Leo Reyzin. Notes for BU CAS CS 538.

1 Information-Theoretic Encryption: Perfect Secrecy and the One-Time Pad

Consider the following scenario: Alice is sending Bob off on an important mission. Prior to Bob's leaving, Alice gives him secret instructions on how to communicate back to her secretly, so that no eavesdropper Eve can intercept their communication. The first question to ask is what part of the instructions we should consider secret. To be on the safe side, we must assume that Eve knows as much as possible, and still ensure secrecy under such an assumption. As far back as 1883, Kerckhoffs [Ker83] suggested that all one can hope to keep secret in a cryptosystem is a key. The algorithms and designs should be assumed to be publicly known. His insight is true to this day, as multiple recent examples demonstrate: publicly known security technologies receive more scrutiny, and hence it is more likely that any problems will be uncovered at early stages. Deploying a secret system and waiting for it to be broken is generally a poor strategy. In this class we will always assume that the adversary knows the entire design of the system.

It is imperative to ask what constitutes a secure system; in other words, what is our goal? Note that, unlike an attack on a system, security cannot be demonstrated by example. Hence, popular perception often holds that "human ingenuity cannot concoct a cipher which human ingenuity cannot resolve" (this quote is from Edgar Allan Poe, who, in addition to being a writer, was an amateur cryptographer [Poe65]). We will not be satisfied with this design-then-break approach to security. Rather, we will define what constitutes a secure system and then prove that a particular construction is secure, thus guaranteeing security. The first formal definition of encryption was given by Shannon in his 1949 paper [Sha49].

Definition 1 (encryption scheme, a.k.a. cryptosystem). Let M and K be finite sets, and Enc, Dec be two algorithms (Enc may be randomized). We say that (M, K, Enc, Dec) is an encryption scheme if for all m ∈ M and k ∈ K, m = Dec_k(Enc_k(m)) (if Enc is randomized, this equation should hold with probability 1 over the random choices made by Enc). Note that this definition says nothing about security; it is purely functional. We now address security separately....
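As an added illustration of Definition 1 (this is example code written for this edit, not from Reyzin's notes), the following Python instantiates the one-time pad named in the section title as a concrete (M, K, Enc, Dec) tuple over n-bit messages, and checks the functional condition m = Dec_k(Enc_k(m)) exhaustively over the whole (small, finite) M × K. The bit width N_BITS, the function names, and the deliberately broken bad_dec used to show the check failing are all constructed for this example; the key is the only secret, in keeping with the Kerckhoffs assumption that Enc and Dec are public.

```python
import secrets
from itertools import product

# Constructed example: a one-time pad over n-bit messages encoded as Python ints
# in [0, 2**n).  M = K = {0, ..., 2**n - 1}; Enc and Dec are XOR with the key.
N_BITS = 8  # assumption for this example; any small width works for the exhaustive check


def keygen(n_bits: int = N_BITS) -> int:
    """Sample a uniformly random key from K. The key is the only secret;
    the algorithms below are assumed public (Kerckhoffs)."""
    return secrets.randbelow(2 ** n_bits)


def enc(k: int, m: int, n_bits: int = N_BITS) -> int:
    """Enc_k(m) = m XOR k. Deterministic, so the correctness equation must hold exactly."""
    assert 0 <= m < 2 ** n_bits and 0 <= k < 2 ** n_bits
    return m ^ k


def dec(k: int, c: int, n_bits: int = N_BITS) -> int:
    """Dec_k(c) = c XOR k; XOR is its own inverse, so Dec_k(Enc_k(m)) = m."""
    assert 0 <= c < 2 ** n_bits and 0 <= k < 2 ** n_bits
    return c ^ k


def is_encryption_scheme(enc_fn, dec_fn, n_bits: int) -> bool:
    """Check Definition 1 exhaustively: for all m in M and k in K, dec_fn(k, enc_fn(k, m)) == m.
    Feasible only because M and K are small finite sets; this is a functional check and
    says nothing about secrecy, exactly as the definition itself does not."""
    space = range(2 ** n_bits)
    return all(dec_fn(k, enc_fn(k, m, n_bits), n_bits) == m
               for m, k in product(space, space))


def bad_dec(k: int, c: int, n_bits: int = N_BITS) -> int:
    """Constructed counterexample: decrypts with the key shifted by one bit, so it does
    not invert enc for most keys and (enc, bad_dec) fails to be an encryption scheme."""
    return c ^ ((k << 1) % (2 ** n_bits))


if __name__ == "__main__":
    k = keygen()
    m = 0x3C  # constructed sample plaintext
    c = enc(k, m)
    print(f"key={k:#04x} m={m:#04x} c={c:#04x} dec={dec(k, c):#04x}")
    print("OTP satisfies Definition 1:", is_encryption_scheme(enc, dec, N_BITS))
    print("(enc, bad_dec) satisfies Definition 1:", is_encryption_scheme(enc, bad_dec, N_BITS))
```

The exhaustive check is what "for all m ∈ M and k ∈ K" means when the sets are small enough to enumerate; for a randomized Enc one would instead have to argue the equation holds for every possible random choice, which no finite test can replace.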
Spring '09