03 Adversarial Secrecy Slides Handouts

The document discusses foundational concepts in cryptography including adversarial indistinguishability, perfectly secret encryption, Vernam's cipher, and Shannon's theorem. It defines what it means for an encryption scheme to be perfectly secret and perfectly indistinguishable. It also proves that the one-time pad encryption scheme is perfectly secret and analyzes why the key length must be at least the message length for a scheme to obtain perfect secrecy.

Uploaded by cv31415

Introduction Adversarial Indistinguishability Vernam’s Cipher Shannon’s Theorem

Adversarial Indistinguishability
Perfectly-Secret Encryption

Foundations of Cryptography
Computer Science Department
Wellesley College

Fall 2016


Table of contents

Introduction

Adversarial Indistinguishability

Vernam’s Cipher

Shannon’s Theorem

Perfect Secrecy Revisited*

Definition 2.3. An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message $m \in M$, and every ciphertext $c \in C$ for which $\Pr[C = c] > 0$:

$$\Pr[M = m \mid C = c] = \Pr[M = m].$$

Lemma 2.4. An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every $m_0, m_1 \in M$, and every ciphertext $c \in C$:

$$\Pr[C = c \mid M = m_0] = \Pr[C = c \mid M = m_1].$$

*Another way of interpreting this definition is that a scheme is perfectly secret if the distributions over messages and ciphertexts are independent.


Experiments in security

The eavesdropping indistinguishability experiment $\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi}$:
1. The adversary A outputs a pair of messages $m_0, m_1 \in M$.
2. A random key k is generated by running Gen, and a random bit $b \leftarrow \{0, 1\}$ is chosen. (These are chosen by some imaginary entity that is running the experiment with A.) Then, a ciphertext $c \leftarrow \mathrm{Enc}_k(m_b)$ is computed and given to A.
3. A outputs a bit $b'$.
4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. We write $\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1$ if the output is 1, and in this case we say that A succeeded.

Observe that it is always possible for A to succeed with probability one half. (Why?) The question is: can A do any better?

Perfect indistinguishability

Definition 2.5. Encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with message space M is perfectly indistinguishable if for every adversary A it holds that

$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = \frac{1}{2}.$$

Lemma 2.6. Encryption scheme $\Pi$ is perfectly secret if and only if it is perfectly indistinguishable.

Remark. You will have an opportunity to explore the proof of Lemma 2.6 in the next problem set.


Vigenère is not perfectly indistinguishable

Example 2.7. Let $\Pi$ denote the Vigenère cipher for the message space of two-character strings, and where the period is chosen uniformly in {1, 2}. We exhibit an adversary A for which $\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] > \frac{1}{2}$.

Adversary A does:
1. Output $m_0 = aa$ and $m_1 = ab$.
2. Upon receiving the challenge ciphertext $c = c_1 c_2$, do the following: if $c_1 = c_2$ output 0; else output 1.

Analyzing the adversary’s chances

$$\begin{aligned}
\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1]
&= \tfrac{1}{2} \cdot \Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1 \mid b = 0] + \tfrac{1}{2} \cdot \Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1 \mid b = 1] \\
&= \tfrac{1}{2} \cdot \Pr[A \text{ outputs } 0 \mid b = 0] + \tfrac{1}{2} \cdot \Pr[A \text{ outputs } 1 \mid b = 1]
\end{aligned}$$

A outputs 0 if and only if the two characters of the ciphertext $c = c_1 c_2$ are equal. When $b = 0$, then $c_1 = c_2$ if either (1) a key of period 1 is chosen, or (2) a key of period 2 is chosen and both characters of the key are equal. So,

$$\Pr[A \text{ outputs } 0 \mid b = 0] = \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{26}.$$


Analyzing the adversary’s chances (part 2)

$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = \tfrac{1}{2} \cdot \Pr[A \text{ outputs } 0 \mid b = 0] + \tfrac{1}{2} \cdot \Pr[A \text{ outputs } 1 \mid b = 1]$$

When $b = 1$, then $c_1 = c_2$ if a key of period 2 is chosen and the first character of the key is one more than the second. So,

$$\Pr[A \text{ outputs } 1 \mid b = 1] = 1 - \Pr[A \text{ outputs } 0 \mid b = 1] = 1 - \frac{1}{2} \cdot \frac{1}{26}.$$

Plugging into the top equations gives

$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = \frac{1}{2} \cdot \left( \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{26} \right) + \frac{1}{2} \cdot \left( 1 - \frac{1}{2} \cdot \frac{1}{26} \right) = 0.75$$
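The case analysis above can be checked mechanically by enumerating every (key, b) pair. The following Python is an added example, not part of the handout: it runs the eavesdropping experiment of steps 1 to 4 for the two-character Vigenère cipher of Example 2.7 (period uniform in {1, 2}, key letters uniform) against the adversary A, and returns the exact success probability as a fraction. Function names are my own.

```python
from fractions import Fraction
from itertools import product

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere_encrypt(key: str, msg: str) -> str:
    """Vigenère: shift the i-th plaintext letter by the (i mod period)-th key letter."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(msg)
    )


def key_distribution():
    """Gen of Example 2.7: period uniform in {1, 2}, then a uniform key of that length.
    Yields (key, Pr[K = key]) pairs whose weights sum to 1."""
    for period in (1, 2):
        keys = ["".join(t) for t in product(ALPHABET, repeat=period)]
        for k in keys:
            yield k, Fraction(1, 2) * Fraction(1, len(keys))


def adversary_choose():
    """Step 1: A outputs m0 = aa and m1 = ab."""
    return "aa", "ab"


def adversary_guess(c: str) -> int:
    """Step 3: output 0 if the two ciphertext characters are equal, else 1."""
    return 0 if c[0] == c[1] else 1


def privk_eav_success(keygen, enc, choose, guess) -> Fraction:
    """Exact Pr[PrivK^eav = 1]: average over the uniform bit b and over Gen's key distribution."""
    m = choose()
    total = Fraction(0)
    for b in (0, 1):                      # step 2: challenger picks b
        for k, pk in keygen():            # ... and a key k with probability pk
            if guess(enc(k, m[b])) == b:  # step 4: success iff b' = b
                total += Fraction(1, 2) * pk
    return total


if __name__ == "__main__":
    p = privk_eav_success(key_distribution, vigenere_encrypt, adversary_choose, adversary_guess)
    print(f"Pr[PrivK = 1] = {p} = {float(p)}")
```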

The one-time pad (random polyalphabetic cipher)

• We assume that an attacker has at least some knowledge of the statistical characteristics of the plaintext.
• If these statistics survive in the ciphertext, cryptanalysis may be able to greatly restrict the key space.
• In 1917, Vernam patented a cipher now called the one-time pad that masked all statistical characteristics of the plaintext. Indeed, although there was no proof of it at the time, the cipher obtains perfect secrecy.


The one-time pad encryption scheme

Fix an integer $\ell > 0$. Then the message space M, key space K, and ciphertext space C are all equal to $\{0, 1\}^\ell$.
1. Gen chooses a string from $K = \{0, 1\}^\ell$ according to the uniform distribution.
2. Enc: given a key $k \in \{0, 1\}^\ell$ and a message $m \in \{0, 1\}^\ell$, output $c := k \oplus m$.*
3. Dec: given a key $k \in \{0, 1\}^\ell$ and a ciphertext $c \in \{0, 1\}^\ell$, output $m := k \oplus c$.

Note that the scheme is perfectly correct. Why?

*Here $a \oplus b$ denotes the bitwise exclusive-or of two binary strings a, b.

The one-time pad is perfectly-secret

Theorem 2.9. The one-time pad encryption scheme is perfectly-secret.

Proof. Fix some distribution over M and fix an arbitrary $m \in M$ and $c \in C$. Then

$$\Pr[C = c \mid M = m] = \Pr[M \oplus K = c \mid M = m] = \Pr[m \oplus K = c] = \Pr[K = m \oplus c] = \frac{1}{2^\ell}.$$

Since this holds for all distributions and all m, we have that for every probability distribution over M, every $m_0, m_1 \in M$ and every $c \in C$,

$$\Pr[C = c \mid M = m_0] = \frac{1}{2^\ell} = \Pr[C = c \mid M = m_1],$$

and by Lemma 2.4, the encryption scheme is perfectly secret.


So why use anything else?

Theorem 2.10. Let (Gen, Enc, Dec) be a perfectly-secret encryption scheme over a message space M, and let K be the key space as determined by Gen. Then $|K| \geq |M|$.

In particular, if the key space consists of fixed-length keys, and the message space consists of all messages of some fixed length, this implies that the key must be at least as long as the message.

(And reusing one-time pads is a really bad idea.)



Back to the theorem (and its proof)

Theorem 2.10. Let (Gen, Enc, Dec) be a perfectly-secret encryption scheme over a message space M, and let K be the key space as determined by Gen. Then $|K| \geq |M|$.

Proof. Suppose $|K| < |M|$. Consider the uniform distribution over M and let $c \in C$. Define

$$M(c) \stackrel{\mathrm{def}}{=} \{\hat{m} \mid \hat{m} = \mathrm{Dec}_{\hat{k}}(c) \text{ for some } \hat{k} \in K\}.$$

Clearly $|M(c)| \leq |K|$ since for each message $\hat{m} \in M(c)$ there is at least one key $\hat{k} \in K$ for which $\hat{m} = \mathrm{Dec}_{\hat{k}}(c)$. Under the assumption that $|K| < |M|$, there is some $m_0 \in M$ such that $m_0 \notin M(c)$. But then

$$\Pr[M = m_0 \mid C = c] = 0 \neq \Pr[M = m_0]$$

and the scheme is not perfectly secret.


Shannon’s Characterization of Perfect Secrecy

• In his work on perfect secrecy, Claude Shannon also provided a characterization of perfectly secret encryption schemes.
• This theorem is a useful tool for proving (or disproving) perfect secrecy of suggested schemes.
• We investigate a version in the following slides.

Shannon’s Theorem

Theorem 2.11. Let (Gen, Enc, Dec) be an encryption scheme with message space M, for which $|M| = |K| = |C|$. The scheme is perfectly secret if and only if:
1. Every key $k \in K$ is chosen with (equal) probability $1/|K|$ by the algorithm Gen.
2. For every $m \in M$ and every $c \in C$, there exists a unique key $k \in K$ such that $\mathrm{Enc}_k(m)$ outputs c.
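As an added example (not from the handout), the following Python checks both conditions of Theorem 2.11, and the Lemma 2.4 criterion, by exhaustive enumeration on the one-time pad with $\ell = 3$: once with the uniform Gen of the scheme, and once with a constructed biased Gen that gives the all-zero key double weight. The biased variant still satisfies condition (2) but fails condition (1), and, as the theorem predicts, the Lemma 2.4 equality fails with it. Bit strings are represented as tuples of bits; function names are my own.

```python
from fractions import Fraction
from itertools import product


def otp_keys(ell):
    """All ell-bit strings as bit tuples; for the one-time pad M = K = C = {0,1}^ell."""
    return [tuple(bits) for bits in product((0, 1), repeat=ell)]


def otp_enc(k, m):
    """Enc_k(m) = k XOR m, bitwise."""
    return tuple(a ^ b for a, b in zip(k, m))


def shannon_conditions(keys, key_prob, msgs, ctxts, enc):
    """Return (cond1, cond2) of Theorem 2.11 for a scheme with |M| = |K| = |C|.
    key_prob maps each key to Pr[K = key], i.e. Gen's output distribution."""
    n = len(keys)
    cond1 = all(key_prob[k] == Fraction(1, n) for k in keys)
    cond2 = all(
        sum(1 for k in keys if enc(k, m) == c) == 1   # exactly one key maps m to c
        for m in msgs for c in ctxts
    )
    return cond1, cond2


def lemma24_holds(keys, key_prob, msgs, ctxts, enc):
    """Lemma 2.4: for every c, Pr[C = c | M = m] must be the same for all m."""
    for c in ctxts:
        probs = {sum((key_prob[k] for k in keys if enc(k, m) == c), Fraction(0))
                 for m in msgs}
        if len(probs) > 1:
            return False
    return True


def check_otp(ell, biased=False):
    """(cond1, cond2, lemma 2.4) for the ell-bit one-time pad with uniform or biased Gen."""
    keys = otp_keys(ell)
    if biased:
        # Constructed bad Gen: every key has weight 1/(n+1), the all-zero key 2/(n+1).
        probs = {k: Fraction(1, len(keys) + 1) for k in keys}
        probs[keys[0]] = Fraction(2, len(keys) + 1)
    else:
        probs = {k: Fraction(1, len(keys)) for k in keys}
    c1, c2 = shannon_conditions(keys, probs, keys, keys, otp_enc)
    return c1, c2, lemma24_holds(keys, probs, keys, keys, otp_enc)


if __name__ == "__main__":
    print("uniform Gen:", check_otp(3))        # (True, True, True)
    print("biased Gen: ", check_otp(3, True))  # (False, True, False)
```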


Proof of Shannon’s Theorem (⇐)

Proof. (⇐) Fix $c \in C$ and $m \in M$. Let k be the unique key for which $\mathrm{Enc}_k(m) = c$. Then

$$\Pr[C = c \mid M = m] = \Pr[K = k] = 1/|K|,$$

so

$$\Pr[C = c] = \sum_{m \in M} \Pr[\mathrm{Enc}_K(m) = c] \cdot \Pr[M = m] = 1/|K|.$$

Thus for any $m \in M$ with $\Pr[M = m] \neq 0$, and any $c \in C$, we have

$$\begin{aligned}
\Pr[M = m \mid C = c] &= \frac{\Pr[C = c \mid M = m] \cdot \Pr[M = m]}{\Pr[C = c]} \\
&= \frac{\Pr[\mathrm{Enc}_K(m) = c] \cdot \Pr[M = m]}{\Pr[C = c]} \\
&= \frac{|K|^{-1} \cdot \Pr[M = m]}{|K|^{-1}} = \Pr[M = m].
\end{aligned}$$

Proof of Shannon’s Theorem (⇒)

Proof. (⇒) Fix $c \in C$. There must be some message $m^*$ for which $\Pr[\mathrm{Enc}_K(m^*) = c] \neq 0$. Lemma 2.4 implies that $\Pr[\mathrm{Enc}_K(m) = c] \neq 0$ for every $m \in M$.

Thus, for each $m_i \in M$ there is a nonempty set of keys $K_i$ such that $\mathrm{Enc}_k(m_i) = c$ if and only if $k \in K_i$. Moreover, when $i \neq j$ then $K_i$ and $K_j$ must be disjoint or correctness fails. Since $|K| = |M|$, each $K_i$ must consist of a single key $k_i$, establishing condition (2). By Lemma 2.4, for any $m_i, m_j \in M$,

$$\Pr[K = k_i] = \Pr[\mathrm{Enc}_K(m_i) = c] = \Pr[\mathrm{Enc}_K(m_j) = c] = \Pr[K = k_j].$$

Since $k_i \neq k_j$ for $i \neq j$, this means each key is chosen with probability $1/|K|$, as required by condition (1).
