Cryptography

Lecture 3: Perfectly Secret Encryption

Srimanta Bhattacharya
Encryption Scheme: Framework

Encryption Secure channel Decryption

Key (K) Key (K’)

Insecure channel
Encryption Decryption
Plaintext(M) Ciphertext Ciphertext
(C) (C) Plaintext(M)
Sender Receiver

tux@linux#

Adversary

2
Encryption Scheme: Ingredients

Spaces:
• M- Set of all possible messages.
• K- Set of all possible keys.
• C- Set of all possible ciphertexts

Normally these sets are {0, 1}ℓ for appropriate ℓ (to be made precise later)

Triple of algorithms (Gen, Enc, Dec):

• Gen- Key generation algorithm
• Enc- Encryption algorithm
• Dec- Decryption algorithm
Which of these are randomized?
• Gen- Cannot be deterministic.Why?
• Dec- Cannot be randomized.Why?
• Enc- Can possibly be randomized.
3
What is the source of randomness?
On Randomness

• Can toss a (fair) coin

Sure but we need a lot more.
Can we program to generate?
Yes, but .... need randomness after all.
• Tap events which are random.
Key strokes, disk access, network iterrupts, thermal noise, etc.
• (Usually) not good quality randomness. Needs some processing.

Assume that we have source of uniform unbiased random bits.

4
Encryption: Syntax

• k ← Gen()
w.l.o.g. k ←$ K.
• c ← Enck (m)
How is m chosen?
Idealized with a probability distribution on M.
Required for analysis. Not a part of the encryption scheme.
The distribution is known to the adversary.
• m = Deck (c)

Remark: Randomness in key generation and message selection are

independent.

Pr{K = k ∧ M = m} = Pr{K = k}Pr{M = m}

Perfect Correctness:

Pr{Deck (Enck (m)) = m} = 1, ∀k ∈ K, m ∈ M

5
Example

Example: Consider the Shift Cipher.

M? K? C?
M= K= C= English alphabet (or {0, 1, . . . , 25}
interchangeably)
1
Gen: Sample K uniformly from K. So, Pr{K = k} = 26 .

Probability distribution over M: Pr{M = a} = 0.7 and Pr{M = z} = 0.3

What is the probability that C = B?
Hint: For what combinations of M and K can C = B occur?
What is Pr{M = a|C = B}?
Observation?

6
Perfect Secrecy

Alice wants to communicate a single message to Bob.

Alice encrypts and sends the ciphertext.
Eve, the adversary/eavesdropper observes the ciphertext.
What does Eve know?
- The encryption scheme (Gen, Enc, Dec) being used
- Probability distribution on M
The adversary should know nothing about the message by
looking at the ciphertext
How to formalize the idea?

An encryption scheme (Gen, Enc, Dec) with message space Mis perfectly
secret if for every probability distribution over M, every message m ∈ M
and every ciphertext c ∈ C with Pr{C = c} > 0:
Pr{M = m|C = c} = Pr{M = m}
How non-trivial is the idea?
Is there a perfectly secret scheme?
7
Is there a scheme which is not perfectly secret?
Perfect Secrecy: Equivalent formulation

An encryption scheme (Gen, Enc, Dec) with message space Mand

ciphertext space Cis perfectly secret iff for every two distinct messages
m1 , m2 ∈ M and every ciphertext c ∈ C we have

Pr{Enck (m1 ) = c} = Pr{Enck (m2 ) = c}

, or equivalently

Pr{C = c|M = m1 } = Pr{C = c|M = m2 }

Probabilities taken over?

Randomness of key generation and (possible) randomness of Enc
Advantage of this definition?
No consideration of distribution over M

8
Proof of Equivalence

2nd Definition ⇒ 1st Definition

• Fix a distribution over M.
• Fix a c ∈ C s.t. Pr{C = c} > 0.
• W.l.o.g. let m ∈ M be such that Pr{M = m} > 0. Otherwise?

Pr{C = c|M = m}Pr{M = m}

Pr{M = m|C = c} = P ′ ′
Justify
m′ ∈M Pr{C = c|M = m }Pr{M = m }
Pr{M = m}
=P ′
Justify
m′ ∈M Pr{M = m }

= Pr{M = m}

1st Definition ⇒ 2nd Definition

DIY!

9
One-Time Pad

• M = C = K = {0, 1}ℓ
• Gen: K ←$ K.
• Enc: Given a k ∈ K and m ∈ M, c = k ⊕ m.
• Dec: Given a k ∈ K and c ∈ C, c = k ⊕ c.

Perfect Correctness: Follows

Perfect Secrecy:
For any m ∈ M and c ∈ C Pr{C = c|M = m}?
For any m ∈ M and c ∈ C there is a unique k ∈ K such that m = k ⊕ c.

10
One-Time Pad: Facts and Limitations

• Proposed by Gilbert Vernam in 1917.

• (Formally) proven secure by Shannon in 1940s.
• Used by many national intelligence agencies in the mid-20th century
(Kremlin-White House hotline).

Limitations:

• Same key cannot be used twice. Why?

If m ⊕ k = c and m′ ⊕ k ′ = c ′ then m ⊕ m′ = c ⊕ c ′
• Key length is same as message lenth.
Is this a limitation of One-Time Pad or the perfect secrecy?

11
Limitation of Perfect Secrecy

Can an encryption scheme with |K| < |M| provide perfect secrecy?

• Consider an arbitrary distribution (w.l.o.g. uniform) over M.

• Let c ∈ C be such that Pr{C = c} > 0
• Let Mc = {Deck (c)|k ∈ K}
• Clearly |Mc | ≤ |K| < |M|.
• Choose m ∈ M \ Mc

What is Pr{M = m|C = c}? = 0 ̸= Pr{M = m}

12
Perfect Secrecy: Eavesdropping Experiment (Indistinguishability
Game)

Let Π = (Gen, Enc, Dec) be an encryption scheme.

A game between adversary (A ) and challenger (C ): Priveav
A ,Π
A is assumed to be computationally unbounded (no restriction on A ’s
computational power)

• A selects m0 , m1 ∈ M.
• C selects b ←$ {0, 1} and k ←$ K, sends c = Enck (mb ) to A
• A outputs b ′ ∈ {0, 1}

Output of the game is 1 if b = b ′ (i.e., A wins), and we write Priveav

A ,Π = 1

Π is perfectly secret ⇔ Pr{Priveav A ,Π } = 2

1

Probability taken over choice of b, k and possibly coin tosses of A

Why 12 ? What is the minimum winning probability of A ?

Proof? Give it a try!
13
Pr{Priveav
A ,Π } =
1
2 ⇒ Π is perfectly secret
To show if Π is not perfectly secret then Pr{Priveav 1
A ,Π }> 2

Π is not perfectly secret ⇒ There are m0 , m1 , c ′ such that

p1 = Pr{C = c ′ |M = m0 } > Pr{C = c ′ |M = m1 } = p2

Goal is to exploit the above fact and construct an adversary A who will
win the indishtinguibality game with probability more than 21 .
Strategy for the adversary A

1. Select m0 and m1 in the first step of the game

2. Output b ′ = 0 if the ciphertext sent by C is c ′ , otherwise output
b ′ = 0 with probability 12 .

Calculate the winning probability of A

14
Π is perfectly secret ⇒ Pr{Priveav
A ,Π } =
1
2

To show if Pr{Priveav 1
A ,Π }> 2 then Π is not perfectly secret

DIY considering A to be deterministic.

15
Vigenrre Cipher: Indistinguishability Game

Is the Vigenere Cipher perfectly secret?

Let M = Set of all two character strings.

K = Set of all one character and two character strings.
Key k is chosen as follows.
Key period is chosen uniformly from {1, 2}.
Key characters are chosen uniformly at random.
⇓
k ←$ K
Construct A

• Output m0 = aa and m1 = ab.

• If c = c1 c2 then output 0 if c1 = c2 else output 1.
Calculate Pr{Priveav
A ,Π }!

16
Shannon’s Characterization

Shannon: Let Π = (Gen, Enc, Dec) be an encryption scheme with

|M| = |K| = |C|. Then Π is perfectly secret if and only if
1
1. Every key k ∈ K is chosen with equal probability (= |K| ) by Gen.
2. For every m ∈ M and c ∈ C there is a unique key k ∈ K such that
c = Enck (m) w.l.o.g. assume Enc is deterministic.
Comments and Sketch:
1. The condition |M| = |K| = |C| is w.l.o.g. |M| ≤ |K| follows from
perfect secrecy and |M| ≤ |C| follows from perfect correctness.
2. Conditions 1 and 2 ⇒ Perfect secrecy of Π:
• Cond. 2 ⇒ For each m ∈ M and c ∈ C there is a unique key k ∈ K
s.t. Enck (m) = c.
• Cond.1 ⇒ This key is chosen uniformly.
3. Perfect secrecy of Π ⇒ Conditions 1 and 2:
• Perfect secrecy ⇒ For each m ∈ M and c ∈ C there is a k ∈ K s.t.
Enck (m) = c. Why?
|M| = |K| = |C| ⇒ this key is unique (Cond.1) Why?
17
• The key must be chosen uniformly (Cond.2)Why?
Perfect Secrecry: Bypassing the (Key Length) Limitation

• Bound A computationally. Say runtime bounded by t or poly(n) for

some input parameter n.
• Allow A some advantage Pr{Priveav
A ,Π } =
1
2 +ε

18