Information theoretic security

Information theoretic security

A cryptosystem is information-theoretically secure if its security derives purely from information theory. That is, it is secure even when the adversary has unbounded computing power. An example of an information-theoretically secure cryptosystem is the one-time pad.

An interesting special case is perfect security: an encryption algorithm is perfectly secure if a ciphertext produced using it provides no information about the plaintext without knowledge of the key. If "E" is a perfectly secure encryption function, for any fixed message "m" there must exist for each ciphertext "c" at least one key such that c=E_{k}(m).

It is quite possible, and common for a cryptosystem to leak some information, but nevertheless have the property that whatever security properties it achieves hold even when the adversary is computationally unbounded. Such a cryptosystem would have information theoretic but not perfect security. The exact definition of security would depend on the cryptosystem in question.

There are a variety of cryptographic tasks for which information theoretic security or privacy is a meaningful and useful requirement. A few of these are:
# Secret sharing schemes such as Shamir's are information theoretically secure (and in fact perfectly secure) in that less than the requisite number of shares of the secret provide no information about the secret.
# More generally, secure multiparty computation protocols often, but not always have information theoretic security.
# Private information retrieval with multiple databases can be achieved with information theoretic privacy for the user's query.
# Reductions between cryptographic primitives or tasks can often be achieved information theoretically. Such reductions are important from a theoretical perspective, because they establish that primitive Pi can be realized if primitive Pi' can be realized.
# Symmetric encryption can be constructed under an information theoretic notion of security called entropic security, which assumes that the adversary knows almost nothing about the message being sent. The goal here is to hide "all functions" of the plaintext rather than all information about it.

When possible, an algorithm or protocol with information theoretic security has advantages: it does not depend on unproven assumptions about computational hardness, and it is not vulnerable to developments in quantum cryptography.

Unconditional security

Information-theoretic security is often used interchangable with unconditional security. However the latter term can also refer to systems that don't rely on unproven computational hardness assumptions. Today these systems are essentially the same as those that are information-theoretical secure. However it does not always have to be that way. One day RSA might be proved secure, thus becoming unconditional secure, but it will never be information-theoretical secure.

ee also

* Leftover hash-lemma (Privacy amplification)
* Semantic security


* A. Russell, H. Wang. "How to fool an unbounded adversary with a short key." Eurocrypt 2002. ( [ postscript] )

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Information theory — Not to be confused with Information science. Information theory is a branch of applied mathematics and electrical engineering involving the quantification of information. Information theory was developed by Claude E. Shannon to find fundamental… …   Wikipedia

  • Private information retrieval — In cryptography, a private information retrieval (PIR) protocol allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving. PIR is a weaker version of 1 out of n oblivious transfer,… …   Wikipedia

  • List of information theory topics — This is a list of information theory topics, by Wikipedia page.*A Mathematical Theory of Communication *algorithmic information theory *arithmetic encoding *channel capacity *Communication Theory of Secrecy Systems *conditional entropy… …   Wikipedia

  • Extreme physical information — (EPI) is a principle, first described and formulated in 1998 Frieden, B. Roy Physics from Fisher Information: A Unification , 1st Ed. Cambridge University Press, ISBN 0 521 63167 X, pp328, 1998 ( [ref name= Frieden6 ] shows 2nd Ed.)] by B. Roy… …   Wikipedia

  • One-time pad — Excerpt from a one time pad In cryptography, the one time pad (OTP) is a type of encryption, which has been proven to be impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit …   Wikipedia

  • Computational hardness assumption — In cryptography, a major goal is to create cryptographic primitives with provable security. In some cases cryptographic protocols are found to have information theoretic security, the one time pad is a common example. In many cases, information… …   Wikipedia

  • Reihaneh Safavi-Naini — Reihaneh (Rei) Safavi Naini (PerB|ريحانه صفوی نائينی ) is the [ iCORE] Chair in Information Security at the University of Calgary, Canada. Before joining University of Calgary in 2007, she was a Professor of Computer Science,… …   Wikipedia

  • Secret sharing — refers to any method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their …   Wikipedia

  • List of cryptology conferences — This is a list of conferences and workshops in the area of cryptology. The most important events in thisarea are organized by or somehow affiliated with the IACR. =IACR conferences = IACR sponsors the following three conferences: * CRYPTO (an… …   Wikipedia

  • Shamir's Secret Sharing — is an algorithm in cryptography. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.Counting on… …   Wikipedia