Shannon Impossibility, Revisited

In this note we revisit the famous result of Shannon [Sha49] stating that any encryption scheme with perfect security against computationally unbounded attackers must have a secret key as long as the message. This result motivated the introduction of modern encryption schemes, which are secure only against a computationally bounded attacker, and allow some small (negligible) advantage to such an attacker. It is a well known folklore that both such relaxations — limiting the power of the attacker and allowing for some small advantage — are necessary to overcome Shannon’s result. To our surprise, we could not find a clean and well documented proof of this folklore belief. (In fact, two proofs are required, each showing that only one of the two relaxations above is not sufficient.) Most proofs we saw either made some limiting assumptions (e.g., encryption is deterministic), or proved a much more complicated statement (e.g., beating Shannon’s bound implies the existence of one-way functions [IL89].) In this note we rectify this situation, by presenting two clean, elementary extensions of Shannon’s impossibility result, showing that, in order to beat the famous Shannon lower bound [Sha49] on key length for one-time-secure encryption, one must simultaneously restrict the attacker to be efficient, and also allow the attacker to break the system with some non-zero (i.e., negligible) probability. Unlike most prior proofs we have seen, our proof seamlessly handles probabilistic encryption, small decryption error, and can be taught without any extra background (e.g., notions of entropy, etc.) in a first lecture of an introductory cryptography class. For intellectual curiosity, we also discuss some “entropy extensions” of our proof, and the relation between our “indistinguishability-based” proof and Shannon’s original “mutual-information-based” proof.