Lec 2

The lecture discusses the concept of perfect secrecy in encryption, defining it through the relationship between plaintext, ciphertext, and keys. It introduces the One-Time-Pad as an example of perfectly secure encryption and explores its limitations, particularly regarding key length and the impossibility of achieving perfect secrecy with shorter keys. The lecture also touches on statistical security as a relaxation of perfect secrecy and the challenges associated with it.


Lecture 2 - Perfect Secrecy and its Limitations

Boaz Barak

September 20, 2007

How do we define an “unbreakable encryption”?

Simplest case: shared key, encryption of single message.


Some notation: $k$ is the key, of length $|k| = n$ (chosen at random in $\{0,1\}^n$).
Plaintext: $x$ of length $|x| = m$.
Ciphertext: $y$, with $y = E_k(x)$ and $x = D_k(y)$, where
$$E : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^\ell, \qquad D : \{0,1\}^n \times \{0,1\}^\ell \to \{0,1\}^m.$$

Recurring themes in such definitions: probability, quantifiers

Motivating scenario. Attacker knows that the message is either attack or retreat.

Definition. Two probability distributions $X, Y$ over $\{0,1\}^\ell$ are identical, denoted $X \equiv Y$, if for every $y \in \{0,1\}^\ell$, $\Pr[X = y] = \Pr[Y = y]$.
The scheme $(D, E)$ is perfectly secure if for every pair of messages $x, x'$, $E_{U_n}(x) \equiv E_{U_n}(x')$ (here $U_n$ is the uniform distribution over $\{0,1\}^n$, so $E_{U_n}(x)$ is the distribution of the ciphertext when the key is chosen at random).

Exercise. Does this mean that for every $k$, $E_k(x) = E_k(x')$?

Meaning. If the message was attack then the eavesdropper gets to see a ciphertext $y$ sampled from $E_{U_n}(\text{attack})$. If the message was retreat then the eavesdropper gets a ciphertext sampled from $E_{U_n}(\text{retreat})$. But this is the same distribution in both cases!

Game view of definition

• Adv chooses $x_1, x_2 \in \{0,1\}^m$.
• Sender selects $k \leftarrow_R \{0,1\}^n$, $i \leftarrow_R \{1,2\}$ and gives the adversary $y = E_k(x_i)$.
• Adversary sends a number $j \in \{1,2\}$.

Adversary is successful if $i = j$.
Theorem 1. $(E, D)$ is perfectly secure if and only if $\Pr[\text{Adv successful}] \le 1/2$.

Proof.
If the scheme is perfectly secure then the adversary gets no information on $i$ in this game and can win with probability at most $1/2$.
On the other hand, if the scheme is not perfectly secure then there exist $x_1, x_2$ such that $Y_{x_1}$ is not the same distribution as $Y_{x_2}$ (where $Y_x$ denotes $E_{U_n}(x)$). This means that there is a string $y_0$ such that (without loss of generality) $\Pr[Y_{x_1} = y_0] > \Pr[Y_{x_2} = y_0]$.
Thus, if the adversary does the following: pick $x_1, x_2$ and, given ciphertext $y$, if $y = y_0$ then output 1, else output a random number in $\{1,2\}$; then it will succeed with probability a little bit larger than $1/2$.

A perfectly secure encryption. The XOR operation takes two bits $a$ and $b$ and returns $a + b \pmod 2$. Notation: $a \oplus b$.
Some facts:

1. $a \oplus 0 = a$
2. $a \oplus a = 0$
3. Commutativity: $a \oplus b = b \oplus a$
4. Associativity: $a \oplus (b \oplus c) = (a \oplus b) \oplus c$

Generalize to vectors: for $x, y \in \{0,1\}^n$, $x \oplus y = (x_1 \oplus y_1, \ldots, x_n \oplus y_n)$.


The One-Time-Pad scheme: $n = |k| = |x|$, $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$,
$$E_k(x) = x \oplus k, \qquad D_k(y) = y \oplus k.$$
Validity: $D_k(E_k(x)) = (x \oplus k) \oplus k = x \oplus (k \oplus k) = x \oplus 0^n = x$.

One-Time-Pad is perfectly secret. We'll prove that for every $x \in \{0,1\}^n$, the distribution $Y_x = E_{U_n}(x)$ is the uniform distribution over $\{0,1\}^n$. This means that all these distributions are identical, thus achieving perfect secrecy.

Proof. Let $y \in \{0,1\}^n$; we need to show that $\Pr[Y_x = y] = 2^{-n}$, or in other words
$$\Pr_{k \leftarrow_R \{0,1\}^n}[x \oplus k = y] = 2^{-n}.$$
If we XOR both sides of the equation $x \oplus k = y$ with $x$ we get $x \oplus x \oplus k = x \oplus y$, or in other words $k = x \oplus y$. That is, there is a unique value of $k$ (namely $x \oplus y$) that makes the equation true. Since there are $2^n$ possible strings $k$ in total, the probability that the equation is true is $2^{-n}$.
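To make the definitions concrete, here is an added example in Python, written for these notes rather than taken from the lecture. It implements the One-Time-Pad over short bit strings, computes the exact ciphertext distribution $Y_x$ for every $x$ by enumerating all $2^n$ keys (so uniformity is checked, not assumed), and runs the adversary from the proof of Theorem 1, whose success probability comes out as exactly $1/2$ for the OTP. As a contrast it also contains a constructed scheme, `padded_encrypt`, whose key is one bit shorter than the message; that scheme and all function names are assumptions of this example, not part of the notes.

```python
from collections import Counter
from fractions import Fraction

# Added example (not from the lecture notes). Strings in {0,1}^n are
# represented as Python ints in range(2**n), so XOR of bit vectors is int ^ int,
# and a ciphertext distribution Y_x is a dict {y: Pr[Y_x = y]} of exact Fractions.


def otp_encrypt(k: int, x: int) -> int:
    """One-Time-Pad: E_k(x) = x XOR k, with |k| = |x| = n."""
    return x ^ k


def otp_decrypt(k: int, y: int) -> int:
    """D_k(y) = y XOR k; validity: D_k(E_k(x)) = (x XOR k) XOR k = x."""
    return y ^ k


def padded_encrypt(k: int, x: int) -> int:
    """Constructed (hypothetical) scheme whose key is one bit shorter than the
    message: the (n-1)-bit key is padded with a 0 bit, E_k(x) = x XOR (k || 0).
    Still decryptable (XOR the same pad again), but the low bit of x is never masked."""
    return x ^ (k << 1)


def cipher_distribution(enc, key_bits: int, x: int) -> dict:
    """Exact distribution Y_x = E_{U_n}(x): count E_k(x) over every key k."""
    counts = Counter(enc(k, x) for k in range(2 ** key_bits))
    return {y: Fraction(c, 2 ** key_bits) for y, c in counts.items()}


def is_uniform(dist: dict, out_bits: int) -> bool:
    """True iff dist puts exactly 2^{-out_bits} on every string in {0,1}^{out_bits}."""
    p = Fraction(1, 2 ** out_bits)
    return len(dist) == 2 ** out_bits and all(q == p for q in dist.values())


def theorem1_adversary_success(enc, key_bits: int, x1: int, x2: int) -> Fraction:
    """Success probability of the adversary from the proof of Theorem 1.

    It picks y0 maximising Pr[Y_{x1} = y0] - Pr[Y_{x2} = y0], answers 1 when it
    sees y0 and otherwise guesses at random.  The value is computed exactly by
    averaging over the sender's random choices i in {1,2} and k in {0,1}^n.
    """
    d1 = cipher_distribution(enc, key_bits, x1)
    d2 = cipher_distribution(enc, key_bits, x2)
    y0 = max(set(d1) | set(d2), key=lambda y: d1.get(y, 0) - d2.get(y, 0))
    total = Fraction(0)
    for i, x in ((1, x1), (2, x2)):
        for k in range(2 ** key_bits):
            if enc(k, x) == y0:
                total += 1 if i == 1 else 0   # adversary answers j = 1
            else:
                total += Fraction(1, 2)       # random guess, right half the time
    return total / (2 * 2 ** key_bits)


if __name__ == "__main__":
    n = 3
    for x in range(2 ** n):
        assert is_uniform(cipher_distribution(otp_encrypt, n, x), n)
        assert all(otp_decrypt(k, otp_encrypt(k, x)) == x for k in range(2 ** n))
    print("OTP: every Y_x is uniform; adversary success =",
          theorem1_adversary_success(otp_encrypt, n, 0, 2 ** n - 1))
    print("padded key: Y_0 =", cipher_distribution(padded_encrypt, n - 1, 0))
    print("padded key: adversary success =",
          theorem1_adversary_success(padded_encrypt, n - 1, 0, 1))
```

For the OTP the two distributions coincide, so the best $y_0$ has zero gap and the adversary's success is exactly $1/2$. For the padded scheme with $n = 3$ and messages $0$ and $1$, $Y_0$ is uniform on the four strings with low bit $0$ and $Y_1$ on the four with low bit $1$, so the gap at $y_0$ is $1/4$ and the proof's adversary succeeds with probability $1/2 + 1/16 = 9/16$: "a little bit larger than $1/2$", exactly as Theorem 1's proof promises, even though a smarter adversary that just reads the low bit would win every time.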

What about three messages? Suppose that the possible messages are attack, retreat, and stay. Is perfect security still good in this case?

Theorem 2. If $(E, D)$ is perfectly secure, then in the game where the adversary picks three messages $x_1, x_2, x_3$ and then gets $E_k(x_i)$ for random $k$ and $i \leftarrow_R \{1,2,3\}$, the adversary can guess $i$ with probability at most $1/3$.

Proof. The adversary gets the same output distribution no matter what $i$ was. So it gets no information on $i$.

Is this the end of cryptography? We have a simple, efficient, provably unbreakable encryption scheme. What more do we want?

• Use the same key for many messages.
• At a minimum, use an $n$-bit key for $2n$-bit messages.

In the exercise you will show that the natural extension of the one-time-pad to use shorter keys (the "two-time-pad") is not secure.
Limitations of perfect security

Theorem 3. There is no perfectly secret encryption scheme $(E, D)$ with $n$-bit messages and $(n-1)$-bit keys.

Proof. Suppose that $(E, D)$ is such an encryption scheme. Denote by $Y_0$ the distribution $E_{U_{n-1}}(0^n)$ and by $S_0$ its support. Since there are only $2^{n-1}$ possible keys, $|S_0| \le 2^{n-1}$.
Now for every key $k$ the function $E_k(\cdot)$ is one to one and hence its image is of size at least $2^n$. This means that for every $k$ there exists $x$ such that $E_k(x) \notin S_0$. Fix such a $k$ and $x$; then the distribution $E_{U_{n-1}}(x)$ does not have the same support as $Y_0$ and hence it is not identical to it.

Objections to impossibility result. Whenever faced with an impossibility result that says we cannot do something we want, it is a good idea to examine the underlying assumptions behind this result, and see if we can relax these assumptions to still get what we want (or at least something close to that).

Statistical security. Suppose that we allowed the adversary to have a tiny advantage in its a-posteriori guessing probability compared to the a-priori probability.
For example, we can say that a scheme is $\epsilon$-statistically indistinguishable if the probability that the adversary guesses which of the two messages was encrypted is at most $\frac{1}{2} + \epsilon$.
Whenever making a relaxation to a definition, two questions arise: (1) Is the relaxed definition still strong enough for applications? (2) Does the relaxation buy something we could not get with the original definition?
In this case, the answer to (1) is YES: if $\epsilon$ is very small (say $10^{-6}$ or maybe even $10^{-100}$) then $\epsilon$-secure schemes will be just as good as perfectly secure schemes for all practical purposes. Thus, if we could bypass the impossibility result for perfect secrecy using this notion, this would be great.
Unfortunately, we will see that the answer to (2) is NO: we can't have a key shorter than the message even if we relax to statistical security.

Equivalence. It turns out this is again essentially equivalent to a relaxation of perfect secrecy which we call $\epsilon$-statistical secrecy. This means that for every $x, x'$ the distributions $Y_x = E_{U_n}(x)$ and $Y_{x'} = E_{U_n}(x')$, even if not identical, are still within statistical distance at most $\epsilon$.
Definition 1. Let $X$ and $Y$ be two distributions over $\{0,1\}^n$. The statistical distance of $X$ and $Y$, denoted by $\Delta(X, Y)$, is defined to be
$$\max_{T \subseteq \{0,1\}^n} \bigl( \Pr[X \in T] - \Pr[Y \in T] \bigr).$$
If $\Delta(X, Y) \le \epsilon$ we say that $X \equiv_\epsilon Y$.

Lemma 1.
$$\Delta(X, Y) = \frac{1}{2} \sum_{w \in \mathrm{Supp}(X) \cup \mathrm{Supp}(Y)} \bigl| \Pr[X = w] - \Pr[Y = w] \bigr|.$$

Proof. Left as an exercise.

Minimal key size for statistically secure schemes. Unfortunately, statistical security doesn't enable us to get much shorter keys. In fact, if we use just one bit less the adversary can get an advantage of $1/4$ (which we consider huge — remember that we were hoping for $10^{-100}$!). We'll prove the following theorem:

Theorem 4. Let $(E, D)$ be a valid encryption scheme with $E : \{0,1\}^n \times \{0,1\}^{n+1} \to \{0,1\}^*$. Then there exist plaintexts $x_1, x_2$ with $\Delta(Y_{x_1}, Y_{x_2}) > 0.1$.

Proof. In the proof we'll use the following seemingly trivial observation: for a random variable $Y$, if $\mathrm{E}[Y] \le \mu$ then $\Pr[Y \le \mu] > 0$.
Let $x_1 = 0^{n+1}$ and let $S = \mathrm{Supp}(E_{U_n}(x_1))$. Note that $|S| \le 2^n$.
Consider the following experiment: we choose a random message $x \leftarrow_R \{0,1\}^{n+1}$ and define the following $2^n$ random variables: for every $k$, $T_k(x) = 1$ if $E_k(x) \in S$ and $0$ otherwise.
For every $k$, $E_k(\cdot)$ is one to one and hence $\Pr[T_k = 1] \le 1/2$. This means that $\mathrm{E}[T_k] \le 1/2$.
Define $T = \sum_{k \in \{0,1\}^n} T_k$. Then
$$\mathrm{E}[T] = \mathrm{E}\Bigl[\sum_k T_k\Bigr] = \sum_k \mathrm{E}[T_k] \le 2^n/2.$$
This means that $\Pr[T \le 2^n/2] > 0$, or in other words, there exists $x$ such that $\sum_k T_k(x) \le 2^n/2$. This means that for such $x$, at most half of the keys $k$ satisfy $E_k(x) \in S$, or equivalently $\Pr[E_{U_n}(x) \in S] \le 1/2$. Since $\Pr[E_{U_n}(0^{n+1}) \in S] = 1$ we get that
$$\Delta\bigl(E_{U_n}(0^{n+1}), E_{U_n}(x)\bigr) \ge 1/2.$$

This technique — proving the existence of an object with a particular property by proving
that the probability the property is satisfied is positive — is called the probabilistic method.
There’s a beautiful book about it with this name by Alon and Spencer.
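The following Python is an added example, not part of the lecture notes. It computes the statistical distance of Definition 1 in both forms, the maximum over all subsets $T$ and the half-$L_1$ sum of Lemma 1, and checks that they agree on a small pair of distributions. It then walks through the proof of Theorem 4 on a constructed scheme `toy_encrypt` with an $n$-bit key and $(n+1)$-bit message: for each $x$ it computes the fraction of keys with $E_k(x) \in S$, the average over $x$ (which is the bound $\mathrm{E}[T] \le 2^n/2$), picks an $x$ attaining at most the average (the probabilistic-method step), and reports $\Delta(Y_{x_1}, Y_x)$. The toy scheme and all function names are assumptions of this example.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations

# Added example (not from the lecture notes). Strings in {0,1}^m are ints in
# range(2**m); a distribution is a dict {w: Pr[w]} holding exact Fractions.


def statistical_distance_by_sets(X: dict, Y: dict, m: int) -> Fraction:
    """Definition 1 taken literally: max over every T subset of {0,1}^m of
    Pr[X in T] - Pr[Y in T].  Enumerates all 2^(2^m) subsets, so tiny m only."""
    omega = range(2 ** m)
    best = Fraction(0)
    for r in range(len(omega) + 1):
        for T in combinations(omega, r):
            best = max(best, sum(X.get(w, 0) - Y.get(w, 0) for w in T))
    return best


def statistical_distance(X: dict, Y: dict) -> Fraction:
    """Lemma 1: half the L1 distance, summed over Supp(X) union Supp(Y)."""
    return sum(abs(X.get(w, 0) - Y.get(w, 0)) for w in set(X) | set(Y)) / 2


def uniform_distribution(m: int) -> dict:
    """The uniform distribution U_m over {0,1}^m."""
    return {w: Fraction(1, 2 ** m) for w in range(2 ** m)}


def toy_encrypt(k: int, x: int) -> int:
    """Constructed (hypothetical) scheme with an n-bit key and (n+1)-bit message:
    the key is padded with its own parity bit, E_k(x) = x XOR (k || parity(k)).
    For a fixed k this is one-to-one in x, as Theorem 4 requires, and decryption
    is XOR with the same padded key."""
    parity = bin(k).count("1") & 1
    return x ^ ((k << 1) | parity)


def cipher_distribution(n: int, x: int) -> dict:
    """Y_x = E_{U_n}(x): exact distribution over the 2^n keys of the toy scheme."""
    counts = Counter(toy_encrypt(k, x) for k in range(2 ** n))
    return {y: Fraction(c, 2 ** n) for y, c in counts.items()}


def fraction_of_keys_in_support(n: int, x: int, S: set) -> Fraction:
    """(1/2^n) * sum_k T_k(x), where T_k(x) = 1 iff E_k(x) in S (proof of Theorem 4)."""
    return Fraction(sum(toy_encrypt(k, x) in S for k in range(2 ** n)), 2 ** n)


def theorem4_witness(n: int):
    """Follow the proof of Theorem 4 for the toy scheme.

    x1 = 0^{n+1} and S = Supp(Y_{x1}).  Averaging Pr[E_{U_n}(x) in S] over a
    random (n+1)-bit x gives at most 1/2 (this is E[T] <= 2^n/2), so some x
    attains at most 1/2.  Returns that x, its value, the average, and
    Delta(Y_{x1}, Y_x), which the proof shows is at least 1/2.
    """
    Y1 = cipher_distribution(n, 0)
    S = set(Y1)
    per_x = {x: fraction_of_keys_in_support(n, x, S) for x in range(2 ** (n + 1))}
    average = sum(per_x.values()) / len(per_x)
    x = min(per_x, key=per_x.get)   # an x with Pr[E_k(x) in S] <= average
    return x, per_x[x], average, statistical_distance(Y1, cipher_distribution(n, x))


if __name__ == "__main__":
    U = uniform_distribution(3)
    Y0 = cipher_distribution(2, 0)
    print("Delta(U_3, Y_0) via subsets:", statistical_distance_by_sets(U, Y0, 3),
          " via Lemma 1:", statistical_distance(U, Y0))
    x, frac, avg, delta = theorem4_witness(3)
    print(f"n=3: x={x:04b} has Pr[E_k(x) in S]={frac}, average={avg}, Delta={delta}")
```

For this toy scheme the parity of $E_k(x)$ equals the parity of $x$, so $S$ is exactly the even-parity strings, every odd-parity $x$ has $\Pr[E_{U_n}(x) \in S] = 0$, the average over $x$ is exactly $1/2$, and the witness $x$ gives $\Delta = 1$; the proof's bound of $1/2$ and Theorem 4's $0.1$ are both comfortably met. The subset-enumeration version of $\Delta$ is only there to confirm Lemma 1 on a small case; for anything beyond a handful of bits use the half-$L_1$ form.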
