Polynomial-Time, Semantically-Secure Encryption Achieving the Secrecy Capacity
In the wiretap channel setting, one aims to get information-theoretic privacy of communicated data based only on the assumption that the channel from sender to receiver is less noisy than the one from sender to adversary. The secrecy capacity is the optimal (highest possible) rate of a secure scheme, and the existence of schemes achieving it has been shown. For thirty years the ultimate and unreached goal has been to achieve this optimal rate with a scheme that is polynomial-time. (This means both encryption and decryption are proven polynomial time algorithms.) This paper finally delivers such a scheme. In fact it does more. Our scheme not only meets the classical notion of security from the wiretap literature, called MIS-R (mutual information security for random messages) but achieves the strictly stronger notion of semantic security, thus delivering more in terms of security without loss of rate.
💡 Research Summary
The paper tackles the classic wiretap channel problem, in which a legitimate sender‑receiver pair communicates over a noisy channel that is strictly less noisy than the channel to the eavesdropper. For the symmetric, degraded channels studied here (the binary symmetric channel being the canonical case), the information‑theoretic secrecy capacity is Cₛ = C_b – C_e, the difference between the main‑channel capacity C_b and the eavesdropper‑channel capacity C_e, and it is the highest rate at which secure transmission is possible at all. Capacity‑achieving codes have been known to exist for decades, but only through random‑coding arguments that yield no efficient encoder or decoder, leaving open the long‑standing question of whether Cₛ can be attained by a scheme in which both encryption and decryption run in polynomial time.
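A worked instance of the capacity expression, added here rather than taken from the paper, for the binary symmetric channel (BSC) pair that the summary goes on to use: the main channel is BSC(p), the eavesdropper's channel is BSC(q), and h is the binary entropy function.

$$h(x) = -x\log_2 x - (1-x)\log_2(1-x)$$

$$C_b = 1 - h(p), \qquad C_e = 1 - h(q)$$

$$C_s = C_b - C_e = h(q) - h(p)$$

With p = 0.05 and q = 0.2 this gives h(0.05) ≈ 0.286, h(0.2) ≈ 0.722, so Cₛ ≈ 0.436 bits per channel use, against a main‑channel capacity C_b ≈ 0.714. The expression is positive only while q > p: if the eavesdropper's channel is at least as good as the receiver's, Cₛ = 0 and no scheme, efficient or not, can deliver information‑theoretic secrecy.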
The authors answer this affirmatively with a two‑layer construction. The first layer is an ordinary error‑correcting code for the main channel, drawn from any family that is polynomial‑time encodable and decodable, has rate approaching the main‑channel capacity C_b, and lets the legitimate receiver decode with error probability ≤ ε. This layer is responsible for reliability only; secrecy does not come from the code. What matters on the eavesdropper's side is an entropy budget: the codeword carries a uniformly random block X of roughly n·C_b bits over n channel uses, the eavesdropper's observation Z reveals at most roughly n·C_e bits about it, and so about n·(C_b – C_e) = n·Cₛ bits of min‑entropy in X remain hidden from the eavesdropper. That residual entropy is exactly the budget from which the message is carved in the second layer.
The second layer is a seeded randomness extractor, and it is applied in the "invert‑then‑encode" direction. The seed S is public (it need not be secret), and the extractor is a universal hash family, so the Leftover Hash Lemma guarantees that Ext(S, X) is statistically close to uniform, even given S and Z, whenever the min‑entropy of X given Z exceeds the output length by a modest slack. The sender does not apply the extractor to the message; it inverts it: given a message M it samples a uniformly random preimage X with Ext(S, X) = M and hands X to the first‑layer encoder. This is why the paper needs an extractor that is efficiently invertible as well as efficiently computable. The receiver decodes X and applies Ext(S, ·) forward to recover M. From the eavesdropper's point of view, M is a near‑uniform function of a block it knows only partially, so (S, Z) carries a negligible amount of information about M, for every message and not only for a random one.
Crucially, the paper proves that the combined scheme satisfies semantic security, a strictly stronger notion than the traditional MIS‑R requirement of the wiretap literature, which only asks that I(M;Z) be small when M is uniformly random. The proof has two parts: (1) a lower bound, derived from the channel parameters, on the min‑entropy of the encoded random block X conditioned on the eavesdropper's observation Z; (2) an extractor argument showing that the eavesdropper's view is nearly independent of the message, for every message rather than on average over a uniform one, with the gap a negligible function of the block length. Together these give distinguishing security, meaning no adversary can tell apart the encryptions of any two messages of its choice with non‑negligible advantage, which in this setting is equivalent to semantic security. The guarantee is information‑theoretic: it holds against computationally unbounded adversaries and is the wiretap analogue of the Goldwasser‑Micali notion, not a computational relaxation of it.
Both encryption and decryption run in polynomial time in the block length. Encryption consists of sampling the preimage X (for a universal hash based on finite‑field multiplication, for instance, this is one field inversion and one multiplication) followed by the polynomial‑time encoder. Decryption mirrors it: the receiver runs the polynomial‑time decoder and then evaluates the extractor once with the public seed; nothing has to be reversed on the receiving side. The legitimate receiver's error probability is bounded by ε, while the eavesdropper's distinguishing advantage remains negligible.
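The invert‑then‑encode flow described above, as an added runnable example that is not code from the paper. It uses a universal‑hash extractor Ext(S, X) = low K bits of S·X in GF(2^128) (the GCM field polynomial is assumed, since it is known to be irreducible), inverted by multiplying a random preimage by S⁻¹, and a repetition code with majority decoding as a stand‑in for the paper's capacity‑approaching code. The toy code is not capacity‑achieving, the seed is assumed public and pre‑agreed, and no bound on the min‑entropy of X given Z is verified; the channel parameters, lengths and the message value are constructed for the demonstration.

```python
"""Toy invert-then-encode wiretap scheme over a simulated pair of BSCs.
Constructed example, not the paper's code. GF(2^128) with the GCM polynomial
is assumed; the repetition code and all parameters are illustrative only."""
import random

N = 128                      # extractor input length: one field element
K = 32                       # message / extractor output length in bits
R = 9                        # repetition factor (odd, so majority is well defined)
GF_POLY = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2^128) with reduction by GF_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:         # degree reached 128: subtract (xor) the modulus
            a ^= GF_POLY
    return r


def gf128_inv(a: int) -> int:
    """a^-1 = a^(2^128 - 2) by square-and-multiply; a must be nonzero."""
    result, base, e = 1, a, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf128_mul(result, base)
        base = gf128_mul(base, base)
        e >>= 1
    return result


def extract(seed: int, x: int, k: int = K) -> int:
    """Ext(S, X): low k bits of S*X. For uniform nonzero S this family is
    universal, which is what the leftover hash lemma needs."""
    return gf128_mul(seed, x) & ((1 << k) - 1)


def invert(seed: int, m: int, k: int = K, rng=None) -> int:
    """Sample a uniform preimage X of m: pick Y with low k bits m and random
    high N-k bits, then X = S^-1 * Y so that S*X = Y."""
    if rng is None:
        rng = random.SystemRandom()
    y = (rng.getrandbits(N - k) << k) | m
    return gf128_mul(gf128_inv(seed), y)


def int_to_bits(x: int, n: int) -> list:
    return [(x >> i) & 1 for i in range(n)]


def bits_to_int(bits: list) -> int:
    return sum(b << i for i, b in enumerate(bits))


def rep_encode(bits: list, r: int = R) -> list:
    """Repeat every bit r times (toy stand-in for the main-channel code)."""
    return [b for b in bits for _ in range(r)]


def rep_decode(bits: list, r: int = R) -> list:
    """Majority vote over each group of r received bits."""
    return [1 if 2 * sum(bits[i:i + r]) > r else 0 for i in range(0, len(bits), r)]


def bsc(bits: list, p: float, rng: random.Random) -> list:
    """Binary symmetric channel: flip each bit independently with probability p."""
    return [b ^ (1 if rng.random() < p else 0) for b in bits]


def encrypt(seed: int, m: int, rng=None) -> list:
    """ItE encryption: invert the extractor on m, then encode the preimage."""
    x = invert(seed, m, K, rng)
    return rep_encode(int_to_bits(x, N))


def decrypt(seed: int, received: list) -> int:
    """Decode the noisy codeword, then apply the extractor forward."""
    x = bits_to_int(rep_decode(received))
    return extract(seed, x)


def simulate(p: float = 0.02, q: float = 0.3, prng_seed: int = 1, m: int = 0xDEADBEEF):
    """One transmission; returns (receiver recovered m, eavesdropper recovered m).
    The eavesdropper knows S and sees the same codeword through BSC(q), q > p."""
    rng = random.Random(prng_seed)     # fixed PRNG so the run is reproducible
    seed = rng.getrandbits(N) | 1      # public extractor seed, forced nonzero
    codeword = encrypt(seed, m, rng)
    receiver_ok = decrypt(seed, bsc(codeword, p, rng)) == m
    eve_ok = decrypt(seed, bsc(codeword, q, rng)) == m
    return receiver_ok, eve_ok


if __name__ == "__main__":
    print("receiver ok, eavesdropper ok:", simulate())
```

The eavesdropper failing to decode in this toy run is not the security argument; the actual guarantee is the leftover‑hash bound, which requires K to sit below the min‑entropy of X given Z. The rate of the toy, K/(N·R) ≈ 0.028 bits per channel use, is far below Cₛ for these channels; closing that gap with a polynomial‑time code is precisely the paper's contribution.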
The construction is parameterized by the block length, the channel parameters (for instance a pair of BSC crossover probabilities p < q), the rate of the main‑channel code, and the extractor output length, which is set just below the min‑entropy that the eavesdropper's channel leaves in the encoded block. As the block length grows, the decoding error and the eavesdropper's advantage both vanish while the rate tends to Cₛ, so the scheme achieves the secrecy capacity itself rather than a constant fraction of it.
In summary, this work resolves a three‑decade‑old open problem by delivering the first polynomial‑time scheme that attains the information‑theoretic secrecy capacity of the wiretap channel, and it does so under semantic security, the strongest notion considered, without paying for the stronger guarantee in rate.