Information theory
Cryptography and Authentication
A.J. Han Vinck, Essen, 2008
Cryptographic model
                 sender      receiver        attacker
secrecy          encrypt M   decrypt M       read M, find key
authentication   sign        test validity   modify, generate
General (classical) Communication Model
[Figure: source, M, encrypter, C, decrypter, M, destination in a chain; an analyst producing M'; a secure key channel carrying K to the encrypter and to the decrypter]
no information providing ciphers
Shannon (1949): Perfect secrecy condition
Prob. distribution (M) = Prob. distribution (M|C)
and thus: H(M|C) = H(M)
(no gain if we want to guess the message given the cipher)
Perfect secrecy condition
Furthermore: for perfect secrecy $H(M) \le H(K)$
$H(M|C) \le H(MK|C) = H(K|C) + H(M|CK)$
C and K → M, hence $H(M|CK) = 0$ and
$H(M|C) \le H(K|C) \le H(K)$
$H(M) = H(M|C) \le H(K)$: perfect secrecy!
Imperfect secrecy
How much ciphertext do we need to find a unique key-message pair, given the cipher?
The minimum is called the unicity distance.
Imperfect secrecy
Suppose we observe a piece of ciphertext $C^L$
[Figure: key K with entropy H(K) and source M with entropy H(M) feed the cipher C, which outputs $C^L$]
K and $M^L$ determine $C^L$
Key equivocation: $H(K|C^L) = H(K, C^L) - H(C^L)$
$H(C^L) \le L \log_2 |C|$
Question: When is $H(K|C^L) = 0$?
$H(K|C^L) = H(K) + H(C^L|K) - H(C^L) = H(K) + H(M^L) - H(C^L)$
(K, $M^L$ → $C^L$)
Using: $H(C^L) \le L \log_2 |C|$; $H(M^L) \approx L\,H_S(M)$
where $H_S(M)$ is the normalized entropy per output symbol
$H(K|C^L) \ge H(K) + L\,[H_S(M) - \log_2 |C|]$
$= 0$ for $L = H(K) / [\log_2 |C| - H_S(M)]$
Define U = the least value of L such that $H(K|C^L) = 0$
Hence: $U \ge H(K) / [\log_2 |C| - H_S(M)]$
conclusion
Make $H_S(M)$ as large as possible:
USE DATA REDUCTION !!
[Figure: $H(K|C^L)$ plotted against L; marked values are $H(K)$ on the vertical axis and $H(K) / [\log_2 |C| - H_S(M)]$ on the L axis]
U is called the unicity point
examples: $U \ge H(K) / [\log_2 |C| - H_S(M)]$
Substitution cipher: $H(K) = \log_2 26!$
English: $H_S(M) \approx 2$; $|M| = |C| = 26$; $U \approx 32$ symbols
DES: $U \approx 56 / [8 - 2] \approx 9$ ASCII symbols
examples: $U \ge H(K) / [\log_2 |C| - H_S(M)]$
Permutation cipher: period 26; $H(K) = \log_2 26!$
English: $H(M) \approx 2$; $|M| = |C| = 26$; $U \approx 32$ symbols
Vigenère: key length 80, $U \approx 13$ symbols!
check!
Plaintext-ciphertext attack
$H(K, M^L, C^L) = H(K|M^L, C^L) + H(C^L|M^L) + H(M^L)$
$\qquad = H(C^L|K, M^L) + H(K|M^L) + H(M^L)$
($C^L$ ← K, $M^L$; K independent from $M^L$)
$H(K|M^L, C^L) = H(K) - H(C^L|M^L)$
$H(C^L|M^L) \le L \log_2 |C|$
thus: $U \ge H(K) / \log_2 |C|$
Wiretapping model
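[Figure: sender, noiseless channel, receiver; noise on the branch to the wiretapper. Labels: S, $X^n$, $X^n$, $Z^n$]
Send: n binary digits
0: $X^n$ of even weight
1: $X^n$ of odd weight
Wiretapper:
$P_e = P(Z^n \text{ has odd number of errors}) = 1 - \tfrac{1}{2}\left(1 + (1-2p)^n\right)$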
Wiretapping
Result:
for $p \to \tfrac{1}{2}$: $P_e \to \tfrac{1}{2}$ and $H(S|Z^n) = 1$
for $p \to 0$: $P_e \approx np$ and $H(S|Z^n) \approx h(np)$
$P_e = 1 - \tfrac{1}{2}\left(1 + (1-2p)^n\right)$
Wiretapping general strategy
Encoder: use an R = k/n error correcting code C
carrier $c \in \{2^k \text{ codewords}\}$
message $m \in \{2^{nh(p)} \text{ vectors as correctable noise}\}$
select c at random and transmit $c \oplus m$
Note: $2^k \cdot 2^{nh(p)} \le 2^n \Rightarrow k/n \le 1 - h(p)$
Communication sender-receiver
transmit = receive: $c \oplus m$
first decode: c
calculate $m = (c \oplus m) \oplus c$
[Figure: m and c combined into $c \oplus m$]
Wiretapper:
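receive $z = c \oplus m \oplus n'$
- first decode: c
possible when $m \oplus n'$ is decodable noise
- calculate: $c \oplus m \oplus n' \oplus c = m \oplus n'$
$m' = m \oplus n'$ is one of $2^{nh(p')}$ messages
the number of noise sequences n' is $|n'| \sim 2^{nh(p')}$
[Figure: $c \oplus m$ with added noise n' gives $z = c \oplus m \oplus n'$]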
Wiretapping general strategy
Result: information rate R = h(p)
p' small: c decodable and $H(S^k|Z^n) = nh(p')$
$p' \ge p$: $H(S^k|Z^n) = nh(p)$
[Figure: $H(S^k|Z^n)$ plotted against p', with $nh(p)$ and p marked on the axes]
Wiretapping general strategy picture
[Figure: a space of $2^n$ vectors containing $2^k$ codewords; around a codeword, one region of volume $2^{nh(p')}$ and one of volume $2^{nh(p)}$]
authentication
Encryption table:
message X
key K
(X, K) → Y
unique cipher: Y
Authentication: impersonation
             message
             0     1
key   00     00    10
      01     01    00
      10     11    01
      11     10    11     (table entries: cipher)
select y at random: $P_i$(y = correct) = ½
P(key = i) = 1/4
P(message = i) = 1/2
$P_i$ is the probability that an injected cipher is valid
Authentication: bound
Let: |X| = # messages
     |K| = # keys
     |Y| = # ciphers
$P_i$ = prob(random cipher = valid) $\ge |X|/|Y|$
= probability that we choose one of the colors in a specific row specified by the key
[Figure: encryption table with dimensions labelled |X| and |K|]
Cont'd
Since (Y, K) → X: $H(X) = H(Y|K)$
An improved (Simmons) bound gives:
$P_i \ge 2^{H(X)} / 2^{H(Y)} = 2^{H(Y|K) - H(Y)} = 2^{-I(Y;K)}$
Cont'd
$P_i \ge 2^{-I(Y;K)} = 2^{H(K|Y) - H(K)}$
For low probability of success: H(K|Y) = 0
For perfect secrecy: H(K|Y) = H(K)
Contradiction!
Cont'd
First table (rows: key, columns: X):
        0     1
0       00    01
1       10    11
prob success = ½; H(K|Y) = 0; no secrecy

Second table (rows: key, columns: X):
        0     1
0       00    01
1       01    00
prob success = 1; H(K|Y) = 1; perfect secrecy

Prob(key = 0) = Prob(key = 1) = ½; Prob(X = 0) = Prob(X = 1) = ½
Authentication: impersonation
         X = 0    X = 1
K = 0      0        1
K = 1      1        2
P(X=0) = P(X=1) = ½
P(K=0) = P(K=1) = ½
H(K) = 1; H(K|Y) = ½
$P_i = 1$ (send always 1)
$P_i \ge 2^{H(Y|K) - H(Y)} = 2^{1 - 1.5} = 2^{-0.5} = 0.7$
Authentication: substitution
             message
             0    1
key   0      0    2
      1      1    3
      2      0    3
      3      1    2     (table entries: cipher)
Active wiretapping:
replace an observed cipher by another cipher
Example: observe 0 replace by 3
probability of success = ½ (accepted only if key = 2)
Authentication: substitution examples
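First table (rows: key 0 to 3, columns: message 0, 1):
        0    1
0       0    2
1       1    3
2       0    3
3       1    2
Ps = ½; H(X|Y) = 0

Second table (columns: message 0, 1):
        0    1
        0    3
        1    2
        2    1
        3    0
Ps = 1; H(X|Y) = 1

Third table (columns: message 0, 1):
        0    1
        0    2
        1    0
        3    1
        2    3
Ps = ½; H(X|Y) = 1

Ps = probability(substitution is successful)
H(K) = 2; H(K|Y) = 1; $P_i \ge$ ½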
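Added example (not part of the original slides): the Python code below recomputes the impersonation probability Pi, the substitution probability Ps, H(K|Y) and the bound 2^(H(K|Y) - H(K)) for the encoding tables on the authentication slides. It assumes uniform, independent keys and messages as stated there, and that the unlabelled rows of the second and third substitution tables are keys 0 to 3 in order; all function and variable names are this example's own.

```python
from collections import defaultdict
from math import log2

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def analyze(table):
    """table[k][x] = cipher for key k, message x; K and X uniform, independent."""
    nk, nx = len(table), len(table[0])
    joint = defaultdict(float)                  # P(K = k, Y = y)
    for k, row in enumerate(table):
        for y in row:
            joint[(k, y)] += 1.0 / (nk * nx)
    py = defaultdict(float)                     # P(Y = y)
    for (_, y), p in joint.items():
        py[y] += p
    h_k_given_y = entropy(joint) - entropy(py)  # H(K|Y) = H(K,Y) - H(Y)
    # Impersonation: inject the cipher that is valid under the most keys.
    p_i = max(sum(y in row for row in table) / nk for y in py)
    # Substitution: for each observed y, choose the y2 != y most likely to be
    # valid under the keys that are still consistent with y.
    p_s = sum(
        max((sum(joint.get((k, y), 0.0) for k in range(nk) if y2 in table[k])
             for y2 in py if y2 != y), default=0.0)
        for y in py)
    return {"Pi": p_i, "Ps": p_s, "H(K|Y)": h_k_given_y,
            "bound": 2 ** (h_k_given_y - log2(nk))}  # 2^(H(K|Y) - H(K))

# Encoding tables copied from the slides (rows = keys, columns = messages).
NO_SECRECY = [["00", "01"], ["10", "11"]]
PERFECT_SECRECY = [["00", "01"], ["01", "00"]]
SEND_ALWAYS_1 = [[0, 1], [1, 2]]
# Assumption: rows of the 2nd and 3rd substitution tables are keys 0..3 in order.
SUBSTITUTION = [
    [[0, 2], [1, 3], [0, 3], [1, 2]],
    [[0, 3], [1, 2], [2, 1], [3, 0]],
    [[0, 2], [1, 0], [3, 1], [2, 3]],
]

if __name__ == "__main__":
    for name, t in [("no secrecy", NO_SECRECY), ("perfect secrecy", PERFECT_SECRECY),
                    ("send always 1", SEND_ALWAYS_1)]:
        print(name, analyze(t))
    for i, t in enumerate(SUBSTITUTION, 1):
        print("substitution table", i, analyze(t))
```

The output shows the trade-off stated on the slides: the table with H(K|Y) = 0 holds Pi at ½, while the perfect-secrecy table lets every injected cipher pass.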