
Secure communication
• Perfect Secrecy (Information Theoretic Security):
– Let the message space be {0,1}^n.
– For any two messages M_0, M_1 and any ciphertext C,
    Pr[E_K(M_0) = C] = Pr[E_K(M_1) = C],
  where the probability is over a uniformly random K in the keyspace.
• Fact: If |M| > |K|, then no scheme is perfectly secure.
• How do we get around this problem?
• Relax our notion of security: instead of saying "it is impossible to break the scheme", we would like to say "it is computationally infeasible to break the scheme".
Perfect secrecy
• Requires that absolutely no information about
the plaintext is leaked, even to eavesdroppers
with unlimited computational power
– Has some inherent drawbacks
– Seems unnecessarily strong
Computational secrecy
• Would be ok if a scheme leaked information
with tiny probability to eavesdroppers with
bounded computational resources
• I.e., relax perfect secrecy by
– Allowing security to fail with tiny probability
– Only considering “efficient” attackers
Tiny probability of failure?
• Say security fails with probability 2^-60
– Should we be concerned about this?
– With probability > 2^-60, the sender and receiver
will both be struck by lightning in the next year…
– Something that occurs with probability 2^-60/sec is
expected to occur once every 100 billion years
Bounded attackers?
• Consider brute-force search of key space;
assume one key can be tested per clock cycle
• Desktop computer ⇒ 2^57 keys/year
• Supercomputer ⇒ 2^80 keys/year
• Supercomputer since Big Bang ⇒ 2^112 keys
– Restricting attention to attackers who can try 2^112
keys is reasonable…
• Modern key space: 2^128 keys or more…


Introduction: Pseudorandom generator
• Suppose there was a generator G that stretches random bits:
    001101011 → G → 00101001001010010100101011
• Idea:
– Choose a short key K randomly.
– Obtain K' = G(K).
– Use K' as the key for the one-time pad.
• Issue:
– Such a generator is not possible!
– Any such generator produces a longer string, but the string is not random.
– What if we can argue that the output of the generator is computationally indistinguishable from a truly random string?
Introduction: Secure communication
• Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) learning the communication.
• Formalizing the notion of security: when can you say that your protocol has been broken?
– The adversary is able to figure out the secret key.
  Question: Can you say that your protocol is secure if no adversary can figure out the secret key?
  NO! Consider the encryption scheme C = E_K(M) = M.
– The adversary is able to figure out the entire message.
  Question: Can you say that your protocol is secure if no adversary can figure out the entire message?
  NO! Maybe the first bit of the message is revealed, which may be crucial.
Pseudorandom generators
• A pseudorandom generator (PRG) is a function
    G: {0,1}^s → {0,1}^n,  n ≫ s
  such that G(x) "appears" to be a random n-bit string.
• The input to the generator is called the seed.
[Figure: a stateful generator. Starting from state St[0], each call to G maps the current state St[i] to a new state St[i+1] and an output block R[i+1]; the blocks R[1], R[2], R[3], … form the output stream R.]
Pseudorandom generator
• What are the desirable properties of a pseudorandom generator G: {0,1}^k → {0,1}^n for cryptographic purposes?
– Stretch: n > k
– Efficient: G should be efficiently computable.
– Indistinguishability: No bounded-resource algorithm should be able to distinguish the output G(x) (for random x) from a random n-bit string.
– Unpredictability: The output of the generator should not be predictable.
Perfect indistinguishability
• Π = (Gen, Enc, Dec)
• Informally:
– Two messages m0, m1; one chosen at random and
encrypted (using uniform k) to give c ← Enc_k(m_b);
adversary A is given c and tries to determine which
message was encrypted
– Π is secure if no adversary A can guess correctly
with probability any better than ½
Perfect indistinguishability
• Let Π = (Gen, Enc, Dec) be an encryption
scheme, and A an adversary (eavesdropper)
• Define a randomized exp't PrivK_{A,Π}:
1. A outputs m0, m1 ∈ M
2. k ← Gen, b ← {0,1}, c ← Enc_k(m_b)   (c is the challenge ciphertext)
3. b' ← A(c); A succeeds if b = b', and the experiment
evaluates to 1 in this case
Perfect indistinguishability
• Easy to succeed with probability ½ …
• Π is perfectly indistinguishable if for all
attackers (algorithms) A, it holds that
Pr[PrivK_{A,Π} = 1] = ½
Perfect indistinguishability
• Claim: Π is perfectly indistinguishable if and
only if it is perfectly secret
• I.e., perfect indistinguishability is just an
alternate definition of perfect secrecy
Indistinguishability
• Indistinguishability: The output of the generator should appear to be random.
– Question: To whom?
– Answer: To all efficient algorithms.
– What does "appear" mean?
– Any efficient statistical testing algorithm should behave similarly when given random n-bit inputs and when given the output of the generator on a random seed.
• Definition (Advantage): The PRG advantage of an algorithm A with respect to a generator G, denoted Adv_PRG(A, G), is defined as
    Adv_PRG(A, G) = | Pr_{K ← {0,1}^k}[A(G(K)) = 1] − Pr_{R ← {0,1}^n}[A(R) = 1] |
• Observations:
– 0 ≤ Adv_PRG(A, G) ≤ 1
– Adv_PRG(A, G) close to 1 means A can distinguish G's output from random.
– Adv_PRG(A, G) close to 0 means A cannot distinguish G's output from random.
• Let S = { G(K) : K ∈ {0,1}^k }. Let A be an algorithm that outputs 1 iff its input belongs to S.
– Question: Is A a good statistical test for G?
– Question: What is the PRG advantage of A?
• Let G be a generator such that the 5th bit of the output is 1 for 3/4 of the input seeds. Let A be an algorithm that outputs 1 iff the fifth bit of its input string is 1.
– Question: Is G a good PRG in the sense of indistinguishability?
– Question: What is the PRG advantage of A?
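An added worked computation of the two exercises above (example code, not from the slides): it defines a constructed toy generator G: {0,1}^4 → {0,1}^8 whose 5th output bit is 1 for 3/4 of the seeds, and computes Adv_PRG(A, G) exactly by enumeration for both the membership test A_S and the fifth-bit test. The parameters k = 4, n = 8 and the generator itself are assumptions.

```python
from fractions import Fraction
from itertools import product

# Toy parameters, constructed for this example: G: {0,1}^4 -> {0,1}^8.
K_BITS, N_BITS = 4, 8


def all_strings(length):
    """Every bit string of the given length, as '0'/'1' strings."""
    return ["".join(bits) for bits in product("01", repeat=length)]


def toy_prg(seed):
    """Constructed toy generator G(s) = s || (s1 OR s2) || s2 s3 s4.

    It stretches 4 bits to 8, and its 5th output bit is 1 for exactly
    3/4 of all seeds (whenever s1 or s2 is 1), matching the slide's example.
    """
    fifth = "1" if "1" in seed[:2] else "0"
    return seed + fifth + seed[1:]


def prg_advantage(test, prg, k, n):
    """Exact Adv_PRG(A, G) = |Pr_K[A(G(K))=1] - Pr_R[A(R)=1]|.

    Both probabilities are computed by full enumeration of the seed space
    {0,1}^k and of the output space {0,1}^n, so the result is exact.
    """
    seeds = all_strings(k)
    p_prg = Fraction(sum(test(prg(s)) for s in seeds), len(seeds))
    strings = all_strings(n)
    p_rand = Fraction(sum(test(r) for r in strings), len(strings))
    return abs(p_prg - p_rand)


def membership_test_for(prg, k):
    """Statistical test A_S: output 1 iff the input lies in S = {G(K)}.

    A_S needs a table of all 2^k outputs, so it is not an efficient test;
    it only shows that an unbounded tester always wins against a stretching G.
    """
    image = {prg(s) for s in all_strings(k)}
    return lambda x: int(x in image)


def fifth_bit_test(x):
    """Efficient statistical test: output 1 iff the 5th bit is 1."""
    return int(x[4] == "1")


def run_examples():
    """Advantages of the two tests from the slides against toy_prg."""
    adv_membership = prg_advantage(membership_test_for(toy_prg, K_BITS),
                                   toy_prg, K_BITS, N_BITS)
    adv_fifth = prg_advantage(fifth_bit_test, toy_prg, K_BITS, N_BITS)
    return adv_membership, adv_fifth


if __name__ == "__main__":
    adv_s, adv_5 = run_examples()
    # A_S wins with advantage 1 - 2^(k-n): G's image covers only 2^k of the 2^n strings.
    print("Adv_PRG(A_S, G)      =", adv_s)
    # The fifth-bit test gets 3/4 - 1/2.
    print("Adv_PRG(A_5th bit, G) =", adv_5)
```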
Indistinguishability
• Definition ((t, ε)-indistinguishable PRG): A function G: {0,1}^k → {0,1}^n is said to be a (t, ε)-indistinguishable pseudorandom generator if for all algorithms A that run in time at most t, we have:
    Adv_PRG(A, G) ≤ ε
Unpredictability
• Definition ((t, ε)-unpredictable PRG): A function G: {0,1}^k → {0,1}^n is called a (t, ε)-unpredictable pseudorandom generator if for all algorithms A that run in time at most t and for all i ∈ {1, …, n − 1}, we have:
    Pr[ A(G(K)[1 … i]) = G(K)[i + 1] ] ≤ 1/2 + ε.
Indistinguishability vs Unpredictability
• Theorem (indistinguishability implies unpredictability): Let G: {0,1}^k → {0,1}^n. If G is a (t + 1, ε)-indistinguishable PRG, then G is also a (t, ε)-unpredictable PRG.
• Proof: We show the contrapositive.
– Suppose A is an algorithm that runs in time at most t and i is an index such that
    Pr[ A(G(K)[1 … i]) = G(K)[i + 1] ] > 1/2 + ε.
– Consider the algorithm B(x): if A(x[1 … i]) = x[i + 1], then output 1, else output 0.
– Claim 1: B runs in time t + 1.
– Claim 2: Adv_PRG(B, G) > ε.
    Claim 2.1: Pr_{K ← {0,1}^k}[B(G(K)) = 1] > 1/2 + ε.
    Claim 2.2: Pr_{R ← {0,1}^n}[B(R) = 1] = 1/2.
Indistinguishability vs Unpredictability
• Theorem (unpredictability implies indistinguishability): Let G: {0,1}^k → {0,1}^n. If G is a (t′, ε/n)-unpredictable PRG, then G is also a (t, ε)-indistinguishable PRG.
• This is known as Yao's theorem and is proved using an idea known as the hybrid argument.
Pseudorandom generator
• Suppose there is a generator G that is efficient, that stretches the input, and that is (t, ε)-indistinguishable. When can we call it secure?
– t is large. How large?
– ε is small. How small?
• Example values of k, n, t, and ε:
– k = 128
– n = 2^20
– t = 2^80
– ε = 2^-40
• Are these figures good enough for all scenarios (present and future)?
Encryption and plaintext length
• In practice, we want encryption schemes that
can encrypt arbitrary-length messages
• In general, encryption does not hide the
plaintext length
– The definition takes this into account
What does “random” mean?
• What does “uniform” mean?
• Which of the following is a uniform string?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• If we generate a uniform string, each of the
above occurs with probability 2^-16
What does "random" mean?
• "Randomness" is not a property of a string,
but a property of a distribution
• A distribution on n-bit strings is a function
D: {0,1}^n → [0,1] such that Σ_x D(x) = 1
– The uniform distribution on n-bit strings
is the distribution U_n where U_n(x) = 2^-n
for all x ∈ {0,1}^n
What does “pseudorandom” mean?
• Informal: cannot be distinguished from
uniform (i.e., random)
• Which of the following is pseudorandom?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• Pseudorandomness is a property of a
distribution
Pseudorandomness (1)
• Fix some distribution D on n-bit strings
– x ← D means "sample x according to D"
• Historically, D was considered pseudorandom
if it "passed a bunch of statistical tests"
– Pr_{x ← D}[1st bit of x is 1] ≈ ½
– Pr_{x ← D}[parity of x is 1] ≈ ½
– Pr_{x ← D}[A_i(x)=1] ≈ Pr_{x ← U_n}[A_i(x)=1]
for i = 1, …, 20
Pseudorandomness (2)
• This is not sufficient in an adversarial setting!
– Who knows what statistical test T an attacker
will use?

• Cryptographic def’n of pseudorandomness:


– D is pseudorandom if it passes all
efficient statistical tests
Pseudorandomness (concrete)
• Let D be a distribution on n-bit strings
• D is (t, ε)-pseudorandom if for all A running in
time ≤ t,
| Pr_{x ← D}[A(x)=1] − Pr_{x ← U_n}[A(x)=1] | ≤ ε
Pseudorandomness (asymptotic)
• Security parameter n, polynomial p

• Let Dn be a distribution over p(n)-bit strings


• Pseudorandomness is a property of a
sequence of distributions {Dn} = {D1, D2, … }
Pseudorandomness (asymptotic)
• {D_n}, where D_n is a distribution over p(n)-bit strings, is
pseudorandom if for every probabilistic,
polynomial-time (PPT) A, there is a negligible
function ε such that
| Pr_{x ← D_n}[A(x)=1] − Pr_{x ← U_{p(n)}}[A(x)=1] | ≤ ε(n)
Pseudorandom (number) generators
(PRGs/PRNGs)
• A PRG is an efficient, deterministic algorithm
that expands a short, uniform seed into a
longer, pseudorandom output
– Useful whenever you have a “small” number of
true random bits, and want lots of “random-
looking” bits
PRGs
• Let G be a deterministic, poly-time algorithm
• G is expanding: |G(x)| = p(|x|) > |x|
• G defines a sequence of distributions!
– D_n = the distribution on p(n)-bit strings defined by
choosing x ← U_n and outputting G(x)
– Pr_{D_n}[y] = Pr_{U_n}[G(x) = y] = Σ_{x : G(x)=y} Pr_{U_n}[x]
= Σ_{x : G(x)=y} 2^-n
= |{x : G(x)=y}| / 2^n
PRGs
• G is a pseudorandom generator if {D_n} is
pseudorandom
– I.e., for all PPT attackers A, there is a negligible
function ε such that
| Pr_{x ← U_n}[A(G(x))=1] − Pr_{y ← U_{p(n)}}[A(y)=1] | ≤ ε(n)
– No efficient A can distinguish whether it is
given G(x) (for uniform x) or
a uniform string y!
One-time pad
[Figure: a p-bit key is XORed with a p-bit message to give a p-bit ciphertext.]
"Pseudo" one-time pad
[Figure: an n-bit key is expanded by G into a p-bit "pseudo" key, which is XORed with the p-bit message to give the p-bit ciphertext.]
Pseudo one-time pad
• Let G be a deterministic, poly-time function,
with |G(k)| = p(|k|)
• Gen(1^n): output uniform n-bit key k
– Security parameter n ⇒ message space {0,1}^{p(n)}
• Enc_k(m): output G(k) ⊕ m
• Dec_k(c): output G(k) ⊕ c
• Correctness is obvious…
PRGs, revisited
• Let G be an efficient, deterministic function
with |G(k)| = 2·|k|
[Figure: a distinguisher D is given y, which is either G(k) for k ← U_n or a uniform y ← U_{2n}, and outputs a bit b.]
(For any efficient D…) the probability that D
outputs 1 in both cases must be close
Proof by reduction
1. Assume G is a pseudorandom generator
2. Say there is an efficient attacker A who
‘breaks’ the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D
that ‘breaks’ pseudorandomness of G
– But we know that no such D exists!
⇒ No such A can exist
Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the
pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D
attacking G
– Relate the distinguishing probability of D to the
success probability of A
4. By assumption, the distinguishing
probability of D must be negligible
⇒ Bound the success probability of A
"Pseudo" one-time pad
[Figure: the pseudo one-time pad with |k| = n and |G(k)| = 2n: the 2n-bit "pseudo" key G(k) is XORed with the 2n-bit message to give the 2n-bit ciphertext.]
Security theorem
• If G is a pseudorandom generator, then the
pseudo one-time pad is (computationally)
indistinguishable.
The reduction
[Figure: D receives a string y. It runs A, which outputs m_0, m_1; D picks b ← {0,1}, computes c = y ⊕ m_b, hands c to A, receives A's guess b', and outputs 1 if b = b'.]
Analysis
• If A runs in polynomial time, then so does D
The reduction
[Figure: the same reduction with y = G(k) for k ← U_n. Then c = G(k) ⊕ m_b = Enc_k(m_b), exactly a pseudo-OTP encryption.]
The reduction
[Figure: the same reduction with y ← U_{2n}. Then c = y ⊕ m_b is a one-time-pad encryption of m_b.]
Analysis
• If A runs in polynomial time, then so does D
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If input y is pseudorandom, the view of A is
exactly as in PrivK_{A,Π}(n)
⇒ Pr_{x ← U_n}[D(G(x))=1] = µ(n)
• If input y is uniform, A succeeds with
probability exactly ½
⇒ Pr_{y ← U_{2n}}[D(y)=1] = ½
• Since G is pseudorandom…
| µ(n) – ½ | ≤ ε(n)
⇒ Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)
• Proof that the pseudo OTP is secure…
– We have a provably secure scheme, rather than a
heuristic construction!
• …with some caveats
– Assuming G is a pseudorandom generator
– Relative to our definition
• The only way the scheme can be broken is:
– If a weakness is found in G
– If the definition isn't sufficiently strong…
Security of Stream Ciphers
• Formalizing the notion of security: when can you say that your protocol has been broken?
– The adversary is able to figure out the secret key.
– The adversary is able to figure out the entire message.
– Think of a security property that implies all other relevant security properties.
• Perfect Secrecy (Information Theoretic Security):
– Let the message space be {0,1}^n.
– For any two messages M_0, M_1 and any ciphertext C,
    Pr[E_K(M_0) = C] = Pr[E_K(M_1) = C],
  where the probability is over a uniformly random K in the keyspace.
Security of Stream Ciphers
• Perfect Secrecy (Information Theoretic Security): An encryption scheme (E, D) is said to be perfectly secure if for any two messages M_0, M_1 and any ciphertext C,
    Pr[E_K(M_0) = C] = Pr[E_K(M_1) = C].
• Definition ((t, ε)-message indistinguishability): An encryption scheme (E, D) is said to be (t, ε)-message indistinguishable if for any two messages M_0, M_1 and any algorithm A that runs in time at most t we have:
    Adv_IND(A, E) = | Pr[A(E_K(M_0)) = 1] − Pr[A(E_K(M_1)) = 1] | ≤ ε
• The above definition is with respect to one-time encryption only.
Security of Stream Ciphers
• Why is message indistinguishability a strong notion of security?
– Theorem (informal): If a scheme is secure w.r.t. the message indistinguishability notion, then it is secure w.r.t. the key recovery notion.
– Proof: ?
– Theorem (informal): If a scheme is secure w.r.t. the message indistinguishability notion, then it is secure w.r.t. the "100th bit known" notion.
Security of Stream Ciphers
• One Time Pad:
– Let the key space and message space be {0,1}^n.
– E_K(M) = K ⊕ M and D_K(C) = K ⊕ C.
– Is the OTP encryption scheme secure w.r.t. the notion of message indistinguishability? What is the advantage of any algorithm against this encryption scheme?
• OTP using PRG:
– Let G: {0,1}^k → {0,1}^n be a PRG.
– E_K(M) = G(K) ⊕ M and D_K(C) = G(K) ⊕ C.
– Theorem (informal): If G is a secure PRG w.r.t. the indistinguishability notion, then (E, D) is secure w.r.t. message indistinguishability.
Security of Stream Ciphers
• Theorem: For every algorithm A that "attacks" (E, D) against the notion of message indistinguishability, there is an algorithm B that "attacks" G against the notion of indistinguishability such that
    Adv_IND(A, E) ≤ 2 · Adv_PRG(B, G).
  Moreover, the running time of B is at most twice the running time of A.
Security of Stream Ciphers
• The reduction: B is run in two worlds, the pseudorandom world, where its input is G(K), and the random world, where its input is a uniform R. In either world B does the following:
1. Randomly select b and (M_0, M_1).
2. Execute A on G(K) ⊕ M_b (pseudorandom world) or on R ⊕ M_b (random world); let b' be the output of A.
3. Output 1 iff b = b'.
Stream Ciphers: Security of Stream Ciphers
• Adv_PRG(B, G) = | Pr[B(G(K)) = 1] − Pr[B(R) = 1] |
• Lemma 1: Pr[B(R) = 1] = 1/2.
• Lemma 2: Pr[B(G(K)) = 1] = 1/2 ± Adv_IND(A, E).
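An added worked check of this reduction (example code, not from the slides; it also serves the pseudo-OTP security theorem and reduction slides earlier on this page): with a constructed, deliberately weak generator G(K) = K || K and a constructed attacker A that exploits it, the code enumerates every seed, every random string and B's coin b to compute Adv_IND(A, E), Pr[B(G(K)) = 1], Pr[B(R) = 1] and Adv_PRG(B, G) exactly, confirming Lemma 1 and the bound Adv_IND(A, E) ≤ 2 · Adv_PRG(B, G). The parameters k = 4, n = 8 and the messages M_0, M_1 are assumptions.

```python
from fractions import Fraction
from itertools import product

# Toy parameters, constructed for this example: k = 4, n = 2k = 8.
K_BITS = 4
N_BITS = 2 * K_BITS


def all_strings(length):
    """Every bit string of the given length, as '0'/'1' strings."""
    return ["".join(bits) for bits in product("01", repeat=length)]


def xor(a, b):
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def bad_prg(seed):
    """Constructed, deliberately weak generator G(K) = K || K.

    It stretches k bits to 2k, but half of its output is a copy of the
    other half, so it is nowhere near indistinguishable from random.
    """
    return seed + seed


def enc(key, msg):
    """OTP using PRG, as on the slides: E_K(M) = G(K) xor M."""
    return xor(bad_prg(key), msg)


# The two messages the IND attacker A submits (constructed for this A).
M0 = "0" * N_BITS
M1 = "0" * K_BITS + "1" * K_BITS


def attacker_a(ciphertext):
    """Constructed IND attacker A: returns its guess b' for the encrypted message.

    With G(K) = K || K, E_K(M0) has two equal halves while E_K(M1) has two
    complementary halves, so A tells the two apart with certainty.
    """
    left, right = ciphertext[:K_BITS], ciphertext[K_BITS:]
    return 0 if left == right else 1


def ind_advantage():
    """Exact Adv_IND(A, E) = |Pr_K[A(E_K(M0))=1] - Pr_K[A(E_K(M1))=1]|."""
    seeds = all_strings(K_BITS)
    p0 = Fraction(sum(attacker_a(enc(k, M0)) for k in seeds), len(seeds))
    p1 = Fraction(sum(attacker_a(enc(k, M1)) for k in seeds), len(seeds))
    return abs(p0 - p1)


def distinguisher_b(x, b):
    """B from the reduction, with its coin b made an explicit argument.

    B is handed x, which is either G(K) (pseudorandom world) or a uniform
    R (random world); it encrypts M_b using x as the pad, runs A on the
    result and outputs 1 iff A's guess b' equals b.
    """
    c = xor(x, M1 if b == 1 else M0)
    return int(attacker_a(c) == b)


def prg_advantage_of_b():
    """Exact (Adv_PRG(B, G), Pr[B(G(K))=1], Pr[B(R)=1]).

    Each probability averages over every seed K (or every string R) and
    over both values of B's coin b.
    """
    seeds = all_strings(K_BITS)
    hits = sum(distinguisher_b(bad_prg(k), b) for k in seeds for b in (0, 1))
    p_pseudo = Fraction(hits, 2 * len(seeds))
    strings = all_strings(N_BITS)
    hits = sum(distinguisher_b(r, b) for r in strings for b in (0, 1))
    p_random = Fraction(hits, 2 * len(strings))
    return abs(p_pseudo - p_random), p_pseudo, p_random


if __name__ == "__main__":
    adv_ind = ind_advantage()
    adv_prg, p_pseudo, p_random = prg_advantage_of_b()
    print("Adv_IND(A, E)  =", adv_ind)
    print("Pr[B(G(K))=1]  =", p_pseudo, "  Pr[B(R)=1] =", p_random)
    print("Adv_PRG(B, G)  =", adv_prg)
    print("Adv_IND <= 2 * Adv_PRG:", adv_ind <= 2 * adv_prg)
```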
Hybrid Argument: Indistinguishability vs Unpredictability
• Theorem (unpredictability implies indistinguishability): Let G: {0,1}^k → {0,1}^n. If G is a (t′, ε/n)-unpredictable PRG, then G is also a (t, ε)-indistinguishable PRG.
• Proof: We prove the contrapositive. Let A be an algorithm that runs in time at most t such that the following holds:
    | Pr_{K ← {0,1}^k}[A(G(K)) = 1] − Pr_{R ← {0,1}^n}[A(R) = 1] | > ε.
  We will show that there exists an algorithm B that predicts the output of the generator.
– Let the output of the generator be denoted by y_1 y_2 … y_n and let r_1 r_2 … r_n denote independent random bits.
– Consider the following distributions on n-bit strings:
    D_0 = r_1 r_2 … r_n
    D_1 = y_1 r_2 … r_n
    D_2 = y_1 y_2 r_3 … r_n
    ⋮
    D_n = y_1 y_2 … y_n
– Claim 1: | Pr_{R ← D_n}[A(R) = 1] − Pr_{R ← D_0}[A(R) = 1] | > ε
– Claim 2: ∃ i, | Pr_{R ← D_i}[A(R) = 1] − Pr_{R ← D_{i+1}}[A(R) = 1] | > ε/n
– How do we use the above claim to design an algorithm B that predicts the (i+1)-th bit of the generator, given the first i bits?
– B(y_1 y_2 … y_i):
    Pick a random bit r ← {0,1}.
    Pick independent random bits r_{i+2}, r_{i+3}, …, r_n ← {0,1}.
    Execute A on the input (y_1 y_2 … y_i r r_{i+2} r_{i+3} … r_n); let b be the output of A.
    If b = r, then output r, else output 1 − r.
– Claim 3: Pr[B(y_1 y_2 … y_i) = y_{i+1}] > ε/n.
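An added simulation of the hybrid argument (example code, not from the slides), using a constructed toy generator and two constructed distinguishers A: it computes p_j = Pr_{R ← D_j}[A(R) = 1] exactly for every hybrid D_0, …, D_n, picks the index i with the largest gap |p_{i+1} − p_i|, and measures exactly how often the resulting predictor B guesses y_{i+1}. The B here is the standard Yao next-bit predictor (guess r when A outputs 1, 1 − r otherwise), with the guess inverted when the gap is negative; k = 4, n = 8 and both test functions are assumptions.

```python
from fractions import Fraction
from itertools import product

# Toy parameters, constructed for this example: G: {0,1}^4 -> {0,1}^8.
K_BITS, N_BITS = 4, 8


def all_strings(length):
    """Every bit string of the given length, as '0'/'1' strings."""
    return ["".join(bits) for bits in product("01", repeat=length)]


def toy_prg(s):
    """Constructed toy G(s) = s || (s1 OR s2) || s2 s3 s4; deliberately not a good PRG."""
    return s + ("1" if "1" in s[:2] else "0") + s[1:]


def structure_test(x):
    """Distinguisher A: 1 iff bit 5 equals (bit 1 OR bit 2), a relation every G output satisfies."""
    return int(x[4] == ("1" if "1" in x[:2] else "0"))


def parity_test(x):
    """Distinguisher A: 1 iff the string has odd parity."""
    return x.count("1") % 2


def hybrid_probabilities(test, prg, k, n):
    """p_j = Pr_{R <- D_j}[A(R) = 1] for j = 0..n, computed exactly.

    D_j = y_1 .. y_j r_{j+1} .. r_n: the first j bits come from G(K) for a
    uniform seed K, the remaining n-j bits are independent uniform bits.
    """
    seeds = all_strings(k)
    probs = []
    for j in range(n + 1):
        tails = all_strings(n - j)
        hits = sum(test(prg(s)[:j] + t) for s in seeds for t in tails)
        probs.append(Fraction(hits, len(seeds) * len(tails)))
    return probs


def best_hybrid_index(probs):
    """Index i with the largest gap p_{i+1} - p_i in absolute value (Claim 2)."""
    gaps = [probs[i + 1] - probs[i] for i in range(len(probs) - 1)]
    i = max(range(len(gaps)), key=lambda j: abs(gaps[j]))
    return i, gaps[i]


def predictor_b(prefix, test, r, tail, flip):
    """Next-bit predictor B(y_1 .. y_i) for one choice of its random bits.

    B runs A on y_1 .. y_i r r_{i+2} .. r_n and guesses r when A outputs 1
    (the standard Yao predictor); 'flip' inverts the guess when the hybrid
    gap is negative, i.e. when A outputs 1 less often on D_{i+1} than on D_i.
    """
    guess = r if test(prefix + str(r) + tail) == 1 else 1 - r
    return 1 - guess if flip else guess


def prediction_probability(test, prg, k, n):
    """(i, gap, Pr[B(y_1..y_i) = y_{i+1}]), the probability taken exactly over
    the seed K, B's bit r and B's filler bits r_{i+2} .. r_n."""
    probs = hybrid_probabilities(test, prg, k, n)
    i, gap = best_hybrid_index(probs)
    flip = gap < 0
    seeds = all_strings(k)
    tails = all_strings(n - i - 1)
    correct = 0
    for s in seeds:
        y = prg(s)
        for r in (0, 1):
            for t in tails:
                correct += int(predictor_b(y[:i], test, r, t, flip) == int(y[i]))
    return i, gap, Fraction(correct, len(seeds) * 2 * len(tails))


if __name__ == "__main__":
    for name, test in (("structure", structure_test), ("parity", parity_test)):
        i, gap, p = prediction_probability(test, toy_prg, K_BITS, N_BITS)
        # In both cases p comes out as exactly 1/2 + |gap|.
        print(f"{name}: largest gap {gap} at i={i}; Pr[B predicts y_{i + 1}] = {p}")
```

For the structure test the gap sits at i = 4 and B predicts the 5th bit with certainty; for the parity test the gap is negative, at i = 7, and the inverted B predicts the 8th bit with probability 3/4.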
Concrete Vs Asymptotic Security
Computational secrecy?
• Idea: relax perfect indistinguishability

• Two approaches
– Concrete security
– Asymptotic security
Computational indistinguishability
(concrete version)
• Π is (t, ε)-indistinguishable if for all attackers A
running in time at most t, it holds that
Pr[PrivK_{A,Π} = 1] ≤ ½ + ε
Concrete security
• Parameters t, ε are what we ultimately care
about in the real world
• Does not lead to a clean theory...
– Sensitive to exact computational model
• Would like to have schemes where users can
adjust the achieved security
Computational indistinguishability
• Relax perfect indistinguishability in two ways:
– Security may fail with small probability
– Restrict attention to efficient attackers

• Two approaches
– Concrete
– Asymptotic
Computational indistinguishability
(concrete)
• (t, ε)-indistinguishability:
– Security may fail with probability ≤ ε
– Restrict attention to attackers running in time ≤ t
Asymptotic security
• Introduce security parameter n ∈ Z+
– Fixed by honest parties at initialization
– Allows users to tailor the security level
• For now, can view as the key length
– Known by adversary
• View running times of all parties, and
success probability of the adversary,
as functions of n
Computational indistinguishability
(asymptotic)
• Computational indistinguishability:
– Security may fail with probability negligible in n
– Restrict attention to attackers running in time
polynomial in n
Definitions
• A function f: Z+ → Z+ is polynomial if there
exist {c_i} such that f(n) < Σ_i c_i n^i for all n
• A function f: Z+ → R≥0 is negligible if for every
polynomial p there is an N such that
f(n) < 1/p(n) for n > N
– Typical example: f(n) = poly(n)∙2^-cn
Why these choices?
• Somewhat arbitrary
• “Efficient” = “(probabilistic) polynomial-time”
(PPT) borrowed from complexity theory
• Convenient closure properties
– Poly * poly = poly
• Poly-many calls to PPT subroutine is poly-time
– Poly * negligible = negligible
• Poly-many calls to subroutine that fails with negligible
probability, fails with negligible probability overall
(Re)defining encryption
• A private-key encryption scheme is defined by
three PPT algorithms (Gen, Enc, Dec):
– Gen: takes as input 1^n; outputs k. (Assume |k| ≥ n.)
– Enc: takes as input a key k and message m ∈ {0,1}*;
outputs ciphertext c ← Enc_k(m)
– Dec: takes key k and ciphertext c as input; outputs
a message m or "error"
Computational indistinguishability
(asymptotic version)
• Fix Π, A
• Define a randomized exp't PrivK_{A,Π}(n):
1. A(1^n) outputs m0, m1 ∈ {0,1}* of equal length
2. k ← Gen(1^n), b ← {0,1}, c ← Enc_k(m_b)
3. b' ← A(c); A succeeds if b = b', and the experiment
evaluates to 1 in this case
Computational indistinguishability
(asymptotic version)
• Π is indistinguishable if for all PPT attackers A,
there is a negligible function ε such that
Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)
Example
• Consider a scheme where the best attack is
brute-force search over the key space, and
Gen(1^n) generates a uniform n-bit key
– So if A runs in time t(n), then
Pr[PrivK_{A,Π}(n) = 1] < ½ + t(n)/2^n
• This scheme is indistinguishable: for any
polynomial t, the function t(n)/2^n is negligible
Asymptotic security: Pseudorandom generator
• Suppose there is a generator G that is efficient, that stretches the input, and that is (t, ε)-indistinguishable. When can we call it secure?
– t is large. How large?
– ε is small. How small?
• Example values of k, n, t, and ε:
– k = 128, n = 2^20, t = 2^80, ε = 2^-40
• Are these figures good enough for all scenarios (present and future)?
– Answer: No.
• Solution: The time of the adversary and the error probability should not be concrete numbers but functions of a parameter of interest. This parameter is called the security parameter.
• How does this help?
– We can define security against all polynomial-time adversaries, i.e., algorithms that run in time polynomial in the security parameter.
– The success probability of such adversaries should be negligible in the security parameter.
Asymptotic security: Pseudorandom generator
 We can define security against all polynomial time adversaries, i.e., algorithms that run in time polynomial in the security parameter.
 The success probability of such adversaries should be negligible in the security parameter.
 Definition (Negligible function): A function $\mathit{negl}(\cdot)$ is said to be negligible if for every polynomial $p(\cdot)$ there is an integer $N$ such that for all integers $k > N$, $\mathit{negl}(k) < \frac{1}{p(k)}$.
 Examples: $2^{-k}$, $2^{-\sqrt{k}}$, $k^{-\log(k)}$
 Properties:
 $\mathit{negl}_1(k) + \mathit{negl}_2(k)$ is also negligible.
 $p(k) \cdot \mathit{negl}(k)$ is also negligible.
Asymptotic security: Pseudorandom generator
 Asymptotic Security: A scheme is called secure if every PPT (Probabilistic Polynomial Time) adversary succeeds in breaking the scheme with only negligible probability.
 Security parameter: discussion
 The security parameter is very closely related to the key size that is used; usually it is the same as the key size. Asymptotic security implies that the larger the key size, the more secure the scheme will be.
 Example: Consider a PRG $G: \{0,1\}^k \to \{0,1\}^{l(k)}$. The deterministic algorithm 𝐺 stretches seeds of arbitrary size to longer strings.
Stream Ciphers: Summary
 Stream ciphers are synonymous with pseudorandom generators (PRG).
 PRGs are algorithms that map $\{0,1\}^k$ to $\{0,1\}^{l(k)}$ with the following properties:
 $\forall k,\ l(k) > k$.
 The mapping algorithm 𝐺 is deterministic and efficient.
 Indistinguishability: For every PPT algorithm 𝐴 (𝑘 here is the security parameter) and every polynomial 𝑝(⋅), there is some integer 𝑁 such that
 $\forall k > N,\ \left|\Pr[A(G(K)) = 1] - \Pr[A(R) = 1]\right| \le \frac{1}{p(k)}$.
 In other words, the success probability of all PPT algorithms should be negligible.
Stream Ciphers: PRG expansion
 Question: Suppose we have a secure PRG where 𝑙(𝑘) = 𝑘 + 1, i.e., the PRG stretches the bits by 1. Can we construct a secure PRG with longer stretch?
 [Figure: 𝐺′ built by chaining copies of 𝐺; the chain emits the output bits 𝑅₁, 𝑅₂, …, 𝑅ᵢ]
 Question: Why does the above construction give a secure PRG?
Stream Ciphers: PRG expansion
 Theorem: If $G: \{0,1\}^n \to \{0,1\}^{n+1}$ is a secure PRG, then $G': \{0,1\}^n \to \{0,1\}^{l(n)}$ is a secure PRG.
 Proof: Suppose 𝐺′ is insecure. This means that there is an adversary 𝐴 that runs in time 𝑝(𝑛) and the following holds:
 $\left|\Pr_{K \leftarrow \{0,1\}^n}[A(G'(K)) = 1] - \Pr_{R \leftarrow \{0,1\}^{l(n)}}[A(R) = 1]\right| > \frac{1}{q(n)}$,
 where 𝑞(⋅) is some polynomial.
 We will show that there exists an adversary 𝐵 that runs in time 𝑟(𝑛) such that:
 $\left|\Pr_{K \leftarrow \{0,1\}^n}[B(G(K)) = 1] - \Pr_{R \leftarrow \{0,1\}^{n+1}}[B(R) = 1]\right| > \frac{1}{q(n) \cdot l(n)}$.
Stream Ciphers: PRG expansion
 𝐵(𝑥₁ … 𝑥ₙ₊₁):
 Let $R_{i+1} = x_{n+1}$, $R_{i+2} = G(x_1 \ldots x_n)[n+1]$, $R_{i+3} = G(G(x_1 \ldots x_n)[1 \ldots n])[n+1]$, …
 Let $R_1 = r_1, \ldots, R_i = r_i$, where $r_1, \ldots, r_i$ are independent random bits.
 Execute 𝐴 with the input $R_1, \ldots, R_n$. Output 1 iff 𝐴 outputs 1.
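Added example (not from the slides): the chained construction 𝐺′ and the hybrid adversary 𝐵 of the proof, in Python. The one-bit-stretch 𝐺 is a truncated SHA-256 standing in for a secure PRG; that stand-in, the seed and the stretch 𝑙 are assumptions for illustration only.

```python
import hashlib
import secrets

# Stand-in for the one-bit-stretch PRG G: {0,1}^n -> {0,1}^(n+1).
# Constructed for illustration: a truncated SHA-256 is not a proven PRG,
# it only plays the role of G so that the chaining can be exercised.
def G(seed: str) -> str:
    n = len(seed)
    digest = hashlib.sha256(seed.encode("ascii")).digest()
    return "".join(f"{b:08b}" for b in digest)[: n + 1]

def G_prime(seed: str, l: int) -> str:
    """G' from the slides: each call of G yields n+1 bits; bit n+1 is the
    next output bit R_j and bits 1..n seed the following call."""
    n = len(seed)
    state, out = seed, []
    while len(out) < l:
        y = G(state)
        out.append(y[n])      # R_j = G(state)[n+1]
        state = y[:n]         # G(state)[1..n] feeds the next G
    return "".join(out)

def hybrid_input(x: str, i: int, l: int, rand_bits: str) -> str:
    """The l-bit string B hands to A at hybrid i, given the (n+1)-bit
    challenge x: R_1..R_i are the supplied random bits, R_{i+1} = x_{n+1},
    and R_{i+2}, R_{i+3}, ... continue the G chain from x_1..x_n."""
    n = len(x) - 1
    if not (0 <= i < l) or len(rand_bits) != i:
        raise ValueError("need 0 <= i < l and exactly i random bits")
    R = list(rand_bits) + [x[n]]
    state = x[:n]
    while len(R) < l:
        y = G(state)
        R.append(y[n])
        state = y[:n]
    return "".join(R)

def B(x: str, i: int, l: int, A) -> int:
    """Reduction adversary B: draw r_1..r_i, build the hybrid, copy A's verdict."""
    r = "".join(secrets.choice("01") for _ in range(i))
    return 1 if A(hybrid_input(x, i, l, r)) == 1 else 0

if __name__ == "__main__":
    K = "10110010"   # constructed 8-bit seed
    # Hybrid 0 on a real G(K) reproduces G'(K) exactly; hybrid l-1 on a
    # uniform x is uniform, which is what the l-step hybrid argument needs.
    assert hybrid_input(G(K), 0, 16, "") == G_prime(K, 16)
    print(G_prime(K, 16))
```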
Stream Ciphers: Summary
 So, do secure PRGs exist?
 Not known.
 Conditional existence: Secure PRGs exist if one way functions
(OWFs) exist. Many people believe that they do.
 Example of OWF: 𝑓(𝑥, 𝑦) = 𝑥 ⋅ 𝑦 for large primes 𝑥 and 𝑦.
Types of Attacks
 Until now we have seen security analysis in a restrictive setting.
1. Secure communication
2. One-time encryption: Secret key used to send only one secret
message.
3. Ciphertext-only adversary: Adversary only listens to the public
channel.
We would like to relax these restrictions.
Types of Attacks
 We only analysed the passive adversary case, when all an
adversary does is listen to the channel. Here are some other
attack scenarios:
1. Ciphertext-only Attack: The adversary only gets to see the ciphertexts.
2. Known Plaintext Attack: The adversary gets to know the plaintexts of a few ciphertexts.
3. Chosen Plaintext Attack (CPA): The adversary is capable of obtaining ciphertexts for messages of its choice.
4. Chosen Ciphertext Attack (CCA): The adversary can obtain decryptions of ciphertexts of its choice.
Types of Attacks: KPA
 Known Plaintext Attack (KPA): Examples
 The plaintext may be deduced from the context.
 Alice sends Bob a message “Meet me at the coffee shop at 5pm”. Eve observes Alice and Bob at the coffee shop at 5pm and deduces the plaintext.
 The plaintext may be made public after the secrecy of the message becomes irrelevant.
 Alice sends Bob a message “Meet me at the coffee shop at 5pm”. Once the meeting is over, Alice makes the plaintext public, as it is no longer required to keep it a secret.
 On the other hand, Alice keeps using the same key for future communication with Bob.
Types of Attacks: CPA
 Chosen Plaintext Attack (CPA): Examples
 In World War II, the English would mine specific areas. This would provoke a response from the Germans, who would sweep that area.
 A router may be programmed to encrypt any packet that it
sends.
 An email program may forward an email after encryption.
Types of Attacks: CCA
 Chosen Ciphertext Attack (CCA): Examples
 Eve sends an arbitrarily chosen ciphertext and observes Bob's behaviour to figure out the plaintext.
 Cases where encryption is used as an authentication mechanism: a person may be authenticated by demonstrating that they can successfully decrypt an encrypted message.
