Lecture 14

Recap

$\exists$ one-way functions $\implies$ $\exists$ PRG expand by any polynomial amount

$\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$ , and $G$ is pseudorandom

\{G(U_n)\}\approx \{U_{l(n)}\}

Back to the experiment we did long time ago:

	Group 1	Group 2
$00000$ or $11111$	3	16
4 of 1's	42	56
balanced	too often	usual
consecutive repeats	0	4

So Group 1 is human, Group 2 is computer.

New material

Computationally secure encryption

Recall with perfect security,

P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]

for all $m_1,m_2\in M$ and $c\in C$ .

$(Gen,Enc,Dec)$ is single message secure if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$ , $\forall m_1,m_2\gets \{0,1\}^n \in M^n$ , $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligble probability.

P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)

By the prediction lemma, ( $\mathcal{A}$ is a ppt, you can also name it as $\mathcal{D}$ )

P[b\gets \{0,1\}:k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}

and the above equation is $\frac{1}{2}$ for perfect secrecy.

Construction of single message secure cryptosystem

cryptosystem with shorter keys. Mimic OTP(one time pad) with shorter keys with pseudorandom randomness.

$K=\{0,1\}^n$ , $\mathcal{M}=\{0,1\}^{l(n)}$ , $G:K \to \mathcal{M}$ is a PRG.

$Gen(1^n)$ : $k\gets \{0,1\}^n$ ; output $k$ .

$Enc_k(m)$ : $r\gets \{0,1\}^{l(n)}$ ; output $G(k)\oplus m$ .

$Dec_k(c)$ : output $G(k)\oplus c$ .

Proof of security:

Let $m_0,m_1\in \mathcal{M}$ be two messages, and $\mathcal{D}$ is a n.u.p.p.t distinguisher.

Suppose $\{K\gets Gen(1^n):Enc_k(m_i)\}$ is distinguished for $i=0,1$ by $\mathcal{D}$ and by $\mu(n)\geq\frac{1}{poly(n)}$ .

Strategy: Move to OTP, then flip message.

H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}

H_1(OTP(m_1)) = \{u\gets U_{l(n)}: m_o\oplus u\}

H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\}

H_3(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}

By hybrid argument, 2 neighboring messages are indistinguishable.

However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.

$H_1$ and $H_2$ are indistinguishable by perfect secrecy of OTP.

$H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.

Which leads to a contradiction.

Multi-message secure encryption

$(Gen,Enc,Dec)$ is multi-message secure if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$ , and $q(n)\in poly(n)$ .

\overline{m}=(m_1,\dots,m_{q(n)})

\overline{m}'=(m_1',\dots,m_{q(n)}')

are list of $q(n)$ messages in $\{0,1\}^n$ .

$\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligble probability.

P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)

THIS IS NOT MULTI-MESSAGE SECURE.

We can take $\overline{m}=(0^n,0^n)\to (G(k),G(k))$ and $\overline{m}'=(0^n,1^n)\to (G(k),G(k)+1^n)$ the distinguisher can easily distinguish if some message was sent twice.

What we need is that the distinguisher cannot distinguish if some message was sent twice. To achieve multi-message security, we need our encryption function to use randomness (or change states) for each message, otherwise $Enc_k(0^n)$ will return the same on consecutive messages.

Our fix is, if we can agree on a random function $F:\{0,1\}^n\to \{0,1\}^n$ satisfied that: for each input $x\in\{0,1\}^n$ , $F(x)$ is chosen uniformly at random.

$Gen(1^n):$ Choose random function $F:\{0,1\}^n\to \{0,1\}^n$ .

$Enc_F(m):$ let $r\gets U_n$ ; output $(r,F(r)\oplus m)$ .

$Dec_F(m):$ Given $(r,c)$ , output $m=F(r)\oplus c$ .

Idea: Adversary sees $r$ but has no idea about $F(r)$ . (we choose all outputs at random)

If we could do this, this is MMS (multi-message secure).

Proof:

Suppose $m_1,m_2,\dots,m_{q(n)}$ , $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle.

Suppose the encryption are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$ .

Strategy: move to OTP with hybrid argument.

Suppose we choose a random function

H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}

and

H_1:\{OTP:(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\}

$r_i,u_i\in U_n$ .

By hybrid argument, $H_0$ and $H_1$ are indistinguishable if $r_1,\dots,r_{q(n)}$ are different, these are the same.

$F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random.

only possible problem is $r_i=r_j$ for some $i\neq j$ , and $P[r_i=r_j]=\frac{1}{2^n}$ .

And the probability that at least one pair are equal

P[\text{at least one pair are equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{n}{2}\frac{1}{2^n} < \frac{n^2}{2^{n+1}}

which is negligible.

Unfortunately, we cannot do this in practice.

How many random functions are there?

The length of description of $F$ is $n 2^n$ .

For each $x\in \{0,1\}^n$ , there are $2^n$ possible values for $F(x)$ .

So the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$ .

Cse442t L13 Cse442t L15