Perfectly Secret Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

August 2, 2024

Perfectly Secret Encryption Schemes

  • Encryption schemes that are provably secure even against an adversary with unbounded computational power

  • Existence of such schemes is not obvious

    • We are allowing the adversary to launch brute-force attacks
  • Work done by Claude Shannon in the 1940s

  • His construction does not rely on any unproven computational assumptions

    • Unfortunately not practical

Definitions

  • \texttt{Gen}: A probabilistic algorithm that outputs a key k according to some distribution. Denoted by k \leftarrow \texttt{Gen}

  • \mathcal{K}: Key space, the set of all possible keys that can be output by \texttt{Gen}

  • \texttt{Enc}: A probabilistic encryption algorithm that takes k, m as input and gives c as output. Denoted by c \leftarrow \texttt{Enc}_k(m)

    • If \texttt{Enc} is deterministic, then we write c \coloneqq \texttt{Enc}_k(m)
  • \mathcal{C}: Set of all possible ciphertexts

  • \texttt{Dec}: Decryption algorithm that takes k, c as input and gives m as output. Denoted by m \coloneqq \texttt{Dec}_k(c)

Perfect Correctness

  • We assume perfect correctness which is defined as follows

  • For all k \in \mathcal{K}, m \in \mathcal{M}, and any ciphertext c output by \texttt{Enc}_k(m), it holds that \texttt{Dec}_k(c) = m with probability 1

  • Perfect correctness implies that \texttt{Dec} is deterministic

    • Since \texttt{Dec}_k(c) must give the same output every time
  • So we can write m \coloneqq \texttt{Dec}_k(c)

Message and Key Random Variables

  • Let K be the random variable denoting the key generated by \texttt{Gen}

  • Let \Pr[K = k] denote the probability that the key output by \texttt{Gen} is equal to k

  • Let M be the random variable denoting the message being encrypted

  • Let \Pr[M = m] denote the probability that the message takes on the value m

Ciphertext Random Variable

  • K and M are assumed to be independent

    • Message is independent of the key
  • Fixing an encryption scheme and a message distribution determines a distribution of ciphertexts as c \leftarrow \texttt{Enc}_k(m)

  • Let C be the random variable denoting the ciphertext

  • Let \Pr[C = c] denote the probability that the ciphertext takes on the value c

Shift Cipher Example

  • \mathcal{K} = \{0,1,…,25\} with \Pr[K = k] = 1/26 for each k \in \mathcal{K}

  • Suppose we are given the following distribution over \mathcal{M}: \Pr[M = \texttt{a}] = 0.7 and \Pr[M = \texttt{z}] = 0.3

  • What is the probability that the ciphertext is \texttt{B}?

  • What is the probability that the message \texttt{a} was encrypted, given that we observe ciphertext \texttt{B}?

Another Shift Cipher Example

  • Consider the shift cipher again with \mathcal{M} = \{\texttt{ann}, \texttt{boo}, \texttt{kim}\} and \Pr[M = \texttt{ann}] = 0.2, \Pr[M = \texttt{boo}] = 0.3, \Pr[M = \texttt{kim}] = 0.5

  • What is the probability that C = \texttt{DQQ}?

  • What is the probability that the message \texttt{ann} was encrypted, given that we observe ciphertext \texttt{DQQ}?
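The two shift cipher questions above can be answered by enumerating all 26 keys and applying Bayes' rule. The code below is an added example, not part of the slides; it uses exact fractions, takes the key to be uniform over \{0, \dots, 25\} as stated, and also checks whether the posterior equals the prior for every message and ciphertext, which is the perfect secrecy condition defined in the next slides.

```python
from fractions import Fraction

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def shift_encrypt(key, message):
    """Shift cipher: shift each letter by `key` positions; ciphertext is written in upper case."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] for ch in message).upper()

def ciphertext_distribution(message_dist):
    """Pr[C = c] for the shift cipher with a uniform key: sum over (m, k) of Pr[M = m] * 1/26."""
    dist = {}
    for m, pr_m in message_dist.items():
        for k in range(26):
            c = shift_encrypt(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pr_m * Fraction(1, 26)
    return dist

def posterior(message_dist, m, c):
    """Pr[M = m | C = c] = Pr[C = c | M = m] * Pr[M = m] / Pr[C = c] (Bayes' rule)."""
    pr_c = ciphertext_distribution(message_dist)[c]
    # Pr[C = c | M = m] is (number of keys sending m to c) / 26
    matching_keys = [k for k in range(26) if shift_encrypt(k, m) == c]
    pr_c_given_m = Fraction(len(matching_keys), 26)
    return pr_c_given_m * message_dist[m] / pr_c

def is_perfectly_secret_on(message_dist):
    """True if, for every c with Pr[C = c] > 0 and every m, the posterior equals the prior."""
    cdist = ciphertext_distribution(message_dist)
    return all(posterior(message_dist, m, c) == message_dist[m]
               for c in cdist for m in message_dist)

# The two message distributions from the slides
EX1 = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
EX2 = {"ann": Fraction(2, 10), "boo": Fraction(3, 10), "kim": Fraction(5, 10)}

if __name__ == "__main__":
    print("Pr[C = B]        =", ciphertext_distribution(EX1)["B"])
    print("Pr[M = a | C = B] =", posterior(EX1, "a", "B"))
    print("Pr[C = DQQ]          =", ciphertext_distribution(EX2)["DQQ"])
    print("Pr[M = ann | C = DQQ] =", posterior(EX2, "ann", "DQQ"))
    print("single-character example perfectly secret:", is_perfectly_secret_on(EX1))
    print("three-character example perfectly secret: ", is_perfectly_secret_on(EX2))
```

In the three-character example, \texttt{boo} under shift 2 also encrypts to \texttt{DQQ}, while no shift sends \texttt{kim} there, so observing \texttt{DQQ} changes the probability of \texttt{ann}.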

Perfect Secrecy

  • Perfect secrecy: the a posteriori probability that message m was sent, after observing the ciphertext, equals the a priori probability that m was sent

  • An encryption scheme (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) with message space \mathcal{M} is perfectly secret if for every probability distribution over \mathcal{M}, every message m \in \mathcal{M}, and every ciphertext c \in \mathcal{C} for which \Pr\left[ C = c \right] > 0: \Pr[M = m \mid C = c] = \Pr[M = m].

Alternative Definition of Perfect Secrecy

  • An encryption scheme (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) with message space \mathcal{M} is perfectly secret if and only if \Pr\left[ \texttt{Enc}_K(m) = c \right] = \Pr\left[ \texttt{Enc}_K(m') = c \right] holds for every m, m' \in \mathcal{M} and every c \in \mathcal{C}.
  • It is impossible to distinguish an encryption of m from an encryption of m', since the distributions of the ciphertext are the same in each case
  • Proof?

Perfect Indistinguishability

  • Yet another equivalent definition of perfect secrecy

  • Based on the idea of an experiment

    • Ubiquitous in cryptography literature

Perfect Indistinguishability Experiment

Consider the following experiment

  1. An adversary \mathcal{A} first specifies two arbitrary messages m_0, m_1 \in \mathcal{M}.

  2. A key k is generated using \texttt{Gen}

  3. One of m_0, m_1 is chosen with probability 1/2 and encrypted using k

  4. Resulting ciphertext is given to \mathcal{A}

  5. \mathcal{A} outputs a “guess” as to which of the two messages was encrypted

  6. \mathcal{A} succeeds if it guesses correctly.

  • An encryption scheme is perfectly indistinguishable if no adversary \mathcal{A} can succeed with probability better than 1/2

Adversarial Indistinguishability Experiment

  • Let \Pi = (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) be an encryption scheme with message space \mathcal{M}

  • Let \mathcal{A} be an adversary (an algorithm)

  • The adversarial indistinguishability experiment \texttt{PrivK}^{\texttt{eav}}_{\mathcal{A}, \Pi}

    1. The adversary \mathcal{A} outputs a pair of messages m_0, m_1 \in \mathcal{M}.

    2. A key k is generated using \texttt{Gen}

    3. A uniform bit b \in \{0,1\} is chosen.

    4. Ciphertext c \leftarrow \texttt{Enc}_k(m_b) is given to \mathcal{A}.

      • c is called the challenge ciphertext
    5. \mathcal{A} outputs a bit b'.

    6. The output of the experiment is defined to be 1 if b' = b, and 0 otherwise.

      • We write \texttt{PrivK}^{\texttt{eav}}_{\mathcal{A}, \Pi} = 1 if the output of the experiment is 1 and say that \mathcal{A} succeeds.

Perfectly Indistinguishable Encryption Schemes

  • Encryption scheme \Pi = (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) with message space \mathcal{M} is perfectly indistinguishable if for every \mathcal{A} it holds that \Pr\left[ \texttt{PrivK}^{\texttt{eav}}_{\mathcal{A}, \Pi} = 1 \right] = \frac{1}{2}.

  • Lemma: Encryption scheme \Pi = (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) is perfectly secret if and only if it is perfectly indistinguishable.

Examples

  • The shift cipher is not perfectly indistinguishable for messages longer than one character

  • Vigenère cipher is also not perfectly indistinguishable for certain parameters

    • See Example 2.8 of Katz and Lindell

One-Time Pad

  • A perfectly secret encryption scheme

  • Patented by Vernam in 1917

    • At that time, he did not know that it was perfectly secret
  • Shannon introduced the notion of perfect secrecy in the 1940s and proved that the one-time pad achieves it

  • Used by intelligence agencies in the mid-20th century

One-Time Pad Definition

  • Fix an integer l > 0
  • \mathcal{M} = \mathcal{K} = \mathcal{C} = \{0,1\}^l
  • \texttt{Gen}: Chooses k uniformly from \mathcal{K}
  • \texttt{Enc}: Given k, m \in \{0,1\}^l computes c \coloneqq k \oplus m
  • \texttt{Dec}: Given k, c \in \{0,1\}^l computes m \coloneqq k \oplus c
  • Scheme satisfies perfect correctness

OTP is Perfectly Secret

  • Theorem: The one-time pad is perfectly secret

  • Proof

    • What is \Pr[C = c \mid M = m]?
    • What is \Pr[C = c]?
    • What is \Pr[M = m \mid C = c]?
  • Note: OTP’s perfect secrecy is lost if the key is reused
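The three quantities in the proof sketch above can be computed by brute force for a small block length, and the same enumeration checks the alternative definition of perfect secrecy (\Pr[\texttt{Enc}_K(m) = c] equal for all m, m'). The code below is an added example, not part of the slides; it fixes l = 3 and uses a constructed, deliberately skewed message distribution so that \Pr[M = m \mid C = c] = \Pr[M = m] is visibly non-trivial, and it shows what two-time use of a key reveals.

```python
import itertools
from fractions import Fraction

L = 3  # block length l from the slides, kept small so every key can be enumerated
ALL_STRINGS = list(itertools.product([0, 1], repeat=L))  # {0,1}^l as bit tuples

def otp_enc(key, message):
    """Enc_k(m) = k XOR m, computed bitwise on l-bit tuples."""
    return tuple(kb ^ mb for kb, mb in zip(key, message))

def otp_dec(key, ciphertext):
    """Dec_k(c) = k XOR c; the same operation as Enc because XOR is its own inverse."""
    return otp_enc(key, ciphertext)

def pr_c_given_m(m, c):
    """Pr[C = c | M = m]: fraction of keys (uniform over {0,1}^l) with Enc_k(m) = c."""
    hits = sum(1 for k in ALL_STRINGS if otp_enc(k, m) == c)
    return Fraction(hits, len(ALL_STRINGS))

def pr_c(message_dist, c):
    """Pr[C = c] = sum over m of Pr[C = c | M = m] * Pr[M = m]."""
    return sum(pr_c_given_m(m, c) * p for m, p in message_dist.items())

def pr_m_given_c(message_dist, m, c):
    """Pr[M = m | C = c] by Bayes' rule."""
    return pr_c_given_m(m, c) * message_dist[m] / pr_c(message_dist, c)

def satisfies_alternative_definition():
    """Pr[Enc_K(m) = c] is the same for every m, m' and c (alternative definition of perfect secrecy)."""
    return all(pr_c_given_m(m, c) == pr_c_given_m(m2, c)
               for m in ALL_STRINGS for m2 in ALL_STRINGS for c in ALL_STRINGS)

def key_reuse_leak(key, m1, m2):
    """Encrypt two messages under one key: the XOR of the ciphertexts equals m1 XOR m2 for any key."""
    c1, c2 = otp_enc(key, m1), otp_enc(key, m2)
    return otp_enc(c1, c2)

# Constructed skewed message distribution over {0,1}^3 (not from the slides)
SKEWED = {(0, 0, 0): Fraction(1, 2), (1, 0, 1): Fraction(1, 4), (1, 1, 1): Fraction(1, 4)}

if __name__ == "__main__":
    c = (0, 1, 1)
    for m in SKEWED:
        print(f"m={m}: Pr[C=c|M=m]={pr_c_given_m(m, c)}, Pr[C=c]={pr_c(SKEWED, c)}, "
              f"Pr[M=m|C=c]={pr_m_given_c(SKEWED, m, c)}, prior={SKEWED[m]}")
    print("alternative definition holds:", satisfies_alternative_definition())
    print("c1 XOR c2 under a reused key:", key_reuse_leak((1, 1, 0), (1, 0, 1), (0, 1, 1)))
```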

Limitations of Perfect Secrecy

  • The one-time pad is perfectly secret but requires a key as long as the message; this is an inherent limitation of perfect secrecy, not of the OTP alone
  • Any perfectly secret encryption scheme must have a key space that is as large as the message space
  • Theorem: If \Pi = (\texttt{Gen}, \texttt{Enc}, \texttt{Dec}) is a perfectly secret encryption scheme with message space \mathcal{M} and key space \mathcal{K}, then |\mathcal{K}| \ge |\mathcal{M}|.

Further Reading

Chapter 2 from Katz & Lindell