Information theoretic security

From Wikipedia, the free encyclopedia

A cryptosystem is information-theoretically secure if its security derives purely from information theory. That is, it makes no unproven assumptions such as the hardness of mathematical problems such as factoring, and is hence secure even when the adversary has unbounded computing power.

An example of an information-theoretically secure cryptosystem is the one-time pad.

An interesting special case is perfect security: an encryption algorithm is perfectly secure if a ciphertext produced using it provides no information about the plaintext without knowledge of the key. If E is a perfectly secure encryption function, for any fixed message m there must exist for each ciphertext c at least one key such that c = Ek(m).

It is quite possible, and common for a cryptosystem to leak some information, but nevertheless have the property that whatever security properties it achieves hold even when the adversary is computationally unbounded. Such a cryptosystem would have information theoretic but not perfect security. The exact definition of security would depend on the cryptosystem in question.

There are a variety of cryptographic tasks for which information theoretic security or privacy is a meaningful and useful requirement. A few of these are:

  1. Secret sharing schemes such as Shamir's are information theoretically secure (and in fact perfectly secure) in that less than the requisite number of shares of the secret provide no information about the secret.
  2. More generally, secure multiparty computation protocols often, but not always have information theoretic security.
  3. Private information retrieval with multiple databases can be achieved with information theoretic privacy for the user's query.
  4. Reductions between cryptographic primitives or tasks can often be achieved information theoretically. Such reductions are important from a theoretical perspective, because they establish that primitive Π can be realized if primitive Π' can be realized.
  5. Symmetric encryption can be constructed under an information theoretic notion of security called entropic security, which assumes that the adversary knows almost nothing about the message being sent. The goal here is to hide all functions of the plaintext rather than all information about it.

When possible, an algorithm or protocol with information theoretic security has advantages: it does not depend on unproven assumptions about computational hardness, and it is not vulnerable to developments in quantum cryptography.

[edit] See also

[edit] References

  • A. Russell, H. Wang. How to fool an unbounded adversary with a short key. Eurocrypt 2002. (postscript)