Cryptography Lecture 5 Arpita Patra © Arpita Patra.


2 Recall >> Computational Security
- Made PPT / negligible function precise in terms of the security parameter n
- Semantic and indistinguishability security notions
- Ind-based definitions are easy to follow
- Assumptions needed for a scheme
- Pseudorandomness

3 Today’s Goal
- Pseudorandomness and PRGs
- Construction for an ind-secure scheme
- Proof: if there is a PRG, then the construction is secure according to the ind definition
  - Introduction to reduction-based proofs
  - Proof for our construction
- Shortcomings of the current construction/definition
- Better definition / better construction / better assumption?

4 Pseudorandomness
- It’s a property of a probability distribution over {0,1}^l, the set of all binary strings of length l.
- G: a probability distribution over {0,1}^l (a set of probabilities, one per string)
- U: the uniform probability distribution over {0,1}^l
- A string drawn according to U is called random; a string drawn according to G is called pseudorandom.
- Picture: a PPT distinguisher asks a sampler for G and U "give me a string" and receives w.
- G is pseudorandom if a string drawn according to G is indistinguishable from a string drawn according to U to a PPT distinguisher.

5 Pseudorandom Generators (PRGs)
- A PRG is a deterministic PPT algorithm G: on a seed s ←R {0,1}^n (chosen uniformly) it outputs G(s) ∈ {0,1}^l(n), where l is a polynomial.
- Let G be the distribution on l(n)-bit strings obtained by sampling s uniformly and running G(s).
- G is a PRG if the distribution G is pseudorandom and l(n) > n for every n.
- l(): expansion factor of G
- Requirements:
  1. Expansion: for every n, l(n) > n
  2. Pseudorandomness: G(s) “looks like” a truly random string

6 PRG Security
- The experiment: a PPT distinguisher D asks the challenger "a string of length l(n) please". The challenger picks a bit b:
  - b = 0: y ←R {0,1}^l(n) (oracle U: the uniform distribution over {0,1}^l(n))
  - b = 1: s ←R {0,1}^n, y := G(s) (G: the probability distribution over {G(s) : s ←R {0,1}^n})
  D receives y and has to answer "how did I select it?".
- G is a PRG if for every PPT D there is a negligible function negl such that
  | Pr[D(r) = 1] − Pr[D(G(s)) = 1] | ≤ negl(n),   r ←R {0,1}^l(n), s ←R {0,1}^n
- The first probability is taken over the random choice of r and the randomness of D; the second over the random choice of s and the randomness of D.

7 Let us try to construct a PRG…
- Designing a PRG is a hard nut to crack.
- Attempt: s ←R {0,1}^n, s’ = s1 ⊕ s2 ⊕ … ⊕ sn, G(s) = s || s’. Expansion factor: n+1.
- Is G a PRG? Do you see a good distinguisher?
- D, on input y ∈ {0,1}^(n+1) ("random or generated by G?"): is the final bit of y the XOR of the preceding bits? Yes: D outputs 1 (y generated by G). No: D outputs 0 (y random).
- If y is generated by G, D outputs 1 with probability 1: Pr[D(G(s)) = 1] = 1, s ←R {0,1}^n.
- If y is truly random, D outputs 1 with probability ½: Pr[D(r) = 1] = ½, r ←R {0,1}^(n+1).
- | Pr[D(r) = 1] − Pr[D(G(s)) = 1] | = ½, which is non-negligible.
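As an added example (not part of the lecture slides), the parity construction and the distinguisher D from this slide in Python; the two probabilities are computed exactly by enumerating every seed and every (n+1)-bit string, so it covers any small n rather than one drawn case. The function names are my own.

```python
"""Added example: the n -> n+1 'PRG' G(s) = s || (s1 XOR ... XOR sn) and the
distinguisher that checks the parity bit. Not code from the lecture."""
from fractions import Fraction
from itertools import product


def parity_prg(s: tuple) -> tuple:
    """G(s) = s || s', where s' is the XOR of all seed bits (expansion n -> n+1)."""
    return s + (sum(s) % 2,)


def distinguisher(y: tuple) -> int:
    """D(y): output 1 ("generated by G") iff the last bit equals the XOR of the rest."""
    *prefix, last = y
    return 1 if last == sum(prefix) % 2 else 0


def advantage(n: int) -> tuple:
    """Exact values of Pr[D(G(s)) = 1], Pr[D(r) = 1] and their absolute difference,
    with s uniform over {0,1}^n and r uniform over {0,1}^(n+1) (full enumeration,
    so n should stay small, e.g. n <= 12)."""
    pseudo = Fraction(
        sum(distinguisher(parity_prg(s)) for s in product((0, 1), repeat=n)), 2 ** n
    )
    rand = Fraction(
        sum(distinguisher(r) for r in product((0, 1), repeat=n + 1)), 2 ** (n + 1)
    )
    return pseudo, rand, abs(pseudo - rand)


if __name__ == "__main__":
    p, r, gap = advantage(8)
    print(f"Pr[D(G(s))=1] = {p}, Pr[D(r)=1] = {r}, gap = {gap}")  # 1, 1/2, 1/2
```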

8 PRG can be cracked by an unbounded adversary
- Length-doubling PRG: seed s ←R {0,1}^n, G(s) ∈ {0,1}^2n. The 2^n seeds map into a set of 2^2n strings.
- Most of the 2n-length strings do not occur as an output of G.
- Probability that a random string of length 2n belongs to the range of G: ≤ 2^n / 2^2n = 2^−n.
- Can you find a strategy for an unbounded distinguisher?

9 PRG can be cracked by an unbounded adversary
- D, on input y ∈ {0,1}^2n ("random or generated by G?"), tries every seed s1, s2, …, s_{2^n} ∈ {0,1}^n: is G(s1) = y? is G(s2) = y? … is G(s_{2^n}) = y? If some seed matches, D outputs 1, i.e. labels y as pseudorandom.
- Pr[D(G(s)) = 1] = 1, s ←R {0,1}^n;  Pr[D(r) = 1] ≤ 2^−n, r ←R {0,1}^2n.
- | Pr[D(r) = 1] − Pr[D(G(s)) = 1] | ≥ 1 − 2^−n, non-negligible.
- So n must be large enough that brute force is impossible.

10 Do PRGs exist? No proof… but we strongly believe they do
- Didn’t we just say we believe something is true but don’t have a proof?
- First assumption in the course: PRGs exist. Why believe it? Because no good distinguisher is known.
- Later in the course: one-way functions (permutations) exist ⟹ PRGs exist (Goldreich-Levin, Yao). Far from practical.
- Stream ciphers: the highly practical counterpart.
- CT 4 (for 2): Define stream ciphers and describe Trivium.

11 COA-secure SKE
- K = {0,1}^n, M = C = {0,1}^l(n)
- Gen: k ←R K
- Enc: on m ∈ M, c := m ⊕ G(k), c ∈ C
- Dec: on c ∈ C, m := c ⊕ G(k)
- Correctness: Dec_k(Enc_k(m)) = m

12 Proof by Reduction
- Case 1: If Π is secure then Π’ is secure
- Case 2: If A holds then Π is secure
- Case 3: If A1 holds then A2 holds
- Case 4: If Π is secure then A holds
- Proof by contradiction / contrapositive. This entire process is a mental exercise!!
- Picture: a PPT attacker against Π’ claims "I can break Π’ with non-negligible probability f(n)"; we do not know its internal details. A PPT attacker against Π receives a challenge for Π, simulates from it a challenge of Π’ ("this is indeed an instance of Π’"), obtains a "break" with probability f(n) and turns it into a solution with probability 1/P(n).
- The probability that the PPT attacker for Π breaks security is at least f(n)/P(n) --- non-negligible.

13 Indistinguishability Based Definition: COA
- Common feature: an experiment / a game between a challenger and an adversary.
- Indistinguishability experiment PrivK^coa_{A,Π}(n), for Π = (Gen, Enc, Dec) with message space M:
  - Attacker A (run time poly(n)) says "I can break Π" and sends m0, m1 ∈ M with |m0| = |m1| (freedom to choose any pair).
  - Challenger: k ← Gen(1^n), b ← {0,1}, c ← Enc_k(mb); sends c.
  - A outputs b’ ∈ {0,1} (attacker’s guess about the encrypted message). Challenger: "let me verify".
  - Output of PrivK^coa_{A,Π}(n): 1 if b = b’ (attacker won), 0 if b ≠ b’ (attacker lost).
- All security definitions will be in Ind style. SEM security ≈ IND security.
- Π is coa-secure if for every PPT attacker A there is a negligible function negl(n) such that
  Pr[PrivK^coa_{A,Π}(n) = 1] ≤ ½ + negl(n)
- Probability is taken over the randomness used by A and the challenger.

14 Security of the PRG-based SKE
- Theorem: If G is a PRG, then Π is a fixed-length coa-secure SKE.
- Proof: on the white board.

15 What have we done so far..
- Formulated a formal definition for SKE in the computational world
- Identified the assumption needed (PRGs exist) and built a construction
- Proved security of the construction relative to the definition and the assumption
- Small key size. Key reuse??
- Let us formalize key reuse in the definition and see if the schemes we have seen satisfy the definition.

16 Multiple-message COA Security
- Experiment PrivK^coa-mult_{A,Π}(n), for Π = (Gen, Enc, Dec) with message space M:
  - Attacker A (run time poly(n)) says "I can break Π" and sends two vectors M0 = (m0,1, …, m0,t) and M1 = (m1,1, …, m1,t) (freedom to choose any pair).
  - Challenger: k ← Gen(1^n), b ← {0,1}; c1 ← Enc_k(mb,1), …, ct ← Enc_k(mb,t); sends c1, …, ct.
  - A outputs b’ ∈ {0,1} (attacker’s guess about the encrypted vector). Challenger: "let me verify".
  - Game output: 1 if b = b’ (attacker won), 0 if b ≠ b’ (attacker lost).
- Π is coa-mult-secure if for every PPT attacker A taking part in the above experiment, the probability that A wins the experiment is at most negligibly better than ½, i.e.
  Pr[PrivK^coa-mult_{A,Π}(n) = 1] ≤ ½ + negl(n)

17 Relation between Multiple-message and Single-message Security
- Experiment PrivK^coa_{A,Π}(n) is a special case of PrivK^coa-mult_{A,Π}(n): coa is the same as coa-mult with |M0| = |M1| = 1.
- Any cipher which is coa-mult-secure is also coa-secure.
- What about the converse? Not necessarily.

18 Multiple-message Security is Stronger than Single-message Security
- Attacker A against OTP in PrivK^coa-mult_{A,OTP}(n) sends M0 = (hello, hello), M1 = (hello, world).
- Challenger: k ← Gen(1^n), b ← {0,1}. If b = 0: c1 := hello ⊕ k, c2 := hello ⊕ k. If b = 1: c1 := hello ⊕ k, c2 := world ⊕ k.
- A outputs b’ = 0 if c1 = c2 and b’ = 1 if c1 ≠ c2 ("let me verify"). A always wins: Pr[PrivK^coa-mult_{A,OTP}(n) = 1] = 1.
- Why is the above attack possible? OTP is deterministic: encrypting m twice using the same key yields the same ciphertext.
- One way of showing that a security notion is stronger than another notion is to find a scheme that is secure according to the second notion but insecure according to the first notion.
- Demonstrates two things: first, proof and assumption are not enough, the right definition is important; second, determinism has limited power, randomization gives power.
- The above attack can be mounted on any cipher whose Enc algorithm is deterministic.
- Thm: If Π is a cipher whose Enc algorithm is a deterministic function of the key and the plaintext, then Π cannot have indistinguishable multiple encryptions in the presence of an eavesdropper.
- Time to go for randomization of encryption.
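Added example, not from the lecture slides: the PRG-based scheme of slide 11 (c = m ⊕ G(k)) with the two-message eavesdropper of this slide run against it, showing that the equality test works for any deterministic Enc and not only for OTP. It assumes SHAKE-128 as a stand-in for the PRG G (the lecture only assumes that some PRG exists); key length is in bytes and all function names are my own.

```python
"""Added example: PRG-based fixed-length SKE and the coa-mult attacker that
wins with probability 1 because Enc is deterministic. Not lecture code."""
import hashlib
import secrets


def G(seed: bytes, out_len: int) -> bytes:
    """Stand-in PRG (assumption: SHAKE-128): deterministic expansion of the seed."""
    return hashlib.shake_128(seed).digest(out_len)


def gen(n: int) -> bytes:
    """Gen(1^n): uniform key k from {0,1}^n (n counted in bytes here)."""
    return secrets.token_bytes(n)


def enc(k: bytes, m: bytes) -> bytes:
    """Enc_k(m) = m XOR G(k). Deterministic in (k, m): same m, same k -> same c."""
    return bytes(a ^ b for a, b in zip(m, G(k, len(m))))


def dec(k: bytes, c: bytes) -> bytes:
    """Dec_k(c) = c XOR G(k); XOR is its own inverse, so Dec_k(Enc_k(m)) = m."""
    return enc(k, c)


def coa_mult_attacker(c1: bytes, c2: bytes) -> int:
    """A's guess for M0 = (hello, hello), M1 = (hello, world): b' = 0 iff c1 == c2."""
    return 0 if c1 == c2 else 1


def run_coa_mult_experiment(n: int, trials: int) -> float:
    """Play PrivK^coa-mult `trials` times with a fresh key and uniform b each round;
    return the fraction of rounds the attacker wins (1.0 for this deterministic Enc)."""
    M0 = (b"hello", b"hello")
    M1 = (b"hello", b"world")
    wins = 0
    for _ in range(trials):
        k = gen(n)
        b = secrets.randbelow(2)
        m1, m2 = M0 if b == 0 else M1
        c1, c2 = enc(k, m1), enc(k, m2)   # key reused across both messages
        wins += coa_mult_attacker(c1, c2) == b
    return wins / trials


if __name__ == "__main__":
    print("attacker win rate:", run_coa_mult_experiment(16, 1000))  # 1.0
```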

19 What next?
- coa is not standard; we have done it for gradual progress.
- We will give an even stronger definition and construct a scheme that will be secure according to coa and coa-mult.

20 Two Assumptions and Their Implications
- PRGs exist. coa-secure SKEs exist. Do they imply that something fundamental exists?

21 One-Way Functions (OWF)
- Functions that are easy to compute but “difficult” to invert (almost always): f: {0,1}* → {0,1}*

22 One-Way Functions (OWF)
- Functions that are easy to compute but “difficult” to invert (almost always).
- Easy task: given x ←R {0,1}*, compute y = f(x).

23 One-Way Functions (OWF)
- Functions that are easy to compute but “difficult” to invert (almost always).
- Difficult task: given y ∈ {0,1}*, find x = f^−1(y).
- How to mathematically formalize the above notion? By some experiment.

24 The Inverting Experiment
- Experiment Invert_{A,f}(n), for f: {0,1}* → {0,1}*:
  - Challenger: x ←R {0,1}^n, y = f(x); sends y to the PPT A(1^n), who claims "I can invert f on any input".
  - A returns x’ (A’s guess about a pre-image of y). Challenger: "let me verify".
  - Game output: 1 if f(x’) = y (A won), 0 if f(x’) ≠ y (A lost).
- A need not find the original x to win the game --- it is sufficient to find one pre-image.

25 OWF: Mathematical Formulation
- A function f: {0,1}* → {0,1}* is an OWF if the following two conditions hold:
  - Easy to compute: for every x ∈ {0,1}*, f(x) can be computed in poly(n) time.
  - Hard to invert: for every PPT algorithm A there is a negligible function negl() such that
    Pr[Invert_{A,f}(n) = 1] ≤ negl(n), i.e. Pr[A(f(x), 1^n) ∈ f^−1(f(x))] ≤ negl(n), x ←R {0,1}^n

26 Two Assumptions and Their Implications
- CT5 (for one): If a PRG exists then an OWF exists.
- CT6 (for one): If a coa-secure SKE exists, then an OWF exists.
