1. CIS 5371 Cryptography 3b. Pseudorandomness
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

2. Pseudorandomness An introduction
A distribution D is pseudorandom if no PPT distinguisher can detect if it a string sampled according to D or chosen uniformly at random.
This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

3. Pseudorandomness An introduction
A pseudorandom generator is a deterministic algorithm that given a short truly random seed of length n will stretch it to into a longer string of length 𝑙(𝑛) that is pseudorandom.

4. Existence of pseudorandom generators
We cannot prove that pseudorandom generators exist!
We believe that such generators can be constructed from one-way functions.
There are some long-standing problems that have no efficient solution and it is believed that they are unsolvable in polynomial time.

5. Pseudorandom generators informal definition
A distribution D is pseudorandom if no PPT distinguisher can detect if it is given a string sampled according to D or a string chosen uniformly at random.
This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom string.

6. Pseudorandom generator Definition
Let 𝑙(∙) be a polynomial and 𝐺 a deterministic polynomial-time algorithm that for any 𝑛 and any input 𝑠 𝜖 {0,1 } 𝑛 will output string of length 𝑙(𝑛).
𝐺 is a pseudorandom generator if:
𝑙 𝑛 >𝑛
∀ PPT algorithm (distinguisher) 𝐷, ∃ 𝑎 negl function with:
| Pr 𝐷 𝑟 =1 − Pr 𝐷 𝐺 𝑠 =1 ≤negl(n)
where 𝑟 is uniform random string of length 𝑙 𝑛 , 𝑠 𝑖𝑠 is uniform random of length 𝑛 and the probabilities are taken over the coins used by 𝐷 and the choices of 𝑟,𝑠.

7. Stream Ciphers
A stream cipher is a deterministic algorithm (Init, GetBits) where,
Init takes as input a seed 𝑠 and an optional initialization vector 𝐼𝑉 and outputs a state 𝑠𝑡 0 .
GetBits takes as input 𝑠𝑡 𝑖 and outputs a bit 𝑦 and state 𝑠𝑡 𝑖+1 .

8. Algorithm 3.16
Construct 𝐺 𝑙 from (Init, GetBits) Input: Seed 𝑠 and optional 𝐼𝑉. Output: 𝑦 1 ,…, 𝑦 𝑙 𝑠𝑡 0 ≔ Init(𝑠,𝐼𝑉) for 𝑖=1 to 𝑙: 𝑦 𝑖 , 𝑠𝑡 𝑖 ≔ GetBits 𝑠𝑡 𝑖−1 return 𝑦 1 ,…, 𝑦 𝑙 . This can easily be modified to get a variable output pseudorandom generator 𝐺 ∞ = 𝐺 ∞ 𝑠, 1 𝑙 .

9. Discussion We use the term stream cipher for the PR stream generator,
not the encryption algorithm.
There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.

10. Discussion
The WEP encryption protocol for used RC4 and was broken.
But since then it is fixed---and the standard updated.
If RC4 has to be used the first 1024 bits or so should be discarded.

11. Discussion
From a security point of view it is advocated to use block cipher constructions for constructing secure encryption schemes.
This disadvantage is that this approach is less efficient when compared to using a dedicated stream cipher.

12. A secure fixed length encryption scheme𝑘
𝑝𝑙𝑎𝑖𝑛𝑡𝑒𝑥𝑡
𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡
𝑋𝑂𝑅
𝑝𝑠𝑒𝑢𝑑𝑜𝑟𝑎𝑛𝑑𝑜𝑚
𝑔𝑒𝑛𝑒𝑟𝑎𝑡𝑜𝑟
𝑝𝑎𝑑

13. Secure fixed length encryption
Protocol Π
Let 𝐺 be a pseudorandom generator with expansion
factor 𝑙. Define a private-key encryption scheme
for messages of length 𝑙 as follows
Gen: on input 1 𝑛 choose 𝑘  {0,1 } 𝑛 uniformly at
random and output 𝑘 as key.
Enc: on input a key 𝑘  {0,1 } 𝑛 and a message
𝑚{0,1 } 𝑙(𝑛) output the ciphertext
𝑐≔G 𝑘  𝑚 .
Dec: on input a key 𝑘  {0,1 } 𝑛 and a ciphertext
c{0,1 } 𝑙(𝑛) output the plaintext
𝑚≔G 𝑘  𝑐 .

14. Secure fixed length encryption Theorem
If G be a pseudorandom generator then
protocol Π is a fixed-length private-key
encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.

15. A secure fixed length encryption reduction: Π is secure if G is a pseudorandom generator
Adversary A’ (Distinguisher D)
Adversary A (Protocol Π)
1 𝑛 , 𝑤
1 𝑛
is 𝑤 random or
pseudorandom?
𝑚 0 , 𝑚 1
Suppose that A
succeeds with
probability 𝜀(𝑛)
choose a random bit 𝑏
compute 𝑐 𝑏 := w  𝑚 𝑏
𝑐 𝑏
1 if 𝑏 ′ =𝑏 𝑏′
Distinguish  Break
0 if 𝑏 ′  𝑏

16. A secure fixed length encryption Proof
when 𝑤 is uniform random we have Pr 𝐷 𝑤 =1 = Pr Priv K A,Π eav (𝑛)=1 =
when 𝑤=𝐺(𝑘) we have
Pr 𝐷 𝐺 𝑘 =1 =Pr[Priv K A,Π eav (𝑛)=1]
Since 𝐺 is a pseudorandom generator
| Pr 𝐷 𝑤 = Pr 𝐷 𝐺 𝑘 =1 | ≤ negl(𝑛)
Therefore
| 1 2 −Pr[Priv K A,Π eav (𝑛)=1]| ≤ negl(𝑛), or
|Pr[Priv K A,Π eav (𝑛)=1]| ≤ negl(𝑛)

17. Multi-message eavesdropping experiment Priv K A,Π mult (𝑛)
The adversary 𝐴 is given input 1 𝑛 and outputs a pair
of vectors of messages 𝑚 0 1 ,…, 𝑚 0 𝑡 and 𝑚 1 1 ,…, 𝑚 1 𝑡
witℎ | 𝑚 0 𝑖 =| 𝑚 1 𝑖 for all 𝑖.
A key 𝑘 is generated runnng 𝐺𝑒𝑛 1 𝑛 and a random bit
𝑏  0,1 is chosen. For all 𝑖 the ciphertext 𝑐 𝑏 𝑖  En 𝑐 𝑘 𝑚 𝑏 𝑖
is computed and the vector of ciphertexts 𝑐 𝑏 1 , …, 𝑐 𝑏 𝑡
is given to 𝐴.
.𝐴 outputs a bit 𝑏 ′ .
The output of the experiment i𝑠 1 if 𝑏 =𝑏 ′ and 0 otherwise.

18. Multiple encryptions security Definition
A private-key encryption scheme =(Gen,Enc,Dec) that has indistinguishable multiple encryptions in the presence of an eavesdropper satisfies:
 PPT Adversary 𝐴,  a negligible function negl:
Pr⁡[Priv K mult (𝐴, ) 𝑛 =1] ≤ negl 𝑛 ,
where the probability is taken over the random coins of 𝐴, and the experiment.

19. Indistinguishable single encryptions vs indistinguishable multiple encryptions
The secure fixed length encryption Protocol Π presented earlier is deterministic and cannot be used as a construction for indistinguishable multiple encryptions.
To see why use the experiment Priv K mult for the pair of vector messages ( 0 𝑛 , 0 𝑛 ) and 0 𝑛 , 1 𝑛 .
There is a private-key single encryption scheme that has indistinguishable single encryptions but distinguishable multiple encryptions.

20. Secure multiple encryptions using a stream-cipher mode of operation
Synchronized mode
Communicating parties use a different part of the stream cipher output to encrypt a message.
𝐸𝑛 𝑐 𝑘 𝑚 ≔  𝐺 ∞ 𝑠, 1 |𝑚|  𝑚
Useful for parties communicating in the same session.
Communicating parties must maintain state between encryptions.

21. Secure multiple encryptions stream-cipher mode of operation
Unsynchronized mode
Encryptions are carried out independently of one another.
Communicating parties are not required to maintain state between encryptions.
𝐸𝑛 𝑐 𝑘 𝑚 ≔ 𝐼𝑉, 𝐺 ∞ 𝑠,𝐼𝑉, 1 |𝑚|  𝑚
where the initial vector 𝐼𝑉  {0,1} 𝑛 is chosen at random.

22. Security against Chosen-Plaintext Attacks (CPA)
We now consider a more powerful adversary that is active.
The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.

23. The CPA indistinguishability experiment Priv K A,Π cpa (𝑛)
A key 𝑘 is generated runnng Gen 1 𝑛 .
The adversary 𝐴 is given input 1 𝑛 and oracle access to En 𝑐 𝑘 ∙ ,
and outputs a pair of messages 𝑚 0 , 𝑚 1 of equal length.
A uniform bit 𝑏 𝜖 0,1 is chosen and a ciphertext
c  En 𝑐 𝑘 𝑚 𝑏 is computed and given to 𝐴.
Adversary 𝐴 continues to have oracle access to En 𝑐 𝑘 ∙ , and
outputs a bit 𝑏 ′ .
The output of the experiment i𝑠 1 if 𝑏 =𝑏 ′ and 0 otherwise.

24. Indistinguishable encryptions under CPA Definition
A private-key encryption scheme = Gen,Enc,Dec has indistinguishable encryptions under CPA if
∀ PPT adversaries 𝐴, ∃ a negl function such that,
Pr⁡[Priv K A,Π cpa (𝑛)=1] ≤ negl 𝑛 ,
where the probability is taken over the coins of A and those of the experiment.

25. CPA security for multiple encryptions
As for single encryption, extend the experiment to Priv K A,Π cpa (𝑛) in which the adversary outputs a pair of vectors of plaintext.
Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA.

26. APPENDIX, RC4 Designed in 1987 by Ron Rivest for RSA Security
Variable key size stream cipher with byte-oriented operations
Based on the use of a random permutation
Eight to sixteen machine operations are required per output byte and the cipher can be expected to run very quickly in software
Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards for communication between Web browsers and servers
Used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol (IEEE wireless LAN standard)

27. RC4
Generates a pseudorandom stream (keystream) that can be used for encryption by XOR-ing it with the plaintext.
The internal state of the cipher has two parts:
a permutation of 256 bytes (S)
two 8-bit pointers: i, j
RC4: byte K is output

28. RC4, protocol (KSA) Key scheduling algorithm (KSA)
(initialize S, using key, 1  keylength  256)
for i from 0 to 255 (S is initialized)
S[i] := i
endfor
j := 0
for i from 0 to 255 (initial permutation is performed)
j := (j + S[i] + key[i mod keylength]) mod 256
swap values of S[i] and S[j]

29. RC4, protocol (PRGA) Pseudo-random generation algorithm i := 0 j := 0
while GeneratingOutput:
i := (i + 1) mod 256
j := (j + S[i]) mod 256
swap values of S[i] and S[j]
K := S[(S[i] + S[j]) mod 256]
output K
endwhile

30. Simple RC4 example Instead of the full 256 bytes, use 8 × 3-bits.
Assume we use a 4 x 3-bit key:
K = [ ]
Initialization of S: S = [ ]
Initial permutation:
j := 0
for i from 0 to 7
j := (j + S[i] + key[i mod 3) mod 8
swap values of S[i] and S[j]
endfor

31. Simple RC4 example K = [1 2 3 6], S = [0 1 2 3 4 5 6 7]
We go through for each iteration of i:
For i = 0:
j = ( ) mod 8 = 1
Swap(S[0],S[1]);
S = [ ]
For i = 1:
j = (1+0+2) mod 8 = 3
Swap(S[1],S[3])
S = [ ];

32. Simple RC4 example K = [1 2 3 6], S = [1 3 2 0 4 5 6 7]
For i = 2: j = (3+2+3) mod 8 = 0 Swap(S[2],S[0]); S = [ ] For i = 3: j = (0+0+6) mod 8 = 6 Swap(S[3],S[6]) S = [ ];

33. Simple RC4 example K = [1 2 3 6], S = [2 3 1 6 4 5 0 7]
For i = 4: j = (6+4+1) mod 8 = 3 Swap(S[4],S[3]); S = [ ] For i = 5: j = (3+5+2) mod 8 = 2 Swap(S[5],S[2]) S = [ ];

34. Simple RC4 example K = [1 2 3 6], S = [2 3 5 4 6 1 0 7]
For i = 6: j = (2+0+3) mod 8 = 5 Swap(S[6],S[5]); S = [ ] For i = 7: j = (5+7+6) mod 8 = 2 Swap(S[7],S[2]) S = [ ];

35. RC4, protocol (PRGA) Now we run PRGA for
S = [ ], i = 0, j = 0
while GeneratingOutput:
i := (i + 1) mod 8
j := (j + S[i]) mod 8
swap values of S[i] and S[j]
K := S[(S[i] + S[j]) mod 8]
output K
endwhile

36. RC4, generating output First iteration S = [2 3 7 4 6 0 1 5], i=0, j=0
i := (0 + 1) mod 8 = 1
j := (0 + S[1]) mod 8 = 3
swap values of S[1] and S[3]: S = [ ]
K := S[(S[1] + S[3]) mod 8] = S[7] = 5
output K = 5

37. RC4, generating output 2nd iteration, S = [2 4 7 3 6 0 1 5], i=1, j=3
i := (1 + 1) mod 8 = 2
j := (3 + S[2]) mod 8 = 2
swap values of S[2] and S[2]: S = [ ]
K := S[(S[2] + S[2]) mod 8] = S[6] = 1
output K = 1
3nd iteration, S = [ ], i=2, j=2
i := (2 + 1) mod 8 = 3
j := (2 + S[3]) mod 8 = 5
swap values of S[3] and S[5]: S = [ ]
K := S[(S[3] + S[5]) mod 8] = S[3] = 0
output K = 0