
L02 Short

This document summarizes a lecture on Shannon and perfect secrecy for encryption. It discusses symmetric ciphers and different approaches to defining security, including hiding the key, hiding the message, and hiding new information gained from the ciphertext. Shannon defined security as hiding all information except what is already known about the message prior to seeing the ciphertext. Perfect secrecy is defined as identical ciphertext distributions for any two messages. The lecture proves the equivalence of perfect secrecy and Shannon secrecy.

Uploaded by

cv31415

Lecture 2: Shannon and Perfect Secrecy

Instructor: Omkant Pandey

Spring 2017 (CSE 594)

Last Class

We discussed some historical ciphers


...and how to break them

This class: a more formal treatment of ciphers.


Specifically Shannon’s treatment of secure ciphers

Symmetric Ciphers
A symmetric cipher consists of:
– A method for generating random keys k, denoted by KG
– Encryption algorithm: Enc
– Decryption algorithm: Dec
Enc encrypts messages using a secret key:
– $\mathsf{Enc}(k, m) \to c$
– Enc may use randomness
– c is called the ciphertext
Dec should decrypt correctly:
$\forall k, \forall m : \mathsf{Dec}(k, \mathsf{Enc}(k, m)) = m$.
The set of all messages m is called the message space $\mathcal{M}$;
the set of all ciphertexts c is called the ciphertext space $\mathcal{C}$;
the set of all keys k is called the key space $\mathcal{K}$.
Messages m are also known as plaintexts.
Security of a Cipher

What about security?

What should it mean intuitively?

First attempt: hide the key

All ciphers in the frequency analysis recover the key...


What if we just guarantee that the key remains completely hidden?
No reason why the plaintext should be hidden!
Example from Caesar Cipher:
ATTACK = BUUBDL and DEFEND = EFGFOE

Broken by checking patterns! Don’t need the key!

Second approach: hide the message

What does it mean?
Hide the full message only?
Hide every letter of the message?
What if the ciphertext reveals the frequency of the letters in the plaintext?
Dangerous: May be enough to find out if the army will attack or defend?
Hide everything about the message: all possible functions of the message.
Good starting point but impossible! Something about the message may already be known!
(E.g., it is in English, starts with “Hello” and today’s date, etc.)

Third approach: hide everything that is not already known!

We cannot hide what may be a priori known about the message.
The ciphertext must hide everything else!
Adversary should not learn any NEW information about the message after seeing the ciphertext.
How to capture it mathematically?

Shannon’s Treatment

Messages come from some distribution; let $D$ be a random variable for sampling the messages from the message space $\mathcal{M}$.
Distribution $D$ is known to the adversary. This captures a priori information about the messages.
The ciphertext $c = \mathsf{Enc}(m, k)$ depends on:
– $m$, chosen according to $D$
– $k$, chosen randomly (according to $\mathsf{KG}$)
– Enc may also use some randomness
These induce a distribution $C$ over the ciphertexts $c$.
The adversary only observes $c$ (for some $m \xleftarrow{D} \mathcal{M}$ and $k \xleftarrow{\mathsf{KG}} \mathcal{K}$, but not $m, k$ themselves).

Shannon’s Treatment (continued)

Knowledge about $m$ before observing the output of $C$ is captured by: $D$
Knowledge about $m$ after observing the output of $C$ is captured by: $D \mid C$
Shannon secrecy: distributions $D$ and $D \mid C$ must be identical.
Intuitively, this means that:
$C$ contains no NEW information about $m$
...in the standard sense of information theory.

Shannon Secrecy

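Definition (Shannon Secrecy)

A cipher $(\mathcal{M}, \mathcal{K}, \mathsf{KG}, \mathsf{Enc}, \mathsf{Dec})$ is Shannon secure w.r.t. a distribution $D$ over $\mathcal{M}$ if for all $m_1 \in \mathcal{M}$ and for all $c$,

$$\Pr[m \leftarrow D : m = m_1] = \Pr[k \leftarrow \mathsf{KG},\ m \leftarrow D : m = m_1 \mid \mathsf{Enc}(m, k) = c].$$

It is Shannon secure if it is Shannon secure w.r.t. all distributions $D$ over $\mathcal{M}$.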

Questions?

Perfect Secrecy

Suppose you have two messages: $m_1 \in \mathcal{M}$ and $m_2 \in \mathcal{M}$.
What is the distribution of ciphertexts for $m_1$?

$$C_1 := \{k \leftarrow \mathsf{KG},\ \text{output } \mathsf{Enc}(m_1, k)\}$$

Likewise, for $m_2$, the ciphertext distribution is:

$$C_2 := \{k \leftarrow \mathsf{KG},\ \text{output } \mathsf{Enc}(m_2, k)\}$$

Perfect secrecy:
$C_1$ and $C_2$ must be identical for every pair of $m_1, m_2$.
$\Rightarrow$ Ciphertexts are independent of the plaintext(s)!

Perfect Secrecy (continued)

Definition (Perfect Secrecy)

Scheme $(\mathcal{M}, \mathcal{K}, \mathsf{KG}, \mathsf{Enc}, \mathsf{Dec})$ is perfectly secure if for every pair of messages $m_1, m_2$ in $\mathcal{M}$ and for all $c$,

$$\Pr[k \leftarrow \mathsf{KG} : \mathsf{Enc}(m_1, k) = c] = \Pr[k \leftarrow \mathsf{KG} : \mathsf{Enc}(m_2, k) = c]$$

So much simpler than Shannon Secrecy!
No mention of distributions, a priori or a posteriori.
Much easier to work with...

Which notion is better?

OK, so we have two definitions: perfect secrecy and Shannon secrecy.
Both of them intuitively seem to guarantee great security!
Is one better than the other?
If our intuition is right, shouldn’t they offer “same level” of security?

Equivalence Theorem

Theorem (Equivalence Theorem)


A private-key encryption scheme is perfectly secure if and only if it is
Shannon secure.

Proof: Simplifying Notation

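We drop $\mathsf{KG}$ and $D$ when clear from context.
$\mathsf{Enc}_k(m)$ will be shorthand for $\mathsf{Enc}(m, k)$
For example:
$\Pr_m[\ldots]$ means $\Pr[m \leftarrow D : \ldots]$
$\Pr_k[\ldots]$ means $\Pr[k \leftarrow \mathsf{KG} : \ldots]$
$\Pr_{k,m}[\ldots]$ means $\Pr[k \leftarrow \mathsf{KG},\ m \leftarrow D : \ldots]$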

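Proof: Perfect Secrecy $\Rightarrow$ Shannon Secrecy

Given: $\forall (m_1, m_2) \in \mathcal{M} \times \mathcal{M}$ and every $c \in \mathcal{C}$:

$$\Pr_k[\mathsf{Enc}_k(m_1) = c] = \Pr_k[\mathsf{Enc}_k(m_2) = c]$$

Show: for every $D$ over $\mathcal{M}$, $m_1 \in \mathcal{M}$, and $c \in \mathcal{C}$:

$$\Pr_{k,m}[m = m_1 \mid \mathsf{Enc}_k(m) = c] = \Pr_m[m = m_1]$$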

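Proof: Perfect Secrecy $\Rightarrow$ Shannon Secrecy (continued)

$$\begin{aligned}
\text{L.H.S.} &= \Pr_{k,m}[m = m_1 \mid \mathsf{Enc}_k(m) = c] \\
&= \frac{\Pr_{k,m}[m = m_1 \cap \mathsf{Enc}_k(m) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} \\
&= \frac{\Pr_{k,m}[m = m_1 \cap \mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} \\
&= \frac{\Pr_m[m = m_1] \cdot \Pr_k[\mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} \\
&= \text{R.H.S.} \times \frac{\Pr_k[\mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]}
\end{aligned}$$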

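Proof: Perfect Secrecy $\Rightarrow$ Shannon Secrecy (continued)

Show:
$$\frac{\Pr_k[\mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} = 1$$
Proof:
$$\begin{aligned}
\Pr_{k,m}[\mathsf{Enc}_k(m) = c] &= \sum_{m_2 \in \mathcal{M}} \Pr_m[m = m_2] \, \Pr_k[\mathsf{Enc}_k(m_2) = c] \\
&= \sum_{m_2 \in \mathcal{M}} \Pr_m[m = m_2] \, \Pr_k[\mathsf{Enc}_k(m_1) = c] \\
&= \Pr_k[\mathsf{Enc}_k(m_1) = c] \cdot \underbrace{\sum_{m_2 \in \mathcal{M}} \Pr_m[m = m_2]}_{=\,1} \\
&= \Pr_k[\mathsf{Enc}_k(m_1) = c] \times 1. \quad \text{(QED)}
\end{aligned}$$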

Proof: Perfect Secrecy $\Leftarrow$ Shannon Secrecy

We have to show: $\forall (m_1, m_2) \in \mathcal{M} \times \mathcal{M}$ and $\forall c$:

$$\Pr_k[\mathsf{Enc}_k(m_1) = c] = \Pr_k[\mathsf{Enc}_k(m_2) = c]$$

Fix any $m_1, m_2, c$ as above.
Let $D$ be the uniform distribution over $\{m_1, m_2\}$ so that:

$$\Pr_m[m = m_1] = \Pr_m[m = m_2] = 1/2.$$

By definition, the scheme is Shannon secure w.r.t. this $D$. Therefore,

$$\Pr_{k,m}[m = m_1 \mid \mathsf{Enc}_k(m) = c] = \Pr_m[m = m_1], \text{ and}$$
$$\Pr_{k,m}[m = m_2 \mid \mathsf{Enc}_k(m) = c] = \Pr_m[m = m_2]$$

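Proof: Perfect Secrecy $\Leftarrow$ Shannon Secrecy (continued)

Therefore: $\Pr_{k,m}[m = m_1 \mid \mathsf{Enc}_k(m) = c] = \Pr_{k,m}[m = m_2 \mid \mathsf{Enc}_k(m) = c]$

Consider the LHS:

$$\begin{aligned}
\Pr_{k,m}[m = m_1 \mid \mathsf{Enc}_k(m) = c] &= \frac{\Pr_{k,m}[m = m_1 \cap \mathsf{Enc}_k(m) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} \\
&= \frac{\Pr_m[m = m_1] \cdot \Pr_k[\mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]} \\
&= \frac{\tfrac{1}{2} \cdot \Pr_k[\mathsf{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]}
\end{aligned}$$

Likewise, the RHS is:

$$\Pr_{k,m}[m = m_2 \mid \mathsf{Enc}_k(m) = c] = \frac{\tfrac{1}{2} \cdot \Pr_k[\mathsf{Enc}_k(m_2) = c]}{\Pr_{k,m}[\mathsf{Enc}_k(m) = c]}$$

Cancel and rearrange. (QED)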


Should we go over this proof again?

The One Time Pad: A perfectly secure scheme

Let $n$ be an integer = length of the plaintext messages.
Message space $\mathcal{M} := \{0,1\}^n$ (bit-strings of length $n$)
Key space $\mathcal{K} := \{0,1\}^n$ (keys too are length $n$ bit-strings)
The key is as long as the message
The algorithms are:
– $\mathsf{KG}$: samples a key uniformly at random $k \leftarrow \{0,1\}^n$
– $\mathsf{Enc}(m, k)$: XOR bit-by-bit,
Let $m = m_1 m_2 \ldots m_n$ and $k = k_1 k_2 \ldots k_n$;
Output $c = c_1 c_2 \ldots c_n$ where $c_i = m_i \oplus k_i$ for every $i \in [n]$.
– $\mathsf{Dec}(c, k)$: XOR bit-by-bit.
Return $m$ where $m_i = c_i \oplus k_i$ for every $i$.

Perfect Security of OTP

Theorem (Perfect security of OTP)


One Time Pad is a perfectly secure private-key encryption scheme.

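Let $a \oplus b$ for $n$-bit strings $a, b$ mean bit-wise XOR.
Then: $\mathsf{Enc}(m, k) = m \oplus k$ and $\mathsf{Dec}(c, k) = c \oplus k$.
Ciphertext space is $\mathcal{C} := \{0,1\}^n$. Correctness: straightforward.
Perfect secrecy: fix any $m \in \{0,1\}^n$ and $c \in \{0,1\}^n$.

$$\Pr_k[\mathsf{Enc}_k(m) = c] = \Pr_k[m \oplus k = c] = \Pr_k[k = m \oplus c] = 2^{-n}.$$

$$\Pr_k[\mathsf{Enc}_k(m) = c] = 0 \quad (\forall c \notin \{0,1\}^n)$$

$\Rightarrow \forall (m_1, m_2) \in \{0,1\}^n \times \{0,1\}^n$ and $\forall c$:

$$\Pr_k[\mathsf{Enc}_k(m_1) = c] = \Pr_k[\mathsf{Enc}_k(m_2) = c]. \quad \text{(QED)}$$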
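
The two secrecy definitions and the OTP proof above can be checked by exhaustive enumeration at a toy length. The following Python is an added example, not part of the original lecture: it computes $\Pr_k[\mathsf{Enc}(m,k)=c]$ exactly for n = 3, tests perfect secrecy and Shannon secrecy, and contrasts a variant whose key space is cut to two keys. The function names, the skewed prior and the two-key variant are constructed for this illustration.

```python
from fractions import Fraction
from itertools import product

N = 3  # toy message length in bits (constructed for this example)
SPACE = list(product((0, 1), repeat=N))  # M = K = C = {0,1}^n

def otp_enc(m, k):
    """One Time Pad: bitwise XOR of message and key."""
    return tuple(mi ^ ki for mi, ki in zip(m, k))

def ciphertext_dist(enc, keys, m):
    """Pr_k[Enc(m, k) = c] for a uniform key k, as {c: probability}."""
    dist = {}
    for k in keys:
        c = enc(m, k)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist

def perfectly_secret(enc, keys, msgs):
    """Perfect secrecy: every message induces the same ciphertext distribution."""
    dists = [ciphertext_dist(enc, keys, m) for m in msgs]
    return all(d == dists[0] for d in dists)

def posterior(enc, keys, prior, c):
    """Pr_{k,m}[m = m1 | Enc(m, k) = c] for each m1, by Bayes' rule."""
    joint = {m: p * ciphertext_dist(enc, keys, m).get(c, Fraction(0))
             for m, p in prior.items()}
    total = sum(joint.values())
    return {m: j / total for m, j in joint.items()}

def shannon_secret(enc, keys, prior):
    """Shannon secrecy w.r.t. prior D: D|C equals D for every reachable c."""
    cts = {enc(m, k) for m, p in prior.items() if p for k in keys}
    return all(posterior(enc, keys, prior, c) == prior for c in cts)

# A skewed prior D (constructed): the adversary expects 000 half the time.
PRIOR = {m: Fraction(1, 2) if m == (0, 0, 0) else Fraction(1, 14) for m in SPACE}

# Contrast (constructed): same XOR, but only two possible keys, so |K| < |M|.
WEAK_KEYS = [(0, 0, 0), (1, 1, 1)]

if __name__ == "__main__":
    print("OTP perfect:", perfectly_secret(otp_enc, SPACE, SPACE))
    print("OTP Shannon:", shannon_secret(otp_enc, SPACE, PRIOR))
    print("two-key perfect:", perfectly_secret(otp_enc, WEAK_KEYS, SPACE))
    print("two-key posterior of 000 given c=000:",
          posterior(otp_enc, WEAK_KEYS, PRIOR, (0, 0, 0))[(0, 0, 0)])
```

With the two-key variant, seeing c = 000 raises the adversary's belief in m = 000 from the prior 1/2 to 7/8, which is exactly the new information Shannon secrecy forbids.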
Some Remarks

The One Time Pad (OTP) scheme is also known as the Vernam Cipher.
The Caesar Cipher is just OTP for 1-letter messages!
Mathematically:
– XOR is the same as addition modulo 2: $a + b \bmod 2$.
– Caesar Cipher for 1 letter is addition modulo 26.
– You can work modulo any number $n$
As the name suggests, one key can be used only once.
The key must be:
– sampled uniformly every time, and
– as long as the message.

Key Length in Perfectly Secure Encryption

If the key has to be as long as the message, it is a serious problem!
Imagine encrypting your machine’s hard drive with an OTP...
– 80 GB long key to encrypt 80 GB data
– 80 GB space to store this key in a safe place (other than your hard drive)
– Key for OTP is uniform, so it cannot be compressed either!
– This is never done in practice...
OTP looks naïve, quite elementary: can’t we design a more sophisticated scheme with shorter keys?

Shannon’s Theorem

Theorem (Shannon’s Theorem)

For every perfectly secure cipher $(\mathsf{Enc}, \mathsf{Dec})$ with message space $\mathcal{M}$ and key space $\mathcal{K}$, it holds that $|\mathcal{K}| \ge |\mathcal{M}|$.

Some Remarks:
Message length is $n = \lg |\mathcal{M}|$ and key length is $\ell = \lg |\mathcal{K}|$.
It follows that $\ell \ge n$, i.e., keys must be as long as the messages.

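Proof:
Assume the contrary: i.e., $|\mathcal{K}| < |\mathcal{M}|$.
Fix any message $m_0$, and any key $k_0$. Let
$$c_0 = \mathsf{Enc}(m_0, k_0).$$
$$\Longrightarrow \Pr_k[\mathsf{Enc}(m_0, k) = c_0] > 0. \qquad (1)$$
What happens if we decrypt $c_0$ with each key one by one?
We get a set of messages, which we denote by:
$$S = \{\mathsf{Dec}(c_0, k) : k \in \mathcal{K}\}.$$
Note that $|S| \le |\mathcal{K}|$ and $|\mathcal{K}| < |\mathcal{M}|$.
$\Longrightarrow |S| < |\mathcal{M}|$.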
Proof continued..

This means, there exists a message $m_1 \in \mathcal{M}$ such that $m_1 \notin S$.
What happens if we encrypt $m_1$ with a key $k \in \mathcal{K}$?
Since $m_1 \notin S$, by definition:

$$\forall k \in \mathcal{K} : \mathsf{Enc}(m_1, k) \ne c_0.$$

$$\Longrightarrow \Pr_k[\mathsf{Enc}(m_1, k) = c_0] = 0. \qquad (2)$$

Therefore, there exist $m_0, m_1, c_0$ such that:

$$\Pr_k[\mathsf{Enc}(m_0, k) = c_0] \ne \Pr_k[\mathsf{Enc}(m_1, k) = c_0].$$

This contradicts perfect secrecy. (QED)

Exercise: Reusing OTP

What could go wrong if you re-use an OTP anyway?
If we could re-use then we could encrypt longer messages with shorter keys.
Simply break the message in shorter parts.
Therefore, by Shannon’s Theorem, the resulting scheme will not be perfectly secure.
Even worse — it will be open to the frequency attack! (just like Vigenère Cipher)
In fact, there are lots of neat examples where reusing OTP leaks clear patterns.
Can you construct such examples?
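
Shannon's proof and the reuse exercise above, run on one concrete case (an added example, not part of the original lecture): using one n-bit pad for two n-bit blocks is a cipher with $|\mathcal{K}| < |\mathcal{M}|$, so the proof's construction yields an $m_1$ that can never encrypt to $c_0$. The toy size n = 2 and all function names are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

N = 2  # pad length in bits (toy size, constructed for this example)
KEYS = list(product((0, 1), repeat=N))       # K = {0,1}^n
MSGS = list(product((0, 1), repeat=2 * N))   # M = {0,1}^{2n}: two blocks, one pad

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def enc_reuse(m, k):
    """Encrypt both n-bit halves of m with the same pad k (the reuse in question)."""
    return xor(m[:N], k) + xor(m[N:], k)

dec_reuse = enc_reuse  # XOR with the same pad undoes itself

def pr_ct(enc, keys, m, c):
    """Pr_k[Enc(m, k) = c] for a uniformly random key k."""
    return Fraction(sum(enc(m, k) == c for k in keys), len(keys))

def proof_witness(enc, dec, keys, msgs, m0, k0):
    """Shannon's proof, executed: c0 = Enc(m0, k0), S = {Dec(c0, k)}, m1 outside S."""
    c0 = enc(m0, k0)
    s = {dec(c0, k) for k in keys}
    m1 = next(m for m in msgs if m not in s)  # exists since |S| <= |K| < |M|
    return c0, s, m1

def leaked_xor(c):
    """Computable from the ciphertext alone: left block XOR right block."""
    return xor(c[:N], c[N:])

if __name__ == "__main__":
    m0, k0 = (0, 1, 1, 0), (1, 1)  # constructed sample message and pad
    c0, s, m1 = proof_witness(enc_reuse, dec_reuse, KEYS, MSGS, m0, k0)
    print("c0 =", c0, "|S| =", len(s), "|M| =", len(MSGS))
    print("Pr[Enc(m0,k)=c0] =", pr_ct(enc_reuse, KEYS, m0, c0))
    print("Pr[Enc(m1,k)=c0] =", pr_ct(enc_reuse, KEYS, m1, c0), "for m1 =", m1)
    print("m0 blocks XOR:", xor(m0[:N], m0[N:]), "recovered:", leaked_xor(c0))
```

The last line shows the pattern that reuse leaks: the XOR of the two ciphertext blocks equals the XOR of the two plaintext blocks for every key, so the pad cancels out entirely.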

Back to Key Length in Perfect Secrecy

Shannon’s Theorem on key length is pretty bad news for perfect ciphers.
It means we really have to give up on perfect secrecy for practical applications, unless we absolutely need it.
This is really the dawn of modern cryptography: we want to construct something that is “just as good for practical purposes.”

The modern approach focuses on what computers can do efficiently.
For example, if we have a short, efficient computer program, which generates large “random looking” strings, we can use this program to generate strings that look like an OTP key.
This is really what we will try to do — we will build some theory in the next few lectures and return to this issue again.
In the next class, we will review notions of “efficient computation” and define what is called a “one way function.”
