CIS 5371 Cryptography


Page 1: CIS 5371 Cryptography

3b. Pseudorandomness. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography

Page 2: Pseudorandomness, an introduction

• A distribution D is pseudorandom if no PPT distinguisher can tell whether it is given a string sampled according to D or a string chosen uniformly at random.

• This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

Page 3: Pseudorandomness, an introduction

• A pseudorandom generator is a deterministic algorithm that, given a short truly random seed of length n, stretches it into a longer string of length that is pseudorandom.

Page 4: Existence of pseudorandom generators

• We cannot prove that pseudorandom generators exist!

• We believe that such generators can be constructed from one-way functions.

• There are some long-standing problems that have no efficient solution, and it is believed that they are unsolvable in polynomial time.

Page 5: Pseudorandom generators, informal definition

• A distribution D is pseudorandom if no PPT distinguisher can tell whether it is given a string sampled according to D or a string chosen uniformly at random.

• This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

Page 6: Pseudorandomness, definition

Let be a polynomial and a deterministic polynomial-time algorithm that on input any outputs a string of length . is a pseudorandom generator if:

• ∀ PPT distinguishers D, where is a uniformly random string of length , is a uniformly random string of length , and the probabilities are taken over the coins used by and the choice of .

Page 7: A secure fixed length encryption scheme

[Diagram: the key k is fed to the generator to produce a pad; plaintext XOR pad gives the ciphertext.]

Page 8: A secure fixed length encryption, protocol

Let be a pseudorandom generator with expansion factor . Define a private-key encryption scheme for messages of length as follows:

• Gen: on input choose uniformly at random and output as the key.

• Enc: on input a key and a message m, output the ciphertext

• Dec: on input a key and a ciphertext c, output the plaintext

Page 9: A secure fixed length encryption, theorem

If is a pseudorandom generator, then protocol is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.

Page 10: A secure fixed length encryption, reduction

[Reduction diagram. Adversary A' (distinguisher D) is given w and runs adversary A (against protocol ): it gives A the input 1^n, receives m0, m1 from A, chooses a random bit b, computes c_b, receives A's guess b', and outputs 1 if , 0 if .]

Suppose that A succeeds with probability .

Page 11: A secure fixed length encryption, proof

Let Pr . Then,

• when is uniformly random we have .

• when we have Pr .

Page 12: A secure fixed length encryption, proof

Therefore when is chosen uniformly in

Page 13: Variable output-length pseudorandom generators

A deterministic polynomial-time algorithm is a variable output-length pseudorandom generator if:

1. Let be a string and an integer. Then outputs a string of length .

2. For all with , the string is a prefix of .

Define . Then for every polynomial it holds that is a pseudorandom generator with expansion factor .

Page 14: Stream ciphers

• We can easily modify the earlier construction of the encryption scheme to use a variable output-length PRG.

• In this case,

Page 15: Discussion

• We use the term stream cipher for the pseudorandom stream generator, not for the encryption algorithm.

• There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.

Page 16: Discussion

• The WEP encryption protocol for 802.11 used RC4 and was broken.

• But since then it has been fixed, and the standard updated.

• If RC4 has to be used, the first 1024 bits or so should be discarded.

Page 17: Discussion

• From a security point of view it is advocated to use block cipher constructions for building secure encryption schemes.

• The disadvantage is that this approach is less efficient than using a dedicated stream cipher.

Page 18: Multi-message eavesdropping experiment


Page 19: Definition

A private-key encryption scheme =(Gen,Enc,Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if it satisfies:

where the probability is taken over the random coins of , and of the experiment.

Page 20: Indistinguishable single encryptions vs indistinguishable multiple encryptions

• The secure fixed length encryption protocol presented earlier is deterministic and cannot be used as a construction with indistinguishable multiple encryptions.

• To see why, we use the experiment for the pair of message vectors and

Page 21: Secure multiple encryptions using a stream cipher

• Synchronized mode

• Communicating parties use a different part of the stream cipher output to encrypt each message.

• Useful for parties communicating in the same session.

• Communicating parties must maintain state between encryptions.

Page 22: Secure multiple encryptions using a stream cipher

• Unsynchronized mode

• Encryptions are carried out independently of one another.

• Communicating parties are not required to maintain state between encryptions.

where the initial vector is chosen at random.
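As an added example that is not part of the slides or of Katz and Lindell's text, the Python below puts together the fixed-length scheme of page 8 (pad = G(k), ciphertext = plaintext XOR pad), the prefix property of a variable output-length generator from page 13, the synchronized and unsynchronized modes of pages 21 and 22, and the determinism of the fixed-length scheme noted on page 20. The generator G is an assumed stand-in built from SHA-256 in counter mode; the 16-byte seed and IV lengths and seeding G with k||IV in unsynchronized mode are assumptions, not the slides' definitions.

```python
import hashlib
import os

SEED_LEN = 16  # seed length n in bytes (constructed choice, an assumption)
IV_LEN = 16    # IV length for unsynchronized mode (constructed choice)


def G(seed: bytes, out_len: int) -> bytes:
    """Assumed stand-in for a variable output-length PRG: SHA-256 in counter
    mode. Shorter outputs are prefixes of longer ones (page 13, property 2)."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Fixed-length scheme of page 8: pad = G(k), ciphertext = plaintext XOR pad.
def gen() -> bytes:
    return os.urandom(SEED_LEN)


def enc(k: bytes, m: bytes) -> bytes:
    # Deterministic: the same (k, m) always yields the same ciphertext, which is
    # what the multi-message eavesdropper of page 20 can exploit.
    return xor(m, G(k, len(m)))


def dec(k: bytes, c: bytes) -> bytes:
    return xor(c, G(k, len(c)))


# Synchronized mode (page 21): each side tracks how much of the stream it has
# consumed, so every message is padded with a fresh part of G's output.
class SyncStream:
    def __init__(self, k: bytes):
        self.k, self.pos = k, 0

    def process(self, data: bytes) -> bytes:  # encrypts and decrypts alike
        pad = G(self.k, self.pos + len(data))[self.pos:]
        self.pos += len(data)
        return xor(data, pad)


# Unsynchronized mode (page 22): random IV per message, no state kept.
# Assumption: the per-message stream is G(k || IV); the IV is sent in clear.
def enc_iv(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    iv = os.urandom(IV_LEN) if iv is None else iv
    return iv + xor(m, G(k + iv, len(m)))


def dec_iv(k: bytes, c: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return xor(body, G(k + iv, len(body)))
```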

Page 23: Security against Chosen-Plaintext Attack (CPA)

We now consider a more powerful adversary that is active.

The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.

Page 24: The CPA indistinguishability experiment


Page 25: Indistinguishable encryptions under CPA

Definition

A private-key encryption scheme has indistinguishable encryptions under CPA if

where the probability is taken over the coins of A and those of the experiment.

Page 26: CPA security for multiple encryptions

As for single encryption, extend the experiment to , in which the adversary outputs a pair of vectors of plaintexts.

Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA.