation of DES.
Both DES and AES use Shannon's ideas of combining confusion and diffusion (although other ideas that he hadn't mentioned appear in both).
Some closing thoughts
Cryptography is always in the context of communication between agents.
Not only what messages are transmitted but from whom to whom is important. We can hardly hide the size of messages.
One can encrypt messages in ways that allow breaking them, to misinform.
In huge information environments one could easily(?) conceal the existence of messages and the identities of the sender and the receiver.