1. Shannon Secrecy
CSCI284/162 Spring 2009
GWU

2. CS284/Spring09/GWU/Vora/Shannon Secrecy
Latin Square
A Latin Square of order n is an n  n array where each integer from 1…n occurs exactly once in each row and column
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

3. Perfect Secrecy: Definition
A cryptosystem has perfect secrecy if
Pr[x|y] = Pr[x]  xP, yC
a posteriori probability = a priori probability
posterior = prior
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

4. general proof for secrecy of a system
p(m) = anything
p(k) = ?
p(m|c)
= p(c|m) p(m) / x p(c|x)p(x)
= k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

5. CS284/Spring09/GWU/Vora/Shannon Secrecy
Example: one-time pad
P = C = Z2n
dK=eK(x1, x2, …xn) = (x1+K1, x2+K2, …xn+Kn) mod 2
Show that it provides perfect secrecy if the keys are uniformly distributed
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

6. CS284/Spring09/GWU/Vora/Shannon Secrecy
one-time pad: proof
p(m) = anything
p(k) = constant
p(m|c) = p(c|m) p(m) / x p(c|x)p(x)
= k p(k|eK(m)=c) p(m) / k  x p(k|eK(x)=c) p(x)
= p(k) p(m) /  x p(k) p(x)
(because only one key per plaintext/ciphertext pair)
= p(m)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

7. A vulnerability of the one-time pad
Exercise 2.6
Suppose that y and y’ are two ciphertext elements in the one-time pad that were obtained by encrypting x and x’ respectively using the same key K. Prove that
x + x’ = y + y’ (mod 2)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

8. CS284/Spring09/GWU/Vora/Shannon Secrecy
Some proofs: Thm. 2.3
Thm 2.3 : Suppose the 26 keys in the shift cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the Shift Cipher has perfect secrecy.
P(m) = anything;
P(k) = 1/26;
P(c) = x P(c|x)P(x) = x P(k|x+k = c)P(x)
x P(k = x-c)P(x) = 1/26
P(m|c) = P(c|m)P(m)  26 = P(m)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

9. CS284/Spring09/GWU/Vora/Shannon Secrecy
Some proofs: Thm. 2.4
Thm 2.4: Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

10. CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4: Proof 
Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
Suppose every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c
Then the cryptosystem provides perfect secrecy
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

11. CS284/Spring09/GWU/Vora/Shannon Secrecy
: Proof
p(m) = anything
p(k) = 1/|K|
p(m|c) = p(c|m) p(m) / x p(c|x)p(x)
= k p(k|eK(m)=c) p(m) / x k p(k|eK(x)=c) p(x)
= 1/|K| p(m) / x 1/|K| p(x)
= p(m)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

12. CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof 
Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
Suppose the cryptosystem provides perfect secrecy.
Then every key is used with equal probability 1/|K|, and m P and c C, there is a unique key K such that eK(m) = c
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

13. CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof 
First show:
Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
Suppose the cryptosystem provides perfect secrecy.
Then m P and c C, there is a unique key K such that eK(m) = c
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

14. CS284/Spring09/GWU/Vora/Shannon Secrecy
If K1 and K2 take m to c, K1  K2
If p(m) = 0, then p(m|c) = 0 Consider a distribution for which p(m)  0
Then there is some c’ that m does not go to, under any K (as |K| = |P| = |C| )
Then p(m|c’) = 0  p(m)
Hence, m P and c C, there is at most one key K such that eK(m) = c
Because |K| = |P| = |C|, there is a unique key taking m to c
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

15. CS284/Spring09/GWU/Vora/Shannon Secrecy
Thm. 2.4 Proof 
Now show:
Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
Suppose the cryptosystem provides perfect secrecy.
Then every key is used with equal probability 1/|K|
Straightforward from perfect secrecy formula
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

16. Product Cryptosystems
Composition of two cryptosystems with same plaintext and ciphertext spaces: P = C
(P, P, K1, K2, E, D)
e (K1, K2) (x) = e K2(e K1(x))
d (K1, K2) (x) = d K1(d K2 (x))
Pr[K1 K2 ] = Pr[K1] Pr[K2]
e.g.: Shift  Affine; Shift  Substitution
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

17. Properties: Product Cryptosystems
A commutative cryptosystem is one in which
S  M = M  S
(S1  S2)  S3 = S1  (S2  S3) for all cryptosystems associative
S idempotent if S  S = S (then no point in composing)
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

18. CS284/Spring09/GWU/Vora/Shannon Secrecy
S  M = ?
M the multiplicative cipher with eK(x) = Ka mod m
(what property for K?)
K chosen equiprobably
S the shift cipher, eK(x) = K+a mod m
S  M = ?
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy

19. CS284/Spring09/GWU/Vora/Shannon Secrecy
Prob. 2.19
Suppose S1 is the Shift Cipher (with equiprobable keys) and S2 is the Shift Cipher with keys chosen wrt some pdf pK (not necc. equiprobable).
Prove that S1  S2 = S1
4/11/2019
CS284/Spring09/GWU/Vora/Shannon Secrecy