Normalized Unconditional e-Security of Private-Key Encryption

In this paper we introduce two normalized versions of non-perfect security for private-key encryption: one version in the framework of Shannon entropy, another version in the framework of Kolmogorov complexity. We prove the lower bound on either key entropy or key size for these models and study the relations between these normalized security notions.


Introduction
Shannon entropy H(X) [1]-known as information theory-is a measure of the average uncertainty in the random variable X. Perfect secrecy [2] is a strong security notion which means that the ciphertext leaks no information about the plaintext.Shannon first formally studied this notion using information theory, and defined perfect secrecy as the mutual information between the plaintext X and ciphertext Y being zero; i.e., I(X; Y) = 0.The mutual information I(X; Y) is a measure of the dependence between the two random variables.In this view, perfect secrecy requires the independence between the plaintext X and ciphertext Y. Perfect secrecy can be achieved by one-time pad (Vernam) cipher [3], but it requires that the key space must be at least as large as the message space; i.e., H(X) ≥ H(Y).A number of authors have considered alternative definitions of secrecy to achieve more practical cryptosystems.A number of papers [4][5][6] considered the notion of non-perfect security--secrecy-which allows a small amount of information leakage about the plaintext after viewing the ciphertext; i.e., I(X; Y) ≤ .Dodis [7] considered the -security with a completeness error, which allows the decryption to have some small error.Several other notions of secrecy [5,6,8] have been proposed by using other entropy measures, such as min-entropy, conditional min-entropy, Rényi entropy, and conditional Rényi entropy instead of Shannon entropy.However, the security parameter in [7] is not proper to measure the security level of private-key encryption scheme.As we know, 10 leaked bits is a large amount of information leakage for a 100-bit message, but is small for a 10,000-bit message.However, using the security notion of [7], they have the same level of security.The problem is that the security notion of [7] deals with the absolute amount of information leakage rather than with the relative amount of information leakage.So, in this paper, we propose a notion of normalized -Shannon security, which is a normalized version of Shannon entropy-based security for a private-key encryption scheme.The new security parameter is the information leak ratio; i.e., I(X; Y) divided by H(X).This is also a relative amount of information leakage for messages.
Kolmogorov complexity K(x) [9][10][11]-known as algorithmic information theory [12,13]-measures the quantity of information in a single string x by the size of the smallest program that generates it.Antunes et al. [14] considered a notion of individual security for cryptographic systems by using Kolmogorov complexity instead of Shannon entropy.Kaced [15] and Dai et al. [16] considered the Kolmogorov complexity-based security for secret sharing schemes.In this paper, we also propose the notion of a normalized version of Kolmogorov complexity-based security for private-key encryption scheme.Kolmogorov complexity and entropy are different information measures, and therefore a private-key encryption is secure based on one information measure but not secure based on another information measure [5].Finally, we show the relationship between entropy-based security and Kolmogorov complexity-based security.
This paper is organized as follows: in Section 2, we review some definitions of entropy measures, Kolmogorov complexity, and private-key encryption.In Section 3, we propose several normalized versions of security notions based on Shannon entropy, and derive some lower bounds on the key size for private-key encryption under these security models.In Section 4, several Kolmogorov complexity-based security notions of private-key encryption are given and are compared to Shannon entropy-based security in Section 5. Conclusions are presented in Section 6.

Entropy
Let X be a finite set.Let X be a random variable over X .We denote the probability of random variable X being equal to x by p X (x), and when no confusion on the random variable used may arise, we simplify it to p(x).
Let X , Y, Z be three finite sets.Let X, Y, Z be random variables over X , Y, Z, respectively.Some basic concepts of information theory are defined as follows.
The Shannon entropy [1] of a random variable X, defined by The conditional Shannon entropy with respect to X given Y is defined as The joint Shannon entropy of X and Y is The Mutual information between X and Y is The conditional mutual information between X and Y given Z is defined as We recall a few properties of Shannon entropy.
Lemma 1. References [7,12].Let X, Y, Z be random variables over X , Y, Z, respectively.(i) H(X) ≥ 0, with equality if and only if there exists x 0 ∈ X such that p( is a function of Y and p e = p(X = X ) is the probability of error.

Kolmogorov Complexity
Some definitions and basic properties of Kolmogorov complexity are recalled below.For more details, see [12,13].
Here, we use the prefix-free definition of Kolmogorov complexity.A set of strings A is prefix-free if there are not two strings x and y in A such that x is a proper prefix of y.
The conditional Kolmogorov complexity K(y|x) of y given x, with respect to a universal prefix-free Turing machine U, is defined by where U(p, x) is the output of the program p with auxiliary input x when it is run in the machine U.
Let U be a universal prefix-free Turing machine, then for any other Turing machine F: for all x, y, where the constant c F depends on F but not on x, y.The (unconditional) Kolmogorov complexity K U (y) of y is defined as K U (y|ε), where ε is the empty string.We fix a universal prefix-free Turing machine once and for all and for convenience, K U (y|x) and K U (y) are denoted, respectively, by K(y|x) and K(y).
The algorithmic mutual information between x and y is the quantity We consider x and y to be algorithmically independent whenever I(x : y) is approximately zero.
Lemma 2. References [12,13].For any finite strings x, y, we have Shannon entropy and Kolmogorov complexity are different information measures, as the former is based on probability distributions and the latter on the length of programs.However, for any computable probability distributions, up to a constant term, the expected value of the (conditional) Kolmogorov complexity equals the (conditional) Shannon entropy [17,18].Shannon mutual information and algorithmic mutual information are also related.Lemma 3. References [17,18].Let X, Y be two random variables over X , Y, respectively.For any computable probability distribution u(x, y) over X × Y, When u is given, then I(X; Y) = ∑ x,y u(x, y)I(x:y|u) + O(1).

Private-Key Encryption
A private-key encryption ∏ consists of a message space X , a ciphertext space Y, a key space K, and a pair of an encryption function Enc : X × K → Y and a decryption function Dec : Y × K → X ; i.e., ∏ = de f (X , Y, K, Enc, Dec).
A private-key encryption ∏ is said to have perfect correctness if for any key k ∈ K and plaintext x ∈ X .Dodis [7] relaxed the correctness guarantee to allow for some small decryption error γ.
Dodis [7] also gave the following natural definition of imperfect correctness based on Shannon entropy.A private-key encryption ∏ is said

Normalized -Shannon Security
Now we are ready to propose a new relaxation of non-perfect security for private-key encryption.In the rest of this paper, X, Y, K are always used to denote the random variable for plaintext space X , ciphertext space Y, and key space K, respectively.Definition 1.Let ∏ be a private-key encryption.We say ∏ is normalized -Shannon secure if In the above notion, we use the information leak ratio instead of the absolute amount of information leak to measure the security degree of private-key encryption.It can simply be understood as a normalized version of -Shannon security.
In [7], a private-key encryption ∏ is called -Shannon secure if I(X, Y) ≤ .It is easy to know that if a private-key encryption ∏ is normalized -Shannon secure (which means the information leak ratio is at most ), then the absolute amount of information leak is at most H(X), and ∏ is H(X)-Shannon secure.Moreover, by Lemma 1(ii), H(X) Our notion can be used to compare the security of private-key encryption schemes that have different message sizes.For example, a 2-Shannon secure encryption 10 .We cannot say that ∏ 2 is more secure than ∏ 1 (by 1 < 2) because of the different size of the message.By using our notion, however, ∏ 1 is normalized 2 −99 -Shannon secure and ∏ 2 is normalized 2 −10 -Shannon secure, where we assume that X 1 and X 2 are uniformly random, then we can say that ∏ 1 is more secure than ∏ 2 .Thus, our investigation of the above definition of security has its literature reason.

Lower Bounds
In this subsection, we derive some lower bounds on the key size for private-key encryption under various correctness and security models.Theorem 1.Let ∏ be a private-key encryption.If ∏ has normalized -Shannon security and perfect correctness, then Proof.From Lemma 1(vii), we have From the definition of normalized -Shannon security, we have Let X = Dec K (Y).Since ∏ has perfect correctness, then from Lemma 1(i) we have p(X = X ) = 0. So, by Lemma 1(viii) Fano inequality, 0 ≤ H(X|(K, Y)) ≤ H(X|X ) = 0, then we have Then, by Equations ( 14)-( 16), we have From the above result, we know that normalized -Shannon security and perfect correctness requires H(K) ≥ (1 − )H(X); this is different from -Shannon security and perfect correctness, which requires H(K) ≥ H(X) − .
Next, we consider the normalized -Shannon security with a completeness error γ.
Theorem 2. Let ∏ be a private-key encryption.If ∏ is normalized -Shannon secure and (1 − γ)-Shannon correct, then Proof.From Lemma 1(vii), we have From the definition of normalized -Shannon security, we have From the definition of (1 − γ)-Shannon correctness and Lemma 1(viii) Fano inequality, we have Then, by using Equations ( 18)-(20), we have From Lemma 1(ii) and Theorem 2, we conclude the following.
Corollary 3. Let X be the uniform distribution over X , ∏ be a private-key encryption.If ∏ is normalized -Shannon secure and (1 − γ)-Shannon correct, then Consequently,

Normalized -Kolmogorov Security
We give a security notion for private-key encryption based on Kolmogorov complexity.This idea is that now a private-key encryption is not a distribution on binary strings, but an individual tuple of binary strings with corresponding properties of secrecy (see [14]).We use Kolmogorov complexity instead of Shannon entropy to measure the security degree for an individual tuple of strings of private-key encryption.Let x ∈ X , y ∈ Y, and k ∈ K be a plaintext, a ciphertext, and a key, respectively.A pair of strings (x, y) is used to denote an instance of a private-key encryption which satisfies Enc k (x) = y and Dec k (y) = x for a key k ∈ K. Definition 2. Let ∏ be a private-key encryption, (x, y) be an instance of ∏.An instance (x, y) is normalized -Kolmogorov secure if I(x; y) ≤ K(x); i.e., I(x; y)/K(x) ≤ .
The security parameter can be seen as the information leak ratio in the sense of Kolmogorov complexity.For Kolmogorov complexity, there is no natural way to define an "absolutely" perfect version of a private-key encryption scheme.We consider a private-key encryption to be approximately-perfect secure in the sense of Kolmogorov complexity whenever is approximately zero, which means that the plaintext x and the ciphertext y are algorithmically independent.
The notion of normalized -Kolmogorov security can be simply understood as a normalized version of individual security [14], which is a formal definition of what it means for an individual instance to be secure.Now, we show a lower bound of key sizes for an instance of private-key encryption.From the above theorem, we know that a message with high Kolmogorov complexity-or a nearly Kolmogorov random string-cannot be encrypted by a small key size with high security parameter.

Normalized -Kolmogorov Security versus Normalized -Shannon Security
In this section, we establish some relations between Shannon entropy-based security and Kolmogorov complexity-based security for private-key encryption.
First, from the notion of normalized -Kolmogorov security for a private-key encryption, is a security parameter defined for one instance, not all instances.Many x's have a small Kolmogorov complexity even if the adversary does not know the ciphertext y.For example, the Kolmogorov complexity of x = 111...11 ∈ {0, 1} n is almost vanishing.So, we give the following definition for all instances in a private-key encryption.
The above security notion means that the probability that an instance is normalized -Kolmogorov secure at least δ for a computable distribution.
For a private-key encryption, when the probability of an instance with low security parameter is high, this means that most of instances are secure.
Here we give following relations between normalized ( , δ)-Kolmogorov security and normalized -Shannon security.
Theorem 5. Let ∏ be a private-key encryption.If for any independent variables X, Y over X , Y with a computable joint distribution u, ∏ is normalized ( , δ)-Kolmogorov secure, then ∏ is normalized (1 + − δ)-Shannon secure.
Proof.Since ∏ is normalized ( , δ)-Kolmogorov secure, then the probability that an instance is normalized -Kolmogorov secure is at least δ; i.e., Pr x∈X ,y∈×Y Let Q be the set of normalized -Kolmogorov secure instances of private-key encryption ∏; i.e., Q = {(x, y); I(x; y|u) ≤ K(x)}.Then, we have Pr By using Lemmas 2 and 3 and Equations ( 27) and ( 28 The result of Theorem 5 shows that if the probability of approximately-perfect secure instances ( is approximately zero) is approximately 1, then the private-key encryption is approximately-perfect secure in the Shannon entropy sense.

Conclusions
In this paper, we presented two notions of normalized -Shannon security and -Kolmogorov security for private-key encryption.The new security parameters can make the evaluation of the security of private-key encryption more normalized and rationalized.Then, we established the relation of two normalized security notions for private-key encryption.
As future work, we can consider a special case of that is a negligible function of the message length.In this case, the amount of information leak can be ignored because negligible functions tend to zero very fast as their input (the message length) grows.
Obviously, we only considered the normalized security of private-key encryption schemes based on Shannon entropy and Kolmogorov complexity.Normalized security of other schemes based on other information measures are possible topics for future consideration.

Theorem 4 .
Let ∏ be a private-key encryption, and (x, y) be an instance of ∏.Suppose the decryption function Dec is given, and the length of Dec is not dependent on the length of the key k.If an instance (x, y) is normalized-Kolmogorov secure, then |k| ≥ (1 − )K(x) − O(1)(24)for any key k with Dec k (y) = x.Proof.Let p be a shortest binary program that computes x from y. Since Dec k (y) = x, the length of p is no more than the length of the decryption function Dec and the key k, |p| ≤ |Dec| + |k|.Because the decryption function Dec is given and the length of Dec is not dependent on the length of key k, we have K(x|y) ≤ |k| + O(1).If ∏ is normalized -Kolmogorov secure, I(x; y) ≤ K(x); i.e., K(x) − K(x|y) ≤ K(x), then we have (1 − )K(x) ≤ K(x|y).Then, K(x) − K(x) ≤ K(x|y) ≤ |k| + O(1).(25) Thus, |k| ≥ (1 − )K(x) − O(1).