CS 490 B Cryptography - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

CS 490 B Cryptography

Description:

Spurious keys, unicity distance. 9/28/09. Cryptography, Lecture 8 Draft. Slide 4 ... Unicity distance. Definition: The unicity distance of a cyptosystem. is the ... – PowerPoint PPT presentation

Number of Views:386

Avg rating:3.0/5.0

Slides: 31

Provided by: LaptopSoft

Category:

more less

Transcript and Presenter's Notes

Title: CS 490 B Cryptography

1
CS 490 BCryptography

David Mutchler
Spring term, 1998-99
Lecture 8

2
Announcements

Homework due dates
Homework 1 answers are on the Web
Homework 2 is due Monday, March 22
Homework 3 will be due Friday, March 26
It will appear on the Web Sunday, March 21
No class Monday or Tuesday, March 22 23.
So turn in Homework 2 on Thursday, March 25.
Questions on Homework 2?

3
Overview

Perfect secrecy
Conditional probability
Definition of perfect secrecy
Systems that provide perfect secrecy
We encrypt a single plaintext element with a
single key
How secure when we reuse a key?
Entropy
Redundancy of a language
Spurious keys, unicity distance

4
What is a cryptosystem?

Three finite sets
P set of possible plaintexts
C set of possible ciphertexts
K set of possible keys
Encryption and decryption functions e and d.For
each k in K
ek P? C dk C ? P
Main property for any plaintext x and key k
dk(ek(x)) x

5
Security of a cryptosystem ??

Computationally secure
Definition the best algorithm for breaking the
cryptosystem requires at least N
operations,where N is some specified, large
number
Difficult to make the above notion precise
Difficult to prove for any particular
cryptosystem
Unconditionally secure
The cryptosystem cannot be broken,even with
unlimited computational resources
Also must specify the type of attack

6
Where we are going

Yesterday and today we develop
a theory of cryptosystems
that are unconditionally secure
against a ciphertext-only attack
Shift cipher, substitution cipher, Vigenere
cipher
Not computationally secure
against a ciphertext-only attack,
given a sufficient amount of ciphertext
Unconditionally secure (!)
if only one element of plaintext is encrypted
with a given key

7
Conditional probability

To define unconditionally secure,need
probability theory
random variable, sample space
probability distribution
joint probability distribution
conditional probability distribution
independent random variables
Bayes theorem

8
Random variable

Definition A random variable
is a function
from the sample space
to a set of numbers
(for us, the nonnegative integers)
Examples
The number of aces in a bridge hand
The number of multiple birthdays in a room of n
people
Ill assume discrete random variablesthroughout
these notes

9
Probability distribution

Definition The probability distribution
of a random variable X
gives, for each possible value x that X can take,
the probability of x,
written p(x).
Example
Let X number of heads after 3 coin tosses.
p(0) 1/8 p(1) 3/8 p(2) 3/8
p(3) 1/8

10
Joint probability distribution

Definition
Let X and Y be random variables.
The joint probability p(x, y)
is the probability that X is x and Y is y.
Example
X a
b c 1 .25 .15 .20Y 2 .10 .25 .05

11
Conditional probabilities

Definition
Let X and Y be random variables.
The probability X is x given that Y is y,
written p( x y ), probability of x given
y
is p(x, y) / p(y)
Example/exercise
X a
b c 1 .25 .15 .20 p(b 1) 15/60Y
2 .10 .25 .05 p(b 2) 25/40

12
Independent random variables

Definition
Random variables X and Y are independent
if p(x y) p(x) for all x, y.
Equivalently, if p(x, y) p(x)p(y) for all x,
y.
Examples
X and Y on previous slide are not independent
of heads in toss A, in toss B independent

13
Bayes Theorem

Provides a way to compute p(x y),given you
have p(y x) and other stuff

14
Application to ciphers

Assume
pp(x) probability distribution on plaintext
pk(k) probability distribution on key space
Picking key and picking plaintext are independent
These induce
pc(y) probability distribution on ciphertext
Exercise what is it?

15
Plain given cipher, and vice versa

Have
Exercise compute pc(y x)
Exercise compute pp(x y).
Use Bayes theorem and the above.

16
Example

P a, b. C 1, 2, 3, 4.
pp a gt 1/4 b gt 3/4
K k1, k2, k3 a b
k1 1 2
k2 2 3
k3 3 4
pk k1 gt 1/2 k2 gt 1/4 k3 gt 1/4
Exercise compute pc.
Exercise compute pp(x y).

17
Perfect secrecy

Definition A cryptosystem has perfect secrecy
if pp(x y) pp(x) for all x?P, y?C.
Theorem
Suppose the 26 keys in the Shift cipher are used
with equal probability.
Then for any plaintext probability distribution,
the Shift cipher has perfect secrecy.
Note that we are encrypting a single character
with a single key
Another time the (easy) proof!

18
What provides perfect secrecy?

Theorem
Perfect secrecy requires K ? C.
Any cryptosystem has C ? P.
Suppose K C P.
Then the cryptosystem has perfect secrecy iff
every key is used with equal probability, and
for every x?P and y?C,there is a unique key k
such that ek(x) y

19
Vernams one-time pad

Corollary to the theorem on the previous slide
Vigeneres cipher provides perfect secrecy, if
each key is equally likely, and
you encrypt a single plaintext element(i.e.,
encrypt m characters using a key of length m)
Cannot have perfect secrecy with shorter keys
History
1917 Gilbert Vernam suggested Vigenere with a
binary alphabet and a long keyword. Joseph
Mauborgne suggested uing a one-time pad (key as
long as the message, not reused).
Widely accepted as unbreakablebut no proof
until Shannons work 30 years later

20
What if keys are reused?

Summary
We defined perfect secrecy.
We found cryptosystems that provide perfect
secrecy.
But perfect secrecy requires that we not reuse
a key
Next How secure is a cryptosystemwhen we reuse
keys?
Entropy
Redundancy of a language
Spurious keys, unicity distance

21
Entropy motivation

Background
From information theory
Introduced by Claude Shannon in 1948.
A measure of information or uncertainty
Computed as a function of a probability
distribution
Example
Toss a coin.How many bits required to represent
the result?
Toss a coin n times. Now how many bits?

22
Entropy definition

Definition
Suppose X is a random variable
with probability distribution p p1, p2, ... pn
where pi is the probability X takes on its ith
possible value.
Then the entropy of X,
written H(X), is

23
Entropy example

Definition of entropy
P a, b. C 1, 2, 3, 4.
pp a gt 1/4 b gt 3/4
pc 1 gt 1/8 2 gt 7/16 3 gt 1/4 4
gt 3/16
Exercise what is H(P)? H(C)?
H(P) - ( 1/4 ? -2 ) ( 3/4 ? (log2 3 - 2)
) ? 0.81
H(C) ? 1.85.

24
Spurious keys

Exercise
Suppose Oscar is doing a ciphertext-only attack
on a string encoded using Vigeneres cipher
where m is modest (not a one-time pad)
Oscar decrypts the message to a meaningful
sentence.
Why is Oscar not done?
Answer
1. There may be other keys that yield other
meaningful sentences.
2. We want the key, not just the meaningful
sentence.

25
Spurious keys

Context
Oscar is doing cipher-text only attack
Oscar has infinite computational resources
Oscar knows the plaintext is a natural
language.
Result
Oscar will be able to rule out certain keys.
Many possible keys remain. Only one key is
correct.
The remaining possible, but incorrect, keysare
called spurious keys.
Our goal determine how many spurious keys.

26
Entropy redundancy of a language

Definitions
Let L be a natural language (like English).
Let Pn be a random variable whose probability
distribution is that of all n-grams of plaintext
in L.
The entropy HL of L is
The redundancy RL of L is
HL measures entropy per letter.
RL measures fraction of excess characters.

27
Entropy redundancy of a language

Experiments have shown that for English
H(P2) ? 7.80
1.0 ? HL ? 1.5
So RL ? 0.75
Exercise does this mean you could keep only
every 4th letter of a message and hope to read
it?
Answer No!This means you could hope to encode
long strings of English to about 1/4 of their
size, using a Huffman encoding.

28
Number of spurious keys