5

Can a monoalphabetic substitution cipher attain perfect secrecy?

Definition of perfect secrecy:

$${\rm Pr}[\,{\rm Enc}_k(m_1) = c\,] = {\rm Pr}[\,{\rm Enc}_k(m_2) = c\,]$$

mikeazo
  • 38,563
  • 8
  • 112
  • 180
abdolahS
  • 429
  • 3
  • 11
  • 4
    yes if the plaintext space is restricted to one character and the substitution mapping is truly random. – mikeazo Mar 13 '14 at 14:08
  • 1
    Firstly, is this a H/W question? If so we can give you some hints but probably shouldn't tell you the answer... Secondly: Following from Mike's point, think carefully what you mean by 'alphabet'. With a suitably large alphabet and sufficiently large keyspace clearly yes (eg I could use a complete English dictionary as my alphabet if i wanted) – Cryptographeur Mar 13 '14 at 14:10
  • @figlesquidge, right. In some sense the OTP is a monoalphabetic substitution cipher where the alphabet is all strings of a specific length. – mikeazo Mar 13 '14 at 14:29
  • yes , it is a part of H/W. @figlesquidge do you say that if the plaintext space is larger than one charachter then it is possible to have perfect secrecy? you said that you could use a complete English dictionary as an alphabet, does it mean to match each character to a word in a dictionary? – abdolahS Mar 13 '14 at 14:34
  • An "Alphabet" is just a collection of symbols. I can choose whatever set of symbols I like and as many as I want. Just because we traditionally denote alphabet symbols by a single character doesn't mean we have to. That said, this is probably not what your H/W is looking for. Mike's answer is more likely to be relevant to what your class is after – Cryptographeur Mar 13 '14 at 15:31

2 Answers2

7

Since this is homework, let me just give you a hint: consider the two-character messages $m_1 = \text{"aa"}$ and $m_2 = \text{"ab"}$.

Given a ciphertext $c$ encrypted with a monoalphabetic substitution cipher, can you tell which of $m_1$ or $m_2$ it corresponds to, even without knowing the key? Why (not)? What does this imply about perfect secrecy?

Ps. The hint I gave above assumes that the cipher is not homophonic, i.e. that the encryption of each character is deterministic and independent of its position or the presence of other characters in the message. For a (possibly) homophonic monoalphabetic cipher, it may be simpler to start the argument from the other end: if you intercept the ciphertext $c = \text{"xx"}$, what can you say about the plaintext?

Ilmari Karonen
  • 46,120
  • 5
  • 105
  • 181
  • 2
    Is this some kind of a law that questions must not be answered if they are home work questions? They are still questions for sure – arsaKasra Oct 26 '15 at 17:26
  • 1
    @arsaKasra: There's no law against it, but many consider it poor form to spoon-feed complete answers to people asking homework questions. After all, the purpose of homework is to teach you how to figure out answers to such questions yourself. Now, if you honestly have the same problem, and need the answer for some purpose other than homework (although, for this particular question, I can't really imagine what it could be), let me know, and I'll be glad to amend my answer. – Ilmari Karonen Oct 26 '15 at 19:21
  • (In any case, honestly, if you understand what "monoalphabetic substitution cipher" and "perfect secrecy" mean, what I posted above should essentially answer the question. All I really left out was the single word "yes/no" -- you'll have to spend a few seconds thinking for yourself to see whether my answer is a proof or a disproof of perfect secrecy.) – Ilmari Karonen Oct 26 '15 at 19:22
  • It's not just "can you tell which of the two messages a ciphertext corresponds too." But, you guess the correct (or incorrect) message more than half the time. If you would be able to do this for ANY pair of plaintexts, then the scheme is no longer perfectly secret. (Not a rigorous definition) – Andrew Mar 07 '18 at 14:57
  • 1
    @IlmariKaronen SE is not exclusively for the benefit of the question askers. People who stumble upon the question deserve an accurate and complete answer. Giving hints might be a good idea for 1-on-1 help, but how can this be of maximum utility to others if it is left hanging? – forest Mar 09 '18 at 07:29
  • @forest: You're free to provide a better answer yourself, if you want. In any case, I'll reiterate what I said above: if you understand what "monoalphabetic" and "perfect secrecy" mean, this is a complete answer to the question. (But thanks for your comment; while writing this reply, I realized that my hint doesn't work too well for homophonic ciphers. I've amended my answer to address those as well.) – Ilmari Karonen Mar 09 '18 at 11:39
0

I'm still learning all kinds of ciphers and encryption, but these are my thoughts on the matter.

Mono-alphabhetic substitution cipher fails because it's prone to frequency analysis i.e the probability that the most frequent character in a message could be 'e' is extremely high (a statistic that 'e' is the most frequent letter in a sentence). Therefore, to make mono-alphabhetic substitution cipher invulnerable to frequency analysis attacks, you should probably only refrain to using a single letter once.

So if you're using just the English alphabets (a, b, c, d, e... z), you're pretty much limited to a max 26 length messages such that you use each character only once.

This is just a way of enforcing OTP or Vernam cipher to the English alphabets i.e since in this arrangement, I've forced that encryption of a letter in the message to be independent of the other letters in the word, perfect secrecy is enforced.

arjun a
  • 1