This lecture was the first real discussion of cryptography. We introduced the one-time pad and proved that it was perfectly secure, but noted that it has several (inherent) drawbacks. Motivated by this we introduced the notion of *computational* security and showed the “pseudo”-one-time pad encryption scheme which beats the one-time pad in terms of key length.

Also, HW1 is out. For the homework you will use the JCE to implement some basic encryption schemes.

Slides are posted on the course syllabus.
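As an added illustration of the two schemes mentioned above (this is example code written for this summary, not code from the lecture or the course homework, which uses the JCE), the block below implements the one-time pad, shows the key-length drawback the pseudo-one-time pad removes, and checks the classic consequence of reusing a pad. The PRG is an assumption: SHAKE-256 is used here as a stand-in extendable-output function, since the lecture's construction treats the PRG abstractly.

```python
import os
import hashlib


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# --- one-time pad: key is uniform and exactly as long as the message ---

def otp_keygen(length):
    """Fresh uniform pad of the given length (must never be reused)."""
    return os.urandom(length)


def otp_encrypt(key, msg):
    """c = k XOR m; the length check is what makes the key as long as the message."""
    if len(key) != len(msg):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return xor_bytes(key, msg)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_reuse_leaks_xor(key, m1, m2):
    """Drawback check: encrypting two messages under one pad lets anyone XOR the
    ciphertexts and obtain m1 XOR m2, so the pad must be used once only."""
    c1, c2 = otp_encrypt(key, m1), otp_encrypt(key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


# --- pseudo-one-time pad: a short seed is stretched by a PRG into the pad ---

SEED_BYTES = 16  # assumption: 128-bit seed, far shorter than the messages it protects


def prg(seed, length):
    """Stand-in PRG (assumption): SHAKE-256 used as an extendable-output function."""
    return hashlib.shake_256(seed).digest(length)


def potp_keygen():
    return os.urandom(SEED_BYTES)


def potp_encrypt(seed, msg):
    """c = G(seed) XOR m, where G expands the seed to the message length."""
    return xor_bytes(prg(seed, len(msg)), msg)


potp_decrypt = potp_encrypt


if __name__ == "__main__":
    # constructed sample message
    m = b"meet at the library at noon"
    k = otp_keygen(len(m))
    assert otp_decrypt(k, otp_encrypt(k, m)) == m
    print("OTP key length:", len(k), "message length:", len(m))
    s = potp_keygen()
    assert potp_decrypt(s, potp_encrypt(s, m)) == m
    print("pseudo-OTP seed length:", len(s), "message length:", len(m))
    print("reused pad leaks m1 XOR m2:", pad_reuse_leaks_xor(k, m, b"meet at the library at dusk"))
```

The only difference between the two schemes is where the pad comes from: `otp_keygen` must output as many random bytes as the message, while `potp_keygen` outputs a fixed-size seed and `prg` does the stretching, which is exactly the key-length improvement noted above and the reason the pseudo-one-time pad is only computationally, not perfectly, secure.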


This entry was posted on September 9, 2009 at 9:52 pm and is filed under lectures. You can follow any responses to this entry through the RSS 2.0 feed.

September 10, 2009 at 10:04 am |

Dr. Katz asked me to post this question I asked which he answered over email:

Q: Yesterday in lecture when we were going over the one-time pad, there was something I didn’t understand. Obviously, we were able to prove that the probability of guessing the message in a one-time pad is 1/(2^L). I realize it fits the formal definition, but since perfect secrecy means “an adversary running for an unbounded amount of time learns nothing about the message,” it seems to me that the expected number of guesses it takes to learn something about the message is 2^L. Even for a sufficiently large L, the law of large numbers would take over for an unbounded adversary. How does that fit the English definition of perfect secrecy?

A: No! What we showed was that the probability of getting *any* particular ciphertext when we encrypt any particular message is 1/(2^L). In fact, depending on the distribution it might be possible for the adversary to guess the message with probability much better than 1/2^L. For example, when the adversary knows that the sender is sending either “yes” or “no”, each with probability 1/2. Then it can guess the message with probability 1/2. Are you saying that the adversary is able to guess the message with probability 1/2^L (assuming all messages equally likely), and therefore with probability 1/2^L the adversary learns something about the message? But note that the adversary can guess the message with probability 1/2^L without seeing the ciphertext at all. So the point is that the ciphertext does not reveal anything to the adversary *that the adversary didn’t already know before*.
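The exchange above can be checked exactly rather than argued about. The block below is an added example (not part of the post or the emailed answer): for a small L it enumerates every key, confirms that each ciphertext appears with probability 1/2^L for any fixed message, and then compares an adversary's best guessing probability with and without the ciphertext for two priors, the uniform one from the question and the “yes”/“no” one from the answer. The message codes for “yes” and “no” are constructed single-byte stand-ins.

```python
from fractions import Fraction

L = 8                   # message/key length in bits, small enough to enumerate all keys
KEYS = range(2 ** L)    # the key is a uniform L-bit string


def otp_encrypt(key, msg):
    """One-time pad on L-bit integers: ciphertext = key XOR message."""
    return key ^ msg


def ciphertext_distribution(msg):
    """Exact Pr[C = c | M = msg] for every c, with the key drawn uniformly."""
    counts = {}
    for key in KEYS:
        c = otp_encrypt(key, msg)
        counts[c] = counts.get(c, 0) + 1
    return {c: Fraction(n, 2 ** L) for c, n in counts.items()}


def posterior(prior, c):
    """Pr[M = m | C = c] by Bayes' rule, for a prior distribution over messages."""
    joint = {m: ciphertext_distribution(m)[c] * p for m, p in prior.items()}
    total = sum(joint.values())                 # Pr[C = c]
    return {m: j / total for m, j in joint.items()}


def best_guess_without_ciphertext(prior):
    """Success probability of guessing the a-priori most likely message."""
    return max(prior.values())


def best_guess_with_ciphertext(prior):
    """Success probability of seeing c and guessing the a-posteriori most likely m:
    sum over c of Pr[C = c] * max_m Pr[M = m | C = c]."""
    dists = {m: ciphertext_distribution(m) for m in prior}
    total = Fraction(0)
    for c in range(2 ** L):
        joint = {m: dists[m][c] * p for m, p in prior.items()}
        total += max(joint.values())            # = Pr[C = c] * max_m Pr[M = m | C = c]
    return total


if __name__ == "__main__":
    YES, NO = ord("Y"), ord("N")               # constructed stand-in codes for "yes"/"no"
    dist = ciphertext_distribution(YES)
    print("every ciphertext equally likely:", set(dist.values()) == {Fraction(1, 2 ** L)})

    yes_no = {YES: Fraction(1, 2), NO: Fraction(1, 2)}
    print("yes/no prior, posterior after seeing c=0x00:", posterior(yes_no, 0x00))
    print("yes/no guess prob without / with ciphertext:",
          best_guess_without_ciphertext(yes_no), best_guess_with_ciphertext(yes_no))

    uniform = {m: Fraction(1, 2 ** L) for m in range(2 ** L)}
    print("uniform guess prob without / with ciphertext:",
          best_guess_without_ciphertext(uniform), best_guess_with_ciphertext(uniform))
```

The two guessing probabilities coincide for every prior: 1/2 for the yes/no case and 1/2^L for the uniform case. That is the content of the answer: the 1/2^L figure belongs to the adversary's prior knowledge, and the ciphertext does not move it.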