Cryptography: Perfect Secrecy, Part 2

The document discusses the goal of perfect secrecy in encryption. Perfect secrecy means that the ciphertext reveals no additional information about the plaintext beyond what an attacker already knows, even if the attacker sees multiple ciphertexts. It reviews probability concepts like random variables, distributions, and conditional probability that are important for analyzing encryption schemes. It defines the common components of encryption like keys, messages, and algorithms. And it provides examples of calculating ciphertext probabilities for a simple cipher. The overall goal is to formally define what perfect secrecy means in probabilistic terms.

Uploaded by

AnggieTasya

Cryptography

Perfect secrecy, part 2

Secure encryption?
What is our goal?
Regardless of any prior info. the attacker has
about the plaintext, the ciphertext should leak
no additional information about the plaintext
(Ciphertext-only attack, one ciphertext)

Probability review
Random variable: variable that takes on (discrete)
values with certain probabilities
Probability distribution for a r.v. specifies the
probabilities with which the variable takes on
each possible value
Each probability must be between 0 and 1
The probabilities must sum to 1

Probability review
Event: a particular occurrence in some experiment
Pr[E]: probability of event E

Conditional probability: probability that one event
occurs, assuming some other event occurred
Pr[A | B] = Pr[A and B] / Pr[B]

Two r.v.s X, Y are independent if
for all x, y: Pr[X=x | Y=y] = Pr[X=x]

Probability review
Law of total probability: say E_1, …, E_n are a partition
of all possibilities. Then for any A:
Pr[A] = Σ_i Pr[A and E_i] = Σ_i Pr[A | E_i] · Pr[E_i]

Recall
A private-key encryption scheme is defined by a
message space M and algorithms (Gen, Enc, Dec):
Gen (key-generation algorithm): generates k
Enc (encryption algorithm): takes key k and message
m ∈ M as input; outputs ciphertext c.
c ← Enc_k(m)
Dec (decryption algorithm): takes key k
and ciphertext c as input; outputs m.
m := Dec_k(c)

Notation
K (key space): set of all possible keys
C (ciphertext space): set of all possible
ciphertexts

Probability distributions
Let M be a random variable denoting the
value of the message
M ranges over the message space M
This reflects the likelihood of different messages
being sent by the parties, given the attacker's
prior knowledge
E.g.,
Pr[M = 'attack today'] = 0.7
Pr[M = 'don't attack'] = 0.3

Probability distributions
Let K be a random variable denoting the key
K ranges over the key space K

Fix some encryption scheme (Gen, Enc, Dec)

Gen defines a probability distribution for K:
Pr[K = k] = Pr[Gen outputs key k]

Probability distributions
Random variables M and K are independent
I.e., the message that a party sends does not
depend on the key used to encrypt that message

Probability distributions
Fix some encryption scheme (Gen, Enc, Dec), and
some distribution for M
Consider the following (randomized) experiment:
1. Choose a message m, according to the given distribution
2. Generate a key k using Gen
3. Compute c ← Enc_k(m)

This defines a distribution on the ciphertext!

Let C be a random variable denoting the
value of the ciphertext in this experiment

Example 1
Consider the shift cipher

So for all k ∈ {0, …, 25}, Pr[K = k] = 1/26

Say Pr[M = 'a'] = 0.7, Pr[M = 'z'] = 0.3

What is Pr[C = 'b'] ?

Either M = 'a' and K = 1, or M = 'z' and K = 2

Pr[C='b'] = Pr[M='a'] · Pr[K=1] + Pr[M='z'] · Pr[K=2]
Pr[C='b'] = 0.7 · (1/26) + 0.3 · (1/26)
Pr[C='b'] = 1/26

Example 2
Consider the shift cipher, and the distribution
Pr[M = 'one'] = 1/2, Pr[M = 'ten'] = 1/2

Pr[C = 'rqh'] = ?
= Pr[C = 'rqh' | M = 'one'] · Pr[M = 'one']
+ Pr[C = 'rqh' | M = 'ten'] · Pr[M = 'ten']
= (1/26) · (1/2) + 0 · (1/2) = 1/52

Perfect secrecy (informal)

Regardless of any prior info. the attacker has
about the plaintext, the ciphertext should leak
no additional information about the plaintext
(Ciphertext-only attack, one ciphertext)

Perfect secrecy (informal)

Attacker's information about the plaintext =
attacker-known distribution of the plaintext
Perfect secrecy means that observing the
ciphertext should not change the attacker's
knowledge about the distribution of the plaintext

Perfect secrecy (formal)

Encryption scheme (Gen, Enc, Dec) with message
space M and ciphertext space C is perfectly secret if
for every distribution over M, every m ∈ M, and
every c ∈ C with Pr[C=c] > 0, it holds that

Pr[M = m | C = c] = Pr[M = m].

Example 3
Consider the shift cipher, and the distribution
Pr[M = 'one'] = 1/2, Pr[M = 'ten'] = 1/2
Take m = 'ten' and c = 'rqh'
Pr[M = 'ten' | C = 'rqh'] = ?
= 0
≠ Pr[M = 'ten']

Bayes's theorem
Pr[A | B] = Pr[B | A] · Pr[A] / Pr[B]

Example 4
Shift cipher,
Pr[M = 'hi'] = 0.3,
Pr[M = 'no'] = 0.2,
Pr[M = 'in'] = 0.5
Pr[M = 'hi' | C = 'xy'] = ?
= Pr[C = 'xy' | M = 'hi'] · Pr[M = 'hi'] / Pr[C = 'xy']

Example 4, continued
Pr[C = 'xy' | M = 'hi'] = 1/26
Pr[C = 'xy']
= Pr[C = 'xy' | M = 'hi'] · 0.3 + Pr[C = 'xy' | M = 'no'] · 0.2
+ Pr[C = 'xy' | M = 'in'] · 0.5
= (1/26) · 0.3 + (1/26) · 0.2 + 0 · 0.5
= 1/52

Example 4
Pr[M = 'hi' | C = 'xy'] = ?
= Pr[C = 'xy' | M = 'hi'] · Pr[M = 'hi'] / Pr[C = 'xy']
= (1/26) · 0.3 / (1/52)
= 0.6
≠ Pr[M = 'hi']
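
Added example (not part of the original slides): the experiment "choose m, generate k, compute c" evaluated exactly with fractions, reproducing Examples 1 to 4 and listing every (m, c) pair where the posterior differs from the prior. The function names are hypothetical, and the 1/2 probabilities for 'one' and 'ten' are inferred from the slide's result of 1/52.

```python
from collections import defaultdict
from fractions import Fraction

def shift_enc(k, m):
    """Enc_k(m): shift each lowercase letter of m by k positions mod 26."""
    return "".join(chr((ord(ch) - 97 + k) % 26 + 97) for ch in m)

def joint_distribution(msg_dist):
    """The experiment from the slides, computed exactly: m drawn from msg_dist,
    k uniform in {0..25}, c = Enc_k(m). Returns {(m, c): Pr[M=m and C=c]}."""
    joint = defaultdict(Fraction)
    for m, pm in msg_dist.items():
        for k in range(26):
            joint[(m, shift_enc(k, m))] += pm * Fraction(1, 26)
    return joint

def pr_c(msg_dist, c):
    """Law of total probability: Pr[C=c] = sum over m of Pr[M=m and C=c]."""
    joint = joint_distribution(msg_dist)
    return sum((p for (_, ct), p in joint.items() if ct == c), Fraction(0))

def posterior(msg_dist, m, c):
    """Pr[M=m | C=c]; only defined when Pr[C=c] > 0."""
    pc = pr_c(msg_dist, c)
    if pc == 0:
        raise ValueError("Pr[C=c] = 0, the conditional probability is undefined")
    return joint_distribution(msg_dist).get((m, c), Fraction(0)) / pc

def violations(msg_dist):
    """All (m, c) with Pr[C=c] > 0 and Pr[M=m | C=c] != Pr[M=m]. One violation
    disproves perfect secrecy; an empty list only clears this one distribution."""
    ciphertexts = sorted({c for (_, c) in joint_distribution(msg_dist)})
    return [(m, c) for c in ciphertexts for m in msg_dist
            if posterior(msg_dist, m, c) != msg_dist[m]]

# Message distributions from the slides. The 1/2 values in EX2 are inferred
# from the slide's result Pr[C = 'rqh'] = 1/52.
EX1 = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
EX2 = {"one": Fraction(1, 2), "ten": Fraction(1, 2)}
EX4 = {"hi": Fraction(3, 10), "no": Fraction(2, 10), "in": Fraction(5, 10)}

if __name__ == "__main__":
    print(pr_c(EX1, "b"), pr_c(EX2, "rqh"), posterior(EX4, "hi", "xy"))
    print("EX1 leaks:", violations(EX1))
    print("EX4 leaks:", violations(EX4)[:3])
```

For the single-letter messages of Example 1 the list of violations is empty, because one uniform shift fully masks one letter; the leak in Examples 3 and 4 comes from reusing the same shift across several letters.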

Conclusion
The shift cipher is not perfectly secret!
How to construct a perfectly secret scheme?
