Secrecy of (fixed-length) stream ciphers

Presentation transcript:

Secrecy of (fixed-length) stream ciphers

Thm: If G is a PRG, then the fixed-length stream cipher (Gen, Enc, Dec) described below has indistinguishable encryptions in the presence of an eavesdropper.

Plaintexts and ciphertexts are ℓ(s) bits long; keys are just s bits long.
Gen(1^s) outputs a uniform random key k ∈_R {0, 1}^s
Enc_k(m) exclusive-ORs the message and G(k); that is, c := m ⊕ G(k)
Dec_k(c) exclusive-ORs the ciphertext and G(k); that is, m := c ⊕ G(k)

Q: How do we prove the theorem?
A: Using a "reduction" proof!

Stream cipher to PRG reduction

Assume the stream cipher is insecure
Construct a distinguisher D for G that uses the attacker A as a subroutine
Prove that D is efficient and has non-negligible advantage
Conclude that G is not a PRG, a contradiction

The reduction, as an interaction between Distinguisher (D) and Attacker (A):
D receives r (truly random, or the output of the PRG?)
D runs A on input 1^|r|
A sends D a pair of messages m0, m1
D picks b ∈_R {0, 1} and sends A the challenge c := r ⊕ m_b
A returns its guess b'
D outputs 1 if b = b', and 0 if b ≠ b'

Stream cipher to PRG reduction

Proof (sketch): Assume the stream cipher is not secure.
If r ∈_R {0, 1}^ℓ(s), then Adv_eav(A) = 0 (this is just the OTP!)
If r = G(k) for k ∈_R {0, 1}^s, then Adv_eav(A) = μ(s)
Hence, Adv_PRG(D) = |(1/2 + 0) − (1/2 + μ(s))| = μ(s), which is not negligible (by the assumption that the stream cipher is not secure); hence, G is not a PRG.
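The reduction on the two slides above, written out as runnable code. This is an added example, not code from the lecture: it builds the slides' fixed-length stream cipher Enc_k(m) = m ⊕ G(k) over two candidate G's (SHAKE128 as a stand-in for a secure PRG, and a deliberately broken "repeat the key" G, both assumptions of this example), defines the distinguisher D exactly as on the slide (run A on 1^|r|, pick b, hand A the challenge r ⊕ m_b, output 1 iff A guesses b), and estimates Adv_PRG(D) by sampling. The attacker A here is a hypothetical one tailored to the broken G; the point is that whatever eavesdropper A exists, D inherits its advantage.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive-OR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Two candidate G's mapping an s-byte key to l(s) bytes (assumptions of this
# example, not from the slides): shake_prg uses SHAKE128 as a stand-in for a
# secure PRG; repeat_prg is deliberately broken (it just repeats the key).
def shake_prg(k: bytes, out_len: int) -> bytes:
    return hashlib.shake_128(k).digest(out_len)


def repeat_prg(k: bytes, out_len: int) -> bytes:
    return (k * (out_len // len(k) + 1))[:out_len]


# The fixed-length stream cipher from the slide: Enc_k(m) = m xor G(k).
def enc(prg, k: bytes, m: bytes) -> bytes:
    return xor(m, prg(k, len(m)))


def dec(prg, k: bytes, c: bytes) -> bytes:
    return xor(c, prg(k, len(c)))


class PeriodAttacker:
    """Hypothetical eavesdropper A aimed at repeat_prg: it picks m0 = 0^l and a
    random m1, so c = G(k) exactly when b = 0, and G(k) is key_len-periodic."""

    def __init__(self, key_len: int):
        self.key_len = key_len

    def choose(self, msg_len: int):
        self.m0 = bytes(msg_len)
        self.m1 = secrets.token_bytes(msg_len)
        return self.m0, self.m1

    def guess(self, c: bytes) -> int:
        n = self.key_len
        return 0 if c[:n] == c[n:2 * n] else 1


def distinguisher(r: bytes, attacker) -> int:
    """D from the slide: given r, run A on 1^|r|, play the eavesdropper game
    with r as the pad, and output 1 iff A guesses b correctly."""
    m0, m1 = attacker.choose(len(r))
    b = secrets.randbelow(2)
    c = xor(r, (m0, m1)[b])
    return 1 if attacker.guess(c) == b else 0


def estimate_prg_advantage(prg, key_len=4, out_len=16, trials=2000) -> float:
    """Adv_PRG(D) ~ |Pr[D(G(k)) = 1] - Pr[D(r) = 1]|, estimated by sampling."""
    atk = PeriodAttacker(key_len)
    on_prg = sum(distinguisher(prg(secrets.token_bytes(key_len), out_len), atk)
                 for _ in range(trials)) / trials
    on_rand = sum(distinguisher(secrets.token_bytes(out_len), atk)
                  for _ in range(trials)) / trials
    return abs(on_prg - on_rand)


if __name__ == "__main__":
    k = secrets.token_bytes(4)
    m = b"sixteen byte msg"  # constructed sample plaintext
    assert dec(shake_prg, k, enc(shake_prg, k, m)) == m
    print("repeat_prg:", estimate_prg_advantage(repeat_prg))  # about 0.5
    print("shake_prg: ", estimate_prg_advantage(shake_prg))   # about 0
```

Against repeat_prg, A wins the eavesdropper game almost always, so D outputs 1 on PRG outputs about always but only half the time on truly random r: Adv_PRG(D) is about 1/2, mirroring the slide's Adv_PRG(D) = μ(s). Against shake_prg the same A is reduced to guessing and D's advantage vanishes, which is the contrapositive direction of the theorem.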

Variable-length PRGs

Defn: Let G: {0, 1}* × 1^ℕ → {0, 1}* be such that ∀ n, t ∈ ℕ and ∀ k ∈ {0, 1}^n, G(k, 1^t) has length t, and ∀ t1, t2 ∈ ℕ with t1 < t2, G(k, 1^t1) is a prefix of G(k, 1^t2). Then G is a variable-length PRG if, for every positive integer-valued polynomial ℓ: ℕ → ℕ with ℓ(n) > n for all n ∈ ℕ, we have that G(k, 1^ℓ(|k|)) is a fixed-length PRG with expansion factor ℓ(n).

Multi-message indistinguishability

Stream ciphers (so far) share the "one-time" key limitation with the OTP
If the same key is used to encrypt several messages, then the attacker can launch attacks as in Assignment 1
Attacker power: "chosen-plaintext attacks" (CPA)
We let the attacker obtain encryptions of arbitrary messages of the attacker's choosing
Attacker's goal: break the semantic security of the cipher

Multi-message indistinguishability

The game between Challenger (C) and Attacker (A), both given 1^s:
C computes k ← Gen(1^s) and picks b ∈_R {0, 1}
A sends m10, m11 ∈ M with |m10| = |m11|; C replies with c1 ← Enc_k(m1b)
A sends m20, m21 ∈ M with |m20| = |m21|; C replies with c2 ← Enc_k(m2b)
⋮
A sends mq0, mq1 ∈ M with |mq0| = |mq1|; C replies with cq ← Enc_k(mqb)
A outputs b' ∈ {0, 1}
The challenger keeps using the same b throughout!

Define A's advantage to be Adv_CPA(A) := |Pr[b = b'] − 1/2|

Multi-message indistinguishability

Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if Adv_CPA(A) is negligible for every PPT attacker A.

Also called indistinguishability in the presence of chosen-plaintext attacks (IND-CPA security).

IND-CPA insecurity of our stream ciphers

The game between Challenger (C) and Attacker (A), both given 1^s:
C computes k ← Gen(1^s) and picks b ∈_R {0, 1}
A sends the pair m0, m0 with m0 ∈ M; C replies with c1 ← Enc_k(m0)
A sends the pair m0, m1 with m1 ∈ M and |m0| = |m1|; C replies with c2 ← Enc_k(mb)
A outputs 0 if c1 = c2, and 1 if c1 ≠ c2

Adv_CPA(A) = |1 − 1/2| = 1/2 (which is not negligible!)

Achieving IND-CPA security

The attack on stream ciphers succeeds because encryption is deterministic: the same m0 under the same key always yields the same ciphertext.
Idea: Randomize Enc so that encrypting plaintext m twice gives different ciphertexts (with overwhelming probability); that is, each m has super-polynomially many possible ciphertexts.
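The multi-message game, the two-query attacker from the "IND-CPA insecurity" slide, and the "randomize Enc" idea from the last slide, together in one added example (not code from the lecture). The challenger fixes k and b once and answers every equal-length query pair with Enc_k(m_ib), exactly as in the game above; the attacker queries (m0, m0) and then (m0, m1) and outputs 0 iff the two ciphertexts coincide. The randomized scheme is a hypothetical illustration of the idea only: it draws a fresh r per encryption, derives the pad from G(k || r), and ships r with the ciphertext. G is SHAKE128 as a stand-in PRG, and the plaintexts are constructed samples; all of these are assumptions of this example.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive-OR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def prg(seed: bytes, out_len: int) -> bytes:
    """SHAKE128 as a stand-in for the PRG G (assumption, not from the slides)."""
    return hashlib.shake_128(seed).digest(out_len)


class DeterministicStreamCipher:
    """The slides' stream cipher: c = m xor G(k). Same key, same m -> same c."""
    KEY_LEN = 16

    def gen(self) -> bytes:
        return secrets.token_bytes(self.KEY_LEN)

    def enc(self, k: bytes, m: bytes) -> bytes:
        return xor(m, prg(k, len(m)))

    def dec(self, k: bytes, c: bytes) -> bytes:
        return xor(c, prg(k, len(c)))


class RandomizedStreamCipher(DeterministicStreamCipher):
    """Hypothetical illustration of 'randomize Enc': a fresh random r per
    encryption, pad = G(k || r), and r is sent along so Dec can recompute it.
    This is an assumption of the example, not a construction from the slides."""
    R_LEN = 16

    def enc(self, k: bytes, m: bytes) -> bytes:
        r = secrets.token_bytes(self.R_LEN)
        return r + xor(m, prg(k + r, len(m)))

    def dec(self, k: bytes, c: bytes) -> bytes:
        r, body = c[:self.R_LEN], c[self.R_LEN:]
        return xor(body, prg(k + r, len(body)))


def cpa_advantage(scheme, attacker, trials: int = 1000) -> float:
    """Play the multi-message game: the challenger fixes k and b once, answers
    every (m_i0, m_i1) query with Enc_k(m_ib), and the attacker finally outputs
    b'. Returns the sampled |Pr[b = b'] - 1/2|."""
    wins = 0
    for _ in range(trials):
        k = scheme.gen()
        b = secrets.randbelow(2)

        def challenge(m0: bytes, m1: bytes) -> bytes:
            assert len(m0) == len(m1), "query pair must have equal length"
            return scheme.enc(k, (m0, m1)[b])

        if attacker(challenge) == b:
            wins += 1
    return abs(wins / trials - 0.5)


def two_query_attacker(challenge) -> int:
    """The attacker from the IND-CPA insecurity slide: query (m0, m0) to learn
    Enc_k(m0), then query (m0, m1); with deterministic Enc, c1 = c2 iff b = 0."""
    m0 = b"attack at dawn!!"   # constructed 16-byte sample plaintexts
    m1 = b"retreat at noon!"
    c1 = challenge(m0, m0)
    c2 = challenge(m0, m1)
    return 0 if c1 == c2 else 1


if __name__ == "__main__":
    print("deterministic:", cpa_advantage(DeterministicStreamCipher(), two_query_attacker))  # 0.5
    print("randomized:   ", cpa_advantage(RandomizedStreamCipher(), two_query_attacker))     # about 0
```

Against the deterministic cipher the attacker wins every game, so the sampled advantage is exactly 1/2, matching the slide. Against the randomized variant c1 and c2 differ regardless of b, so this attacker is reduced to a fixed guess and its advantage is about 0. That only shows this particular attack no longer works; proving IND-CPA for a randomized construction needs the argument the following lectures develop.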