THE ONE-TIME PAD AND KEY EXCHANGE

1. The One-Time Pad

Alice and Bob would like to communicate with each other privately, over a public channel. We allow them to share a secret key, in whatever way they choose. Can that be achieved? Consider the following algorithm, for communicating n bits:

(1) Alice and Bob share a secret key $k \in_R \{0,1\}^n$. This is called the key-generation algorithm (which is extremely simple in this case).
(2) To Encrypt the message m, Alice prepares the ciphertext $c = m \oplus k$, and sends c to Bob over the public channel.
(3) To Decrypt, Bob computes $c \oplus k = m \oplus k \oplus k = m$.

This scheme achieves perfect secrecy if used once. The definition of perfect secrecy is the following:

Definition 1. An encryption scheme has perfect secrecy if for every pair of messages $m_0, m_1 \in \{0,1\}^n$ and every c,

$\Pr_{k \leftarrow KeyGen}(Enc_k(m_0) = c) = \Pr_{k \leftarrow KeyGen}(Enc_k(m_1) = c)$

In the case of the one-time pad, $Enc_k(m)$ for a random k is a random n-bit string, and therefore this is achieved: for every $m, c \in \{0,1\}^n$, $\Pr_{k \leftarrow KeyGen}(Enc_k(m) = c) = 2^{-n}$. Therefore the main challenge for private communication is: how can Alice and Bob share their key? Of course, they could meet, but can they share a private key over an authenticated public channel? In the first approach we will see, this is achieved using classical communication, under a computational assumption. We will later see a protocol, with a different set of assumptions, which is information-theoretically secure (also known as unconditionally secure).
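The following Python code is an added example, not part of the notes: the one-time pad over byte strings, a brute-force check of Definition 1 for a small n (enumerating every key and confirming that each ciphertext arises exactly once for every message), and what an eavesdropper learns when the "used once" condition is violated. All inputs are constructed for the demo.

```python
# Added example (not part of the original notes): the one-time pad over byte
# strings, a brute-force check of Definition 1 for small n, and the reason the
# pad must be used only once.  All inputs below are constructed for the demo.
import secrets


def keygen(n_bytes):
    """KeyGen: a uniformly random key, one byte per message byte."""
    return secrets.token_bytes(n_bytes)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad needs |key| == |message|")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, m):
    """Enc_k(m) = m XOR k."""
    return xor_bytes(m, key)


def decrypt(key, c):
    """Dec_k(c) = c XOR k = m XOR k XOR k = m."""
    return xor_bytes(c, key)


def ciphertext_counts(n_bits, m):
    """Count, over ALL 2^n keys, how often each ciphertext c = m XOR k occurs.
    Perfect secrecy (Definition 1) means this table is the same for every m:
    every c appears exactly once, i.e. Pr_k[Enc_k(m) = c] = 2^-n."""
    counts = {}
    for k in range(2 ** n_bits):
        c = m ^ k
        counts[c] = counts.get(c, 0) + 1
    return counts


def is_perfectly_secret(n_bits):
    """Definition 1 checked exhaustively for n-bit messages and keys."""
    tables = [ciphertext_counts(n_bits, m) for m in range(2 ** n_bits)]
    same_for_every_m = all(t == tables[0] for t in tables)
    uniform = all(v == 1 for v in tables[0].values())
    return same_for_every_m and uniform


def key_reuse_leak(key, m1, m2):
    """What an eavesdropper learns when the same pad encrypts two messages:
    c1 XOR c2 = m1 XOR m2, with the key cancelled out."""
    return xor_bytes(encrypt(key, m1), encrypt(key, m2))


if __name__ == "__main__":
    k = keygen(5)
    assert decrypt(k, encrypt(k, b"hello")) == b"hello"
    print("perfect secrecy for n=3 bits:", is_perfectly_secret(3))
    print("two-time pad leaks m1 XOR m2:", key_reuse_leak(k, b"hello", b"world").hex())
```

The `ciphertext_counts` table is the computational form of the argument in the paragraph above: for a fixed m, the map k ↦ m ⊕ k is a bijection, so the ciphertext distribution does not depend on m at all.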

Exercise 2. Suppose your computer can sample many independent random coins, where each coin is 0 with probability p and 1 with probability 1 − p (the same p for all the coins). You do not know what p is, but it is guaranteed that 0 < p < 1. Find a simple algorithm to sample uniformly random (i.e., unbiased) coins. Hint: What is the probability of the outcome 01?
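One standard answer to Exercise 2 is the von Neumann extractor; the code below is an added example, not the notes' own solution. Coins are consumed in disjoint pairs: 01 and 10 each occur with probability p(1 − p), so mapping 01 ↦ 0 and 10 ↦ 1 and discarding 00 and 11 gives unbiased bits without knowing p. The biased source is a constructed stand-in for the computer's coin, driven by a seeded generator so the demo is reproducible.

```python
# Added example (not the notes' own solution to Exercise 2): von Neumann's
# extractor.  The biased source below is constructed for the demo.
import random


def von_neumann_extract(biased_bits):
    """Turn a list of i.i.d. biased bits into unbiased bits.
    Pairs are disjoint; the odd trailing bit, if any, is ignored."""
    out = []
    for a, b in zip(biased_bits[0::2], biased_bits[1::2]):
        if a != b:          # 01 -> 0, 10 -> 1; 00 and 11 are thrown away
            out.append(a)
    return out


def biased_source(p_zero, count, rng):
    """Constructed stand-in for the machine's coin: 0 w.p. p_zero, else 1."""
    return [0 if rng.random() < p_zero else 1 for _ in range(count)]


def fraction_of_ones(bits):
    return sum(bits) / len(bits) if bits else 0.0


def demo(p_zero=0.9, count=20000, seed=1):
    """Returns (bias of the raw coins, bias after extraction, bits kept).
    About 2*p*(1-p) of the input pairs survive, so heavily biased sources
    are expensive to clean, but the output bias is 1/2 regardless of p."""
    rng = random.Random(seed)
    raw = biased_source(p_zero, count, rng)
    clean = von_neumann_extract(raw)
    return fraction_of_ones(raw), fraction_of_ones(clean), len(clean)


if __name__ == "__main__":
    print(demo())
```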

1.1. Visual Cryptography. Naor and Shamir [NS94] showed how to use a variant of the one-time pad in which decryption can be done without a computer. It is best to actually "see" a demonstration of it. Alice first gives Bob a transparency which looks like the following one, which is a simple manipulation of the one-time pad, explained later:

This is independent of her message. Her ciphertext looks like this:

As can be "seen", this looks completely random, and can be shown to provide perfect secrecy. But, when the two transparencies are put exactly (!!) on top of each other:

The following table (taken from [SS13]) explains how this scheme works. For more details and extensions see the original paper [NS94], or https://en.wikipedia.org/wiki/Visual_cryptography.

Table 1: Codebook used in basic 2-of-2 Visual Cryptography (from [SS13]; each cell is a 2x2 block of sub-pixels called a code-block, and the cell pictures are not reproduced here)

    Pixel              White                 Black
    Prob.              50%        50%        50%        50%
    Share1             [block]    [block]    [block]    [block]
    Share2             [block]    [block]    [block]    [block]
    Share1 + Share2    [block]    [block]    [block]    [block]

A white pixel is shared into two identical code-blocks and a black pixel into two complementary code-blocks; for every pixel, one of the two columns for its colour is chosen independently at random, so no information is gained by observing any group of pixels on a single share.
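The code below is an added example, not code from the notes or from [NS94]/[SS13]: 2-of-2 visual cryptography on a tiny constructed bitmap. Each secret pixel becomes a 2x2 code-block on each share; a white pixel gives two identical blocks and a black pixel two complementary blocks, with the block pattern chosen per pixel by a random coin (the table's two 50% columns per colour). The two patterns used (diagonal and anti-diagonal) are an assumption, since the table's pictures are not reproduced in the notes; stacking transparencies is modelled as a pixel-wise OR.

```python
# Added example (not from the notes or the cited papers): 2-of-2 visual
# cryptography.  PATTERNS is an assumed pair of code-blocks; the secret bitmap
# is constructed for the demo.  1 = black sub-pixel, 0 = transparent.
import secrets

PATTERNS = ([[1, 0], [0, 1]], [[0, 1], [1, 0]])


def complement(block):
    return [[1 - v for v in row] for row in block]


def encode_pixel(pixel, coin):
    """Codebook lookup: (share1 block, share2 block) for one secret pixel.
    coin picks which of the two columns for that colour is used.
    White (0): identical blocks.  Black (1): complementary blocks."""
    pattern = PATTERNS[coin]
    return (pattern, pattern) if pixel == 0 else (pattern, complement(pattern))


def make_shares(image, coins=None):
    """image: rows of 0 (white) / 1 (black).  coins: optional pre-drawn bits,
    one per pixel, for reproducible tests; otherwise fresh random coins,
    which is what makes each share on its own a one-time-pad-like random image."""
    h, w = len(image), len(image[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    idx = 0
    for r in range(h):
        for c in range(w):
            coin = coins[idx] if coins is not None else secrets.randbelow(2)
            idx += 1
            b1, b2 = encode_pixel(image[r][c], coin)
            for dr in range(2):
                for dc in range(2):
                    s1[2 * r + dr][2 * c + dc] = b1[dr][dc]
                    s2[2 * r + dr][2 * c + dc] = b2[dr][dc]
    return s1, s2


def stack(s1, s2):
    """Overlaying the transparencies: black if black on either share."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]


def block_black_counts(sheet):
    """Number of black sub-pixels in each 2x2 block of a sheet."""
    h, w = len(sheet) // 2, len(sheet[0]) // 2
    return [[sum(sheet[2 * r + dr][2 * c + dc] for dr in range(2) for dc in range(2))
             for c in range(w)] for r in range(h)]


def decode(stacked):
    """Read the secret back: 2 black sub-pixels -> white (grey to the eye),
    4 black sub-pixels -> black."""
    return [[1 if n == 4 else 0 for n in row] for row in block_black_counts(stacked)]


def render(sheet):
    return "\n".join("".join("#" if v else "." for v in row) for row in sheet)


SECRET = [[1, 0, 1],
          [0, 1, 0]]   # constructed 3x2 bitmap

if __name__ == "__main__":
    share1, share2 = make_shares(SECRET)
    print(render(share1), "\n", sep="")
    print(render(stack(share1, share2)))
```

`block_black_counts` on a single share is always a grid of 2s whatever the secret was, which is the visual analogue of the one-time pad argument: a share alone carries no information about the image, and only the stacked pair reveals it.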

2. Definition of a Key-Exchange protocol

Suppose Alice and Bob have an authenticated public channel. Authenticated means that Bob knows that the message was sent by Alice and vice versa; public means that Eve hears the entire communication. A key-exchange protocol allows Alice and Bob to share a secret key using that channel. In other words, Alice and Bob can stand in a room full of people, and agree on a secret key by shouting to each other. This is possible because of the asymmetry in computation.

Formally, a key exchange protocol Π between Alice and Bob uses a security parameter n, and runs in time polynomial in n. They run their part of the protocol using random private bits. At the end of the protocol, Alice and Bob hold keys $k_A$ and $k_B$, and we require that $k_A = k_B$ if the protocol runs correctly. Intuitively, Eve should not be able to guess the shared key. A computational approach towards formalizing the above is by the following security game $KE_{A,\Pi}$:

(1) Alice and Bob execute the protocol Π. Denote Alice and Bob's shared key by k, the length of the shared key by n (which also plays the role of the security parameter here), and the transcript of their protocol by t.
(2) Let $b \in_R \{0,1\}$. If b = 0, set $k' = k$. Otherwise, sample $k' \in_R \{0,1\}^n$.
(3) The adversary A is given n, t, k', and outputs a guess $b' \in \{0,1\}$.
(4) We say that the outcome of the game is 1 (or, that the adversary wins) iff $b = b'$.

Definition 3. For a key exchange protocol Π, the advantage of an adversary A is defined as

$Adv_{A,\Pi}(n) \equiv \Pr[KE_{A,\Pi}(n) = 1] - \frac{1}{2}$

A key exchange protocol is computationally secure against PPT (QPT) adversaries if for every PPT (QPT) adversary A, the advantage is negligible. A key exchange protocol is unconditionally secure if for every (computationally unbounded) quantum adversary the advantage is negligible / exponentially small. A shared key exchanged using a key exchange protocol is as secure as a random shared key exchanged using a private channel (up to negligible / exponential corrections).

3. Diffie-Hellman's Key-Exchange

We are now ready to define Diffie-Hellman's key exchange protocol [DH76].

(1) Alice generates a group $\mathbb{Z}_p^*$, and a generator $g \in \mathbb{Z}_p^*$ such that $\langle g \rangle$, the group generated by g, is of order q, for p and q which are random, and q has n bits. We omit the details regarding how these are generated. She sends p, q, g to Bob.
(2) Alice samples $x \in_R [q]$.
(3) Alice sends $h_A \equiv g^x$ to Bob.
(4) Bob samples $y \in_R [q]$.
(5) Bob sends $h_B = g^y$ to Alice.
(6) Alice computes $k_A \equiv h_B^x = (g^y)^x = g^{yx} = g^{xy}$.
(7) Bob computes $k_B = h_A^y = (g^x)^y = g^{xy}$.

To argue that this protocol is secure, we need to make some hardness assumption.

Definition 4. We say that the Decisional Diffie-Hellman (DDH) problem is hard if for all PPT A, there is a negligible function negl(n) such that

$\left| \Pr[A(p, q, g, g^x, g^y, g^z) = 1] - \Pr[A(p, q, g, g^x, g^y, g^{xy}) = 1] \right| \le negl(n),$

where x, y, z are random in [q], and p, q, g are generated using the same procedure as in the Diffie-Hellman key exchange protocol (which wasn't fully specified). In other words, given $g^x$ and $g^y$, an adversary cannot tell whether another element is random (in $\langle g \rangle$) or is $g^{xy}$.
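The following Python code is an added example, not part of the notes: steps (2)–(7) of the protocol above and one round of the game $KE_{A,\Pi}$ from Section 2, run in a constructed toy group (p = 23, q = 11, g = 4, where g generates a subgroup of $\mathbb{Z}_{23}^*$ of prime order 11). The adversary recovers x from $h_A$ by exhaustive search, which is only possible because q is tiny; it makes concrete what winning the game looks like once discrete logs are easy, and why the n-bit size of q is what the assumption rests on.

```python
# Added example (not from the notes): Diffie-Hellman over a toy subgroup and the
# key-exchange game KE_{A,Pi} from Section 2.  The parameters are constructed:
# p = 23, q = 11, and g = 4 generates a subgroup <g> of Z_23^* of prime order 11.
import random

P, Q, G = 23, 11, 4


def subgroup_order(g, p):
    """Smallest k >= 1 with g^k = 1 mod p (the order of <g>)."""
    e, k = g % p, 1
    while e != 1:
        e, k = (e * g) % p, k + 1
    return k


def run_protocol(x, y):
    """Steps (2)-(7) with Alice's secret x and Bob's secret y.
    Returns (transcript seen by Eve, k_A, k_B)."""
    h_a = pow(G, x, P)            # (3) Alice sends h_A = g^x
    h_b = pow(G, y, P)            # (5) Bob sends h_B = g^y
    k_a = pow(h_b, x, P)          # (6) k_A = h_B^x
    k_b = pow(h_a, y, P)          # (7) k_B = h_A^y
    return (P, Q, G, h_a, h_b), k_a, k_b


def ke_game(adversary, b, x, y, k_random):
    """One round of KE_{A,Pi} with the coin b fixed by the caller.
    b = 0: the adversary gets the real key; b = 1: it gets k_random instead.
    Returns 1 iff the guess b' equals b (the adversary wins)."""
    transcript, k_a, k_b = run_protocol(x, y)
    assert k_a == k_b             # correctness: both sides hold the same key
    k_prime = k_a if b == 0 else k_random
    return int(adversary(transcript, k_prime) == b)


def dlog_bruteforce(h, g, p, q):
    """Exhaustive discrete log; feasible only because q is tiny."""
    for x in range(q):
        if pow(g, x, p) == h:
            return x
    raise ValueError("h is not in <g>")


def dlog_adversary(transcript, k_prime):
    """Adversary that solves the discrete log and then tests k' against h_B^x.
    For real-sized q this is what Shor's algorithm hands a quantum adversary."""
    p, q, g, h_a, h_b = transcript
    x = dlog_bruteforce(h_a, g, p, q)
    return 0 if pow(h_b, x, p) == k_prime else 1


def estimate_advantage(adversary, trials, rng):
    """Monte-Carlo estimate of Adv = Pr[KE = 1] - 1/2 over random x, y, b,
    using a random element g^z of <g> as the fake key."""
    wins = 0
    for _ in range(trials):
        x, y, z = (rng.randrange(1, Q) for _ in range(3))
        b = rng.randrange(2)
        wins += ke_game(adversary, b, x, y, pow(G, z, P))
    return wins / trials - 0.5


def demo_advantage(trials=400, seed=0):
    return estimate_advantage(dlog_adversary, trials, random.Random(seed))


if __name__ == "__main__":
    print("order of <g>:", subgroup_order(G, P))
    print("advantage of the brute-force adversary:", demo_advantage())
```

In this toy group the brute-force adversary's only losses come from the fake key colliding with the real one (probability 1/10 here), so its advantage is close to 0.45 rather than negligible; the same game with an n-bit q and a polynomial-time classical adversary is exactly what Theorem 5 below bounds.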

Theorem 5 (e.g., [KL14], Theorem 10.3). If the Decisional Diffie-Hellman (DDH) problem is hard with respect to the group generated above, then the protocol above is computationally secure against classical adversaries.

The DDH problem (and also the "harder" Computational-DH problem, and even the harder discrete log problem) is clearly not hard with respect to quantum adversaries. Recall that in the discrete log problem, we are given $p, q, g, g^x$ and the goal is to find x. Shor's algorithm solves the discrete log problem (and actually quite a bit more: it works for other groups as well). Shor's algorithm can be used to find x given only $g^x$ (and y given only $g^y$), and therefore to break the DDH assumption, and the scheme itself.

Once we have a secure key-exchange protocol, we can use the shared key to encrypt messages using the one-time pad. The level of security (computational/unconditional, negligible/exponentially small) depends on the details of the key-exchange protocol.

4. Density Matrices

In the classical setting, we've seen that for a one-bit message m and a one-bit random key k, the ciphertext $m \oplus k = \mathrm{NOT}^k m$ is a random bit, and therefore the one-time pad is secure. What about the quantum setting? Is the "cipher-state" $X^k|\psi\rangle$ a secure quantum one-time pad? No: suppose the adversary sends either the $|+\rangle$ or the $|-\rangle$ state. In this case, the encryption does basically nothing: $X|+\rangle = |+\rangle$, and $X|-\rangle = -|-\rangle \propto |-\rangle$, and therefore measuring in the +/− basis will reveal the original message.

So, how do we argue about states in scenarios which involve both quantum states and probabilities? (In this case, the state is "with probability half $|\psi\rangle$ and with probability half $X|\psi\rangle$".) It turns out that the "right way" to describe these states is using a matrix rather than a vector. Given a distribution $(p_i, |\psi_i\rangle)$, we define the associated matrix

$\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|.$

Exercise: show that if we measure the projective measurement $\{\Pi_j\}$, the probability of the j-th outcome is $\mathrm{tr}(\Pi_j \rho)$.

$\Pr(\text{outcome is } j) = \sum_i p_i \Pr(\text{outcome is } j \mid \text{state is } |\psi_i\rangle) = \sum_i p_i \langle\psi_i|\Pi_j|\psi_i\rangle = \sum_i p_i \,\mathrm{tr}(\langle\psi_i|\Pi_j|\psi_i\rangle) = \sum_i p_i \,\mathrm{tr}(\Pi_j |\psi_i\rangle\langle\psi_i|) = \mathrm{tr}\Big(\Pi_j \sum_i p_i |\psi_i\rangle\langle\psi_i|\Big) = \mathrm{tr}(\Pi_j \rho)$

When we apply a unitary transformation on this ensemble, $\rho \mapsto U \rho U^\dagger$, since the new ensemble becomes $(p_i, U|\psi_i\rangle)$. To conclude, all the operations are completely determined by ρ rather than by the ensemble; hence, we can define a quantum state to be these types of matrices. It turns out that these matrices are exactly the ones which satisfy $\rho \succeq 0$ and $\mathrm{tr}(\rho) = 1$. Recall that $\rho \succeq 0$ (ρ is called positive semi-definite) means that ρ is Hermitian (symmetric in the real case), with only non-negative eigenvalues (alternatively, $\langle\psi|M|\psi\rangle \ge 0$ for all states $|\psi\rangle$). We leave the following as an exercise to the reader:

(1) Let $\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|$. Show that $\rho \succeq 0$, and that $\mathrm{tr}(\rho) = 1$.
(2) Let ρ be a matrix which satisfies $\rho \succeq 0$ and $\mathrm{tr}(\rho) = 1$. Find an ensemble $(p_i, |\psi_i\rangle)$ such that $\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|$.
(Hint: A symmetric matrix has an orthogonal diagonalization.)

Therefore, if two ensembles have the same associated mixed state, they cannot be distinguished. On the other hand, if the two density matrices are *not* equal, there is a way to distinguish them (guess which one of the ensembles it is) with probability > 1/2. We won't give the precise definition here; the way this is quantified is called the trace distance.

4.1. The quantum one-time pad. It turns out that it is possible to encrypt a qubit using a secret key which consists of 2 bits, and that it can't be done using a shorter key. The encryption of $|\psi\rangle$ using $a, b \in \{0,1\}$ is $X^a Z^b |\psi\rangle$. Decryption applies the same operations in reverse order ($Z^b X^a$), which reverts it. We won't see the full security proof, but we will see an example. What's the ensemble generated when we encrypt $|+\rangle$? It becomes $|+\rangle$ with probability 1/2 and $|-\rangle$ with probability 1/2 (recall that $Z|+\rangle = |-\rangle$), and similarly for $|-\rangle$. The density matrix in this case is $\frac{1}{2}(|+\rangle\langle+| + |-\rangle\langle-|) = \frac{1}{2} I$. One can check that this in fact holds for any state, including the standard basis states. Furthermore, this can be extended to n qubits using a key of length 2n.
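The following Python code is an added example, not part of the notes; it uses plain lists for small complex matrices so it runs without any library. It checks, on constructed states, the three computations of this section and of the partial trace in Section 4.2 below: the X-only "pad" leaves $|+\rangle$ unchanged, so the measurement $\{|+\rangle\langle+|, |-\rangle\langle-|\}$ reveals the message with certainty; the quantum one-time pad $X^a Z^b$ with a uniformly random two-bit key maps every single-qubit state to $\frac{1}{2} I$; and tracing out Bob's half of an EPR pair leaves Alice with $\frac{1}{2} I_2$.

```python
# Added example (not from the notes): density matrices in pure Python, used to
# check claims of Sections 4, 4.1 and 4.2 on constructed states.
import cmath
import math
from itertools import product


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def matvec(A, v):
    return [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]


def add(A, B):
    return [[A[i][j] + B[i][j] for j in range(len(A[0]))] for i in range(len(A))]


def scale(s, A):
    return [[s * x for x in row] for row in A]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def outer(psi):
    """|psi><psi| for a state given as a list of amplitudes."""
    return [[psi[i] * psi[j].conjugate() for j in range(len(psi))] for i in range(len(psi))]


def close(A, B, tol=1e-9):
    return all(abs(A[i][j] - B[i][j]) < tol for i in range(len(A)) for j in range(len(A[0])))


I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
HALF_I = scale(0.5, I2)


def density(ensemble):
    """rho = sum_i p_i |psi_i><psi_i| for an ensemble [(p_i, psi_i), ...]."""
    dim = len(ensemble[0][1])
    rho = [[0] * dim for _ in range(dim)]
    for p, psi in ensemble:
        rho = add(rho, scale(p, outer(psi)))
    return rho


def outcome_prob(proj, rho):
    """Born rule in density-matrix form: Pr(j) = tr(Pi_j rho)."""
    return trace(matmul(proj, rho)).real


def pauli_power(M, e):
    return M if e else I2


def qotp_encrypt(psi, a, b):
    """X^a Z^b |psi>."""
    return matvec(pauli_power(X, a), matvec(pauli_power(Z, b), psi))


def qotp_decrypt(c, a, b):
    """Z^b X^a undoes X^a Z^b because X^2 = Z^2 = I."""
    return matvec(pauli_power(Z, b), matvec(pauli_power(X, a), c))


def qotp_mixed_state(psi):
    """Eve's view when the 2-bit key is uniform: the average over all four keys."""
    return density([(0.25, qotp_encrypt(psi, a, b)) for a, b in product((0, 1), repeat=2)])


def x_only_mixed_state(psi):
    """Eve's view under the insecure one-bit pad X^k with uniform k."""
    return density([(0.5, psi), (0.5, matvec(X, psi))])


def partial_trace_B(rho_ab):
    """tr_B of a two-qubit density matrix (4x4): Alice's 2x2 reduced state."""
    return [[sum(rho_ab[2 * i + k][2 * j + k] for k in range(2)) for j in range(2)]
            for i in range(2)]


PLUS = [1 / math.sqrt(2), 1 / math.sqrt(2)]
MINUS = [1 / math.sqrt(2), -1 / math.sqrt(2)]
EPR = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]   # (|00> + |11>)/sqrt(2)


def example_state():
    """A constructed generic qubit state with a relative phase."""
    return [math.cos(0.3), cmath.exp(0.7j) * math.sin(0.3)]


if __name__ == "__main__":
    print("X-only pad, Pr[+] on encrypted |+>:", outcome_prob(outer(PLUS), x_only_mixed_state(PLUS)))
    print("QOTP on generic state is I/2:", close(qotp_mixed_state(example_state()), HALF_I))
    print("Alice's half of EPR is I/2:", close(partial_trace_B(outer(EPR)), HALF_I))
```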

4.2. Partial trace. Suppose Alice and Bob share an EPR state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. Bob measures his register, but doesn't tell Alice the outcome. What's the state from her perspective? Her state is $|0\rangle$ with probability 1/2 and $|1\rangle$ with probability 1/2, i.e., the state $\rho = \frac{1}{2} I_2$. It turns out that if Alice will never have access to Bob's register / his result, it does not matter whether he measures or not. This operation of "ignoring another system" is called the partial trace. For this reason, you should think of it as "Bob measures his system", even though he doesn't have to. Mathematically, this is achieved using an operator called the partial trace: suppose our system has the form $\rho^{AB} = \sum_i \tau_i^A \otimes \sigma_i^B$; then $\rho^A = \mathrm{tr}_B(\rho^{AB}) = \sum_i \tau_i \, \mathrm{tr}(\sigma_i)$.

4.3. Linear Programming and Semi-Definite Programming. Some of you may have heard of Linear Programming, the class of linear optimization with linear constraints:

$\max_x \langle c, x \rangle \quad \text{s.t.} \quad Ax \le b,\; x \ge 0$

Linear programming can be solved in polynomial time. Now suppose I give you a candidate solution for the problem; could you verify that it is indeed a solution? For example, suppose someone claims that the maximum is 10 and that the x that achieves it is $x_0 = (1, 2, 3, 4)$. Of course, we could check that $\langle c, x \rangle = 10$ and that $Ax \le b$, which guarantees that the maximum is 10 or above, but is there a witness that can convince us that there isn't a "better" optimum? It turns out that there is a way. The problem above is called the primal problem. The dual problem is the following:

$\min_y \langle b, y \rangle \quad \text{s.t.} \quad A^T y \ge c,\; y \ge 0$

It turns out that the solution of the primal problem is equal to the solution of the dual problem. Therefore, the prover can also give us a y which has a score of 10, and we can check that. This means that there is a very simple way to get "convinced" of the solution, given the correct witnesses (in our case, the x which maximizes the primal, and the y which minimizes the dual).

4.4. Semi-Definite programming. There is another type of optimization called semi-definite programming. The setting is quite similar:

$\max_\rho \langle M, \rho \rangle \quad \text{s.t.} \quad \langle N_i, \rho \rangle \le b_i,\; \rho \succeq 0$

This formulation fits very nicely to . Let's see why. Suppose we have Alice and Bob. Alice is honest and follows the protocol, but Bob is cheating. It turns out that his optimal cheating probability can be described using an SDP. We introduce a number of "dummy variables" $\rho_1, \ldots, \rho_n$ to represent the quantum states in each step of the protocol, just before she sends parts of them to Bob. We also denote the measurement which determines whether Bob wins by a matrix M. It turns out that what Bob can do is described by the set of operations needs to be finished.
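Returning to the verification argument of Section 4.3, the Python code below is an added example, not part of the notes: a checker for a primal/dual certificate $(x, y)$ of an LP, in exact rational arithmetic. It relies on weak duality, which is the direction that is easy to check: for any primal-feasible x and dual-feasible y, $\langle c, x \rangle \le \langle b, y \rangle$, so equality proves both are optimal, while a gap only brackets the true optimum. The instance (max $x_1 + x_2$ subject to $x_1 + 2x_2 \le 4$, $3x_1 + x_2 \le 6$, $x \ge 0$) and the witnesses are constructed for the demo; the SDP analogue is not shown.

```python
# Added example (not from the notes): verifying an LP primal/dual certificate.
# The LP instance and the witnesses below are constructed for the demo.
from fractions import Fraction as Fr


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def matvec(A, x):
    return [dot(row, x) for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def primal_feasible(A, b, x):
    """A x <= b and x >= 0."""
    return (all(lhs <= rhs for lhs, rhs in zip(matvec(A, x), b))
            and all(xi >= 0 for xi in x))


def dual_feasible(A, c, y):
    """A^T y >= c and y >= 0."""
    return (all(lhs >= rhs for lhs, rhs in zip(matvec(transpose(A), y), c))
            and all(yi >= 0 for yi in y))


def verify_certificate(A, b, c, x, y):
    """Returns (<c,x>, <b,y>, status).  Weak duality: any primal-feasible x and
    dual-feasible y satisfy <c,x> <= <b,y>.  Equality therefore certifies that
    both witnesses are optimal; a gap only says the optimum lies in between."""
    if not primal_feasible(A, b, x):
        return None, None, "x is not primal feasible"
    if not dual_feasible(A, c, y):
        return None, None, "y is not dual feasible"
    pv, dv = dot(c, x), dot(b, y)
    assert pv <= dv   # weak duality holds for every feasible pair
    return pv, dv, "optimal" if pv == dv else "gap"


A = [[Fr(1), Fr(2)], [Fr(3), Fr(1)]]
b = [Fr(4), Fr(6)]
c = [Fr(1), Fr(1)]
X_OPT = [Fr(8, 5), Fr(6, 5)]     # vertex where both constraints are tight
Y_OPT = [Fr(2, 5), Fr(1, 5)]     # dual witness with the same objective value 14/5
X_VERTEX = [Fr(2), Fr(0)]        # feasible, objective 2, but not optimal

if __name__ == "__main__":
    print(verify_certificate(A, b, c, X_OPT, Y_OPT))
    print(verify_certificate(A, b, c, X_VERTEX, Y_OPT))
```

The second call is the situation the notes describe: a claimed maximum (here 2) that is feasible but not optimal. The dual witness alone already bounds the optimum from above by 14/5, which is also why a prover who claims a maximum of 10 for this instance can be refuted without solving the LP.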

References

[DH76] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Information Theory, 22(6):644–654, 1976.
[KL14] J. Katz and Y. Lindell. Introduction to Modern Cryptography, Second Edition. CRC Press, 2014.
[NS94] M. Naor and A. Shamir. Visual Cryptography. In A. D. Santis, editor, Advances in Cryptology - EUROCRYPT '94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994, Proceedings, volume 950 of Lecture Notes in Computer Science, pages 1–12. Springer, 1994.
[SS13] B. Surekha and G. N. Swamy. Sensitive Digital Image Watermarking for Copyright Protection. I. J. Network Security, 15(2):113–121, 2013.