Perfect Secrecy
An encryption scheme with message space and ciphertext space is perfectly secret if and where , it holds that:
I find this definition to be a thing of beauty. It is quite simple in logic: your idea about what a message may be at the start (a priori probability, right-hand side) should be equal to what you think that message is after seeing the ciphertext (a posteriori probability, left-hand side). If that is the case, seeing the cipher-text gave you no idea whatsoever.
EXAMPLE: Consider the same shift cipher example from before, and notice that . Since , we can say this scheme is not perfectly secret.
Theorem: Suppose be a scheme where , i.e. spaces have equal cardinality. This scheme offers perfect secrecy if and only if every key is used with probability and for every and there is a unique key such that .
Further note that we can convert the equation:
to be:
Here, because if not, why would be in ? This implies that .
Perfect Indistinguishability
We will now define a game between two players (an adversary and a challenger chal), and describe the security of an encryption scheme using it. Let an encryption scheme. We define an experiment as follows:
sequenceDiagram actor A actor chal A ->> chal: m_0, m_1 Note over chal: generate key k #8592; G() Note over chal: choose uniformly random b #8712; {0, 1} Note over chal: c #8592; E(k, m_b) chal ->> A: c Note over A: compute b' #8712; {0, 1} Note over A,chal: "A" wins if b' = b
We say that the experiment results in 1 if wins. The encryption scheme is perfectly indistinguishable if for every it holds that:
In otherwords, is no more successfull than flipping a coin when it comes to guessing which message Bob has encrypted. Another definition for perfect indistiguishability is that:
which means that the probability is the ciphertext of is equally likely to be that of .
Lemma: An encryption scheme is perfectly secret if and only if it is perfectly indistinguishable.
One-time Pad
One-time Pad is a symmetric encryption scheme found by Gilbert Vernam in 1917. The scheme is quite simple: it is defined over the spaces where the key is a random bit-string as long as the message.
To encrypt, you XOR (shown with ) the message with the private key, and to decyrpt you XOR the ciphertext with the private key.
Theorem: One-time Pad has perfect secrecy.
Proof: Let us look at the probabilities of how a ciphertext can be obtained given a message:
We know that and thus . This means that for any pair there is only one . As such, the numerator of the probability above, is equal to 1.
This is exactly the requirement of perfect secrecy, recalling the theorem given above. Q.E.D.
The Bad News
Having perfect secrecy is cool, but notice that there is something very dirty in the proof:
- Just by XOR'ing the message and it's ciphertext, we were able to obtain the private key!
- Furthermore, the key must be as long as the message itself, which is not really practical.
- You should also use the key only for one encryption (hence the name), which is yet another practicality issue.
- One-time Pad is perfectly secret only against cipher-text only attacks, it is very much vulnerable to other attacks. Especially if the attacker is active (i.e. can tamper with the message), you are going to have a bad day.
Well then, can we have some other encryption scheme that is perfectly secret? We will hear the bad news from Claude Shannon:
Theorem [Shannon]: For perfect secrecy, .
Proof: Assume that for perfect secrecy, . Define to be all possible decryptions of some ciphertext :
Clearly, . If then there is some such that . But if that is the case,
and thus this contradicts perfect secrecy. Q.E.D.
Computational Secrecy
Having "perfect" secrecy is a bit too strict. We could perhaps allow the adversary to crack our system as long as it would take them a million years or something. We need to consider practical scenarios to be applied in real-life! A great way to think about security in this case is to have security such that it costs the attacker more than what they would gain by breaking the system.
To this extent, we could:
- Allow security to fail with tiny probability (i.e. probability of failure is a negligible function)
- Adversaries are efficient (i.e. run in probabilistic polynomial time)
Our parameters fit the real world, but may not be practical in terms of theory. This is why we require an "asymptotic" approach.
Asymptotic Indistinguishability
Fix and define a randomized experiment as follows:
sequenceDiagram actor A actor chal A ->> chal: m_0, m_1 where |m_0| = |m_1| Note over chal: generate key k #8592; G(1^n) Note over chal: choose uniformly random b #8712; {0, 1} Note over chal: c #8592; E(k, m_b) chal ->> A: c Note over A: compute b' #8712; {0, 1} Note over A,chal: "A" wins if b' = b
We assume that both parties know the security parameter , and the adversary is allowed to know the message length. is indistinguishable if for all efficient there is a negligible function such that
EXAMPLE: Consider a scheme where the best attack is a brute-force search over the key space, and generates a uniform -bit key. The probability of guessing the correct key is . If runs in time , we have:
Since is negligible, is negligible and thus our scheme is asymptotically indistinguishable.
NOTE: A brute-force attack requires time to succeed with probability at most 1; a key-guessing attack requires time to succeed with probability .
Semantic Security
There is yet another definition for asymptotic secrecy, which is cool but also slightly harder to work with.
sequenceDiagram actor A actor chal rect rgb(220, 220, 240) Note over chal: chal is given b #8712; {0, 1} end A ->> chal: m_0, m_1 where |m_0| = |m_1| Note over chal: generate key k #8592; G(1^n) Note over chal: c #8592; E(k, m_b) chal ->> A: c Note over A: compute b' #8712; {0, 1} Note over A,chal: "A" wins if b' = b
Challenger is given a bit , and we denote the respective experiment as . Similarly, the probability of adversary winning the experiment is shown as . Now define the difference in probability of winning these experiments as:
If a scheme is semantically secure for all efficient , then is negligible. Note that this definition of looking at the difference between winning two experiments come in handy sometimes, such as when we are defining pseudo-random generators.