




Information theory is one of the foundations of computer science. In this chapter we will examine its relationship to cryptography.





Also suppose we have three possible keys given by K = {k_1, k_2, k_3}, which occur with probability
Now, suppose we have C = {1, 2, 3, 4}, with the encryption function e_k(m) given by the following table (rows are keys, columns are plaintexts):

        a   b   c   d
  k_1   3   4   2   1
  k_2   3   1   4   2
  k_3   4   3   1   2
We can then compute, using formula (7),
p(C = 1) = p(K = k_1)p(P = d) + p(K = k_2)p(P = b)
p(C = 2) = p(K = k_1)p(P = c) + p(K = k_2)p(P = d)
p(C = 3) = p(K = k_1)p(P = a) + p(K = k_2)p(P = a)
p(C = 4) = p(K = k_1)p(P = b) + p(K = k_2)p(P = c)
Hence, the ciphertexts produced are distributed almost uniformly. For c ∈ C and m ∈ P we can compute the conditional probability p(C = c|P = m). This is the probability that c is the ciphertext given that m is the plaintext:
$$p(C = c \mid P = m) = \sum_{k \,:\, m = d_k(c)} p(K = k).$$
This sum is the sum over all keys k for which the decryption function on input of c will output m. For our prior example we can compute these probabilities as
p(C = 1|P = a) = 0,    p(C = 2|P = a) = 0,    p(C = 3|P = a) = 0.75, p(C = 4|P = a) = 0.25,
p(C = 1|P = b) = 0.5,  p(C = 2|P = b) = 0,    p(C = 3|P = b) = 0.25, p(C = 4|P = b) = 0.25,
p(C = 1|P = c) = 0.25, p(C = 2|P = c) = 0.25, p(C = 3|P = c) = 0,    p(C = 4|P = c) = 0.5,
p(C = 1|P = d) = 0.25, p(C = 2|P = d) = 0.75, p(C = 3|P = d) = 0,    p(C = 4|P = d) = 0.
But, when we try to break a cipher we want the conditional probability the other way around, i.e. we want to know the probability of a given message occurring given only the ciphertext. We can compute the probability of m being the plaintext given c is the ciphertext via,
$$p(P = m \mid C = c) = \frac{p(P = m)\, p(C = c \mid P = m)}{p(C = c)}.$$
80 5. INFORMATION THEORETIC SECURITY
This conditional probability can be computed by anyone who knows the encryption function and the probability distributions of K and P. Using these probabilities one may be able to deduce some information about the plaintext once you have seen the ciphertext. Returning to our previous example we compute
p(P = a|C = 1) = 0,     p(P = b|C = 1) = 0.571, p(P = c|C = 1) = 0.143, p(P = d|C = 1) = 0.286,
p(P = a|C = 2) = 0,     p(P = b|C = 2) = 0,     p(P = c|C = 2) = 0.143, p(P = d|C = 2) = 0.857,
p(P = a|C = 3) = 0.714, p(P = b|C = 3) = 0.286, p(P = c|C = 3) = 0,     p(P = d|C = 3) = 0,
p(P = a|C = 4) = 0.294, p(P = b|C = 4) = 0.352, p(P = c|C = 4) = 0.352, p(P = d|C = 4) = 0.
Hence
So in our previous example the ciphertext does reveal a lot of information about the plaintext. But this is exactly what we wish to avoid: we want the ciphertext to give no information about the plaintext. A system with this property, that the ciphertext reveals nothing about the plaintext, is said to be perfectly secure.
Definition 5.1 (Perfect Secrecy). A cryptosystem has perfect secrecy if p(P = m|C = c) = p(P = m)
for all plaintexts m and all ciphertexts c.
This means the probability that the plaintext is m, given that you know the ciphertext is c, is the same as the probability that it is m without seeing c. In other words knowing c reveals no information about m. Another way of describing perfect secrecy is via:
Lemma 5.2. A cryptosystem has perfect secrecy if p(C = c|P = m) = p(C = c) for all m and c.
Proof. This trivially follows from the definition
$$p(P = m \mid C = c) = \frac{p(P = m)\, p(C = c \mid P = m)}{p(C = c)}$$
and the fact that perfect secrecy means p(P = m|C = c) = p(P = m). □
The first result about perfect security is the following.

Lemma 5.3. Assume the cryptosystem is perfectly secure. Then
#K ≥ #C ≥ #P,
where
Hence we obtain, for all 1 ≤ i ≤ n,
p(C = c) = p(K = k_i).
This says that the keys are used with equal probability and hence
p(K = k) = 1/#K for all k ∈ K.
Now we need to prove the result in the other direction. Namely, if
then we need to show the system is perfectly secure, i.e.
p(P = m|C = c) = p(P = m).
We have, since each key is used with equal probability,
$$p(C = c) = \sum_{k} p(K = k)\, p(P = d_k(c)) = \frac{1}{\#K} \sum_{k} p(P = d_k(c)).$$
Also, since for each m and c there is a unique key k with e_k(m) = c, we must have
$$\sum_{k} p(P = d_k(c)) = \sum_{m} p(P = m) = 1.$$
Hence, p(C = c) = 1/#K. In addition, if c = ek (m) then p(C = c|P = m) = p(K = k) = 1/#K. So using Bayes’ Theorem we have
$$p(P = m \mid C = c) = \frac{p(P = m)\, p(C = c \mid P = m)}{p(C = c)} = \frac{p(P = m) \cdot \frac{1}{\#K}}{\frac{1}{\#K}} = p(P = m). \qquad \square$$
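The probabilities worked out for the three-key example, the test in Definition 5.1 and the conditions used in the proof above (equiprobable keys, a unique key for each pair m, c) can all be checked mechanically. The following Python is an added example, not part of the notes; the distributions P_KEY and P_MSG are assumptions (they are cut off in this copy of the notes and were chosen to reproduce the tabulated conditional probabilities), and the same check is also run on a one-letter shift cipher with a uniformly random key, which the proof shows must pass.

```python
from fractions import Fraction as F

# Encryption table from the notes: ENC[key][plaintext] = ciphertext.
ENC = {"k1": {"a": 3, "b": 4, "c": 2, "d": 1},
       "k2": {"a": 3, "b": 1, "c": 4, "d": 2},
       "k3": {"a": 4, "b": 3, "c": 1, "d": 2}}
# Assumed key and plaintext distributions (lost in this copy of the notes),
# chosen so that the conditional probabilities tabulated there are reproduced.
P_KEY = {"k1": F(1, 4), "k2": F(1, 2), "k3": F(1, 4)}
P_MSG = {"a": F(1, 4), "b": F(3, 10), "c": F(3, 20), "d": F(3, 10)}

def p_c_given_m(enc, p_key, c, m):
    """p(C=c|P=m): total probability of the keys k with e_k(m) = c."""
    return sum((p_key[k] for k in enc if enc[k][m] == c), F(0))

def p_c(enc, p_key, p_msg, c):
    """p(C=c) = sum over m of p(P=m) p(C=c|P=m): the sum over every key in the table."""
    return sum((p_msg[m] * p_c_given_m(enc, p_key, c, m) for m in p_msg), F(0))

def p_m_given_c(enc, p_key, p_msg, m, c):
    """Bayes' Theorem: p(P=m|C=c) = p(P=m) p(C=c|P=m) / p(C=c)."""
    return p_msg[m] * p_c_given_m(enc, p_key, c, m) / p_c(enc, p_key, p_msg, c)

def ciphertexts(enc):
    return {c for row in enc.values() for c in row.values()}

def is_perfectly_secret(enc, p_key, p_msg):
    """Definition 5.1: p(P=m|C=c) == p(P=m) for all m and all c that can occur."""
    return all(p_m_given_c(enc, p_key, p_msg, m, c) == p_msg[m]
               for m in p_msg for c in ciphertexts(enc)
               if p_c(enc, p_key, p_msg, c) > 0)

def unique_key_per_pair(enc):
    """Condition used in the proof: for every (m, c) exactly one key k has e_k(m) = c."""
    msgs = list(next(iter(enc.values())))
    return all(sum(enc[k][m] == c for k in enc) == 1
               for m in msgs for c in ciphertexts(enc))

def shift_cipher(n=26):
    """One-letter shift cipher with a uniformly random key: #K = #C = #P = n and
    p(K = k) = 1/n, so the conditions of the theorem hold."""
    enc = {k: {m: (m + k) % n for m in range(n)} for k in range(n)}
    return enc, {k: F(1, n) for k in range(n)}

if __name__ == "__main__":
    print("3-key system perfectly secret?", is_perfectly_secret(ENC, P_KEY, P_MSG))
    enc, p_key = shift_cipher()   # any skewed plaintext distribution works here
    print("shift cipher perfectly secret?", is_perfectly_secret(enc, p_key, {m: F(m + 1, 351) for m in range(26)}))
```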
We end this section by discussing a couple of systems which have perfect secrecy.
2.1. Modified Shift Cipher. Recall the shift cipher is one in which we ‘add’ a given letter (the key) onto each letter of the plaintext to obtain the ciphertext. We now modify this cipher by using a different key for each plaintext letter. For example, to encrypt the message HELLO we choose five random keys, say FUIAT. We then add the key onto the plaintext, modulo 26, to obtain the ciphertext MYTLH. Notice how the plaintext letter L encrypts to different letters in the ciphertext. When we use the shift cipher with a different random key for each letter, we obtain a perfectly secure system. To see why this is so, consider the situation of encrypting a message of length n. Then the total number of keys, ciphertexts and plaintexts are all equal, namely:
#K = #C = #P = 26^n.
In addition each key will occur with equal probability:
p(K = k) = 1/26^n,
and for each m and c there is a unique k such that ek (m) = c. Hence, by Shannon’s Theorem this modified shift cipher is perfectly secure.
2.2. Vernam Cipher. The above modified shift cipher basically uses addition modulo 26. One problem with this is that in a computer, or any electrical device, mod 26 arithmetic is hard, but binary arithmetic is easy. We are particularly interested in the addition operation, which is denoted by ⊕ and is equal to the logical exclusive-or, or XOR, operation:
  ⊕ | 0  1
  --+------
  0 | 0  1
  1 | 1  0
In 1917 Gilbert Vernam patented a cipher which used these principles, called the Vernam cipher or one-time pad. To send a binary string you need a key, which is a binary string as long as the message. To encrypt a message we XOR each bit of the plaintext with each bit of the key to produce the ciphertext. Each key is only allowed to be used once, hence the term one-time pad. This means that key distribution is a pain, a problem which we shall come back to again and again. To see why we cannot get away with using a key twice, consider the following chosen plaintext attack. We assume that Alice always uses the same key k to encrypt a message to Bob. Eve wishes to determine this key and so carries out the following attack:
You may object to this attack since it requires Alice to be particularly stupid, in that she encrypts a message for Eve. But in designing our cryptosystems we should try and make systems which are secure even against stupid users. Another problem with using the same key twice is the following. Suppose Eve can intercept two messages encrypted with the same key
c_1 = m_1 ⊕ k,    c_2 = m_2 ⊕ k.
Eve can now determine some partial information about the pair of messages m_1 and m_2 since she can compute
c_1 ⊕ c_2 = (m_1 ⊕ k) ⊕ (m_2 ⊕ k) = m_1 ⊕ m_2.
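The key cancellation above is easy to see in code. The following Python is an added example, not part of the notes: it implements the Vernam cipher on bytes, reuses one key for two constructed sample messages, and shows that the XOR of the two ciphertexts equals m_1 ⊕ m_2 regardless of the key, so that even the positions where the two messages agree become visible to anyone holding both ciphertexts.

```python
import os

def otp(data: bytes, key: bytes) -> bytes:
    """Vernam cipher / one-time pad: XOR each bit of the data with the matching
    key bit. The same function decrypts, because (m ^ k) ^ k == m."""
    if len(key) != len(data):
        raise ValueError("the one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """For two ciphertexts under the same key: c1 ^ c2 = (m1 ^ k) ^ (m2 ^ k) = m1 ^ m2.
    The key cancels, so the result depends on the plaintexts alone."""
    return otp(c1, c2)

def positions_where_plaintexts_agree(c1: bytes, c2: bytes) -> list:
    """A zero byte in m1 ^ m2 means m1 and m2 carry the same byte at that position;
    this is the kind of partial information that leaks when a key is used twice."""
    return [i for i, b in enumerate(xor_of_ciphertexts(c1, c2)) if b == 0]

# Constructed sample messages; the key is drawn fresh from the OS random source.
M1 = b"ATTACK AT DAWN"
M2 = b"ATTACK AT DUSK"
KEY = os.urandom(len(M1))
C1 = otp(M1, KEY)
C2 = otp(M2, KEY)   # key reuse: the mistake the text warns against

if __name__ == "__main__":
    print("c1 ^ c2 == m1 ^ m2:", xor_of_ciphertexts(C1, C2) == otp(M1, M2))
    print("positions where the messages agree:", positions_where_plaintexts_agree(C1, C2))
```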
Despite the problems associated with key distribution, the one-time pad has been used in the past in military and diplomatic contexts.
If every message we send requires a key as long as the message, and we never encrypt two messages with the same key, then encryption will not be very useful in everyday applications such as Internet transactions. This is because getting the key from one person to another will be an impossible task. After all one cannot encrypt it since that would require another key. This problem is called the key distribution problem. To simplify the key distribution problem we need to turn from perfectly secure encryption algorithms to ones which are, hopefully, computationally secure. This is the goal of modern cryptographers, where one aims to build systems such that