
Communication Theory of secrecy Systems.ppt

Date post: 02-Jun-2018
Upload: tomjeffries

Transcript
  • 8/10/2019 Communication Theory of secrecy Systems.ppt

    1/57

    Communication Theory of

    Secrecy Systems

    On a paper by Shannon

    (and the industry it didn't spawn)

    Gilad Tsur

    Yossi Oren

    December 2005

    2/57

    What you'll see today

    Shannon: his life and work

    Cryptography before Shannon

    Definition of a cryptosystem

    Theoretical and practical security

    Product ciphers and combined cryptosystems

    Closing thoughts

    3/57

    Shannon: his life and work

    4/57

    Claude E. Shannon (1916-2001)

    5/57

    Claude E. Shannon (1916-2001)

    Important facts:

    M. Sc. Thesis founded an industry

    Ph. D. finished in 1.5 years

    Married a computer in 1949

    Wrote scientific papers on a variety of topics,

    including juggling

    6/57

    Shannon's Information Theory Paper

    Mathematical Theory of Communication, published in 1948

    Main claim: all sources of data have a rate

    All channels have a capacity

    If the capacity is greater than the rate, transmission with no errors is possible

    Introduced the concept of entropy of a random variable/process

    7/57

    Cryptography before Shannon

    From http://www.cqrsoft.com/history/scytale.htm

    8/57

    Themes in cryptography

    From http://images.encarta.msn.com/xrefmedia/sharemed/targets/images/pho/t025/T025102A.jpg

    Seals were used as authentication means for signing contracts, for royal decrees and for other documents.

    Passwords were used by military and other organizations to identify members.

    Codes are semantic while ciphers are syntactic.

    All these methods (in the case of seals, as rubber stamps) are also in use today.

    9/57

    Ancient Ciphers I

    Atbash cipher used in the Old Testament

    Of course, anyone who'd ever heard of this cipher could easily crack it.

    This is also true for another famous cipher, the Caesar cipher.

    Caesar cipher with a shift of 3 (plaintext letter above, ciphertext letter below):

    A B C X Y Z
    D E F A B C

    10/57

    Ancient Ciphers II

    The Caesar cipher is just a specific case of what are generally known as Shift Ciphers.

    A Shift cipher is one where the code is simply a rotation of the alphabet by K steps, where the number K can be considered the key. Easier for us in CS: think of it as a constant added modulo the size of the alphabet.

    Obviously, finding the key for such a code is not a lengthy process.

    11/57

    Ancient Ciphers III

    So what were these ciphers good for?

    Text took an active effort to understand (this was used with ROT-13 on Usenet).

    Probably the real reason: security through obscurity.

    The concept of cryptography was not that well known, and codes such as Atbash were simply assumed not to be known by people you didn't want reading them.

    12/57

    Ancient Ciphers IV

    Both Atbash and Shift ciphers are specific cases of a more general type of ciphers used in the ancient world: Monoalphabetic Substitution Ciphers.

    As these ciphers were used by people who wanted to remember them, keyword and keyphrase ciphers were often used.

    The keyword could be changed daily to make it harder to decrypt.

    Some of these ciphers didn't use a 1-1 correspondence, trusting the redundancy of language or allowing multiple representations.

    13/57

    Ancient Ciphers V

    Not all ancient ciphers used substitution methods.

    The earliest known cryptographic device (to the best of our knowledge) is the Spartan scytale.

    Using this device the letters of the message weren't changed, but their order was.

    http://plus.maths.org/issue34/features/ekert/

    14/57

    Ancient Ciphers VI

    The scytale was a device assisting in the creation of a Transposition Cipher.

    Perhaps the most notable example of a transposition cipher is the column transposition.

    Other geometrical transposition ciphers abound, mostly route ciphers.

    Transposition ciphers based on a local permutation are also common, but apparently offer a less convenient way of writing quickly.
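The ciphers of the last few slides side by side, as an added worked example written for this edit and not taken from the original presentation: shift, Atbash and keyword ciphers are all one fixed letter table (monoalphabetic substitution), while the columnar transposition leaves the letters alone and permutes their positions. The alphabet handling, the key words and the sample sentences are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)  # 26 letters; all shift arithmetic is modulo N


def letters_only(text: str) -> str:
    """Classical ciphers act on the letters alone; spaces and punctuation are dropped."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def substitute(text: str, table: dict) -> str:
    """Monoalphabetic substitution: one fixed table maps every plaintext letter."""
    return "".join(table[ch] for ch in letters_only(text))


def invert(table: dict) -> dict:
    """The decryption table of a substitution cipher is the inverse mapping."""
    return {cipher: plain for plain, cipher in table.items()}


def shift_table(k: int) -> dict:
    """Shift (Caesar) cipher: the constant k is added modulo the alphabet size; k is the key."""
    return {ch: ALPHABET[(i + k) % N] for i, ch in enumerate(ALPHABET)}


def atbash_table() -> dict:
    """Atbash: the alphabet reflected, so the i-th letter maps to the i-th letter from the end."""
    return {ch: ALPHABET[N - 1 - i] for i, ch in enumerate(ALPHABET)}


def keyword_table(keyword: str) -> dict:
    """Keyword cipher: the cipher alphabet starts with the keyword's distinct letters and
    continues with the unused letters in order, which makes it easy to remember."""
    cipher_alphabet = []
    for ch in letters_only(keyword) + ALPHABET:
        if ch not in cipher_alphabet:
            cipher_alphabet.append(ch)
    return dict(zip(ALPHABET, cipher_alphabet))


def columnar_encrypt(plaintext: str, key: str) -> str:
    """Columnar transposition: write the text in rows under the key word, then read the
    columns out in alphabetical order of the key letters (ties broken left to right)."""
    text = letters_only(plaintext)
    width = len(key)
    order = sorted(range(width), key=lambda col: (key[col], col))
    return "".join(text[col::width] for col in order)


def columnar_decrypt(ciphertext: str, key: str) -> str:
    """Undo the transposition: rebuild each column (the first `extra` columns are one
    letter longer when the text does not fill the last row), then read row by row."""
    width = len(key)
    order = sorted(range(width), key=lambda col: (key[col], col))
    full_rows, extra = divmod(len(ciphertext), width)
    lengths = [full_rows + (1 if col < extra else 0) for col in range(width)]
    columns, pos = {}, 0
    for col in order:
        columns[col] = ciphertext[pos:pos + lengths[col]]
        pos += lengths[col]
    rows = full_rows + (1 if extra else 0)
    return "".join(columns[col][row] for row in range(rows)
                   for col in range(width) if row < lengths[col])


if __name__ == "__main__":
    print(substitute("ABC XYZ", shift_table(3)))          # the shift-by-3 table from the slide
    print(substitute("ATTACK AT DAWN", atbash_table()))
    print(substitute("ATTACK AT DAWN", keyword_table("ZEBRAS")))
    print(columnar_encrypt("WE ARE DISCOVERED", "ZEBRA"))
```

Decryption of every substitution cipher here is `substitute` with the inverted table; for the shift cipher that is the same as shifting by the negative key, which is why ROT-13 undoes itself.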

    15/57

    Ancient Ciphers VII

    We have written records of frequency analysis dating to the 9th century.

    From http://en.wikipedia.org/wiki/Caesar_cipher

    http://plus.maths.org/issue34/features/ekert/

    Using multiple options to substitute frequent letters could make frequency analysis much harder.

    16/57

    Cryptography during the dark ages (till around the 14th century)

    Cryptography didn't advance in Europe much during the dark ages.

    Some religious and mystical sects used cryptographic techniques to encode their writings, often substitution ciphers to an arcane alphabet.

    However, the church considered most people using cryptography as heretics, sorcerers or witches, and was in the habit of burning them.

    Coupled with low levels of literacy, cryptography was only studied outside of Europe.

    While texts (such as the cryptanalytic one mentioned above) appeared, we are unaware of major advances.

    17/57

    Codes and ciphers in the renaissance

    In Italy, and later all over Europe, cryptography returns to fashion.

    Different city-states and countries begin to employ professional cryptanalysts for encoding and decoding mail.

    The most common codes are Polyalphabetic Substitution Ciphers.

    Many devices are made to aid encryption and decryption.

    18/57

    Polyalphabetic substitution ciphers

    These ciphers can simply be considered as a list of shift ciphers or monoalphabetic substitution ciphers to be used consecutively.

    The use of some of these ciphers was aided by a cipher disk.

    Other such ciphers used tables to assist encryption and decryption.

    Notably, some of these ciphers were polygraphic: each encoded symbol represented a combination of plaintext symbols.

    19/57

    Cryptanalysis of polyalphabetic substitution ciphers

    The major classic techniques used for this process involve two steps:

    1. Discover the length of the cycle.

    2. Use monoalphabetic cryptanalysis techniques for each alphabet (+ information gained from previous alphabets).

    Step 1 can be done systematically (brute force approach) but this may be a very hard process.

    A shortcut that often helps (and was published in the 19th century, though probably known before) is finding repeating sequences in the text.
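The two-step procedure on this slide carried out end to end, together with the frequency analysis mentioned on the Ancient Ciphers VII slide, as an added example written for this edit and not part of the original presentation. Step 1 is the repeated-sequence (Kasiski) method: a plaintext n-gram that recurs a multiple of the period apart encrypts to the same ciphertext n-gram, so the period divides the distances between repeats. Step 2 treats each interleaved alphabet as a shift cipher and picks the shift whose output best matches English letter frequencies. The Vigenère implementation, the letter-frequency table, the key LEMON and the paragraph of sample plaintext are all constructed for the example.

```python
from collections import Counter
from itertools import combinations
import string

ALPHABET = string.ascii_uppercase

# Relative letter frequencies of English text in percent: a standard textbook table and an
# assumption of this example, not a figure from the presentation.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: letter i is shifted by key letter i mod len(key),
    so the ciphertext is len(key) interleaved shift ciphers."""
    sign = -1 if decrypt else 1
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(letters))


def kasiski_period(ciphertext: str, seq_len: int = 3, max_period: int = 20) -> int:
    """Step 1: collect the distances between repeated n-grams and count the divisors of
    every distance; the period divides (almost) all of them. Ties go to the larger divisor,
    because every divisor of the period is supported by the same distances."""
    positions = {}
    for i in range(len(ciphertext) - seq_len + 1):
        positions.setdefault(ciphertext[i:i + seq_len], []).append(i)
    divisor_votes = Counter()
    for occurrences in positions.values():
        for a, b in combinations(occurrences, 2):
            for f in range(2, max_period + 1):
                if (b - a) % f == 0:
                    divisor_votes[f] += 1
    if not divisor_votes:
        return 0  # no repeated sequence at all: the method has nothing to work with
    return max(divisor_votes, key=lambda f: (divisor_votes[f], f))


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English (lower = more English-like)."""
    counts = Counter(text)
    n = len(text)
    return sum((counts[ch] - n * ENGLISH_FREQ[ch] / 100) ** 2 / (n * ENGLISH_FREQ[ch] / 100)
               for ch in ALPHABET)


def best_shift(column: str) -> int:
    """Monoalphabetic step: try all 26 shifts, keep the one whose output looks most like English."""
    return min(range(26), key=lambda k: chi_squared(
        "".join(ALPHABET[(ALPHABET.index(ch) - k) % 26] for ch in column)))


def recover_key(ciphertext: str, period: int) -> str:
    """Step 2: positions i, i+period, i+2*period, ... form one shift cipher; solve each."""
    return "".join(ALPHABET[best_shift(ciphertext[i::period])] for i in range(period))


# Constructed sample plaintext (465 letters). Every sentence starts with SHANNON and the
# sentence lengths (65, 70, 75, 80, 85, 90) are multiples of 5, so under a period-5 key
# those repeats line up and produce identical ciphertext trigrams.
SAMPLE_PLAINTEXT = (
    "SHANNON SHOWED THAT THE ONE TIME PAD IS PERFECTLY SECURE WHEN THE KEY IS RANDOM "
    "SHANNON ALSO ARGUED THAT THE ENEMY KNOWS THE SYSTEM AND ONLY THE KEY MUST STAY SECRET "
    "SHANNON MEASURED REDUNDANCY AND COMPUTED HOW MUCH CIPHERTEXT FIXES THE KEY OF ANY CIPHER "
    "SHANNON PROPOSED MIXING CONFUSION AND DIFFUSION TO BUILD STRONG CIPHERS THAT RESIST ANALYSIS "
    "SHANNON TREATED THE PRODUCT OF TWO CIPHERS AS A CIPHER IN ITS OWN RIGHT AND STUDIED WHICH PRODUCTS HELP "
    "SHANNON NOTED THAT A GOOD CIPHER SHOULD MAKE EVERY STATISTIC DEPEND ON THE WHOLE KEY RATHER THAN ON A FEW BITS"
)
SAMPLE_KEY = "LEMON"
CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    period = kasiski_period(CIPHERTEXT)
    print("period:", period, "key:", recover_key(CIPHERTEXT, period))
```

The chi-squared statistic is dominated by the rare letters (J, Q, X, Z): a wrong shift almost always drops a common letter onto one of those slots and is punished heavily, which is why the test works on columns of under a hundred letters. The "information gained from previous alphabets" of step 2 is not used here; it would let a shorter ciphertext be solved by checking that the recovered columns interleave into readable text.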

    20/57

    Cryptography in the 19th and 20th Centuries I

    WWI sees the full use of cryptography in the battlefield.

    Advances in radio and telegraph allow military units to communicate better than ever before. This means easy to use, generic ciphers are required. Mechanized cipher machines offer this option.

    21/57

    Cryptography in the 19th and 20th Centuries II

    WWII is famous for being a scientific war in general, and for cryptography in particular.

    German Enigma cracked by the British, Japanese Purple by the US.

    Enigma is, in fact, a polyalphabetic cipher system with around 20,000 alphabets.

    22/57

    Definitions of a Cryptosystem

    23/57

    Definitions of a Cryptosystem: Shannon's version II

    A cryptosystem can be viewed as a distribution of possible plaintexts (P), a set of possible ciphertexts (C), a distribution of possible keys (K) and an encoding transformation (E) with its inverse (D).

    24/57

    Definitions of a Cryptosystem: modern variations

    Many things have changed in our thinking about cryptography.

    Different functions: not only trying to transmit secret information.

    Different settings for Alice and Bob: we now have public key cryptosystems and extensive use of randomness.

    Different settings for Eve: we now have a variety of attacks such as known plaintext, chosen ciphertext, chosen plaintext and side channel attacks.

    25/57

    Shannon's 1948 Paper

    Published one year after his monumental information theory paper

    Inspired by von Neumann's paper on game theory

    Transformed cryptography from art to science

    26/57

    Main Contributions

    Notions of theoretical security and practical security

    Observation that the secret is all in the key, not in the algorithm: "the enemy knows the system" (also attributed to Auguste Kerckhoffs)

    Product ciphers and mixing transformations: inspiration for LUCIFER and later DES

    Proof that Vernam's cipher (one-time pad) was theoretically secure

    27/57

    Theoretical Security and Practical Security

    28/57

    Theoretical Security and Practical Security

    Theoretically secure cryptosystems cannot be broken even by an all-powerful adversary

    Practically secure cryptosystems require a large amount of work to solve

    Bad news:

    The only theoretically secure cryptosystem is the one-time pad

    The only practically secure cryptosystem is the one-time pad

    We do have some cryptosystems which are provably [as] secure as a difficult problem

    29/57

    Review: Bayes' Theorem

    Let X and Y be two random variables.

    Define:

    Theorem (Chain Rule):

    Theorem (Bayes):

    A priori

    A posteriori

    30/57

    Theoretical (Perfect) Security

    What does it mean for a cryptosystem to be perfectly secure?

    Essentially, the adversary doesn't learn anything from the ciphertext:

    31/57

    32/57

    The Vernam Cipher (1)

    Is there a perfectly secure cryptosystem for which |K|=|P|?

    Theorem (Shannon): Let (P,K,C,E,D) be a cryptosystem for which |K|=|P|=|C|. Then the cryptosystem provides perfect secrecy iff:

    33/57

    The Vernam Cipher (2)

    Proof: Let (P,K,C,E,D) be a cryptosystem for which |K|=|P|=|C|.

    Because of perfect secrecy:

    |K|=|P|=|C|, so there is a unique key associated with every pair (p,c)

    34/57

    The Vernam Cipher (3)

    Fix c. For all possible plaintexts p_i, let k_i be the key satisfying e_{k_i}(p_i) = c

    By Bayes:

    35/57

    36/57

    Towards real-world cryptography

    How secure are cryptosystems with a smaller key space?

    Rules of the game:

    Symmetric (deterministic) encryption

    |P|=|C|, all keys chosen equiprobably

    Ciphertext-only attack

    Adversary wishes to recover the key

    Question: How fast does the set of possible keys shrink as the amount of ciphertext grows?

    37/57

    A Brief Introduction to Information Theory

    Some random events are more unexpected than others

    Some facts are more significant than others

    Shannon Entropy measures the amount of uncertainty regarding a random variable, or the amount of information an event provides

    Entropy Rate measures the growth of information in an infinitely-long sequence

    38/57

    Definition of Entropy

    If X is a random variable taking values from a finite alphabet X, then

    (note: lim_{x→0} x log x = 0)

    39/57

    Entropy Rate

    If L is a language formed of a sequence of identically distributed (possibly dependent) variables, then

    The redundancy of a language is defined as:

    40/57

    41/57

    Entropy of Cryptosystem Components

    Reminder: Cryptosystem = (P,K,C,E,D)

    H(C|K) = H(P)

    H(C|P,K) = H(P|C,K) = 0

    H(P,K) = H(P) + H(K)

    H(C) ≥ H(P)

    H(C,P,K) = H(C,K) = H(P,K)

    H(K|C) = H(K) + H(P) - H(C)

    H(K|C^n) = H(K) + H(P^n) - H(C^n)
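A numerical check of the perfect-secrecy definition from slides 30 to 34 and of the entropy identities on this slide, added for this edit and not part of the original presentation. It enumerates a toy endomorphic cryptosystem constructed for the example (one symbol modulo 4 with e_k(p) = p + k mod 4, so |K| = |P| = |C| as in Shannon's theorem), computes the a posteriori distribution of the plaintext with Bayes' theorem for every ciphertext, and evaluates H(K|C) and the other quantities directly from the joint probability table. The plaintext and key distributions are constructed values.

```python
from itertools import product
from math import log2

MOD = 4  # toy message, key and ciphertext space: residues modulo 4 (constructed)


def encrypt(p: int, k: int) -> int:
    """e_k(p) = p + k mod 4: a one-symbol version of the Vernam cipher."""
    return (p + k) % MOD


def joint_table(p_dist: dict, k_dist: dict) -> dict:
    """Pr[P=p, K=k, C=c] for independent plaintext and key; keys are (p, k, c) triples."""
    return {(p, k, encrypt(p, k)): pp * pk
            for (p, pp), (k, pk) in product(p_dist.items(), k_dist.items())}


def project(table: dict, indices: tuple) -> dict:
    """Marginal distribution over the chosen coordinates (0 = P, 1 = K, 2 = C)."""
    out = {}
    for triple, pr in table.items():
        sub = tuple(triple[i] for i in indices)
        out[sub] = out.get(sub, 0.0) + pr
    return out


def posterior_plaintext(table: dict, c: int) -> dict:
    """Bayes: Pr[P=p | C=c] = Pr[P=p, C=c] / Pr[C=c], the a posteriori distribution."""
    joint_pc = project(table, (0, 2))
    pr_c = project(table, (2,))[(c,)]
    return {p: joint_pc.get((p, c), 0.0) / pr_c for (p,) in project(table, (0,))}


def is_perfectly_secret(p_dist: dict, k_dist: dict, tol: float = 1e-12) -> bool:
    """Perfect secrecy: for every ciphertext the a posteriori distribution of the plaintext
    equals the a priori one, i.e. the adversary learns nothing from c."""
    table = joint_table(p_dist, k_dist)
    return all(abs(posterior_plaintext(table, c)[p] - p_dist[p]) <= tol
               for (c,) in project(table, (2,)) for p in p_dist)


def entropy(dist: dict) -> float:
    """Shannon entropy in bits; zero-probability outcomes contribute 0 (lim x log x = 0)."""
    return -sum(pr * log2(pr) for pr in dist.values() if pr > 0)


def conditional_entropy(table: dict, target: tuple, given: tuple) -> float:
    """H(target | given) = H(target, given) - H(given), coordinates as in project()."""
    return entropy(project(table, target + given)) - entropy(project(table, given))


def key_equivocation_identity_gap(p_dist: dict, k_dist: dict) -> float:
    """|H(K|C) - (H(K) + H(P) - H(C))|: zero when the slide's identity holds."""
    t = joint_table(p_dist, k_dist)
    lhs = conditional_entropy(t, (1,), (2,))
    rhs = entropy(k_dist) + entropy(p_dist) - entropy(project(t, (2,)))
    return abs(lhs - rhs)


# Constructed distributions: a skewed plaintext source, uniform keys, and a biased key source.
PLAINTEXT = {0: 0.5, 1: 0.25, 2: 0.15, 3: 0.10}
UNIFORM_KEYS = {k: 0.25 for k in range(MOD)}
BIASED_KEYS = {0: 0.7, 1: 0.1, 2: 0.1, 3: 0.1}

if __name__ == "__main__":
    t = joint_table(PLAINTEXT, UNIFORM_KEYS)
    for c in range(MOD):
        print("c =", c, "a posteriori:", posterior_plaintext(t, c))
    print("uniform keys perfectly secret:", is_perfectly_secret(PLAINTEXT, UNIFORM_KEYS))
    print("biased keys perfectly secret:", is_perfectly_secret(PLAINTEXT, BIASED_KEYS))
    print("H(K|C) =", conditional_entropy(t, (1,), (2,)), "H(P) =", entropy(PLAINTEXT))
```

With uniform keys every ciphertext is equally likely and the a posteriori distribution is the a priori one, exactly as the theorem requires; with the biased keys the ciphertext 0 raises Pr[P=0] from 0.5 to 0.875, so the adversary has learned something even though |K| = |P| = |C| still holds. The identity H(K|C) = H(K) + H(P) - H(C) holds in both cases: it only needs H(P|C,K) = H(C|P,K) = 0 and the independence of P and K.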

    42/57

    43/57

    A strong cipher which is very weak (2)

    Observation: There are 26! ≈ 10^26 possible substitution ciphers over the lowercase English alphabet

    This is equivalent to 88-bit security, so why was it so easy to break?

    Shannon: Any monoalphabetic cipher over the English language is easily broken, given a sequence of 25 letters of unknown ciphertext

    44/57

    Unicity distance of a language (1)

    By definition of the entropy rate:

    Since |P|=|C|, we have:

    Substituting into the formula for H(K|C^n):
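The chain from the definition of entropy to the unicity distance (slides 38 to 44) carried through in code, as an added example written for this edit and not part of the original presentation. The substitution only requires the identity H(K|C^n) = H(K) + H(P^n) - H(C^n) from the previous slide together with H(P^n) ≈ n·H_L (entropy rate) and H(C^n) ≤ n·log2|C| with |C| = |P|, which gives the lower bound H(K|C^n) ≥ H(K) - n·R_L·log2|P| and the unicity distance n0 = H(K) / (R_L·log2|P|). The entropy rate of English (about 1.2 bits per letter, i.e. a redundancy of roughly 0.75) is an assumed input, as are the key sizes.

```python
from math import factorial, log2


def entropy(dist) -> float:
    """H(X) = -sum p(x) log2 p(x); zero-probability symbols contribute 0 (lim x log x = 0)."""
    return -sum(p * log2(p) for p in dist if p > 0)


def redundancy(entropy_rate: float, alphabet_size: int) -> float:
    """R_L = 1 - H_L / log2|alphabet|: the fraction of each letter that is predictable."""
    return 1.0 - entropy_rate / log2(alphabet_size)


def key_equivocation_lower_bound(key_bits: float, n: int, entropy_rate: float,
                                 alphabet_size: int) -> float:
    """H(K|C^n) = H(K) + H(P^n) - H(C^n) with H(P^n) ~ n*H_L and H(C^n) <= n*log2|C|,
    |C| = |P|, gives H(K|C^n) >= H(K) - n*R_L*log2|P|. Entropy is never negative: clamp at 0."""
    loss_per_letter = redundancy(entropy_rate, alphabet_size) * log2(alphabet_size)
    return max(0.0, key_bits - n * loss_per_letter)


def unicity_distance(key_bits: float, entropy_rate: float, alphabet_size: int) -> float:
    """The n at which the bound reaches zero: n0 = H(K) / (R_L * log2|P|). Beyond it the
    ciphertext alone is expected to determine the key (given enough work to find it)."""
    return key_bits / (redundancy(entropy_rate, alphabet_size) * log2(alphabet_size))


def vernam_key_equivocation(n: int, entropy_rate: float, alphabet_size: int) -> float:
    """The one-time pad's key grows with the message, H(K) = n*log2|P|, so the bound never
    reaches zero: H(K|C^n) >= n*H_L for every n, and there is no unicity distance."""
    return key_equivocation_lower_bound(n * log2(alphabet_size), n, entropy_rate, alphabet_size)


# Assumed parameters (a common textbook estimate for English, not figures from the slides).
ENGLISH_ENTROPY_RATE = 0.25 * log2(26)       # about 1.18 bits/letter, i.e. redundancy 0.75
SUBSTITUTION_KEY_BITS = log2(factorial(26))  # 26! keys: about 88.4 bits, the slide's "88-bit"
SHIFT_KEY_BITS = log2(26)                    # 26 keys

if __name__ == "__main__":
    print("log2(26!) =", round(SUBSTITUTION_KEY_BITS, 2), "bits")
    print("redundancy of English (assumed):", redundancy(ENGLISH_ENTROPY_RATE, 26))
    print("unicity distance, substitution cipher:",
          round(unicity_distance(SUBSTITUTION_KEY_BITS, ENGLISH_ENTROPY_RATE, 26), 1), "letters")
    print("unicity distance, shift cipher:",
          round(unicity_distance(SHIFT_KEY_BITS, ENGLISH_ENTROPY_RATE, 26), 1), "letters")
    for n in (0, 10, 20, 30):
        print(n, "ciphertext letters: H(K|C^n) >=",
              round(key_equivocation_lower_bound(SUBSTITUTION_KEY_BITS, n, ENGLISH_ENTROPY_RATE, 26), 1))
```

With these inputs the substitution cipher's 88 bits of key are exhausted after about 25 letters of ciphertext, which is the figure quoted two slides earlier, and the shift cipher's 4.7 bits after one or two letters. The bound is about what the ciphertext determines, not about the work needed to find the key: that is the gap between theoretical and practical security from the earlier slides.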

    45/57

    46/57

    Tricks to raise the unicity distance

    The idea: raise the entropy of the language without disturbing content

    Adding random nulls: hello becomes h;e;;l;lo;;

    Replace characters with homophonic sets: hello becomes hello

    Compress the data: good compression is good for encryption

    Good encryption is bad for compression

    47/57

    Product Ciphers and Combined Cryptosystems

    48/57


    49/57

    Endomorphic cryptosystems and product ciphers

    Another way to use two cryptosystems is to encrypt and decrypt messages consecutively. We call this a product cipher.

    An endomorphic cryptosystem is a system where the message space is transformed to itself. With such a system we can even create a product of the system with itself.

    The set of endomorphic cryptosystems with the aforementioned operations almost creates a linear associative algebra.

    50/57

    Idempotent and commutative cryptosystems

    A cryptosystem S is called idempotent if S² = S.

    Combining two idempotent secrecy systems that commute will create another idempotent secrecy system, which isn't of any use.
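Product, idempotence and commutation made concrete, as an added example written for this edit and not taken from the original presentation. A secrecy system is represented by the set of transformations its keys induce on a small message space (constructed here: the 27 words of length 3 over the alphabet abc, so every system is endomorphic), the product S·T is the set of all "a key of S, then a key of T" compositions, and idempotence is the check S·S = S. The three systems compared are constructed for the example: full letter substitution, full position transposition, and a lopsided system that shifts only the first letter.

```python
from itertools import permutations, product

# Constructed message space: all 27 words of length 3 over a 3-letter alphabet. Every system
# below maps this space onto itself (it is endomorphic), so all the products exist.
ALPHABET = "abc"
LENGTH = 3
MESSAGES = ["".join(w) for w in product(ALPHABET, repeat=LENGTH)]
INDEX = {m: i for i, m in enumerate(MESSAGES)}


def as_map(fn) -> tuple:
    """Freeze one keyed transformation as the tuple of its outputs over MESSAGES."""
    return tuple(fn(m) for m in MESSAGES)


def system(fns) -> frozenset:
    """A secrecy system is the set of transformations its keys induce (equal keys merge)."""
    return frozenset(as_map(f) for f in fns)


def compose(first: tuple, second: tuple) -> tuple:
    """Encrypt with `first`, then with `second`."""
    return tuple(second[INDEX[first[i]]] for i in range(len(MESSAGES)))


def product_system(s: frozenset, t: frozenset) -> frozenset:
    """Product cipher S*T: every key of S followed by every key of T."""
    return frozenset(compose(a, b) for a in s for b in t)


def is_idempotent(s: frozenset) -> bool:
    """S is idempotent when S*S = S: applying the system twice adds no new transformation."""
    return product_system(s, s) == s


def commute(s: frozenset, t: frozenset) -> bool:
    return product_system(s, t) == product_system(t, s)


def substitution_fns():
    """Monoalphabetic substitution: a letter permutation applied at every position (6 keys)."""
    for perm in permutations(ALPHABET):
        table = dict(zip(ALPHABET, perm))
        yield lambda m, t=table: "".join(t[ch] for ch in m)


def transposition_fns():
    """Transposition: a permutation of the 3 positions (6 keys)."""
    for order in permutations(range(LENGTH)):
        yield lambda m, o=order: "".join(m[i] for i in o)


def first_letter_shift_fns():
    """A deliberately lopsided system: shift only the first letter by k (3 keys)."""
    for k in range(len(ALPHABET)):
        yield lambda m, k=k: ALPHABET[(ALPHABET.index(m[0]) + k) % len(ALPHABET)] + m[1:]


SUBSTITUTION = system(substitution_fns())
TRANSPOSITION = system(transposition_fns())
FIRST_LETTER_SHIFT = system(first_letter_shift_fns())

if __name__ == "__main__":
    st = product_system(SUBSTITUTION, TRANSPOSITION)
    print("S and T commute:", commute(SUBSTITUTION, TRANSPOSITION),
          "| S*T idempotent:", is_idempotent(st), "| keys:", len(st))
    ft = product_system(FIRST_LETTER_SHIFT, TRANSPOSITION)
    print("F and T commute:", commute(FIRST_LETTER_SHIFT, TRANSPOSITION),
          "| F*T idempotent:", is_idempotent(ft), "| keys:", len(ft),
          "| (F*T)*(F*T) keys:", len(product_system(ft, ft)))
```

Substitution and transposition each form a group, so each is idempotent, and because a letter substitution does not care where a letter sits they commute; their product is again idempotent with 6·6 = 36 keys, so iterating it would gain nothing, which is the slide's point. The first-letter shift does not commute with transposition (the shifted letter ends up in a different position depending on the order), and their product is not idempotent: (F·T)·(F·T) contains transformations that shift two letters, which F·T cannot produce, so repeating the product really does enlarge the system.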

    51/57


    52/57

    Designing cryptosystems that are hard to attack II

    Statistics must be:

    Simple to measure

    Depend more on the key (if we're trying to find the key) than the message

    Useful: divide the key-space into areas of similar probability and eliminate most

    Usable: the separation of the key-space must be natural

    53/57

    Confusion and Diffusion

    To make finding such statistics harder (without an ideal system) Shannon suggests:

    Diffusion: Spreading the information in such a way that it is hard to get exact results.

    Confusion: Make the natural separation of the key-space hard to use. (Make all parameters of the key dependent in natural decryption).

    He believes that a combination of an initial transposition with alternating substitutions and linear operations may do the trick.
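A toy cipher in the shape Shannon suggests, as an added example written for this edit and not part of the original presentation: each round mixes in a round key (a linear operation), passes the block through small S-boxes (confusion) and permutes the bits (diffusion). The S-box, the bit permutation and the round keys are constructed for the example and the design carries no security claim; its purpose is to measure how diffusion grows with the number of rounds, using the avalanche count (how many ciphertext bits change when one plaintext bit is flipped).

```python
import random

# Constructed 16-bit toy substitution-permutation network. The S-box and the bit
# permutation follow the shape of the classic teaching ciphers: four 4-bit S-boxes whose
# outputs are spread over all four S-boxes of the next round. Nothing here is a real cipher.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Input bit i goes to output bit PERM[i]; 4*i mod 15 sends the 4 bits of one nibble to 4 nibbles.
PERM = [(4 * i) % 15 for i in range(15)] + [15]
INV_PERM = [PERM.index(j) for j in range(16)]


def substitute(x: int, box: list) -> int:
    """Confusion: each 4-bit nibble goes through the S-box independently."""
    return sum(box[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(4))


def permute(x: int, perm: list) -> int:
    """Diffusion: move every set bit to its new position (a transposition of bits)."""
    return sum(1 << perm[i] for i in range(16) if (x >> i) & 1)


def encrypt(block: int, round_keys: list) -> int:
    """Per round: key mixing (linear), S-boxes, permutation. The final key mixing stops the
    last S-box/permutation layer from being undone without knowing the key."""
    x = block
    for rk in round_keys[:-1]:
        x = permute(substitute(x ^ rk, SBOX), PERM)
    return x ^ round_keys[-1]


def decrypt(block: int, round_keys: list) -> int:
    """Run the rounds backwards with the inverse S-box and inverse permutation."""
    x = block ^ round_keys[-1]
    for rk in reversed(round_keys[:-1]):
        x = substitute(permute(x, INV_PERM), INV_SBOX) ^ rk
    return x


def avalanche(round_keys: list, trials: int = 400, seed: int = 7) -> float:
    """Average number of ciphertext bits that change when one random plaintext bit is
    flipped; about half the block (8 bits here) is what good diffusion looks like."""
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        p = rng.getrandbits(16)
        bit = 1 << rng.randrange(16)
        changed += bin(encrypt(p, round_keys) ^ encrypt(p ^ bit, round_keys)).count("1")
    return changed / trials


# Constructed round keys: four full rounds plus the final key mixing.
ROUND_KEYS = [0x3A94, 0x1F2C, 0xC8E1, 0x5B07, 0x90D3]

if __name__ == "__main__":
    for rounds in range(1, 5):
        print(rounds, "round(s): avalanche =", avalanche(ROUND_KEYS[:rounds + 1]))
    print("round trip ok:", decrypt(encrypt(0x1234, ROUND_KEYS), ROUND_KEYS) == 0x1234)
```

After one round a flipped bit can only disturb the four output bits of a single S-box, so the avalanche average sits between 1 and 4; once the permutation has carried those bits into four different S-boxes and the next round has worked on them, the change spreads across the block. This is the "initial transposition with alternating substitutions and linear operations" of the slide reduced to its mechanics.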

    54/57

    Closing Thoughts

    55/57

    Effect of this Paper

    The paper did not bring forth an explosion similar to the 1947 paper

    The problem of good cipher design is essentially one of finding difficult problems

    This type of problem was made very public with the creation of DES.

    Both DES and AES use Shannon's ideas of combining confusion and diffusion (although other ideas that he hadn't mentioned appear in both).

    56/57

    Some closing thoughts

    Cryptography is always in the context of communication between agents.

    Not only what messages are transmitted but from whom to whom is important. We can hardly hide the size of messages.

    One can encrypt messages in ways that allow breaking them, to misinform.

    In huge information environments one could easily(?) conceal the existence of messages and the identities of the sender and the receiver.

    57/57

