# One-time Pad Encryption

This concept is explained in most of the crypto books at the beggining since it is perhaps the simplest and most powerful encryption scheme however is not practical... I will be very short in this tutorial but you can find more resources in the [MIT crypto class](https://www.youtube.com/watch?v=jDsfV2ohFPs&list=PL6ogFv-ieghe8MOIcpD6UDtdK-UMHG8oH) by Prof. Shafi Goldwasser and the books [Introduction to modern cryptography](https://www.crcpress.com/Introduction-to-Modern-Cryptography/Katz-Lindell/p/book/9781466570269) by Prof. Katz and Prof. [Lindell](https://u.cs.biu.ac.il/~lindell/)

Let's set a situation in which Alice has to send Bob a message and there can be a man in the middle when Alice sends the ciphertext to Bob. The question is, how much information can a man in the middle gain from the ciphertext?

Imagine that Alice and Bob meet physically once to agree on a n-bit secret key (i.e. when they share the secret key there's nobody that can read it)

In [19]:
from random import randint, seed 

seed(1)

bits = 32
base = 2

secret_key = [randint(0,1) for _ in range(bits)]
print(f"The random secret key is {''.join(map(str, secret_key))}")
print(f"and has lenght {len(secret_key)}")

The random secret key is 00101111001011011001000010100110
and has lenght 32


Now imagine that Alice wants to send Bob a message (of the same lenght as the key) through a unsecure channel, we define the encryption and decryption as the XOR operation of the message or the ciphertext with the secret key.

In [27]:
def encrypt(m, sk):
    assert(len(m)==len(sk))
    return [(x+y)%base for x, y in zip(m, sk)]

def decrypt(c, sk):
    assert(len(c)==len(sk))
    return [(x+y)%base for x, y in zip(c, sk)]

m = [randint(0,1) for _ in range(bits)]
c = encrypt(m, secret_key)
m2 = decrypt(c, secret_key)

print(f"m = {''.join(map(str, m))}\ns = {''.join(map(str, secret_key))}\nc = {''.join(map(str, c))}\nm = {''.join(map(str, m2))}")

assert(m == m2)
print("We've been able to reconstruct the message from the ciphertext")

m = 00100001111110010001111110011010
s = 00101111001011011001000010100110
c = 00001110110101001000111100111100
m = 00100001111110010001111110011010
We've been able to reconstruct the message from the ciphertext


Notice that the secret key is chosen initially completely at random (i.e. carries no information) and combined with the message (that contains the info) generates a completely random string $c$ therefore carrying no information. This fact makes that when a man in the middle reads $c$ he has no way to infer any information about the original message $m$. We've reached what is normally called in the books *perfect secrecy* (from the information theoretic perspective).

Definition:
A cryptosystem has perfect secrecy if $$P(m|c)=P(m)$$
for all $m$ that is in the possible messages $M$ and all the ciphertext that are in the possible ciphertext $C$.
Equivalently $$P(m|c)=P(m|c^\prime),$$
for all $c$ and $c^\prime$ in the ciphertext corpus $C$.

In the first equation it is expressed that the probability of a message given a ciphertext is independent of the ciphertext, in essense this is to say that no matter what is our ciphertext we have no clue to know anything about the message. In the second equation this is expressed in a different way, the probability of a certain message is the same no matter which ciphertext we observe, again this means the cyphertext contains no information about the original message.

At this point you may think, that's the perfect cryptosystem, why don't we use it in a day to day cryptographyc aplications? Well, one time pad ony works once. After Alice has sent an encrypted ciphertext to Bob they have to meet again to agree on a new random secret key of n bits. The reason is that the attacker may know the probability distribution of the messages (for instance, if Alice and Bob send messages in english one can perform an attack similar to the Vigenere cryptosystem by counting the frequency of words in english). Therefore as the attacker keeps on getting many n-bit ciphertext he can combine the frequencies and eventually be able to find most of the secret key.

The concept of *perfect secrecy* will be revisited in secure multiparty computation later on.

For further details on *perfect secrecy*/*Shannon perfect secrecy* go to the first chapters in [Introduction to modern cryptography](https://www.crcpress.com/Introduction-to-Modern-Cryptography/Katz-Lindell/p/book/9781466570269)