Definitions and Basic Properties

We begin by briefly recalling some of the syntax that was introduced in the previous chapter. An encryption scheme is defined by three algorithms Gen, Enc, and Dec, as well as a specification of a message space M with

|M|>1.¹ The key-generation algorithmGenis a probabilistic algorithm that outputs a keyk chosen according to some distribution. We denote byK the

1If |M|= 1 there is only one message and there is no point in communicating, let alone encrypting.

29

key space, i.e., the set of all possible keys that can be output by Gen, and require K to be finite. The encryption algorithm Enc takes as input a key k ∈ K and a messagem ∈ M, and outputs a ciphertext c; we denote this byEnck(m). The encryption algorithm may be probabilistic, so thatEnck(m) might output a different ciphertext when run multiple times. To emphasize this, we write c←Enck(m) to denote the (possibly probabilistic) process by which messagemis encrypted using keyk to give ciphertextc. (In caseEnc is deterministic, we may emphasize this by writing c:=Enck(m).) We letC denote the set of all possible ciphertexts that can be output byEnck(m), for all possible choices of k∈ K andm∈ M(and for all random choices of Enc in case it is randomized). The decryption algorithmDectakes as input a key k ∈ Kand a ciphertext c ∈ C and outputs a messagem ∈ M. Throughout the book, we assume encryption schemes are perfectly correct; that is, that for all k ∈ K, m ∈ M, and any ciphertext c output by Enck(m), it holds that Deck(c) =mwith probability 1. This implies that we may assumeDec is deterministic without loss of generality (since Deck(c) must give the same output every time it is run). We will thus write m:=Deck(c) to denote the process of decrypting ciphertextc using keyk.

In the definitions and theorems below, we refer to probability distributions overK,M, and C. The distribution overK is simply the one that is defined by runningGen and taking the output. Fork∈ K, we let Pr[K =k] denote the probability that the key output byGen is equal to k. (Formally, K is a random variable denoting the value of the key.) Similarly, form∈ Mwe let Pr[M =m] denote the probability that the message that is sent is equal tom.

That the message is being chosen according to some distribution (rather than being fixed) is meant to model the fact that, at least from the point of view of the adversary, different messages may have different probabilities of being sent. (If the adversary knows what message is being sent, then it doesn’t need to decrypt anything and there is no need for the parties to use encryption!) As an example, the adversary may know that the encrypted message is ei-ther attack tomorrow or don’t attack. Furthermore, the adversary may even know (by other means) that with probability 0.7 the message will be a command to attack and with probability 0.3 the message will be a command not to attack. In this case, we have Pr[M =attack tomorrow] = 0.7 and Pr[M =don’t attack] = 0.3.

We assume that the distributions overKandMare independent, i.e., that the key and message are chosen independently. This is required because the key is chosen and fixed (i.e., shared by the communicating parties) before the message is known. Actually, recall that the distribution overKis fixed by the encryption scheme itself (since it is defined byGen) while the distribution over Mmay vary depending on the parties who are using the encryption scheme.

Forc∈ C, we write Pr[C=c] to denote the probability that the ciphertext isc. Note that, givenEnc, the distribution overCis fixed by the distributions overK andM.

The actual definition. We are now ready to define the notion of perfect secrecy. Intuitively, we imagine an adversary who knows the probability dis-tribution over M; that is, the adversary knows the likelihood that different messages will be sent (as in the example given above). Then the adversary ob-serves some ciphertext being sent by one party to the other. Ideally, observing this ciphertext should have no effect on the knowledge of the adversary; in other words, thea posteriori likelihood that some messagemwas sent (even given the ciphertext that was seen) should be no different from thea priori probability thatmwould be sent. This should hold for anym∈ M. Further-more, this should hold even if the adversary has unbounded computational power. This means that a ciphertext reveals nothing about the underlying plaintext, and thus an adversary who intercepts a ciphertext learns absolutely nothing about the plaintext that was encrypted.

Formally:

DEFINITION 2.1 An encryption scheme (Gen,Enc,Dec)over a message space Misperfectly secretif for every probability distribution overM, every message m∈ M, and every ciphertext c∈ C for whichPr[C=c]>0:

Pr[M =m|C=c] = Pr[M =m].

(The requirement that Pr[C = c] >0 is a technical one needed to prevent conditioning on a zero-probability event.) Another way of interpreting Defi-nition 2.1 is that a scheme is perfectly secret if the distributions over messages and ciphertexts areindependent.

A simplifying convention. In this chapter, we are going to consider only probability distributions overMand C that assign non-zero probabilities to allm∈ Mand c∈ C.² This significantly simplifies the presentation because we often need to divide by Pr[M =m] or Pr[C =c], which is a problem if they may equal zero. Likewise, as in Definition 2.1 we sometimes need to condition on the event C = c or M = m. This too is problematic if those events have zero probability.

We stress that this convention is only meant to simplify the exposition and is not a fundamental limitation. In particular all the theorems we prove can be appropriately adapted to the case of arbitrary distributions overM and C (that may assign some messages or ciphertexts probability 0). See also Exercise 2.6.

An equivalent formulation. The following lemma gives an equivalent for-mulation of Definition 2.1.

2We remark that this holds always fork∈ Kbecause the distribution is defined byGenand so only keys that can be output byGenare included in the setKto start with.

LEMMA 2.2 An encryption scheme (Gen,Enc,Dec)over a message space Mis perfectly secret if and only if for every probability distribution over M, every message m∈ M, and every ciphertextc∈ C:

Pr[C=c|M=m] = Pr[C=c].

PROOF Fix a distribution overMand arbitrarym∈ Mandc∈ C. Say Pr[C=c|M=m] = Pr[C=c].

Multiplying both sides of the equation by Pr[M=m]/Pr[C=c] gives Pr[C=c|M=m]·Pr[M=m]

Pr[C=c] = Pr[M =m].

Using Bayes’ theorem (see Theorem A.8), the left-hand-side is exactly equal to Pr[M =m | C = c]. Thus, Pr[M =m | C =c] = Pr[M = m] and the scheme is perfectly secret.

The other direction of the proof is left as an exercise.

We emphasize that in the above proof, we used the fact that bothm∈ M and c∈ C are assigned non-zero probabilities (and thus Pr[M =m]>0 and Pr[C=c]>0, enabling us to divide by Pr[C=c] and condition on the event M=m). This explains our convention stated earlier, by whichMandConly contain messages/ciphertexts that occur with non-zero probability.

Perfect indistinguishability. We now use Lemma 2.2 to obtain another equivalent and useful formulation of perfect secrecy. This formulation states that the probability distribution overC is independent of the plaintext. That is, letC(m) denote the distribution over the ciphertext when the message be-ing encrypted is m∈ M (this distribution depends on the choice of key, as well as the randomness of the encryption algorithm in case it is probabilistic).

Then the claim is that for every m0, m1 ∈ M, the distributions C(m0) and C(m1) are identical. This is just another way of saying that the ciphertext contains no information about the plaintext. We refer to this formulation as perfect indistinguishability because it implies that it is impossible to distin-guish an encryption ofm0from an encryption ofm1(due to the fact that the distribution over the ciphertext is the same in each case).

LEMMA 2.3 An encryption scheme (Gen,Enc,Dec)over a message space Mis perfectly secret if and only if for every probability distribution over M, every m0, m1∈ M, and every c∈ C:

Pr[C=c|M=m0] = Pr[C=c|M=m1].

PROOF Assume that the encryption scheme is perfectly secret and fix m0, m1∈ Mand c∈ C. By Lemma 2.2 we have that Pr[C=c|M =m0] = Pr[C=c] and Pr[C=c|M =m1] = Pr[C=c]. Thus,

Pr[C=c|M=m0] = Pr[C=c] = Pr[C=c|M=m1], completing the proof of the first direction.

Assume next that for every distribution overM, everym0, m1∈ M, and everyc ∈ C it holds that Pr[C =c |M =m0] = Pr[C =c |M =m1]. Fix some distribution over M, and arbitrary m0 ∈ M and c ∈ C. Define γ ^def= Pr[C =c |M =m0]. Since Pr[C =c |M =m] = Pr[C =c|M =m0] =γ for allm, we have

Pr[C=c] = X

m∈M

Pr[C=c|M=m]·Pr[M=m]

= X

m∈M

γ·Pr[M=m]

=γ· X

m∈M

Pr[M=m]

=γ

= Pr[C=c|M=m],

where the final equality holds for allm∈ M. So we have shown that Pr[C= c] = Pr[C=c|M =m] for allc∈ C andm∈ M. Applying Lemma 2.2, we conclude that the encryption scheme is perfectly secret.

Adversarial indistinguishability. We conclude this section by presenting an additional equivalent definition of perfect secrecy. This definition is based on anexperimentinvolving an adversaryAand its inability to distinguish the encryption of one plaintext from the encryption of another, and we thus call it adversarial indistinguishability. This definition will serve as our starting point when we introduce the notion of computational security in the next chapter.

We define an experiment that we callPrivK^eav since it considers the setting of private-key encryption and an eavesdropping adversary (the adversary is eavesdropping because it only receives a ciphertext c and then tries to de-termine something about the plaintext). The experiment is defined for any encryption scheme Π = (Gen,Enc,Dec) over message space M and for any adversary A. We let PrivK^eav_A,Π denote an execution of the experiment for a given Π andA. The experiment is defined as follows:

The adversarial indistinguishability experimentPrivK^eav_A,Π: 1. The adversary Aoutputs a pair of messages m0, m1∈ M.

2. A random key kis generated by runningGen, and a random bit b ← {0,1}is chosen. (These are chosen by some imag-inary entity that is running the experiment with A.) Then, the ciphertext c←Enck(mb) is computed and given toA. 3. A outputs a bitb⁰.

4. The output of the experiment is defined to be 1 ifb⁰=b, and 0 otherwise. We write PrivK^eav_A,Π= 1if the output is 1 and in this case we say that Asucceeded.

One should think ofAas trying to guess the value ofb that is chosen in the experiment, and A succeeds when its guessb⁰ is correct. Observe that it is always possible for Ato succeed in the experiment with probability one half by just guessing b⁰ randomly. The question is whether it is possible for A to do any better than this. The alternate definition we now give states that an encryption scheme is perfectly secret ifno adversaryAcan succeed with probability any better than one half. We stress that, as is the case throughout this chapter, there is no limitation whatsoever on the computational power ofA.

DEFINITION 2.4 (perfect secrecy — alternative definition): An encryp-tion scheme(Gen,Enc,Dec)over a message space Misperfectly secretif for every adversaryA it holds that

Pr

PrivK^eav_A,Π= 1

=1