CS 7880 Graduate Cryptography September 10, 2017

Lecture 1: Perfect Secrecy and Statistical Authentication


Lecturer: Daniel Wichs Scribe: Matthew Dippel (Edited)

1 Topics Covered
• Definition of perfect secrecy

• One-time pad and optimality (Shannon’s theorem)

• Definition of statistical one-time MAC and construction.

2 The Encryption Problem


Consider two persons Alice and Bob, who wish to communicate messages of a sensitive
nature. However, an eavesdropper by the name of Eve has the ability to read all the mes-
sages that pass between Alice and Bob. Despite this, Alice and Bob would still like to be
able to communicate in a way that Eve cannot determine what they are saying to each other.

This is done via an encryption scheme, which is a set of functions Enc and Dec for
encryption and decryption of messages:

plaintext m  -->  Alice computes c = Enc(m)  -- ciphertext c -->  Bob computes m = Dec(c)  -->  m

                                  Eve reads c, should not learn m


There are two key properties of the above. First, given only c, Eve should not be able
to learn what m is. Second, Dec(Enc(m)) = m, so that Bob can accurately determine the
message that Alice wanted to send. Creating functions Enc and Dec which satisfy this is
a fundamental problem of cryptography. But given the above encryption scheme, knowing
what these functions are is enough for anyone to decrypt c. This would make it impossible
for practical cryptography to be analyzed in the public, for any scheme which is openly
discussed would become useless.

The above problem has a simple solution. First, we assume that the scheme itself is always
public knowledge (Kerckhoffs's principle); this is necessary in order to create cryptographic
systems which can be both used and analyzed. Second, our Enc and Dec functions will be
parametrized by a secret key value k, which changes the behavior of the functions. Because
the key is chosen at random and shared only between the communicating parties, it is
possible both to use a cryptographic scheme which is public knowledge, and to analyze that
scheme and prove statements about its security.

Lecture 1, Page 1
The updated generic protocol is illustrated below:

plaintext m  -->  Alice computes c = Enc_k(m)  -- ciphertext c -->  Bob computes m = Dec_k(c)  -->  m

(Alice holds key k)              Eve reads c, should not learn m              (Bob holds key k)

2.1 Formal View


An encryption scheme as we have described so far can be formally described as a tuple of
the following objects:
set K the key space
set M the message space
set C the ciphertext space
Enc : K × M → C the encryption function.
Dec : K × C → M the decryption function.
We will write Enc(k, m) as Enc_k(m) for short, and similarly write Dec(k, c) as Dec_k(c).
These functions should satisfy the sanity check that decryption reverses the encryption,
which we denote as ∀k, m: Dec_k(Enc_k(m)) = m.

To define perfect secrecy, we view the ciphertext as a random variable: the key k is chosen
uniformly at random, so for a fixed message m the value Enc_k(m) is random. Given any
ciphertext c, Eve should gain no information at all about which message produced it: for
every possible message m there should be a key k with Enc_k(m) = c, and c should be exactly
as likely to appear under every message.

We formalize this as follows: let M be some distribution over the message space M, and
K the uniform distribution over the key space K, chosen independently of M. Since
C = Enc_K(M), C is also a random variable whose distribution depends on both M and the
encryption function. Then we have perfect secrecy if, for all distributions M, all m ∈ M,
and all c ∈ C with Pr[C = c] > 0:

Pr[M = m] = Pr[M = m | C = c]
Intuitively, this means that conditioned on the value of Enc_k(m), m is no more or
less likely to be any specific message from the message distribution. There are two more
equivalent definitions of perfect secrecy. We list all three below:

1. For every distribution M and all m, c with Pr[C = c] > 0: Pr[M = m] = Pr[M = m | C = c].

2. For every distribution M: M and C are independent random variables.

3. ∀ m, m' ∈ M, c ∈ C: Pr[Enc_K(m) = c] = Pr[Enc_K(m') = c].

Note that, whenever we state a probability, it is over the distributions of variables that
have not been set.

Theorem 1 Definitions 1, 2, and 3 are equivalent

We will show that 1 → 2, 2 → 3, and 3 → 1.

Lemma 1 Definition 1 implies Definition 2

Proof: By Definition 1 and the definition of conditional probability, for any c with Pr[C = c] > 0,

Pr[M = m] = Pr[M = m | C = c] = Pr[M = m, C = c] / Pr[C = c].

Multiplying through by Pr[C = c] gives

Pr[M = m] Pr[C = c] = Pr[M = m, C = c],

which is the definition of independence. (For c with Pr[C = c] = 0 both sides are 0, so the equality holds trivially.)

Lemma 2 Definition 2 implies Definition 3

Proof: Choose any m, m' ∈ M and any c ∈ C. Since Definition 2 holds for every message
distribution, we may take one under which both m and m' have positive probability (for
example the uniform distribution over {m, m'}), so that conditioning on M = m is well
defined. Because K is chosen independently of M, we have:

Pr[Enc_K(m) = c] = Pr[Enc_K(M) = c | M = m] = Pr[C = c | M = m] = Pr[C = c],

where the conditioning on M can be removed because M and C are independent. The same
argument for m' gives Pr[Enc_K(m') = c] = Pr[C = c] under the same distribution, hence
Pr[Enc_K(m) = c] = Pr[Enc_K(m') = c].

Lemma 3 Definition 3 implies Definition 1

Proof: Consider any ciphertext c with Pr[C = c] > 0 and any message m. We can rewrite the
probability Pr[C = c] as:

Pr[C = c] = Σ_{m'} Pr[C = c, M = m']
          = Σ_{m'} Pr[C = c | M = m'] Pr[M = m']

We can rewrite the random variable C in terms of M as:

          = Σ_{m'} Pr[Enc_K(M) = c | M = m'] Pr[M = m']

Conditioned on M = m', the random variable M can be replaced by the fixed value m', and
since the key K is chosen independently of M the conditioning can then be removed:

          = Σ_{m'} Pr[Enc_K(m') = c] Pr[M = m']

From Definition 3, Pr[Enc_K(m') = c] takes the same value for any m'. Thus we can pick a
specific value m and pull it out of the sum:

          = Pr[Enc_K(m) = c] Σ_{m'} Pr[M = m'] = Pr[Enc_K(m) = c]

where we used the fact that Σ_{m'} Pr[M = m'] = 1. We can now substitute the specific
value m with the random variable M and condition on its value, reversing the steps above:

          = Pr[Enc_K(M) = c | M = m] = Pr[C = c | M = m]

We have thus shown that Pr[C = c] = Pr[C = c | M = m] for any m, c. Using the definition
of conditional probability, Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c]
= Pr[M = m], as desired.

3 One Time Pad (OTP)


Having described perfect secrecy, we now describe an encryption scheme which satisfies
it, called the One-Time Pad, or OTP for short. It is named the One-Time Pad because it has
perfect secrecy for a single message, but loses nearly all of its security if the same key
is used twice: from c₁ = k ⊕ m₁ and c₂ = k ⊕ m₂, Eve computes c₁ ⊕ c₂ = m₁ ⊕ m₂.

We introduce an additional parameter t, the number of bits in the keys, messages,
and ciphertexts. In the OTP, our sets and encryption / decryption functions are:

K = M = C = {0, 1}^t
Enc_k(m) = k ⊕ m
Dec_k(c) = k ⊕ c

where XOR operations are done on each corresponding bit of the vectors.
Note that XOR satisfies the following properties:

a ⊕ b = b ⊕ a
(a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
a ⊕ a = 0
a ⊕ 0 = a

From these, we can show that Dec_k(Enc_k(m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = 0 ⊕ m = m.
As it turns out, the set {0, 1}t with the operation ⊕ is a finite abelian group. Thus
we will instead generalize the OTP to abelian groups, and prove that this framework has
perfect secrecy.
Let (G, +) be a finite abelian group. Then we define our encryption scheme as:

K=M=C=G

Enck (m) = m + k
Deck (c) = c − k

Theorem 2 The one-time pad over a finite group (G, +) satisfies perfect secrecy.

Proof: For any m, m', c ∈ G, we have:

Pr[Enc_K(m) = c] = Pr[K + m = c] = Pr[K = c − m]

Since c − m is a fixed group element for the chosen m and c, we are asking for the
probability that a uniformly random key equals that particular element. All |G| keys are
equally likely, so this probability is:

= 1/|G|

Since the choice of m was arbitrary, the same computation gives Pr[Enc_K(m') = c] = 1/|G|,
hence Pr[Enc_K(m) = c] = Pr[Enc_K(m') = c], which is Definition 3 of perfect secrecy.
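The XOR one-time pad of this section, together with an exhaustive check of the perfect-secrecy definitions of Section 2.1 on a toy t-bit instance, as an added Python example that is not part of the original lecture notes. The message weights passed to check_independence are constructed for illustration, and otp_keygen draws its key from os.urandom, an assumption about the key source which the notes leave abstract. The last function shows the two-time pad leak c₁ ⊕ c₂ = m₁ ⊕ m₂ mentioned above.

```python
# Added example (not from the lecture notes): XOR one-time pad plus an
# exhaustive check of the perfect-secrecy definitions on a toy t-bit instance.
import os
from collections import Counter
from fractions import Fraction


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    """Enc_k(m) = k XOR m, bit by bit. The key must be exactly as long as m."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must have exactly the message length")
    return bytes(k ^ m for k, m in zip(key, message))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Dec_k(c) = k XOR c. Identical to encryption because k XOR k = 0."""
    return otp_encrypt(key, ciphertext)


def otp_keygen(length: int) -> bytes:
    """A fresh uniformly random key per message (assumed source: os.urandom)."""
    return os.urandom(length)


def check_definition_3(t: int) -> bool:
    """Definition 3: for every c, Pr[Enc_K(m) = c] is the same for all m.
    K is uniform over {0,1}^t, so Pr[Enc_K(m) = c] = (#keys k with k^m = c) / 2^t.
    For the OTP exactly one key (k = m ^ c) works, giving 1/2^t for every m."""
    n = 1 << t
    for c in range(n):
        counts = {sum(1 for k in range(n) if k ^ m == c) for m in range(n)}
        if counts != {1}:
            return False
    return True


def check_independence(t: int, weights: dict) -> bool:
    """Definition 2: M and C are independent, for an arbitrary (here non-uniform)
    message distribution given as integer weights {m: weight}, normalised below."""
    n = 1 << t
    total = sum(weights.values())
    pm = {m: Fraction(w, total) for m, w in weights.items()}
    joint = Counter()                       # Pr[M = m, C = c]
    for m, p in pm.items():
        for k in range(n):                  # each key has probability 1/n
            joint[(m, k ^ m)] += p * Fraction(1, n)
    pc = Counter()                          # marginal Pr[C = c]
    for (m, c), p in joint.items():
        pc[c] += p
    return all(joint[(m, c)] == pm.get(m, Fraction(0)) * pc[c]
               for m in range(n) for c in range(n))


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Key reuse: c1 XOR c2 = (k XOR m1) XOR (k XOR m2) = m1 XOR m2, so Eve
    learns the XOR of the two plaintexts without learning the key."""
    c1 = otp_encrypt(key, m1)
    c2 = otp_encrypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key = otp_keygen(5)
    assert otp_decrypt(key, otp_encrypt(key, b"hello")) == b"hello"
    print("Definition 3 holds for t=3:", check_definition_3(3))
    print("M and C independent under weights {0:2, 5:1, 7:1}:",
          check_independence(3, {0: 2, 5: 1, 7: 1}))
    print("two-time pad leak (m1 XOR m2):",
          two_time_pad_leak(b"\x01\x02", b"\x10\x20", b"\x30\x40").hex())
```

The two checks enumerate every key, so they are only feasible for tiny t; that is the point of the exercise, not a limitation of the scheme. Note that check_independence accepts any message distribution, as Definition 2 requires.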

Despite achieving perfect secrecy, the One-Time Pad is an impractical scheme with several
undesirable properties:

1. The key is as long as the message

2. The key cannot be reused

3. Alice and Bob must share a secret key unknown to Eve.

As it turns out, these are all necessary requirements for any perfectly secret encryption
scheme. In particular, we can prove that the key space must be at least as large as the
message space for perfect secrecy to be achieved:

Theorem 3 (Shannon 1949) In any perfectly secret encryption scheme, we must have that
|K| ≥ |M|.

Proof: Let M be the uniform distribution over M and let c be some ciphertext such that
Pr[C = c] > 0.
Consider the set M' = {Dec_k(c) : k ∈ K} of all messages that c could decrypt to, which
has cardinality at most |K|. If |K| < |M|, then there exists some m ∈ M \ M'.
For this m we have:

Pr[M = m | C = c] = 0,

since no key decrypts c to m. Yet we have that Pr[M = m] = 1/|M| > 0. Thus the require-
ments of perfect secrecy (Definition 1) are violated.

The above proof is essentially a formalization of a brute force attack. If we tried all
possible encryption keys, we could rule out some messages from the message space. However,
it is computationally expensive, and does not seem to gain that much information for the
attacker. In the future, we will introduce new ways of modeling secrecy that involve a
computationally bounded adversary.
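The brute-force reading of Shannon's proof, as an added Python example that is not part of the original notes. It uses a toy scheme whose key space is smaller than its message space (a 2-bit key repeated to 4 bits and XORed into a 4-bit message; this scheme is constructed here purely to violate the bound and is not a real cipher), enumerates all keys on one ciphertext to build the set M' from the proof, and computes Pr[M = m | C = c] exactly to show that it differs from Pr[M = m].

```python
# Added example (not from the lecture notes): Shannon's bound as a brute-force
# attack on a toy scheme with |K| = 4 < |M| = 16. The scheme is constructed
# here to violate the bound; it is not a real cipher.
from collections import Counter
from fractions import Fraction

KEY_BITS, MSG_BITS = 2, 4
KEYS = range(1 << KEY_BITS)          # |K| = 4
MESSAGES = range(1 << MSG_BITS)      # |M| = 16


def expand_key(k: int) -> int:
    """Stretch the 2-bit key to 4 bits by repeating it: k || k."""
    return (k << KEY_BITS) | k


def toy_encrypt(k: int, m: int) -> int:
    """Enc_k(m) = m XOR (k || k): an OTP whose key is too short."""
    return m ^ expand_key(k)


def toy_decrypt(k: int, c: int) -> int:
    """Dec_k(c) = c XOR (k || k)."""
    return c ^ expand_key(k)


def candidate_messages(c: int) -> set:
    """M' = {Dec_k(c) : k in K} from the proof of Theorem 3; |M'| <= |K|."""
    return {toy_decrypt(k, c) for k in KEYS}


def posterior(c: int) -> dict:
    """Pr[M = m | C = c] for uniform M and uniform K, by enumerating every
    (m, k) pair and counting the ones that produce c."""
    hits = Counter()
    for m in MESSAGES:
        for k in KEYS:
            if toy_encrypt(k, m) == c:
                hits[m] += 1
    total = sum(hits.values())
    return {m: Fraction(hits[m], total) for m in MESSAGES}


def ruled_out(c: int) -> int:
    """Number of messages Eve can exclude outright after seeing c: these have
    Pr[M = m | C = c] = 0 although Pr[M = m] = 1/|M| > 0."""
    return sum(1 for p in posterior(c).values() if p == 0)


if __name__ == "__main__":
    c = 0b1010
    print("prior Pr[M = m] =", Fraction(1, len(MESSAGES)))
    print("candidate set M' for c = 1010:", sorted(candidate_messages(c)))
    print("messages ruled out:", ruled_out(c), "of", len(MESSAGES))
    print("Pr[M = 1010 | C = 1010] =", posterior(c)[0b1010])
```

With |K| = 4, every ciphertext leaves only 4 candidate plaintexts out of 16, so the posterior jumps from 1/16 to 1/4 on those and to 0 on the other 12, exactly the violation the proof exhibits. The work is linear in |K|, which is why the attack is only interesting when the key space is small.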

4 Authentication and MACs
Our current model of secrecy has assumed an adversary which passively listens to the
communication channel. Suppose our adversary was less passive, and interested in actively
modifying the message from Alice before it reached Bob. Then the One-Time Pad would
provide no authenticity: flipping any bit of the ciphertext c flips the corresponding bit of
the decrypted message, and Bob has no way to tell whether the message has been tampered
with. To address this, we introduce Message Authentication Codes, or MACs for short.
4.1 Formal View

A MAC scheme can be described by the following tuple:

K the key space
M the message space
T the tag space
MAC : K × M → T the MAC function
The usage is as follows. Alice wishes to send a message m to Bob. She computes
t = MAC(k, m) and sends the pair (m, t) to Bob. Bob receives (m', t'), which Eve may have
altered in transit, and checks whether t' = MAC(k, m'). If it does, he proceeds under the
assumption that m' is the intended message from Alice. If it does not, he concludes that
the pair was tampered with (m' ≠ m or t' ≠ t) and rejects it.

We must now define what properties we want in a MAC. To do this, we define a "game"
in which Eve must attempt to forge a message and MAC tag.

Consider the following game: Given a MAC scheme, a uniformly random key k from K
is chosen and kept secret from Eve. Eve is allowed to choose exactly one message m ∈ M,
and is given the value t = MAC(k, m). Eve must now come up with a pair (m', t') such
that m' ≠ m; her choice may depend on t. She wins if t' = MAC(k, m'), and loses otherwise.

We say that a MAC is 1-Time Statistically Secure with ε-security if, no matter what
Eve's strategy is, the probability that Eve wins the above game is ≤ ε.

The first question to ask is whether or not we can achieve ε = 0. The answer is no: given
any message m' ≠ m, there is some tag that results from running the MAC function on it. If
Eve outputs m' together with a uniformly random tag t' ∈ T, she hits the correct tag with
probability exactly 1/|T|. Thus no MAC can beat the lower bound ε ≥ 1/|T|.

We will provide a construction which achieves reasonable security. The domain that we
will work in will be the integers modulo some prime p. That is, we will have M = T = Z_p.
Our key space will be all pairs of such integers, K = Z_p × Z_p.
Then, we define our MAC function as:

MAC(k, m) = x·m + y

where k = (x, y), and multiplication and addition are done over Z_p.

Theorem 4 The above MAC has 1-time security with ε = 1/p.

Proof: Let K = (X, Y) be uniformly random over Z_p × Z_p. Then ∀m, t we have:

Pr[MAC(K, m) = t] = Pr[X·m + Y = t] = 1/p

which follows from the equation X·m + Y = t having a unique solution Y = t − X·m for every
choice of X.
Next, consider some m' ≠ m, and any t, t'. Consider the probability:

Pr[MAC(K, m') = t', MAC(K, m) = t] = Pr[X·m' + Y = t', X·m + Y = t] = Pr[X = x, Y = y] = 1/p²

where x = (t − t')/(m − m') and y = t − x·m. Again, all operations are done over the field
Z_p; since m ≠ m', the difference m − m' is invertible, so the two linear equations have
exactly one solution (x, y).

Thus from the values we just determined and the definition of conditional probability, we
have that

Pr[MAC(K, m') = t' | MAC(K, m) = t] = (1/p²) / (1/p) = 1/p.

Whatever strategy Eve uses, her forgery (m', t') with m' ≠ m is some function of the tag t
she saw, and for every such choice the probability that it verifies is exactly 1/p. Thus we
achieve 1/p-security, matching the lower bound ε ≥ 1/|T| = 1/p.

Like our OTP scheme, this MAC scheme is also impractical for several reasons. First,
the key is twice as big as the message. Thus a relatively large amount of secret information
needs to be exchanged between the parties compared to the messages they will exchange. Second,
we can only use the key once to authenticate a single message. If the key is used for two
different messages m₁ ≠ m₂ with tags t₁, t₂, then the key can be exactly determined by
solving the two linear equations: x = (t₁ − t₂)/(m₁ − m₂) and y = t₁ − x·m₁ over Z_p. We
will see later on that we can achieve significant improvements on the key size, but the
single-message security is inherent to our definition.
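The MAC of this section in Python, as an added example that is not part of the original notes. The prime p = 2^127 − 1 used for the full-size keys is an assumed parameter choice. best_forgery_probability enumerates every key for a small toy prime to reproduce the 1/p bound of Theorem 4, and recover_key carries out the key recovery from two tags on distinct messages described above.

```python
# Added example (not from the lecture notes): the one-time MAC
# MAC_(x,y)(m) = x*m + y over Z_p, its forgery bound, and key recovery on reuse.
import secrets
from collections import Counter
from fractions import Fraction

P = (1 << 127) - 1  # assumed modulus for the full-size demo (a Mersenne prime)


def keygen(p: int = P) -> tuple:
    """k = (x, y) uniform in Z_p x Z_p; to be used for exactly one message."""
    return (secrets.randbelow(p), secrets.randbelow(p))


def mac(key: tuple, m: int, p: int = P) -> int:
    """t = x*m + y mod p."""
    x, y = key
    return (x * m + y) % p


def verify(key: tuple, m: int, t: int, p: int = P) -> bool:
    """Bob's check t' == MAC(k, m'). (A production MAC would compare tags in
    constant time; for this integer demo that is not the point.)"""
    return mac(key, m, p) == t


def best_forgery_probability(p: int, m: int, t: int) -> Fraction:
    """Eve saw (m, t). Enumerate every key consistent with it and return the
    highest probability that any (m', t') with m' != m verifies, i.e.
    max over m', t' of Pr[MAC(K, m') = t' | MAC(K, m) = t]. Theorem 4: 1/p."""
    consistent = [(x, y) for x in range(p) for y in range(p)
                  if (x * m + y) % p == t]          # p keys: y = t - x*m
    best = Fraction(0)
    for m2 in range(p):
        if m2 == m:
            continue
        tags = Counter((x * m2 + y) % p for x, y in consistent)
        best = max(best, Fraction(max(tags.values()), len(consistent)))
    return best


def recover_key(m1: int, t1: int, m2: int, t2: int, p: int = P) -> tuple:
    """Key reuse: two tags on distinct messages give two linear equations,
    x*m1 + y = t1 and x*m2 + y = t2, solved as x = (t1 - t2)/(m1 - m2) and
    y = t1 - x*m1 in the field Z_p (m1 != m2, so the inverse exists)."""
    if (m1 - m2) % p == 0:
        raise ValueError("need two distinct messages")
    x = (t1 - t2) * pow((m1 - m2) % p, -1, p) % p
    y = (t1 - x * m1) % p
    return (x, y)


if __name__ == "__main__":
    key = keygen()
    m = 0x48656C6C6F          # "Hello" as an integer message in Z_p
    t = mac(key, m)
    print("verify genuine:", verify(key, m, t))
    print("verify tampered:", verify(key, m ^ 1, t))
    print("best forgery probability for p = 7:", best_forgery_probability(7, 3, 5))
    m2 = m + 1
    print("key recovered from two tags:", recover_key(m, t, m2, mac(key, m2)) == key)
```

For the toy prime the exhaustive search confirms that, conditioned on one tag, every candidate tag for every other message is equally likely, so Eve cannot do better than guessing. The same two-equation solve that recover_key performs is why a second message under the same key hands Eve the key outright.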

APPENDIX

Below is a short collection of some of the assumed knowledge for this course / lecture.

Probability Theory
In probability theory, we have a universe U, and a probability function Pr : U → [0, 1].
This function satisfies the property that Σ_{u ∈ U} Pr[u] = 1. A specific probability function,
along with a universe, is sometimes called a distribution over that universe. Informally,
a distribution can be viewed as a set of possible disjoint events, together with the relative
likelihood of each one occurring.

Definition 1 A probability distribution is called the uniform distribution if, for
all u, u' ∈ U, it holds that Pr[u] = Pr[u'] = 1/|U|. ♦
Random variables are functions over U, which also induce distributions. Given a ran-
dom variable X which maps U into X, we can define a distribution over X as

Pr[X = x] = Σ_{u : X(u) = x} Pr[u].

We can also induce distributions over multiple random variables at the same time by
introducing an additional random variable that is a tuple of the variables we are interested
in. Suppose we had two random variables X, Y, and wanted to express the probability that
both X = x and Y = y simultaneously. Then we would introduce a new random variable
Z = (X, Y), and examine the distribution:

Pr[X = x, Y = y] = Pr[Z = (x, y)] = Σ_{u : Z(u) = (x, y)} Pr[u].

We say that two random variables X, Y are independent if Pr[X = x, Y = y] = Pr[X = x] Pr[Y = y]
for all choices of x, y.

Example 1 Consider the uniform distribution over {0, 1}². Let X be the first bit, Y be the
second bit, Z = X + Y (the integer sum, taking values 0, 1, 2), and W = X ⊕ Y. Then X and
Y are independent. X and Z are not independent (for instance Pr[X = 1, Z = 0] = 0 while
Pr[X = 1] Pr[Z = 0] = 1/8). X and W are independent.

Conditional Probability For two random variables X, Y and outcomes x, y with
Pr[Y = y] > 0 we define the conditional probability:

Pr[X = x | Y = y] = Pr[X = x, Y = y] / Pr[Y = y]

The LHS is read as "probability that X = x, given that Y = y".

Example 2 Use the same universe and random variables from the last example. Consider
the conditional probability Pr[X = 1 | Z = 1]. The event Z = 1 consists of the outcomes
(0, 1) and (1, 0), while X = 1, Z = 1 is the single outcome (1, 0), so we can calculate:

Pr[X = 1 | Z = 1] = Pr[X = 1, Z = 1] / Pr[Z = 1] = 0.25 / 0.5 = 1/2
Events
An event E is a subset of U. We define Pr[E] = Σ_{u ∈ E} Pr[u]. Alternatively, we can
think of E as a binary random variable, where E(u) = 1 if u ∈ E, and 0 otherwise.

Theorem 5 (Union Bound) For any events E1 , E2 , we have:

Pr [E1 ∪ E2 ] = Pr [E1 ] + Pr [E2 ] − Pr [E1 ∩ E2 ]

≤ Pr [E1 ] + Pr [E2 ]
