1. B504/I538: Introduction to Cryptography
Spring • Lecture 4
(2017—01—19)

2. Perfectly secret encryption
Also known as: “unconditionally secret encryption”
“information-theoretically secret encryption”

3. What is encryption?
A way to “scramble” messages so that only their intended recipient can “unscramble” them
m←Dec(c)
c←Enc(m)   c

4. What is encryption?
Defⁿ: An encryption scheme is a triple of PPT algorithms (Gen，Enc，Dec), where
Gen：1ℕ→Ｋ is a (randomized) key generation algorithm
Enc：Ｋ×Ｍ→Ｃ is a (randomized) encryption algorithm
Dec：Ｋ×Ｃ→Ｍ is a (deterministic) decryption algorithm
Convention: Write Enck(m), Deck(m) instead of Enc(k，m), Dec(k，m)
Ｋ is the key space
Ｍ is the message space
Ｃ is the ciphertext space
set of possible keys
set of possible plaintexts
set of possible ciphertexts

5. Pr[Deck(c)=m｜c←Enck(m)]=1.
Correctness
Defⁿ: An encryption scheme (Gen，Enc，Dec) with key space Ｋ and message space Ｍ is correct if ∀k∈Ｋ and ∀m∈Ｍ，
Pr[Deck(c)=m｜c←Enck(m)]=1.
Intuitively: Correctness is the property of actually being able to decrypt (if you know the right key)
Note: It is possible to allow correctness with probability less than one; e.g., Pr[Deck(c)=m｜c←Enck(m)]=1-ε(|k|).

6. Defining secrecy Recall: Three steps in modern crypto
propose a precise threat model
propose a construction
prove that breaking construction is “equivalent” to solving an intractable problem (or impossible)
Threat model (for now): “ciphertext-only attacks”
- Attacker can see a single ciphertext and nothing more

7. Defining secrecy Consider the following candidate “definitions”:
Attempt 1: Attacker cannot recover the secret key
NOPE! The identity scheme Enck(m)≔m satisfies this definition!
Attempt 2: Attacker cannot recover plaintext
NOPE! The scheme Enck(m0∥m1)≔m0∥(m1⊕k) satisfies this definition!
Attempt 3: Attacker learns nothing about the plaintext
YES! This is what we want ― but how can we make it rigorous?

8. Perfect secrecy (Definition 1)
Defⁿ: An encryption scheme (Gen，Enc，Dec) with message space Ｍ and ciphertext space Ｃ is perfectly secret if ∀m0,m1∈Ｍ (with |m0|=|m1|=n) and ∀c∈Ｃ,
Pr[Enck(m0)=c｜k←Gen(1n)]
= Pr[Enck(m1)=c｜k←Gen(1n)]

9. Perfect secrecy (Definition 2)
Suppose attacker Ａ knows some prior distribution on the message space Ｍ
That is, Ａ has prior knowledge about how likely different messages are
Let M and C≔Enck(M) be random variables describing the plaintext and ciphertext (assuming k←Gen(1n))
Defⁿ: An encryption scheme (Gen，Enc，Dec) is perfectly secret if ∀m∈Ｍ and ∀c∈Ｃ,
Pr[M=m｜C=c]=Pr[M=m]

10. Perfect secrecy (Definition 3)
one-time indistinguishability game
Challenger (C)
Attacker (A) 1n 1n
k←Gen(1n)
(m0，m1)
M0，m1∈Ｍ
(|m0|=|m1|=n)
b∊{0,1} c
c←Enck(mb) b'
Advonetime(A)≔∣Pr[b=b’]−½∣
Defⁿ: An encryption scheme (Gen，Enc，Dec) is perfectly secret Advonetime(A)=0 for every attacker A.

11. Gilbert Vernam (1890—1960) Engineer at AT&T Bell Labs
“Invented” stream ciphers and the one-time pad (OTP) in 1919
U.S. Patent 1,310,719
Actually, the patent was for a machine that encrypts a plaintext by (mechanically) XORing it with a secret key

12. One-time pad (“Vernam cipher”)
Messages, ciphertexts, and keys are all n-bit strings (that is, Ｍ=Ｃ=Ｋ={0，1}*)
Gen(1n) outputs a uniform random key k∊{0,1}s
Enck(m) outputs XOR of m and k; that is, c≔m⊕k
Deck(c) outputs XOR of c and k; that is, m≔c⊕k
Thm (OTP is correct): The one-time pad is correct．
Proof: Deck(Enck(m))
=Enck(m)⊕k
=(m⊕k)⊕k
=m⊕(k⊕k)
=m ☐

13. One-time pad example Encryption Plaintext: Key: Ciphertext: Decryption1 ⊕ 1 1 1 1 1 1 1 ⊕

14. Proof: Left as an exercise (see Assignment 1). ☐
Secrecy of the OTP
Thm (OTP is perfectly secret): The one-time pad is perfectly secret．
Proof: Left as an exercise (see Assignment 1). ☐

15. A better one-time pad (?)
Obs: If k=0ⁿ, then Enck(m)=m⊕0ⁿ=m!
Idea: Avoid ever revealing the plaintext by never choosing the pad k=0ⁿ!
Q: Is this a great idea, or what?
A: NO! It is a terrible idea!
If Pr[k=0s]=0, then Pr[M=m ｜C=m]=0, and the scheme cannot satisfy Definition 2 for perfect secrecy!

16. Perfect secrecy≠perfect encryption
Thm: If (Gen，Enc，Dec) is a perfectly secret encryption scheme, then |m|≤|k|.
Key must be at least as long as the message
This is not very practical!
Idea: Pick a key k←Gen(1ⁿ) and then keep using it forever!

17. Two-time pad Never, ever, EVER use OTP key more than once!!
Eavesdropper can compute c0⊕c1=m0⊕m1
There is sufficient redundancy in English to uniquely determine m0,m1 from m0⊕m1 with high probability!
(Seriously, don’t do it!)

18. Malleability of the OTP
The one-time pad is “malleable”
Given only c0←\Enck(m0), it is easy to produce ciphertext c1 such that m1←Enck(c1) has a “known relationship” with m0
No need to know anything about m0 or k, but…
Knowing m0 lets attacker to specify any m1 (of the same lenght) if its choosing

19. That’s all for today, folks!