
Information-Theoretical Analysis of Two Shannon's Ciphers

Boris Ryabko

Institute of Computational Technologies of the Siberian Branch of

the Russian Academy of Sciences,

Novosibirsk State University

Novosibirsk, Russia

Abstract—We describe generalized running-key ciphers and apply them to the analysis of two of Shannon's methods. In particular, we give estimates of the equivocation and of the probability of correct deciphering without the key.

keywords: running-key cipher, cipher equivocation, Shannon cipher.

I. INTRODUCTION

We consider the classical problem of transmitting secret messages from a sender (Alice) to a receiver (Bob) via an open channel which can be accessed by an adversary (Eve). It is assumed that Alice and Bob (but not Eve) share a key, which is a word in a certain alphabet. Before transmitting a message to Bob, Alice encrypts it, and Bob, having received the encrypted message (the ciphertext), decrypts it to recover the plaintext.

We consider the so-called running-key ciphers, where the plaintext X^1_1 ... X^1_t, the key sequence X^2_1 ... X^2_t, and the ciphertext Z_1 ... Z_t are sequences of letters from the same alphabet A = {0, 1, ..., n-1}, where n ≥ 2. We assume that enciphering and deciphering are given by the rules Z_i = c(X^1_i, X^2_i), i = 1, ..., t, and X^1_i = d(Z_i, X^2_i), i = 1, ..., t, so that d(c(X^1_i, X^2_i), X^2_i) = X^1_i. C. Shannon in [1] notes the following:

"The [running-key] cipher can be easily improved to lead to ciphering systems which could not be solved without the key. If one uses in place of one English text, about d different texts as key, adding them all to the message, a sufficient amount of key has been introduced to produce a high positive equivocation. Another method would be to use, say, every 10th letter of the text as key. The intermediate letters are omitted and cannot be used at any other point of the message. This has much the same effect, since these spaced letters are nearly independent."

More formally, we can introduce the first cipher from Shannon's description above as follows: there are s sources X^1, X^2, ..., X^s, s ≥ 2, and each X^i generates letters from the alphabet A = {0, 1, ..., n-1}. Suppose that X^1 is the plaintext, whereas X^2, ..., X^s are key sequences. The ciphertext Z is obtained as follows:

Z_i = (( ... ((X^1_i + X^2_i) mod n + X^3_i) mod n + ... ) + X^s_i) mod n .   (1)

The deciphering is obvious. In this report we perform an information-theoretical analysis of both of Shannon's ciphers.

II. ESTIMATIONS OF THE EQUIVOCATION

For a stationary ergodic process W and t ≥ 1, the t-order entropy is given by

h_t(W) = -t^{-1} Σ_{u ∈ A^{t-1}} P_W(u) Σ_{v ∈ A} P_W(v|u) log_2 P_W(v|u) .

The conditional entropy is h_t(W/V) = h_t(W, V) - h_t(V); see [2]. In [1] Shannon called h_t(X^1/Z) the cipher equivocation and showed that the larger the equivocation, the better the cipher. Unfortunately, there are many cases where a direct calculation of the equivocation is impossible and an estimate is needed. The following lemma can be used for this purpose.

Lemma 1. Let X^1, X^2, ..., X^s, s ≥ 2, form an s-dimensional stationary ergodic source and let X^1, X^2, ..., X^s be independent. If the cipher (1) is applied, then for any t ≥ 1

h_t(X^1/Z) + h_t(X^2/Z) + ... + h_t(X^{s-1}/Z) ≥ h_t(X^1) + h_t(X^2) + ... + h_t(X^s) - log_2 n   (2)

and

((s-1)/s) (h_t(X^1/Z) + h_t(X^2/Z) + ... + h_t(X^s/Z)) ≥ h_t(X^1) + h_t(X^2) + ... + h_t(X^s) - log_2 n .   (3)

The proof of this lemma is given in the Appendix.

Definition 1. Denote

Λ_t = (1/(s-1)) (h_t(X^1) + h_t(X^2) + ... + h_t(X^s) - log_2 n) .   (4)

Note that, if the X^i, i = 1, ..., s, have the same distribution, then

Λ_t = (1/(s-1)) (s h_t(X^1) - log_2 n) .   (5)

The following definition is due to Lu Shyue-Ching [3].

Definition 2. Let M = M(Z_1 ... Z_t) = X^{1*}_1 ... X^{1*}_t be a certain function over A^t. Define p_b = (1/t) Σ_{i=1}^{t} P(X^{1*}_i = X^1_i).

Note that, if M is a method of deciphering Z_1 ... Z_t without the key, then p_b is the average probability of deciphering a single letter correctly. Obviously, the smaller p_b, the better the cipher.

Theorem 1. Let X^1, X^2, ..., X^s, s ≥ 2, form an s-dimensional stationary ergodic process and let X^1, X^2, ..., X^s be independent. Suppose that the cipher (1) is applied. Then

i) the following inequality for the average probability p_b is valid:

(1 - p_b) log_2(n - 1) + h_1(p_b) ≥ Λ_t ,

where h_1(p) = -p log_2 p - (1 - p) log_2(1 - p) is the binary entropy;

ii) for any δ > 0, ε > 0 there exists t* such that for t > t* there exists a set Ψ of texts of length t for which P(Ψ) > 1 - δ and, for any V_1 ... V_t ∈ Ψ and U_1 ... U_t ∈ Ψ,

(1/t) (log_2 P(V_1 ... V_t) - log_2 P(U_1 ... U_t)) < ε

and lim inf_{t→∞} (1/t) log_2 |Ψ| ≥ Λ_t.

The proof of the first statement can be obtained by a method from [3], whereas the second statement can be derived from [4].

This theorem shows that if Λ_t is large, then the probability of finding letters of the plaintext without the key must be small. Besides, the second statement shows that Eve faces a large set of possible plaintexts whose probabilities are close to each other and whose total probability is close to 1. Now we investigate the two methods of Shannon described above.

III. SHANNON CIPHERS

Let us come back to Shannon's methods described above. In [5] Shannon estimated the entropy of printed English. In particular, he showed that the first-order entropy is approximately 4.14 bits for texts without spaces and 4.03 bits for texts with spaces. He also estimated the limit entropy to be approximately 1 bit.

Now we can investigate the first Shannon cipher. He suggested using a sum of d English texts as a key, i.e., using (1) with s = d + 1, where each X^i, i = 1, ..., s, is a text in printed English. Having taken into account that all X^i are identically distributed, we immediately obtain from (5) the following:

Λ_t = (1/(s-1)) (s h_t(X^1) - log_2 n) .

Taking into account that h_t(X^1) ≈ h_∞(X^1) ≈ 1 and the estimate log_2 26 ≈ 4.7, we obtain the approximation

Λ_t = (1/(s-1)) (s h_t(X^1) - log_2 n) ≈ (s - 4.7)/(s - 1) .

So we can see that Λ_t is positive if s - 1 ≥ 4. Moreover, Theorem 1 shows that the first cipher of Shannon cannot be deciphered without the key if d ≥ 4 different texts are added to the message (i.e., used as a key).

Let us consider the second cipher of Shannon. Here s = 2, X^1 is a text in printed English, and the letters of X^2 are generated independently with probabilities equal to the frequencies of occurrence of letters in English. From (4) we obtain

Λ_t = h_t(X^1) + h_t(X^2) - log_2 n .

Having taken into account that h_t(X^1) ≈ h_∞(X^1) ≈ 1, h_t(X^2) ≈ 4.14 (see [5]) and log_2 26 ≈ 4.7, we can see that Λ_t ≈ 1 + 4.14 - 4.7 = 0.44. So Λ_t is positive, and Theorem 1 shows that the second cipher of Shannon also cannot be deciphered without the key.

IV. APPENDIX

Proof of the Lemma. The following chain of equalities and inequalities is valid:

h_t(X^1) + h_t(X^2) + ... + h_t(X^s) = h_t(X^1, X^2, ..., X^s)
= h_t(X^1, X^2, ..., X^s, Z) = h_t(Z) + h_t(X^1, X^2, ..., X^s / Z)
= h_t(Z) + h_t(X^1/Z) + h_t(X^2/X^1, Z) + h_t(X^3/X^1, X^2, Z) + ... + h_t(X^s/X^1, X^2, ..., X^{s-1}, Z)
= h_t(Z) + h_t(X^1/Z) + h_t(X^2/X^1, Z) + h_t(X^3/X^1, X^2, Z) + ... + h_t(X^{s-1}/X^1, X^2, ..., X^{s-2}, Z)
≤ h_t(Z) + h_t(X^1/Z) + h_t(X^2/Z) + h_t(X^3/Z) + ... + h_t(X^{s-1}/Z) .

The proof is based on well-known properties of the Shannon entropy, which can be found, for example, in [2]. More precisely, the first equation follows from the independence of X^1, X^2, ..., X^s, whereas the second equation is valid because Z is a function of X^1, X^2, ..., X^s; see (1). The third equation is a well-known property of the entropy. Having taken into account that X^s is determined if X^1, ..., X^{s-1} and Z are known, we obtain the last equation. The final inequality also follows from the properties of the Shannon entropy [2], since conditioning does not increase entropy. Thus,

h_t(X^1) + h_t(X^2) + ... + h_t(X^s) ≤ h_t(Z) + h_t(X^1/Z) + h_t(X^2/Z) + ... + h_t(X^{s-1}/Z) .   (6)

Taking into account that for any process U over the alphabet A = {0, ..., n-1}

h_t(U) ≤ log_2 n ,

and in particular h_t(Z) ≤ log_2 n, we obtain (2) from (6). In order to prove (3) we note that, analogously to (6), we can obtain

h_t(X^1) + h_t(X^2) + ... + h_t(X^s) ≤ h_t(Z) + Σ_{i=1}^{j-1} h_t(X^i/Z) + Σ_{i=j+1}^{s} h_t(X^i/Z)

for any 1 ≤ j ≤ s. Summing these inequalities over j = 1, ..., s and using h_t(Z) ≤ log_2 n, we obtain (3).

ACKNOWLEDGMENT

This research was supported by the Russian Foundation for Basic Research (grant no. 15-29-07932).
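As a concrete illustration of the enciphering rule (1), the following sketch implements the generalized running-key cipher and its inverse for numeric alphabets; the function names and example values are illustrative assumptions, not part of the paper.

```python
# Generalized running-key cipher of Eq. (1): each ciphertext letter is the
# plaintext letter plus s - 1 key letters, reduced mod n at every step.

def encrypt(plaintext, keys, n=26):
    """plaintext: sequence of ints in {0, ..., n-1};
    keys: s - 1 key sequences of the same length (the sources X^2, ..., X^s)."""
    z = []
    for i, x in enumerate(plaintext):
        c = x
        for key in keys:
            c = (c + key[i]) % n  # one "(...) mod n" step of (1)
        z.append(c)
    return z

def decrypt(ciphertext, keys, n=26):
    """Inverts (1) by subtracting every key letter mod n."""
    x = []
    for i, z in enumerate(ciphertext):
        c = z
        for key in keys:
            c = (c - key[i]) % n
        x.append(c)
    return x
```

Deciphering is "obvious" in the paper's sense because addition mod n is invertible, so the legitimate receiver, who knows X^2, ..., X^s, recovers X^1 exactly.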
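The numerical estimates of Λ_t in Section III can be reproduced directly. A minimal sketch, taking Shannon's estimates h_∞ ≈ 1 and h_1 ≈ 4.14 from [5] as given; the constant and function names are illustrative:

```python
from math import log2

H_LIMIT = 1.0   # Shannon's estimate of the limit entropy of English [5]
H_FIRST = 4.14  # first-order entropy of English without spaces [5]
N = 26          # alphabet size

def lambda_first(s):
    """Eq. (5) for the first cipher: s identically distributed English
    texts (the plaintext plus d = s - 1 key texts)."""
    return (s * H_LIMIT - log2(N)) / (s - 1)

def lambda_second():
    """Eq. (4) with s = 2: English plaintext, key letters drawn i.i.d.
    with English letter frequencies."""
    return H_LIMIT + H_FIRST - log2(N)
```

lambda_first(s) first becomes positive at s = 5, i.e., at d = 4 key texts, matching the condition s - 1 ≥ 4 of Section III, while lambda_second() gives approximately 0.44.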
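Statement i) of Theorem 1 can also be turned into an explicit numerical bound on p_b: the left-hand side (1 - p) log_2(n - 1) + h_1(p) decreases in p on [1/n, 1] (from log_2 n down to 0), so bisection finds the largest p_b compatible with a given Λ_t. This is a sketch built on that monotonicity observation; the tolerance is an arbitrary choice.

```python
from math import log2

def h_bin(p):
    """Binary entropy h_1(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1 - p) * log2(1 - p)

def fano_lhs(p, n):
    """Left-hand side of statement i) of Theorem 1."""
    return (1 - p) * log2(n - 1) + h_bin(p)

def max_p_correct(lam, n=26, tol=1e-9):
    """Largest p in [1/n, 1] with fano_lhs(p, n) >= lam; fano_lhs is
    decreasing on this interval, so bisection applies."""
    lo, hi = 1.0 / n, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if fano_lhs(mid, n) >= lam:
            lo = mid
        else:
            hi = mid
    return lo
```

For the second cipher (Λ_t ≈ 0.44, n = 26) this gives p_b below roughly 0.96: even the best key-less method cannot recover English letters much more often than that on average.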

REFERENCES

[1] Shannon C. E. Communication theory of secrecy systems // Bell System Technical Journal. 1949, 28(4), pp. 656–715.
[2] Cover T. M., Thomas J. A. Elements of Information Theory. New York, NY, USA: Wiley-Interscience, 2006.
[3] Lu Shyue-Ching. The existence of good cryptosystems for key rates greater than the message redundancy // IEEE Transactions on Information Theory. 1979, 25(4), pp. 475–477.
[4] Ryabko B. The Vernam cipher is robust to small deviations from randomness // Problems of Information Transmission. 2015, 51(1), pp. 82–86.
[5] Shannon C. E. Prediction and entropy of printed English // Bell System Technical Journal. 1951, 30(1), pp. 50–64.