Re: Confirmation of Shannon's Mistake about Perfect Secrecy of One-time-pad

On Oct 24, 5:16 pm, wangyong <hell...@xxxxxxx> wrote:
On 10月24日, 上午4时26分, matt271829-n...@xxxxxxxxxxx
wrote:





On Oct 23, 3:09 pm, wangyong <hell...@xxxxxxx>
wrote:

Shannon misused Bayes' formula, similarly the
above proof misused
Bayes' formula. From P(M = x)·P (K = (x⊕y)) =
P(M = x) ·2-n, we can
see the condition that the ciphertext y is a
fixed value is never
considered when computing P(M = xΛC = y). We
can get that result by
reductio ad absurdum. Suppose for fixed y, if P
(K = (x⊕y))=2-n (that
is used in the proof, but indeed it is wrong.
It is used just to get
wrong conclusion), we can get P(M = x|C = y)=
2-n because there is a
one-to-one correspondence between all the
plaintexts and keys for the
fixed ciphertext in OTP. But it is obviously
wrong, for the prior
probabilities of all plaintexts are seldom
equally likely. So P(M =
x)·P (K = (x⊕y)) stand for the joint
probability of x and y when y is
not fixed. But Shannon thought of the posterior
probability as the
probability of plaintext when ciphertext had
been intercepted, we can
see that there is a presupposition in P(M = x|C
= y) that y is fixed,
but in P(M = x), P (K = (x⊕y)) and P(C=y), y is
not fixed, otherwise
we can get obviously wrong results. In such
way, the Bayes's formula
was misused for the probability was not on the
same presupposition and
the equation does not come into existence.
In OTP there are complex and crytic conditions
that influence the
probability of plaintext, key and ciphertext,
so it is essential to
cognize all the conditions and carefully use
probability theory. The
proof did not realize the crytic condition that
ciphertext was a fixed
value (even though unknown) rather than a
random variable.

I suspect that a combination of typos and/or
character set
incompatibilities have garbaged some of your
equations. So, let me
have a guess at what you're saying.
Let's keep with the simple scenario where P(M=0)
= p, P(M=1) = 1-p,
P(K=0) = 1/2, P(K=1) = 1/2, K and M independent.
K=0 maps 0->0, 1->1,
and K=1 maps 0->1, 1->0. We intercept the
encrypted message C=0.

I'm guessing that you are reasoning as follows:
Given that C=0, there
is no longer an equal chance of K=0 and K=1.
Because the proof uses
the fact that these probabilities are equal, the
proof must be wrong.

In fact, the K-probabilities used in the
calculation of the
conditional probabilities must be the *a priori*
probabilities===========, which
are indeed equal, and the proof is sound.

-----------------you are wrong at this place.

[matt271829:]

I don't think so.

if you are right


======================================================
=======
=====The probabilities are all the ones in the case
  c is a random
variable, but not C=0.

You've obviously spent a while working with this
symbolically, so you
might like to try a different approach to satisfy
yourself. From your
affiliation I assume you are familiar with
computer programming, so
try running a Monte Carlo-style simulation such
as the following. You
will find that always M_equals_0 / total ~ p, and
M_equals_1 / total ~
1 - p. This demonstrates that that probabilities
of M=0 and M=1 are,
as expected, unaffected by the fact that C=0.

====as I have pointed out above.

[matt271829:]

Huh???? So, now you *agree* that the probabilities of
M=0 and M=1 are
unaffected by observing C=0? Then you should have no
difficulty in
also agreeing that these probabilites are unaffected
by observing C=1,
and, therefore, that they are unaffected by observing
C, whatever
value we may find that C takes. So, intercepting the
message gives us
no additional information about M. What's the
problem?

I get the impression that you are inventing
complexities where none
exist. EITHER C is unknown and random (and M has its
prior, or
initial, distribution), OR C is known and fixed (and
M has its
conditional distribution). In the scenario we are
discussing, the
conditional distribution of M (after C is observed)
is exactly the
same as the prior distribution of M (before C is
observed), whatever
value of C actually is observed. And that's all there
is to it.

I thought of an experiment that might help.
If I give an adversary the ciphertext C and a
randomly chosen string of data with the same length
as C, called D, then what can the adversary do
to tell apart the real ciphertext C from the fake
one D?

I don't see how the adversry can tell them apart, or
say "this one has a better chance of being the
real ciphertext."

David Bernier
.

Relevant Pages