Skip to content
Knowledge Base
Cryptography
Perfectly Secret Encryption

Perfectly Secret Encryption

Probability Distribution

Notation

  • K\mathcal{K} denotes the set of all possible keys (key space)
  • C\mathcal{C} denotes the set of all possible ciphertexts (ciphertext space)
  • M\mathcal{M} denotes the set of all possible messages
  • MM denotes the message, where MMM \in \mathcal{M}
  • KK denotes the key, where KKK \in \mathcal{K}
  • GenGen defines a probability distribution for KK, where Pr[K=k]=Pr[Gen outputs k]Pr[K=k] = Pr[Gen \space \text{outputs} \space k]

Assumption

Random variables MM and KK are independent.

Perfect Secrecy

Definition

An encryption scheme (GenGen, EncEnc, DecDec) with message space M\mathcal{M} is perfectly secret if for every probability distribution over M\mathcal{M}, every message mMm \in \mathcal{M} and every ciphertext cCc \in \mathcal{C} for which Pr[C=c]>0Pr[\mathcal{C}=c] \gt 0:

Pr[M=mC=c]=Pr[M=m] Pr[M = m \mid C = c] = Pr[M = m]

Or

m,mM,cCPr[Enck(m)=c]=Pr[Enck(m)=c] \begin{align*} \forall m, m^\prime \in \mathcal{M}, &\quad \forall c \in \mathcal{C} \\ Pr[Enc_k{(m)} = c] &= Pr[Enc_k{(m^\prime)} = c] \end{align*}

The ciphertext should not leak any additional information about the plaintext regardless of any prior information the attacker has about the plaintext.

Adversarial Indistinguishability Experiment PrivKA,Πeav\text{PrivK}^{\text{eav}}_{\mathcal{A},\Pi}

Let Π=(Gen,Enc,Dec)\Pi = (Gen, Enc, Dec) be an encryption scheme with message space M\mathcal{M}.

Let A\mathcal{A} be an adversary.

The experiment PrivKA,Πeav\text{PrivK}^{\text{eav}}_{\mathcal{A},\Pi} can be defined as follows:

  1. A\mathcal{A} outputs a pair of messages m0,m1Mm_0, m_1 \in \mathcal{M}
  2. A key kk is generated by GenGen, and a uniform bit b0,1b \in {0,1} is chosen. Ciphertext cEnck(mb)c \gets Enc_k{(m_b)} is given to A\mathcal{A}. The cc is a challenge ciphertext
  3. A\mathcal{A} outputs a bit bb^\prime
  4. The output of the experiment is defined to be 11 if b=bb^\prime = b, otherwise 00. PrivKA,Πeav=1\text{PrivK}^{\text{eav}}_{\mathcal{A},\Pi} = 1 and A\mathcal{A} succeeds, if the output of the experiment is 11.

The perfect indistinguishability is defined as:

Pr[PrivKA,Πeav=1]=12 Pr[\text{PrivK}^{\text{eav}}_{\mathcal{A},\Pi} = 1] = \frac{1}{2}

Shanon’s Theorem

Let (Gen,Enc,Dec)(Gen, Enc, Dec) be an encryption scheme with message space M\mathcal{M}, for which M=K=C\left| \mathcal{M} \right| = \left| \mathcal{K} \right| = \left| \mathcal{C} \right|.

The scheme is perfectly secret if and only if:

Pr[K=k]=1K,  kKmM,  cC,  kK,  Enck(m)=c,where k is unique \begin{align*} Pr[K = k] = \frac{1}{\left| \mathcal{K} \right|} &, \; \forall k \in \mathcal{K} \\ \forall m \in \mathcal{M}, \; \forall c \in \mathcal{C}, \; \exists k \in \mathcal{K}, \; Enc_k{(m)} &= c, \text{where } k \text{ is unique} \end{align*}

One-Time Pad (OTP)

Process

  • M={0,1}\mathcal{M} = \{0, 1\}^\ell
  • GenGen: Choose a uniform key k{0,1}k \in \{0,1\}^\ell
  • Enck(m)=kmEnc_k{(m)} = k \oplus m
  • Deck(c)=kcDec_k{(c)} = k \oplus c

Limitation

The key can not be reused. And the key management is difficult.

If the key is reused, a known-plaintext attack will happen:

c1=km1,  c2=km2 c_1 = k \oplus m_1, \; c_2 = k \oplus m_2

And the adversary knows m1m_1, then

k=m1c1m2=c2k \begin{align*} k = m_1 \oplus c_1 \\ m_2 = c_2 \oplus k \end{align*}

Or

c1c2=km1km2=m1m2 c_1 \oplus c_2 = k \oplus m_1 \oplus k \oplus m_2 = m_1 \oplus m_2

Which leaks information about m1,m2m_1, m_2, so it is not perfectly secret, the difference between two plaintexts can be identified, and frequency analysis could also be applied.

Last updated on
Principles of Modern CryptographyComputational Security