Intuitively, the one-time pad provides perfect secrecy. In Section 4.4, we gave a mathematical meaning to this statement. In the present section, we repeat some of the arguments of that section and phrase some of the ideas in terms of entropy.
Suppose we have a cipher system with possible plaintexts , ciphertexts , and keys . Each plaintext in has a certain probability of occurring; some are more likely than others. The choice of a key in is always assumed to be independent of the choice of plaintext. The possible ciphertexts in have various probabilities, depending on the probabilities for and .
If Eve intercepts a ciphertext, how much information does she obtain for the key? In other words, what is ? Initially, the uncertainty in the key was . Has the knowledge of the ciphertext decreased the uncertainty?
Suppose we have three possible plaintexts: with probabilities .5, .3, .2 and two keys with probabilities .5 and .5. Suppose the possible ciphertexts are . Let be the encryption function for the key . Suppose
Let denote the probability that the plaintext is , etc. The probability that the ciphertext is is
Similarly, we calculate and .
Suppose someone intercepts a ciphertext. This gives some information on the plaintext. For example, if the ciphertext is , then it can be deduced immediately that the plaintext was . If the ciphertext is , the plaintext was either or .
We can even say more: The probability that a ciphertext is is .25, so the conditional probability that the plaintext was , given that the ciphertext is is
Similarly, and . We can also calculate
Note that the original probabilities of the plaintexts were .5, .3, and .2; knowledge of the ciphertext allows us to revise the probabilities. Therefore, the ciphertext gives us information about the plaintext. We can quantify this via the concept of conditional entropy. First, the entropy of the plaintext is
The conditional entropy of given is
Therefore, in the present example, the uncertainty for the plaintext decreases when the ciphertext is known.
On the other hand, we suspect that for the one-time pad the ciphertext yields no information about the plaintext that was not known before. In other words, the uncertainty for the plaintext should equal the uncertainty for the plaintext given the ciphertext. This leads us to the following definition and theorem.
A cryptosystem has perfect secrecy if .
The one-time pad has perfect secrecy.
Proof. Recall that the basic setup is the following: There is an alphabet with letters (for example, could be 2 or 26). The possible plaintexts consist of strings of characters of length . The ciphertexts are strings of characters of length . There are keys, each consisting of a sequence of length denoting the various shifts to be used. The keys are chosen randomly, so each occurs with probability .
Let be a possible ciphertext. As before, we calculate the probability that occurs:
Here denotes the ciphertext obtained by encrypting using the key . The sum is over those pairs such that encrypts to . Note that we have used the independence of and to write joint probability as the product of the individual probabilities.
In the one-time pad, every key has equal probability , so we can replace in the above sum by . We obtain
We now use another important feature of the one-time pad: For each plaintext and each ciphertext , there is exactly one key such that . Therefore, every occurs exactly once in the preceding sum, so we have . But the sum of the probabilities of all possible plaintexts is 1, so we obtain
This confirms what we already suspected: Every ciphertext occurs with equal probability.
Now let’s calculate some entropies. Since and each have equal probabilities for all possibilities, we have
We now calculate in two different ways. Since knowing is the same as knowing , we have
The last equality is because and are independent. Also, knowing is the same as knowing since and determine for the one-time pad. Therefore,
The last equality is the chain rule. Equating the two expressions, and using the fact that , we obtain . This proves that the one-time pad has perfect secrecy.
The preceding proof yields the following more general result. Let denote the number of possible keys, etc.
Consider a cryptosystem such that
Every key has probability .
For each and there is exactly one such that .
Then this cryptosystem has perfect secrecy.
It is easy to deduce from condition (2) that . Conversely, it can be shown that if and the system has perfect secrecy, then (1) and (2) hold (see [Stinson, Theorem 2.4]).
It is natural to ask how the preceding concepts apply to RSA. The possibly surprising answer is that ; namely, the ciphertext determines the plaintext. The reason is that entropy does not take into account computation time. The fact that it might take billions of years to factor is irrelevant. What counts is that all the information needed to recover the plaintext is contained in the knowledge of , , and .
The more relevant concept for RSA is the computational complexity of breaking the system.