1. Cryptography
Lecture 5

2. Perfect indistinguishability
Let =(Gen, Enc, Dec) be an encryption scheme with message space M, and let A be an adversary/algorithm
Define a randomized exp’t PrivKA,:
A outputs m0, m1  M
k  Gen, b  {0,1}, c  Enck(mb)
b’  A(c)
Adversary A succeeds if b = b’, and we say the experiment evaluates to 1 in this case
Challenge ciphertext

3. Perfect indistinguishability
Easy to succeed with probability ½ …
Scheme  is perfectly indistinguishable if for all attackers (algorithms) A, it holds that Pr[PrivKA, = 1] = ½

4. Perfect indistinguishability
Claim:  is perfectly indistinguishable   is perfectly secret
I.e., perfect indistinguishability is just an alternate definition of perfect secrecy

5. Computational secrecy?
Idea: relax perfect indistinguishability
Two approaches
Concrete security
Asymptotic security

6. Computational indistinguishability (concrete)
(t, )-indistinguishability:
Security may fail with probability ≤ 
Restrict attention to attackers running in time ≤ t
Or, t CPU cycles

7. Computational indistinguishability (concrete version)
 is (t, )-indistinguishable if for all attackers A running in time at most t, it holds that Pr[PrivKA, = 1] ≤ ½ + 
Note: (, 0)-indistinguishable = perfect indistinguishability
Relax definition by taking t <  and  > 0

8. Concrete security
Parameters t,  are what we ultimately care about in the real world
Does not lead to a clean theory...
Sensitive to exact computational model
 can be (t, )-secure for many choices of t, 
Would like to have schemes where users can adjust the achieved security as desired

9. Asymptotic security Introduce security parameter n
For now, think of n as the key length
Chosen by honest parties when they generate/share key
Allows users to tailor the security level
Known by adversary
Measure running times of all parties, and the success probability of the adversary, as functions of n

10. Computational indistinguishability (asymptotic)
Security may fail with probability negligible in n
Restrict attention to attackers running in time (at most) polynomial in n

11. Definitions
A function f: Z+  Z+ is polynomial if there exists c such that f(n) < nc
A function f: Z+  [0,1] is negligible if for every polynomial p it holds that f(n) < 1/p(n) for large enough n
I.e., decays faster than any inverse polynomial
Typical example: f(n) = poly(n)∙2-cn

12. Why these specific choices?
Somewhat arbitrary
“Efficient” = “probabilistic polynomial-time (PPT)” borrowed from complexity theory
Convenient closure properties
Poly * poly = poly
A PPT algorithm making calls to PPT subroutines is PPT
Poly * negligible = negligible
Poly-many calls to subroutines that fail with negligible probability fail with negligible probability overall

13. (Re)defining encryption
A private-key encryption scheme is defined by three PPT algorithms (Gen, Enc, Dec):
Gen: takes as input 1n; outputs k. (Assume |k|≥n.)
Enc: takes as input a key k and message m{0,1}*; outputs ciphertext c c  Enck(m)
Dec: takes key k and ciphertext c as input; outputs a message m or “error”

14. Computational indistinguishability (asymptotic version)
Fix a scheme  and some adversary A
Define a randomized exp’t PrivKA,(n):
A(1n) outputs m0, m1  {0,1}* of equal length
k  Gen(1n), b  {0,1}, c  Enck(mb)
b’  A(c)
Adversary A succeeds if b = b’, and we say the experiment evaluates to 1 in this case

15. Computational indistinguishability (asymptotic version)
 is computationally indistinguishable (aka EAV-secure) if for all PPT attackers A, there is a negligible function  such that Pr[PrivKA,(n) = 1] ≤ ½ + (n)

16. Example 1
Consider a scheme where Gen(1n) generates a uniform n-bit key, and the best attack is brute-force search of the key space
So if A runs in time t(n), then Pr[PrivKA,(n) = 1] < ½ + O(t(n)/2n)
This scheme is EAV-secure! For any polynomial t, the function t(n)/2n is negligible

17. Example 2
Consider a scheme and a particular attacker A that runs for n3 minutes and breaks the scheme with probability n
This does not contradict asymptotic security
What about real-world security (against this particular attacker)?
n=40: A breaks scheme with prob. 1 in 6 weeks
n=50: A breaks scheme with prob. 1/1000 in 3 months
n=500: A breaks scheme with prob in 200 years

18. Example 3 What happens when computers get faster?
E.g., consider a scheme that takes time n2 to run but time 2n to break with prob. 1
What if computers get 4 faster?
Honest users double n and can thus maintain the same running time
Time to break scheme is squared!
Time required to break the scheme increases

19. Encryption and plaintext length
In practice, we want encryption schemes that can encrypt arbitrary-length messages
Encryption does not hide the plaintext length (in general)
The definition takes this into account by requiring m0, m1 to have the same length
But beware that leaking plaintext length can often lead to problems in the real world!
Obvious examples…
Database searches
Encrypting compressed data

20. Computational secrecy
From now on, we will assume the computational setting by default
Usually, the asymptotic setting

21. Pseudorandomness

22. Pseudorandomness
Important building block for computationally secure encryption
Important concept in cryptography

23. What does “random” mean?
What does “uniform” mean?
Which of the following is a uniform string?
If we generate a uniform 16-bit string, each of the above occurs with probability 2-16

24. What does “uniform” mean?
“Uniformity” is not a property of a string, but a property of a distribution
A distribution on n-bit strings is a function D: {0,1}n  [0,1] such that x D(x) = 1
The uniform distribution on n-bit strings, denoted Un, assigns probability 2-n to every x  {0,1}n

25. What does “pseudorandom” mean?
Informal: cannot be distinguished from uniform (i.e., random)
Which of the following is pseudorandom?
Pseudorandomness is a property of a distribution, not a string

26. Pseudorandomness (take 1)
Fix some distribution D on n-bit strings
x  D means “sample x according to D”
Historically, D was considered pseudorandom if it “passed a bunch of statistical tests”
Prx  D[1st bit of x is 1]  ½
Prx  D[parity of x is 1]  ½
Prx  D[Testi(x)=1]  Prx  Un[Testi(x)=1] for i = 1, …

27. Pseudorandomness (take 2)
This is not sufficient in an adversarial setting!
Who knows what statistical test an attacker will use?
Cryptographic def’n of pseudorandomness:
D is pseudorandom if it passes all efficient statistical tests

28. Pseudorandomness (concrete)
Let D be a distribution on p-bit strings
D is (t, )-pseudorandom if for all A running in time at most t, | Prx  D[A(x)=1] - Prx  Up[A(x)=1] | ≤ 

29. Pseudorandomness (asymptotic)
Security parameter n, polynomial p
Let Dn be a distribution over p(n)-bit strings
Pseudorandomness is a property of a sequence of distributions {Dn} = {D1, D2, … }

30. Pseudorandomness (asymptotic)
{Dn} is pseudorandom if for all probabilistic, polynomial-time distinguishers A, there is a negligible function  such that | Prx  Dn[A(x)=1] - Prx  Up(n)[A(x)=1] | ≤ (n)

31. Pseudorandom generators (PRGs)
A PRG is an efficient, deterministic algorithm that expands a short, uniform seed into a longer, pseudorandom output
Useful whenever you have a “small” number of true random bits, and want lots of “random-looking” bits

32. PRGs
Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x|
seed G
output