Unconditionally Secure Ciphers with a Short Key for a Source with Unknown Statistics

Abstract

We consider the problem of constructing an unconditionally secure cipher with a short key for the case where the probability distribution of encrypted messages is unknown. Note that unconditional security means that an adversary with no computational constraints can only obtain a negligible amount of information (“leakage”) about an encrypted message (without knowing the key). Here, we consider the case of a priori (partially) unknown message source statistics. More specifically, the message source probability distribution belongs to a given family of distributions. We propose an unconditionally secure cipher for this case. As an example, one can consider constructing a single cipher for texts written in any of the languages of the European Union. That is, the message to be encrypted could be written in any of these languages.

1. Introduction

The concept of unconditional security is very attractive to cryptography and has found many applications since C. Shannon described it in his famous article [1]. The concept refers to secret-key cryptography involving three participants, Alice, Bob and Eve, where Alice wants to send a message to Bob in secret from Eve, who has the ability to read all correspondence between Alice and Bob. To accomplish this, Alice and Bob use a cipher with a secret key K (i.e., a word from some alphabet), which is known to them in advance (but not to Eve). When Alice wants to send some message m, she first encrypts m using key K and sends it to Bob, who in turn decrypts the received encrypted message using the key K. Eve also receives the encrypted message and tries to decrypt it without knowing the key. The system is called unconditionally secure, or perfect, if Eve, with computers and other equipment of unlimited power and unlimited time, cannot obtain any information about the encrypted message. Not only did C. Shannon provide a formal definition of perfect (or unconditional) secrecy, but he also showed that the so-called one-time pad (or Vernam cipher) is such a system. One of the specific properties of this system is the equivalence of the length of the secret key and the message (or its entropy). Moreover, C. Shannon proved that this property must be true for any perfect system. Quite often this property has limited practical application as many modern telecommunication systems forward and store megabytes of information and the requirement to have secret keys of the same length seems to be quite stringent. There are, therefore, many different approaches to overcoming this obstacle. These include the ideal systems proposed by C. Shannon [1], the so-called honeycomb cipher proposed by Jewels and Ristenpart [2], the so-called entropy security proposed by Russell and Wang [3] and some others developed in recent decades [4,5,6,7,8,9].

It is worth noting that quantum key distribution (QKD) is currently under active research, which can create an unconditional secure key for Alice and Bob, cf. [10,11,12].

The present work is concerned with entropically secure ciphers. It is important to note that an entropically secure cipher is not perfect, and Eve may obtain some information about the message—the property referred to as “leakage” (see the definition below), but this leakage can be made negligible. On the other hand, an entropically secure cipher makes it possible to significantly reduce the key length (compared to the perfect cipher).

The concept of entropically secure cipher was proposed in 2006 by Russell and Wang in the paper [3] where they also created the first entropically secure cipher. In their cipher, the length of the secret key is proportional to the length of the encrypted message if the min-entropy of that message is less than one bit per letter. Recently, the results of Russell and Wang have been developed such that the length of the secret key is independent of the length of the message in the case where the messages to be encrypted have a known probability distribution [9] (see the definition of the min-entropy (2) and Theorems 1 and 2 below for details).

In this paper, we consider the situation where encrypted messages obey an unknown (or partially unknown) probability distribution. We propose an entropically secure cipher for which the key length depends on the universal code (or data compressor) used for encoding the source and on the admissible leakage of the cipher. The construction of the cipher is based on entropically secure ciphers [3,5,8,9] and universal coding [13]. It is worth noting that the proposed cipher uses data compression and randomization, both of which are quite popular in unconditional security, cf. [14,15,16] and [16,17], respectively.

2. Definitions and Preliminaries

2.1. Basic Concepts

We consider the problem of symmetric encryption, where Alice wants to securely transmit a message to Bob. The messages are n-letter binary words, they obey a certain probability distribution p defined on the set ${\{0,1\}}^n,n\ge 1$. This distribution is only partially known, i.e., it is known that p belongs to some given set P, $P\subset R^n$. Alice and Bob have a shared secret key $K=K_1...K_k$, and Alice encrypts the message $M\in {\{0,1\}}^n$ using K and possibly some random bits. Then, she sends the word $cipher(M,K)$ to Bob, who decrypts the received $cipher(M,K)$ and obtains M. The third participant is a computationally unconstrained adversary Eve, who knows $cipher(M,K)$ and the distribution p, and wants to find some information about M without knowing K.

Russell and Wang [3] suggested a definition of entropic security which was generalized by Dodis and Smith [5] as follows: A probabilistic map Y is said to hide all functions on ${\{0,1\}}^n$ with leakage $ϵ$ if, for every adversary A, there exists some adversary $\widehat{A}$ (who does not know $Y\left(M\right)$) such that for all functions f,

$$|Pr\{A\left(Y\left(M\right)\right)=f\left(M\right)\}-Pr\{\widehat{A}\left(\right)=f\left(M\right)\}|\le ϵ.$$

(1)

(note that $\widehat{A}$ does not know $Y\left(M\right)$ and, in fact, she guesses the meaning of the function $f\left(M\right)$.) In what follows, the probabilistic map Y will be $cipher(M,K)$ and f is a map $f:{\{0,1\}}^n\to {\{0,1\}}^{*}$.

Definition 1.

The map $Y\left(\right)$ is called ϵ-entropically secure for family probability distributions P if $Y\left(\right)$ hides all functions on ${\{0,1\}}^n$ with leakage of ϵ, whenever $p\in P$.

Note that, in a sense, Definition 1 is a generalization of Shannon’s notion of perfect security. Namely, if we take $ϵ=0$ and Y$=cipher(M,K)$ and $f\left(x\right)=x$, we obtain that for any M

$$|Pr\{A\left(cipher(M,K)\right)=M\}-Pr\{\widehat{A}\left(\right)=M\}|=0$$

So, A and $\widehat{A}$ obtained the same result, but A estimates the probability based on $cipher(M,K)$, whereas $\widehat{A}$ does it without knowledge of $cipher(M,K)$. Thus, the entropic security (1) can be considered as a generalization of the Shannon’s perfect secrecy.

We will use another important concept, the notion of indistinguishability.

Definition 2.

A randomized map $Y:{\{0,1\}}^n\to {\{0,1\}}^n,n\ge 1,$ is ϵ-indistinguishable for some family of distributions $\mathbf{P}$ and $ϵ>0$ if there is a probability distribution G on ${\{0,1\}}^n$ such that for every probability distribution $p\in \mathbf{P}$ we have

$$SD\left(Y\right(M),G)\le ϵ,$$

where for two distributions $A,B$

$$SD(A,B)=\frac{1}{2}\sum _{U\in \mathbf{M}}|Pr\{A=U\}-Pr\{B=U\}|.$$

Importantly, G is independent of $Y\left(M\right)$.

Dodis and Smith [5] showed that the concepts of $ϵ$-entropic security and $ϵ$-indistinguishability are equivalent up to small parameter changes.

2.2. $ϵ$-Entropically Secure Ciphers for Distributions with Bounded Min-Entropy

In 2006 [3], the first entropically secure cipher was developed for probability distributions with a limited value of the so-called minimum entropy, which is defined as follows:

$$h_{min}\left(p\right)=-log\underset{a\in A}{max}p\left(a\right).$$

(2)

where p is a probability distribution, $log={log}_2$. The Russell and Wang [3] cipher was generalized and developed by Dodis and Smith [5] and their result can be formulated as follows:

Theorem 1

([5]). Let p be a probability distribution on ${\{0,1\}}^n,n>0,$ whose min-entropy is not less than $h,h\in [0,n].$ Then there exists an ϵ-entropically secure cipher with the k-bit key where

$$k=n-h+2log(1/ϵ)+2.$$

(3)

Let us denote this cipher as $ciphe{r}_{rw-ds}$.

In a sense, this cipher generalizes the perfect Shannon cipher as follows: In a perfect cipher, the key is a word from ${\{0,1\}}^n$, while in an entropically secure cipher, the key belongs to the $2^k$-element subset $K\subset$${\{0,1\}}^n$, which is a so-called small-biased set. Informally, this means that for any $m\le n$ and a uniformly chosen binary word $u\in {\{0,1\}}^m$, for any m positions $i_1{i}_2,...,i_m$, the probability that $K_{i_1},K_{i_2},....,K_{i_m}=u$ is close to $2^{-m}$. (This construction is based on some deep results in combinatorics [5,18,19].) Thus, the key length decreases from n to k. Note that the leakage $ϵ$ and hence the summand $2log(1/ϵ)+2$ depends on the size of the “small-biased set” $2^k$ (In general, a larger k implies a smaller $ϵ$.)

2.3. $ϵ$-Entropically Secure Ciphers with Reduced Secret Key

In equality (3), the linearly increasing summand $n-h$ depends on the min-entropy h. So, it seems natural to transform the set ${\{0,1\}}^n$ so as to reduce the min-entropy of the original distribution p and hence the summand $n-h$. In [9], this approach was realized as follows: let there be a set of probability distributions $\mathbf{P}$ defined on ${\{0,1\}}^n,n\ge 1$. The key part of the cipher is such a randomized map $\varphi :{\{0,1\}}^n\to {\{0,1\}}^{n^{*}},n^{*}\ge n$, that there exists a map ${\varphi }^{-1}$ (i.e $\forall u$${\varphi }^{-1}\left(\varphi \left(u\right)\right)=u$) and a min-entropy of the transform probability distribution ${\pi }_p$ is close to $n^{*}$ (here the distribution ${\pi }_p$ is such that $p\left(u\right)={\sum }_{v:{\varphi }^{-1}\left(v\right)=u}{\pi }_p\left(v\right)$). And then the $ciphe{r}_{rw-ds}$ can be applied to $\varphi \left(m\right)$ with a shorter key, because the difference $n^{*}-h_{min}\left({\pi }_p\right)$ will be less than $n-h_{min}\left(p\right)$, see (3). Thus, the smaller ${sup}_{p\in P}(n^{*}-h_{min}\left({\pi }_p\right))$, the shorter the secret key. The described cipher is based on data compression and randomization and denoted in [9] by $ciphe{r}_{c\&r}$. The following theorem describes its properties.

Theorem 2

([9]). Suppose there is a family P of probability distributions defined on ${\{0,1\}}^n$ and there is a randomized mapping $\varphi :{\{0,1\}}^n\to {\{0,1\}}^{n^{*}},n^{*}$$\ge n$ for which there exists a mapping ${\varphi }^{-1}$ and let

$$\underset{p\in P}{sup}(n^{*}-h_{min}\left({\pi }_p\right))\le \Delta .$$

(4)

for some Δ. Then,

(i) 

$ciphe{r}_{c\&r}$ is ϵ-entropically secure with secret key length $\Delta +2log(1/ϵ)+2$, and

(ii) 

$ciphe{r}_{c\&r}$ is ϵ-indistinguishable with secret key length $\Delta +2log(1/ϵ)+6$.

Now we consider a simple example to illustrate the basic idea. Let $n=2$, $p\left(00\right)=1/2$, $p\left(01\right)=1/4$, $p\left(10\right)=p\left(11\right)=1/8$. Obviously, $h_{min}\left(p\right)=1$ and $\Delta =(2-1)$. The map $\varphi$ is constructed in two steps: first, “compress” the letters till $-logp\left(a\right)$, that is, in our example, $00\to 0$, $01\to 10$ and $10\to 110,11\to 111$. Secondly, randomize as follows: 00 uniformly $\to \{000,001,010,011\}$, $01\to \{100,101\}$ and two last letters as $\left\{110\right\}$ and $\left\{111\right\}$ correspondingly. As a result, we obtain a set ${\{0,1\}}^3$ subject to a uniform distribution whose min-entropy is equal to three, and hence $\Delta =3-3=0$. Thus, the key length becomes 1 bit shorter, but the message length is longer. It is proved that such a “bloated” cipher is $ϵ$-entropically secure [9].

Obviously, the key length depends on the efficiency of the compression method, or code. Thus, in the case of known statistics (i.e., known p), the key length is $\Delta +2log(1/ϵ)+2$, where $\Delta$ is 1 or 2 and depends on the compression code chosen. If p is unknown, but the messages are known to be generated by a Markov chain with known memory, then $\Delta =O(logn)$ (and the key length is $O(logn)+2log(1/ϵ)$ [9]).

2.4. Universal Coding

The problem of constructing a single code for multiple probability distributions (information sources) is well known in information theory, and there are currently dozens of effective universal codes based on different ideas and approaches. It is worth noting that, at present, there are dozens universal codes, which are the basis for so-called archivers (e.g., ZIP). The first universal code for Bernoulli and Markov processes was proposed by Fitinghof [20], and then Krichevsky found an asymptotically optimal code for these processes [13,21]. Other universal codes include the PPM universal code [22], which is used together with the arithmetic code [23], the Lempel-Ziv (LZ) codes [24], the Burrows–Wheeler transformation [25], which is used together with the book-stack code (or MTF) [26] (see also [27,28]), grammar codes [29,30] and some others [31,32,33,34].

The universal code c has to“compress” sequences $x=x_1...x_n$ that obey the distribution $p\in \mathbf{P}$ down to Shannon entropy p, that is $h_{Sh}\left(p\right)$, and the difference between $E_p\left(\right|c\left(x\right)\left|\right)-h_{Sh}\left(p\right)$ is called redundancy $r\left(p\right)$ [13] (here $E_p$ is the expectation and $\left|u\right|$ is the legth of u). In [35], an algorithm was proposed to construct a code $c_{opt}$ whose redundancy is minimal on $\mathbf{P}$, that is, $r_{p_{opt}}={inf}_{p\in \mathbf{P}}r\left(p\right)$. In [35], it was shown that $r_{p_{opt}}$ is equal to the capacity of a channel whose input alphabet is $\mathbf{P}$, whose output alphabet is the alphabet on which distributions from $\mathbf{P}$ are defined (in our case it is the alphabet ${\{0,1\}}^n$), and the lines of the channel matrix are probability distributions from $\mathbf{P}$ (see also [36] for the history of this discovery). This fact is important, because it allows us to use known methods to compute the channel capacity to find the optimal code.

In this paper, we will use the so-called Shtarkov maximum likelihood code $c_{Sht}$ [37], whose construction is much simpler, and its redundancy is often close to that of the optimal code. This code is described as follows: first define

$$p_{max}\left(u\right)=\underset{p\in \mathbf{P}}{sup}p\left(u\right),u\in {\{0,1\}}^n,S_{\mathbf{P}}=\sum _{u\in {\{0,1\}}^n}{p}_{max}\left(u\right),q\left(u\right)=p_{max}\left(u\right)/S_{\mathbf{P}}.$$

(5)

Clearly,

$$\forall u:p\left(u\right)/q\left(u\right)\le S_{\mathbf{P}}.$$

(6)

Shtakov proposed to build code $c_{Sht}$ for which $|c_{Sht}\left(u\right)|=\lceil -logq\left(u\right)\rceil .$ (Such a code exists, see [38]).

Claim. If the set P is finite, then $S_P\le \left|P\right|$.

Proof. 

From the definition (5) we can see that

$$S_P=\sum _{u\in {\{0,1\}}^n}{p}_{max}\left(u\right)\le \sum _{u\in {\{0,1\}}^n}\left(\sum _{p\in \mathbf{P}}p\left(u\right)\right).$$

Clearly, ${\sum }_{p\in \mathbf{P}}p\left(u\right)=1$ and from this and the previous inequality we obtain

$$S_P=\sum _{u\in {\{0,1\}}^n}{p}_{max}\left(u\right)\le \sum _{u\in {\{0,1\}}^n}\left(\sum _{p\in \mathbf{P}}p\left(u\right)\right)=\sum _{p\in \mathbf{P}}\left(\sum _{u\in {\{0,1\}}^n}p\left(u\right)\right)=\sum _{p\in \mathbf{P}}1=\left|\mathbf{P}\right|.$$

Claim is proven. □

Note that this claim is true when P contains probability distributions corresponding to several languages.

3. The Cipher

Now we are going to construct an $ϵ$-entropically secure cipher $c_{c\&r}$ for the case of unknown statistics, i.e., there exists some set of probability distributions P generating words from ${\{0,1\}}^n,n\ge 1,$ and the constructed cipher should be applicable to messages obeying any $p\in \mathbf{P}$ with a leakage no larger than $ϵ$. In short, we apply the general method from [9] to the probability distribution q (5). In detail, Alice wants to send messages $m\in {\{0,1\}}^n$ to Bob, and they both know in advance that m can obey any probability distribution p of the set of distributions $\mathbf{P}$. The cipher algorithm is as follows.

Constructing the cipher. We describe all calculations in the following steps:

(i)

Compute the distribution q according to (5) and order the set $q\left(u\right),u\in {\{0,1\}}^n$. (Denote the ordered probabilities as $q_1,q_2,...,q_N$, $N=2^n$ and let $\nu \left(u\right)=i$ for which $q\left(u\right)=q_i$.)

(ii)

Encode the “letters” $1,2,...,N$ with the distribution q by the trimmed Shannon code from [9]. Denote this code $\lambda$ and note that

$$\forall i:\left|\lambda \left(i\right)\right|<-log{q}_i+2$$

(7)

and $\lambda$ is prefix-free, that is, for any i and j, $i\ne j$, neither $\lambda \left(i\right)$ is a prefix $\lambda \left(j\right)$, and $\lambda \left(j\right)$ is a prefix $\lambda \left(i\right)$ [9].

(iii)

Build the following randomized map $\varphi$ First, find $n^{*}={max}_i\lambda \left(i\right)$ and then define for $u\in {\{0,1\}}^n,$

$$\varphi \left(u\right)=\lambda \left(\nu \left(u\right)\right)r_{\left|\lambda \right(\nu \left(u\right)|+1}...r_{n^{*}},$$

(8)

where $r_j$ are equiprobable independent binary digits.

(iv)

For the desired leakage $ϵ$ build $ciphe{r}_{rw-ds}$ with secret key length

$$\lceil log{S}_{\mathbf{P}}\rceil +2log(1/ϵ)+\delta ,$$

(9)

where $\delta =2$ for $ϵ$-entropically secure cipher and $\delta =6$ for $ϵ$- indistinguishable one.

It is worth noting that Alice and Bob (and Eve) can perform all the calculations described independently of each other.

Use of the cipher. Suppose Alice and Bob have a randomly chosen secret key K, $\left|K\right|=k$, and Alice wants to send Bob a message m. To accomplish this, she computes $ciphe{r}_{c\&r}(m,K)$, as described above, and sends it to Bob.

Bob receives the word $ciphe{r}_{c\&r}(m,K)$ and decrypts it with the key K. As a result, he obtains the word $\varphi \left(m\right)=\lambda (\nu \left(m\right)r_{\left|\lambda \right(\nu \left(m\right)|+1}...r_{n^{*}}$ whose prefix $\lambda \left(\nu \right(m\left)\right)$ defines the message m (this is possible because $\lambda$ is prefix-free).

The properties of this cipher are described in the following theorem.

Theorem 3.

Suppose there is a family P of probability distributions defined on ${\{0,1\}}^n$ and some $ϵ>0$. If the described $ciphe{r}_{c\&r}$ is applied then,

(i) 

The $ciphe{r}_{c\&r}$ is ϵ-entropically secure with secret key length $\lceil log{S}_{\mathbf{P}}\rceil +2log(1/ϵ)+4$, and

(ii) 

The $ciphe{r}_{c\&r}$ is ϵ–indistinguishable with secret key length $\lceil log{S}_{\mathbf{P}}\rceil +2log(1/ϵ)+8$.

Proof. 

For any $p\in \mathbf{P}$, the random map $\varphi$ defines a probability distribution ${\pi }_p\left(v\right),v\in {\{0,1\}}^{*}$ as follows: for any $u\in {\{0,1\}}^n$ and $v\in \varphi \left(u\right)$

$${\pi }_p\left(v\right)=p\left(u\right)2^{-(n^{*}-|\lambda \left(\nu \left(u\right)\right)\left|\right)},$$

see (8). From definitions $\varphi$ and (8), (7) we obtain

$${\pi }_p\left(v\right)=p\left(m\right)2^{-(n^{*}-\left|\lambda \left(\nu \left(m\right)\right)\right|)}\le p\left(m\right)2^{-(n^{*}-(log{q}_{\nu \left(m\right)}+2))}$$

for any $m\in {\{0,1\}}^n$ and $v\in \varphi \left(m\right)\subset {\{0,1\}}^{n^{*}}$. Then,

$$-log{\pi }_p\left(v\right)\ge -logp\left(m\right)+(n^{*}-(log{q}_{\nu \left(m\right)}+2\ge$$

$$log{S}_{\mathbf{P}}+log{q}_{\nu \left(m\right)}-n^{*}-log{q}_{\nu \left(m\right)}+2=log{S}_{\mathbf{P}}+2-n^{*}$$

for any m and $v\in \varphi \left(m\right)\subset {\{0,1\}}^{n^{*}}$. So, $h_{min}\left({\pi }_p\right)={min}_{v\in {\{0,1\}}^{n^{*}}}-log{\pi }_p\left(v\right)\ge log{S}_{\mathbf{P}}+2-n^{*}$ and, hence, ${sup}_{p\in \mathbf{P}}(n^{*}-h_{min}\left({\pi }_p\right))\le log{S}_{\mathbf{P}}+2$. From (4) (Theorem 2) and the description of the cipher (9), we can see that the $ciphe{r}_{c\&r}$ is

(i)

$ϵ$-entropically secure with a secret key of length $\lceil log{S}_{\mathbf{P}}\rceil +2log(1/ϵ)+4$, and

(ii)

$ϵ$-indistinguishable with a secret key of length $\lceil log{S}_{\mathbf{P}}\rceil +2log(1/ϵ)+8$.

□

4. Conclusions

We described the cipher for a family of probability distributions $\mathbf{P}$ defined on the set ${\{0,1\}}^n,n\ge 1,$ for which the length of the secret key does not depend directly on n, but depends on $\mathbf{P}$. For example, if $\mathbf{P}$ is finite, the key length is less than $log\left|\mathbf{P}\right|+2log(1/ϵ)+O\left(1\right)$ and hence independent of n. This example includes the case where one needs to have the same cipher for texts written in different languages. Here, the size of the set $\mathbf{P}$ is equal to the number of languages. Thus, in some practically interesting cases, the extra length of the secret key is quite small.