Lecture 3

Perfect secrecy (formal)

• Encryption scheme (Gen, Enc, Dec) with message
space M and ciphertext space C is perfectly secret if
for every distribution over M, every m Î M, and
every c Î C with Pr[C=c] > 0, it holds that

Pr[M = m | C = c] = Pr[M = m].

• I.e., the distribution of M does not change, even

conditioned on observing the ciphertext
 One-time pad (OTP)
• Let M = {0,1}n
• Gen: choose a uniform key k Î {0,1}n
• Enck(m) = k Å m
• Deck(c) = k Å c
 Security of OTP
• Theorem: The one-time pad is perfectly secret
(proven last week)
 One-time pad
• If we use the one-time pad with k=0…0, then
the ciphertext is the same as the message!
– Isn’t that a problem?
– Maybe we should exclude the all-0 key?
 One-time pad
• The one-time pad achieves perfect secrecy!

• One-time pad has historically been used in the

real world
– E.g., “red phone” between DC and Moscow

• Not currently used!

– Why not?
 One-time pad
• Several limitations
– The key is as long as the message
– Only secure if each key is used to encrypt a
single message

Þ Parties must share keys of (total) length equal

to the (total) length of all the messages they
might ever send
 Using the same key twice?
• Completely insecure against a known-plaintext
attack!
• Say c1 (= k Å m1)
c2 (= k Å m2)
and the attacker knows m1
• Attacker can compute k := c1 Å m1
• Attacker can compute m2 := c2 Å k
 Using the same key twice?
• Say c1 = k Å m1
c2 = k Å m2

• Attacker can compute

c1 Å c2 = (k Å m1) Å (k Å m2) = m1 Å m2

• This leaks information about m1, m2!

 Using the same key twice?
• m1 Å m2 is information about m1, m2

• Is this significant?
– No longer perfectly secret!
– m1 Å m2 reveals where m1, m2 differ
– Frequency analysis
– Exploiting characteristics of ASCII…
 • Letters all begin
with 01…
• The space
character begins
with 00…
• XOR of two
letters gives 00…
• XOR of letter and
space gives 01…

• Easy to identify
XOR of letter and
space!
Source: http://benborowiec.com/2011/07/23/better-ascii-table/
 In pictures

01… 01… 01… 00… …

01… 01… 01… 01… …

00… 00… 00… 01…

01010000 …

01010000 = 00100000 Å ‘p’

??
 One-time pad
• Drawbacks
– Key as long the message
– Only secure if each key is used to encrypt once
– Trivially broken by a known-plaintext attack

• All these limitations are inherent for schemes

achieving perfect secrecy
– I.e., it’s not just a problem with the OTP
 Optimality of the one-time pad
• Theorem: if (Gen, Enc, Dec) with message
space M is perfectly secret, then |K| ≥ |M|
• Intuition:
– Given any ciphertext, try decrypting under every
possible key in K
– This gives a list of up to |K| possible messages
– If |K| < |M|, some message is not on the list
 Optimality of the one-time pad
• Theorem: if (Gen, Enc, Dec) with message
space M is perfectly secret, then |K| ≥ |M|.
• Proof:
– Assume |K| < |M|
– Need to show that there is a distribution on M,
a message m, and a ciphertext c such that
Pr[M=m | C=c] ¹ Pr[M=m]
 Optimality of the one-time pad
• Proof, continued
– Take the uniform distribution on M
– Take any ciphertext c
– Consider the set M(c) = { Deck(c) }kÎK
• These are the only possible messages that could yield
the ciphertext c
– |M(c)| ≤ |K| < |M|, so there is some m that is
not in M(c)
• Pr[M=m | C=c] = 0 ¹ Pr[M=m]
 Where do we stand?
• We defined the notion of perfect secrecy
• We proved that the one-time pad achieves it!
• We proved that the one-time pad is optimal!
– E.g., we cannot improve the key length
• Are we done?

• Do better by relaxing the definition

– But in a meaningful way…
 Perfect secrecy
• Requires that absolutely no information about
the plaintext is leaked, even to eavesdroppers
with unlimited computational power
– The definition has some inherent drawbacks
– The definition seems unnecessarily strong…
 Computational secrecy
• Would be ok if a scheme leaked information
with tiny probability to eavesdroppers with
bounded computing resources/running time
• I.e., we can relax perfect secrecy by
– Allowing security to “fail” with tiny probability
– Restricting attention to “efficient” attackers
 Tiny probability of failure?
• Say security fails with probability 2-60
– Should we be concerned about this?
– With probability > 2-60, the sender and receiver
will both be struck by lightning in the next year…
– Something that occurs with probability 2-60/sec is
expected to occur once every 100 billion years
 Bounded attackers?
• Consider brute-force search of key space;
assume one key can be tested per clock cycle
• Desktop computer » 257 keys/year
• Supercomputer » 1017 flops » 280 keys/year
• Supercomputer since Big Bang » 2112 keys
– Restricting attention to attackers limited to trying
2112 keys is fine!

• Modern key spaces: 2128 keys or more…

 Roadmap
• We will give an alternate (but equivalent)
definition of perfect secrecy
– Using a randomized experiment
• That definition has a natural relaxation
 Perfect indistinguishability
• P = (Gen, Enc, Dec), message space M
• Informally:
– Two messages m0, m1; one is chosen and
encrypted (using unknown k) to give c ¬ Enck(mb)
– Adversary A is given c and tries to determine
which message was encrypted
– P is perfectly indistinguishable if no A can guess
correctly with probability any better than ½
 Perfect indistinguishability
• Let P = (Gen, Enc, Dec) be an encryption
scheme with message space M, and let A be
an adversary
• Define a randomized exp’t PrivKA,P:
1. A outputs m0, m1 Î M
2. k ¬ Gen, b ¬ {0,1}, c ¬ Enck(mb)
3. b’ ¬ A(c) Challenge ciphertext
Adversary A succeeds if b = b’, and we say the
experiment evaluates to 1 in this case
 Perfect indistinguishability
• Easy to succeed with probability ½ …

• Scheme P is perfectly indistinguishable if for

all attackers (algorithms) A, it holds that
Pr[PrivKA,P = 1] = ½
 Perfect indistinguishability
• Claim: P is perfectly indistinguishable if and
only if P is perfectly secret
– I.e., perfect indistinguishability is just an alternate
definition of perfect secrecy
 Computational secrecy?
• Idea: relax perfect indistinguishability

• Two approaches
– Concrete security
– Asymptotic security
 Computational indistinguishability
(concrete)
• (t, e)-indistinguishability:
– Security may fail with probability ≤ e
– Restrict attention to attackers running in time ≤ t
• Or, t CPU cycles
 Computational indistinguishability
(concrete version)

• P is (t, e)-indistinguishable if for all attackers A

running in time at most t, it holds that
Pr[PrivKA,P = 1] ≤ ½ + e

• Note: (¥, 0)-indistinguishability = perfect

indistinguishability
– Relax definition by taking t < ¥ and e > 0
 Concrete security
• Parameters t, e are what we ultimately care
about in the real world

• Does not lead to a clean theory...

– Sensitive to exact computational model
– P can be (t, e)-secure for many choices of t, e
• Would like to have schemes where users can
adjust the achieved security as desired
 Asymptotic security
• Introduce security parameter n
– For now, think of n as the key length
– Chosen by honest parties when they generate
and/or share the key
• Allows users to tailor the security level
– Known by adversary

• Measure running times of all parties, and the

success probability of the adversary, as
functions of n
 Computational indistinguishability
(asymptotic)
• Computational indistinguishability:
– Security may fail with probability negligible in n
– Restrict attention to attackers running in time
polynomial in n
 Definitions
• A function f: Z+ ® Z+ is polynomial if there
exists c such that f(n) < nc

• A function f: Z+ ® [0,1] is negligible if for

every polynomial p it holds that f(n) < 1/p(n)
for large enough n
– I.e., decays faster than any inverse polynomial
– Typical example: f(n) = poly(n)·2-cn
 (Re)defining encryption
• A private-key encryption scheme is defined by
three PPT algorithms (Gen, Enc, Dec):
– Gen: takes as input 1n; outputs k. (Assume |k|≥n.)
– Enc: takes as input a key k and message mÎ{0,1}*;
outputs ciphertext c
c ¬ Enck(m)
– Dec: takes key k and ciphertext c as input; outputs
a message m or “error”
 Computational indistinguishability
(asymptotic version)

• Fix a scheme P and some adversary A

• Define a randomized exp’t PrivKA,P(n):
1. A(1n) outputs m0, m1 Î {0,1}* of equal length
2. k ¬ Gen(1n), b ¬ {0,1}, c ¬ Enck(mb)
3. b’ ¬ A(c)
Adversary A succeeds if b = b’, and we say the
experiment evaluates to 1 in this case
 Computational indistinguishability
(asymptotic version)
• P is computationally indistinguishable (aka
EAV-secure) if for all PPT attackers A, there is a
negligible function e such that

Pr[PrivKA,P(n) = 1] ≤ ½ + e(n)
 Encryption and plaintext length
• In practice, we want encryption schemes that can
encrypt arbitrary-length messages
• Encryption does not hide the plaintext length (in
general)
– The definition takes this into account by requiring m0,
m1 to have the same length
• But beware that leaking plaintext length can
often lead to problems in the real world!
– Obvious examples…
– Database searches
– Encrypting compressed data
 Example 1
• Consider a scheme where Gen(1n) generates a
uniform n-bit key, and the best attack is brute-
force search of the key space
– So if A runs in time t(n), then
Pr[PrivKA,P(n) = 1] < ½ + O(t(n)/2n)

• This scheme is EAV-secure!

– For any polynomial t, the function t(n)/2n is
negligible
 Example 2
• Consider a scheme and a particular attacker A
that runs for n3 minutes and “breaks the
scheme” with probability 240 2-n
– This does not contradict asymptotic security
– What about real-world security (against this
particular attacker)?
• n=40: A breaks scheme with prob. 1 in 6 weeks
• n=50: A breaks scheme with prob. 1/1000 in 3 months
• n=500: A breaks scheme with prob. 2-500 in 200 years
 Example 3
• What happens when computers get faster?
• E.g., consider a scheme that takes n2 steps to
run but 2n steps to break with prob. 1
• What if computers get 4´ faster?
– Honest users double n but can maintain the same
running time
– Number of steps needed to break the scheme is
squared!
• Time required to break the scheme increases
 Computational secrecy
• From now on, we will assume the computational
setting by default
– Usually, the asymptotic setting
Lecture 4
Pseudorandomness
 Pseudorandomness
• Important building block for computationally
secure encryption

• Important concept in cryptography

 What does “random” mean?
• What does “uniform” mean?
• Which of the following is a uniform string?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• If we generate a uniform 16-bit string, each of
the above occurs with probability 2-16
 What does “uniform” mean?
• “Uniformity” is not a property of a string, but
a property of a distribution

• A distribution on n-bit strings is a function

D: {0,1}n ® [0,1] such that Sx D(x) = 1
– The uniform distribution on n-bit strings, denoted
Un, assigns probability 2-n to every x Î {0,1}n
 What does “pseudorandom” mean?
• Informal: cannot be distinguished from
uniform (i.e., random)
• Which of the following is pseudorandom?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• Pseudorandomness is a property of a
distribution, not a string
 Pseudorandomness (take 1)
• Fix some distribution D on n-bit strings
– x ¬ D means “sample x according to D”
• Historically, D was considered pseudorandom
if it “passed a bunch of statistical tests”
– Prx ¬ D[1st bit of x is 1] » ½
– Prx ¬ D[parity of x is 1] » ½
– Prx ¬ D[Testi(x)=1] » Prx ¬ Un[Testi(x)=1] for i = 1, …
 Pseudorandomness (take 2)
• This is not sufficient in an adversarial setting!
– Who knows what statistical test(s) an attacker
will use?

• Cryptographic def’n of pseudorandomness:

– D is pseudorandom if it passes all efficient
statistical tests
 Pseudorandomness (concrete)
• Let D be a distribution on p-bit strings

• D is (t, e)-pseudorandom if for all A running in

time at most t,
| Prx ¬ D[A(x)=1] - Prx ¬ Up[A(x)=1] | ≤ e
 Pseudorandomness (asymptotic)
• Security parameter n, polynomial p

• Let Dn be a distribution over p(n)-bit strings

• Pseudorandomness is a property of a
sequence of distributions {Dn} = {D1, D2, … }
 Pseudorandomness (asymptotic)
• {Dn} is pseudorandom if for all probabilistic,
polynomial-time distinguishers A, there is a
negligible function e such that

| Prx ¬ Dn[A(x)=1] - Prx ¬ Up(n)[A(x)=1] | ≤ e(n)

 Pseudorandom generators (PRGs)
• A PRG is an efficient, deterministic algorithm
that expands a short, uniform seed into a
longer, pseudorandom output
– Useful whenever you have a “small” number of
true random bits, and want lots of “random-
looking” bits
• Note: we assume the ability to generate
uniform bits, but doing so is “expensive”
 PRGs
• Let G be a deterministic, poly-time algorithm
that is expanding, i.e., |G(x)| = p(|x|) > |x|

seed

output
 PRGs
• Let G be a deterministic, poly-time algorithm
that is expanding, i.e., |G(x)| = p(|x|) > |x|
• G defines a sequence of distributions!
– Dn = the distribution on p(n)-bit strings defined by
choosing x ¬ Un and outputting G(x)
– PrDn[y] = Prx ¬ Un[G(x) = y] = Sx : G(x)=y Prx ¬ Un[x]
= Sx : G(x)=y 2-n
= |{x : G(x)=y}|/2n
– Note that most y occur with probability 0
• I.e., Dn is far from uniform
 PRGs
• G is a PRG iff {Dn} is pseudorandom

• I.e., for all efficient distinguishers A, there is a

negligible function e such that
| Prx ¬ Un[A(G(x))=1] - Pry ¬ Up(n)[A(y)=1] | ≤ e(n)

• I.e., no efficient A can distinguish whether it is

given G(x) (for uniform x) or a uniform string y!
 Example (insecure PRG)
• Let G(x) = 0….0
– Distinguisher?
– Analysis?
 Example (insecure PRG)
• Let G(x) = x | OR(bits of x)
– Distinguisher?
– Analysis?
 PRGs
• G is a PRG if for all efficient distinguishers A,
there is a negligible function e such that
| Prx ¬ Un[A(G(x))=1] - Pry ¬ Up(n)[A(y)=1] | ≤ e(n)

• I.e., no efficient A can distinguish whether it is

given G(x) (for uniform x) or a uniform string y
 Do PRGs exist?
• We don’t know…
– Would imply P ¹ NP
• We will assume PRGs exist
– Recall the 3 principles of modern crypto…
• In practice, we have several algorithms
believed to be PRGs & we an construct PRGs
from weaker assumptions
– See Katz & Lindell Book (Chapters 7-8)
 Where things stand
• We saw that there are some inherent
limitations if we want perfect secrecy
– In particular, key must be as long as the message

• We defined computational secrecy, a

relaxed notion of security

• Does that definition allow us to overcome

prior limitations?
 Recall: one-time pad

p bits

key

p bits p bits

message Å ciphertext
 “Pseudo” one-time pad
n bits

key
p bits

G “pseudo” key

p bits p bits

message Å ciphertext
 Pseudo one-time pad
• Let G be a deterministic algorithm, with
|G(k)| = p(|k|)
• Gen(1n): output uniform n-bit key k
– Security parameter n Þ message space {0,1}p(n)
• Enck(m): output G(k) Å m
• Deck(c): output G(k) Å c

• Correctness follows as in the OTP…

 Have we gained anything?
• YES: the pseudo-OTP has a key shorter than
the message
– n bits vs. p(n) bits
• The fact that the parties internally generate a
p(n)-bit temporary string to encrypt/decrypt is
irrelevant
– The key is what the parties share in advance
– Parties do not store the p(n)-bit temporary value
 Security of pseudo-OTP?
• Would like to be able to prove security
– Based on the assumption that G is a PRG
 Definitions, proofs, and assumptions
• We’ve defined computational secrecy
• Our goal is to prove that the pseudo-OTP
meets that definition
• We cannot prove this unconditionally
– Beyond our current techniques…
– Anyway, security clearly depends on G
• Can prove security based on the assumption
that G is a pseudorandom generator
 PRGs, revisited
k ¬ Un
• Let G be an efficient, deterministic function
with |G(k)| = p(|k|)
y ¬ Up(n)
G
y

b
D
For any efficient D, the probabilities that D outputs 1
in each case must be “close”
 Proof by reduction
1. Assume G is a pseudorandom generator
2. Assume toward a contradiction that there is
an efficient attacker A who “breaks” the
pseudo-OTP scheme (as per the definition)
3. Use A as a subroutine to build an efficient D
that “breaks” pseudorandomness of G
– By assumption, no such D exists!
Þ No such A can exist
 Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the
pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D
attacking G
– Relate the distinguishing gap of D to the success
probability of A
4. By assumption, the distinguishing gap of D must
be negligible
Þ Use this to bound the success probability of A
 Security theorem
• If G is a pseudorandom generator, then the
pseudo one-time pad Π is EAV-secure (i.e.,
computationally indistinguishable)
The reduction

y
m0, m1

mb b←{0,1}

c
b’ A
if (b=b’)
output 1 D
 Analysis
• If A runs in polynomial time, then so does D
 Analysis
• Let µ(n) = Pr[PrivKA,Π(n) = 1]
• Claim: when y=G(x) for uniform x, then the
view of A is exactly as in PrivKA,Π(n)
Þ Prx ← Un[D(G(x))=1] = µ(n)
 The reduction
k ¬ Un

y
G
m0, m1

mb b←{0,1}
P-Enc c
b’ A

if (b=b’)
output 1 D
 Analysis
• Let µ(n) = Pr[PrivKA,Π(n) = 1]
• If y=G(x) for uniform x, then the view of A is
exactly as in PrivKA,Π(n)
Þ Prx ← Un[D(G(x))=1] = µ(n)
• If distribution of y is uniform, then A succeeds
with probability exactly ½
Þ Pry ← Up(n)[D(y)=1] = ½
 The reduction
y ¬ Up(n)

y
m0, m1

mb b←{0,1}
OTP-Enc c
b’ A

if (b=b’)
output 1 D
 Analysis
• Let µ(n) = Pr[PrivKA,Π(n) = 1]
• If y=G(x) for uniform x, then the view of A is
exactly as in PrivKA,Π(n)
Þ Prx ← Un[D(G(x))=1] = µ(n)
• If distribution of y is uniform, then A succeeds
with probability exactly ½
Þ Pry ← Up(n)[D(y)=1] = ½
• Since G is pseudorandom:
| µ(n) – ½ | ≤ negl(n)
Þ Pr[PrivKA,Π(n) = 1] ≤ ½ + negl(n)
 Stepping back…
• Proof that the pseudo-OTP is secure…
– We have a provably secure scheme, rather than
just a heuristic construction!
 Stepping back…
• Proof that the pseudo-OTP is secure…
• …with some caveats
– Assumes G is a pseudorandom generator
– Security is relative to our definition

• The only ways the scheme can be broken are:

– If a weakness is found in G
– If the definition isn’t sufficiently strong…
 Recall…
• Perfect secrecy has two limitations/drawbacks
– Key as long as the message
– Key can only be used once

• We have seen how to circumvent the first

• Does the pseudo-OTP have the second
limitation?

• How can we circumvent the second?

 But first…
• Develop an appropriate security definition

• Recall that security definitions have two parts

– Security goal
– Threat model

• We will keep the security goal the same, but

strengthen the threat model
 Single-message secrecy

c
k k

m
c ¬ Enck(m)
 Multiple-message secrecy

c1, …, ct
k k

m1, …, mt
c1 ¬ Enck(m1)
…
ct ¬ Enck(mt)
 A formal definition
• Fix P, A
• Define a randomized exp’t PrivKmultA,P(n):
1. A(1n) outputs two vectors (m0,1, …, m0,t) and
(m1,1, …, m1,t)
• Require that |m0,i| = |m1,i| for all i
2. k ¬ Gen(1n), b ¬ {0,1}, for all i: ci ¬ Enck(mb,i)
3. b’ ¬ A(c1, …, ct); A succeeds if b = b’, and
experiment evaluates to 1 in this case
 A formal definition
• P is multiple-message indistinguishable if for
all PPT attackers A, there is a negligible
function e such that

Pr[PrivKmultA,P(n) = 1] ≤ ½ + e(n)

• Question: Is pseudo-OTP multiple-message

indistinguishable?