Document information: 75 pages, 9.09 MB.
Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.
Notation (continued):
x ∨ y      logical operation OR (x, y are Boolean variables), also bit operation: bit-wise or (x, y are bit strings)
x ⊕ y      logical operation XOR (x, y are Boolean variables), also bit operation: bit-wise xor (x, y are bit strings)
(* … *)    non-executable comment parts in algorithms or protocols
□          end of proof, remark or example

Chapter 3. Probability and Information Theory
Section 3.1. Introduction
Section 3.2. Basic Concept of Probability
Section 3.3. Properties
Section 3.4. Basic Calculation
Section 3.5. Random Variables and their Probability Distributions
Section 3.6. Birthday Paradox
Section 3.7. Information Theory
Section 3.8. Redundancy in Natural Languages
Section 3.9. Chapter Summary
Exercises

3.1 Introduction

Probability and information theory are essential tools for the development of modern cryptographic techniques. Probability is a basic tool for the analysis of security. We often need to estimate how probable it is that an insecure event may occur under certain conditions. For example, considering Protocol "Coin Flipping Over Telephone" in Chapter 1, we need to estimate the probability for Alice to succeed in finding a collision for a given one-way function f (which should desirably be bounded by a very small quantity), and that for Bob to succeed in finding the parity of x when given f(x) (which should desirably be very close to ½).

Information theory is closely related to probability. An important aspect of security for an encryption algorithm can be referred to as "uncertainty of ciphers:" an encryption algorithm should desirably output ciphertext which has a random distribution in the entire space of its ciphertext message space. Shannon quantifies the uncertainty of information by a notion which he names entropy. Historically, the desire for achieving a high entropy in ciphers comes from the need for thwarting a cryptanalysis technique which makes use of the fact that natural languages contain redundancy, which is related to frequent appearance of some known patterns in natural languages.

Recently, the need for modern cryptographic systems, in particular public-key cryptosystems, to have probabilistic behavior has reached a rather stringent degree: semantic security. This can be described as the following property: if Alice encrypts either 0 or 1 with equal probability under a semantically secure encryption algorithm, sends the resultant ciphertext c to Bob and asks him to answer which is the case, then Bob, without the correct decryption key, should not have an algorithmic strategy to enable him to discern between the two cases with any "advantage" better than random guessing. We notice that many "textbook" versions of encryption algorithms do not have this desirable property.

3.1.1 Chapter Outline

The basic notions of probability which are sufficient for our use in this book will be introduced in §3.2–§3.6. Information theory will be introduced in §3.7–§3.8.
3.2 Basic Concept of Probability

Let S be an arbitrary, but fixed, set of points called probability space (or sample space). Any element x ∈ S is called a sample point (also called outcome, simple event or indecomposable event; we shall just use point for short). An event (also called compound event or decomposable event) is a subset of S and is usually denoted by a capital letter (e.g., E). An experiment or observation is an action of yielding (taking) a point from S. An occurrence of an event E is when an experiment yields x ∈ E for some point x.

Example 3.1. Consider an experiment of drawing one playing card from a fair deck (here "fair" means drawing a card at random). Here are some examples of probability spaces, points, events and occurrences of events.
1. S1: The space consists of 52 points, 1 for each card in the deck. Let event E1 be "aces" (i.e., E1 consists of the four aces, one of each suit). It occurs if the card drawn is an ace of any suit.
2. S2 = {red, black}. Let event E2 = {red}. It occurs if the card drawn is of red color.
3. S3: This space consists of 13 points, namely, 2, 3, 4, …, 10, J, Q, K, A. Let event E3 be "numbers." It occurs if the card drawn is 2, or 3, or …, or 10.

Definition 3.1: Classical Definition of Probability. Suppose that an experiment can yield one of n = #S equally probable points and that every experiment must yield a point. Let m be the number of points which form event E. Then the value m/n is called the probability of the event E occurring and is denoted by Prob[E] = m/n.

Example 3.2. In Example 3.1:
1. Prob[E1] = 4/52 = 1/13.
2. Prob[E2] = 26/52 = 1/2.
3. Prob[E3] = 36/52 = 9/13.

Definition 3.2: Statistical Definition of Probability. Suppose that n experiments are carried out under the same condition, in which event E has occurred m times. If the value m/n becomes and remains stable for all sufficiently large n, then the event E is said to have probability m/n, which is denoted by Prob[E].

In §3.5.3 we will see that Definition 3.2 can be derived as a theorem (a corollary of the law of large numbers) from a few other intuitive notions. We however provide it in the form of a definition because we consider that it is itself sufficiently intuitive.
3.3 Properties

1. A probability space itself is an event called the sure event. For example, S = {HEADS, TAILS}. We have Prob[S] = 1.
2. Denote by ∅ the event that contains no point (i.e., the event that never occurs). For example, a black card of a red suit. It is called an impossible event. We have Prob[∅] = 0.
3. Any event E satisfies 0 ≤ Prob[E] ≤ 1.
4. If E ⊆ F, we say that event E implies event F, and Prob[E] ≤ Prob[F].
5. Denote by Ē the complementary event of E. Then Prob[E] + Prob[Ē] = 1.
3.4 Basic Calculation

Denote by E ∪ F the sum of events E, F to represent an occurrence of at least one of the two events, and by E ∩ F the product of events E, F to represent the occurrence of both of the two events.

3.4.1 Addition Rules

1. Prob[E ∪ F] = Prob[E] + Prob[F] – Prob[E ∩ F].
2. If E ∩ F = ∅, we say that the two events are mutually exclusive or disjoint, and Prob[E ∪ F] = Prob[E] + Prob[F].
3. If … with … then … (the statement of this rule is missing from the extraction).

Example 3.3. Show Equation 3.4.1. Because E ∪ F = E ∪ (Ē ∩ F) where E and Ē ∩ F are mutually exclusive, (3.4.1) holds as a result of Addition Rule 2.

Definition 3.3: Conditional Probability. Let E, F be two events with E having non-zero probability. The probability of F occurring given that E has occurred is called the conditional probability of F given E and is denoted by Prob[F | E] = Prob[E ∩ F] / Prob[E].

Example 3.4. Consider families with two children. Let g and b stand for girl and boy, respectively, and the first letter for the older child. We have four possibilities gg, gb, bg, bb and these are the four points in S. We associate probability ¼ with each point. Let event E be that a family has a girl. Let event F be that both children in the family are girls. What is the probability of F given E (i.e., Prob[F | E])? The event E ∩ F means gg, and so Prob[E ∩ F] = ¼. Since the event E means gg, or gb, or bg, we have Prob[E] = ¾. Therefore by Definition 3.3, Prob[F | E] = (¼)/(¾) = ⅓. Indeed, in one-third of the families with the characteristic E we can expect that F will occur.

Definition 3.4: Independent Events. Events E, F are said to be independent if and only if Prob[F | E] = Prob[F].

3.4.2 Multiplication Rules

1. Prob[E ∩ F] = Prob[F | E] · Prob[E] = Prob[E | F] · Prob[F].
2. If events E, F are independent, then Prob[E ∩ F] = Prob[E] · Prob[F].

Example 3.5. Consider Example 3.1. We expect that the events E1 and E2 are independent. Their probabilities are 1/13 and 1/2, respectively (Example 3.2). Since these two events are independent, applying "Multiplication Rule 2," the probability of their simultaneous realization (a red ace is drawn) is 1/13 · 1/2 = 1/26.

3.4.3 The Law of Total Probability

The law of total probability is a useful theorem.

Theorem 3.1. If E1 ∪ E2 ∪ … ∪ En = S and Ei ∩ Ej = ∅ for i ≠ j, then for any event A

Prob[A] = Prob[A | E1] · Prob[E1] + Prob[A | E2] · Prob[E2] + … + Prob[A | En] · Prob[En].

Proof. Since A = (A ∩ E1) ∪ (A ∩ E2) ∪ … ∪ (A ∩ En), where A ∩ Ei and A ∩ Ej (i ≠ j) are mutually exclusive, the probabilities of the right-hand-side sum of events can be added up using Addition Rule 2, in which each term follows from an application of "Multiplication Rule 1." □

The law of total probability is very useful.
We will frequently use it when we evaluate (or estimate a bound of) the probability of an event A which is conditional given some other mutually exclusive events (e.g. and typically, E and Ē). The usefulness of this formula is because often an evaluation of the conditional probabilities Prob[A | Ei] is easier than a direct calculation of Prob[A].

Example 3.6. (This example uses some elementary facts of number theory. The reader who finds this example difficult may return to review it after having studied Chapter 6.) Let p = 2q + 1 such that both p and q are prime numbers. Consider choosing two numbers g and h at random from the set S = {1, 2, …, p – 1} (with replacement). Let event A be "h is generated by g," that is, h ≡ g^x (mod p) for some x < p (equivalently, this means "log_g h (mod p – 1) exists"). What is the probability of A for random g and h?

It is not very straightforward to evaluate Prob[A] directly. However, the evaluation can be made easy by first evaluating a few conditional probabilities followed by applying the theorem of total probability. Denote by ord_p(g) the (multiplicative) order of g (mod p), which is the least natural number i such that g^i ≡ 1 (mod p). The value Prob[A] depends on the following four mutually exclusive events.
i. E1: ord_p(g) = p – 1 = 2q, and we know Prob[E1] = φ(2q)/(p – 1) = (q – 1)/(2q) (here φ is Euler's phi function; in S there are exactly φ(2q) = q – 1 elements of order 2q). In this case, any h < p must be generated by g (g is a generator of the set S), and so we have Prob[A | E1] = 1.
ii. E2: ord_p(g) = q, and similar to case (i) we know Prob[E2] = φ(q)/(p – 1) = (q – 1)/(2q). In this case, h can be generated by g if and only if ord_p(h) | q. Since in the set S there are exactly q elements of orders dividing q, we have Prob[A | E2] = q/(2q) = 1/2.
iii. E3: ord_p(g) = 2. Because there is only one element, p – 1, of order 2, Prob[E3] = 1/(2q). Only 1 and p – 1 can be generated by p – 1, so we have Prob[A | E3] = 2/(2q) = 1/q.
iv. E4: ord_p(g) = 1. Only element 1 is of order 1, and so Prob[E4] = 1/(2q). Also only 1 can be generated by 1, and we have Prob[A | E4] = 1/(2q).
The above four events not only are mutually exclusive, but also form all possible cases for the orders of g. Therefore we can apply the theorem of total probability to obtain Prob[A]: [...]
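Definition 3.3 (conditional probability, illustrated by Example 3.4) and Theorem 3.1 (the law of total probability, illustrated by Example 3.6) can both be checked by exhaustive counting over a small finite probability space. The Python below is an added example, not code from the book; the helper names prob, cond_prob, mult_order, generated_by, example_3_4 and example_3_6 are this example's own, and the safe-prime parameter q = 5 (p = 11) is a constructed toy value chosen so that every (g, h) pair can be enumerated. It goes slightly beyond the book's text in that it computes Prob[A] both directly and through the four-way partition by ord_p(g), so the two results can be compared.

```python
from fractions import Fraction

# Added example (not from the book): the classical definition (Definition 3.1),
# conditional probability (Definition 3.3) and the law of total probability
# (Theorem 3.1) evaluated by exhaustive counting over small finite spaces.
# All helper names below are this example's own.


def prob(space, event):
    """Prob[E] = m/n over a finite space of n equally probable points,
    where `event` is a predicate selecting the m points of E."""
    return Fraction(sum(1 for x in space if event(x)), len(space))


def cond_prob(space, f_event, e_event):
    """Prob[F | E] = Prob[E and F] / Prob[E]; E must have non-zero probability."""
    p_e = prob(space, e_event)
    if p_e == 0:
        raise ValueError("conditioning event has probability 0")
    p_ef = prob(space, lambda x: e_event(x) and f_event(x))
    return p_ef / p_e


# Example 3.4: two-child families, older child written first (gg, gb, bg, bb).
FAMILIES = [older + younger for older in "gb" for younger in "gb"]


def example_3_4():
    """Prob[both children are girls | the family has a girl]."""
    return cond_prob(FAMILIES, lambda fam: fam == "gg", lambda fam: "g" in fam)


# Example 3.6: p = 2q + 1 with p, q prime; g, h drawn uniformly (with replacement)
# from S = {1, ..., p-1}; event A = "h is generated by g".
def mult_order(g, p):
    """Least i >= 1 with g^i = 1 (mod p); terminates for prime p and 0 < g < p."""
    x, i = g % p, 1
    while x != 1:
        x, i = x * g % p, i + 1
    return i


def generated_by(g, p):
    """The set {g^x mod p : x >= 0}, i.e. every element generated by g."""
    return {pow(g, x, p) for x in range(mult_order(g, p))}


def example_3_6(q):
    """Return (direct Prob[A], Prob[A] via total probability, per-order data).

    The per-order data maps each possible ord_p(g) to (Prob[E], Prob[A | E]),
    which are the book's events E1..E4 when p = 2q + 1 is a safe prime."""
    p = 2 * q + 1
    S = range(1, p)
    space = [(g, h) for g in S for h in S]          # uniform over all pairs
    subgroup = {g: generated_by(g, p) for g in S}   # cache one subgroup per g
    A = lambda gh: gh[1] in subgroup[gh[0]]
    direct = prob(space, A)

    # Partition the space by ord_p(g) and apply Theorem 3.1 term by term.
    classes = {}
    for d in sorted({mult_order(g, p) for g in S}):
        E = lambda gh, d=d: mult_order(gh[0], p) == d
        classes[d] = (prob(space, E), cond_prob(space, A, E))
    total = sum(p_e * p_a_given_e for p_e, p_a_given_e in classes.values())
    return direct, total, classes


if __name__ == "__main__":
    print("Example 3.4: Prob[F | E] =", example_3_4())
    direct, total, classes = example_3_6(5)      # constructed toy case: p = 11
    for d, (p_e, p_a_e) in classes.items():
        print(f"ord_p(g) = {d:2}: Prob[E] = {p_e}, Prob[A | E] = {p_a_e}")
    print("Prob[A] direct =", direct, " via total probability =", total)
```

The enumeration is only feasible for toy parameters; for a real-size safe prime the point of Theorem 3.1 is exactly that the four conditional probabilities follow from counting elements of each order with Euler's φ, without ever enumerating the (g, h) pairs. Running the block for q = 5 prints Prob[A | E] = 1, 1/2, 1/q and 1/(2q) for the orders 2q, q, 2 and 1, matching cases (i)–(iv) of Example 3.6.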
(The remaining preview pages are fragmentary; only the following passages are recoverable.)

Exercise fragment (§3.5): Let S = {0, 1, 2, …, 2^k – 1} be sampled uniformly. Show that the probability that the sampled point is a k-bit number is … . S can be partitioned into two disjoint subsets S1 = {0, 1, 2, …, 2^(k–1) – 1} and S2 = {2^(k–1), 2^(k–1) + 1, …, 2^k – 1} where S2 contains all k-bit numbers. Applying "Addition Rule 2," we have …

Theorem 3.2 (Shannon [262, 263]). … Proof. The following "sandwich" style relation holds for all integers k > 0: … The statement is in its limit form. …

Birthday paradox fragment (§3.6): … and so the probability for y3 ≠ y1 and y3 ≠ y2 is 1 – 2/n. Upon drawing the kth ball, the probability for no collision so far is … For sufficiently large n and relatively small x, we know … The equation on the most right-hand side is due to Gauss summation on the exponent value.

Binomial distribution fragment (§3.5): … with r in the right-hand side of (3.5.2) and obtain Equation 3.5.4. In particular, we have … Notice that (3.5.4) holds for all k = r + 1, r + 2, …, n. Therefore we have Equation 3.5.5 …

Random variables fragment (§3.5): … number of points, and in that case, #S = … This will allow us to conduct computational complexity analysis of our algorithms and protocols in an asymptotic manner (see §4.6). Definition 3.5: Discrete Random Variables and their Distribution Function …

Redundancy fragment (§3.8): … a non-trivial amount of information to convey. Since in Chapter 14 we will only deal with these four attacks, the actual entropy of these names can be as low as 2 bits per name. However, because numbers 0, 1, 2, and 3 and a few other single characters … names: a0, a1, a2, a3. Now, in the scope of that chapter, measure the redundancy for the following four reasonably shortened attacking names: Passive IND-Attack, IND-CPA, IND-CCA, IND-CCA2.

Chapter 4. Computational Complexity
Section 4.1. Introduction
Section 4.2. Turing Machines
Section 4.3. Deterministic Polynomial Time
Section 4.4. Probabilistic Polynomial Time
Section 4.5. Non-deterministic Polynomial Time
…

Solution fragment: … should have probability 1. Indeed, applying "Addition Rule 2," we have … For (ii), we have … For (iii), we must sum …