YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE
CPSC 467a: Cryptography and Computer Security | Notes 2 (rev. 2) | |
Professor M. J. Fischer | September 12, 2006 | |
Lecture Notes 2
A symmetric cryptosystem consists of a set of plaintext messages, a set of ciphertexts, a set of keys, and two functions, an encryption function E : ×→ and a decryption function D : ×→. We often write Ek(m) = E(k,m) and Dk(c) = D(k,c). One may view a cryptosystem as consisting of a family of encryption and decryption functions indexed by k, but this should not obscure the fact that in order to be useful, it must be possible to compute the functions given an arbitrary key k.
We would like a cryptosystem to have three properties:
While these properties are always required of a cryptosystem, we generally want m to remain secret even when Eve has access to various kinds of additional information. This leads us to define several attack scenarios.
Still stronger versions of these attacks are possible. For example, in a chosen plaintext attack, Eve might be able to choose the messages mi one at a time rather than all at once so that m2 depends on the value of c1, m3 depends on both c1 and c2, and so forth. Such an attack is called adaptive. Adaptive chosen ciphertext attacks are of course also possible, where each new ciphertext chosen depends on the plaintexts corresponding to the previously-chosen ciphertexts. One can have mixed chosen plaintext and chosen ciphertext attacks where Eve can choose some plaintexts and some ciphertexts and get the corresponding decryptions or encryptions of same. Adaptive versions of mixed attacks are also possible.
One might question whether such attack scenarios are feasible in practice. Why would Alice cooperate with Eve in this way? It all depends on the situation in which the cryptosystem is used. “Alice” might be an Internet server, not a person, who encrypts/decrypts certain messages received in the course of carrying out more complicated cryptographic protocols. We will see such protocols later in the course. One could also imagine that an attacker gets hold of Alice’s encryption device and is able to play with it for awhile even though she can’t extract the secret key that is stored inside. For example, Eve might sit down at Alice’s computer when Alice is out to lunch, or she might slip Alice’s cryptographic smart card out of her purse when Alice isn’t looking. Of course, if Alice discovers the intrusion or learns that her card is missing, she’ll change her key and Eve’s efforts would be for naught, but if Eve puts everything back in order before Alice returns, Alice might be none the wiser.
We’ve already mentioned one kind of compromise of a cryptosystem—learning the secret message m. But actually there are many different degrees of compromise, some more serious than others, depending on the application. Here is a list of some of the kinds of compromise which one should be aware of and ideally be able to prevent:
When we start talking about the probability of Even learning the message, we must ask, “Where does randomness enter into the discussion of attacks on a cryptosystem?” We assume there are three such places:
We further assume that these three sources of randomness are statistically independent. This means that Eve’s random numbers do not depend on (nor give any information about) the message or key used by Alice. It also means that Alice’s key does not depend on the particular message or vice versa.
These multiple sources of randomness give rise to a joint probability distribution that assigns a well-defined probability (i.e., a real number in the interval [0,1]) to each triple (m,k,z), where m is a message, k a key, and z is the result of the random choices Eve makes during her computation. The independence requirement simply says that the probability of the triple (m,k,z) is precisely the product of pm ×pk ×pz, where pm is the probability that m is the chosen message, pk is the probability that k is the chosen key, and pz is the probability that z represents the random choices made by Eve during the course of her computation.
When talking about random choices, we often use the term random variable to denote the experiment of choosing an element from a set according to a particular probability distribution. For example, we sometimes use m to denote the random variable that describes the experiment of Alice choosing a message m according to the assumed message distribution. Ambiguously, we often use m to denote a particular element in the set , perhaps the outcome of the experiment described by the random variable m. While these two uses may sometimes be confusing, we will try to make which usage is intended clear from context.
For example, if we let pm denote the probability that the message distribution assigns to the particular message m , then there is no experiment under consideration and it is clear that m is being used to denote an element of . On the other hand, if we talk about the event m = m0, then we are using m in the sense of a random variable, and the event m = m0 means that the outcome of the experiment described by m is m0. We denote the probability of that event occurring by prob[m = m0], which in this case is simply pm0. See section 15.1 of Trapp and Washington for a more thorough review of basic probability definitions.
Information-theoretic security is defined formally in terms of statistical independence. In our probabilistic model, we can consider both m and k to be random variables. Together, they induce a probability distribution on the ciphertext c = E(k,m). Here we see the power of the random variable notation, for c itself can be considered to be a random variable which is a function of k and m. To define c formally, we must define the probability of each of the events c = c0 for c0 . These are easily derived from the random variables k and m as follows:
Because of the assumed independence of k and m, this is the same as
The reason for the summation is that the same ciphertext can arise from many different key-message pairs.
Now, what it means for the cryptosystem to be information-theoretically secure is that the random variables c and m are statistically independent, that is,
for all m0 and c0 .
This independence is often expressed more intuitively in terms of conditional probabilities. We define
assuming the denominator of the fraction is non-zero. This is the probability that m = m0 given that c = c0. We then say that c and m are statistically independent if
for all m0 and c0 such that prob[c = c0]0. Hence, even after Eve receives the ciphertext c0, her opinion of the likelihood of each message m0 is the same as it was initially.
To make these ideas more concrete, we look at the Caeser cipher, which is said to go back to Roman times. It is an alphabetic cipher, that is, used to encode the 26 letters of the Roman alphabet A,B,…,Z. For convenience, we will represent the letters by the numbers 0,1,…,25, where A = 0, B = 1, . . . , Z = 25.
The base cipher handles just single letters. The message space is = {0,…,25}, and the ciphertext space and key space are the same, so = = .
To encrypt, Ek replaces each letter m by the letter k places further on in the alphabet when read circularly, with A following Z. To decrypt, Dk replaces each letter c by the letter k places earlier in the alphabet when read circularly. Mathematically, the encryption and decryption functions are given by
(Notation: x mod 26 is the remainder of x divided by 26.) Thus, if k = 3, then Ek(P) = S and Dk(S) = P .
Of course, one is generally interested in encrypting more than single letter messages, so we need a way to extend the encryption and decryption functions to strings of letters. The simplest way of extending is to encrypt each letter separately using the same key k. If m1…mr is an r-letter message, then its encryption is c1…cr, where ci = Ek(mi) = (mi + k) mod 26 for each i = 1,…,r. Decryption works similarly, letter by letter.
What we have really done by the above is to build a new cryptosystem from the base cryptosystem on single letters. In the new system, the message space and ciphertext space are
that is, length-r sequences of numbers from {0,…,25}. The encryption and decryption functions are
Here, we use the superscript r to distinguish these functions from the base functions Ek() and Dk().