Unconditionally secure short key ciphers based on data compression and randomization

Abstract

We consider the problem of constructing an unconditionally secure cipher for the case when the key length is less than the length of the encrypted message. (Unconditional security means that a computationally unbounded adversary cannot obtain information about the encrypted message without the key). In this article, we propose a cipher based on data compression and randomisation in combination with entropically-secure encryption and apply it to the following two cases: (i) the statistics of encrypted messages are known; and (ii) statistics are unknown, but messages are generated by a Markov chain with known memory (or connectivity). In both cases, the length of the secret key is negligible compared to the length of the message.

Appendix

1.1 The definition of a stationary ergodic Markov chain with memory, or connection, m

First we give a definition of stationary ergodic processes. The time shift T on \(\Lambda ^\infty \) is defined as \(T(x_1,x_2,x_3,\dots )=(x_2,x_3,\dots )\). A process P is called stationary if it is T-invariant: \(P(T^{-1}B)=P(B)\) for every Borel set \(B\subset \Lambda ^\infty \). A stationary process is called ergodic if every T-invariant set has probability 0 or 1: \(P(B)=0\) or 1 whenever \(T^{-1}B=B\) [2, 19].

We denote by \(M_\infty (\Lambda )\) the set of all stationary and ergodic sources and let \(M_0(\Lambda ) \subset M_\infty (\Lambda )\) be the set of all i.i.d. processes. We denote by \(M_m(\Lambda ) \subset M_\infty (\Lambda )\) the set of Markov sources of order (or with memory, or connectivity) not larger than \(m, \, m \ge 0.\) By definition \(\mu \in M_m(\Lambda )\) if

$$\begin{aligned} \mu (x_{t+1}= & {} a_{i_1} | x_{t} = a_{i_2}, x_{t-1} = a_{i_3},\, \ldots , x_{t-m+1} = a_{i_{m+1}}, \ldots ) \\= & {} \mu (x_{t+1} = a_{i_1} | x_{t} = a_{i_2}, x_{t-1} = a_{i_3},\, \ldots , x_{t-m+1} = a_{i_{m+1}}) \end{aligned}$$

for all \(t \ge m \) and \(a_{i_1}, a_{i_2}, \ldots \, \in \Lambda .\)

1.2 Entropically secure ciphers

In this part we describe one entropically secure cipher from [5], part 3.2.

Let \(\{ h_i \}_{i \in I}\) be some family of functions \( h_i: \{0, 1\}^k \rightarrow \{0, 1\}^n\), indexed over the set \(I = \{0, 1 \}^r\). By definition, a collection of functions from n-bit words to n-bits is XOR-universal if:

$$\begin{aligned} \forall a, x, y \in \{0,1\}^n, x \ne y, Pr \{h_i(x) \oplus h_i(y) = a \} \le \frac{1}{2^{n-1}} \,, \end{aligned}$$

if i is randomly chosen from I according to the uniform distribution (\(\oplus \) is symbol-by-symbol modulo 2 summation). Also, suppose that there is a XOR-universal collection of functions whose description is public and, hence, it is known to Alice, Bob and Eve.

Dodis and Smith consider an encryption scheme of the form

$$\begin{aligned} E(m,K,i) = (i; m \oplus h_i(K)) \end{aligned}$$

where i is randomly chosen from I according to the uniform distribution, and K is a k-bit secret key. Note that m is a ciphered message of length n, i is the number of \(h_i\) in the set I and |i| \(=\log | I | = r\). (Dodis and Smith notice that this scheme is a special low-entropy, probabilistic one-time pad). Decryption is obviously possible, since the description of the function \(h_i\) is public. It is shown [5] that this cipher is \(\epsilon \)-entropically secure for \( |k| \ge n - h_{min} + 2 \log (1/\epsilon ) +2 \) if the function family \(\{h_i\}_{i\in I }\) is XOR-universal.

An example of XOR-universal family is as follows [5]: View \(\{0, 1\}^n \) as \({\mathcal {F}} = GF(2^n)\), and embed the key set \(\{0, 1\}^k\) as a subset of \({\mathcal {F}}\). For any \(i \in {\mathcal {F}}\), let \(h_i(K) = i K\), with multiplication in \({\mathcal {F}}\). This yields a family of linear maps \(\{h_i\} \) with \(2^n\) members. For this family the complexity of ciphering and deciphering is \(O(n \log n \log \log n)\) [5].

It is important to note that the length of the secret key (k) depends only on the min-entropy of the probability distribution and does not depend on other parameters of the distribution.