Cryptography

Perfect secrecy, part 2

Secure encryp0on?

What is our goal?

Regardless of any prior info. the a;acker has about the plaintext, the ciphertext should leak no addi1onal informa0on about the plaintext (Ciphertext-only a;ack, one ciphertext)

Probability review

Random variable variable that takes on (discrete) values with certain probabili0es

Probability distribu0on for a r.v. species the probabili0es with which the variable takes on each possible value Each probability must be between 0 and 1 The probabili0es must sum to 1

Probability review

Event a par0cular occurrence in some experiment Pr[E] probability of event E

Condi0onal probability probability that one event occurs, assuming some other event occurred Pr[A | B] = Pr[A and B]/Pr[B]

Two r.v.s X, Y are independent if for all x, y: Pr[X=x | Y=y] = Pr[X=x]

Probability review

Law of total probability say E1, , En are a par11on of all possibili0es. Then for any A: Pr[A] = i Pr[A and Ei] = i Pr[A | Ei] Pr[Ei]

Recall

A private-key encryp1on scheme is dened by a message space M and algorithms (Gen, Enc, Dec): Gen (key-genera0on algorithm): generates k Enc (encryp0on algorithm): takes key k and message m M as input; outputs ciphertext c. c Enck(m)

Dec (decryp0on algorithm): takes key k and ciphertext c as input; outputs m. m := Deck(c)

Nota0on

K (key space) set of all possible keys

C (ciphertext space) set of all possible ciphertexts

Probability distribu0ons

Let M be a random variable deno0ng the value of the message M ranges over M This reects the likelihood of dierent messages being sent by the par0es, given the a;ackers prior knowledge

E.g., Pr[M = a;ack today] = 0.7 Pr[M = dont a;ack] = 0.3

Probability distribu0ons

Let K be a random variable deno0ng the key K ranges over K

Fix some encryp0on scheme (Gen, Enc, Dec) Gen denes a probability distribu0on for K: Pr[K = k] = Pr[Gen outputs key k]

Probability distribu0ons

Random variables M and K are independent I.e., the message that a party sends does not depend on the key used to encrypt that message

Probability distribu0ons

Fix some encryp0on scheme (Gen, Enc, Dec), and some distribu0on for M

Consider the following (randomized) experiment: 1. Choose a message m, according to the given distribu0on 2. Generate a key k using Gen 3. Compute c Enck(m)

This denes a distribu0on on the ciphertext! Let C be a random variable deno0ng the

value of the ciphertext in this experiment

Example 1 Consider the shik cipher So for all k {0, , 25}, Pr[K = k] = 1/26

Say Pr[M = a] = 0.7, Pr[M = z] = 0.3

What is Pr[C = b] ? Either M = a and K = 1, or M = z and K = 2 Pr[C=b] = Pr[M=a]Pr[K=1] + Pr[M=z] Pr[K=2] Pr[C=b] = 0.7 (1/26) + 0.3 (1/26) Pr[C=b] = 1/26

Example 2

Consider the shik cipher, and the distribu0on Pr[M = one] = , Pr[M = ten] =

Pr[C = rqh] = ?

= Pr[C = rqh | M = one] Pr[M = one] + Pr[ C = rqh | M = ten] Pr[M = ten] = 1/26 + 0 = 1/52

Perfect secrecy (informal)

Regardless of any prior info. the a;acker has about the plaintext, the ciphertext should leak no addi1onal informa0on about the plaintext (Ciphertext-only a;ack, one ciphertext)

Perfect secrecy (informal)

A;ackers informa0on about the plaintext = a;acker-known distribu1on of the plaintext Perfect secrecy means that observing the ciphertext should not change the a;ackers knowledge about the distribu0on of the plaintext

Perfect secrecy (formal)

Encryp0on scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for every distribu0on over M, every m M, and every c C with Pr[C=c] > 0, it holds that Pr[M = m | C = c] = Pr[M = m].

Example 3

Consider the shik cipher, and the distribu0on Pr[M = one] = , Pr[M = ten] =

Take m = ten and c = rqh

Pr[M = ten | C = rqh] = ? = 0 Pr[M = ten]

Bayess theorem

Pr[A | B] = Pr[B | A] Pr[A]/Pr[B]

Example 4

Shik cipher, Pr[M=hi] = 0.3, Pr[M=no] = 0.2, Pr[M=in]= 0.5

Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] Pr[M = hi]/Pr[C = xy]

Example 4, con0nued

Pr[C = xy | M = hi] = 1/26

Pr[C = xy] = Pr[C = xy | M = hi] 0.3 + Pr[C = xy | M = no] 0.2 + Pr[C=xy | M=in] 0.5 = (1/26) 0.3 + (1/26) 0.2 + 0 0.5 = 1/52

Example 4

Pr[M = hi | C = xy] = ? = Pr[C = xy | M = hi] Pr[M = hi]/Pr[C = xy] = (1/26) 0.3/(1/52) = 0.6 Pr[M = hi]

Conclusion

The shik cipher is not perfectly secret!

How to construct a perfectly secret scheme?