
Secrecy of (fixed-length) stream ciphers



Presentation on theme: "Secrecy of (fixed-length) stream ciphers"— Presentation transcript:

1 Secrecy of (fixed-length) stream ciphers
Thm: If G is a PRG, then the fixed-length stream cipher (Gen, Enc, Dec) described below has indistinguishable encryptions in the presence of an eavesdropper.
- Plaintexts and ciphertexts are ℓ(s) bits long; keys are just s bits long
- Gen(1^s) outputs a uniform random key k ∈_R {0, 1}^s
- Enc_k(m) exclusive-ORs the message and G(k); that is, c := m ⊕ G(k)
- Dec_k(c) exclusive-ORs the ciphertext and G(k); that is, m := c ⊕ G(k)
Q: How do we prove the theorem?
A: Using a "reduction" proof!

2 Stream cipher to PRG reduction
- Assume the stream cipher is insecure
- Construct a distinguisher D for G that uses attacker A as a subroutine
- Prove that D is efficient and has non-negligible advantage
- Conclude that G is not a PRG, a contradiction
Distinguisher (D) is given a string r (truly random or output of the PRG?) and runs Attacker (A):
- D sends A the security parameter 1^|r|
- A sends D two messages m_0, m_1
- D chooses b ∈_R {0, 1} and sends A the ciphertext c := r ⊕ m_b
- A outputs a guess b'
- D outputs 1 if b = b', and 0 if b ≠ b'

3 Stream cipher to PRG reduction
Proof (sketch): Assume the stream cipher is not secure.
- If r ∈_R {0, 1}^ℓ(s), then Adv_eav(A) = 0 (this is just the OTP!)
- If r = G(k) for k ∈_R {0, 1}^s, then Adv_eav(A) = μ(s)
- Hence, Adv_PRG(D) = |(1/2 + 0) − (1/2 + μ(s))| = μ(s), which is not negligible (by the assumption that the stream cipher is not secure); hence, G is not a PRG.

4 Variable-length PRGs
Defn: Let G: {0, 1}* × 1^ℕ → {0, 1}* be such that, for all n, t ∈ ℕ and all k ∈ {0, 1}^n, G(k, 1^t) has length t, and for all t_1, t_2 ∈ ℕ with t_1 < t_2, G(k, 1^{t_1}) is a prefix of G(k, 1^{t_2}). Then G is a variable-length PRG if, for every positive integer-valued polynomial ℓ: ℕ → ℕ with ℓ(n) > n for all n ∈ ℕ, we have that G(k, 1^{ℓ(|k|)}) is a fixed-length PRG with expansion factor ℓ(n).

5 Multi-message indistinguishability
- Stream ciphers (so far) share the "one-time" key limitation with the OTP
- If the same key is used to encrypt several messages, then the attacker can launch attacks as in Assignment 1
- Attacker power: "chosen-plaintext attacks" (CPA); we let the attacker obtain encryptions of arbitrary messages of the attacker's choosing
- Attacker's goal: break the semantic security of the cipher

6 Multi-message indistinguishability
Challenger (C) and Attacker (A) both receive 1^s; C computes k ← Gen(1^s) and chooses b ∈_R {0, 1}.
- A sends m_1^0, m_1^1 ∈ M with |m_1^0| = |m_1^1|; C returns c_1 ← Enc_k(m_1^b)
- A sends m_2^0, m_2^1 ∈ M with |m_2^0| = |m_2^1|; C returns c_2 ← Enc_k(m_2^b)
- ... (the challenger keeps using the same b throughout!)
- A sends m_q^0, m_q^1 ∈ M with |m_q^0| = |m_q^1|; C returns c_q ← Enc_k(m_q^b)
- A outputs b' ∈ {0, 1}
Define A's advantage to be Adv_CPA(A) := |Pr[b = b'] − 1/2|

7 Multi-message indistinguishability
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if Adv_CPA(A) is negligible for every PPT attacker A.
Also called indistinguishability in the presence of chosen-plaintext attacks (IND-CPA security).

8 IND-CPA insecurity of our stream ciphers
Challenger (C) and Attacker (A) both receive 1^s; C computes k ← Gen(1^s) and chooses b ∈_R {0, 1}.
- A sends the pair m_0, m_0 (with m_0 ∈ M); C returns c_1 ← Enc_k(m_0)
- A sends the pair m_0, m_1 (with m_1 ∈ M and |m_0| = |m_1|); C returns c_2 ← Enc_k(m_b)
- A outputs b' = 0 if c_1 = c_2, and b' = 1 if c_1 ≠ c_2
Since Enc is deterministic, c_1 = c_2 exactly when b = 0, so Pr[b = b'] = 1 and Adv_CPA(A) = |1 − 1/2| = 1/2 (which is not negligible!)

9 Achieving IND-CPA security
- The attack on stream ciphers succeeds because encryption is deterministic
- Idea: Randomize Enc so that encrypting plaintext m twice gives different ciphertexts (with overwhelming probability), so that each plaintext has super-polynomially many possible ciphertexts
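The slide 8 attack and the slide 9 fix, as an added Python example that is not part of the original presentation: a SHA-256 counter-mode keystream is assumed as a toy stand-in for G (not a proven PRG), the IND-CPA game of slide 6 is simulated, and the repeated-query attacker is run against both the deterministic stream cipher and a variant that prepends a fresh random value r to each encryption.

```python
import hashlib
import secrets

def prg(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for G: SHA-256 in counter mode (assumption, not a proven PRG)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(k: bytes, m: bytes) -> bytes:
    """Slide 1 stream cipher: c := m XOR G(k). The same (k, m) always gives the same c."""
    return xor(m, prg(k, b"", len(m)))

def enc_randomized(k: bytes, m: bytes) -> bytes:
    """Slide 9 idea: a fresh random r per encryption, c := (r, m XOR G(k, r))."""
    r = secrets.token_bytes(16)
    return r + xor(m, prg(k, r, len(m)))

def repeat_attacker(oracle) -> int:
    """Slide 8 attacker: query (m0, m0), then (m0, m1), and compare the two ciphertexts."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"  # constructed sample plaintexts
    c1 = oracle(m0, m0)
    c2 = oracle(m0, m1)
    return 0 if c1 == c2 else 1

def cpa_advantage(enc, attacker, trials: int = 200) -> float:
    """Simulate the slide 6 IND-CPA game; estimate |Pr[b = b'] - 1/2| over `trials` runs."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(16)     # k <- Gen(1^s)
        b = secrets.randbits(1)         # challenger's hidden bit, fixed for the whole game
        oracle = lambda m0, m1, k=k, b=b: enc(k, m1 if b else m0)
        wins += attacker(oracle) == b
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic:", cpa_advantage(enc_deterministic, repeat_attacker))  # 0.5
    print("randomized:   ", cpa_advantage(enc_randomized, repeat_attacker))     # near 0: attacker is reduced to guessing
```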

