Lecture 3

This lecture was the first real discussion of cryptography. We introduced the one-time pad and proved that it was perfectly secure, but noted that it has several (inherent) drawbacks. Motivated by this we introduced the notion of computational security and showed the “pseudo”-one-time pad encryption scheme which beats the one-time pad in terms of key length.

Also, HW1 is out. For the homework you will use the JCE to implement some basic encryption schemes.

Slide are posted on the course syllabus.

One Response to “Lecture 3”

  1. Anonymous Says:

    Dr. Katz asked me to post this question I asked which he answered over email:

    Q: Yesterday in lecture when we were going over the one time pad, there was something I didn’t understand. Obviously, we were able to prove that the probability of guessing the message in a one time pad is 1/(2^L). I realize it fits the formal definition, but since perfect secrecy means “an adversary running for an unbounded amount of time learns nothing about the message,” it seems to me that the expected number of guesses it takes to learn something about the message is 2^L. Even for a sufficiently large L, the law of large numbers would take over for an unbounded adversary. How does that fit the english definition of perfect secrecy?

    A: No! What we showed was that the probability of getting *any* particular
    ciphertext when we encrypt any particular message is 1/(2^L).

    In fact, depending on the distribution it might be possible for the
    adversary to guess the message with probability much better than
    1/2^L. For example, when the adversary knows that the sender is
    sending either “yes” or “no”, each with probability 1/2. Then it can
    guess the message with probability 1/2. Are you saying that the adversary is able to guess the message with probability 1/2^L (assuming all messages equally likely), and therefore with probability 1/2^L the adversary learns something about the message? But note that the adversary can guess the message with probability 1/2^L without seeing the ciphertext at all. So the point is that the ciphertext does not reveal anything to the adversary *that
    the adversary didn’t already know before*.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: