An Approach for Security Enhancement of Certain Encryption Schemes Employing Error Correction Coding and Simulated Synchronization Errors

Abstract

An approach for the cryptographic security enhancement of encryption is proposed and analyzed. The enhancement is based on the employment of a coding scheme and degradation of the ciphertext. From the perspective of the legitimate parties that share a secret key, the degradation appears as a transmission of the ciphertext through a binary erasure channel. On the other hand, from the perspective of an attacker the degradation appears as a transmission of the ciphertext over a binary deletion channel. Cryptographic security enhancement is analyzed based on the capacity of the related binary deletion channel. An illustrative implemementation framework is pointed out.

1. Introduction

Enhancing the security of certain cryptographic primitives by employing randomness has been employed in a number of reported designs (see, e.g., [1,2]), as well as in the context of wire-tap coding. Following these approaches, two main directions have appeared. One approach is based on the employment of a cryptograhic key control of error correction encoding and decoding, given, for example, in [3,4,5,6,7]. The other approach is the employment of error-correction coding and noisy channels for cryptographic security enhancement of a given encryption scheme: This approach has been reported, for example, in [8,9,10,11,12,13,14,15].

Motivation. The employment of coding and noisy channel based techniques for the security enhancement of given encryption appears as an important topic. In particular, this approach could significantly increase the cryptographic security margin of a lightweight encryption scheme. On the other hand, this approach also implies additional complexity overhead. Accordingly, it appears as an interesting issue to design security enhancement with a number of parameters that provide control over desired security enhancement and required implementation and execution overheads of the encryption. The main motivation for this paper was addressing the security enhancement of a given encryption that provides the opportunity for trade-off between the security margin increasing and the required overhead.

Summary of the Results. This paper proposes a novel approach for the security enhancement of an encryption scheme. The proposed encryption is analyzed employing certain results of information theory. The enhancement is based on the employment of an error-correction coding scheme and degradation of the ciphertext. From the perspective of the legitimate parties that share a secret key, the degradation appears as a transmission of the ciphertext through a binary erasure channel. On the other hand, from the perspective of an attacker, the degradation appears as a transmission of the ciphertext over a binary deletion channel. The degradation is performed by employing a simulated noisy channel that consists of two sub-channels so that an additional flexibility is provided for the selection of the parameters to achieve the desired security and the enhancement overhead. Cryptographic security enhancement is analyzed based on the capacity of the related binary deletion channel. It is shown that the enhancement is a function of the following parameters: probabilities of deletion in the sub-channels, capacity of the sub-channels, and the probability of the sub-channel selection for a transmission. An illustrative implementation framework is pointed out which employs a stream cipher.

Organization of the Paper. A novel scheme for cryptographic security enhancement of an encryption employing error-correction coding and a simulated channel that on an attacker’s side appears as a channel with synchronization errors is proposed in Section 2. Preliminaries and background for the security evaluation are given in Section 3. Section 4 provides a cryptographic security evaluation of the proposed enhanced encryption. An illustrative approach for the implementation is discussed in Section 5. Concluding notes are given in Section 6.

2. Proposal for a Security Enhanced Encryption

This section proposes the cryptographic security enhancement of an encryption scheme employing error-correction coding and a simulator of a channel with synchronization errors displayed in Figure 1.

We use the following notation. The message, a data vector subject to encryption is denoted by $\mathbf{m}\in {\{0,1\}}^{n^{\prime }}$ and we assume that it is a realization of the binary vector variable M. Encrypted form of m is denoted by $\mathbf{c}\in {\{0,1\}}^{n^{\prime }}$ and we assume that it is a realization of the binary vector variable $\mathbf{C}$:

$$\mathbf{c}=En{c}_{\mathbf{k}}\left(\mathbf{m}\right),$$

where $En{c}_{\mathbf{k}}(·)$ denotes the encryption mapping controlled by the secret key $\mathbf{k}$. The vector $\mathbf{x}$ denotes the encoded version of $\mathbf{c}$ employing an error-correction encoding $Encode(·)$, that performs mapping ${\{0,1\}}^{n^{\prime }}\to {\{0,1\}}^n$, $n>n^{\prime }$:

$$\mathbf{x}=Encode\left(En{c}_{\mathbf{k}}\left(\mathbf{m}\right)\right)$$

and $\mathbf{x}$ is a realization of a random binary variable $\mathbf{X}$.

We consider a channel in which the input sequence is divided into subsequences and these subsequences are transmitted through independent i.i.d. binary deletion channels and the arrived bits after the deletion channels are combined preserving their order in the original input sequence. Consequently, the resulting channel is an i.i.d. binary deletion channel with parameters which depend on the parameters of the considered subchannels.

A simulator of the considered channel is controlled by a vector $\mathbf{s}$ generated by the encryption algorithm which is considered as a realization of a binary random vector $\mathbf{S}$.

An attacker on the encryption scheme at Figure 1 faces the problem of cryptanalysis in a known plaintext attack displayed in Figure 2.

Note that the legitimate parties face the problem of decoding after a binary erasure channel, but the attacker faces a much harder problem of dealing with the decoding after a deletion channel. The knowledge of attackers is limited to the following. Each channel input bit is transmitted through Channel 1 with probability $\lambda$, and through Channel 2 with probability $\overline{\lambda }$, independently of each other. If transmitted through Channel 1 a bit is deleted with the probability $d_1$, and if transmitted through Channel 2 a bit is deleted with the probability d₂. The attacker does not know the specific realization of the “individual channel selection events”, i.e., they do not know which specific sub-channel bit is transmitted through, and which specific sub-channel each output symbol is received from.

An illustrative instantiate of the proposed framework is given in Section 5.

3. Preliminaries and Background

3.1. Entropy, Mutual Information, and Shannon Capacity

This section provides a summary explanation on the entropy, mutual information and Shannon capacity. A random variable is denoted by an upper-case letter (e.g., A) and its realization is denoted by a lower-case letter (e.g., a). The entropy of a random object A is denoted by $H\left(A\right)$, and the mutual information between two random objects A and B is denoted by $I(A;B)$. The binary entropy function is denoted by $h\left(p\right)=-p{log}_{2}p-(1-p){log}_2(1-p)$.

The entropy of a random variable A is defined as:

$$H\left(A\right):={\displaystyle \sum _{x\in support\left(A\right)}}Pr[A=a]{log}_2\frac{1}{Pr[A=a]},$$

(1)

The mutual information $I(A;B)$ between jointly distributed random variables A and B is defined as follows:

$$I(A;B):=H\left(A\right)-H\left(A\right|B)=H(B)-H(B\left|A\right)$$

(2)

where conditional entropy is defined as:

$$H\left(A\right|B)={\displaystyle \sum _{b\in supp\left(B\right)}}Pr(B=b)H\left(A\right|B=b)$$

(3)

and:

$$H\left(A\right|B=b)={\displaystyle \sum _{a\in supp\left(A\right)}}Pr(A=a|B=b){log}_2\frac{1}{Pr(A=a|B=b)}$$

(4)

Consequently, the conditional mutual information when the third variable Z is given as:

$$I(A,B|Z):=H(A\left|Z\right)-H\left(A\right|B,Z)=H(B\left|Z\right)-H\left(B\right|A,Z).$$

(5)

The Shannon capacity of a channel is denoted by C and is defined as:

$$C:=sup\left\{I\right(A;B\left)\right\},$$

(6)

where A corresponds the channel input, B corresponds to the channel output, and the supremum is over the choice of the distribution of A.

3.2. Mutual Information and Capacity of the Deletion Channel with Fragmentation

The considered communication channel is displayed in Figure 3 and it consists of two sub-channels: $C{h}_1$ and $C{h}_2$.

An i.i.d. binary input deletion channel is considered in which every transmitted bit is either randomly deleted with probability d or received correctly with probability $1-d$ while there is no information about the values or the positions of the lost symbols at the transmitter or at the receiver. In the transmission of n symbols through the channel, the input sequence is denoted by $\mathbf{x}=(x_1,\dots ,x_n)$ in which $x_i\in \{0,1\}$, and $\mathbf{x}\in {\{0,1\}}^n$. The output binary sequence is denoted by $\mathbf{y}=(y_1,\dots ,y_m)$ in which m is a realization of a binomial random variable with parameters n and d (due to the characteristics of the i.i.d. deletion channel).

Let $\mathbf{x}$ and $\mathbf{y}$ denotes input and output codewords of the considered channel, respectively.

Further on, let ${\mathbf{x}}_i$ denotes part of the codeword $\mathbf{x}$ transmiied through $C{h}_i$, $i=1,2$, and let $n_i$ denotes numbers of the codeword bits transmitted through $C{h}_i$, $i=1,2$. Finally, let ${\mathbf{y}}_i$ denotes the vector received trough $C{h}_i$ when the channel input is ${\mathbf{x}}_i$, $i=1,2,$. We assume that the vectors $\mathbf{x}$, $\mathbf{y}$, ${\mathbf{x}}_i$, ${\mathbf{y}}_i$ and $n_i$, are realizations of the random variables $\mathbf{X}$, $\mathbf{Y}$, ${\mathbf{X}}_i$, ${\mathbf{Y}}_i$ and $N_i$, respectively, $i=1,2$.

In continuation, we consider $I({\mathbf{X}}_i,{\mathbf{Y}}_i)$, $i=1,2$, following [16]:

$$\begin{array}{c}I({\mathbf{X}}_i,{\mathbf{Y}}_i)=I({\mathbf{X}}_i,{\mathbf{Y}}_i,N_i)-I({\mathbf{X}}_i,N_i|{\mathbf{Y}}_i)\\ =I({\mathbf{X}}_i,{\mathbf{Y}}_i|N_i)+I({\mathbf{X}}_i,N_i)-I({\mathbf{X}}_i,N_i|{\mathbf{Y}}_i)\\ \le I({\mathbf{X}}_i,{\mathbf{Y}}_i|N_i)+H\left(N_i\right)\\ \le I({\mathbf{X}}_i,{\mathbf{Y}}_i|N_i)+lo{g}_2(N+1)\\ =\sum _{n_i=0}^{n}P(N_i=n_i)I({\mathbf{X}}_i,{\mathbf{Y}}_i|N_i=n_i)+lo{g}_2(N+1),\end{array}$$

(7)

where in deriving the first inequality we have used the fact that:

$$H\left(N_i\right|{\mathbf{X}}_i)=0\mathrm{and}I({\mathbf{X}}_i,N_i|{\mathbf{Y}}_i)\ge 0,$$

and in deriving the second equality the fact that:

$$\begin{array}{c}H\left(N_i\right)=-\sum _{n=1}^N\left(\genfrac{}{}{0pt}{}{N}{n}\right){\lambda }^n{\overline{\lambda }}^{N-n}lo{g}_2\left(\left(\genfrac{}{}{0pt}{}{N}{n}\right){\lambda }^n{\overline{\lambda }}^{N-n}\right)\\ \le lo{g}_2(N+1).\\ I({\mathbf{X}}_i,{\mathbf{Y}}_i|N_i=n_i)\le n_{i}C\left(d_i\right)+H\left(D_i\right|N_i=n_i),\end{array}$$

(8)

where $d_i$ denotes the probability of deletions through the transmission of $n_i$ bits over the i-th channel and $d_i$, is realization of the corresponding random variable $D_i$, $i=1,2$.

Accordingly:

$$\begin{array}{c}H\left(D_i\right|N_i=n_i)\\ =-{\sum }_{n=1}^{n_i}\left(\genfrac{}{}{0pt}{}{n_i}{n}\right)d_i^n{{\overline{d}}_i}^{n_i-n}lo{g}_2(\left(\genfrac{}{}{0pt}{}{n_i}{n}\right)d_i^n{{\overline{d}}_i}^{n_i-n})\\ \le lo{g}_2(n_i+1).\end{array}$$

(9)

and

$$\begin{array}{c}I({\mathbf{X}}_i,{\mathbf{Y}}_i)\le {\sum }_{n_i=0}^{n}P(N_i=n_i)(n_{i}C\left(d_i\right)+lo{g}_2(n_i+1))\\ +lo{g}_2(n+1)\\ \le Exp\left\{N_i\right\}C\left(d_i\right)+2lo{g}_2(n+1),\end{array}$$

(10)

where $Exp\left\{N_i\right\}$ denotes the expected value of the variable $N_i$ and the last inequality results since $lo{g}_2(n_i+1)\le log(n+1)$, $i=1,2$. Finally:

$$I({\mathbf{X}}_i,{\mathbf{Y}}_i)\le {\lambda }_{i}nC\left(d_i\right)+2lo{g}_2(n+1),i=1,2.$$

(11)

It is shown in [16] that:

$$\begin{array}{c}I(\mathbf{X},\mathbf{Y})\le n\lambda C\left(d_1\right)+n\overline{\lambda }C\left(d_2\right)+4lo{g}_2(n+1)\\ +n\overline{d}lo{g}_2\left(\overline{d}\right)+n\lambda {\overline{d}}_{1}lo{g}_2\left(\lambda {\overline{d}}_1\right)+n\overline{\lambda }{\overline{d}}_{2}lo{g}_2\left(\overline{\lambda }{\overline{d}}_2\right)\\ =\Psi (n,\lambda ,d_1,d_2,C\left(d_1\right),C\left(d_2\right))\end{array}$$

(12)

where $\overline{d}=1-d$, $d=\lambda d_1+\overline{\lambda }{d}_2$, $\overline{\lambda }=1-\lambda$. ${\overline{d}}_1=1-d_1$, ${\overline{d}}_2=1-d_2$.

3.3. The Probability of Error and the Equivocation after a Noisy Channel

Suppose the random variables A and B represent input and output messages (out of m possible messages), and the given conditional entropy $H\left(A\right|B)$ represents the average amount of information lost on A when B is given. According to [17,18], for example, we have the following general upper bound on the equivocation:

$$H\left(A\right)-I(A,B)\le h\left(P_{err}\right)+P_{err}{\log }_2(m-1),$$

(13)

where $h(·)\le 1$ is the binary entropy function and $P_{err}=1-\mathrm{Pr}(A=a|B=b)$, and following [15], when A is such that it has the maximum possible entropy $H\left(A\right)=m$, we have:

$$1-\frac{I(A,B)}{m}\le \frac{1}{m}+\frac{P_{err}}{m}{\log }_2(m-1).$$

(14)

4. Security Evaluation of the Enhanced Encryption

4.1. Security Notation

We employ a traditional approach for analyzing cryptographic security (see [19], for example) based on the following two issues: (i) a description of what a “break” of the scheme means, and (ii) a specification of the assumed power of the adversary. A cryptographic scheme is considered as a secure one in a computational sense, if for every probabilistic polynomial-time adversary $\mathcal{A}$ performing an attack of some specified type, and for every polynomial $p\left(n\right)$, there exists an integer N such that the probability that $\mathcal{A}$ succeeds (where success of the attack is also well-defined) is less than $\frac{1}{p\left(n\right)}$ for every $n>N$. Accordingly, the following two definitions specify a security evaluation scenario and a security statement.

Definition 1

([19]). The Adversarial Indistinguishability Experiment consists of the following steps:

1.

The adversary $\mathcal{A}$ chooses a pair of messages $({\mathbf{m}}_0;{\mathbf{m}}_1)$ of the same length n, and passes them on to the encryption system for encrypting.

2.

A bit $b\in \{0,1\}$ is chosen uniformly at random, and only one of the two messages $({\mathbf{m}}_0;{\mathbf{m}}_1)$, precisely ${\mathbf{m}}_b$, is encrypted into ciphertext $\mathrm{Enc}\left({\mathbf{m}}_b\right)$ and returned to $\mathcal{A}$;

3.

Upon observing $\mathrm{Enc}\left({\mathbf{m}}_b\right)$, and without knowledge of b, the adversary $\mathcal{A}$ outputs a bit $b_0$;

4.

The experiment output is defined to be 1 if $b_0=b$, and 0 otherwise; if the experiment output is 1, denoted shortly as the event $(\mathcal{A}\to 1)$, we say that $\mathcal{A}$ has succeeded.

Definition 2

([19]). An encryption scheme provides indistinguishable encryption in the presence of an eavesdropper, if for all probabilistic polynomial-time adversaries $\mathcal{A}$:

$$\mathrm{Pr}[\mathcal{A}\to 1|\mathrm{Enc}\left({\mathbf{m}}_b\right)]\le \frac{1}{2}+ϵ,$$

(15)

where $ϵ=\mathrm{negl}\left(n\right)$ is a negligibly small function.

Definitions 1 and 2 are more precisely discussed in [19].

4.2. Evaluation of the Security Gain

We consider the encryption/decryption scheme proposed in Section 2 which is a security enhanced scheme of a certain basic one. Our goal is to estimate the advantage of $\mathcal{A}$ in the indistinguishability game specified by Definition 1 when $\mathbf{c}\leftarrow \mathrm{Enc}\left({\mathbf{m}}_b\right)$ where $\mathbf{c}$ is a particular realization of $\mathbf{C}$, assuming that the advantage of $\mathcal{A}$ is known when ${\mathbf{m}}_0$ and ${\mathbf{m}}_1$ are two chosen realizations of $\mathbf{M}$ and the corresponding realization ${{\mathbf{c}}^{\prime }}_b$ of ${\mathbf{C}}^{\prime }$ is given, i.e., the advantage of $\mathcal{A}$ is known for the basic (security non-enhanced) scheme.

We assume that in the corresponding statistical model, the considered encryption scheme is such that:

$$I(\mathbf{S},\mathbf{Y})=0\mathrm{and}I(\mathbf{S},\mathbf{Y}|\mathbf{M})=0,$$

(16)

i.e., the knowledge of $\mathbf{Y}$ and $\mathbf{M}$ does not leak (provide) any information on $\mathbf{S}$.

Lemma 1.

We consider the advantage of the adversary $\mathcal{A}$ (specified by Definition 2) to win the indistinguishability game (specified by Definition 1), assuming that the mapping of $\mathbf{m}$ into ${\mathbf{c}}^{\prime }$ is such that $\frac{1}{2}+ϵ$ equals the advantage of the adversary to win the game. Under these assumptions:

$$\mathrm{Pr}[\mathcal{A}\to 1|\mathbf{Y}=\mathbf{y}]=\frac{1}{2}+ϵ·\delta ,$$

$$\delta \stackrel{\Delta }{=}\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b^{″}|\mathbf{Y}=\mathbf{y}).$$

(17)

Proof. 

For simplicity, it is assumed that $\frac{1}{2}+ϵ$ equals the advantage of the adversary $\mathcal{A}$ (specified by Definition 2) to win the indistinguishability game. Consequently, let b which denotes the index of the selected message by realization of the random variable B.

The probability $\mathrm{Pr}(B=b|\mathbf{Y}=\mathbf{y})$ that $\mathcal{A}$ wins the game is determined by the following:

$$\begin{array}{c}\mathrm{Pr}(B=b|\mathbf{Y}=\mathbf{y})=\frac{\mathrm{Pr}(B=b,\mathbf{Y}=\mathbf{y})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}\\ =\frac{{\sum }_{\mathbf{x}}\mathrm{Pr}(B=b,\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}\\ =\frac{{\sum }_{\mathbf{x}}\mathrm{Pr}(B=b|\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}\\ =\frac{{\sum }_{\mathbf{x}}\mathrm{Pr}(B=b|\mathbf{X}=\mathbf{x})\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}.\end{array}$$

(18)

The lemma assumption implies:

$$\mathrm{Pr}(B=b|\mathbf{C}={\mathbf{c}}_b)=\frac{1}{2}+ϵ,$$

(19)

where ${\mathbf{c}}_b$ corresponds to the selected ${\mathbf{m}}_b$, and:

$$\mathrm{Pr}(B=b|\mathbf{X}=\mathbf{x})=\frac{1}{2}\mathrm{for}\mathrm{any}\mathbf{c}\ne {\mathbf{c}}_b.$$

(20)

Note that the encoding mapping $\mathbf{c}\to \mathbf{x}$ is a deterministic one-to-one mapping and consequently has no impact on the advantage of adversary $\mathcal{A}$, i.e., we have:

$$\mathrm{Pr}[\mathcal{A}\to 1|\mathbf{X}=\mathbf{x}]=\mathrm{Pr}[\mathcal{A}\to 1|\mathbf{C}=\mathbf{c}]=\frac{1}{2}+ϵ.$$

(21)

Consequently:

$$\begin{gathered} \mathrm{Pr}(B=b|\mathbf{Y}=\mathbf{y})= \\ \frac{\mathrm{Pr}(B=b|\mathbf{X}={\mathbf{x}}_b)\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}={\mathbf{x}}_b)}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}+ \\ \frac{{\sum }_{\mathbf{x}:\mathbf{x}\ne {\mathbf{x}}_b}\mathrm{Pr}(B=b|\mathbf{X}=\mathbf{x})\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}, \end{gathered}$$

Finally, we obtain:

$$\begin{array}{c}\mathrm{Pr}(B=b|\mathbf{Y}=\mathbf{y})=\\ \frac{(\frac{1}{2}+ϵ)\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}={\mathbf{x}}_b)-\frac{1}{2}\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}={\mathbf{x}}_b)}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}\\ +\frac{\frac{1}{2}{\sum }_{\mathbf{x}}\mathrm{Pr}(\mathbf{Y}=\mathbf{y},\mathbf{X}=\mathbf{x})}{\mathrm{Pr}(\mathbf{Y}=\mathbf{y})}\\ =\frac{1}{2}+ϵ·\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b|\mathbf{Y}=\mathbf{y}).\end{array}$$

(22)

QED. □

Definition 1 implies that the security of an encryption scheme increases as the difference on the adversary $\mathcal{A}$ advantage from $\frac{1}{2}$ decreases: The factor $\delta <1$ shows the reduction rate of the advantage, and so we call it the advantage reduction factor.

Theorem 1.

We consider the adversary $\mathcal{A}$ (specified by Definition 2) to win the indistinguishability game (specified by Definition 1). Let the basic encryption mapping ${\{0,1\}}^n\to {\{0,1\}}^n$ of $\mathbf{m}$ into ${\mathbf{c}}^{\prime }$, be such that $\frac{1}{2}+ϵ$ equals the advantage of the adversary. Consequently, the advantage of the adversary $\mathcal{A}$, in the security enhanced scheme specified in Section 2 is:

$$\mathrm{Pr}[\mathcal{A}\to 1|\mathbf{Y}=\mathbf{y}]<\frac{1}{2}+ϵ·\frac{\Psi (n,\lambda ,d_1,d_2,C\left(d_1\right),C\left(d_2\right))+1}{{\log }_2(2^n-1)}.$$

(23)

where:

$$\begin{array}{c}\Psi (n,\lambda ,d_1,d_2,C\left(d_1\right),C\left(d_2\right))=\\ \lambda C\left(d_1\right)+n\overline{\lambda }C\left(d_2\right)+4lo{g}_2(n+1)\\ +n\overline{d}lo{g}_2\left(\overline{d}\right)+n\lambda {\overline{d}}_{1}lo{g}_2\left(\lambda {\overline{d}}_1\right)+n\overline{\lambda }{\overline{d}}_{2}lo{g}_2\left(\overline{\lambda }{\overline{d}}_2\right)\end{array}$$

(24)

and $\overline{d}=1-d$, $d=\lambda d_1+\overline{\lambda }{d}_2$, $\overline{\lambda }=1-\lambda$. ${\overline{d}}_1=1-d_1$, ${\overline{d}}_2=1-d_2$.

Proof. 

According to the (14) we have:

$$1-\frac{I(\mathbf{X},\mathbf{Y})}{n}\le \frac{1}{n}+\frac{P_{err}}{n}{\log }_2(2^n-1),$$

(25)

and taking into account that:

$$P_{err}=1-\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b|\mathbf{Y}=\mathbf{Y})$$

(26)

we obtain:

$$\begin{array}{c}\frac{1}{n}\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b|\mathbf{Y}=\mathbf{y}){\log }_2(2^n-1)\\ \le -1+\frac{I(\mathbf{X},\mathbf{Y})}{n}+\frac{1}{n}+\frac{1}{n}{\log }_2(2^n-1)\\ <\frac{I(\mathbf{X},\mathbf{Y})}{n}+\frac{1}{n},\end{array}$$

(27)

and:

$$\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b|\mathbf{Y}=\mathbf{y})<\frac{I(\mathbf{X},\mathbf{Y})+1}{{\log }_2(2^n-1)}.$$

(28)

Finally, taking into account (12) we have:

$$\mathrm{Pr}(\mathbf{X}={\mathbf{x}}_b|\mathbf{Y}=\mathbf{y})<\frac{\Psi (n,\lambda ,d_1,d_2,C\left(d_1\right),C\left(d_2\right))+1}{{\log }_2(2^n-1)}.$$

(29)

Substitution of (29) into the statement of Lemma 1 yields the proof. QED. □

Lemma 1 shows that the encryption mapping $\mathbf{m}\to \mathbf{c}$ enhances the security because the probability that $\mathcal{A}$ wins the game becomes closer to $\frac{1}{2}$, which corresponds to random guessing, by the factor $\delta$, and Theorem 1 shows that the upper bound on $\delta$ is $<<1$.

5. Notes on Implementation Issues

As an illustration, this section proposes an instantiate of the generic framework given in Section 2. This section yields particular designs for the following three main parts of the generic framework: (i) encryption scheme; (ii) coding scheme; (iii) simulated noisy channel.

Encryption. The following Figure 4 displays a model of the encryption box based on a stream cipher: The inputs are the session secret key $\mathbf{k}$ and the plaintext message $\mathbf{m}$, and the outputs are the ciphertext $\mathbf{c}$ and the control $\mathbf{s}$ of simulated noisy channel.

Note that the above scheme provides all vectors (sequences) required by encryption box in Figure 1, and in particular the vector $\mathbf{s}$ required for the simulation of a noisy channel.

Coding. As an option for suitable error correction coding we point to the LDPC codes reported in [20,21]. The time and space complexity of these codes is $O\left(nlo{g}_{2}n\right)$ and $O\left(n\right)$, respectively. In order to keep decoding complexity as claimed, the number of errors introduced by the simulated noisy channel should be below the error capability of the employed code, [22]. Otherwise if we are at the error-correcting capability limit we face an increase of the decoding complexity. We assume that up to $\Delta$ errors can be corrected with the claimed complexity. In a particular case as reported in [21] (Algorithm C), the time complexity will be $O\left(g_{max}^{2}n\right)$, where $g_{max}$ is a parameter, providing at the same decoding error-rate.

As an alternative option for suitable error correction coding we also point to the polar codes proposed in [23] and considered in [6,7,24], for example.

Simulated Noisy Channel. The simulated noisy channel box takes the sequence $\mathbf{s}$ as the input and performs its mapping block-by-block in order to obtain three sequences required for the simulated noisy channel composed of two binary erasure channels. Let ${\mathbf{s}}^{\left(n\right)}$ denotes an n-bit segment of $\mathbf{s}$, and let the functions $f_i(·)$, $i=1,2,3$, perform mapping ${\{0,1\}}^n\to {\{0,1\}}^n$ generating the following three binary n-dimensional vectors:

$$\begin{gathered} {\ell }^{\left(n\right)}={\left[{\ell }_i\right]}_{i=1}^n=f_1({\mathbf{s}}^{\left(n\right)}), \\ {\mathbf{e}}^{(n,1)}={\left[e_i^{\left(1\right)}\right]}_{i=1}^n=f_2({\mathbf{s}}^{\left(n\right)}), \\ {\mathbf{e}}^{(n,2)}={\left[e_i^{\left(2\right)}\right]}_{i=1}^n=f_3({\mathbf{s}}^{\left(n\right)}). \end{gathered}$$

We assume that the functions are such that the following is valid, where $W(·)$ and $Exp(·)$ are the vector weight and the expected value of the weight: (i) $Exp(W({\ell }^{\left(n\right)}))=n\lambda$; (ii) $Exp(W({\mathbf{e}}^{(n,1)}))=n{d}_1$; (iii) $Exp(W({\mathbf{e}}^{(n,2)}))=n{d}_2$.

Let ${\mathbf{x}}^{\left(n\right)}={\left[x_i\right]}_{i=1}^n$ be the codeword after the encoding box, and ${\mathbf{y}}^{\left(n\right)}={\left[y_i\right]}_{i=1}^n$ denotes the degraded codeword after the simulated noisy channel according to the following algorithm. Please note that in order to keep the number of the erased bits within the error correction capability of the employed code, the parameter ${\Delta }^{*}$ is used: When the number of already erased bits is greater than ${\Delta }^{*}$, the probability of erasures should be reduced, and accordingly, there are two different rules regarding appearance of the output bit as “?”. Consequently, we consider the following simulator of the noisy channel.

              Simulated Noisy Channel

• Input: ${\mathbf{x}}^{\left(n\right)}={\left[x_i\right]}_{i=1}^n$, the parameter ${\Delta }^{*}<\Delta$
• set w = 1.
• do i = 1, n

  -

  if $w\le {\Delta }^{*}$

  $y_i$ = ? and $w=w+1$ if ${\ell }_i·e_i^{\left(1\right)}=1$ or ${\ell }_i·e_i^{\left(2\right)}=1$

  $y_i=x_i$ otherwise

  -

  if $w>{\Delta }^{*}$

  $y_i$ = ? if ${\ell }_i·e_i^{\left(2\right)}=1$

  $y_i=x_i$ otherwise

• Output: ${\mathbf{y}}^{\left(n\right)}={\left[y_i\right]}_{i=1}^n$

Note that for the legitimate receiver, ${\mathbf{y}}^{\left(n\right)}$ appears as the codeword ${\mathbf{x}}^{\left(n\right)}$ after the binary erasures channels. On the other hand, because the attacker does not know the sequence $\mathbf{s}$, ${\mathbf{y}}^{\left(n\right)}$ appears as the codeword ${\mathbf{x}}^{\left(n\right)}$ after the binary deletion channels displayed in Figure 3.

6. Conclusions

This paper proposes a generic design for a measurable cryptographic security enhancement of certain secret key encryption schemes. This security enhancement is based on the following (see Figure 1): (i) employment of an error correction coding, (ii) splitting the codeword into two parts in the secret key dependent manner; and (iii) degradation each of the codeword parts by simulated binary erasure channels where the erasures are secret key dependent.

Note that for an attacker that does not know the secret key, the resulting channel appears as a simulated deletion channel. The security enhancement is quantified employing reported results on the capacity of the related two parallel binary deletion channels. The reported upper bound on the resulting channel capacity is established employing the upper bound on the mutual information between the inputs and outputs of the component deletion channels. The final lower bound on the achieved security gain is derived by employing relations between the probability of correct decoding and the mutual information between input and output of the resulting channel.

It is shown that the enhancement is a function of the following parameters: probabilities of deletion in the sub-channels, capacity of the sub-channels and the probability of the sub-channel selection for the transmission. Consequently, a desirable security enhancement, as well as, the implementation complexity could be achieved based on a suitable selection of the parameters related to the the employed channels and the coding scheme.

Accordingly, the main contributions of this paper are: (i) novel design of an encryption scheme which employs dedicated coding and simulated noisy channels that, from an attacker perspective, appear as binary deletion channels; and (ii) its cryptographic security evaluation, based on mutual information between input and output of certain channel with bits deletion, employing the adversarial indistinguishably experiment. It is out of the scope of this paper to discuss in detail particular implementations of the proposed framework, and so just illustrative notes are given regarding a possible implementation approach.