CSE 130 Lecture 04 - Modern Cryptography and Perfect Secrecy

The document discusses the core principles of modern cryptography, emphasizing the importance of formal definitions, assumptions, and proofs of security in designing and analyzing cryptographic schemes. It highlights the necessity of clear definitions for understanding security guarantees and the implications of assumptions in cryptographic proofs. The concept of perfect secrecy is introduced, culminating in the discussion of the one-time pad as a scheme that achieves this level of security.


CSE 130

Introduction to Cryptography
Lecture 4 – Modern Cryptography and Perfect Secrecy
Core principles of modern crypto
• Formal definitions
– Precise, mathematical model and definition of what security means

• Assumptions
– Most cryptographic proofs rely on currently unproven assumptions
about the algorithmic hardness of certain mathematical problems
– Clearly stated and unambiguous

• Proofs of security
– Move away from design-break-patch

Lec. Session 4.2


Importance of definitions
• Definitions are essential for the design, analysis, and sound
usage of cryptographic primitives
– Provide a clear description of what threats are in scope and
what security guarantees are desired

Lec. Session 4.3


Importance of definitions -- design
• Developing a precise definition forces the designer to think about
what they really want
– What is essential and (sometimes more important) what is not
» Often reveals subtleties of the problem

If you don’t understand what you want to achieve, how can you possibly know
when (or if) you have achieved it?

Lec. Session 4.4


Importance of definitions -- analysis
• Definitions enable meaningful analysis, evaluation, and
comparison of schemes
– Does a scheme satisfy the definition?
» Achieves the desired guarantees?
– What definition does it satisfy?
» Note: there may be multiple meaningful definitions!
» One scheme may be less efficient than another, yet satisfy a stronger
security definition

Lec. Session 4.5


Importance of definitions -- usage
• Definitions allow others to understand the security guarantees
provided by a scheme
– What notion of security is required for an application, and find an
encryption scheme satisfying that notion
• Enables schemes to be used as components of a larger system
(modularity)
– Enables one scheme to be substituted for another if they satisfy the
same definition

Lec. Session 4.6


Assumptions
• With few exceptions, cryptography currently requires
computational assumptions
– Statements that are not proven but are instead conjectured to be
true
– At least until we prove P ≠ NP (and even that would not be enough)

• Principle: any such assumptions should be made explicit

Lec. Session 4.7


Importance of clear assumptions
• Allow researchers to (attempt to) validate assumptions by
studying them
– The more the assumption is examined & tested without being
refuted, the more confident we are that the assumption is true

• Allow meaningful comparison between schemes based on
different assumptions
– Useful to understand minimal assumptions needed

• Practical implications if assumptions are wrong

• Enable proofs of security

Lec. Session 4.8


Why rely on low-level assumptions?
• An assumption that has been tested for several years is preferable
to a new, ad hoc assumption introduced with a new construction

• General preference for assumptions that are simpler to state
– Easier to study and to (potentially) refute

• Low-level assumptions can be used in other constructions

• Provide modularity
– If underlying building block turns out not to satisfy the stated
assumption, instantiate scheme using a different component

Lec. Session 4.9


Proofs of security
• Provide a rigorous proof that a construction satisfies a given
definition under certain specified assumptions
– Provides an iron-clad guarantee (relative to your definition and
assumptions!)

• Proofs are crucial in cryptography, where there is a malicious
attacker trying to “break” the scheme

Lec. Session 4.10


Limitations?
• Cryptography remains partly an art as well

• Given a proof of security based on some assumption, we still need to
instantiate the assumption
– Validity of various assumptions is an active area of research

• Proofs give an iron-clad guarantee of security
– …relative to the definition and the assumptions!

• Provably secure schemes can be broken!
– If the definition does not correspond to the real-world threat model
» I.e., if attacker can go “outside the security model”
» This happens a lot in practice
– If the assumption is invalid
– If the implementation is flawed
» This happens a lot in practice

Lec. Session 4.11


Nevertheless…
• This does not detract from the importance of having formal
definitions in place

• This does not detract from the importance of proofs of security

Lec. Session 4.12


Defining secure encryption
Crypto definitions (generally)
• Security guarantee/goal
– What we want to achieve (or what we want to prevent the attacker
from achieving)

• Threat model
– What (real-world) capabilities the attacker is assumed to have

Lec. Session 4.14


Recall
• A private-key encryption scheme is defined by a message space M
and algorithms (Gen, Enc, Dec):
– Gen (key-generation algorithm): generates k
– Enc (encryption algorithm): takes key k and message
m ∈ M as input; outputs ciphertext c
c ← Enc_k(m)
– Dec (decryption algorithm): takes key k and
ciphertext c as input; outputs m.
m := Dec_k(c)

Lec. Session 4.15


Private-key encryption

(Diagram: the sender holds key k and computes the ciphertext c ← Enc_k(m) from the message/plaintext m; the receiver holds the same key k and recovers m := Dec_k(c).)

Lec. Session 4.16
Threat models for encryption
• Ciphertext-only attack
– One ciphertext or many?
– Adversary observes a ciphertext and attempts to determine
information about the plaintext
• Known-plaintext attack
– Adversary learns plaintext/ciphertext pairs generated using some
key
– Goal: deduce information about the plaintext of some other ciphertext
produced using the same key
• Chosen-plaintext attack
– Adversary obtains plaintext/ciphertext pairs for plaintexts of its
choice
• Chosen-ciphertext attack
– Adversary obtains (some information about) the decryption of
ciphertexts of its choice
Lec. Session 4.17
Goal of secure encryption?

• How would you define what it means for encryption scheme (Gen,
Enc, Dec) over message space M to be secure?
– Against a (single) ciphertext-only attack

Lec. Session 4.18


Secure encryption?
• “Impossible for the attacker to learn the key”
– The key is a means to an end, not the end itself
– Necessary (to some extent) but not sufficient
– Easy to design an encryption scheme that
hides the key completely, but is insecure
– Can design schemes where most of the key is leaked, but the
scheme is still secure

• “Impossible for the attacker to learn the plaintext from the
ciphertext”
– What if the attacker learns 90% of the plaintext?

Lec. Session 4.19


Secure encryption?
• “Impossible for the attacker to learn any character of the plaintext
from the ciphertext”
– What if the attacker is able to learn (other) partial information about
the plaintext?
» E.g., salary is greater than $75K
– What if the attacker guesses a character correctly?

Lec. Session 4.20


The right definition

• “Regardless of any prior information the attacker has about the
plaintext, the ciphertext should leak no additional information
about the plaintext”
– How to formalize?

Lec. Session 4.21


Perfect secrecy
Probability review
• Random variable (r.v.): variable that takes on (discrete)
values with certain probabilities

• Probability distribution for a random variable specifies
the probabilities with which the variable takes on each
possible value
– Each probability must be between 0 and 1
– The probabilities must sum to 1

Lec. Session 4.23


Probability review
• Event: a particular occurrence in some experiment
– Pr[E]: probability of event E
• Conditional probability: probability that one event occurs, given
that some other event occurred
– Pr[A | B] = Pr[A and B]/Pr[B] (or Pr[A ∩ B]/Pr[B])
• Two random variables X, Y are independent if
for all x, y: Pr[X=x | Y=y] = Pr[X=x]

• Law of total probability: say E1, …, En are a partition of all
possibilities. Then for any A:
Pr[A] = Σ_i Pr[A and Ei] = Σ_i Pr[A | Ei] · Pr[Ei]
• Bayes’ theorem: Pr[A | B] = Pr[B | A] · Pr[A]/Pr[B]

Lec. Session 4.24


Notation

• K (key space) – set of all possible keys

• C (ciphertext space) – set of all possible ciphertexts

Lec. Session 4.25


Probability distributions
• Let M be the random variable denoting the value of the message
– M ranges over M
– Context dependent!
– Reflects the likelihood of different messages being sent, given the
attacker’s prior knowledge
– E.g.,
Pr[M = “attack today”] = 0.7
Pr[M = “don’t attack”] = 0.3

• Let K be a random variable denoting the key
– K ranges over K

• Fix some encryption scheme (Gen, Enc, Dec)
– Gen defines a probability distribution for K:
Pr[K = k] = Pr[Gen outputs key k]
Lec. Session 4.26
Probability distributions

• Random variables M and K are independent
– Require that parties don’t pick the key based on the message, or the
message based on the key

Lec. Session 4.27


Probability distributions
• Fix some encryption scheme (Gen, Enc, Dec), and some
distribution for M

• Consider the following (randomized) experiment:
1. Generate a key k using Gen
2. Choose a message m, according to the given distribution
3. Compute c ← Enc_k(m)

• This defines a distribution on the ciphertext!

• Let C be a random variable denoting the value of the
ciphertext in this experiment
Lec. Session 4.28
Example 1
• Consider the shift cipher
– So for all k ∈ {0, …, 25}, Pr[K = k] = 1/26

• Say Pr[M = ‘a’] = 0.7, Pr[M = ‘z’] = 0.3

• What is Pr[C = ‘b’] ?
– Either M = ‘a’ and K = 1, or M = ‘z’ and K = 2
– Pr[C=‘b’] = Pr[M=‘a’]·Pr[K=1] + Pr[M=‘z’]·Pr[K=2]
Pr[C=‘b’] = 0.7 · (1/26) + 0.3 · (1/26)
Pr[C=‘b’] = 1/26

Lec. Session 4.29


Example 1 (cont.)
• Consider the shift cipher
– So for all k ∈ {0, …, 25}, Pr[K = k] = 1/26

• Say Pr[M = ‘a’] = 0.7, Pr[M = ‘z’] = 0.3

• What is Pr[M = ‘a’ | C = ‘b’] ?
– Pr[M = ‘a’ | C = ‘b’] = (Pr[C = ‘b’ | M = ‘a’] · Pr[M=‘a’]) / Pr[C=‘b’]
= (0.7 · Pr[C = ‘b’ | M = ‘a’]) / (1/26)
= (0.7 · (1/26)) / (1/26)
= 0.7

Lec. Session 4.30


Example 2
• Consider the shift cipher, and the distribution on M given by
Pr[M = ‘one’] = ½, Pr[M = ‘ten’] = ½

• Pr[C = ‘rqh’] = ?
= Pr[C = ‘rqh’ | M = ‘one’] · Pr[M = ‘one’]
+ Pr[ C = ‘rqh’ | M = ‘ten’] · Pr[M = ‘ten’]
= 1/26 · ½ + 0 · ½ = 1/52

Lec. Session 4.31


Perfect secrecy (informal)
• “Regardless of any prior information the attacker has about the
plaintext, the ciphertext should leak no additional information
about the plaintext”

• Attacker’s information about the plaintext = attacker-known
distribution of M

• Perfect secrecy means that observing the ciphertext should not
change the attacker’s knowledge about the distribution of M

Lec. Session 4.32


Perfect secrecy (formal)
• Encryption scheme (Gen, Enc, Dec) with message space
M and ciphertext space C is perfectly secret if for every
distribution over M, every m ∈ M, and every c ∈ C with
Pr[C=c] > 0, it holds that

Pr[M = m | C = c] = Pr[M = m].

• I.e., the distribution of M does not change conditioned
on observing the ciphertext

Lec. Session 4.33


Example 3
• Consider the shift cipher, and the distribution Pr[M = ‘one’] = ½,
Pr[M = ‘ten’] = ½
• Take m = ‘ten’ and c = ‘rqh’

• Pr[M = ‘ten’ | C = ‘rqh’] = ?
= 0 (no shift k maps ‘ten’ to ‘rqh’)
≠ Pr[M = ‘ten’]

Lec. Session 4.34


Example 4
• Shift cipher;
Pr[M=‘hi’] = 0.3,
Pr[M=‘no’] = 0.2,
Pr[M=‘in’] = 0.5
• Pr[M = ‘hi’ | C = ‘xy’] = ?
= Pr[C = ‘xy’ | M = ‘hi’] · Pr[M = ‘hi’] / Pr[C = ‘xy’]
• Pr[C = ‘xy’ | M = ‘hi’] = 1/26
• Pr[C = ‘xy’]
= Pr[C = ‘xy’ | M = ‘hi’] · 0.3 + Pr[C = ‘xy’ | M = ‘no’] · 0.2
+ Pr[C=‘xy’ | M=‘in’] · 0.5
= (1/26) · 0.3 + (1/26) · 0.2 + 0 · 0.5
= 1/52

Lec. Session 4.35


Example 4, continued
• Pr[M = ‘hi’ | C = ‘xy’] = ?
= Pr[C = ‘xy’ | M = ‘hi’] · Pr[M = ‘hi’] / Pr[C = ‘xy’]
= (1/26) · 0.3 / (1/52)
= 0.6
≠ Pr[M = ‘hi’]

Lec. Session 4.36


Conclusion
• The shift cipher is not perfectly secret!
– At least not for 2-character messages

• How to construct a perfectly secret scheme?

Lec. Session 4.37


One-time pad
• Patented in 1917 by Vernam
– Recent historical research indicates it was invented (at least) 35
years earlier

• Proven perfectly secret by Shannon (1949)

Lec. Session 4.38


One-time pad
• Let M = {0,1}^n
• Gen: choose a uniform key k ∈ {0,1}^n
• Enc_k(m) = k ⊕ m
• Dec_k(c) = k ⊕ c

• Correctness:
Dec_k( Enc_k(m) ) = k ⊕ (k ⊕ m)
= (k ⊕ k) ⊕ m = m

Lec. Session 4.39


Poll
• What is the encryption of the plaintext 0101 0111 using the one-
time pad with key 1111 1111?
1. 0101 0111
2. 1111 1111
3. 1010 1000
4. 0101 1010

Lec. Session 4.40


One-time pad

(Diagram: an n-bit key is XORed with an n-bit message to produce an n-bit ciphertext.)

Lec. Session 4.41


Perfect secrecy of one-time pad
• Note that any observed ciphertext can correspond to any
message (why?)
– (This is necessary, but not sufficient, for perfect secrecy)

• So, having observed a ciphertext, the attacker cannot conclude for
certain which message was sent

Lec. Session 4.42


Perfect secrecy of one-time pad
• Fix arbitrary distribution over M = {0,1}^n, and
arbitrary m, c ∈ {0,1}^n
• Pr[M = m | C = c] = ?
= Pr[C = c | M = m] · Pr[M = m] / Pr[C = c]

• Pr[C = c]
= Σ_{m’} Pr[C = c | M = m’] · Pr[M = m’]
= Σ_{m’} Pr[K = m’ ⊕ c | M = m’] · Pr[M = m’]
= Σ_{m’} 2^{-n} · Pr[M = m’]
= 2^{-n}

Lec. Session 4.43


Perfect secrecy of one-time pad
• Fix arbitrary distribution over M = {0,1}^n, and arbitrary m, c ∈
{0,1}^n

• Pr[M = m | C = c] = ?
= Pr[C = c | M = m] · Pr[M = m]/Pr[C = c]
= Pr[K = m ⊕ c | M = m] · Pr[M = m] / 2^{-n}
= 2^{-n} · Pr[M = m] / 2^{-n}
= Pr[M = m]

Lec. Session 4.44
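As an added example (not part of the slides), the computations of Examples 1 to 4 and the one-time pad proof above, carried out exactly with Python fractions: Pr[C = c] by the law of total probability, Pr[M = m | C = c] by Bayes’ theorem, and the perfect-secrecy check over every message and ciphertext. The shift cipher, the one-time pad on integers, and the names EX1, EX3, EX4 and OTP3 (the last a constructed distribution on 3-bit messages) are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

# Exact (Fraction) version of the slides' computations, assuming a deterministic
# cipher enc(k, m) with a key drawn uniformly from `keys`.

def cond_prob(enc, keys, m, c):
    """Pr[C = c | M = m]: fraction of keys that map m to c."""
    return Fraction(sum(1 for k in keys if enc(k, m) == c), len(keys))

def ciphertext_prob(enc, keys, msg_dist, c):
    """Pr[C = c] by the law of total probability over the message distribution."""
    return sum(cond_prob(enc, keys, m, c) * pm for m, pm in msg_dist.items())

def posterior(enc, keys, msg_dist, m, c):
    """Pr[M = m | C = c] by Bayes' theorem; requires Pr[C = c] > 0."""
    pc = ciphertext_prob(enc, keys, msg_dist, c)
    if pc == 0:
        raise ValueError("Pr[C = c] = 0, posterior undefined")
    return cond_prob(enc, keys, m, c) * msg_dist[m] / pc

def is_perfectly_secret(enc, keys, msg_dist, ciphertexts):
    """Perfect secrecy for this distribution: Pr[M = m | C = c] == Pr[M = m]
    for every m and every c in `ciphertexts` with Pr[C = c] > 0."""
    for c in ciphertexts:
        if ciphertext_prob(enc, keys, msg_dist, c) == 0:
            continue
        if any(posterior(enc, keys, msg_dist, m, c) != pm
               for m, pm in msg_dist.items()):
            return False
    return True

# Shift cipher on lowercase letters, key k in {0, ..., 25}.
def shift_enc(k, m):
    return "".join(chr((ord(ch) - 97 + k) % 26 + 97) for ch in m)

SHIFT_KEYS = range(26)
TWO_LETTER = ["".join(p) for p in product("abcdefghijklmnopqrstuvwxyz", repeat=2)]

# One-time pad on n-bit strings encoded as integers, key uniform in {0,1}^n.
def otp_enc(k, m):
    return k ^ m

def otp_keys(n):
    return range(2 ** n)

# Message distributions from Examples 1, 3 and 4, plus a constructed (skewed)
# distribution on 3-bit messages for the one-time pad check.
EX1 = {"a": Fraction(7, 10), "z": Fraction(3, 10)}
EX3 = {"one": Fraction(1, 2), "ten": Fraction(1, 2)}
EX4 = {"hi": Fraction(3, 10), "no": Fraction(1, 5), "in": Fraction(1, 2)}
OTP3 = {0b000: Fraction(1, 2), 0b101: Fraction(1, 4), 0b111: Fraction(1, 4)}
```

Running `is_perfectly_secret(shift_enc, SHIFT_KEYS, EX4, TWO_LETTER)` reproduces the slides’ conclusion (False), while the same check on the one-time pad returns True for any distribution you substitute for OTP3.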
