Information Theoretic Security
Information Theoretic Security
Information Theoretic Security
Ninghui Li
Pr[PT = M0 | CT = C0 ] = Pr[PT = M0 ].
That is, after observing the ciphertext is C0 , the posterior probability that the plaintext is M0 remains the
same as the prior probability that the plaintext is M0 .
An example of an information-theoretically secure cryptosystem is the one-time pad.
2 One-Time Pad
The One-Time Pad encryption
• M = C = K = {0, 1}n , where M is the plaintext (message) space, C is the ciphertext space, K is the
key space, they are all n-bit binary strings.
• K = K ←− K (meaning that K is drawn uniformly random from K, in other words, each key in K is
drawn with equal probability).
• EK [M ] = E[K, M ] = K ⊕ M .
• DK [C] = D[K, C] = K ⊕ C.
1
One-Time Pad has Perfect Secrecy
Proof. For any probability distribution from which the plaintext is drawn, for any plaintext-ciphertext
pair (M0 , C0 ), we need to show that Pr[PT = M0 | CT = C0 ] = Pr[PT = M0 ].
Since that the encryption key is drawn uniformly random from the key space, and there is only one key
that encrypts any given plaintext into any given cipher text (the key is given by the XOR of the plaintext and
the ciphertext),
# of keys in K that encrypts M0 into C0 1
Pr[CT = C0 | PT = M0 ] = = n
# of total keys in K 2
a b c
K1 1 2 3
K2 2 3 4
K3 3 4 1
This does not have perfect secrecy because observing that the ciphertext is 1, one knows that the plaintext
cannot be b.
That is, for any distribution of plaintext in which Pr[PT = b] ̸= 0, we have Pr[PT = b | CT = 1] = 0,
and thus Pr[PT = b | CT = 1] ̸= Pr[PT = b].