module 6 Flashcards
entropy
amount of information in the variable
shannon’s entropy: the absolute minimum amount of storage / transmission needed to capture the information in some variable
entropy is a good measure of how “random” (strong) a password is
How does the one time pad work?
- you have a message M made up of n bits
- you have a key made up of n bits, distributed uniformly at random
- you encrypt your message by XORing it with the key
- you decrypt by XORing the encrypted message with the key
What is Shannon’s information theoretic security?
ciphertext should leak no information about the plaintext
A cipher (E,D) over (K,M,C) has perfect secrecy if:
For all messages m1, m2 in the message space that are the same size and all ciphertexts c in the ciphertext space: the probability that the encryption of m1 to ciphertext c is the same as the probability that the encryption of m2 to ciphertext c, where the key k i selected uniformly at random
Explain why OTP is perfectly secret.
Lemma: If X is a random variable on {0,1}^n and Y is an independent uniform random variable on {0,1}^2 then Z=X XOR Y is a uniform random variable on {0,1}^n
What are the issues with OTP?
- perfect secrecy implies that key length >= message length: you don’t want to have a key that is the same length as your message
- keys only work once. else,
What does it mean that OTP has no integrity?
an adversary can intercept and corrupt the message
what is a stream cipher?
any cipher that has perfect secrecy must have really long keys…
proposed solution: take idea of OTP and make it practical by introducing some assumptions that we believe hold in practice
key idea: replace random key in OTP by pseudorandom key
PRG: pseudorandom generator
a PRG is a function that takes a random seed and generates pseudorandom bits
G: {0,1}^s –> {0,1}^n, where n»_space; s
key property of PRG:
- given a small random seed, one can compute output of PRG efficiently with a deterministic algorithm
- the output of PRG looks random (we will revisit later)
**only the seed (or input) to the function is actually random
can stream ciphers guarantee perfect secrecy?
no.
perfect secrecy implies that your keys need to be as long as the message. this will not be the case with a stream cipher.
we know that a stream cipher is secure if PRG is secure. so, what is a good definition for a secure cryptographic PRG?
very important property:
unpredictability
adversary cannot predict the next bit
informally: a PRG is predictable if there exists an integer i and an efficient algorithm A such that the given the prefix of the output an algorithm can predict the rest
G(k)_i,…,i – A –> G(k)_i,…,n
if G is predictable, stream cipher is not secure
high level proof for:
if G is predictable, stream cipher is not secure
- suppose PRG G is predictable and stream cipher is secure
- suppose the attacker knows a small part of the message
- -> common for many protocols (e.g. Web protocols have common headers) - attacker can use knowledge of small part of message and ciphertext c to deriver output of G for that part of the message (via message), this is the same as saying that the attacker knows the prefix of the output of the pseudorandom generator
- since G is predictable, attacker can determine the next bit and recover the rest of the message.
THEREFORE, stream cipher is not secure. Which is a contradiction.
define predictability formally.
if an algorithm is even a tiny tiny bit better than predicting the next bit correctly half the time
so 1/2 plus some epsilon
when is a PRG unpredictable?
for all i, no “efficient” algorithm can predict bit i + 1 with non negligible E.
informal definition of negligible vs. non negligible
are the following negligible?
