Information-theoretic security

We discuss the information-theoretic notion of security called perfect security which we will show is possessed by the one-time-pad scheme.

We fix a particular symmetric encryption schemeSE= (K,E,D). Two parties share a keyKfor this scheme and the adversary does not a priori knowK. The adversary is assumed able to capture any ciphertext that

flows on the channel between the two parties. Having captured a ciphertext, it attempts to glean information about the corresponding plaintext message.

Take for example the one-time-pad scheme, and assume a singlek-bit message is encrypted and transmitted, where k is the length of the key. Due to the random choice of the key (pad), this certainly seems very

“secure.” We would like to say that the adversray, given the ciphertext, has “no idea” what the message was. But it is not clear how to say this, or if it is even really true. The adversary could always guess the message. Or, it could have a pretty good idea what the message was from some context surrounding the encryption. For example, it may know that the first few bytes of the message is a packet header containing the sender’s (known) ip address.

So we can’t really say the adversary has no idea what the message is given the ciphertext. Instead, we adopt a comparitive measure of security. We are interested in how much more the adversary knows about the message given the ciphertext as opposed to what it knew before it saw the ciphertext. Perfect security holds if “the adversary’s best guess as to the message after having seen the ciphertext is the same as before it saw the ciphertext.” In other words, the ciphertext was no help in figuring out anything new about the message.

This is captured this as follows. We assume a single message will be encrypted, and are interested only in the security of this encryption. There is some plaintext spacePlaintexts⊆ {0,1}^∗ of messages that the encryptor is willing to encrypt. (For example, with the one-time pad scheme, if the key length iskbits then Plaintexts={0,1}^k.) Notice that this effectively makes the scheme stateless.

We model the a priori information (the information the adversary already possesses about the message) as a probability distribution on the set of possible messages. Formally, a message distribution onPlaintextsis a functionD:Plaintexts→[0,1] such that

X

M∈Plaintexts

D(M) = 1,

and alsoD(M)>0 for all M ∈Plaintexts. For example, there might be four messages, 00,01,10,11, with D(00) = 1/6, D(01) = 1/3, D(10) = 1/4, and D(11) = 1/4.

We imagine that the sender chooses a message at random according toD, meaning that a specific message M ∈ Plaintextshas probability D(M) of being chosen. In our example, the sender would choose 00 with probability 1/6, and so on.

The message distribution, and the fact that the sender chooses according to it, are known to the adversary.

Before any ciphertext is transmitted, the adversary’s state of knowledge about the message chosen by the sender is given byD. That is, it knows that the message was 00 with probability 1/6, and so on.

We say that the encryption scheme is perfectly secure if the possession of the ciphertext does not impart any additional information about the message than was known a priori via the fact that it was chosen according to D. The setup is like this. After the sender has chosen the message according to D, a key K is also chosen, according to the key generation algorithm, meaningK← K, and the message is encrypted to get a ciphertext, viaC ← EK(M). The adversary is given C. We ask the adversary: given that you know C is the ciphertext produced, for each possible value of the message, what is the probability that that particular value was actually the message chosen? If the adversary can do no better than say that the probability that M was chosen wasD(M), it means that the possession of the ciphertext is not adding any new information to what is already known. This is perfect security.

To state this more formally, we first let

S = Keys(SE)×Plaintexts× {0,1}^r

denote the sample space underlying our experiment. Hereris the number of coins the encryption algorithm tosses. (This is zero if the encryption algorithm is deterministic, as is the case for the one-time pad.) We let introduce the following random variables:

K:S→Keys(SE) defined by (K, M, R)7→K M:S→Plaintexts defined by (K, M, R)7→M

C:S→ {0,1}^∗ defined by (K, M, R)7→ EK(M;R)

Cryptography: Lecture Notes 89

ThusKsimply returns the value of the chosen key whileMreturns the value of the chosen message. The last random variable returns the encryption of the message using keyKand coinsR. The probability distribution underlying this sample space is denotedP_D,SE[·] and is given by a choice ofK as perK, a choice ofM as perD, and a random choice ofR, all these being made independently.

Definition 6.7 Let SE = (K,E,D) be a symmetric encryption scheme with associated message space Plaintexts. Let D:Plaintexts→ [0,1] be a message distribution on Plaintexts. We say that SE is perfectly secure with respect toD if for everyM ∈Plaintextsand every possible ciphertextCit is the case that

P_D,SE[M=M|C=C] = D(M). (6.1)

We say that SE = (K,E,D) isperfectly secure if it is perfectly secure with respect toevery message distri-bution onPlaintexts.

Here “M=M” is the event that the message chosen by the sender wasM, and “C=C” is the event that the ciphertext computed by the sender and received by the adversary wasC. The definition considers the conditional probability that the message wasM given that the ciphertext wasC. It says that this probability is exactly the a priori probability of the messageM, namelyD(M).

In considering the one-time pad encryption scheme (cf. Scheme 6.2) we omit the counter as part of the ciphertext since only a single message is being encrypted. Thus, the ciphertext is ak-bit string wherek is the length of the key and also of the message. Also note that in this scheme r = 0 since the encryption algorithm is not randomized.

Example 6.8 LetSE = (K,E,D) be the one-time-pad encryption scheme with the key length (and thus also message length and ciphertext length) set tok = 2 bits and the message space set toPlaintexts={0,1}^k. Let D be the message distribution on Plaintexts defined by D(00) = 1/6, D(01) = 1/3,D(10) = 1/4 and D(11) = 1/4. For each possible ciphertext C ∈ {0,1}^k, the first table of Figure 6.1 shows the value of PD,SE[C=C|M=M], the probability of obtaining this particular ciphertext if you encryptM with the one-time pad scheme. As the table indicates, this probability is always 0.25. Why? Having fixed M, the possible ciphertexts are M⊕K as K ranges over {0,1}^k. So, regardless of the value of M, all different k bit strings are equally likely as ciphertexts. The corresponding general statement is stated and proved in Lemma 6.9 below. The second table shows the value of PD,SE[M=M|C=C], the probability that the message wasM given that an adversary sees ciphertextC. Notice that this always equals the a priori probabilityD(M).

The following lemma captures the basic security property of the one-time-pad scheme: no matter what is the message, each possible k-bit ciphertext is produced with probability 2^−k, due to the random choice of the key. .

Lemma 6.9 Let k ≥ 1 be an integer and let SE = (K,E,D) be the one-time-pad encryption scheme of Scheme 6.2 with the key length set tok bits and the message space set toPlaintexts={0,1}^k. Let D be a message distribution onPlaintexts. Then

P_D,SE[C=Y|M=X] = 2^−k . for anyX ∈Plaintextsand anyY ∈ {0,1}^k.

Proof of Lemma 6.9: If X is fixed and known, what’s the probability that we see Y? SinceY =K⊕X for the one-time-pad scheme, it only happens ifK=Y⊕X. The probability thatK is this particular string is exactly 2^−k sinceK is a randomly chosenk-bit string.

This enables us to show that the one-time-pad scheme meets the notion of perfect security we considered above.

C 00 01 10 11 D(M) M

1/6 00 0.25 0.25 0.25 0.25 1/3 01 0.25 0.25 0.25 0.25 1/4 10 0.25 0.25 0.25 0.25 1/4 01 0.25 0.25 0.25 0.25

C 00 01 10 11

D(M) M

1/6 00 1/6 1/6 1/6 1/6

1/3 01 1/3 1/3 1/3 1/3

1/4 10 1/4 1/4 1/4 1/4

1/4 01 1/4 1/4 1/4 1/4

Figure 6.1: In the first table, the entry corresponding to row M and column C shows the value of PD,SE[C=C|M=M], for the one-time-pad scheme of Example 6.8. Here the key and message length are bothk = 2. In the second table, the entry corresponding to rowM and column C shows the value of PD,SE[M=M|C=C], for the same scheme.

Theorem 6.10 Letk≥1 be an integer and let SE = (K,E,D) be the one-time-pad encryption scheme of Scheme 6.2 with the key length set tok bits and the message space set toPlaintexts={0,1}^k. Let D be a message distribution onPlaintexts. ThenSE is perfectly secure with respect toD.

Proof of Theorem 6.10: Let M ∈Plaintextsbe a message and let C∈ {0,1}^k be a possible ciphertext.

We need to show that Equation (6.1) is true. We have

PD,SE[M=M|C=C] = PD,SE[C=C|M=M]· PD,SE[M=M] PD,SE[C=C]

= 2^−k·PD,SE[M=M] P_D,SE[C=C] .

The first equality was by Bayes’ rule. The second equality was obtained by applying Lemma 6.9 withX =M andY =C. By definition

P_D,SE[M=M] = D(M) is the a priori probability ofM. Now for the last term:

PD,SE[C=C] = X

X

PD,SE[M=X]·PD,SE[C=C|M=X]

= X

X

D(X)·2^−k

= 2^−k·X

X

D(X)

= 2^−k·1.

The sum here was over all possible messagesX ∈Plaintexts, and we used Lemma 6.9. Plugging all this into the above we get

PD,SE[M=M|C=C] = 2^−k·D(M)

2^−k = D(M)

Cryptography: Lecture Notes 91

as desired.

The one-time-pad scheme is not the only scheme possessing perfect security, but it seems to be the simplest and most natural one.