Perfect Secrecy

1. Transition to Modern Cryptography

1.1. From Craft to Science

The lecture then moves from probability to the historical origins of modern cryptography. Earlier ciphers were designed more like secret military craft than as a public scientific discipline. This changed in the mid-20th century, especially around and after World War II, when many civilian mathematicians and engineers became involved in cryptanalysis.

1.2. Historical Weakness of Classical Ciphers

The central weakness of historical ciphers was that ciphertexts preserved properties of plaintexts. Examples mentioned in the lecture include:

  • frequency information surviving in substitution and Vigenère-like systems
  • Enigma’s property that a letter never encrypted to itself

These examples motivate the need for a rigorous notion of secrecy: ciphertext should not reveal exploitable information about plaintext.

2. Shannon’s Formalization of Encryption

Claude Shannon is introduced as the person who first formalized encryption rigorously in scientific terms. In modern language, an encryption scheme consists of:

  • KeyGen: a randomized algorithm that outputs a key
  • Enc: an algorithm, possibly randomized, that takes a key and a message and outputs a ciphertext
  • Dec: usually a deterministic algorithm that takes a key and ciphertext and outputs a message

The key space, message space, and ciphertext space are usually sets of bitstrings.

2.1. Syntax

An encryption scheme consists of three algorithms \[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \] and three spaces \[ \mathcal K,\ \mathcal M,\ \mathcal C. \]

  • \(\mathsf{KeyGen}\): a randomized algorithm outputting a key \[ K \in \mathcal K. \]
  • \(\mathsf{Enc}(K,m)\): a randomized algorithm taking \[ K \in \mathcal K,\quad m \in \mathcal M \] and outputting \[ c \in \mathcal C. \]
  • \(\mathsf{Dec}(K,c)\): a deterministic algorithm taking \[ K \in \mathcal K,\quad c \in \mathcal C \] and outputting \[ m \in \mathcal M. \]

2.2. Randomized Encryption

A notable point in the lecture is that encryption may need to be randomized. If encryption were deterministic, then encrypting the same message twice under the same key would produce the same ciphertext twice, leaking information immediately. This is given as the intuitive reason why randomization matters.

3. Correctness of an Encryption Scheme

3.1. Informal Meaning

If a key is generated honestly and a message is encrypted with that key, then decrypting the ciphertext with the same key should recover the original message.

3.2. Correctness

The scheme is correct if for every message \(m \in \mathcal M\), \[ \Pr[\mathsf{Dec}(K,\mathsf{Enc}(K,m)) = m] = 1, \qquad \text{where } K \leftarrow \mathsf{KeyGen}(). \]

  • The probability is over all random choices made by \(\mathsf{KeyGen}\) and \(\mathsf{Enc}\).
  • So correctness is a perfect correctness condition: decryption must always recover the plaintext.

3.3. Why the Formal Statement Must Be Probabilistic

Because KeyGen and Enc may be randomized, their outputs are random variables. Therefore, correctness cannot simply be stated as an ordinary equation. It must be stated probabilistically: for every message \(m\), over all random choices made by KeyGen and Enc, decryption returns \(m\) with probability \(1\).

This is an important conceptual step: once algorithms are randomized, even basic properties must be phrased as probability-1 statements about random variables.

4. Shannon’s Definition of Perfect Secrecy

4.1. Intuition

A secure encryption scheme should reveal no partial information about the plaintext. The adversary should not learn any property of the message from the ciphertext—not its exact content, not its language, and not any useful predicate about it. The only exception mentioned is message length, or at least an upper bound on it, since ciphertext size itself inevitably leaks some length information.

4.2. Core Definition

Shannon’s idea is that the ciphertext random variable should be independent of the plaintext random variable. Crucially, this must hold for any distribution of messages, not just for English text or some other special source. This is presented as Shannon’s crucial conceptual advance.

4.3. Equivalent Probability Form

Let \(M\) be any random variable supported on the message space \(\mathcal M\), and let \[ C = \mathsf{Enc}(K,M), \qquad \text{where } K \leftarrow \mathsf{KeyGen}(). \]

The scheme is perfectly secret if \(M\) and \(C\) are independent.

Equivalently, for every \(m \in \mathcal M\) and every \(c \in \mathcal C\) with \[ \Pr[\mathsf{Enc}(K,M)=c] > 0, \] it holds that \[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \Pr[M=m]. \]

Interpretation:

  • the right-hand side is the prior probability of the message
  • the left-hand side is the posterior probability after seeing the ciphertext
  • Observing a ciphertext does not change the posterior probability of any message.
  • So the ciphertext leaks no information whatsoever about the plaintext.
  • This is a purely information-theoretic notion: no computational restriction on the adversary appears anywhere.

Perfect secrecy means that seeing the ciphertext does not improve one’s ability to guess the message at all. It is no better than blind guessing.

5. The One-Time Pad

The lecture then introduces the one-time pad as the central example of perfect secrecy in action.

5.1. Definition

For fixed length \(n\):

  • key space \(\mathcal K = \{0,1\}^n\)
  • message space \(\mathcal M = \{0,1\}^n\)
  • ciphertext space \(\mathcal C = \{0,1\}^n\)

Algorithms:

  • KeyGen: choose \(K \leftarrow_{\$} \{0,1\}^n\)
  • Enc: output \(C = K \oplus M\)
  • Dec: output \(M = K \oplus C\)

5.2. Relation to the Vigenère Cipher

The lecturer explicitly points out that the one-time pad is essentially the Vigenère idea over the binary alphabet \(\{0,1\}\), but with one decisive difference: the key is not repeated. The key is as long as the message and is used only once. That is exactly why it is called a one-time pad.

6. Why the One-Time Pad Is Correct

Correctness is immediate: \[ \mathsf{Dec}(K,\mathsf{Enc}(K,M)) = K \oplus (K \oplus M) = (K \oplus K) \oplus M = 0^n \oplus M = M. \]

So decryption simply cancels the key algebraically.

7. Why the One-Time Pad Is Perfectly Secret

7.1. Goal of the Proof

For any message distribution \(M\), and uniformly random key \(K\), show that \(M\) and \(K \oplus M\) are independent. Equivalently, show: \[ \Pr[M=m \mid K\oplus M = c] = \Pr[M=m] \] for all messages \(m\) and ciphertexts \(c\).

7.2. Main Proof Technique

Use Bayes’ rule: \[ \Pr[M=m \mid K\oplus M=c] = \frac{ \Pr[K\oplus M=c \mid M=m]\Pr[M=m] }{ \Pr[K\oplus M=c] }. \]

Now simplify the numerator. Conditioning on \(M=m\) makes the message fixed, so: \[ \Pr[K\oplus M=c \mid M=m] = \Pr[K\oplus m=c]. \]

The event \(K\oplus m=c\) is equivalent to \[ K = c \oplus m. \]

Hence, \[ \Pr[K\oplus M=c \mid M=m] = \Pr[K=c\oplus m]. \]

Since \(K\) is uniform on \(\{0,1\}^n\), and \(c\oplus m\) is just one fixed \(n\)-bit string, \[ \Pr[K=c\oplus m] = 2^{-n}. \]

So the numerator becomes \[ \Pr[K\oplus M=c \mid M=m]\Pr[M=m] = 2^{-n}\Pr[M=m]. \]

Now compute the denominator using the law of total probability: \[ \Pr[K\oplus M=c] = \sum_{m' \in \{0,1\}^n} \Pr[K\oplus M=c \mid M=m']\Pr[M=m']. \]

For each \(m'\), the same argument as above gives \[ \Pr[K\oplus M=c \mid M=m'] = \Pr[K=c\oplus m'] = 2^{-n}. \]

Therefore, \[ \Pr[K\oplus M=c] = \sum_{m' \in \{0,1\}^n} 2^{-n}\Pr[M=m']. \]

Factor out \(2^{-n}\): \[ \Pr[K\oplus M=c] = 2^{-n} \sum_{m' \in \{0,1\}^n} \Pr[M=m']. \]

Since the probabilities over all messages sum to \(1\), \[ \sum_{m' \in \{0,1\}^n}\Pr[M=m'] = 1, \] we get \[ \Pr[K\oplus M=c] = 2^{-n}. \]

Substitute numerator and denominator back into Bayes’ rule: \[ \Pr[M=m \mid K\oplus M=c] = \frac{2^{-n}\Pr[M=m]}{2^{-n}} = \Pr[M=m]. \]

Thus, \[ \Pr[M=m \mid K\oplus M=c] = \Pr[M=m], \] so the ciphertext reveals no information about the message. Therefore, the one-time pad is perfectly secret.

7.3. Intuition of the Proof

The core idea is that for any fixed message \(m\) and any fixed ciphertext \(c\), there is exactly one key \[ K = c \oplus m \] that maps \(m\) to \(c\). Since the key is uniform, every message is equally compatible with the observed ciphertext. Therefore, seeing \(c\) does not change the distribution of \(M\).
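The one-time pad of Sections 5 to 7, as an added example that is not part of the lecture notes: n-bit strings are Python ints, the key comes from the OS CSPRNG, and for small \(n\) the code checks correctness exhaustively and recomputes the posterior \(\Pr[M=m \mid C=c]\) of 7.2 exactly (with `Fraction`) for a constructed, deliberately skewed message distribution. The names `keygen`, `enc`, `dec`, `joint_distribution`, `ciphertext_marginal`, `posterior`, `satisfies_definition1` and `EXAMPLE_PRIOR` are this example's own.

```python
import secrets
from fractions import Fraction


def keygen(n: int) -> int:
    """KeyGen: a uniformly random n-bit key (as an int), from the OS CSPRNG."""
    return secrets.randbits(n)


def enc(key: int, msg: int) -> int:
    """Enc: C = K xor M (both n-bit ints)."""
    return key ^ msg


def dec(key: int, ct: int) -> int:
    """Dec: M = K xor C."""
    return key ^ ct


def correct_for_all(n: int) -> bool:
    """Correctness (Section 3): Dec(K, Enc(K, m)) == m for every key and message.
    Exhaustive over all 2^n keys and 2^n messages, so only sensible for small n."""
    return all(dec(k, enc(k, m)) == m
               for k in range(2 ** n) for m in range(2 ** n))


def joint_distribution(n: int, prior: dict) -> dict:
    """Pr[M = m, C = c] for C = Enc(K, M), K uniform over {0,1}^n and M ~ prior.
    prior maps message -> Fraction; exact arithmetic, no floating point."""
    pk = Fraction(1, 2 ** n)
    joint = {}
    for m, pm in prior.items():
        for k in range(2 ** n):
            c = enc(k, m)  # exactly one key maps m to each c, so each term is pm * 2^-n
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * pk
    return joint


def ciphertext_marginal(n: int, prior: dict) -> dict:
    """Pr[C = c] by the law of total probability (the denominator in 7.2)."""
    pc = {}
    for (m, c), p in joint_distribution(n, prior).items():
        pc[c] = pc.get(c, Fraction(0)) + p
    return pc


def posterior(n: int, prior: dict) -> dict:
    """Pr[M = m | C = c] = Pr[M = m, C = c] / Pr[C = c]  (Bayes' rule, 7.2)."""
    pc = ciphertext_marginal(n, prior)
    return {(m, c): p / pc[c] for (m, c), p in joint_distribution(n, prior).items()}


def satisfies_definition1(n: int, prior: dict) -> bool:
    """Definition 1 (4.3): posterior == prior for every m and every c that can occur."""
    return all(p == prior[m] for (m, c), p in posterior(n, prior).items())


# Constructed, deliberately skewed message distribution over 3-bit messages:
# the proof must hold for *any* prior, not only a uniform one.
EXAMPLE_PRIOR = {0b000: Fraction(1, 2), 0b101: Fraction(1, 3), 0b111: Fraction(1, 6)}

if __name__ == "__main__":
    k = keygen(3)
    assert dec(k, enc(k, 0b101)) == 0b101
    print("correct for all keys/messages:", correct_for_all(3))
    print("Pr[C=c] for every c:", sorted(ciphertext_marginal(3, EXAMPLE_PRIOR).items()))
    print("Definition 1 holds:", satisfies_definition1(3, EXAMPLE_PRIOR))
```

Every ciphertext comes out with probability exactly \(2^{-n} = 1/8\), and the posterior of each message equals its prior, which is the identity the proof in 7.2 establishes.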

8. Why It Is Called “One-Time”

The security proof only works if the key is used at most once. If the same key is reused, the scheme effectively turns into a repeated-key Vigenère-type cipher and becomes insecure. So the one-time pad is perfectly secret only under strict one-time key usage.

9. Practical Drawback of the One-Time Pad

The obvious drawback is that it consumes as much key material as message material. This means the real problem is shifted from secure message transmission to secure key distribution. The lecturer describes this as shifting the burden into an offline phase: keys can be prearranged in advance and later consumed when secure communication becomes necessary.

10. Limitation of Shannon’s Definition

Although perfect secrecy is mathematically elegant and easy to prove for the one-time pad, the lecture points out that Shannon’s definition is not the most convenient one for modern protocol design.

Main limitations mentioned:

  • it talks about independence of random variables rather than explicit adversaries
  • it does not directly model an attacker’s computational abilities: it is purely information-theoretic and says nothing about efficient adversaries
  • it is awkward to work with when building larger protocols
  • it does not naturally generalize to weaker but more efficient security notions

10.1. What should a good attack goal look like?

The lecture motivates a minimal attack goal using historical ciphers:

  • Suppose the adversary knows that the ciphertext encrypts one of two messages.
  • Can the adversary tell which one?

This is already enough to break secrecy.

The lecturer also emphasizes that secrecy should protect not only obvious bits of the message, such as the first bit, but any predicate of the message, for example:

  • the first bit,
  • the parity of the message,
  • or any other yes/no property of the plaintext.

So distinguishing between two candidate messages is a natural minimal attack model.

11. Teaser for the Next Lecture

The lecture ends by motivating a shift toward distinguishing attacks. Instead of asking whether an adversary can recover the exact plaintext, one may ask whether the adversary can distinguish which of two possible messages was encrypted. This perspective will be used to refine Shannon’s approach into a more usable modern security framework.

12. Perfect secrecy: Definition 2

12.1. Definition

An encryption scheme is perfectly secret if for all \[ m,m' \in \mathcal M \quad \text{and} \quad c \in \mathcal C, \] it holds that \[ \Pr[\mathsf{Enc}(K,m)=c] = \Pr[\mathsf{Enc}(K,m')=c], \qquad \text{where } K \leftarrow \mathsf{KeyGen}(). \]

12.2. Interpretation

  • Fix a ciphertext \(c\).
  • Then the probability that \(c\) arises from encrypting \(m\) is exactly the same as the probability that \(c\) arises from encrypting \(m'\).
  • Thus, from seeing \(c\), the adversary cannot distinguish whether the plaintext was \(m\) or \(m'\).

12.3. Remark from the lecture

This is already closer to an attack-based view:

  • it says ciphertexts do not help with distinguishing messages,
  • but it still does not explicitly mention an adversary.

13. Perfect secrecy: Definition 3

13.1. Motivation

The next step is to make the adversary explicit.

The lecture stresses that future security notions will restrict the adversary’s computational resources, so we want a form of definition that is compatible with algorithmic adversaries.

13.2. Ciphertext indistinguishability experiment

Let \(\mathcal A\) be a possibly unbounded randomized algorithm, called the adversary.

Define the game:

  1. \(\mathcal A\) outputs two messages \[ m_0,m_1. \]
  2. The challenger samples \[ K \leftarrow \mathsf{KeyGen}(), \qquad b \leftarrow_{\$} \{0,1\}. \]
  3. The challenger computes \[ c^\star \leftarrow \mathsf{Enc}(K,m_b) \] and sends \(c^\star\) to \(\mathcal A\).
  4. The adversary outputs a guess \[ b'. \]
  5. The challenger outputs

    \begin{equation*} \mathsf{IND}_{\mathcal A} = \begin{cases} 1 & \text{if } b'=b,\\ 0 & \text{otherwise.} \end{cases} \end{equation*}

13.3. Baseline success probability

Since \(b\) is uniform, an adversary that just guesses at random already wins with probability \[ \frac{1}{2}. \]

This is the unavoidable baseline attack.

13.4. Definition 3

The scheme is perfectly secret if for every adversary \(\mathcal A\), \[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac{1}{2}, \] where the probability is taken over all random choices in the experiment.

13.5. Interpretation

  • The adversary is as powerful as possible: it may even be computationally unbounded.
  • Yet it still cannot do better than random guessing.
  • This formulation is very useful because it explicitly states:
    • what the adversary is allowed to choose,
    • what the adversary gets to see,
    • and what counts as a successful attack.

13.6. Why this game is considered a minimal attack model

The lecture argues:

  • The challenger reveals almost everything except one bit: whether the encrypted message is \(m_0\) or \(m_1\).
  • So the ciphertext only needs to hide that final one-bit choice.
  • If an adversary can break a stronger setting, it should also be able to break this minimal one.

14. Equivalence of the three definitions

14.1. Theorem

Definitions 1, 2, and 3 of perfect secrecy are equivalent.

The lecture proves this in three directions: \[ (2) \Rightarrow (1),\qquad (3) \Rightarrow (2)\ \text{via contraposition},\qquad (1) \Rightarrow (3). \]

15. Proof that \((2) \Rightarrow (1)\)

15.1. Goal

Assume Definition 2. Show Definition 1: for every message distribution \(M\), \[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \Pr[M=m] \] for all \(m \in \mathcal M\) and \(c \in \mathcal C\) with \(\Pr[\mathsf{Enc}(K,M)=c] > 0\).

15.2. Step 1: apply Bayes’ rule

\[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \frac{\Pr[\mathsf{Enc}(K,M)=c \mid M=m]\Pr[M=m]} {\Pr[\mathsf{Enc}(K,M)=c]}. \]

Conditioning on \(M=m\) removes the randomness of the message variable, so \[ \Pr[\mathsf{Enc}(K,M)=c \mid M=m] = \Pr[\mathsf{Enc}(K,m)=c]. \]

Hence \[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \frac{\Pr[\mathsf{Enc}(K,m)=c]\Pr[M=m]} {\Pr[\mathsf{Enc}(K,M)=c]}. \]

15.3. Step 2: use Definition 2

Fix ciphertext \(c\). Definition 2 says that for every message \(m\), \[ \Pr[\mathsf{Enc}(K,m)=c] \] has the same value.

Call that common value \[ \delta_c. \]

So for all \(m\), \[ \Pr[\mathsf{Enc}(K,m)=c] = \delta_c. \]

15.4. Step 3: compute the denominator

By the law of total probability, \[ \Pr[\mathsf{Enc}(K,M)=c] = \sum_{\bar m \in \mathcal M} \Pr[\mathsf{Enc}(K,M)=c \mid M=\bar m]\Pr[M=\bar m]. \]

Again, conditioning on \(M=\bar m\) yields \[ \Pr[\mathsf{Enc}(K,M)=c \mid M=\bar m] = \Pr[\mathsf{Enc}(K,\bar m)=c] = \delta_c. \]

Therefore \[ \Pr[\mathsf{Enc}(K,M)=c] = \sum_{\bar m \in \mathcal M} \delta_c \Pr[M=\bar m] = \delta_c \sum_{\bar m \in \mathcal M}\Pr[M=\bar m] = \delta_c. \]

15.5. Step 4: conclude

Substituting into Bayes’ rule, \[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \frac{\delta_c \Pr[M=m]}{\delta_c} = \Pr[M=m]. \]

Thus Definition 1 holds.

16. Proof that \((3) \Rightarrow (2)\) via contraposition

16.1. Strategy

Instead of proving \[ (3)\Rightarrow(2), \] prove \[ \neg(2)\Rightarrow \neg(3). \]

So assume Definition 2 fails.

16.2. Negation of Definition 2

Then there exist \[ m,m' \in \mathcal M,\quad c \in \mathcal C \] such that \[ \Pr[\mathsf{Enc}(K,m)=c] \neq \Pr[\mathsf{Enc}(K,m')=c]. \]

Without loss of generality, relabel the two messages as \(m_0,m_1\) so that \[ \Pr[\mathsf{Enc}(K,m_0)=c] > \Pr[\mathsf{Enc}(K,m_1)=c]. \]

16.3. Construct the adversary

Define adversary \(\mathcal A\) as follows:

  • send \[ m_0,m_1 \] to the challenger;
  • receive \(c^\star\);
  • if \[ c^\star = c, \] output \[ b' = 0; \]
  • otherwise, output a uniformly random bit.

This adversary uses the special ciphertext \(c\) witnessing the failure of Definition 2.

16.4. Why this works

Let \[ p = \Pr[c^\star = c \mid b=0] = \Pr[\mathsf{Enc}(K,m_0)=c], \] and \[ p' = \Pr[c^\star = c \mid b=1] = \Pr[\mathsf{Enc}(K,m_1)=c]. \]

By assumption, \[ p > p'. \]

Now analyze the success probability.

16.4.1. Case \(b=0\)

If \(c^\star=c\), the adversary outputs \(0\), hence wins with probability \(1\). If \(c^\star \neq c\), it guesses randomly, hence wins with probability \(1/2\).

So \[ \Pr[\mathsf{IND}_{\mathcal A}=1 \mid b=0] = 1 \cdot p + \frac12(1-p) = \frac12 + \frac12 p. \]

16.4.2. Case \(b=1\)

If \(c^\star=c\), the adversary still outputs \(0\), so it loses with probability \(1\), i.e. wins with probability \(0\). If \(c^\star \neq c\), it guesses randomly, so wins with probability \(1/2\).

Thus \[ \Pr[\mathsf{IND}_{\mathcal A}=1 \mid b=1] = 0 \cdot p' + \frac12(1-p') = \frac12 - \frac12 p'. \]

16.4.3. Combine the two cases

Since \(b\) is uniform,

\begin{equation*} \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12 \Pr[\mathsf{IND}_{\mathcal A}=1 \mid b=0] + \frac12 \Pr[\mathsf{IND}_{\mathcal A}=1 \mid b=1]. \end{equation*}

Substituting,

\begin{equation*} \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12 \left(\frac12 + \frac12 p\right) + \frac12 \left(\frac12 - \frac12 p'\right) = \frac12 + \frac14(p-p'). \end{equation*}

Since \(p>p'\), \[ \Pr[\mathsf{IND}_{\mathcal A}=1] > \frac12. \]

So there exists an adversary that does better than random guessing. Hence Definition 3 fails.

Therefore, \[ (3)\Rightarrow(2). \]

17. Proof that \((1) \Rightarrow (3)\)

17.1. Setup

Assume Definition 1. Take any adversary \(\mathcal A\). We must show \[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12. \]

The lecture simplifies first by assuming \(\mathcal A\) is deterministic. This is only for convenience; the argument extends to randomized adversaries by absorbing the adversary’s random coins into the probability distribution.

17.2. Induced message distribution

If \(\mathcal A\) is deterministic, it always outputs the same two challenge messages \[ m_0,m_1. \]

Now define a message distribution \(M\) by \[ \Pr[M=m_0]=\frac12,\qquad \Pr[M=m_1]=\frac12, \] and \[ \Pr[M=\tilde m]=0 \quad\text{for all } \tilde m \notin \{m_0,m_1\}. \]

Then the challenger’s procedure “pick \(b \leftarrow \{0,1\}\) and encrypt \(m_b\)” is equivalent to “sample \(M\) from this distribution and encrypt \(M\)”.

So \[ c^\star = \mathsf{Enc}(K,M). \]

17.3. View the adversary’s guess as a function of the ciphertext

Since \(\mathcal A\) is deterministic, after receiving \(c^\star\) it outputs some bit \[ b' = b'(c^\star). \]

Let \[ m(c^\star) \] denote the message corresponding to this guess:

  • \(m(c^\star)=m_0\) if \(b'(c^\star)=0\),
  • \(m(c^\star)=m_1\) if \(b'(c^\star)=1\).

Then the event that the adversary wins is exactly \[ \{\mathsf{IND}_{\mathcal A}=1\} = \{M = m(c^\star)\}. \]

17.4. Compute the winning probability

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \Pr[M = m(c^\star)]. \]

Apply the law of total probability over all ciphertexts \(c\): \[ \Pr[M = m(c^\star)] = \sum_{c \in \mathcal C} \Pr[M=m(c) \mid c^\star=c]\Pr[c^\star=c]. \]

By Definition 1, ciphertext and message are independent, so for every \(c\), \[ \Pr[M=m(c) \mid c^\star=c] = \Pr[M=m(c)]. \]

But under the distribution \(M\), both \(m_0\) and \(m_1\) have probability \(1/2\), so in either case \[ \Pr[M=m(c)] = \frac12. \]

Therefore, \[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \sum_{c \in \mathcal C} \frac12 \Pr[c^\star=c] = \frac12 \sum_{c \in \mathcal C}\Pr[c^\star=c] = \frac12. \]

Hence no adversary can beat random guessing, and Definition 3 holds.

18. Shannon’s theorem: short keys are impossible for perfect secrecy

18.1. Question

OTP has perfect secrecy, but its key is as long as the message. Can one do better and still remain perfectly secret?

18.2. Theorem

Let \[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \] be a perfectly secret encryption scheme with key space \(\mathcal K\) and message space \(\mathcal M\). Then \[ \left| \mathcal K \right| \ge \left| \mathcal M \right|. \]

So perfectly secret encryption requires the key space to be at least as large as the message space.

18.3. Proof idea from the lecture

The proof is by contraposition.

Assume \[ \left| \mathcal K \right| < \left| \mathcal M \right|. \]

Show that the scheme cannot be perfectly secret.

The strategy is to find two messages \(m_0,m_1\) and a ciphertext \(c\) such that \[ \Pr[\mathsf{Enc}(K,m_0)=c] > 0 \qquad\text{but}\qquad \Pr[\mathsf{Enc}(K,m_1)=c] = 0. \]

This directly contradicts Definition 2, which requires \[ \Pr[\mathsf{Enc}(K,m_0)=c] = \Pr[\mathsf{Enc}(K,m_1)=c] \] for all \(m_0,m_1,c\).

So if the key space is smaller than the message space, perfect secrecy is impossible.

18.4. Proof

We prove the contrapositive.

Assume \[ \left| \mathcal K \right| < \left| \mathcal M \right|. \] We show that the scheme cannot be perfectly secret.

Fix any ciphertext \(c \in \mathcal C\). For a message \(m \in \mathcal M\), consider the set of keys under which \(m\) can be encrypted to \(c\): \[ S_c(m) := \{\, K \in \mathcal K \mid \Pr[\mathsf{Enc}(K,m) = c] > 0 \,\}, \] where the probability is over the randomness of \(\mathsf{Enc}\) (for deterministic \(\mathsf{Enc}\) this is simply the condition \(\mathsf{Enc}(K,m) = c\)).

Since decryption must be correct, for a fixed key \(K\) and fixed ciphertext \(c\), there can be at most one message \(m\) for which \[ \mathsf{Enc}(K,m) = c \] is possible.

Indeed, suppose there were two distinct messages \(m \neq m'\) with \[ \mathsf{Enc}(K,m)=c \qquad\text{and}\qquad \mathsf{Enc}(K,m')=c \] both possible. Then perfect correctness would imply \[ m = \mathsf{Dec}(K,c) = m', \] a contradiction.

Therefore, for fixed \(c\), the sets \[ S_c(m) \subseteq \mathcal K \] are pairwise disjoint as \(m\) ranges over \(\mathcal M\).

Now there are only \(|\mathcal K|\) keys, but \(|\mathcal M| > |\mathcal K|\) messages. Since the sets \(S_c(m)\) are pairwise disjoint subsets of \(\mathcal K\), not all of them can be nonempty.

Hence, for every fixed ciphertext \(c\), there exists at least one message \(m_c \in \mathcal M\) such that \[ S_c(m_c)=\varnothing. \]

Equivalently, \[ \Pr[\mathsf{Enc}(K,m_c)=c]=0. \]

Now choose any message \(m\) such that \[ \Pr[\mathsf{Enc}(K,m)=c] > 0. \] (If no such message exists, then \(c\) never occurs as a ciphertext and we pick a different \(c\); since \(\mathsf{Enc}\) always outputs some ciphertext, at least one \(c \in \mathcal C\) occurs with positive probability, and the argument above applies to it.)

Then we have found two messages \(m\) and \(m_c\) such that \[ \Pr[\mathsf{Enc}(K,m)=c] > 0 \qquad\text{but}\qquad \Pr[\mathsf{Enc}(K,m_c)=c]=0. \]

But Definition 2 of perfect secrecy requires that for all messages \(m,m' \in \mathcal M\) and all ciphertexts \(c \in \mathcal C\), \[ \Pr[\mathsf{Enc}(K,m)=c] = \Pr[\mathsf{Enc}(K,m')=c]. \]

This is violated.

Therefore the scheme is not perfectly secret.

So we have shown the contrapositive: \[ \left| \mathcal K \right| < \left| \mathcal M \right| \;\Longrightarrow\; \text{the scheme is not perfectly secret}. \]

Hence, if the scheme is perfectly secret, then necessarily \[ \left| \mathcal K \right| \ge \left| \mathcal M \right|. \]

\(\square\)

18.5. Intuition

  • A perfectly secret scheme must make every ciphertext look equally plausible for every message.
  • If there are too few keys relative to messages, there are simply not enough different encryptions available to maintain this perfect symmetry.
  • Therefore perfect secrecy necessarily requires “large key material”.
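An added example, not from the lecture, that ties together the game of 13.2, the adversary of 16.3 and Shannon's bound of 18: it computes \(\Pr[\mathsf{IND}_{\mathcal A}=1]\) exactly for a given scheme and adversary, checks Definition 2 by comparing ciphertext distributions, and runs the witness adversary against a constructed flawed scheme that XORs like the one-time pad but draws its key from only \(2^{n-1}\) keys, so \(|\mathcal K| < |\mathcal M|\). All names (`FULL_KEYS`, `SHORT_KEYS`, `ct_distribution`, `definition2_witness`, `ind_win_probability`, `witness_adversary`) are this example's own.

```python
import itertools
from fractions import Fraction

N = 3                                   # bit length; keys, messages, ciphertexts are ints
MESSAGES = list(range(2 ** N))          # |M| = 8
FULL_KEYS = list(range(2 ** N))         # |K| = 8 = |M|: the genuine one-time pad
SHORT_KEYS = list(range(2 ** (N - 1)))  # |K| = 4 < |M|: constructed flawed scheme (top key bit 0)


def enc(key: int, msg: int) -> int:
    """Enc: C = K xor M. The flaw of SHORT_KEYS lies in the key space, not here."""
    return key ^ msg


def ct_distribution(keys: list, msg: int) -> dict:
    """Pr[Enc(K, m) = c] for K uniform over `keys`, as a dict c -> Fraction."""
    pk = Fraction(1, len(keys))
    dist = {}
    for k in keys:
        c = enc(k, msg)
        dist[c] = dist.get(c, Fraction(0)) + pk
    return dist


def definition2_holds(keys: list) -> bool:
    """Definition 2 (12.1): the ciphertext distribution is identical for every message."""
    dists = [ct_distribution(keys, m) for m in MESSAGES]
    return all(d == dists[0] for d in dists[1:])


def definition2_witness(keys: list):
    """Return (m0, m1, c) with Pr[Enc(K,m0)=c] > Pr[Enc(K,m1)=c], as in 16.2,
    or None when Definition 2 holds."""
    dists = {m: ct_distribution(keys, m) for m in MESSAGES}
    for m0, m1 in itertools.permutations(MESSAGES, 2):
        for c, p in dists[m0].items():
            if p > dists[m1].get(c, Fraction(0)):
                return m0, m1, c
    return None


def ind_win_probability(keys: list, m0: int, m1: int, guess) -> Fraction:
    """Exact Pr[IND_A = 1] in the game of 13.2: b uniform, K uniform over `keys`.
    `guess(c_star)` returns Pr[b' = 0 | c_star], so randomized adversaries are allowed."""
    total = Fraction(0)
    for b, mb in ((0, m0), (1, m1)):
        for c, p in ct_distribution(keys, mb).items():
            p_zero = guess(c)                   # probability the adversary answers 0
            win = p_zero if b == 0 else 1 - p_zero
            total += Fraction(1, 2) * p * win   # Pr[b] * Pr[c* = c | b] * Pr[win | b, c]
    return total


def witness_adversary(c_special: int):
    """The adversary of 16.3: answer 0 on the special ciphertext, else a uniform bit."""
    return lambda c: Fraction(1) if c == c_special else Fraction(1, 2)


def shannon_bound_holds(keys: list) -> bool:
    """Necessary condition from Section 18: |K| >= |M|."""
    return len(keys) >= len(MESSAGES)


if __name__ == "__main__":
    for name, keys in (("OTP", FULL_KEYS), ("short-key scheme", SHORT_KEYS)):
        w = definition2_witness(keys)
        print(name, "| Definition 2:", definition2_holds(keys), "| |K|>=|M|:", shannon_bound_holds(keys))
        if w:
            m0, m1, c = w
            print("  witness", w, "-> adversary wins with", ind_win_probability(keys, m0, m1, witness_adversary(c)))
```

For the short-key scheme the witness is \(m_0=0, m_1=4, c=0\) with \(p=1/4\) and \(p'=0\), and the adversary wins with exactly \(\tfrac12 + \tfrac14(p-p') = 9/16\), matching 16.4.3; against the genuine pad the same adversary wins with exactly \(1/2\).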

19. Additional remarks emphasized in the lecture

19.1. Perfect secrecy is information-theoretic

  • It does not rely on hardness assumptions.
  • It is secure even against computationally unbounded adversaries.
  • But precisely because it is so strong, it forces severe efficiency limitations.

19.2. Why Definition 3 is especially useful

The game-based definition is the most operational one:

  • it explicitly names the adversary,
  • it explicitly specifies the adversary’s resources,
  • it explicitly states the attack goal,
  • and it will later generalize naturally to security notions against efficient adversaries.

19.3. Side remark: full key exposure destroys secrecy

The lecture briefly notes:

  • if the entire key is known to the adversary, then secrecy is impossible in the ordinary model;
  • there are more advanced models, such as incompressibility-style settings, where one may still recover limited guarantees under storage bounds, but this is outside the scope of the lecture.

20. Final takeaway

  • Encryption schemes are defined by \((\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})\) and must satisfy correctness.
  • Shannon’s Definition 1 says ciphertext and message are independent.
  • The one-time pad satisfies perfect secrecy.
  • Reusing the OTP key destroys the argument.
  • Definition 2 reformulates perfect secrecy as equality of ciphertext distributions across messages.
  • Definition 3 reformulates it as a game: no adversary can distinguish between encryptions of two chosen messages with success better than \[ \frac12. \]
  • The three definitions are equivalent.
  • Perfect secrecy is extremely strong but expensive: by Shannon’s theorem, perfectly secret encryption needs keys at least as large as the message space.

Author: Lowtroo

Created on: 2026-04-21 Tue 14:00
