Bounds on key equivocation for simple substitution ciphers
Author
Abstract
The equivocation of the key for a simple substitution cipher is upper and lower bounded, when the message source is memoryless. The bounds are shown to be exponentially tight. The results are compared with random ciphering. It is observed that the exponential behavior of the equivocation of the key is not determined by the redundancy in the message source, but by the symbol probabilities which are closest in a certain sense.

I. INTRODUCTION

Ciphers are used to limit the ability of a wiretapper to discover the content of an intercepted message. In [1] Shannon laid down the theoretical framework for analysis of such a situation and introduced a theory of secrecy systems. A secrecy system is defined as a family of uniquely reversible transformations $\mathcal{T} = \{T_j(\cdot)\}_{j=1}^{J}$ of a set of possible messages $\mathcal{M} = \{m_n\}$ into a set of cryptograms $\mathcal{E} = \{e_n\}$, the transformations having associated probabilities $\{p_j\}_{j=1}^{J}$.

A block diagram depicting the behavior of a secrecy system is shown in Fig. 1. The message source symbols are transformed by the encipherer into cryptogram symbols before they are transmitted over the channel. To recover the message at the receiving end the inverse transformation is performed by the decipherer. The transformation and inverse transformation used are specified by the outcome of the key source.

When evaluating the strength of a secrecy system, it is assumed that the wiretapper knows the set of transformations $\mathcal{T}$ and the statistics of the message and the key sources. Given this information, but not the actual key, the wiretapper tries to estimate the message and/or the key from an intercepted cryptogram. Under these circumstances it is shown in [1, pp. 667-668] that the conditional entropies of the key and of the message given the cryptogram can be used as measures of the strength of the system. The conditional entropies are called the equivocation of the key and of the message, respectively.
In general it is hard to explicitly calculate these equivocations. Therefore, Shannon [1] introduced random ciphers (or random codes), and he and later Hellman [2] analyzed their properties. In [1, p. 698] it is proposed that complex "practical" ciphers behave approximately as random ciphers. On the other hand, it is stated in [2] that random ciphers perform much more poorly than carefully designed ciphers. In this paper we derive an upper bound on the key equivocation for simple substitution ciphers that is exponentially tight. This bound together with calculations of the equivocation are compared with the equivocation of a corresponding random cipher.

In Section II we formally state the problem and give the necessary background. Section III contains the derivation of expressions on the equivocation of the key that are used in Section IV to obtain upper and lower bounds. In Section V the results are discussed and compared with random ciphers.

Manuscript received August 8, 1977; revised June 14, 1978. This work was supported by the Swedish Board for Technical Development under Grant 76-3618. Part of the results in this paper were presented at the 1976 IEEE International Symposium on Information Theory, Ronneby, Sweden, June 21-24, 1976. The author is with the Department of Electrical Engineering, Linköping University, S-581 83 Linköping, Sweden.

Fig. 1. Schematic block diagram of secrecy system.

II. PROBLEM STATEMENT AND PRELIMINARIES

Refer to Fig. 1. The message source is discrete and memoryless with alphabet $\mathcal{M} = \{1, 2, 3, \ldots, N\}$. The probability of a symbol $n$ is $P_M(n) = q_n$. The cryptogram alphabet $\mathcal{E}$ is taken to be the same as $\mathcal{M}$. The set of transformations $\mathcal{T} = \{T_j(\cdot)\}_{j=1}^{J}$ is the set of all invertible transformations of $\mathcal{M}$ onto $\mathcal{E}$. Thus the number of elements in $\mathcal{T}$ is $J = N!$. The key and the message sources are independent, and the keys are equiprobable, i.e., $P_K(j) = 1/N!$.
We will refer to the cipher defined by $\mathcal{T}$ above as a simple substitution cipher. We note that $\mathcal{T}$ is a group of transformations and that the transformations could be seen as permutations of the message alphabet.

0018-9448/79/0100-0008$00.75 ©1979 IEEE
BLOM: KEY EQUIVOCATION FOR CIPHERS
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-25, NO. 1, JANUARY 1979

Now a word about notation. Let ~ be an arbitrary finite set. A sequence of length $L$ of symbols in ~ will be written as (1) where subscripted letters denote the components and superscripted boldface letters denote sequences. The ensemble of all sequences of length $L$ is written ~L. A similar convention applies to random sequences and variables which are denoted by uppercase letters. A transformation of a message symbol $m \in \mathcal{M}$ will be written as (2) and we will use the same notation for transformations of a sequence of message symbols

$$T_j(m^L) = (T_j(m_1), T_j(m_2), \ldots, T_j(m_L)) = e^L \tag{3}$$

which should not cause any confusion. We also define $T_1(\cdot) \in \mathcal{T}$ to be the identity transformation. The notation of standard information quantities is as defined by Gallager [3], and the wiretapper's equivocation of the key is written $H(K|E^L)$. The logarithms involved in this paper are taken to the base $e$. Hence entropies and equivocations will be expressed in nats/symbol.

The main object of this paper is to find exponentially tight bounds on the equivocation of the key. However, before doing that we first derive a general lower bound on $H(K|E^L)$ without using the assumption that the message source is memoryless. Then we make an observation about the general behavior of $H(K|E^L)$ when the message source is memoryless.

The lower bound can be obtained by writing (4) and using the equalities (5). The first equality in (5) is due to the fact that knowing $K$ and $E^L$ is equivalent to knowing $K$ and $M^L$, because all $T_j \in \mathcal{T}$ are invertible. The second equality follows from the independence of the message and key sources. Combining (4) and (5) gives (6) which also can be found in [1, p. 687]. There are $N$ symbols in both $\mathcal{M}$ and $\mathcal{E}$. Thus we can upper bound $H(E^L)$ as (7) and write the redundancy $D_L$ of $L$ message characters as (8). Combining (6), (7), and (8) gives the lower bound (9).

The fundamental nature of this lower bound leads us to state this result as a theorem.

Theorem 1: If the key and message sources are independent, the key equivocation of a secrecy system is lower bounded by (9).

When the message source is memoryless, (9) can be written as

$$H(K|E^L) \ge H(K) - L[\log(N) - H(M)]. \tag{10}$$

We observe that (10) is equal to the approximate expression for the key equivocation of a random cipher [1, pp. 691-693] when

$$L < U \triangleq H(K)/[\log(N) - H(M)]. \tag{11}$$

$U$ is called the unicity distance. The interpretation is that after the interception of $U$ symbols, it is almost always possible to get a unique solution to a random cipher. We see that up to the point when the random cipher becomes uniquely solvable, the key equivocation of the cipher behaves as the general lower bound in (10). Thus the above is a simpler and more general derivation of Hellman's result [2] that a random cipher is essentially the worst possible.

From the properties of conditional entropy, it is evident that $H(K|E^L)$ is monotonically decreasing with $L$. When the message source is memoryless, the equivocation of the key is also convex in the sense that

$$H(K|E^L) - H(K|E^{L+1}) \ge H(K|E^{L+1}) - H(K|E^{L+2}). \tag{12}$$

To see this, subtract the right side of (12) from the left side, and substitute (6). Then we get

$$\begin{aligned} H(K|E^L) - 2H(K|E^{L+1}) + H(K|E^{L+2}) &= H(K) + L \cdot H(M) - H(E^L) - 2[H(K) + (L+1) \cdot H(M) - H(E^{L+1})] + H(K) + (L+2) \cdot H(M) - H(E^{L+2}) \\ &= H(E^{L+1}) - H(E^L) - [H(E^{L+2}) - H(E^{L+1})] \\ &= H(E_{L+1} | E_1 E_2 \cdots E_L) - H(E_{L+2} | E_1 E_2 \cdots E_{L+1}) \\ &\ge H(E_{L+1} | E_1 E_2 \cdots E_L) - H(E_{L+2} | E_2 E_3 \cdots E_{L+1}) = 0. \end{aligned} \tag{13}$$

The inequality in (13) is due to the reduction of the number of variables upon which the conditioning is made in the second term. The last expression is zero because of the stationarity of the process.

III. THE EQUIVOCATION OF THE KEY

In this section we derive an exact expression for $H(K|E^L)$ in terms of the message symbol probabilities. This expression is used to calculate exact values of the key equivocation to which the bounds can be compared. It is also used as a starting point in the derivation of an upper bound of $H(K|E^L)$ when the message source is binary. To obtain the desired expression for $H(K|E^L)$, we write

$$H(K|E^L) = \sum_{k=1}^{N!} \sum_{e^L \in \mathcal{E}^L} P_{E^L K}(e^L, k) \cdot \log \frac{\sum_{l=1}^{N!} P_{E^L K}(e^L, l)}{P_{E^L K}(e^L, k)}. \tag{14}$$

But $P_{E^L K}(e^L, k) = \sum_{m^L} P_{E^L | K M^L}(e^L | k, m^L) P_K(k) P_{M^L}(m^L),$
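The lower bound (10), the unicity distance (11) and the convexity property (12) can be checked numerically for a small alphabet. The Python sketch below is an added example, not code from the paper: it evaluates $H(K|E^L)$ by brute force from expression (14), and the source distribution `q = [0.6, 0.3, 0.1]` is a constructed sample.

```python
# Added example: exact key equivocation of a simple substitution cipher by
# brute force, compared with the lower bound (10) and unicity distance (11).
import itertools
import math

def entropy(p):
    """Entropy in nats, matching the paper's base-e logarithms."""
    return -sum(x * math.log(x) for x in p if x > 0)

def key_equivocation(q, L):
    """Exact H(K|E^L) from expression (14) for a memoryless source q."""
    N = len(q)
    keys = list(itertools.permutations(range(N)))  # all N! substitutions
    pk = 1.0 / len(keys)                           # equiprobable keys
    # inverse[k][e] = message symbol that key k maps to cryptogram symbol e
    inverse = [{e: m for m, e in enumerate(k)} for k in keys]
    h = 0.0
    for e_seq in itertools.product(range(N), repeat=L):
        # joint[k] = P(e^L, k) = P_K(k) * P_M(message that k turns into e^L)
        joint = [pk * math.prod(q[inv[e]] for e in e_seq) for inv in inverse]
        p_e = sum(joint)                           # P(e^L) = sum over keys
        h += sum(p * math.log(p_e / p) for p in joint if p > 0)
    return h

def lower_bound(q, L):
    """Right side of (10): H(K) - L[log N - H(M)]."""
    N = len(q)
    return math.log(math.factorial(N)) - L * (math.log(N) - entropy(q))

def unicity_distance(q):
    """U from (11): H(K) / [log N - H(M)]; undefined for a uniform source."""
    N = len(q)
    return math.log(math.factorial(N)) / (math.log(N) - entropy(q))

if __name__ == "__main__":
    q = [0.6, 0.3, 0.1]  # constructed source distribution, N = 3
    print(f"U = {unicity_distance(q):.2f} symbols")
    for L in range(7):
        print(L, round(key_equivocation(q, L), 4), round(lower_bound(q, L), 4))
```

The enumeration grows as $N! \cdot N^L$, so it is only practical for very small alphabets and short cryptograms.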
Similar resources
Efficient Attacks on Homophonic Substitution Ciphers
Efficient Attacks On Homophonic Substitution Ciphers by Amrapali Dhavare Substitution ciphers are one of the earliest types of ciphers. Examples of classic substitution ciphers include the well-known simple substitution and the less well-known homophonic substitution. Although simple substitution ciphers are indeed simple both in terms of their use and attacks; the homophonic substitution ciphe...
Decrypting classical cipher text using Markov chain Monte Carlo
We investigate the use of Markov Chain Monte Carlo (MCMC) methods to attack classical ciphers. MCMC has previously been used to break simple substitution ciphers. Here, we extend this approach to transposition ciphers and to substitution-plus-transposition ciphers. Our algorithms run quickly and perform fairly well even for key lengths as high as 40.
Efficient Cryptanalysis of Homophonic Substitution Ciphers
Substitution ciphers are among the earliest methods of encryption. Examples of classic substitution ciphers include the well-known simple substitution and the less well-known homophonic substitution. Simple substitution ciphers are indeed simple, both in terms of their use and their cryptanalysis. Homophonic substitutions—in which a plaintext symbol can map to more than one ciphertext symbol—ar...
Classical Ciphers and Cryptanalysis
Cryptography is the study of transmitting secret messages securely from one party to another. To accomplish this task, the original text, called plaintext, is “translated” into an encrypted version, called ciphertext, which is sent to the intended recipient. The recipient decrypts the text to obtain the original message. Cryptanalysis is the process of analyzing the “hidden” message to learn inform...
Differential Cryptanalysis on Block Ciphers: New Research Directions
Differential Cryptanalysis is a powerful technique in cryptanalysis, applied to symmetric-key block ciphers. It is a chosen plain-text attack which means the cryptanalyst has some sets of the plain-text and the corresponding cipher-text pairs of his choice. These pairs of the plain-text are related by a constant difference. Basically it is the study of how differences in input information can a...
Journal title:
- IEEE Trans. Information Theory
Volume 25, issue
Pages -
Publication date 1979