The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the...
Transcript of The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the...
![Page 1: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/1.jpg)
The One-Time Pad (Vernamโs Cipher)
โข In 1917, Vernam patented a cipher now called the one-time pad that obtains perfect secrecy.
โข There was no proof of this fact at the time.
โข 25 years later, Shannon introduced the notion of perfect secrecy and demonstrated that the one-time pad achieves this level of security.
![Page 2: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/2.jpg)
The One-Time Pad Scheme
1. Fix an integer โ > 0. Then the message space ๐, key space ๐พ, and ciphertext space ๐ถ are all equal to 0,1 โ.
2. The key-generation algorithm ๐บ๐๐ works by choosing a string from ๐พ = 0,1 โ according to the uniform distribution.
3. Encryption ๐ธ๐๐ works as follows: given a key ๐ โ 0,1 โ, and a message ๐ โ 0,1 โ,output ๐ โ ๐ โ๐.
4. Decryption ๐ท๐๐ works as follows: given a key ๐ โ 0,1 โ, and a ciphertext ๐ โ 0,1 โ, output ๐ โ ๐โ ๐.
![Page 3: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/3.jpg)
Security of OTP
Theorem: The one-time pad encryption scheme is perfectly secure.
![Page 4: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/4.jpg)
Proof
Proof: Fix some distribution over ๐ and fix an arbitrary ๐ โ ๐ and ๐ โ ๐ถ. For one-time pad: Pr ๐ถ = ๐| ๐ = ๐ = Pr ๐โ๐พ = ๐ | ๐ = ๐
= Pr ๐โ๐พ = ๐ = Pr ๐พ = ๐โ ๐ = 1
2โ
Since this holds for all distributions and all ๐, we have that for every probability distribution over ๐, every ๐0, ๐1 โ ๐ and every ๐ โ ๐ถ
Pr ๐ถ = ๐ ๐ = ๐0] = 1
2โ= Pr ๐ถ = ๐|๐ = ๐1
![Page 5: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/5.jpg)
Drawbacks of OTP
โข Key length is the same as the message length.
โ For every bit communicated over a public channel, a bit must be shared privately.
โ We will see this is not just a problem with the OTP scheme, but an inherent problem in perfectly secret encryption schemes.
โข Key can only be used once.
โ You will see in the homework that this is also an inherent problem.
![Page 6: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/6.jpg)
Some Examples
โข Is the following scheme perfectly secret?
โข Message space ๐ด = {0,1, โฆ , ๐ โ 1}. Key space ๐ฒ = {0,1, โฆ , ๐ โ 1}.
โข Gen() chooses a key ๐ at random from ๐ฒ.
โข Enc๐ ๐ returns ๐ + ๐.
โข ๐ท๐๐๐ ๐ returns ๐ โ ๐.
![Page 7: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/7.jpg)
Some Examples
โข Is the following scheme perfectly secret?
โข Message space ๐ด = {0,1, โฆ , ๐ โ 1}. Key space ๐ฒ = {0,1, โฆ , ๐ โ 1}.
โข Gen() chooses a key ๐ at random from ๐ฒ.
โข Enc๐ ๐ returns ๐ + ๐ ๐๐๐ ๐.
โข ๐ท๐๐๐ ๐ returns ๐ โ ๐ ๐๐๐ ๐.
![Page 8: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/8.jpg)
Limitations of Perfect Secrecy
Theorem: Let (๐บ๐๐, ๐ธ๐๐, ๐ท๐๐) be a perfectly-secret encryption scheme over a message space ๐ด, and let ๐ฒ be the key space as determined by ๐บ๐๐. Then ๐ฒ โฅ |๐ด|.
![Page 9: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/9.jpg)
Proof
Proof (by contradiction): We show that if ๐ฒ < |๐ด| then the scheme cannot be perfectly
secret.
โข Assume ๐ฒ < ๐ด . Consider the uniform distribution over ๐ด and let ๐ โ ๐ช.
โข Let ๐ด(๐) be the set of all possible messages which are possible decryptions of ๐.
๐ด ๐ โ ๐ ๐ = ๐ท๐๐๐ ๐ ๐๐๐ ๐ ๐๐๐ ๐ โ ๐ฒ}
![Page 10: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/10.jpg)
Proof
๐ด ๐ โ { ๐ | ๐ = ๐ท๐๐๐ ๐ ๐๐๐ ๐ ๐๐๐ ๐ โ ๐ฒ}
โข ๐ด ๐ โค |๐ฒ|. Why?
โข Since we assumed ๐ฒ < |๐ด|, this means that there is some ๐โฒ โ ๐ด such that ๐โฒ โ ๐ด ๐ .
โข But then Pr ๐ = ๐โฒ| ๐ถ = ๐ = 0 โ Pr[๐ = ๐โฒ]
And so the scheme is not perfectly secret.
![Page 11: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/11.jpg)
Shannonโs Theorem
Let (๐บ๐๐, ๐ธ๐๐, ๐ท๐๐) be an encryption scheme with message space ๐ด, for which ๐ด = ๐ฒ =|๐ช|. The scheme is perfectly secret if and only if:
1. Every key ๐ โ ๐ฒ is chosen with equal probability 1/|๐ฒ| by algorithm ๐บ๐๐.
2. For every ๐ โ ๐ด and every ๐ โ ๐ช, there exists a unique key ๐ โ ๐ฒ such that ๐ธ๐๐๐(๐) outputs ๐.
**Theorem only applies when ๐ด = ๐ฒ = |๐ช|.
![Page 12: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/12.jpg)
Some Examples
โข Is the following scheme perfectly secret?
โข Message space ๐ด = {0,1, โฆ , ๐ โ 1}. Key space ๐ฒ = {0,1, โฆ , ๐ โ 1}.
โข Gen() chooses a key ๐ at random from ๐ฒ.
โข Enc๐ ๐ returns ๐ + ๐.
โข ๐ท๐๐๐ ๐ returns ๐ โ ๐.
![Page 13: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/13.jpg)
Some Examples
โข Is the following scheme perfectly secret?
โข Message space ๐ด = {0,1, โฆ , ๐ โ 1}. Key space ๐ฒ = {0,1, โฆ , ๐ โ 1}.
โข Gen() chooses a key ๐ at random from ๐ฒ.
โข Enc๐ ๐ returns ๐ + ๐ ๐๐๐ ๐.
โข ๐ท๐๐๐ ๐ returns ๐ โ ๐ ๐๐๐ ๐.
![Page 14: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/14.jpg)
The Computational Approach to Security
โAn encryption scheme is secure if no adversary learns meaningful information about the plaintext after seeing the ciphertextโ
How do you formalize learns meaningful information?
![Page 15: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/15.jpg)
The Computational Approach to Security
โข Meaningful Information about plaintext m: โ ๐(๐) for an efficiently computable function ๐
โข Learn Meaningful Information from the ciphertext: โ An efficient algorithm that can output ๐(๐) after
seeing ๐ but could not output ๐ ๐ before seeing ๐.
โข Learn Meaningful Information: โ The change in probability that an efficient algorithm
can output ๐(๐) after seeing ๐ and can output ๐ ๐ before seeing ๐ is significant.
![Page 16: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/16.jpg)
Note:
โข The intuitive definition from the previous slide is known as โsemantic security.โ
โข We will first see a different, simpler definition known as indistinguishability.
โข Later we will see that the two definitions are provably equivalent.
![Page 17: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/17.jpg)
The Computational Approach
Two main relaxations:
1. Security is only guaranteed against efficient adversaries that run for some feasible amount of time.
2. Adversaries can potentially succeed with some very small probability.
![Page 18: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/18.jpg)
Security Parameter
โข Integer valued security parameter denoted by n that parameterizes both the cryptographic schemes as well as all involved parties.
โข When honest parties initialize a scheme, they choose some value n for the security parameter.
โข Can think of security parameter as corresponding to the length of the key.
โข Security parameter is assumed to be known to any adversary attacking the scheme.
โข View run time of the adversary and its success probability as functions of the security parameter.
![Page 19: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/19.jpg)
Polynomial Time
โข Efficient adversaries = Polynomial time adversaries
โ There is some polynomial ๐ such that the adversary runs for time at most ๐(๐) when the security parameter is ๐.
โ Honest parties also run in polynomial time.
โ The adversary may be much more powerful than the honest parties.
![Page 20: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/20.jpg)
Negligible
โข Small probability of success = negligible probability
โ A function ๐ is negligible if for every polynomial ๐ and all sufficiently large values of ๐ it holds that
๐ ๐ < 1
๐(๐).
โ Intuition, ๐ ๐ < ๐โ๐ for every constant ๐, as ๐ goes to infinity.
![Page 21: The One-Time Pad (Vernamโs Cipher)danadach/Intro_Crypto...ย ยท 1. Fix an integer โ>0. Then the message space ๐, key space ๐พ, and ciphertext space are all equal to 0,1โ.](https://reader036.fdocuments.us/reader036/viewer/2022071219/60564c6a2d7d5d63b76be72e/html5/thumbnails/21.jpg)
Negligible