Lecture 5 - EAV-Secrecy and PRG
Uploaded by ziadalsharqawy

Department of Computer Science & Engineering

CSE-411 Cryptography
Instructor : Dr. Ahmed Gomaa

Fall, 2024
Cryptography
Lecture 5
EAV Secrecy and PRG
Recommended reading: Chapter 3
Encryption and plaintext length

• In practice, we want encryption schemes that can encrypt arbitrary-length messages
• Encryption does not hide the plaintext length (in general)
– The definition takes this into account by requiring m0, m1 to have the same length
• But beware that leaking plaintext length can often lead to problems in the real world!
– Obvious examples…
– Database searches (the size of the encrypted result reveals how many records matched)
– Encrypting compressed data (the compressed length depends on the plaintext content, so the ciphertext length leaks information about the plaintext)
Computational secrecy

• From now on, we will assume the computational setting by default
– Usually, the asymptotic setting
Computational Security

• Security of a cipher can often be defined in one of the following ways:
– concrete approach (exact numbers)
• a scheme is (t, ε)-secure if every adversary running for time at most t has probability at most ε of breaking the security of the scheme
– what values of t and ε are reasonable today?
• (t, ε)-security is a statement about one fixed time bound t and one ε; it says nothing about adversaries running longer than t, so it does not imply security in general
Computational Security

• Security of a cipher can be defined in one of the following ways:
– asymptotic approach
• cipher is described using a security parameter n
• a scheme is secure if every efficient adversary has only negligible probability of breaking its security
– adversary runs in probabilistic polynomial time (PPT)
– honest parties must be polynomial time as well
• security guarantees hold only for sufficiently large values of n
– e.g., "an adversary running for 2^25 · n^3 cycles can break security with probability 2^20 · 2^(−n/4)" is consistent with asymptotic security, because 2^20 · 2^(−n/4) is negligible in n; but the bound is trivial for n = 80 (probability 1) and only becomes meaningful for larger n (for n = 500 it is 2^(−105))
Pseudorandomness

• Important building block for computationally secure encryption
• Important concept in cryptography
What does “random” mean?

• What does “uniform” mean?
• Which of the following is a uniform string?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• If we generate a uniform 16-bit string, each of the above occurs with probability 2^−16
What does “uniform” mean?

• “Uniformity” is not a property of a string, but a property of a distribution
• A distribution on n-bit strings is a function D: {0,1}^n → [0,1] such that Σ_x D(x) = 1
– The uniform distribution on n-bit strings, denoted U_n, assigns probability 2^−n to every x ∈ {0,1}^n
What does “pseudorandom” mean?

• Informal: cannot be distinguished from uniform (i.e., random)
• Which of the following is pseudorandom?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• Pseudorandomness is a property of a distribution, not a string
Pseudorandomness (take 1)

• Fix some distribution D on n-bit strings
– x ← D means “sample x according to D”
• Historically, D was considered pseudorandom if it “passed a bunch of statistical tests”
– Pr_{x←D}[1st bit of x is 1] ≈ ½
– Pr_{x←D}[parity of x is 1] ≈ ½
– Pr_{x←D}[Test_i(x) = 1] ≈ Pr_{x←U_n}[Test_i(x) = 1] for i = 1, …
Pseudorandomness (take 2)

• This is not sufficient in an adversarial setting!
– Who knows what statistical test an attacker will use?
• Cryptographic definition of pseudorandomness:
– D is pseudorandom if it passes all efficient statistical tests
Pseudorandomness (concrete)

• Let D be a distribution on p-bit strings
• D is (t, ε)-pseudorandom if for all A running in time at most t,
| Pr_{x←D}[A(x) = 1] − Pr_{x←U_p}[A(x) = 1] | ≤ ε
Pseudorandomness (asymptotic)

• Security parameter n, polynomial p
• Let D_n be a distribution over p(n)-bit strings
• Pseudorandomness is a property of a sequence of distributions {D_n} = {D_1, D_2, …}
• {D_n} is pseudorandom if for all probabilistic, polynomial-time distinguishers A, there is a negligible function ε such that
| Pr_{x←D_n}[A(x) = 1] − Pr_{x←U_p(n)}[A(x) = 1] | ≤ ε(n)
Pseudorandom generators (PRGs)

• A PRG is an efficient, deterministic algorithm that expands a short, uniform seed into a longer, pseudorandom output
– Useful whenever you have a “small” number of true random bits, and want lots of “random-looking” bits
PRGs

• Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x|
[Figure: a short seed x is fed into G, which outputs a longer string G(x)]
• G defines a sequence of distributions!
– D_n = the distribution on p(n)-bit strings defined by choosing x ← U_n and outputting G(x)
– Pr_{D_n}[y] = Pr_{U_n}[G(x) = y] = Σ_{x : G(x)=y} Pr_{U_n}[x] = Σ_{x : G(x)=y} 2^−n = |{x : G(x)=y}| / 2^n
– Note that most y occur with probability 0: at most 2^n of the 2^p(n) strings y lie in the image of G, and p(n) > n
• I.e., D_n is far from uniform
PRGs

• G is a PRG iff {D_n} is pseudorandom
• I.e., for all efficient distinguishers A, there is a negligible function ε such that
| Pr_{x←U_n}[A(G(x)) = 1] − Pr_{y←U_p(n)}[A(y) = 1] | ≤ ε(n)
• I.e., no efficient A can distinguish whether it is given G(x) (for uniform x) or a uniform string y!
Example (insecure PRG)

• Let G(x) = 0…0
– Distinguisher?
– Analysis?
Example (insecure PRG)

• Let G(x) = x ‖ OR(bits of x) (the seed followed by the OR of its bits)
– Distinguisher?
– Analysis?
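The two insecure generators above, worked through in code as an added example (this is not code from the lecture): for a small seed length the distinguishing gap of a given test A can be computed exactly by enumerating every seed x and every (n+1)-bit string y. The block also illustrates the difference between the “take 1” and “take 2” notions: a fixed statistical test (“first bit ≈ ½”) catches G(x) = 0…0 but is blind to G(x) = x ‖ OR(x), while a one-line test an attacker can choose distinguishes the latter with gap ½. Representing bit strings as tuples of 0/1 integers and fixing p(n) = n + 1 are choices of this example.

```python
# Added example (not part of the lecture slides): exact distinguishing gaps for the
# two insecure generators above, computed by enumerating every n-bit seed and every
# (n+1)-bit output string.  Bit strings are tuples of 0/1 ints (a representation
# choice of this example); p(n) = n + 1 so that both generators are expanding.
from fractions import Fraction
from itertools import product


def zero_prg(x):
    """G(x) = 0...0: outputs n+1 zeros and ignores the seed."""
    return (0,) * (len(x) + 1)


def or_prg(x):
    """G(x) = x || OR(bits of x): copies the seed and appends one redundant bit."""
    return tuple(x) + (int(any(x)),)


def zero_distinguisher(y):
    """A(y) = 1 iff y is the all-zero string."""
    return int(not any(y))


def or_distinguisher(y):
    """A(y) = 1 iff the last bit equals the OR of all earlier bits (always true for or_prg)."""
    return int(y[-1] == int(any(y[:-1])))


def first_bit_test(y):
    """A 'take 1' style statistical test: A(y) = first bit of y."""
    return y[0]


def distinguishing_gap(G, A, n):
    """Return (Pr[A(G(x))=1] for x <- U_n, Pr[A(y)=1] for y <- U_{n+1}, |difference|)
    as exact fractions, by brute-force enumeration over all seeds and all outputs."""
    seeds = list(product((0, 1), repeat=n))
    p_prg = Fraction(sum(A(G(x)) for x in seeds), len(seeds))
    outputs = list(product((0, 1), repeat=n + 1))
    p_unif = Fraction(sum(A(y) for y in outputs), len(outputs))
    return p_prg, p_unif, abs(p_prg - p_unif)


if __name__ == "__main__":
    for G, A in ((zero_prg, zero_distinguisher), (or_prg, or_distinguisher),
                 (zero_prg, first_bit_test), (or_prg, first_bit_test)):
        p_prg, p_unif, gap = distinguishing_gap(G, A, 8)
        print(f"{G.__name__:9s} vs {A.__name__:18s}: {p_prg} - {p_unif} -> gap {gap}")
```

With n = 8 the all-zero generator is caught by the all-zero test with gap 511/512, and x ‖ OR(x) by the structural test with gap exactly ½ (a uniform 9-bit string satisfies “last bit = OR of the rest” for exactly one of the two choices of last bit). The first-bit test has gap ½ on the all-zero generator but gap 0 on x ‖ OR(x), which is the point of the “take 2” slide: passing a fixed list of statistical tests says nothing about the test an attacker chooses.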
Do PRGs exist?

• We don’t know…
– Would imply P ≠ NP
• We will assume certain algorithms are PRGs
– Recall the 3 principles of modern crypto…
– This is what is done in practice
– We will return to this later in the course
• Can construct PRGs from weaker assumptions
– For details, see Chapter 7
Where things stand

• We saw that there are some inherent limitations if we want perfect secrecy
– In particular, the key must be as long as the message
• We defined computational secrecy, a relaxed notion of security
• Can we overcome the prior limitations?
Recall: one-time pad

[Figure: a p-bit key; a p-bit message ⊕ key gives a p-bit ciphertext]
“Pseudo” one-time pad

[Figure: an n-bit key k is expanded by G into a p-bit “pseudo” key G(k); a p-bit message ⊕ G(k) gives a p-bit ciphertext]
Pseudo one-time pad

• Let G be a deterministic algorithm, with |G(k)| = p(|k|)
• Gen(1^n): output uniform n-bit key k
– Security parameter n ⇒ message space {0,1}^p(n)
• Enc_k(m): output G(k) ⊕ m
• Dec_k(c): output G(k) ⊕ c
• Correctness is obvious: Dec_k(Enc_k(m)) = G(k) ⊕ G(k) ⊕ m = m
Security of pseudo-OTP?

• Would like to be able to prove security
– Based on the assumption that G is a PRG
Definitions, proofs, and assumptions

• We’ve defined computational secrecy
• Our goal is to prove that the pseudo-OTP meets that definition
• We cannot prove this unconditionally
– Beyond our current techniques…
– Anyway, security clearly depends on G
• Can prove security based on the assumption that G is a pseudorandom generator
PRGs, revisited

• Let G be an efficient, deterministic function with |G(k)| = p(|k|)
[Figure: a distinguisher D receives a string y and outputs a bit b; either k ← U_n and y = G(k), or y ← U_p(n)]
• For any efficient D, the probabilities that D outputs 1 in each case must be “close”
Proof by reduction

1. Assume G is a pseudorandom generator
2. Assume toward a contradiction that there is an efficient attacker A who “breaks” the pseudo-OTP scheme (as per the definition)
3. Use A as a subroutine to build an efficient D that “breaks” pseudorandomness of G
– By assumption, no such D exists!
⇒ No such A can exist
Alternately…

1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D attacking G
– Relate the distinguishing gap of D to the success probability of A
4. By assumption, the distinguishing gap of D must be negligible
⇒ Use this to bound the success probability of A
Security theorem

• If G is a pseudorandom generator, then the pseudo one-time pad Π is EAV-secure (i.e., computationally indistinguishable)
The reduction

[Figure: D receives y; D runs A, which outputs m0, m1; D chooses b ← {0,1} and sends c = y ⊕ m_b to A; A outputs a guess b'; D outputs 1 if b = b']
Analysis

• If A runs in polynomial time, then so does D
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• Claim: when y = G(x) for uniform x, the view of A is exactly as in PrivK_{A,Π}(n)
⇒ Pr_{x←U_n}[D(G(x)) = 1] = µ(n)
The reduction (case y = G(k))

[Figure: k ← U_n and y = G(k); D runs A, which outputs m0, m1; D chooses b ← {0,1} and sends c = y ⊕ m_b = Enc_k(m_b) to A; A outputs b'; D outputs 1 if b = b']
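The pseudo one-time pad defined above (Gen/Enc/Dec) together with the reduction D, as an added example in code (not the lecture’s own material). D wraps an attacker A from the EAV game: it lets A choose m0, m1, picks b, hands A the “ciphertext” c = y ⊕ m_b and outputs 1 iff A guesses b. When y = G(k) this is exactly the PrivK game, so Pr[D(G(k)) = 1] = µ(n); when y is uniform, c is a genuine one-time-pad ciphertext, so any A guesses b with probability exactly ½ and D’s distinguishing gap is |µ(n) − ½|. Running D against the all-zero generator from the earlier slide, with an attacker that simply checks whether c equals m1, shows a gap of about ½; against a generator with no known weakness the same attacker gives a gap near 0. SHAKE256 used as an expanding output function is this example’s stand-in for a “good” G and is an assumption, not something the lecture proves; the byte lengths, the sample messages and the naive attacker are constructed for the example.

```python
# Added example (not from the lecture slides): the pseudo one-time pad with a
# pluggable generator G, the EAV game PrivK_{A,Pi}(n), and the reduction D from
# the proof sketch.  Bit strings are bytes; n = 8 bytes of seed, p = 16 bytes.
# Assumption of this example only: SHAKE256 is used as a stand-in "good" G.
import hashlib
import random
import secrets

N_BYTES = 8    # seed / key length n
P_BYTES = 16   # p(n): output length of G


def zero_prg(k: bytes) -> bytes:
    """Insecure G(k) = 0...0 from the slides (ignores the seed)."""
    return bytes(P_BYTES)


def shake_prg(k: bytes) -> bytes:
    """Stand-in G: SHAKE256 as an expanding XOF (an assumption here, not a theorem)."""
    return hashlib.shake_256(k).digest(P_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PseudoOTP:
    """Gen/Enc/Dec exactly as on the slide: Enc_k(m) = G(k) xor m, Dec_k(c) = G(k) xor c."""

    def __init__(self, G):
        self.G = G

    def gen(self, rng=None) -> bytes:
        """Uniform n-byte key; rng is only for reproducible experiments."""
        return rng.randbytes(N_BYTES) if rng else secrets.token_bytes(N_BYTES)

    def enc(self, k: bytes, m: bytes) -> bytes:
        assert len(m) == P_BYTES, "message space is {0,1}^p(n)"
        return xor(self.G(k), m)

    def dec(self, k: bytes, c: bytes) -> bytes:
        return xor(self.G(k), c)


class NaiveAttacker:
    """A in the EAV game: picks m0 != m1, then guesses b' = 1 iff c == m1.
    This wins with certainty whenever the pad is all zeros, i.e. against zero_prg."""

    def choose(self):
        return bytes(P_BYTES), bytes([0xFF]) * P_BYTES   # constructed sample messages

    def guess(self, c: bytes, m0: bytes, m1: bytes) -> int:
        return int(c == m1)


def privk_success(scheme: PseudoOTP, A, trials: int, seed: int) -> float:
    """Estimate mu(n) = Pr[PrivK_{A,Pi}(n) = 1] by playing the EAV game."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        m0, m1 = A.choose()
        b = rng.getrandbits(1)
        c = scheme.enc(scheme.gen(rng), m1 if b else m0)
        wins += int(A.guess(c, m0, m1) == b)
    return wins / trials


def reduction_D(y: bytes, A, rng: random.Random) -> int:
    """D from the proof: run A, pick b, hand A the 'ciphertext' c = y xor m_b,
    output 1 iff A guesses b.  If y = G(k), A's view is exactly the PrivK game;
    if y is uniform, c is a true one-time-pad ciphertext and A wins w.p. 1/2."""
    m0, m1 = A.choose()
    b = rng.getrandbits(1)
    c = xor(y, m1 if b else m0)
    return int(A.guess(c, m0, m1) == b)


def distinguishing_gap(G, A, trials: int, seed: int):
    """Monte-Carlo estimate of (Pr[D(G(k))=1], Pr[D(y)=1], |gap|), k <- U_n, y <- U_p(n)."""
    rng = random.Random(seed)
    p_prg = sum(reduction_D(G(rng.randbytes(N_BYTES)), A, rng) for _ in range(trials)) / trials
    p_unif = sum(reduction_D(rng.randbytes(P_BYTES), A, rng) for _ in range(trials)) / trials
    return p_prg, p_unif, abs(p_prg - p_unif)


if __name__ == "__main__":
    A = NaiveAttacker()
    for name, G in (("zero_prg", zero_prg), ("shake_prg", shake_prg)):
        print(name, "PrivK success:", privk_success(PseudoOTP(G), A, 2000, 1),
              "D gap:", distinguishing_gap(G, A, 2000, 1))
```

The two estimates are tied together exactly as the analysis slide claims: the attacker’s success in the real game, µ(n), is the same quantity as D’s output probability on G(k), because D feeds A precisely Enc_k(m_b). The naive attacker is only a stand-in for “some A that breaks the scheme”; the reduction itself does not care how A works, which is why it transfers any EAV attack into a distinguisher for G.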
Thank You
