Outline Computer Science 418 More on Perfect Secrecy, One-Time Pad, Entropy 1 Computing p(CjM) and p(C) Mike Jacobson 2 The Vernam One-Time Pad Department of Computer Science University of Calgary 3 Entropy Week 3 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 1 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 2 / 34 Computing p(CjM) and p(C) Computing p(CjM) and p(C) Computing p(CjM) and p(C) Number of Keys in the Sum Recall that perfect secrecy is equivalent to p(MjC) = p(M) for all messages M and all ciphertexts C that occur. Usually there is at most one key K with EK (M) = C for given M and C. How can we determine p(CjM) and p(C)? However, some ciphers can transform the same plaintext into the same ciphertext with different keys. For any message M 2 M, we have A monoalphabetic substitution cipher will transform a message into X the same ciphertext with different keys if the only differences between p(CjM) = p(K) : the keys occur for characters which do not appear in the message K2K EK (M)=C Eg. key1 = ECONOMICS, key2 = ECONOMY, and we encrypt a message of at most 6 characters). That is, p(CjM) is the sum of probabilities p(K) over all those keys K 2 K that encipher M to C: Mike Jacobson (University of Calgary) Computer Science 418 Week 3 3 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 4 / 34 Computing p(CjM) and p(C) Computing p(CjM) and p(C) Example: Computing p(CjM) Description of EK M = fa; bg, K = fK1; K2; K3g, and C = f1; 2; 3; 4g. Encryption is given by the following table: Consider a fixed key K. The mathematical description of the set of all Key M = a M = b possible encryptions (of any plaintext) under this key K is exactly the K1 C = 1 C = 2 image of EK , i.e. the set EK (M) = fEK (M) j M 2 Mg. K2 C = 2 C = 3 K3 C = 3 C = 4 In the previous example, we have E (M) = f1; 2g, Thus, K1 p(1ja) = p(K1) ; p(1jb) = 0 ; EK2 (M) = f2; 3g p(2ja) = p(K2) ; p(2jb) = p(K1) ; EK3 (M) = f3; 4g: p(3ja) = p(K3) ; p(3jb) = p(K2) ; p(4ja) = 0 ; p(4jb) = p(K3) : Mike Jacobson (University of Calgary) Computer Science 418 Week 3 5 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 6 / 34 Computing p(CjM) and p(C) Computing p(CjM) and p(C) Computation of p(C) Example, cont. The respective probabilities of the four ciphertexts 1; 2; 3; 4 are: For a key K and ciphertext C 2 EK (M), consider the probability p(1) = p(K1)p(a); p(2) = p(K1)p(b) + p(K2)p(a) p(DK (C)) that the message M = DK (C) was sent. Then p(3) = p(K2)p(b) + p(K3)p(a); p(4) = p(K3)p(b) X p(C) = p(K)p(DK (C)) : If we assume that every key and every message is equally probable, K2K i.e. p(K1) = p(K2) = p(K3) = 1=3 and p(a) = p(b) = 1=2, then C2EK (M) 1 1 1 1 1 1 1 1 That is, p(C) is the sum of probabilities over all those keys K 2 K under p(1) = · = ; p(2) = · + · = 3 2 6 3 2 3 2 3 which C has a decryption under key K, each weighted by the probability 1 1 1 1 1 1 1 1 p(3) = · + · = ; p(4) = · = that that key K was chosen. 3 2 3 2 3 3 2 6 Note that p(1ja) = p(K1) = 1=3 6= 1=6 = p(1), so this system does not provide perfect secrecy. Mike Jacobson (University of Calgary) Computer Science 418 Week 3 7 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 8 / 34 Computing p(CjM) and p(C) Computing p(CjM) and p(C) Necessary Condition for Perfect Secrecy Proof of the Theorem Theorem 1 Assume perfect secrecy. Fix a ciphertext C0 that is the encryption of some message under some key (i.e. actually occurs as a ciphertext). If a cryptosystem has perfect secrecy, then jKj ≥ jMj. We first claim that for every key K, there is a message M that encrypts to Informal argument: suppose jKj < jMj. C0 under key K. Since C0 occurs as a ciphertext, C0 = EK0 (M0) for some key K and message M , so by perfect secrecy, Then there is some message M such that for a given ciphertext C; no 0 0 key K encrypts M to C: p(C0) = p(C0jM0) This means that the sum defining p(CjM) is empty, so p(CjM) = 0. X = p(K) But p(C) > 0 for all ciphertexts of interest, so p(CjM) 6= p(C), and K2K hence no perfect security. (The cryptanalyst could eliminate certain EK (M)=C0 possible plaintext messages from consideration after receiving a = p(K0) + possibly other terms in the sum ≥ p(K0) > 0 : particular ciphertext.) Mike Jacobson (University of Calgary) Computer Science 418 Week 3 9 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 10 / 34 Computing p(CjM) and p(C) Computing p(CjM) and p(C) Proof, cont. Shannon's Theorem Again by perfect secrecy, for every other message M 2 M, X 0 < p(C ) = p(C jM) = p(K): 0 0 Theorem 2 (Shannon's Theorem, 1949/50) K2K EK (M)=C0 A cryptosystem with jMj = jKj = jCj has perfect secrecy if and only if In other words, for every M, there is at least one non-zero term in that p(K) = 1=jKj (i.e. every key is chosen with equal likelihood) and for every sum, i.e. there exists at least one key K that encrypts M to C0. M 2 M and every C 2 C, there exists a unique key K 2 K such that EK (M) = C. Moreover, different messages that encrypt to C0 must do so under different keys (as EK (M1) = EK (M2) implies M1 = M2). So we have at Proof. least as many keys as messages. See Theorem 2.8, p. 38, in Katz & Lindell. (Formally, consider the set K0 = fK 2 K j C0 2 EK (M)g ⊆ K. Then we have shown that the map K0 !M via K 7! M where EK (M) = C0 is well-defined and surjective. Hence jKj ≥ jK0j ≥ jMj.) Mike Jacobson (University of Calgary) Computer Science 418 Week 3 11 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 12 / 34 The Vernam One-Time Pad The Vernam One-Time Pad One-Time Pad Bitwise Exclusive-Or Fix a string length n. Then set f0; 1gn is the set of bit strings (i.e. strings of 0's and 1's) of lengthn. Generally attributed to Vernam (1917, WW I) who patented it, but recent Definition 1 (bitwise exclusive or, XOR) research suggests the technique may have been used as early as 1882 For a; b 2 f0; 1g, we define in any case, it was long before Shannon ( 0 a = b ; a ⊕ b = a + b (mod 2) = It is the only substitution cipher that does not fall to statistical analysis. 1 a 6= b : n For A = (a1; a2;:::; an); B = (b1; b2;:::; bn) 2 f0; 1g , we define then A ⊕ B = (a1 ⊕ b1; a2 ⊕ b2;:::; an ⊕ bn) : (component-wise XOR). Mike Jacobson (University of Calgary) Computer Science 418 Week 3 13 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 14 / 34 The Vernam One-Time Pad The Vernam One-Time Pad The One-Time Pad Security of the One-Time Pad Theorem 3 Definition 2 (Vernam one-time pad) The one-time pad provides perfect secrecy if each key is chosen with equal Let M = C = K = f0; 1gn (bit strings of some fixed length n). Encryption likelihood. Under this assumption, each ciphertext occurs with equal of M 2 f0; 1gn under key K 2 f0; 1gn is bitwise XOR, i.e. likelihood (regardless of the probability distribution on the plaintext space). C = M ⊕ K : This means that in the one-time pad, any given ciphertext can be Decryption of C under K is done the same way, i.e. M = C ⊕ K, since decrypted to any plaintext with equal likelihood (defn of perfect secrecy). K ⊕ K = (0; 0;:::; 0). There is no \meaningful" decryption. So even exhaustive search doesn't help. Mike Jacobson (University of Calgary) Computer Science 418 Week 3 15 / 34 Mike Jacobson (University of Calgary) Computer Science 418 Week 3 16 / 34 The Vernam One-Time Pad The Vernam One-Time Pad Proof of the Theorem Cryptanalysis of the One-Time Pad Proof of Theorem 3. It is imperative that each key is only used once: We have jMj = jCj = jKj = 2n, and for every M; C 2 f0; 1gn, there exists Immediately falls to a KPA: if a plaintext/ciphertext pair (M; C) is a unique key K that encrypts M to C, namely K = M ⊕ C. By Shannon's known, then the key is K = M ⊕ C. Theorem 2, we have prefect secrecy. Suppose K were used twice: Now let M; C 2 f0; 1gn be arbitrary. Then by perfect secrecy, C1 = M1 ⊕ K ; C2 = M2 ⊕ K =) C1 ⊕ C2 = M1 ⊕ M2 : X p(C) = p(CjM) = p(K) Note that C1 ⊕ C2 = M1 ⊕ M2 is just a coherent running key cipher K2f0;1gn (adding two coherent texts, M1 and M2), which as we have seen is M⊕K=C insecure.