## Lecture 3

This lecture was the first real discussion of cryptography. We introduced the one-time pad and proved that it was perfectly secure, but noted that it has several (inherent) drawbacks. Motivated by this, we introduced the notion of computational security and showed the “pseudo”-one-time pad encryption scheme, which beats the one-time pad in terms of key length.

Also, HW1 is out. For the homework you will use the JCE to implement some basic encryption schemes.

Slides are posted on the course syllabus.

### One Response to “Lecture 3”

1. Anonymous Says:

Dr. Katz asked me to post this question I asked which he answered over email:

Q: Yesterday in lecture when we were going over the one time pad, there was something I didn’t understand. Obviously, we were able to prove that the probability of guessing the message in a one time pad is 1/(2^L). I realize it fits the formal definition, but since perfect secrecy means “an adversary running for an unbounded amount of time learns nothing about the message,” it seems to me that the expected number of guesses it takes to learn something about the message is 2^L. Even for a sufficiently large L, the law of large numbers would take over for an unbounded adversary. How does that fit the English definition of perfect secrecy?

A: No! What we showed was that the probability of getting *any* particular
ciphertext when we encrypt any particular message is 1/(2^L).

In fact, depending on the distribution it might be possible for the
adversary to guess the message with probability much better than
1/2^L. For example, when the adversary knows that the sender is
sending either “yes” or “no”, each with probability 1/2. Then it can
guess the message with probability 1/2. Are you saying that the adversary is able to guess the message with probability 1/2^L (assuming all messages equally likely), and therefore with probability 1/2^L the adversary learns something about the message? But note that the adversary can guess the message with probability 1/2^L without seeing the ciphertext at all. So the point is that the ciphertext does not reveal anything to the adversary *that
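
The distinction drawn in the answer above can be checked exhaustively for a small L. The following is an added example, not part of the original post or the course material; L = 4, the 4-bit encodings of “yes” and “no”, and the skewed prior are constructed values. It computes Pr[C=c | M=m], the posterior Pr[M=m | C=c], and the optimal adversary's guessing probability with and without the ciphertext, and goes slightly beyond the yes/no case by also checking a non-uniform prior.

```python
from fractions import Fraction

L = 4  # constructed: small enough to enumerate every key exactly

def otp_joint(prior):
    """Exact Pr[M=m, C=c] for c = m XOR k with k uniform over L-bit keys."""
    joint = {}
    for m, pm in prior.items():
        for k in range(2 ** L):
            c = m ^ k
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * Fraction(1, 2 ** L)
    return joint

def cipher_given_msg(prior):
    """Pr[C=c | M=m]: what the lecture proved equals 1/2^L for every pair."""
    return {mc: p / prior[mc[0]] for mc, p in otp_joint(prior).items()}

def posterior(prior):
    """Pr[M=m | C=c]: what the adversary believes after seeing c."""
    joint = otp_joint(prior)
    pc = {}
    for (m, c), p in joint.items():
        pc[c] = pc.get(c, Fraction(0)) + p
    return {(m, c): p / pc[c] for (m, c), p in joint.items()}

def best_guess_success(prior, see_ciphertext):
    """Success probability of the optimal (unbounded) guessing adversary."""
    if not see_ciphertext:
        return max(prior.values())
    best = {}  # for each ciphertext, weight of the most likely message
    for (m, c), p in otp_joint(prior).items():
        best[c] = max(best.get(c, Fraction(0)), p)
    return sum(best.values())

# Constructed priors: "yes"/"no" as two 4-bit strings, and a skewed prior.
YES_NO = {0b1010: Fraction(1, 2), 0b0101: Fraction(1, 2)}
SKEWED = {0b0000: Fraction(3, 4), 0b0001: Fraction(1, 8), 0b0111: Fraction(1, 8)}

if __name__ == "__main__":
    for name, prior in (("yes/no", YES_NO), ("skewed", SKEWED)):
        print(name,
              "Pr[C=c|M=m] values:", set(cipher_given_msg(prior).values()),
              "guess without c:", best_guess_success(prior, False),
              "guess with c:", best_guess_success(prior, True))
```
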