diff options
Diffstat (limited to 'ss2017/cryptography/Notes02.txt')
-rw-r--r-- | ss2017/cryptography/Notes02.txt | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/ss2017/cryptography/Notes02.txt b/ss2017/cryptography/Notes02.txt new file mode 100644 index 0000000..59da143 --- /dev/null +++ b/ss2017/cryptography/Notes02.txt | |||
@@ -0,0 +1,214 @@ | |||
1 | 2 Principles of cryptography (KL1.1, KL1.2, KL1.4, KL2) | ||
2 | -------------------------------------------------------- | ||
3 | |||
4 | These considerations and similar ones applying to other historical | ||
5 | ciphers have led to the principles for the design of cryptosystems. | ||
6 | |||
7 | Before stating these we describe somewhat more formally what a | ||
8 | (private-key) cryptosystem is. | ||
9 | |||
10 | A cryptosystem comprises three algorithms: | ||
11 | |||
12 | - A key generation algorithm Gen which outputs a key according to some | ||
13 | format an probability distribution. | ||
14 | |||
15 | - An encryption algorithm Enc which given plaintext m and key k | ||
16 | produces a ciphertext Enc_k(m) | ||
17 | |||
18 | - A decryption algorithm Dec which given ciphertext c and key k | ||
19 | produces a plaintext Dec_k(m). | ||
20 | |||
21 | The set of all keys possibly put out by the key generator Gen is | ||
22 | called keyspace (K). For every key k produced by Gen it must hold | ||
23 | that Dec_k(Enc_k(m)) = m. There is also a finite set of possible | ||
24 | messages M and ciphertexts C. Clearly, Gen must be randomized, | ||
25 | otherwise it would always return the same key. Sometimes Enc is also | ||
26 | randomized, i.e. ciphertexts may contain some random information and | ||
27 | do not depend functionally on plaintext and key. | ||
28 | |||
29 | One of the most important design principles is Kerckhoff's rule (19th | ||
30 | century): Security of the cryptosystem should rely on secrecy of the | ||
31 | key not on secrecy of the method. In other words, the cryptosystem | ||
32 | should remain secure if everything about the three algorithms involved | ||
33 | is publicly known. "No security through obscurity". | ||
34 | |||
35 | In addition to this, the cryptosystem should withstand some or all of | ||
36 | the following kinds of attack: | ||
37 | |||
38 | Ciphertext only attack: an eavesdropper observes ciphertext and aims | ||
39 | at determining the underlying plaintexts. | ||
40 | |||
41 | Known plaintext attack (KPA): This is when the eavesdropper knows some | ||
42 | ciphertext-plaintext pairs for one and the same key and tries to use | ||
43 | this information to then decrypt additional ciphertexts (again | ||
44 | w.r.t. the same key). | ||
45 | |||
46 | Chosen plaintext attack (CPA): Here the adversary may prepare | ||
47 | plaintexts of its choice and request the corresponding ciphertexts. | ||
48 | |||
49 | Chosen ciphertext attack (CCA): Here the adversary can even request | ||
50 | the decryption of ciphertexts of its choice. | ||
51 | |||
52 | Modern cryptography, say since WW2, holds the following additional | ||
53 | principles: | ||
54 | |||
55 | |||
56 | Principle 1: Formulation of exact definitions | ||
57 | |||
58 | Which notion of security is one aiming at? | ||
59 | |||
60 | No adversary should be able to know the key ... But what if they can | ||
61 | decrypt ciphertexts without knowing the key? | ||
62 | |||
63 | No adversary should be able to decrypt any ciphertext unless they know | ||
64 | the key. But what if they can find out some bits of the ciphertext, | ||
65 | e.g. every second letter, or a block of letters somewhere in the | ||
66 | middle? | ||
67 | |||
68 | |||
69 | Principle 2: Reliance on precise assumptions | ||
70 | |||
71 | Typically, security of a cryptosystem can be guaranteed only by making | ||
72 | assumptions on the computational power of an adversary (with unlimited | ||
73 | resources they could always try out all plaintexts) and also on the | ||
74 | computational difficulty of solving certain algorithmic | ||
75 | problems. Desirable as it would be to have unconditional security; if | ||
76 | one has to work with assumptions one should at least state them | ||
77 | precisely. Sometimes, security can only be proven for idealized | ||
78 | versions of cryptosystems that use components not known to exist but | ||
79 | which are believed to be "approximated" by existing components. Again, | ||
80 | it is then important to clearly state what these idealized components | ||
81 | or versions are. | ||
82 | |||
83 | |||
84 | Principle 3: Rigorous proofs of security | ||
85 | |||
86 | Once the desired notion of security and the assumptions are clearly | ||
87 | defined one should then establish a rigorous mathematical proof of | ||
88 | conditional security. | ||
89 | |||
90 | "Given that Assumption X is true, Construction Y is secure according | ||
91 | to the given definition." | ||
92 | |||
93 | As an example, we now look at perfect security in the sense of Shannon | ||
94 | and see how Vernam's cipher (patented in 1919) implements it. | ||
95 | |||
96 | |||
97 | In order to get around the fact that an adversary can always try out | ||
98 | all possible plaintexts but that this kind of attack "doesn't count" | ||
99 | Claude Shannon suggested to use probabilities: if one out of two | ||
100 | messages is selected at random and the adversary gets to see the | ||
101 | ciphertexts only it has a chance of no more than 50% of determining | ||
102 | the plaintext correctly from the ciphertext. For cryptosystem Pi and | ||
103 | adversary A we thus define the following | ||
104 | |||
105 | Eavesdropping indistinguishability experiment PrivK^eav_{A,Pi}: | ||
106 | |||
107 | 1. The adversary produces two messages m0, m1 from the message space M. | ||
108 | 2. Gen is used to generate a (random) key k and a bit b <- {0,1} is | ||
109 | chosen uniformly at random (50/50). The (or rather a) ciphertext | ||
110 | c = Enc_k(m_b) is then given to A. | ||
111 | 3. A answers by outputting a bit b'. | ||
112 | 4. The output of the experiment is defined 1 if b=b' and 0 otherwise. | ||
113 | |||
114 | Definition (perfect secrecy): The encryption scheme Pi=(Gen,Enc,Dec) | ||
115 | is perfectly secret if for all adversaries A it holds that | ||
116 | |||
117 | Pr[PrivK^eav_{A,Pi} = 1] = 0.5 | ||
118 | |||
119 | The following cryptosystems are not perfectly secure: | ||
120 | |||
121 | A book cipher which uses a secret code book containing for each *word* | ||
122 | another word to replace it. E,g. "bomb" gets enciphered as "cake" and | ||
123 | "dollars" gets enciphered as "grams". Here the adversary could select | ||
124 | m0="bomb bomb" and m1="dollar bomb". If the received ciphertext has | ||
125 | the form c = x x then it will output b'=0 and if c = x y with x =/= y | ||
126 | it goes for 1. | ||
127 | |||
128 | The Vigenere cipher with key length uniformly chosen at random from | ||
129 | {1,2} (and once the length is fixed keys also chosen at random). The | ||
130 | adversary can choose m0 = aa and m1=ab. If the ciphertext has the form | ||
131 | xx it goes for b'=0. Otherwise it returns b'=1. | ||
132 | |||
133 | Now, if b=0 then there is a 1/2+1/2*1/26 chance that the ciphertext | ||
134 | has the form xx (key length 1 or key length 2 with equal letters) and thus | ||
135 | the adversary is right with probability 1/2+1/52 | ||
136 | |||
137 | If b=1 then the adversary is right with probability 1-1/52 (the only | ||
138 | way to be wrong is key length two and two key letters of distance 1). | ||
139 | |||
140 | Thus, the total probability for A to be right is 1/2*(1/2+1/52) + | ||
141 | 1/2*(1-1/52) = 3/4. | ||
142 | |||
143 | |||
144 | Proposition: Fix a cryptosystem Pi and suppose that plaintexts and | ||
145 | keys are drawn according to some, not necessarily uniform | ||
146 | distribution. The sytem Pi is perfectly secret if and only if | ||
147 | |||
148 | Pr[M=m | C=c] = Pr[M=m] | ||
149 | |||
150 | for every fixed plaintext m and ciphertext c such that Pr[C=c] != | ||
151 | 0. | ||
152 | |||
153 | Proof (sketch): Suppose that Pr[M=m | C=c] != Pr[M=m] for some c and | ||
154 | m. Since sum_m Pr[M=m | C=c] = sum_m Pr[M=m] = 1 (both are probability | ||
155 | measures) there must exist m_0,m_1 (one of them m) such that Pr[M=m0 | | ||
156 | C=c] < Pr[M=m0] and Pr[M=m1 | C=c] > Pr[M=m1]. By Bayes' theorem it | ||
157 | follows that Pr[C=c|M=m0]<Pr[C=c] and Pr[C=c|M=m1]>Pr[C=c], thus in | ||
158 | particular, Pr[C=c|M=m0] < Pr[C=c|M=m1]. | ||
159 | |||
160 | Now, consider the adversary who presents these messages m_0, m_1 and | ||
161 | if the ciphertext returned is c | ||
162 | then outputs b'=1, i.e. assume that the plaintext was not | ||
163 | m0 and outputs b'=0 otherwise. Its success probability is | ||
164 | |||
165 | 1/2*(1-Pr[C=c|M=m0]) + 1/2*Pr[C=c|M=m1] = | ||
166 | 1/2 + 1/2(Pr[C=c|M=m1] - Pr[C=c|M=m0]) | ||
167 | |||
168 | which is strictly above 1/2. | ||
169 | |||
170 | For the converse, one uses the fact that all the adversary knows is | ||
171 | the ciphertext, but according to the assumed equality Pr[M=m | C=c] = | ||
172 | Pr[M=m] this does not help. Q.E.D. | ||
173 | |||
174 | Now, such perfectly secret cryptosystems exist indeed: for fixed n:N | ||
175 | put M=C=K={0,1}^n and let Gen return k:K uniformly at random. The | ||
176 | encryption function is Enc_k(m) = m+k and Dec_k(m) = m+k as well, | ||
177 | where + denotes pointwise addition modulo 2 (XOR). For example, if n=5 | ||
178 | and k=11010 and m=11100 then Enc_k(m)=00110. | ||
179 | |||
180 | This system is known as Vernam's cipher or "one time pad" the point | ||
181 | being that its secrecy relies on the key being chosen afresh at random | ||
182 | every time one wants to use the scheme. It can also be seen as a | ||
183 | special case of the Vigenere cipher with the key being as long as the | ||
184 | entire text to be enciphered. | ||
185 | |||
186 | Proposition: The Vernam cipher is perfectly secret. | ||
187 | |||
188 | Proof: This is because for a given plaintext m the ciphertexts are | ||
189 | uniformly distributed, i.e., their distributions are identical and | ||
190 | independent for m0 and m1. As a result, the adversary cannot have an | ||
191 | advantage. Q.E.D. | ||
192 | |||
193 | The obvious disadvantage of the one-time pad is the key length, | ||
194 | nevertheless it is sometimes used, e.g. purportedly during the Cold | ||
195 | War for secure communication between the White House and the Kremlin. | ||
196 | |||
197 | Unfortunately, this key length is the price of perfect secrecy: | ||
198 | |||
199 | Theorem: If Pi is a perfectly secret cryptosystem with key space K and | ||
200 | message space M then |K|>=|M|, i.e. there have to be at least as many | ||
201 | possible keys as there are possible messages ("the key must be as long | ||
202 | as the message"). | ||
203 | |||
204 | Proof: Suppose for a contradiction that |K|<|M| and that ciphertext | ||
205 | c:C occurs with nonzero probability. Let M(c) = {m | Dec_k(c)=m for | ||
206 | some k:K}. We must have |M(c)|<=|K| since for each m:M(c) there is at | ||
207 | least one k:K such that m=Dec_k(c) and the keys thus corresponding to | ||
208 | distinct messages are distinct. If now |K|<|M| there must exist some | ||
209 | m' not in M(c). But then Pr[M=m'|C=c] = 0 =/= Pr[M=m'], so the scheme | ||
210 | is not perfectly secret. | ||
211 | |||
212 | This result is due to Claude Shannon who gives in fact a more precise | ||
213 | characterisation of perfect secrecy, see (KL2.4). | ||
214 | |||