1. B504/I538: Introduction to Cryptography
Spring • Lecture 7
(2017—01—31)

2. About security!
Free pizza+brownies!
Next Thursday!

3. Assignment 1 is due! Assignment 2 is out and is due in two weeks!
(2017—02—14)
(Please get started early!!)

4. Recall: Stream cipher
Idea: Replace the truly random pad used by the OTP encryption scheme with a pseudorandom pad
Let G：{0，1}*→{0，1}* be a PRG with expansion factor ℓ
Plaintexts / ciphertexts are ℓ(n)-bit strings; key is an n-bit string
Gen(1ⁿ) outputs a uniform random key k∊{0，1}ⁿ
Enck(m) computex XOR of m and G(k); that is, c≔m⊕G(k)
Deck(m) computes XOR of c and G(k); that is, m≔c⊕G(k)

5. Indistinguishability against eavesdroppers
onetime indistinguishability game
Challenger (C)
Attacker (A) 1n 1n
k←Gen(1ⁿ)
b∊{0，1}
c←Enck(mb)
m0，m1∈{0，1}ⁿ b'
Advonetime(A)≔∣Pr[b≟b’]−½∣

6. Indistinguishability against eavesdroppers
Defⁿ: An encryption scheme (Gen，Enc，Dec) has indistinguishable encryptions in the presence of an eavesdropper if, for every PPT algorithm Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that
Advonetime(Ａ)≤ε(n)

7. Pseudorandom generators (PRGs)
Informally, a PRG is a deterministic algorithm that , on input a truly random n- bit seed, outputs a “random looking” ℓ(n)-bit stream for some ℓ(n)>n
Q: How de we formalize the notion of a string being “random looking”?
A: Very carefully...

8. k∊{0，1}ⁿ r≔G(k) r∊{0，1}ℓ(n)
Game 0:
Challenger (C)
Attacker (Ａ) 1n 1n
k∊{0，1}ⁿ
r≔G(k) r b'
Game 1:
Challenger (C)
Attacker (Ａ) 1n 1n
r∊{0，1}ℓ(n) r b'
Defⁿ: AdvPRG(Ａ)≔|1/2 - Pr[b’=0 in game 0 or b’=1 in game 1]|

9. Distinguishing distributions
What tactics might the distinguisher employ?
Output 0 if hamming weight of r is “implausibly” large or small
Output 0 if substring “00” occurs implausibly often in r
Output 0 if r contains a run of more than 2 lg|r| consecutive 0s
And so on and so forth…
Q: Which set of tests is the correct one to consider?
Fact: Given any fixed set of tests, it is easy to construct G that passes them all, yet is easily distinguished using some other test

10. Fixed-expansion PRG
Defⁿ: Let G：{0，1}*→{0，1}* and let ℓ：ℕ→ℕ be a pair of deterministic functions such that，∀n∈ℕ and ∀k∈{0，1}ⁿ, G(k)∈{0，1}ℓ(n).
Then G is a fixed-expansion pseudorandom generator (PRG) if:
∀n∈ℕ, ℓ(n)>n (ℓ is called the expansion factor of G)
For every PPT algorithm Ａ, there is a negligible function ε：ℕ→ℝ⁺ such that AdvPRG(Ａ)≤ε(n)

11. Computational indistinguishability
Defⁿ: Two probability ensembles {Xn}n∈ℕ and {Yn}n∈ℕ are (computationally) indistinguishable if, for every PPT algorithm Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that
|Pr[Ａ(Xn)=1]−Pr[Ａ(Yn)=1]|≤ε(n)

12. Fixed-expansion PRG (alt． defⁿ)
Defⁿ: Let G：{0，1}*→{0，1}* and ℓ：ℕ→ℕ be a pair of deterministic functions such that，∀n∈ℕ and ∀k∈{0，1}ⁿ, G(k)∈{0，1}ℓ(n).
Then G is a fixed-expansion pseudorandom generator (PRG) if:
∀n∈ℕ, ℓ(n)>n (ℓ is called the expansion factor of G)
The distribution ensembles
{G(Un)}n∈ℕ and {Uℓ(n)}n∈ℕ
are computationally indistinguishable, where for each n∈ℕ, Un denotes the uniform distribution.

13. ?? An example of a PRG? Q: How do we prove that G is not a PRG?
“concatenation”
Example: Define G：{0，1}*→{0，1}* s．t． G(k)≔k∥(k1⊕k2⊕⋯⊕k|k|) where ki denotes the ith bit of k
Expansion factor: ℓ(s)=s+1
Is G a PRG?
Q: How do we prove that G is not a PRG?
A: Construct an efficient distinguisher!
D(r) output 1 if and only if the XOR of all bits in r is 0
AdvPRG(D) =
NO! ??
| 1−1/2| =1/2 (which is not negligible!)

14. That’s all for today, folks!