Bob and in fact, we may assume that she even knows the probability distribution of
these messages. Why is it that, even with all this knowledge, the observation of the
ciphertext gives Eve no additional information about which of the three messages is
the one that was actually encrypted?
Let us compute the following 34-byte hex keys:
> k2 := OTP(c1, m2);
"b0f29e2253072462fa5ca7a7804a77ba1a7359b6778700a1c5470e00e7c625e2b7c3"
> k3 := OTP(c1, m3);
"b0f29e2253072462fb4ca1bc974133ab073e42ab688705f3cb440e50a2dc7eb8b9c0"
Now, observe what happens if we encrypt message m2 with key k2 and message m3 with key k3:
> c2 := OTP(k2, m2);
"e797be553a6b48428929d5d5e52413df68532dd91ae872d3aa302e6193e64b8dd8ad"
> c3 := OTP(k3, m3);
"e797be553a6b48428929d5d5e52413df68532dd91ae872d3aa302e6193e64b8dd8ad"
The three ciphertexts are the same:
> evalb(c1 = c2 = c3);
true
Because of the assumed uniform probability distribution on the key space, the three keys k1, k2, k3 each have probability 1/3 of having been chosen, so the a posteriori probability of each message given that c1 was sent is the same as its a priori probability of being sent. For example, if Eve knows that all three messages were a priori equally likely, it is intuitively clear that they remain equally likely once c1 is observed: that m1 was encrypted with k1, that m2 was encrypted with k2 and that m3 was encrypted with k3 are all equally likely events. Observe also that, in contrast with what happens with POTP, now a brute-force attack does not make sense even if the messages, and hence the keys, are very short. As we have just seen, Eve might be able to compute the keys that produce a given ciphertext from all possible messages but this will not give her any information about which of these messages was the one actually encrypted.
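The argument above, as an added Python example that is not from the original text (the book's own sessions use Maple). Here otp is a plain byte-wise XOR standing in for the book's OTP function, and the two-byte messages and their prior are constructed; the prior is deliberately non-uniform, which goes beyond the equally-likely case discussed above, and the posterior is computed by exhaustively counting keys.

```python
import secrets
from fractions import Fraction
from itertools import product

# Constructed sample: three 2-byte messages with a non-uniform a priori distribution.
PRIOR = {b"NO": Fraction(1, 2), b"OK": Fraction(3, 10), b"GO": Fraction(1, 5)}

def otp(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; encrypts, decrypts and recovers keys alike."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def explaining_keys(ciphertext: bytes, messages) -> dict:
    """For each candidate message, the unique key that encrypts it to ciphertext."""
    return {m: otp(ciphertext, m) for m in messages}

def posterior(ciphertext: bytes, prior: dict) -> dict:
    """P(m | c) by Bayes' rule, counting keys over the whole uniform key space."""
    keys = [bytes(k) for k in product(range(256), repeat=len(ciphertext))]
    joint = {}
    for m, p_m in prior.items():
        hits = sum(1 for k in keys if otp(k, m) == ciphertext)  # always exactly 1
        joint[m] = p_m * Fraction(hits, len(keys))               # P(m) * P(c | m)
    p_c = sum(joint.values())
    return {m: j / p_c for m, j in joint.items()}

def demo() -> bool:
    k1 = secrets.token_bytes(2)          # fresh uniform key
    c1 = otp(k1, b"NO")                  # what Eve observes
    keys = explaining_keys(c1, PRIOR)
    # Every candidate message has a key that yields the same ciphertext...
    same_ct = all(otp(k, m) == c1 for m, k in keys.items())
    # ...so observing c1 leaves Eve's distribution exactly where it was.
    return same_ct and keys[b"NO"] == k1 and posterior(c1, PRIOR) == PRIOR

if __name__ == "__main__":
    print("posterior equals prior:", demo())
```

Exact fractions are used so that the equality between posterior and prior is checked without floating-point rounding.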
3.5 Private-Key Encryption Schemes and Their Security
In our previous study of classical cryptography we considered several ciphers of historical interest and studied their weaknesses. These ciphers are examples of encryption schemes, which were tentatively defined in the Introduction but whose definition we are going to make more precise now by making explicit some requirements that were left out in the preliminary definition and that are important for the study of the security properties of these schemes.