1. Cryptography
Lecture 6

2. Pseudorandom generators (PRGs)
Let G be an efficient, deterministic algorithm that expands a short seed into a longer output
Specifically, let |G(x)| = p(|x|)
G is a PRG if: when the distribution of x is uniform, the distribution of G(x) is “indistinguishable from uniform”
Useful whenever you have a “small” number of true random bits, and want lots of “random-looking” bits
Note that G(x) is very far from uniform

3. PRGs
I.e., for all efficient distinguishers A, there is a negligible function  such that | Prx  Un[A(G(x))=1] - Pry  Up(n)[A(y)=1] | ≤ (n)
I.e., no efficient A can distinguish whether it is given G(x) (for uniform x) or a uniform string y!

4. Example (insecure PRG)
Let G(x) = 0….0
Distinguisher?
Analysis?

5. Example (insecure PRG)
Let G(x) = x | OR(bits of x)
Distinguisher?
Analysis?

6. Stream ciphers As defined, PRGs are limited
They have fixed-length output
They produce the entire output in “one shot”
In practice, PRGs are based on stream ciphers
Can be viewed as producing an “unbounded” stream of pseudorandom bits, on demand
More flexible, more efficient
See book for details; will revisit later

7. Do PRGs/stream ciphers exist?
We don’t know…
Would imply P  NP
We will assume certain algorithms are PRGs
Recall the 3 principles of modern crypto…
This is what is done in practice
We will return to this later in the course
Can construct PRGs from weaker assumptions
For details, see Chapter 7

8. Where things stand
We saw that there are some inherent limitations if we want perfect secrecy
In particular, key must be as long as the message
We defined computational secrecy, a relaxed notion of security
Can we overcome prior limitations?

9. Recall: one-time pad
p bits
key
p bits
p bits 
message
ciphertext

10.  “Pseudo” one-time pad n bits key p bits G “pseudo” key p bits p bits
message
ciphertext

11. Pseudo one-time pad
Let G be a deterministic algorithm, with |G(k)| = p(|k|)
Gen(1n): output uniform n-bit key k
Security parameter n  message space {0,1}p(n)
Enck(m): output G(k)  m
Deck(c): output G(k)  c
Correctness is obvious…

12. Security of pseudo-OTP?
Would like to be able to prove security
Based on the assumption that G is a PRG

13. Definitions, proofs, and assumptions
We’ve defined computational secrecy
Our goal is to prove that the pseudo OTP meets that definition
We are unable to prove this unconditionally
Beyond our current techniques…
Anyway, security clearly depends on G
Can hope to prove security based on the assumption that G is a pseudorandom generator

14. PRGs, revisited
Let G be an efficient, deterministic function with |G(k)| = p(|k|)
k  Un
y  Up(n) G D y b
For any efficient D, the probabilities that D outputs 1 in each case must be close

15. Proof by reduction Assume G is a pseudorandom generator
Assume toward a contradiction that there is an efficient attacker A who “breaks” the pseudo-OTP scheme (as per the definition)
Use A as a subroutine to build an efficient D that “breaks” pseudorandomness of G
By assumption, no such D exists!
 No such A can exist

16. Alternately… Assume G is a pseudorandom generator
Fix some arbitrary, efficient A attacking the pseudo-OTP scheme
Use A as a subroutine to build an efficient D attacking G
Relate the distinguishing probability of D to the success probability of A
By assumption, the distinguishing probability of D must be negligible
 Bound the success probability of A

17. Security theorem
If G is a pseudorandom generator, then the pseudo one-time pad Π is EAV-secure (i.e., computationally indistinguishable)

18. The reduction y D
m0, m1
b←{0,1} mb c b’ A
if (b=b’) output 1

19. Analysis
If A runs in polynomial time, then so does D

20. Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
Claim: if distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)
 Prx ← Un[D(G(x))=1] = µ(n)

21. The reduction k  Un y G -Enc m0, m1 b←{0,1} mb c b’ A
if (b=b’) output 1 D

22. Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
If distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)
 Prx ← Un[D(G(x))=1] = µ(n)
If distribution of y is uniform, then A succeeds with probability exactly ½
 Pry ← Up(n)[D(y)=1] = ½

23. The reduction y  Up(n) y OTP-Enc m0, m1 b←{0,1} mb c b’ A
if (b=b’) output 1 D

24. Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
If distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)
 Prx ← Un[D(G(x))=1] = µ(n)
If distribution of y is uniform, then A succeeds with probability exactly ½
 Pry ← Up(n)[D(y)=1] = ½
Since G is pseudorandom:
| µ(n) – ½ | ≤ negl(n)
Pr[PrivKA,Π(n) = 1] ≤ ½ + negl(n)

25. Stepping back… Proof that the pseudo OTP is secure…
We have a provably secure scheme, rather than a heuristic construction!

26. Stepping back… Proof that the pseudo OTP is secure… …with some caveats
Assuming G is a pseudorandom generator
Relative to our definition
The only way the scheme can be broken is:
If a weakness is found in G
If the definition isn’t sufficiently strong…

27. Have we gained anything?
YES: the pseudo-OTP has a key shorter than the message
n bits vs. p(n) bits
The fact that the parties internally generate a p(n)-bit temporary string to encrypt/decrypt is irrelevant
The key is what the parties share in advance
In real-world implementation, could avoid storing entire p(n)-bit temporary value

28. Recall… Perfect secrecy has two limitations/drawbacks
Key as long as the message
Key can only be used once
We have seen how to circumvent the first
The pseudo OTP still has the second limitation (for the same reason as the OTP)
How can we circumvent the second?

29. But first… Develop an appropriate security definition
Recall that security definitions have two parts
Security goal
Threat model
We will keep the security goal the same, but strengthen the threat model

30. Single-message secrecyk k m
c  Enck(m)

31. Multiple-message secrecy
c1, …, ct k k
m1, …, mt
c1  Enck(m1) … ct  Enck(mt)

32. A formal definition Fix , A
Define a randomized exp’t PrivKmultA,(n):
A(1n) outputs two vectors (m0,1, …, m0,t) and (m1,1, …, m1,t)
Required that |m0,i| = |m1,i| for all i
k  Gen(1n), b  {0,1}, for all i: ci  Enck(mb,i)
b’  A(c1, …, ct); A succeeds if b = b’, and experiment evaluates to 1 in this case

33. A formal definition
 is multiple-message indistinguishable if for all PPT attackers A, there is a negligible function  such that Pr[PrivKmultA,(n) = 1] ≤ ½ + (n)
Exercise: show that the pseudo-OTP is not multiple-message indistinguishable

34. Multiple-message secrecy
No deterministic, stateless encryption scheme is multiple-message indistinguishable
Proof?

35. Multiple-message secrecy
We are not going to work with multiple-message secrecy
Instead, define something stronger: security against chosen-plaintext attacks (CPA-security)
Nowadays, this is the minimal notion of security an encryption scheme should satisfy

36. CPA-security c c2 c1 k k m c  Enck(m) c1  Enck(m1) m2 m1

37. Is the threat model too strong?
In practice, there are many ways an attacker can influence what gets encrypted
Not clear how best to model
Chosen-plaintext attacks encompass any such influence
Moreover, in some cases an attacker may have significant control over what gets encrypted