
Unconditionally Secure Cryptography

Douglas R. Stinson

David R. Cheriton School of Computer Science


University of Waterloo

CS 858
Spring 2019
Outline

1. Introduction to unconditional security (aka information theoretic security)
2. Encryption schemes and perfect secrecy (Shannon’s theory)
3. Message authentication (Wegman-Carter universal hashing)
4. Secret sharing (Shamir’s scheme)
5. Key predistribution (Blom’s scheme)
What does the term “secure” mean?

• In the August 1977 issue of Scientific American, Martin Gardner wrote a column on the newly developed RSA public-key cryptosystem entitled “A new kind of cipher that would take millions of years to break”. Included in the article was a challenge ciphertext, encrypted using a 129-digit (about 426-bit) RSA modulus, now known as RSA-129.
• The challenge was solved 17 years later, on April 26, 1994, by Arjen Lenstra et al.
• They factored the given public key and decrypted the ciphertext to yield the plaintext, which was “The Magic Words are Squeamish Ossifrage”.
• For this, they claimed a prize of U.S. $100.
What Went Wrong

The statement that the cipher would take millions of years to break probably referred to how long it would take to run the best factoring algorithm known in 1977 on the fastest computer available in 1977. However, between 1977 and 1994:
• computers became much faster
• improved factoring algorithms were found
• the development of the internet facilitated large-scale distributed computations.
Even so, the factorization still required over 5000 MIPS-years of computation time in 1994.
The current state-of-the-art is the factorization of the 232-digit (768-bit) challenge, RSA-768, in December 2009.
A Formal Model for Security

Any discussion of cryptographic security requires a specification of an attack model, computational resources, and an adversarial goal. These terms are defined as follows:

attack model
The attack model specifies the information available to the adversary. In the case of encryption schemes, this information could include ciphertexts, plaintext-ciphertext pairs, temporary access to encryption or decryption oracles, etc. We will always assume that the adversary knows the protocol being used, so that the security of the scheme rests only on the secrecy of the key (this is called Kerckhoffs’ Principle).
A Formal Model (cont.)

computational resources
Here, we specify the computational resources available to the
adversary, such as computing equipment, algorithms, computing
time, etc. In the case of unconditional security (aka
information theoretic security), the adversary is assumed to
have unlimited computational resources.

adversarial goal
The adversarial goal specifies what it means to “break” the
protocol. What is the adversary attempting to do and/or what
problem is he trying to solve? How is the notion of a “successful
attack” defined?
A Formal Model (cont.)

A statement of security for a cryptographic scheme will be an assertion of the following form:
In attack model A and given specified computational resources C, a particular adversarial goal G cannot be achieved with probability exceeding some specified value ε.
As mentioned before, in the setting of unconditional security, there is no limit on the computational resources available to the adversary, so the bound ε must hold against every strategy, not just efficient ones.
What is (Im)Possible in an Unconditionally Secure Setting?

• Secure secret-key encryption schemes exist, but secure public-key encryption schemes do not exist.
• Secure message authentication codes exist.
• Secure signature schemes exist, but not in the public key setting — secret verification keys are required, and these kinds of schemes only work for a fixed number of participants.
• Secure key distribution schemes exist, but secure key agreement is impossible without prior shared secrets.
• Secure commitment schemes exist if there is a trusted initializer.
• Secure secret sharing schemes exist.
Issues and Goals in Unconditional Security

• Typically, unconditionally secure schemes can be used only for a fixed number of times (e.g., the One-time Pad can be used for only one encryption).
• Unconditionally secure schemes often require a trusted authority to set up the scheme.
• The main goal in unconditional security is to balance security against memory requirements (storage) and/or communication complexity (amount of information transmitted).
• In a multiuser setting, security guarantees only hold against coalitions of a prespecified fixed size.
Cryptosystems (encryption schemes)

Definition
A cryptosystem is a five-tuple (P, C, K, E, D), where the
following conditions are satisfied:
1. P is a finite set of possible plaintexts.
2. C is a finite set of possible ciphertexts.
3. K, the keyspace, is a finite set of possible keys.
4. For each K ∈ K, there is an encryption rule eK ∈ E and a
corresponding decryption rule dK ∈ D. Each eK : P → C
and dK : C → P are functions such that dK (eK (x)) = x for
every plaintext element x ∈ P.
Communication Channel

• Alice and Bob have a shared secret key K and Alice computes y = eK(x) to encrypt the plaintext x.
• Bob computes x = dK(y) to decrypt the ciphertext.
• The ciphertext y is observed by the passive adversary Eve.
• However, Eve does not know K.
• Hopefully, Eve cannot figure out what K or x are.

  Alice ──────────── y ────────────→ Bob

  Eve sees y
Perfect Secrecy

• Assume that a cryptosystem (P, C, K, E, D) is specified, and a particular key K ∈ K is used for only one encryption.
• There is a probability distribution on the plaintext space, P.
• Denote the a priori probability that plaintext x occurs by Pr[x = x] (in the formulas below, bold x, K and y denote the random variables and plain x, K and y their values).
• The key K is chosen (using some fixed probability distribution).
• Denote the probability that key K is chosen by Pr[K = K].
• The key and the plaintext are independent random variables.
• The two probability distributions on P and K induce a probability distribution on C.
Perfect Secrecy (cont.)
• We compute the probability Pr[y = y] that y is the ciphertext that is transmitted.
• For a key K ∈ K, define

  C(K) = {eK(x) : x ∈ P}.

  C(K) represents the set of possible ciphertexts if K is the key.
• For every y ∈ C, we have that

  $$\Pr[\mathbf{y} = y] = \sum_{\{K \,:\, y \in C(K)\}} \Pr[\mathbf{K} = K]\,\Pr[\mathbf{x} = d_K(y)].$$

• For any y ∈ C and x ∈ P, we can compute

  $$\Pr[\mathbf{y} = y \mid \mathbf{x} = x] = \sum_{\{K \,:\, x = d_K(y)\}} \Pr[\mathbf{K} = K].$$
Perfect Secrecy (cont.)

• Pr[x = x | y = y] can be computed using Bayes’ theorem:

  $$\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \frac{\Pr[\mathbf{x} = x] \times \Pr[\mathbf{y} = y \mid \mathbf{x} = x]}{\Pr[\mathbf{y} = y]}.$$

• Perfect secrecy means that Pr[x|y] = Pr[x] for all x, y: seeing the ciphertext does not change the a posteriori distribution on the plaintext.
• Perfect secrecy provides unconditional security in a ciphertext-only (known-ciphertext) attack if K is used for only one encryption.
• The attack model is that the adversary Eve is given a ciphertext, y.
• Eve’s goal is to compute information about the plaintext x.
An Example
Let P = {a, b} with

  Pr[a] = 1/4, Pr[b] = 3/4.

Let K = {K1, K2, K3} with

  Pr[K1] = 1/2, Pr[K2] = Pr[K3] = 1/4.

Let C = {1, 2, 3, 4}, and suppose the encryption functions are defined by the following encryption matrix (entry (K, x) is eK(x)):

        x = a   b
  K1        1   2
  K2        2   3
  K3        3   4
An Example (cont.)

We first compute the probability distribution on C. Each Pr[y] sums Pr[K] Pr[x] over the (K, x) pairs with eK(x) = y:

  Pr[1] = 1/2 · 1/4 = 1/8
  Pr[2] = 1/2 · 3/4 + 1/4 · 1/4 = 3/8 + 1/16 = 7/16
  Pr[3] = 1/4 · 3/4 + 1/4 · 1/4 = 3/16 + 1/16 = 1/4
  Pr[4] = 1/4 · 3/4 = 3/16.
An Example (cont.)

Next, we can compute the conditional probability distributions on the ciphertexts, given a plaintext (Pr[y|x] is the total probability of the keys K with eK(x) = y). We have:

  Pr[1|a] = 1/2    Pr[1|b] = 0
  Pr[2|a] = 1/4    Pr[2|b] = 1/2
  Pr[3|a] = 1/4    Pr[3|b] = 1/4
  Pr[4|a] = 0      Pr[4|b] = 1/4.
An Example (cont.)
Finally, we use Bayes’ Theorem to compute the conditional probability distributions on the plaintext, given a ciphertext:

  Pr[a|1] = 1      Pr[b|1] = 0
  Pr[a|2] = 1/7    Pr[b|2] = 6/7
  Pr[a|3] = 1/4    Pr[b|3] = 3/4
  Pr[a|4] = 0      Pr[b|4] = 1.

Recalling that Pr[a] = 1/4 and Pr[b] = 3/4, we see that the perfect secrecy property is satisfied for the ciphertext y = 3, but not for the other three ciphertexts (y = 1 or y = 4 reveals the plaintext outright, and y = 2 shifts the odds on a from 1:3 to 1:6).
One-time Pad
The one-time pad is the best known example of a cryptosystem
that provides perfect secrecy.
Protocol: One-time Pad
Let n ≥ 1 be an integer, and take P = C = K = (Z2 )n . For every
K ∈ (Z2 )n , let Pr[K] = 2−n (i.e., keys are chosen equiprobably)
and for every x ∈ (Z2 )n , define eK (x) to be the vector sum
modulo 2 of K and x (or, equivalently, the exclusive-or of the two
associated bitstrings). So, if x = (x1 , . . . , xn ) and
K = (K1 , . . . , Kn ), then

eK (x) = x ⊕ K = (x1 + K1 , . . . , xn + Kn ) mod 2.

Decryption is identical to encryption. If y = (y1 , . . . , yn ), then

dK (y ) = y ⊕ K = (y1 + K1 , . . . , yn + Kn ) mod 2.
An Example

Suppose n = 2. The encryption matrix for the one-time pad is as follows (entry (K, x) is x ⊕ K):

  K \ x   00   01   10   11
  00      00   01   10   11
  01      01   00   11   10
  10      10   11   00   01
  11      11   10   01   00
Security of the One-time Pad
It is simple to prove that the One-time Pad provides perfect secrecy:
• For every K ∈ (Z2)^n, Pr[K] = 2^{−n}.
• For every x, y ∈ (Z2)^n, the unique key taking x to y is K = x ⊕ y, so

  $$\Pr[y \mid x] = \Pr[\mathbf{K} = x \oplus y] = 2^{-n}.$$

• For every y ∈ (Z2)^n,

  $$\Pr[y] = \sum_{x \in (\mathbb{Z}_2)^n} \bigl(\Pr[x] \times \Pr[y \mid x]\bigr) = \sum_{x \in (\mathbb{Z}_2)^n} \bigl(\Pr[x] \times 2^{-n}\bigr) = 2^{-n}.$$

• Now use Bayes’ Theorem to compute Pr[x|y]:

  $$\Pr[x \mid y] = \frac{\Pr[y \mid x] \times \Pr[x]}{\Pr[y]} = \frac{2^{-n} \times \Pr[x]}{2^{-n}} = \Pr[x].$$
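The Bayes computation of the last few slides is mechanical, so it is worth running it rather than trusting it by hand. The following Python is an added example, not part of Stinson’s slides: it takes a cryptosystem as an encryption matrix plus the two distributions on P and K, computes Pr[x|y] with exact rationals, and lists the ciphertexts on which perfect secrecy fails. It is run on the three-key toy system above (expected: y = 1, 2, 4 leak) and on the 2-bit one-time pad with a deliberately skewed plaintext distribution (expected: nothing leaks). The skewed distributions and the biased-key variant are constructed inputs.

```python
from fractions import Fraction

# Constructed toy cryptosystem from the slides: P = {a, b}, K = {K1, K2, K3}, C = {1, 2, 3, 4}.
TOY_PLAINTEXT = {"a": Fraction(1, 4), "b": Fraction(3, 4)}
TOY_KEYS = {"K1": Fraction(1, 2), "K2": Fraction(1, 4), "K3": Fraction(1, 4)}
TOY_ENC = {("K1", "a"): 1, ("K1", "b"): 2,   # rows of the encryption matrix: (K, x) -> e_K(x)
           ("K2", "a"): 2, ("K2", "b"): 3,
           ("K3", "a"): 3, ("K3", "b"): 4}


def normalize(weights):
    """Integer weights -> exact probability distribution, e.g. {0: 4, 1: 2, 2: 1, 3: 1}."""
    total = sum(weights.values())
    return {k: Fraction(w, total) for k, w in weights.items()}


def posterior(plaintext_dist, key_dist, enc):
    """Return {(x, y): Pr[x | y]} for every ciphertext y that can occur.

    Pr[y]     = sum over (K, x) with e_K(x) = y of Pr[K] Pr[x]   (key and plaintext independent)
    Pr[y | x] = sum over K with e_K(x) = y of Pr[K]
    Pr[x | y] = Pr[x] Pr[y | x] / Pr[y]                           (Bayes)
    Exact rationals are used so the comparison with Pr[x] is exact, not floating-point.
    """
    pr_y = {}
    pr_y_given_x = {}
    for (K, x), y in enc.items():
        pr_y[y] = pr_y.get(y, Fraction(0)) + key_dist[K] * plaintext_dist[x]
        pr_y_given_x[(x, y)] = pr_y_given_x.get((x, y), Fraction(0)) + key_dist[K]
    return {(x, y): plaintext_dist[x] * pr_y_given_x.get((x, y), Fraction(0)) / pr_y[y]
            for x in plaintext_dist for y in pr_y}


def leaking_ciphertexts(plaintext_dist, key_dist, enc):
    """Ciphertexts y with Pr[x | y] != Pr[x] for some x, i.e. those on which perfect secrecy fails.

    An empty list means the system is perfectly secret for this plaintext distribution.
    """
    post = posterior(plaintext_dist, key_dist, enc)
    return sorted({y for (x, y), p in post.items() if p != plaintext_dist[x]})


def one_time_pad(n, plaintext_dist):
    """Equiprobable keys and the XOR encryption table of the n-bit one-time pad.

    Plaintexts and keys are the integers 0 .. 2^n - 1, standing for n-bit strings.
    """
    keys = {K: Fraction(1, 2 ** n) for K in range(2 ** n)}
    enc = {(K, x): K ^ x for K in keys for x in plaintext_dist}
    return keys, enc


if __name__ == "__main__":
    print("toy system leaks on ciphertexts", leaking_ciphertexts(TOY_PLAINTEXT, TOY_KEYS, TOY_ENC))
    skewed = normalize({0: 4, 1: 2, 2: 1, 3: 1})      # constructed, very non-uniform plaintexts
    keys, enc = one_time_pad(2, skewed)
    print("2-bit OTP leaks on ciphertexts", leaking_ciphertexts(skewed, keys, enc))
    biased = normalize({0: 3, 1: 1, 2: 1, 3: 1})      # constructed: key 00 chosen half the time
    print("OTP with biased keys leaks on", leaking_ciphertexts(skewed, biased, enc))
```

The biased-key run is the practitioner’s check on Shannon’s characterization: the XOR table is still a Latin square, yet the moment the key is not uniform the posterior moves away from the prior. Any real one-time pad implementation therefore lives or dies on the quality of its key source, not on the XOR.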
Combinatorial Characterization

The following results are due to Shannon.

Theorem
Suppose (P, C, K, E, D) is a cryptosystem.
1. If (P, C, K, E, D) provides perfect secrecy, then
|K| ≥ |C| ≥ |P|.
2. Suppose that |K| = |C| = |P|. Then (P, C, K, E, D) provides
perfect secrecy if and only if every key is used with equal
probability 1/|K|, and for every x ∈ P and every y ∈ C, there
is a unique key K such that eK (x) = y . (That is, the
encryption matrix is a Latin square.)
A Latin Square

Here is a Latin square of order 5:

1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4
Weakening the Perfect Secrecy Requirement
Some results have been proven about encryption schemes with “short” keys that weaken the perfect secrecy requirement, e.g., in Y. Dodis and A. Smith, “Entropic security and the encryption of high entropy messages”, LNCS 3378 (2005), 556–577.
Theorem
Suppose P = {0, 1}^n has a probability distribution such that Pr[x] ≤ 2^{−t} for all x ∈ P. Let k = n − t + 2 log2(1/ε) + 2 for some positive real number ε, where k ≤ n. Define K = {0, 1}^k. For x ∈ P and K ∈ K, define y = eK(x) = (r, x ⊕ r·K), where r ∈ {0, 1}^n is chosen randomly and the product r·K is computed in F_{2^n}. Let f be any function with domain P. Then, given y, no adversary can predict f(x) with advantage exceeding ε.
“Advantage” refers to the increase in the probability that the adversary can compute f(x) after he is given y.
Note the hypothesis: the key can be shorter than the message only because every message is guaranteed to have min-entropy at least t. A low-entropy message (a single bit, say) gets no such guarantee.
Authentication Codes

Definition
An authentication code is a four-tuple (S, A, K, H), where the
following conditions are satisfied:
1. S is a finite set of possible source states.
2. A is a finite set of possible authentication tags.
3. K, the keyspace, is a finite set of possible keys.
4. H is a finite set of possible authentication rules. For each
K ∈ K, there is an authentication rule hK ∈ H such that
hK : S → A.
The message set is defined to be M = S × A.
A message m = (s, a) is valid under key K if hK (s) = a.
Simmons’ Model for Authentication

In an impersonation attack, the active adversary, Oscar, introduces a message (s, a) into the channel, hoping it is valid:

  Oscar ──────────── (s, a) ────────────→ Bob

In a substitution attack, Oscar observes a message (s, a), and then replaces it with a new message (s′, a′), where s′ ≠ s, hoping (s′, a′) is valid:

  Alice ──── (s, a) ────→ Oscar ──── (s′, a′) ────→ Bob
Deception Probabilities

• Assume there are known probability distributions on S and K.
• Oscar’s optimal strategy for impersonation yields an impersonation probability denoted by Pd0.
• Oscar’s optimal strategy for substitution yields a substitution probability denoted by Pd1.
• It is easy to see that Pd0 ≥ 1/|A| and Pd1 ≥ 1/|A|.
• Oscar can always do at least this well by making a random guess of the tag. (Optimal strategies may be better, however.)
An Example

Suppose S = A = Z3 and K = {K1, . . . , K9}. We list all the authentication rules in an authentication matrix (entry (K, s) is hK(s)), and we suppose that every key is used with probability 1/9.

        s = 0   1   2
  K1        0   0   0
  K2        1   1   1
  K3        2   2   2
  K4        0   1   2
  K5        1   2   0
  K6        2   0   1
  K7        0   2   1
  K8        1   0   2
  K9        2   1   0
An Example (cont.)

• Every tag is valid under three of the nine authentication rules.
• This immediately implies that Pd0 = 3/9 = 1/3.
• Given any valid message (s, a), the number of possible keys is reduced from nine to three.
• However, any other message (s′, a′) (where s′ ≠ s) will be valid under exactly one of these three keys.
• Therefore, Pd1 = 1/3.
Almost Strongly Universal Hashing
Let X and Y be finite sets. A function h : X → Y will be termed a hash function. Let H be a set of hash functions from X to Y. Let ε be a positive real number. H is ε-almost strongly-universal (or ε-ASU) if the following two conditions are satisfied:
1. For every x1 ∈ X and for every y1 ∈ Y,

  $$\bigl|\{h \in \mathcal{H} : h(x_1) = y_1\}\bigr| = \frac{|\mathcal{H}|}{|\mathcal{Y}|}.$$

2. For every x1, x2 ∈ X (x1 ≠ x2) and for every y1, y2 ∈ Y,

  $$\bigl|\{h \in \mathcal{H} : h(x_1) = y_1,\ h(x_2) = y_2\}\bigr| \le \frac{\varepsilon\,|\mathcal{H}|}{|\mathcal{Y}|}.$$

We denote H as an (N; n, m)-ε-ASU hash family, where |H| = N, |X| = n and |Y| = m.
Almost Strongly Universal Hashing (cont.)
Properties 1. and 2. can be rephrased as follows:
1. For every x1 ∈ X and for every y1 ∈ Y,

  $$\Pr[h(x_1) = y_1] = \frac{1}{|\mathcal{Y}|}.$$

2. For every x1, x2 ∈ X (x1 ≠ x2) and for every y1, y2 ∈ Y,

  $$\Pr[h(x_1) = y_1 \wedge h(x_2) = y_2] \le \frac{\varepsilon}{|\mathcal{Y}|}.$$

Observe that 1. and 2. imply the following:

3. For every x1, x2 ∈ X (x1 ≠ x2) and for every y1, y2 ∈ Y,

  $$\Pr[h(x_2) = y_2 \mid h(x_1) = y_1] \le \varepsilon.$$

All probabilities are computed over a random choice of h ∈ H.


Universal Hashing and Authentication Codes

Theorem
If there exists an (N; n, m)-ε-ASU family H of hash functions from X to Y, then there exists an authentication code for n source states, having m authentication tags and N authentication rules (and keys), such that Pd0 = 1/m and Pd1 ≤ ε.

Source states correspond to elements of X, authentication tags correspond to elements of Y and authentication rules correspond to the hash functions in H; the key is chosen uniformly from H.
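The two deception probabilities and the ε of the ASU definition can all be obtained by exhaustive counting over the authentication matrix, which is how one checks a small code before trusting a bound. The Python below is an added example and not part of the slides. It assumes equiprobable keys (as the theorem does) and, for Pd1, equiprobable source states; both are assumptions of this example, not of Simmons’ general model. It is run on the nine-key example above, where all three numbers come out to 1/3, and on a constructed two-key family in which the tag of one source state fixes the tag of the other, so substitution always succeeds.

```python
from fractions import Fraction
from itertools import product

# Authentication matrix from the slides' example (constructed here): S = A = Z_3, nine keys,
# each used with probability 1/9. Row K lists the tags (h_K(0), h_K(1), h_K(2)).
EXAMPLE_RULES = [
    (0, 0, 0), (1, 1, 1), (2, 2, 2),
    (0, 1, 2), (1, 2, 0), (2, 0, 1),
    (0, 2, 1), (1, 0, 2), (2, 1, 0),
]
TAGS = (0, 1, 2)


def impersonation_probability(rules, tags):
    """Pd0 with equiprobable keys: Oscar injects the (s, a) accepted by the most keys."""
    n_states = len(rules[0])
    best = max(sum(1 for row in rules if row[s] == a) for s, a in product(range(n_states), tags))
    return Fraction(best, len(rules))


def substitution_probability(rules, tags):
    """Pd1 with equiprobable keys and (assumed) equiprobable source states.

    Oscar sees a valid (s, a); only keys with h_K(s) = a remain possible, and he sends the (s', a'),
    s' != s, accepted by the most of those keys. Pr[(s, a) is sent] = (1/|S|) * (#accepting) / |K|,
    so each observation contributes (1/|S|) * (#accepting)/|K| * best/(#accepting) = best / (|S| |K|).
    """
    n_states = len(rules[0])
    if n_states < 2:                      # no s' != s exists, so no substitution is possible
        return Fraction(0)
    total = Fraction(0)
    for s, a in product(range(n_states), tags):
        consistent = [row for row in rules if row[s] == a]
        if not consistent:
            continue
        best = max(sum(1 for row in consistent if row[s2] == a2)
                   for s2, a2 in product(range(n_states), tags) if s2 != s)
        total += Fraction(best, n_states * len(rules))
    return total


def asu_epsilon(rules, tags):
    """Smallest epsilon for which the rows form an epsilon-ASU family, or None if condition 1 fails.

    Condition 1: every (x1, y1) is hit by exactly |H|/|Y| rules.
    Condition 2: every (x1, y1, x2, y2), x1 != x2, is hit by at most epsilon |H|/|Y| rules.
    """
    n_keys, n_states, m = len(rules), len(rules[0]), len(tags)
    for x1, y1 in product(range(n_states), tags):
        if sum(1 for row in rules if row[x1] == y1) * m != n_keys:
            return None
    worst = 0
    for x1, x2 in product(range(n_states), repeat=2):
        if x1 != x2:
            for y1, y2 in product(tags, repeat=2):
                worst = max(worst, sum(1 for row in rules if row[x1] == y1 and row[x2] == y2))
    return Fraction(worst * m, n_keys)


if __name__ == "__main__":
    print("Pd0 =", impersonation_probability(EXAMPLE_RULES, TAGS))
    print("Pd1 =", substitution_probability(EXAMPLE_RULES, TAGS))
    print("epsilon =", asu_epsilon(EXAMPLE_RULES, TAGS), "(equals 1/m, so the family is SU)")
    weak = [(0, 0), (1, 1)]               # constructed: h_K(1) is determined by h_K(0)
    print("weak family: Pd1 =", substitution_probability(weak, (0, 1)), "epsilon =", asu_epsilon(weak, (0, 1)))
```

The counting is exponential in nothing worse than |S|·|A|·|K|, so it is fine for checking toy families and for unit-testing a hand-built matrix; for real Wegman-Carter families one relies on the algebraic proof of the ε bound instead.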
Strongly Universal Hashing

• In any (N; n, m)-ε-ASU hash family, ε ≥ 1/m.
• The hash family is strongly-universal (or SU) if ε = 1/m.
• The previous example was a (9; 3, 3)-SU hash family.
• Strongly universal hash families are equivalent to combinatorial structures known as orthogonal arrays.
• An (N; n, m)-SU hash family is equivalent to an OAλ(n, m), where λ = N/m².
• A classical bound for orthogonal arrays states that λ ≥ (n(m − 1) + 1)/m².
• In the corresponding authentication code, N ≥ n(m − 1) + 1 ≈ nm, so log2 |K| ≳ log2 |S| + log2 |A|.
Wegman-Carter Universal Hashing

• The previous result says that the key is very long if we use a
strongly universal hash family for authentication.
• In fact, an identical bound holds for any authentication code
that attains the optimal (i.e., minimum) values of Pd0 and
Pd1 .
• Wegman and Carter gave a construction that showed that
the key length could be reduced dramatically if Pd1 is a bit
bigger than the optimal value.
• Here we describe a general framework to construct efficient
Wegman-Carter type authentication codes based on certain
types of universal hash families.
Universal Hashing

For a hash function h, and for x1, x2 ∈ X, x1 ≠ x2, define δh(x1, x2) = 1 if h(x1) = h(x2), and δh(x1, x2) = 0 otherwise.
For a finite set H of hash functions, define

  $$\delta_{\mathcal{H}}(x_1, x_2) = \sum_{h \in \mathcal{H}} \delta_h(x_1, x_2).$$

Let ε be a positive real number. H is ε-almost universal (or ε-AU) if

  δH(x1, x2) ≤ ε|H|

for all x1, x2 ∈ X, x1 ≠ x2.
Equivalently, H is ε-AU if Pr[h(x1) = h(x2)] ≤ ε, where the probability is computed over a random choice of h ∈ H.
Composition Construction

Theorem
Suppose H1 is an ε1-AU class of hash functions from X1 to Y1, and suppose H2 is an ε2-ASU class of hash functions from Y1 to Y2. Then there exists an ε-ASU class H of hash functions from X1 to Y2, where ε = ε1 + ε2 and |H| = |H1| × |H2|.
Construction. For every h1 ∈ H1 and every h2 ∈ H2 define a hash function h1 ∘ h2 as follows:

  (h1 ∘ h2)(x) = h2(h1(x))

for all x ∈ X1.
Composition Construction (cont.)
Proof. Property 1. is easy to verify. We prove property 2. when y1 = y2 (this is the case that yields the highest probability).
Let x1, x2 ∈ X1 with x1 ≠ x2. We distinguish two cases:
case 1 h1(x1) = h1(x2) occurs with probability at most ε1 (since H1 is ε1-AU). Then, by property 1. of H2,

  $$\Pr[h(x_1) = h(x_2) = y_1 \mid h_1(x_1) = h_1(x_2)] = \frac{1}{|\mathcal{Y}_2|}.$$

case 2 h1(x1) ≠ h1(x2) occurs with probability ≤ 1. Then, by property 2. of H2 applied to the distinct inputs h1(x1), h1(x2),

  $$\Pr[h(x_1) = y_1 \wedge h(x_2) = y_2 \mid h_1(x_1) \ne h_1(x_2)] \le \frac{\varepsilon_2}{|\mathcal{Y}_2|}.$$

Combining the two cases and simplifying, we get

  $$\Pr[h(x_1) = y_1 \wedge h(x_2) = y_2] \le \varepsilon_1 \times \frac{1}{|\mathcal{Y}_2|} + 1 \times \frac{\varepsilon_2}{|\mathcal{Y}_2|} = \frac{\varepsilon_1 + \varepsilon_2}{|\mathcal{Y}_2|}.$$
Examples

• Recall that, in an authentication code derived from a strongly universal hash family (i.e., ε = 1/m), the best we can hope for is

  log2 |K| ≈ log2 |S| + log2 |A|.

• It is possible to construct 2/m-ASU hash families using the composition construction that have drastically fewer keys.
• Using Reed-Solomon codes as ε-AU hash families, Bierbrauer et al (1993) showed that

  log2 |K| ≈ 3 log2 |A| + 2(log2 log2 |S| − log2 log2 |A|).
Wyner’s Wiretap Channel
• The wire-tap channel was introduced in A.D. Wyner, “The wire-tap channel”, The Bell System Technical Journal 54 (1975), 1355–1387.
• Alice uses a non-secret encoding method to encode a one bit message b as x = x1 . . . xn to send to Bob.
• Suppose there is a reliable channel connecting Alice and Bob, but Eve (the eavesdropper) sees a corrupted version z of x.
• For example, suppose that Eve’s wiretap channel is a binary symmetric channel with error probability p < 1/2.
• That is, Pr[zi = xi] = 1 − p and Pr[zi ≠ xi] = p.

  Alice ──────────── x1 . . . xn ────────────→ Bob

  Eve sees z1 . . . zn
Wyner’s Wiretap Channel (cont.)

• To encode b = 0, Alice chooses a random n-tuple having even weight, and to encode b = 1, Alice chooses a random n-tuple having odd weight.
• Eve obtains the correct value of b if and only if there is an even number of errors, which happens with probability

  $$\frac{1}{2} + \frac{1}{2}(1 - 2p)^n.$$

• This quantity approaches 1/2 exponentially quickly, which means that determining b from z is basically a random guess for Eve.
Privacy Amplification

• We describe a variation of the wire-tap channel from C.H. Bennett, G. Brassard, C. Crépeau and U.M. Maurer, “Generalized privacy amplification”, IEEE Transactions on Information Theory 41 (1995), 1915–1923.
• Alice transmits a message x to Bob and Eve sees z = e(x), where e : X → Z is Eve’s chosen eavesdropping function.
• Alice and Bob each compute K = f(x), where f is a public function chosen randomly from an ε-AU class of hash functions from X to Y, where |X| = N and |Y| = M.
Privacy Amplification (cont.)

  Alice ──────────── x, f ────────────→ Bob

  Eve sees z = e(x) and f

• Eve’s average information about K, given f and z, is

  I(K|f, z) = h(K) − h(K|f, z),

  where h denotes Shannon entropy; this is the reduction in Eve’s uncertainty about K caused by seeing f and z.
• This quantity is also called mutual information in information theory (usually written I(K; f, z)); it is zero exactly when K is independent of what Eve sees.
• It can be proven that

  I(K|f, z) ≤ log2 M − log2 N + log2(|Z| + N).


Secret Sharing

• Various types of shared control schemes depend on a cryptographic primitive called a (t, n)-threshold scheme.
• Let t and n be positive integers, where t ≤ n.
• There is a trusted authority, denoted TA, and n users, denoted U1, . . . , Un.
• The TA has a secret value K ∈ K, called a secret or a key, where K is a specified finite set.
Secret Sharing

• The TA uses a share generation algorithm to split K into n shares, denoted s1, . . . , sn.
• Each share si ∈ S, where S is a specified finite set.
• For every i, 1 ≤ i ≤ n, the share si is transmitted by the TA to user Ui using a secure channel.
• The following two properties should hold:
1. a reconstruction algorithm can be used to reconstruct the secret, given any t of the n shares,
2. no t − 1 shares reveal any information as to the value of the secret.
An (n, n)-Threshold Scheme

• Suppose K ∈ Zm is the secret.
• Let s1, . . . , sn−1 be chosen independently and uniformly at random from Zm.
• Let

  $$s_n = K - \sum_{i=1}^{n-1} s_i \bmod m.$$

• s1, . . . , sn are shares of an (n, n)-threshold scheme:
1. K = ∑ si mod m, and
2. given all the shares except sj, K could take on any value, depending on the value of the share sj (each of the m possible values of sj is equally likely, so any n − 1 shares are independent of K).
Shamir Threshold Scheme

• In 1979, Shamir showed how to construct a (t, n)-threshold scheme based on polynomial interpolation over Zp, where p is prime.
• Let p ≥ n + 1 be a prime.
• Let K = S = Zp.
• In an initialization phase, x1, x2, . . . , xn are defined to be n distinct non-zero elements of Zp.
• The TA gives xi to Ui, for all i, 1 ≤ i ≤ n.
• The xi’s are public information.
Share Generation

Protocol: Shamir scheme share generation

Input: A secret K ∈ Zp.
1. The TA chooses a1, . . . , at−1 independently and uniformly at random from Zp.
2. The TA defines

  $$a(x) = K + \sum_{j=1}^{t-1} a_j x^j$$

  (note that a(x) ∈ Zp[x] is a random polynomial of degree at most t − 1, such that the constant term is the secret, K).
3. For 1 ≤ i ≤ n, the TA constructs the share si = a(xi) and gives it to Ui using a secure channel.
Reconstruction

• Suppose users Ui1, . . . , Uit want to determine K.
• They know that sij = a(xij), 1 ≤ j ≤ t.
• Since a(x) is a polynomial of degree at most t − 1, they can determine a(x) by Lagrange interpolation; then K = a(0).
• The Lagrange interpolation formula is as follows:

  $$a(x) = \sum_{j=1}^{t} s_{i_j} \prod_{1 \le k \le t,\, k \ne j} \frac{x - x_{i_k}}{x_{i_j} - x_{i_k}}.$$

• Set x = 0; then

  $$K = \sum_{j=1}^{t} s_{i_j} \prod_{1 \le k \le t,\, k \ne j} \frac{-x_{i_k}}{x_{i_j} - x_{i_k}} = \sum_{j=1}^{t} s_{i_j} \prod_{1 \le k \le t,\, k \ne j} \frac{x_{i_k}}{x_{i_k} - x_{i_j}}.$$
Reconstruction (cont.)

Protocol: Shamir scheme secret reconstruction

Input: xi1, . . . , xit, si1, . . . , sit
1. For 1 ≤ j ≤ t, define

  $$b_j = \prod_{1 \le k \le t,\, k \ne j} \frac{x_{i_k}}{x_{i_k} - x_{i_j}}.$$

  Note: the bj’s do not depend on the shares, so they can be precomputed (for a given subset of t users).
2. Compute

  $$K = \sum_{j=1}^{t} b_j s_{i_j}.$$
Example

• Suppose that p = 17, t = 3, and n = 5; and the public x-co-ordinates are xi = i, 1 ≤ i ≤ 5.
• Suppose that the participants in G = {U1, U3, U5} wish to compute K, given their shares 8, 10 and 11, respectively.
• The following computations are performed (all arithmetic mod 17):

  b1 = x3 x5 / ((x3 − x1)(x5 − x1)) = 3 × 5 × (−2)^{−1} × (−4)^{−1} = 15 × 8^{−1} = 15 × 15 = 4,
  b2 = x1 x5 / ((x1 − x3)(x5 − x3)) = 1 × 5 × (−2)^{−1} × 2^{−1} = 5 × (−4)^{−1} = 5 × 4 = 3, and
  b3 = x1 x3 / ((x1 − x5)(x3 − x5)) = 1 × 3 × (−4)^{−1} × (−2)^{−1} = 3 × 8^{−1} = 3 × 15 = 11,
  K = 4 × 8 + 3 × 10 + 11 × 11 = 183 = 13.
Security of the Shamir Scheme

• Suppose users Ui1, . . . , Uit−1 want to determine K.
• They know that sij = a(xij), 1 ≤ j ≤ t − 1.
• Let K′ be arbitrary.
• By Lagrange interpolation, there is a unique polynomial a′(x) of degree at most t − 1 such that sij = a′(xij) for 1 ≤ j ≤ t − 1 and such that K′ = a′(0) (these are t points with distinct x-coordinates, since the xi are distinct and non-zero).
• Hence no value of K can be ruled out, given the shares held by t − 1 users.
Security of the Shamir Scheme (cont.)

• With a bit more work, we can show that the Shamir scheme satisfies a property analogous to perfect secrecy.
• We assume an arbitrary but fixed a priori probability distribution on K.
• Given any set of τ ≤ t − 1 shares, say sij, j = 1, . . . , τ, and given any K′ ∈ K, it is possible to show that

  Pr[K′ | si1, . . . , siτ] = Pr[K′].
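The share generation, the precomputed bj reconstruction, and the security argument of the preceding slides fit in a few dozen lines, and seeing the security argument executed is more convincing than reading it. The Python below is an added example, not code from the slides. It reproduces the p = 17, t = 3, n = 5 example (b1, b2, b3 = 4, 3, 11 and K = 13) and then does what the security slide describes: given only the two shares held by U1 and U3 and an arbitrary candidate K′, it interpolates the polynomial a′ through those shares and (0, K′) and evaluates it at every public xi, producing a complete, internally consistent sharing of K′. The randomness source (`secrets.randbelow`) and the candidate K′ = 5 are this example’s choices.

```python
import secrets

# Parameters of the slides' example (constructed here): p = 17, t = 3, n = 5, public x_i = i.
P, T, N = 17, 3, 5
PUBLIC_XS = list(range(1, N + 1))


def eval_poly(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... + coeffs[d] x^d mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret, t, xs, p, rng=secrets.randbelow):
    """TA share generation: a(x) = K + a_1 x + ... + a_{t-1} x^{t-1}, a_j uniform; share i is a(x_i)."""
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("x-coordinates must be distinct and non-zero")
    coeffs = [secret % p] + [rng(p) for _ in range(t - 1)]
    return {x: eval_poly(coeffs, x, p) for x in xs}


def lagrange_at_zero(xs, p):
    """b_j = prod_{k != j} x_k / (x_k - x_j) mod p; depends only on which users take part."""
    bs = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for k, xk in enumerate(xs):
            if k != j:
                num = num * xk % p
                den = den * (xk - xj) % p
        bs.append(num * pow(den, -1, p) % p)   # pow(den, -1, p) raises if two x's coincide
    return bs


def reconstruct(shares, p):
    """K = sum_j b_j s_{i_j} mod p from any t shares given as {x_i: s_i}."""
    xs = list(shares)
    return sum(b * shares[x] for b, x in zip(lagrange_at_zero(xs, p), xs)) % p


def extend_shares(partial_shares, candidate_secret, xs, p):
    """The security argument made concrete: t-1 shares are consistent with ANY secret K'.

    The t-1 known points plus (0, K') fix a unique polynomial a'(x) of degree <= t-1; evaluating
    it at all public x_i yields a full sharing of K' that agrees with every share the t-1 users hold.
    """
    points = dict(partial_shares)
    points[0] = candidate_secret % p
    pts = list(points.items())

    def interp(x):                          # Lagrange interpolation through pts, evaluated at x
        total = 0
        for j, (xj, yj) in enumerate(pts):
            num, den = 1, 1
            for k, (xk, _) in enumerate(pts):
                if k != j:
                    num = num * (x - xk) % p
                    den = den * (xj - xk) % p
            total = (total + yj * num * pow(den, -1, p)) % p
        return total

    return {x: interp(x) for x in xs}


if __name__ == "__main__":
    print("b_j for users 1, 3, 5:", lagrange_at_zero([1, 3, 5], P))          # [4, 3, 11]
    print("K from shares 8, 10, 11:", reconstruct({1: 8, 3: 10, 5: 11}, P))  # 13
    fresh = make_shares(13, T, PUBLIC_XS, P)
    print("fresh sharing of 13 reconstructed from users 2, 4, 5:", reconstruct({x: fresh[x] for x in (2, 4, 5)}, P))
    print("a world where users 1 and 3 hold the same shares but K = 5:", extend_shares({1: 8, 3: 10}, 5, PUBLIC_XS, P))
```

Two practical points the slides leave implicit: the coefficients aj must come from a cryptographic random source (a predictable aj collapses the threshold), and the public xi must be distinct and non-zero, since x = 0 would hand out the secret itself and a repeated xi makes the denominator in bj vanish.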
Key Predistribution

• Key predistribution refers to a protocol where a trusted authority (TA) distributes secret information to a set U of n users in a network.
• Each user U ∈ U receives secret information from the TA via
a secure channel.
• For certain prespecified subsets P ⊆ U, each user in P can
compute a key kP from the secret information he or she
holds (no interaction is required).
• The key kP should be secure against certain prespecified
coalitions F where F ∩ P = ∅.
Key Predistribution
Protocol: Blom’s key distribution scheme
1. For 0 ≤ i, j ≤ k, the TA chooses random elements ai,j ∈ Zp, such that ai,j = aj,i for all i, j (where k is the security parameter). Then the TA forms the symmetric polynomial

  $$f(x, y) = \sum_{i=0}^{k} \sum_{j=0}^{k} a_{i,j}\, x^i y^j \bmod p.$$

2. For each user U, the TA computes the polynomial

  $$g_U(x) = f(x, r_U) \bmod p = \sum_{i=0}^{k} a_{U,i}\, x^i$$

  and transmits the coefficient vector (aU,0, . . . , aU,k) to U over a secure channel. (Every user U has a different public value rU ∈ Zp.)
3. For any two users U and V, the key KU,V = f(rU, rV). U computes it as gU(rV) and V as gV(rU); the two values agree because f is symmetric.
A Toy Example (k = 1)

• Suppose p = 17.
• Suppose there are three users: U, V and W , and their public
values are rU = 12, rV = 7 and rW = 1.
• Suppose the TA chooses the polynomial

f (x, y ) = 8 + 7(x + y ) + 2xy .

• The g polynomials (reduced mod 17) are as follows:

  gU(x) = 7 + 14x
  gV(x) = 6 + 4x
  gW(x) = 15 + 9x
A Toy Example (cont.)

• The three keys are

  KU,V = 3
  KU,W = 4
  KV,W = 10

• U would compute KU,V as

  gU(rV) = 7 + 14 × 7 mod 17 = 3

• V would compute KU,V as

  gV(rU) = 6 + 4 × 12 mod 17 = 3
Security of the Blom Scheme

The Blom scheme satisfies the following security properties:

1. No set of k users, say W1, . . . , Wk, can determine any information about a key for two other users, say KU,V.
2. Any set of k + 1 users, say W1, . . . , Wk+1, can break the scheme.
Security of the Blom Scheme (cont.)
• A set of users W1, . . . , Wℓ (collectively) know the polynomials gWi(x) = f(x, rWi) mod p, 1 ≤ i ≤ ℓ.
• We use a bivariate Lagrange interpolation formula to prove 2.
• Suppose p is prime; y1, y2, . . . , ym+1 ∈ Zp are distinct; and suppose that a1(x), a2(x), . . . , am+1(x) ∈ Zp[x] are polynomials of degree at most m.
• There is a unique polynomial A(x, y) ∈ Zp[x, y] having degree at most m (in x and y) such that A(x, yi) = ai(x), 1 ≤ i ≤ m + 1.
• The polynomial A(x, y) is defined as follows:

  $$A(x, y) = \sum_{j=1}^{m+1} a_j(x) \prod_{1 \le h \le m+1,\, h \ne j} \frac{y - y_h}{y_j - y_h}.$$
Example of Bivariate Interpolation
Suppose that p = 13, m = 2, y1 = 1, y2 = 2, y3 = 3, a1(x) = 1 + x + x², a2(x) = 7 + 4x² and a3(x) = 2 + 9x. Then the three Lagrange basis polynomials in y are (mod 13):

  (y − 2)(y − 3) / ((1 − 2)(1 − 3)) = 7y² + 4y + 3
  (y − 1)(y − 3) / ((2 − 1)(2 − 3)) = 12y² + 4y + 10
  (y − 1)(y − 2) / ((3 − 1)(3 − 2)) = 7y² + 5y + 1

and

  A(x, y) = (1 + x + x²)(7y² + 4y + 3) + (7 + 4x²)(12y² + 4y + 10) + (2 + 9x)(7y² + 5y + 1) mod 13
          = y² + 3y + 10 + 5xy² + 10xy + 12x + 3x²y² + 7x²y + 4x².
Insecurity wrt k + 1 Colluders

• A set of bad users W1, . . . , Wk+1 (collectively) know the polynomials gWi(x) = f(x, rWi) mod p, 1 ≤ i ≤ k + 1.
• Using the bivariate interpolation formula (with m = k, yi = rWi and ai(x) = gWi(x)), they can compute f(x, y).
• Then they can compute any key.
Security wrt k Colluders

• A set of bad users W1, . . . , Wk (collectively) know the polynomials gWi(x) = f(x, rWi) mod p, 1 ≤ i ≤ k.
• We show that this information is consistent with any possible value of the key.
• Let K be the real (unknown) key KU,V, and let K′ ≠ K.
• Define a polynomial f′(x, y) as follows:

  $$f'(x, y) = f(x, y) + (K' - K) \prod_{1 \le i \le k} \frac{(x - r_{W_i})(y - r_{W_i})}{(r_U - r_{W_i})(r_V - r_{W_i})}.$$

Security wrt k Colluders (cont.)

• f′ is a symmetric polynomial (i.e., f′(x, y) = f′(y, x)) of degree at most k in each variable, so it is a polynomial the TA could have chosen.
• For 1 ≤ i ≤ k, it holds that

  f′(x, rWi) = f(x, rWi) = gWi(x),

  since the product vanishes at y = rWi.
• Further,

  f′(rU, rV) = f(rU, rV) + K′ − K = K′,

  since every factor of the product equals 1 at (x, y) = (rU, rV).
• We have shown that, for any possible value of the key, say K′, there is a symmetric polynomial f′ such that the key KU,V = K′ and such that the secret information held by the k bad users is unchanged.
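The toy example and the k + 1 colluder attack are both small enough to run end to end. The Python below is an added example and not code from the slides: it implements the TA setup (a random symmetric coefficient matrix), the per-user polynomial gU, non-interactive key computation, and `recover_f`, which is the bivariate Lagrange interpolation from the insecurity slide. On the toy parameters (p = 17, k = 1, rU = 12, rV = 7, rW = 1, f = 8 + 7x + 7y + 2xy) it reproduces gU, gV, gW and the keys 3, 4, 10; then U and W collude, recover f exactly, and compute the key between V and a hypothetical fourth user with public value 5 (a value chosen for this example). The randomness source `secrets.randbelow` is also this example’s choice.

```python
import secrets

# Toy parameters from the slides (constructed here): p = 17, k = 1, public r_U = 12, r_V = 7, r_W = 1,
# and f(x, y) = 8 + 7x + 7y + 2xy stored as the symmetric matrix a[i][j] of x^i y^j coefficients.
P = 17
PUBLIC_R = {"U": 12, "V": 7, "W": 1}
TOY_F = [[8, 7], [7, 2]]


def random_symmetric_matrix(k, p, rng=secrets.randbelow):
    """TA setup: symmetric (k+1) x (k+1) coefficient matrix, a_{i,j} = a_{j,i}, entries uniform in Z_p."""
    a = [[0] * (k + 1) for _ in range(k + 1)]
    for i in range(k + 1):
        for j in range(i, k + 1):
            a[i][j] = a[j][i] = rng(p)
    return a


def eval_bivariate(a, x, y, p):
    """f(x, y) = sum_{i,j} a[i][j] x^i y^j mod p."""
    return sum(a[i][j] * pow(x, i, p) * pow(y, j, p)
               for i in range(len(a)) for j in range(len(a))) % p


def user_polynomial(a, r_user, p):
    """g_U(x) = f(x, r_U) as the coefficient vector (a_{U,0}, ..., a_{U,k}) the TA sends to U."""
    k = len(a) - 1
    return [sum(a[i][j] * pow(r_user, j, p) for j in range(k + 1)) % p for i in range(k + 1)]


def shared_key(g_mine, r_other, p):
    """K_{U,V} = g_U(r_V); by symmetry of f, V's g_V(r_U) gives the same value with no interaction."""
    return sum(c * pow(r_other, i, p) for i, c in enumerate(g_mine)) % p


def poly_mul(u, v, p):
    """Product of two coefficient lists mod p."""
    out = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[i + j] = (out[i + j] + ui * vj) % p
    return out


def recover_f(user_polys, k, p):
    """Attack by k+1 colluders: bivariate Lagrange interpolation of f from their g_W's.

    user_polys maps each colluder's public r_W to its coefficient vector g_W. With k+1 distinct r's,
    A(x, y) = sum_j g_{W_j}(x) prod_{h != j} (y - r_{W_h}) / (r_{W_j} - r_{W_h}) has degree <= k in y
    and agrees with f at k+1 values of y, hence equals f. Every key is then computable.
    """
    rs = list(user_polys)
    if len(rs) < k + 1 or len(set(rs)) != len(rs):
        raise ValueError("need k+1 colluders with distinct public values")
    rs = rs[:k + 1]
    a = [[0] * (k + 1) for _ in range(k + 1)]
    for j, rj in enumerate(rs):
        basis, den = [1], 1          # Lagrange basis polynomial in y and its scalar denominator
        for h, rh in enumerate(rs):
            if h != j:
                basis = poly_mul(basis, [(-rh) % p, 1], p)
                den = den * (rj - rh) % p
        scale = pow(den, -1, p)
        for i, gi in enumerate(user_polys[rj]):
            for jj, b in enumerate(basis):
                a[i][jj] = (a[i][jj] + gi * b * scale) % p
    return a


if __name__ == "__main__":
    g = {name: user_polynomial(TOY_F, r, P) for name, r in PUBLIC_R.items()}
    print("g_U, g_V, g_W:", g)                                                   # [7,14], [6,4], [15,9]
    print("K_UV from U:", shared_key(g["U"], PUBLIC_R["V"], P),
          "from V:", shared_key(g["V"], PUBLIC_R["U"], P))                      # 3 and 3
    stolen = recover_f({PUBLIC_R["U"]: g["U"], PUBLIC_R["W"]: g["W"]}, 1, P)     # U and W collude
    print("recovered f:", stolen, "-> key between V and a user with r = 5:",
          eval_bivariate(stolen, PUBLIC_R["V"], 5, P))                          # [[8,7],[7,2]] -> 9
```

The attack needs nothing beyond the colluders’ own legitimate material, which is the operational lesson of Blom’s scheme: k is a hard cap on tolerable compromise, and the per-user storage of k + 1 field elements is the price paid for it. Any deployment must pick k against the realistic number of captured devices, not the number of honest ones.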
Closing Remarks
• There is a rich body of work on unconditionally secure
cryptography.
• Unconditionally secure schemes tend to have simple
constructions and they are very efficient.
• Ultimately, any security proof in the unconditionally secure
setting is a proof about certain probability distributions.
• Some goals cannot be accommodated in the unconditionally
secure setting (e.g., public-key encryption schemes).
• Some goals can be achieved only by assuming some
limitations on the usage or functionality of the scheme
and/or the number of adversaries who are conspiring to
break the scheme.
• Nevertheless, unconditionally secure schemes are very useful
in a wide variety of contexts, including conventional
(computationally secure) cryptography.
