Question
Cryptography Question from Katz and Lindell book Introduction to Modern Cryptography
In this problem we consider definitions of perfect secrecy for the encryption of two messages (using the same key). Here we consider distributions over pairs of messages from the message space M; we let M1, M2 be random variables denoting the first and second message, respectively. We generate a (single) key k, sample messages (m1, m2) according to the given distribution, and then compute ciphertexts c1 ← Enc_k(m1) and c2 ← Enc_k(m2); this induces a distribution over pairs of ciphertexts and we let C1, C2 be the corresponding random variables.
(a)
Say encryption scheme (Gen, Enc, Dec) is perfectly secret for two messages if for all distributions over M × M, all m1, m2 ∈ M, and all ciphertexts c1, c2 ∈ C with Pr[C1 = c1 ∧ C2 = c2] > 0: Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2] = Pr[M1 = m1 ∧ M2 = m2]. Prove that no encryption scheme can satisfy this definition.
Hint: Take m1 ≠ m2 but c1 = c2.
(b)
Say encryption scheme E = (Gen, Enc, Dec) is perfectly secret for two distinct messages if for all distributions over M × M where the first and second messages are guaranteed to be different (i.e., distributions over pairs of distinct messages), all m1, m2 ∈ M, and all c1, c2 ∈ C with Pr[C1 = c1 ∧ C2 = c2] > 0: Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2] = Pr[M1 = m1 ∧ M2 = m2]. Show an encryption scheme that provably satisfies this definition.
Hint: The encryption scheme you propose need not be efficient, though an efficient solution is possible.
Explanation / Answer
Cryptographic
In this lecture, we introduce a new primitive: collision-resistant hash functions. Recall that hash
functions (as used in data structures and algorithms) are functions that take arbitrary-length strings
and compress them into shorter strings. In data structures, the aim is for these short strings to be
used as indices in a table; as such the output of the hash function is very short. Furthermore, it is
desired that the hash function yields as few collisions as possible (so that only a few elements will
end up in each entry in the table). We remark that a truly random function would do the best job
here (however, such functions require exponential storage).
Note that if Alice only ever sends one one-letter message m, then just sending P(m) is
completely secure: regardless of what the message m is, Eve will just see a random letter
P(m). That is, the distribution (over the choice of the secret key P) of encodings of a
message m is the same for all messages m, and thus, from the point of view of Eve, the
encryption is statistically independent of the message.
Encrypt-then-authenticate. In this approach, an encryption c = E_k1(m) is first computed,
next a message authentication code MAC_k2(c) is computed on c, and finally (c, MAC_k2(c)) is sent.
For any encryption scheme E that is CPA-secure and any secure MAC, this combination is secure.
Intuitively, privacy is preserved because the MAC is computed over c. Therefore, no function of m
is computed that could reveal information. Furthermore, the security of the MAC ensures that the
adversary cannot cause the legitimate parties to accept any ciphertext (and so any message) that
was not generated by them. The combination of encryption and authentication in this way yields
so-called secure channels, that provide both authenticity and privacy.
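
The one-letter permutation encoding P(m) mentioned in the answer can be checked exactly against the two definitions in the question. The following is an added example, not part of the original answer or of the textbook: it takes a constructed three-letter message space, uses a uniformly random permutation of M as the key, and compares posterior and prior with exact fractions. The names `M`, `KEYS`, `joint`, `violations`, `uniform` and the three sample distributions are assumptions made for the illustration.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import permutations, product

M = "abc"  # constructed toy message space (assumption)
# Key space: every permutation of M, each chosen with probability 1/|M|!.
KEYS = [dict(zip(M, p)) for p in permutations(M)]

def joint(prior):
    """Exact Pr[M1, M2, C1, C2] when both messages use the same key."""
    dist = defaultdict(Fraction)
    for (m1, m2), p in prior.items():
        for k in KEYS:
            dist[(m1, m2, k[m1], k[m2])] += p * Fraction(1, len(KEYS))
    return dist

def violations(prior):
    """List (m1, m2, c1, c2) where Pr[M1,M2 | C1,C2] != Pr[M1,M2]."""
    dist = joint(prior)
    pc = defaultdict(Fraction)  # marginal over ciphertext pairs
    for (_, _, c1, c2), p in dist.items():
        pc[(c1, c2)] += p
    bad = []
    for (c1, c2), p_c in pc.items():  # only pairs with Pr[C1,C2] > 0
        for m1, m2 in product(M, repeat=2):
            posterior = dist.get((m1, m2, c1, c2), Fraction(0)) / p_c
            if posterior != prior.get((m1, m2), Fraction(0)):
                bad.append((m1, m2, c1, c2))
    return bad

def uniform(pairs):
    pairs = list(pairs)
    return {pair: Fraction(1, len(pairs)) for pair in pairs}

# Definition (a): any distribution over M x M, equal messages allowed.
ALL_PAIRS = uniform(product(M, repeat=2))
# Definition (b): distributions over pairs of distinct messages only.
DISTINCT = uniform(permutations(M, 2))
SKEWED = {("a", "b"): Fraction(1, 2), ("b", "a"): Fraction(1, 3),
          ("c", "a"): Fraction(1, 6)}

if __name__ == "__main__":
    print("violations, all pairs     :", len(violations(ALL_PAIRS)))
    print("violations, distinct pairs:", len(violations(DISTINCT)))
    print("violations, skewed        :", len(violations(SKEWED)))
```

The check covers only the listed distributions on this small M, so it illustrates the two definitions rather than proving either part; the violation at equal ciphertexts and unequal messages is the case the hint in (a) points to.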