
Chapter 1: Introduction

1.1 Classical Cryptography: Hidden Writing

The word "cryptography" stems from the Greek words kryptós ("hidden") and gráfein ("to write"): cryptography is, literally, hidden writing, the use of a "secret code" to conceal the meaning of a message. Its most basic task, which dates back millennia, is secure communication between two parties. Consider two parties, Alice and Bob. Alice wants to privately send messages (called plaintexts) to Bob over an insecure channel. By an insecure channel we here refer to an "open" and tappable channel; in particular, Alice and Bob would like their privacy to be maintained even in the face of an adversary Eve (for eavesdropper) who listens to all messages sent on the channel. How can this be achieved?

A possible solution. Before starting their communication, Alice and Bob agree on a "secret code" that they will later use to communicate. A secret code consists of a key, an algorithm Enc to encrypt (scramble) plaintext messages into ciphertexts, and an algorithm Dec to decrypt (or descramble) ciphertexts into plaintext messages. Both the encryption and the decryption algorithm require the key to perform their task. Alice can now use the key to encrypt a message and send the resulting ciphertext to Bob; Bob, upon receiving a ciphertext, uses the key to decrypt it and retrieve the original message.

1.1.1 Private-Key Encryption

To formalize the above task, we must consider an additional algorithm, Gen, called the key-generation algorithm; this algorithm is executed by Alice and Bob to generate the key k which they use to encrypt and decrypt messages. The steps involved are illustrated in Figure 2.1: Alice and Bob privately generate the key k using Gen; Alice encrypts the message m as c = Enc_k(m) and sends the ciphertext c to Bob over the insecure channel; Bob decodes the message as m = Dec_k(c); Eve, the eavesdropper, sees c and would like to learn anything she can about m.

[Figure 2.1: Illustration of the steps involved in private-key encryption. The key k is generated privately (e.g. over a "land-line"); the ciphertext c = Enc_k(m) travels over the insecure channel (e.g. the airwaves), where Eve, the eavesdropper, sees only c.]

A first question that needs to be addressed is what information needs to be "public", i.e., known to everyone, and what needs to be "private", i.e., kept secret. In historic approaches, i.e., security by obscurity, all three algorithms (Gen, Enc, Dec) and the generated key k were kept private; the idea was of course that the less information we give to the adversary, the harder it is to break the scheme. A design principle formulated by Kerchoff
in 1884, known as Kerchoff's principle, instead stipulates that the only thing that one should assume to be private is the key k; everything else, including (Gen, Enc, Dec), should be assumed to be public. Why should we do this? Designs of encryption algorithms are often eventually leaked, and when this happens the effects on privacy could be disastrous. Suddenly the scheme might be completely broken; this might even be the case if just a part of the algorithm's description is leaked. The more conservative approach advocated by Kerchoff instead guarantees that security is preserved even if everything but the key is known to the adversary. Furthermore, if a publicly known encryption scheme still has not been broken, this gives us more confidence in its "true" security (rather than if only the few people that designed it were unable to break it). As we will see later, Kerchoff's principle will be the first step to formally defining the security of encryption schemes.

Note that an immediate consequence of Kerchoff's principle is that all of the algorithms (Gen, Enc, Dec) cannot be deterministic; if this were so, then Eve would be able to compute everything that Alice and Bob could compute and would thus be able to decrypt anything that Bob can decrypt. In particular, to prevent this we must require the key generation algorithm, Gen, to be randomized.

Definition 3.2 (Private-key Encryption). The triplet of algorithms (Gen, Enc, Dec) is called a private-key encryption scheme over the message space M and the keyspace K if the following holds:
1. Gen (called the key generation algorithm) is a randomized algorithm that returns a key k such that $k \in K$. We denote by $k \leftarrow \mathrm{Gen}$ the process of generating a key k.
2. Enc (called the encryption algorithm) is a potentially randomized algorithm that on input a key $k \in K$ and a message $m \in M$, outputs a ciphertext c. We denote by $c \leftarrow \mathrm{Enc}_k(m)$ the output of Enc on input key k and message m.
3. Dec (called the decryption algorithm) is a deterministic algorithm that on input a key k and a ciphertext c outputs a message $m \in M \cup \{\bot\}$.
4. For all $m \in M$,

$$\Pr[k \leftarrow \mathrm{Gen} : \mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m] = 1.$$


To simplify notation we also say that (M, K, Gen, Enc, Dec) is a private-key encryption scheme if (Gen, Enc, Dec) is a private-key encryption scheme over the message space M and the keyspace K. To simplify further, we sometimes say that (M, Gen, Enc, Dec) is a private-key encryption scheme if there exists some key space K such that (M, K, Gen, Enc, Dec) is a private-key encryption scheme.

Note that the above definition of a private-key encryption scheme does not specify any secrecy (or privacy) properties; the only non-trivial requirement is that the decryption algorithm Dec uniquely recovers the messages encrypted using Enc (if these algorithms are run on input with the same key $k \in K$). Later, we will return to the task of defining secrecy. However, first, let us provide some historical examples of private-key encryption schemes and colloquially discuss their "security" without any particular definition of secrecy in mind.
1.1.2 Some Historical Ciphers

The Caesar Cipher (named after Julius Caesar, who used it to communicate with his generals) is one of the simplest and best-known private-key encryption schemes. The encryption method consists of replacing each letter in the message with one that is a fixed number of places down the alphabet. More precisely,

Definition 4.3 The Caesar Cipher is defined as follows:
$M = \{A, B, \ldots, Z\}^*$
$K = \{0, 1, 2, \ldots, 25\}$
$\mathrm{Gen} = k$ where $k \leftarrow K$.
$\mathrm{Enc}_k(m_1 m_2 \ldots m_n) = c_1 c_2 \ldots c_n$ where $c_i = m_i + k \bmod 26$
$\mathrm{Dec}_k(c_1 c_2 \ldots c_n) = m_1 m_2 \ldots m_n$ where $m_i = c_i - k \bmod 26$

In other words, encryption is a cyclic shift of k on each letter in the message and the decryption is a cyclic shift of −k. We leave it for the reader to verify the following proposition.
Proposition 5.4 The Caesar Cipher is a private-key encryption scheme.

At first glance, messages encrypted using the Caesar Cipher look "scrambled" (unless k is known). However, to break the scheme we just need to try all 26 different values of k (which is easily done) and see if the resulting plaintext is "readable". If the message is relatively long, the scheme is easily broken. To prevent this simple brute-force attack, let us modify the scheme. In the improved Substitution Cipher we replace letters in the message based on an arbitrary permutation over the alphabet (and not just cyclic shifts as in the Caesar Cipher).
Definition 5.5 The Substitution Cipher is defined as follows:
$M = \{A, B, \ldots, Z\}^*$
$K =$ the set of permutations of $\{A, B, \ldots, Z\}$
$\mathrm{Gen} = k$ where $k \leftarrow K$.
$\mathrm{Enc}_k(m_1 \ldots m_n) = c_1 \ldots c_n$ where $c_i = k(m_i)$
$\mathrm{Dec}_k(c_1 c_2 \ldots c_n) = m_1 m_2 \ldots m_n$ where $m_i = k^{-1}(c_i)$

Proposition 5.6 The Substitution Cipher is a private-key encryption scheme.

To attack the substitution cipher we can no longer perform the brute-force attack because there are now 26! possible keys. However, if the encrypted message is sufficiently long, the key can still be recovered by performing a careful frequency analysis of the alphabet in the English language.

So what do we do next? Try to patch the scheme again?
Indeed, cryptography historically progressed according to the following "crypto-cycle":
1. A, the "artist", invents an encryption scheme.
2. A claims (or even mathematically proves) that known attacks do not work.
3. The encryption scheme gets employed widely (often in critical situations).
4. The scheme eventually gets broken by improved attacks.
5. Restart, usually with a patch to prevent the previous attack.

Thus, historically, the main job of a cryptographer was cryptanalysis, namely, trying to break an encryption scheme. Cryptanalysis is still an important field of research; however, the philosophy of modern theoretical cryptography is instead "if we can do the cryptography part right, there is no need for cryptanalysis".
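The two historical ciphers above, with the two observations the text makes about them (26 keys can be tried one by one; a permutation key cannot, but the cipher preserves letter frequencies), as an added worked example in Python. This is not code from the book or the course; the "readable" test is a constructed heuristic (a count of a few common English words) that stands in for a human reading the 26 candidates, and the sample plaintext is constructed.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# --- Caesar Cipher (Definition 4.3): K = {0, ..., 25}, c_i = m_i + k mod 26 ---
def caesar_gen():
    return random.randrange(26)

def caesar_enc(k, m):
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in m)

def caesar_dec(k, c):
    return "".join(ALPHABET[(ALPHABET.index(ch) - k) % 26] for ch in c)

# --- Substitution Cipher (Definition 5.5): K = all permutations of the alphabet ---
def subst_gen():
    perm = list(ALPHABET)
    random.shuffle(perm)
    return dict(zip(ALPHABET, perm))      # k maps plaintext letter -> ciphertext letter

def subst_enc(k, m):
    return "".join(k[ch] for ch in m)

def subst_dec(k, c):
    inv = {v: a for a, v in k.items()}    # k^{-1}
    return "".join(inv[ch] for ch in c)

def keyspace_sizes():
    """|K| for the two ciphers: 26 versus 26! (why brute force stops working)."""
    return 26, math.factorial(26)

# Brute force over the 26 Caesar keys. "Readable" is judged by a constructed
# heuristic (an assumption of this example): how many common English words
# the candidate plaintext contains.
COMMON_WORDS = ("THE", "AND", "TO", "OF", "IN", "IS", "THAT", "MEET", "AT")

def english_score(text):
    return sum(text.count(w) for w in COMMON_WORDS)

def caesar_brute_force(c):
    """Try every key and return the one whose decryption looks most like English."""
    scored = [(english_score(caesar_dec(k, c)), k) for k in range(26)]
    return max(scored)[1]

# Frequency analysis: a substitution cipher maps each letter to a fixed letter,
# so the most frequent ciphertext letter is k applied to the most frequent
# plaintext letter (for long English text, typically E).
def most_frequent_letter(text):
    return Counter(text).most_common(1)[0][0]

if __name__ == "__main__":
    m = "MEETMEATTHEBRIDGEATTHREE"          # constructed sample plaintext
    k = caesar_gen()
    print("Caesar key", k, "recovered as", caesar_brute_force(caesar_enc(k, m)))
    print("keyspace sizes:", keyspace_sizes())
    p = subst_gen()
    print("most frequent ciphertext letter", most_frequent_letter(subst_enc(p, m)),
          "= k(E)?", most_frequent_letter(subst_enc(p, m)) == p["E"])
```

The brute-force loop is exactly the "try all 26 values of k" attack of the text; for the Substitution Cipher the same loop would have to visit 26! keys, which is why the text turns to frequency analysis instead.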

1.2 Modern Cryptography: Provable Security

Modern Cryptography is the transition from cryptography as an art to cryptography as a principle-driven science. Instead of inventing ingenious ad-hoc schemes, modern cryptography relies on the following paradigms:

Providing mathematical definitions of security.

Providing precise mathematical assumptions (e.g. "factoring is hard", where hard is formally defined). These can be viewed as axioms.

Providing proofs of security, i.e., proving that, if some particular scheme can be broken, then it contradicts an assumption (or axiom). In other words, if the assumptions were true, the scheme cannot be broken.

This is the approach that we develop in this course.

As we shall see, despite its conservative nature, we will succeed in obtaining solutions to paradoxical problems that reach far beyond the original problem of secure communication.

1.2.1 Beyond Secure Communication

In the original motivating problem of secure communication, we had two honest parties, Alice and Bob, and a malicious eavesdropper Eve. Suppose Alice and Bob in fact do not trust each other but wish to perform some joint computation. For instance, Alice and Bob each have a (private) list and wish to find the intersection of the two lists without revealing anything else about the contents of their lists. Such a situation arises, for example, when two financial institutions wish to determine their "common risk exposure" but do not want to reveal anything else about their investments. One solution would be to have a trusted third party (e.g., a bank or a computation center) perform the computation and reveal only the answer to both parties. But such a trusted party is not always available. Modern cryptography instead provides techniques, known as secure two-party (and, more generally, multi-party) computation, that allow Alice and Bob to compute the answer while keeping their inputs private and without relying on a trusted party.

Secure two-party computation. More generally, Alice and Bob, holding private inputs a and b respectively, wish to compute some function f(a, b) of their inputs. Informally, a secure two-party computation protocol lets them do so while guaranteeing, under precise mathematical assumptions (such as "factoring is hard"), that the computation is performed correctly and that neither party learns anything about the other's input beyond what the answer f(a, b) reveals; this holds even if one of the parties is malicious and deviates from the prescribed protocol. Two situations in which this notion is useful:

Elections: each voter wants their vote to be counted correctly while the vote itself remains private; electronic elections can be performed using secure multi-party computation without a trusted counting center.

Match-making: Alice and Bob each want to find out whether the other loves them, but only in the case that they both do, so that a party who is not loved back learns nothing about the other's choice. We illustrate this "toy example" with a protocol that uses physical cards.

We now describe the match-making problem in more detail. Alice and Bob each have a private input, LOVE or NO-LOVE. They want to find out whether there is a MATCH (both love) without either of them revealing their input if the other does not love them; in particular, if Bob does not love Alice, he should not learn whether Alice loves him (revealing this could change his future chances of making her love him). Stating it formally, if LOVE and NO-LOVE were the inputs and MATCH and NO-MATCH were the outputs, the function they want to compute is:

$$f(\text{LOVE}, \text{LOVE}) = \text{MATCH}$$
$$f(\text{LOVE}, \text{NO-LOVE}) = \text{NO-MATCH}$$
$$f(\text{NO-LOVE}, \text{LOVE}) = \text{NO-MATCH}$$
$$f(\text{NO-LOVE}, \text{NO-LOVE}) = \text{NO-MATCH}$$

Note that the function f is simply an AND gate.

The protocol: Assume that Alice and Bob have access to five cards, three identical hearts (♥) and two identical clubs (♣). Alice and Bob each get one heart and one club and the remaining heart is put on the table face-down.

Next Alice and Bob also place their cards on the table, also turned over. Alice places her two cards on the left of the heart which is already on the table, and Bob places his two cards on the right of the heart. The order in which Alice and Bob place their two cards depends on their input as follows. If Alice loves, then Alice places her cards as ♣♥; otherwise she places them as ♥♣. Bob on the other hand places his cards in the opposite order: if he loves, he places ♥♣, and otherwise places ♣♥. These orders are illustrated in Fig. 1.

When all cards have been placed on the table, the cards are piled up. Alice and Bob then each take turns to privately cut the pile of cards once each so that the other person does not see how the cut is made. Finally, all cards are revealed. If there are three hearts in a row then there is a match and no-match otherwise.

Analyzing the protocol: We proceed to analyze the above protocol. Given inputs for Alice and Bob, the configuration of cards on the table before the cuts is described in Fig. 2. Only the first case, i.e., (LOVE, LOVE), results in three hearts in a row. Furthermore this property is not changed by the cyclic shift induced by the cuts made by Alice and Bob. We conclude that the protocol correctly computes the desired function.

[Figure 9.1: Illustration of the Match game with Cards. Alice's inputs LOVE / NO-LOVE and Bob's inputs LOVE / NO-LOVE determine the order of each party's two cards.]

[Figure 9.2: The possible outcomes of the Match Protocol for the inputs (LOVE, LOVE), (NO-LOVE, LOVE), (LOVE, NO-LOVE) and (NO-LOVE, NO-LOVE). In case of a mismatch, all three outcomes are cyclic shifts of one another.]

In the remaining three cases (when the protocol outputs NO-MATCH), all the above configurations are cyclic shifts of one another. If one of Alice and Bob is honest, and indeed performs a random cut, the final card configuration is identically distributed no matter which of the three initial cases we started from. Thus, even if one of Alice and Bob tries to deviate in the protocol (by not performing a random cut), the privacy of the other party is still maintained.
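The card protocol and both halves of its analysis (correctness for all four inputs; identical final distributions in the three NO-MATCH cases even when one party's cut is not random), simulated exhaustively as an added example in Python. This is not code from the book; cards are encoded as the letters H and C, a cut is modelled as a cyclic shift of the pile, and "three hearts in a row" is read cyclically, which is what the cyclic-shift argument in the analysis relies on.

```python
import random
from itertools import product

HEART, CLUB = "H", "C"
LOVE, NO_LOVE = "LOVE", "NO-LOVE"
MATCH, NO_MATCH = "MATCH", "NO-MATCH"

def f(a, b):
    """The function the parties want to compute: an AND gate on (LOVE, LOVE)."""
    return MATCH if (a, b) == (LOVE, LOVE) else NO_MATCH

def initial_layout(alice, bob):
    """Cards on the table before the cuts: Alice's pair, the face-down heart, Bob's pair.
    Alice: LOVE -> club,heart ; NO-LOVE -> heart,club.  Bob uses the opposite order."""
    alice_pair = [CLUB, HEART] if alice == LOVE else [HEART, CLUB]
    bob_pair = [HEART, CLUB] if bob == LOVE else [CLUB, HEART]
    return alice_pair + [HEART] + bob_pair

def cut(pile, offset):
    """A cut of the pile is a cyclic shift by `offset` positions."""
    return pile[offset:] + pile[:offset]

def three_hearts_in_a_row(pile):
    """'In a row' is read cyclically, since cuts only rotate the pile."""
    n = len(pile)
    return any(all(pile[(i + j) % n] == HEART for j in range(3)) for i in range(n))

def run_protocol(alice, bob, rng=random):
    pile = initial_layout(alice, bob)
    pile = cut(pile, rng.randrange(len(pile)))   # Alice's private random cut
    pile = cut(pile, rng.randrange(len(pile)))   # Bob's private random cut
    return MATCH if three_hearts_in_a_row(pile) else NO_MATCH

def correctness_check(trials=50):
    """Correctness: the revealed pile computes f for every input pair, whatever the cuts."""
    return all(run_protocol(a, b) == f(a, b)
               for a, b in product([LOVE, NO_LOVE], repeat=2) for _ in range(trials))

def reachable_outcomes(alice, bob, cheater_offset):
    """Final piles when one party cuts with a fixed (non-random) offset and the other
    party cuts uniformly at random: the five rotations of the layout."""
    base = cut(initial_layout(alice, bob), cheater_offset)
    return sorted("".join(cut(base, r)) for r in range(5))

def privacy_check():
    """Privacy: in the three NO-MATCH cases the final configuration is uniform over
    the same five rotations, whichever case we started from and however the
    deviating party cut, so the honest party's input is not revealed."""
    no_match_cases = [(LOVE, NO_LOVE), (NO_LOVE, LOVE), (NO_LOVE, NO_LOVE)]
    outcome_sets = {tuple(reachable_outcomes(a, b, d))
                    for a, b in no_match_cases for d in range(5)}
    return len(outcome_sets) == 1

if __name__ == "__main__":
    print("correct on all inputs:", correctness_check())
    print("NO-MATCH outcomes indistinguishable:", privacy_check())
```

`privacy_check` is the exact version of the argument in the text: it does not sample cuts but enumerates every rotation, so the equality of the three outcome sets is established for every possible deviation by the cheating party.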

Zero-knowledge proofs

Zero knowledge proofs are a special case of a secure computation. Informally, in a Zero Knowledge Proof there are two parties, Alice and Bob. Alice wants to convince Bob that some statement is true; for instance, Alice wants to convince Bob that a number N is a product of two primes p, q. A trivial solution would be for Alice to send p and q to Bob. Bob can then check that p and q are primes (we will see later in the course how this can be done) and next multiply the numbers to check if their product is N. But this solution reveals p and q. Is this necessary? It turns out that the answer is no. Using a zero-knowledge proof Alice can convince Bob of this statement without revealing the factors p and q.

1.3 Shannon's Treatment of Provable Secrecy

Modern (provable) cryptography started when Claude Shannon formalized the notion of private-key encryption. Thus, let us return to our original problem of securing communication between Alice and Bob.

1.3.1 Shannon Secrecy

As a first attempt, we might consider the following notion of security:

The adversary cannot learn (all or part of) the key from the ciphertext.

The problem, however, is that such a notion does not make any guarantees about what the adversary can learn about the plaintext message. Another approach might be:

The adversary cannot learn (all, part of, any letter of, any function of, or any partial information about) the plaintext.

This seems like quite a strong notion. In fact, it is too strong because the adversary may already possess some partial information about the plaintext that is acceptable to reveal. Informed by these attempts, we take as our intuitive definition of security:

Given some a priori information, the adversary cannot learn any additional information about the plaintext by observing the ciphertext.
Such a notion of secrecy was formalized by Claude Shannon in 1949 [Sha49] in his seminal paper that started the modern study of cryptography.

Definition 11.1 (Shannon secrecy). (M, K, Gen, Enc, Dec) is said to be a private-key encryption scheme that is Shannon-secret with respect to the distribution D over the message space M if for all $m' \in M$ and for all c,

$$\Pr[k \leftarrow \mathrm{Gen};\, m \leftarrow D : m = m' \mid \mathrm{Enc}_k(m) = c] = \Pr[m \leftarrow D : m = m'].$$

An encryption scheme is said to be Shannon secret if it is Shannon secret with respect to all distributions D over M.

The probability is taken with respect to the random output of Gen, the choice of m and the random coins used by algorithm Enc. The quantity on the left represents the adversary's a posteriori distribution on plaintexts after observing a ciphertext; the quantity on the right, the a priori distribution. Since these distributions are required to be equal, this definition requires that the adversary does not gain any additional information by observing the ciphertext.

1.3.2 Perfect Secrecy

To gain confidence that our definition is the right one, we also provide an alternative approach to defining security of encryption schemes. The notion of perfect secrecy requires that the distributions of ciphertexts for any two messages are identical. This formalizes our intuition that the ciphertexts carry no information about the plaintext.

Definition 11.2 (Perfect Secrecy). A tuple (M, K, Gen, Enc, Dec) is said to be a private-key encryption scheme that is perfectly secret if for all $m_1$ and $m_2$ in M, and for all c,

$$\Pr[k \leftarrow \mathrm{Gen} : \mathrm{Enc}_k(m_1) = c] = \Pr[k \leftarrow \mathrm{Gen} : \mathrm{Enc}_k(m_2) = c].$$


Notice that perfect secrecy seems like a simpler notion. There is no mention of "a priori" information, and therefore no need to specify a distribution over the message space. Similarly, there is no conditioning on the ciphertext. The definition simply requires that for every pair of messages, the probabilities that either message maps to a given ciphertext c must be equal. Perfect security is syntactically simpler than Shannon security, and thus easier to work with. Fortunately, as the following theorem demonstrates, Shannon Secrecy and Perfect Secrecy are equivalent notions.

Theorem 12.3 A private-key encryption scheme is perfectly secret if and only if it is Shannon secret.

Proof. We prove each implication separately. To simplify the notation, we introduce the following abbreviations. Let $\Pr_k[\cdot]$ denote $\Pr[k \leftarrow \mathrm{Gen} : \cdot]$, $\Pr_m[\cdot]$ denote $\Pr[m \leftarrow D : \cdot]$, and $\Pr_{k,m}[\cdot]$ denote $\Pr[k \leftarrow \mathrm{Gen};\, m \leftarrow D : \cdot]$.

Perfect secrecy implies Shannon secrecy. The intuition is that if, for any two pairs of messages, the probability that either of the messages encrypts to a given ciphertext must be equal, then it is also true for the pair m and m' in the definition of Shannon secrecy. Thus, the ciphertext does not "leak" any information, and the a priori and a posteriori information about the message must be equal.

Suppose the scheme (M, K, Gen, Enc, Dec) is perfectly secret. Consider any distribution D over M, any message $m' \in M$, and any ciphertext c. We show that

$$\Pr_{k,m}[m = m' \mid \mathrm{Enc}_k(m) = c] = \Pr_m[m = m'].$$

By the definition of conditional probabilities, the left hand side of the above equation can be rewritten as

$$\frac{\Pr_{k,m}[m = m' \cap \mathrm{Enc}_k(m) = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]}$$

which can be re-written as

$$\frac{\Pr_{k,m}[m = m' \cap \mathrm{Enc}_k(m') = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]}$$

and expanded to

$$\frac{\Pr_m[m = m'] \cdot \Pr_k[\mathrm{Enc}_k(m') = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]}.$$

The central idea behind the proof is to show that

$$\Pr_{k,m}[\mathrm{Enc}_k(m) = c] = \Pr_k[\mathrm{Enc}_k(m') = c]$$

which establishes the result. To begin, rewrite the left-hand side:

$$\Pr_{k,m}[\mathrm{Enc}_k(m) = c] = \sum_{m'' \in M} \Pr_m[m = m''] \cdot \Pr_k[\mathrm{Enc}_k(m'') = c].$$

By perfect secrecy, the last term can be replaced to get:

$$\sum_{m'' \in M} \Pr_m[m = m''] \cdot \Pr_k[\mathrm{Enc}_k(m') = c].$$

This last term can now be moved out of the summation and simplified as:

$$\Pr_k[\mathrm{Enc}_k(m') = c] \cdot \sum_{m'' \in M} \Pr_m[m = m''] = \Pr_k[\mathrm{Enc}_k(m') = c].$$

Shannon secrecy implies perfect secrecy. In this case, the intuition is that Shannon secrecy holds for all distributions D; thus, it must also hold for the special cases when D only chooses between two given messages.

Suppose the scheme (M, K, Gen, Enc, Dec) is Shannon-secret. Consider $m_1, m_2 \in M$, and any ciphertext c. Let D be the uniform distribution over $\{m_1, m_2\}$. We show that

$$\Pr_k[\mathrm{Enc}_k(m_1) = c] = \Pr_k[\mathrm{Enc}_k(m_2) = c].$$

The definition of D implies that $\Pr_m[m = m_1] = \Pr_m[m = m_2] = \frac{1}{2}$. It therefore follows by Shannon secrecy that

$$\Pr_{k,m}[m = m_1 \mid \mathrm{Enc}_k(m) = c] = \Pr_{k,m}[m = m_2 \mid \mathrm{Enc}_k(m) = c].$$

By the definition of conditional probability,

$$\Pr_{k,m}[m = m_1 \mid \mathrm{Enc}_k(m) = c] = \frac{\Pr_{k,m}[m = m_1 \cap \mathrm{Enc}_k(m) = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]} = \frac{\Pr_m[m = m_1] \cdot \Pr_k[\mathrm{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]} = \frac{\frac{1}{2} \Pr_k[\mathrm{Enc}_k(m_1) = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]}.$$

Analogously,

$$\Pr_{k,m}[m = m_2 \mid \mathrm{Enc}_k(m) = c] = \frac{\frac{1}{2} \Pr_k[\mathrm{Enc}_k(m_2) = c]}{\Pr_{k,m}[\mathrm{Enc}_k(m) = c]}.$$

Cancelling and rearranging terms, we conclude that

$$\Pr_k[\mathrm{Enc}_k(m_1) = c] = \Pr_k[\mathrm{Enc}_k(m_2) = c].$$

1.3.3 The One-Time Pad

Given our definition of security, we now consider whether perfectly-secure encryption schemes exist. Both of the encryption schemes we have analyzed so far (i.e., the Caesar and Substitution ciphers) are secure as long as we only consider messages of length 1. However, when considering messages of length 2 (or more) the schemes are no longer secure; in fact, it is easy to see that encryptions of the strings AA and AB have disjoint distributions, thus violating perfect secrecy (prove this).

Nevertheless, this suggests that we might obtain perfect secrecy by somehow adapting these schemes to operate on each element of a message independently. This is the intuition behind the one-time pad encryption scheme, invented by Gilbert Vernam in 1917 and Joseph Mauborgne in 1919.

Definition 15.4 The One-Time Pad encryption scheme is described by the following 5-tuple (M, K, Gen, Enc, Dec):
$M = \{0, 1\}^n$
$K = \{0, 1\}^n$
$\mathrm{Gen} = k = k_1 k_2 \ldots k_n \leftarrow \{0, 1\}^n$
$\mathrm{Enc}_k(m_1 m_2 \ldots m_n) = c_1 c_2 \ldots c_n$ where $c_i = m_i \oplus k_i$
$\mathrm{Dec}_k(c_1 c_2 \ldots c_n) = m_1 m_2 \ldots m_n$ where $m_i = c_i \oplus k_i$

The operator $\oplus$ represents the binary xor operation.

Proposition 15.5 The One-Time Pad is a perfectly secure private-key encryption scheme.

Proof. It is straightforward to verify that the One-Time Pad is a private-key encryption scheme. We turn to show that the One-Time Pad is perfectly secret and begin by showing the following claims.

Claim 15.6 For any $c, m \in \{0, 1\}^n$,
$$\Pr[k \leftarrow \{0, 1\}^n : \mathrm{Enc}_k(m) = c] = 2^{-n}$$

Claim 15.7 For any $c \notin \{0, 1\}^n$, $m \in \{0, 1\}^n$,
$$\Pr[k \leftarrow \{0, 1\}^n : \mathrm{Enc}_k(m) = c] = 0$$

Claim 15.6 follows from the fact that for any $m, c \in \{0, 1\}^n$, there is only one k such that $\mathrm{Enc}_k(m) = m \oplus k = c$, namely $k = m \oplus c$. Claim 15.7 follows from the fact that for every $k \in \{0, 1\}^n$, $\mathrm{Enc}_k(m) = m \oplus k \in \{0, 1\}^n$. From the claims we conclude that for any $m_1, m_2 \in \{0, 1\}^n$ and every c, it holds that
$$\Pr[k \leftarrow \{0, 1\}^n : \mathrm{Enc}_k(m_1) = c] = \Pr[k \leftarrow \{0, 1\}^n : \mathrm{Enc}_k(m_2) = c]$$
which concludes the proof.
So perfect secrecy is obtainable. But at what cost? When Alice and Bob meet to generate a key, they must generate one that is as long as all the messages they will send until the next time they meet. Unfortunately, this is not a consequence of the design of the One-Time Pad, but rather of perfect secrecy, as demonstrated by Shannon's famous theorem.
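Perfect secrecy (Definition 11.2) is a statement about finite probability distributions, so for small parameters it can be checked exactly by enumeration. The following added example, which is not code from the book, does that for the two cases discussed in 1.3.3 and for the One-Time Pad: it computes $\Pr[k \leftarrow \mathrm{Gen} : \mathrm{Enc}_k(m) = c]$ for every message and ciphertext with exact fractions (Gen is taken to be uniform over K, as in the schemes above), confirms that the Caesar Cipher is perfectly secret for length-1 messages but not for length-2 messages (the AA / AB exercise), and verifies Claim 15.6 for the One-Time Pad. Bit strings are represented as integers.

```python
from fractions import Fraction
from itertools import product

# A scheme is modelled by a finite key space and a deterministic Enc.
# Gen is the uniform distribution over K, so
#   Pr[k <- Gen : Enc_k(m) = c] = |{k : Enc_k(m) = c}| / |K|.

def enc_distribution(keys, enc, m):
    """Exact distribution of Enc_k(m) over a uniformly random key k."""
    counts = {}
    for k in keys:
        c = enc(k, m)
        counts[c] = counts.get(c, 0) + 1
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def is_perfectly_secret(keys, enc, messages):
    """Definition 11.2: every pair of messages induces the same ciphertext distribution."""
    dists = [enc_distribution(keys, enc, m) for m in messages]
    return all(d == dists[0] for d in dists)

# --- Caesar Cipher (Definition 4.3) over strings of capital letters ---
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def caesar_enc(k, m):
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in m)

def caesar_secret_for_length(n):
    """Restrict M to messages of exactly n letters and test perfect secrecy."""
    messages = ["".join(t) for t in product(ALPHABET, repeat=n)]
    return is_perfectly_secret(range(26), caesar_enc, messages)

def caesar_aa_ab_disjoint():
    """The 'prove this' exercise: the ciphertext distributions of AA and AB
    have disjoint supports (AA only yields repeated letters, AB never does)."""
    aa = set(enc_distribution(range(26), caesar_enc, "AA"))
    ab = set(enc_distribution(range(26), caesar_enc, "AB"))
    return aa.isdisjoint(ab)

# --- One-Time Pad (Definition 15.4) over n-bit strings, encoded as ints ---
def otp_enc(k, m):
    return k ^ m                      # bitwise xor of key and message

def otp_secret(n):
    return is_perfectly_secret(range(2 ** n), otp_enc, range(2 ** n))

def otp_claim_15_6(n):
    """Claim 15.6: for every m, every c in {0,1}^n has probability exactly 2^-n."""
    uniform = {c: Fraction(1, 2 ** n) for c in range(2 ** n)}
    return all(enc_distribution(range(2 ** n), otp_enc, m) == uniform
               for m in range(2 ** n))

if __name__ == "__main__":
    print("Caesar, length 1:", caesar_secret_for_length(1))
    print("Caesar, length 2:", caesar_secret_for_length(2))
    print("AA and AB disjoint:", caesar_aa_ab_disjoint())
    print("OTP, n=3:", otp_secret(3), "Claim 15.6:", otp_claim_15_6(3))
```

Because the check is exhaustive it only scales to toy parameters, but that is enough to see the definition at work: for the Caesar Cipher with two-letter messages the distributions differ on their supports, exactly the failure the text asks the reader to prove.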

1.3.4 Shannon's Theorem

Theorem 16.8 (Shannon) If scheme (M, K, Gen, Enc, Dec) is a perfectly secret private-key encryption scheme, then $|K| \ge |M|$.

Proof. Assume there exists a perfectly secret private-key encryption scheme (M, K, Gen, Enc, Dec) such that $|K| < |M|$. Take any $m_1 \in M$, $k \in K$, and let $c \leftarrow \mathrm{Enc}_k(m_1)$. Let $\mathrm{Dec}(c)$ denote the set $\{m \mid \exists k \in K \text{ such that } m = \mathrm{Dec}_k(c)\}$ of all possible decryptions of c under all possible keys. Since the algorithm Dec is deterministic, this set has size at most $|K|$. But since $|M| > |K|$ there exists some message $m_2$ not in $\mathrm{Dec}(c)$. By the definition of a private encryption scheme it follows that
$$\Pr[k \leftarrow K : \mathrm{Enc}_k(m_2) = c] = 0$$
But since
$$\Pr[k \leftarrow K : \mathrm{Enc}_k(m_1) = c] > 0$$
we conclude that

$$\Pr[k \leftarrow K : \mathrm{Enc}_k(m_1) = c] \neq \Pr[k \leftarrow K : \mathrm{Enc}_k(m_2) = c]$$

which contradicts the hypothesis that (M, K, Gen, Enc, Dec) is a perfectly secret private-key scheme.

Note that the proof of Shannon's theorem in fact describes an attack on every private-key encryption scheme for which $|M| > |K|$. It follows that for any such encryption scheme there exist $m_1, m_2 \in M$ and a constant $\varepsilon > 0$ such that

$$\Pr[k \leftarrow K;\, \mathrm{Enc}_k(m_1) = c : m_1 \in \mathrm{Dec}(c)] = 1$$
but
$$\Pr[k \leftarrow K;\, \mathrm{Enc}_k(m_1) = c : m_2 \in \mathrm{Dec}(c)] < 1 - \varepsilon$$

The first equation follows directly from the definition of private-key encryption, whereas the second equation follows from the fact that (by the proof of Shannon's theorem) there exists some key k for which $\mathrm{Enc}_k(m_1) = c$, but $m_2 \notin \mathrm{Dec}(c)$. Consider, now, a scenario where Alice uniformly picks a message m from $\{m_1, m_2\}$ and sends the encryption of m to Bob. We claim that Eve, having seen the encryption c of m, can guess whether $m = m_1$ or $m = m_2$ with probability higher than 1/2. Eve, upon receiving c, simply checks if $m_2 \in \mathrm{Dec}(c)$. If $m_2 \notin \mathrm{Dec}(c)$, Eve guesses that $m = m_1$; otherwise she makes a random guess.

How well does this attack work? If Alice sent the message $m = m_2$ then $m_2 \in \mathrm{Dec}(c)$ and Eve will guess correctly with probability 1/2. If, on the other hand, Alice sent $m = m_1$, then with probability $\varepsilon$, $m_2 \notin \mathrm{Dec}(c)$ and Eve will guess correctly with probability 1, whereas with probability $1 - \varepsilon$ Eve will make a random guess, and thus will be correct with probability 1/2. We conclude that Eve's success probability is

$$\Pr[m = m_2] \cdot \tfrac{1}{2} + \Pr[m = m_1] \cdot \left(\varepsilon \cdot 1 + (1 - \varepsilon) \cdot \tfrac{1}{2}\right) = \tfrac{1}{2} + \tfrac{\varepsilon}{4}.$$

Thus we have exhibited a concise attack for Eve which allows her to guess which message Alice sends with probability better than 1/2.

A possible critique against this attack is that if $\varepsilon$ is very small (e.g., $2^{-100}$), then the effectiveness of this attack is limited. However, the following stronger version of Shannon's theorem shows that even if the key is only one bit shorter than the message, then $\varepsilon = 1/2$, and so the attack succeeds with probability 5/8.
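The attack in the proof above, carried out exactly on a constructed toy scheme, as an added example that is not code from the book. The scheme is an assumption of this example: n-bit messages encrypted with an (n−1)-bit key by xoring $m$ with $k\,\|\,0$ (a one-time pad whose last key bit is always 0), so $|K| < |M|$. The code builds $\mathrm{Dec}(c)$ by trying every key, computes $\varepsilon = \Pr[m_2 \notin \mathrm{Dec}(c)]$ for a chosen pair, and evaluates Eve's success probability by enumeration, which matches the closed form $\tfrac{1}{2} + \tfrac{\varepsilon}{4}$ from the text. It also shows the $|K|$ decryptions the attack costs, the point the text makes about its running time.

```python
from fractions import Fraction

def make_short_key_scheme(n):
    """Constructed toy scheme (assumption, not from the text) with |K| < |M|:
    messages are n-bit, keys are (n-1)-bit, Enc_k(m) = m XOR (k || 0)."""
    keys = range(2 ** (n - 1))
    def enc(k, m):
        return m ^ (k << 1)
    def dec(k, c):
        return c ^ (k << 1)
    return keys, enc, dec

def dec_set(keys, dec, c):
    """Dec(c) = { Dec_k(c) : k in K }, every message c could decrypt to.
    Building it costs |K| decryptions: 2^(n-1) here, infeasible for real key sizes."""
    return {dec(k, c) for k in keys}

def epsilon(keys, enc, dec, m1, m2):
    """epsilon = Pr[k <- K; c = Enc_k(m1) : m2 not in Dec(c)], computed exactly."""
    misses = sum(1 for k in keys if m2 not in dec_set(keys, dec, enc(k, m1)))
    return Fraction(misses, len(keys))

def eve_success(keys, enc, dec, m1, m2):
    """Exact success probability of Eve's strategy: Alice picks m uniformly from
    {m1, m2}; Eve answers m1 if m2 not in Dec(c), otherwise guesses at random."""
    total = Fraction(0)
    for m in (m1, m2):                          # Pr[m = m1] = Pr[m = m2] = 1/2
        for k in keys:                          # k uniform over K
            c = enc(k, m)
            if m2 not in dec_set(keys, dec, c):
                p_correct = Fraction(1) if m == m1 else Fraction(0)
            else:
                p_correct = Fraction(1, 2)
            total += Fraction(1, 2) * Fraction(1, len(keys)) * p_correct
    return total

def predicted_success(eps):
    """The closed form derived in the text: 1/2 + epsilon/4."""
    return Fraction(1, 2) + eps / 4

if __name__ == "__main__":
    keys, enc, dec = make_short_key_scheme(4)
    m1, m2 = 0b0000, 0b0001                     # differ in the bit the key never touches
    eps = epsilon(keys, enc, dec, m1, m2)
    print("epsilon =", eps, " Eve succeeds with probability",
          eve_success(keys, enc, dec, m1, m2), "=", predicted_success(eps))
```

For this scheme $\mathrm{Dec}(c)$ is exactly the set of messages whose last bit agrees with c, so for a pair differing in the last bit $\varepsilon = 1$ and Eve is right with probability 3/4, while for a pair that agrees on that bit $\varepsilon = 0$ and she does no better than 1/2. Which pair works depends on the scheme; the theorem only promises that some pair does.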

Theorem 17.9 Let (M, K, Gen, Enc, Dec) be a private-key encryption scheme where $M = \{0, 1\}^n$ and $K = \{0, 1\}^{n-1}$. Then, there exist messages $m_0, m_1 \in M$ such that

$$\Pr[k \leftarrow K;\, \mathrm{Enc}_k(m_0) = c : m_1 \in \mathrm{Dec}(c)] \le \tfrac{1}{2}$$

Proof. Given $c \leftarrow \mathrm{Enc}_k(m)$ for some key $k \in K$ and message $m \in M$, consider the set $\mathrm{Dec}(c)$. Since Dec is deterministic it follows that $|\mathrm{Dec}(c)| \le |K| = 2^{n-1}$. Thus, for all $m_1 \in M$ and $k \in K$,

$$\Pr[m' \leftarrow \{0, 1\}^n;\, c \leftarrow \mathrm{Enc}_k(m_1) : m' \in \mathrm{Dec}(c)] \le \frac{2^{n-1}}{2^n} = \frac{1}{2}.$$

Since the above probability is bounded by 1/2 for every key $k \in K$, this must also hold for a random $k \leftarrow \mathrm{Gen}$:

$$\Pr[m' \leftarrow \{0, 1\}^n;\, k \leftarrow \mathrm{Gen};\, c \leftarrow \mathrm{Enc}_k(m_1) : m' \in \mathrm{Dec}(c)] \le \tfrac{1}{2} \qquad (17.2)$$

Additionally, since the bound holds for a random message m', there must exist some particular message $m_2$ that minimizes the probability. In other words, for every message $m_1 \in M$, there exists some message $m_2 \in M$ such that

$$\Pr[k \leftarrow \mathrm{Gen};\, c \leftarrow \mathrm{Enc}_k(m_1) : m_2 \in \mathrm{Dec}(c)] \le \tfrac{1}{2}.$$

Thus, by Theorem 17.9, we conclude that if the key length is only one bit shorter than the message length, there exist messages $m_1$ and $m_2$ such that Eve's success probability is $1/2 + 1/8 = 5/8$.

Remark 18.10 Note that the theorem is stronger than stated. In fact, we showed that for every $m_1 \in M$, there exists some string $m_2$ that satisfies the desired condition. We also mention that if we content ourselves with getting a bound of $\varepsilon = 1/4$, the above proof actually shows that for every $m_1 \in M$, it holds that for at least one fourth of the messages $m_2 \in M$,

$$\Pr[k \leftarrow K;\, \mathrm{Enc}_k(m_1) = c : m_2 \in \mathrm{Dec}(c)] \le \tfrac{3}{4};$$

otherwise we would contradict equation (17.2).
This is clearly not acceptable in most applications of an encryption scheme. So, does this mean that to get any "reasonable" amount of security Alice and Bob must share a long key?

Note that although Eve's attack only takes a few lines of code to describe, its running-time is high. In fact, to perform her attack, which amounts to checking whether $m_2 \in \mathrm{Dec}(c)$, Eve must try all possible keys $k \in K$ to check whether c possibly could decrypt to $m_2$. If, for instance, $K = \{0, 1\}^n$, this requires her to perform $2^n$ (i.e., exponentially many) different decryptions. Thus, although the attack can be simply described, it is not "feasible" by any efficient computing device. This motivates us to consider only "feasible" adversaries, namely adversaries that are computationally bounded. Indeed, as we shall see later in Chapter 35, the implications of Shannon's Theorem can be overcome with respect to such adversaries.

1.4 Overview of the Course

In this course we will focus on some of the key concepts and techniques in modern cryptography. The course will be structured around the following notions:

Computational Hardness and One-way Functions. As illustrated above, to circumvent Shannon's lower bound we have to restrict our attention to computationally-bounded adversaries. The first part of the course deals with notions of resource-bounded (and in particular time-bounded) computation, computational hardness, and the notion of one-way functions. One-way functions, i.e., functions that are "easy" to compute, but "hard" to invert by efficient algorithms, are at the heart of modern cryptographic protocols.

Indistinguishability. The notion of indistinguishability formalizes what it means for a computationally-bounded adversary to be unable to "tell apart" two distributions. This notion is central to modern definitions of security for encryption schemes, but also for formally defining notions such as pseudo-random generation, commitment schemes, zero-knowledge protocols, etc.

Knowledge. A central desideratum in the design of cryptographic protocols is to ensure that the protocol execution does not leak more "knowledge" than what is necessary. In this part of the course, we investigate "knowledge-based" (or rather zero knowledge-based) definitions of security.

Authentication. Notions such as digital signatures and message authentication codes are digital analogues of traditional written signatures. We explore different notions of authentication and show how cryptographic techniques can be
