Skript as PDF Skript

Chapter 3
Security, pseudorandom
generators, and
pseudorandom functions
In this chapter we will discuss various definitions of security. We describe
general constructions of encryption schemes that satisfy these security definitions.
The constructions build on pseudorandom generators and pseudorandom
functions, two fundamental concepts in cryptography.
3.1 Security definitions
An encryption scheme is secure when it cannot be broken by an adversary.
To make this more precise, we have to describe the goals of an adversary.
Equivalently, we have to say when we consider an encryption scheme broken.
We also have to state the resources and capabilities of an adversary.
We start with the goals of an adversary. Of course, we apply Kerckhoffs’
principle: The adversary knows everything about the scheme he tries to attack.
Only the secret key used is unknown to the adversary.
Goals of an adversary
key recovery: Determine the secret key s used in the encryption scheme.
plaintext recovery: Given a ciphertext v = E s (m), which is the encryption
of plaintext m, determine the plaintext m.
20

plaintext distinguishability: Given a ciphertext v = E s (m b ), b ∈ {0, 1},
which is the encryption of one out of two plaintexts m 0 , m 1 known to
the adversary, determine bit b.
Clearly, key recovery is the most ambitious goal. Once an adversary
knows the secret key used, the scheme is completely broken. However, it
is conceivable that an adversary can decrypt certain (or even most) ciphertexts
without knowing the secret key. At first, the last goal mentioned above
will seem strange. The explanation for including plaintext indistinguishability
in our list of adversarial goals is as follows. An adversary may not
be interested in decrypting ciphertexts completely. Instead, he may only be
interested in parts of the corresponding plaintext. That is, the adversary
only wants to compute partial information about the plaintext. A strong
security definition will require, that even this is impossible for an adversary.
A formal security definition along these lines is called semantic security.
Formally defining semantic security is tricky. Fortunately, plaintext indistinguishability
is quite easy to formalize and we will do so shortly. Moreover,
in many situations it can be shown that semantic security and plaintext indistinguishability
are equivalent. Intuitively, this should be clear. Plaintext
indistinguishability says that an adversary cannot distinguish encryptions
of two plaintexts of his own choice. But then the adversary cannot be able
to determine partial information about plaintexts from the corresponding
ciphertexts.
Perfect secrecy provides security against adversaries that have unlimited
computational power. But as we have seen perfect secrecy is too expensive.
Therefore, we will restrict the computational power, time and memory, of an
adversary. Mostly we will be concerned with time restricted adversaries. For
example, we may restrict ourselves to adversaries whose computations are
limited to 2 t steps on a Turing machine or a RAM. An encryption scheme
that is provably secure against adversaries limited to 2 80 steps will meet
most practical security requirements. As our computational model we choose
Turing machine, but many results we show, in particular reductions, do not
depend on the exact model of computation that we use.
Besides time and memory, we need to consider other capabilities or characteristics
of adversaries. Various possible characterizations of adversaries
are given in the following list of attack models.
Capabilities of adversary/models of attacks
21

eavesdropping attack (eda): The adversary only knows ciphertexts v 1 ,
. . . , v l .
known plaintext attack (kpa): The adversary knows pairs (m 1 , E s (m 1 )),
. . . , (m l , E s (m l )) of plaintexts m i and their encryptions E s (m i ).
chosen plaintext attack (cpa): The adversary can adaptively choose plaintexts
m 1 , . . . , m l for which he gets the corresponding ciphertexts E s (m 1 ),
. . . , E s (m l ), i.e, after seeing pairs (m 1 , E s (m 1 )), . . . , (m i−1 , E s (m i−1 ))
the adversary chooses the next plaintext m i for which he gets the
encryption E s (m i ).
chosen ciphertext attacks (cca): The adversary can adaptively choose
ciphertexts v 1 , . . . , v l for which he gets the corresponding plaintexts
m 1 = D s (v 1 ), . . . , m l = D s (v l ), i.e, after seeing pairs (v 1 , D s (v 1 )), . . . ,
(v i−1 , D s (v i−1 )) the adversary chooses the next ciphertext v i for which
he gets the decryption D s (v i ).
Eavesdropping attacks clearly are realistic. Known or chosen plaintexts
and chosen ciphertext attacks become realistic once encryptions and decryptions
are done by servers that can be queried or even manipulated by an
adversary. Nevertheless chosen plaintext and chosen ciphertext attacks are
mostly (but not entirely) theoretical models. It is always prudent to overrather
than underestimate an adversary. Encryption schemes secure even
under chosen ciphertext attacks should resist most practical attacks.
The goals and capabilities or attack models can be combined arbitrarily.
We describe some examples and show that in most cases the one-time-pad
(OTP) is not secure.
Key recovery under eavesdropping attacks: The adversary A sees
several ciphertexts v 1 , . . . , v l , where v i = E s (m i ), i = 1, . . . , l, for plaintexts
m i and a single key s. The adversary tries to determine a key ŝ that is
consistent with the v i ’s, i.e. there exist plaintexts m i such that v i = Eŝ(m i )
for all i. Note that there need not be a single key consistent with the
ciphertexts v i .
Example 3.1.1 For the one-time-pad (OTP) key recovery with eavesdropping
attacks is possible but useless, because no key can be excluded by an
eavesdropping attack.
22

Key recovery under known plaintext attacks: Given pairs (m 1 , v 1 ),
. . . , (m l , v l ), where v i = E s (m i ), i = 1, . . . , l, for some fixed key s. The adversary
tries to determine a key ŝ such that Eŝ(m i ) = v i for all i. Note that
there may be several keys ŝ with this property.
Example 3.1.2 For the OTP even with l = 1 key recovery with known
plaintext attacks is possible. Given m 1 and v 1 such that E s (m 1 ) = v 1 , we
must have that s = m 1 ⊕ v 1 .
Plaintext recovery under known plaintext attack: Given pairs (m i , v i ),
v i = E s (m i ), i = 1, . . . , l, for a key s and a ciphertext v ≠ v i for all i, the
adversary tries to determine the plaintext m such that E s (m) = v.
Example 3.1.3 For the OTP plaintext recovery with a kpa is possible,
in fact we already saw that for the OTP even key recovery with a kpa is
possible.
Before we look at constructions of secure encryption schemes, we define
plaintext indistinguishability more formally. At least in the parts of this
course where we pursue the rigorous treatment of cryptography, plaintext
indistinguishability is our main security goal. For the time being we consider
plaintext indistinguishabilty under eavesdropping and under chosen
plaintext attcks. In both cases we model an attack by a game between an
adversary A and a challenger C.
Plaintext indistinguishability game Game pi-eda
(under eavesdropping atacks)
1. Adversary A determines two plaintexts m 0 , m 1 ∈ P and sends
m 0 , m 1 to the challenger C.
2. C chooses a key s ∈ K and a bit b ∈ {0, 1} uniformly at random
and sends v = E s (m b ) to A.
3. A computes a bit b ′ ∈ {0, 1}.
4. A wins the game iff b = b ′ .
23

If A wins the game, we write Succ pi-eda (A) = 1. We call Pr(Succ pi-eda (A) =
1) the success probability of A. Here the probability is over the choice of
s, b in step 2. It is also over internal coin tosses that A and C may use,
i.e. we allow the adversary and the challenger to be randomized algorithms.
Finally we call
Adv pi-eda (A) := | Pr(Succ pi-eda (A) = 1) − 1/2|
the advantage of A. Any adversary can just guess a bit b. Using this strategy
an adversary will win with probability 1/2. The advantage Adv pi-eda (A) is
a measure how much better than just guessing an adversary A is doing.
Definition 3.1.4 Let t ∈ N and ɛ > 0 be arbitrary. An encryption scheme
(E, D) over (P, C, K) is called (t, ɛ)-indistinguishable under eavesdropping
attacks if for every adversary A in Game pi-eda that runs for at most t steps
Adv pi-eda (A) < ɛ.
For plaintext indistinguishability under chosen plaintext attacks we proceed
in the same manner, except that in the game between adversary and
challenger the adversary can ask adaptively for encryptions of plaintexts of
his choice.
Plaintext indistinguishability game Game pi-cpa
(under chosen plaintext attacks)
1. C chooses a key s ∈ K uniformly at random.
2. Adversary A determines two plaintexts m 0 , m 1 ∈ P and sends
m 0 , m 1 to the challenger C. In this step A can ask for the encryptions
of arbitrary plaintexts m ∈ P.
3. C chooses a bit b ∈ {0, 1} uniformly at random and sends v =
E s (m b ) to A.
4. A computes a bit b ′ ∈ {0, 1}. In this step A can ask for the
encryptions of arbitrary plaintexts m ∈ P.
5. A wins the game iff b = b ′ .
If A wins the game, we write Succ pi-cpa (A) = 1. We call Pr(Succ pi-cpa (A) =
1) the success probability of A. Here the probability is over the choice of s, b
24

in step 1 and 3. It is also over internal coin tosses that A and C may use,
i.e. we allow the adversary and the challenger to be randomized algorithms.
Finally we call
the advantage of A.
Adv pi-cpa (A) := | Pr(Succ pi-cpa (A) = 1) − 1/2|
Definition 3.1.5 Let t ∈ N and ɛ ∈ R + be arbitrary. An encryption scheme
(E, D) over (P, C, K) is called (t, ɛ)-indistinguishable under chosen plaintext
attacks if for every adversary A in Game pi-cpa that runs for at most t steps
Adv pi-cpa (A) < ɛ.
In our definition of encryption schemes, the encryption E s and decryption D s
is done via functions. With this requirement plaintext indistinguishability
under chosen plaintexts attacks is impossible. In fact, in step 4 of Game pi-cpa
the adversary A can simply ask for the encryption of m 0 or m 1 . Then he
will be able to win Game pi-cpa with probability 1.
Rather than concluding that plaintext indistinguishability under chosen
plaintext attacks is not attainable, we generalize our definition of encryptions
schemes. In the future we no longer require that encryptions are done via
functions. Instead an encryption scheme over plaintext set P, ciphertext set
C and key set K will consist of two probabilistic algorithms E, D. That is,
when encryption a plaintext m using secret key s the algorithm E will use
internal random bits to compute a ciphertext c. The ciphertext c depends
as before on s and m. But it also depends on the random bits used by E.
In particular, even for a fixed key s there will be many possible encryptions
of m. As we will see, with this generalized definition of encryption plaintext
indistinguishability under chosen plaintext attacks is possible.
3.2 Pseudorandom generators and plaintext indistinguishable
encryption
In this section we see how so-called pseudorandom generators can be used
to construct encryption schemes that are plaintext indistinguishable under
eavesdropping attacks. We need several preliminary definitions and remarks
before we can define pseudorandom generators.
Let Ω be a finite set. As before, for a probability distribution X on Ω
we denote the probability of choosing s ∈ Ω according to the distribution X
by Pr(X = s).
25

If A is a deterministic algorithm, we can consider A as a function. Accordingly,
we denote the output of A on input x by A(x). The set of legal
inputs to A is called the domain of A. The set of possible outputs of A is
called the range of A. As with functions, we write A : D → R for a deterministic
algorithm with domain D and range R. In the following we restrict
ourselves to deterministic algorithms. However, many definitions can easily
be extended to functions. If X is a probability distribution on Ω and Ω is
a subset of the domain of some deterministic algorithm A, then X and A
induce a distribution A(X) on the range of A by the following formula
Pr(A(X) = r) =
∑
{s∈Ω:A(s)=r}
Pr(X = s).
Example 3.2.1 We denote by U 5 the uniform distribution on {0, 1} 5 . We
consider an algorithm A : {0, 1} 5 → {0, 1} that on input x = (x 1 , . . . , x 5 )
computes the majority of the bits in x, i.e. A(x) = 1 iff at least three bits
x i are 1. Then
Pr(A(X) = 1) = 1 ( ( ) ( ( )
5 5 5 ) 1 ( ) 1
+ + = 10 + 5 + 1 =
32 3 4)
5 32
2 .
Accordingly, Pr(A(X) = 0) = 1/2.
Example 3.2.2 We denote by X the following distribution on {0, 1} 5 . For
1 5 = (1, 1, 1, 1, 1) we have Pr(X = 1 5 ) = 1/2. For x ∈ {0, 1} 5 , x ≠ 1 5 , we
have Pr(X = x) = 1/62. Then
Pr(A(X) = 1) = 1 2 + 1 ( ( ) ( )
5 5 ) 23
+ =
62 3 4 31 .
Accordingly, Pr(A(X) = 0) = 8/31.
Definition 3.2.3 Let X, Y be distributions on some finite set Ω.
1. A deterministic algorithm A : Ω → {0, 1} is called an ɛ-distinguisher
for X, Y if
| Pr(A(X) = 1) − Pr(A(Y ) = 1)| ≥ ɛ.
2. Algorithm A is called a (t, ɛ)-distinguisher for X, Y if A is an ɛ-
distinguisher for X, Y and on every s ∈ Ω algorithm A runs for at
most t steps.
26

3. X, Y are called (t, ɛ)-indistinguishable if no (t, ɛ)-distinguisher for X, Y
exists.
If we consider the algorithm A and the two distributions U 5 , X from our two
previous examples, we conclude that A is a 23/31−1/2 = 15/62 distinguisher
for U 5 and X.
In the following, for any n ∈ N we denote by U n the uniform distribution
on {0, 1} n . Then we have the following two fundamental definitions.
Definition 3.2.4 A distribution X on {0, 1} n is called (t, ɛ)-pseudorandom
if X and U n are (t, ɛ)-indistinguishable.
Definition 3.2.5 An algorithm G : {0, 1} n → {0, 1} l is called a (t, ɛ)-
pseudorandom generator (PRG) if the distribution G(U n ) is (t, ɛ)-pseudorandom.
Actually, we also require that G is an efficient algorithm. However, to make
this precise, more involved definitions of pseudorandom generators are required.
We leave this issue to more advanced courses and rely on the reader’s
intuition about efficient algorithms.
Example 3.2.6 Let n ∈ N and consider the algorithm G : {0, 1} n →
{0, 1} 2n that maps a bit string x = (x 1 , . . . , x n ) to (x 1 , . . . , x n , ¯x 1 , . . . , ¯x n ).
Here ¯b denotes the negation of bit b. Furthermore, consider the algorithm A
that on input y = (y 1 , . . . , y 2n ) returns 1 iff y n+i = ȳ i for i = 1, . . . , n. One
checks that
Pr(A(U 2n ) = 1) = 2 −n and Pr(A(G(U n )) = 1) = 1.
Moreover, A will use at most cn steps on inputs from {0, 1} 2n for some small
c. Hence, A is a (cn, 1 − 2 −n )-distinguisher for G(U n ) and U 2n . Therefore,
G is not a (cn, 1 − 2 −n )-pseudorandom generator.
Next, we consider the algorithm B that on input y = (y 1 , . . . , y 2n ) returns
1 iff y 2n = ȳ n . Assuming that we can retrieve the first and last bit of a 2nbit
string in constant time, algorithm B runs in at most a steps, for some
constant a. We also get
Pr(B(U 2n ) = 1) = 1 2
and Pr(B(G(U n )) = 1) = 1.
Hence, G(U n ) and U 2n are not (a, 1/2)-indistinguishable and G is not a
(a, 1/2)-PRG.
27

Next we will see that we can construct encryption schemes that are plaintext
indistinguishable under eavesdropping attacks provided we know already
good pseudorandom generators. So assume G : {0, 1} n → {0, 1} l is a (t, ɛ)-
PRG. To construct an encryption scheme we set P = C = {0, 1} l and K =
{0, 1} n . For key s ∈ {0, 1} n we define the encryption function as follows:
E s : {0, 1} l → {0, 1} l
m ↦→ G(s) ⊕ m,
i.e., using the PRG G the key s is mapped to a bit string of length l, then the
resulting bit string is xored with the plaintext m. The decryption function
D s is identical to the encryption function:
D s : {0, 1} l → {0, 1} l
v ↦→ G(s) ⊕ v.
For fixed s ∈ {0, 1} n the functions E s and D s are injective and for every
m ∈ {0, 1} l we have D s (E s (m)) = G(s) ⊕ G(s) ⊕ m = m. Hence we obtain
a valid encryption scheme. We call it the encryption scheme based on PRG
G.
Theorem 3.2.7 There exists a constant c such that for all (t, ɛ)-PRGs G :
{0, 1} n → {0, 1} l the encryption scheme based on G is (t ′ , ɛ)-indistinguishable
under eavesdropping attacks.
Proof: We show that if the encryption scheme based on G is not (t ′ , ɛ)-
indistinguishable under eavesdropping attacks then G is not a (t, ɛ)-PRG.
To prove this we assume that there exists an adversary A with advantage
Adv pi-eda ≥ ɛ in the plaintext indistinguishability game Game pi-eda with the
encryption scheme based on G. Using this adversary we construct an ɛ-
distinguisher D for G(U n ) and U l . We also show that if A runs in t ′ steps
then D runs in t = t ′ + cl steps for some constant c. First we describe how
to obtain the distinguisher D from the adversary A.
28

Distinguisher D from plaintext indistinguishability
adversary A
On input z ∈ {0, 1} l :
1. Simulate A as in the first step of Game pi-eda to obtain two
plaintexts m 0 , m 1 .
2. Choose b ∈ {0, 1} uniformly at random.
3. Simulate A as in the third step of Game pi-eda with ciphertext
v = z ⊕ m b to obtain bit b ′ .
4. Return 1 iff b = b ′ .
We claim that Pr(D(U l ) = 1) = 1/2 and Pr(D(G(U n )) = 1) ≥ 1/2 + ɛ,
which implies that D is an ɛ-distinguisher for U l , G(U n )). To determine
Pr(D(U l ) = 1), note that with z the bit strings z ⊕ m 0 and z ⊕ m 1 are also
uniformly distributed in {0, 1} l . This implies that for z chosen uniformly
from {0, 1} l the input to A in the third step of D is distributed according to
U l , independent of the value of b. Hence, A’s output b ′ is independent from
the choice of b. Therefore Pr(D(U l ) = 1) = 1/2.
On the other hand, if z is distributed according to G(U n ), the input to
A in the third step of D is exactly as in the third step of Game pi-eda , i.e.
A is gets the encryption E s (m b ), where s is chosen uniformly at random
from the set of keys and b is a bit chosen uniformly at random. Hence, the
probability that b = b ′ is Succ pi-eda (A) = Adv pi-eda (A) + 1/2 ≥ 1/2 + ɛ.
To finish the proof, it remains to determine the number of steps required
by D. By assumption on A the simulations of A in step 1 and 3 together
require at most t steps. Computing v ⊕m b clearly can be done in time linear
in l. The remaining computations in D require only a constant number of
steps. Hence, there exists a constant c such that D uses at most t + cl steps,
if t is the number of steps of A. This concludes the proof.
29