Department of Computer Science & Engineering

CSE-411 Cryptography
Instructor : Dr. Ahmed Gomaa

Fall, 2024
 Cryptography
Lecture 4
Computational Secrecy
Recommended reading: Chapter 2
Defining secure encryption
 Crypto definitions (generally)

• Security guarantee/goal
– What we want to achieve (or what we want to prevent the attacker
from achieving)

• Threat model
– What (real-world) capabilities the attacker is assumed to have
 Perfect secrecy

• Requires that absolutely no information about the plaintext is

leaked, even to eavesdroppers with unlimited computational
power
– Has some inherent drawbacks
– Seems unnecessarily strong
 One-time pad

• The one-time pad achieves perfect secrecy!

• One-time pad has historically been used in the real world

– E.g., “red phone” between DC and Moscow

• Not currently used!

– Why not?
 One-time pad

• Several limitations
– The key is as long as the message
– Only secure if each key is used to encrypt a
single message
• (Trivially broken by a known-plaintext attack)
 Parties must share keys of (total) length equal
to the (total) length of all the messages they
might ever send
 Using the same key twice?

• Say c1 = k  m1
c2 = k  m2

• Attacker can compute

c1  c2 = (k  m1)  (k  m2) = m1  m2

• This leaks information about m1, m2!

 Using the same key twice?

• m1  m2 is information about m1, m2

• Is this significant?
• No longer perfectly secret!
• m1  m2 reveals where m1, m2 differ
• Frequency analysis
• Exploiting characteristics of ASCII…
 • Letters all begin with 01…
• The space character begins
with 00…
• XOR of two letters gives 00…
• XOR of letter and space
gives 01…

• Easy to identify XOR of letter

and space!
Source: http://benborowiec.com/2011/07/23/better-ascii-table/
 One-time pad

• Drawbacks
– Key as long the message
– Only secure if each key is used to encrypt once
– Trivially broken by a known-plaintext attack

• These limitations are inherent for schemes achieving perfect

secrecy
 Optimality of the one-time pad

• Theorem: if (Gen, Enc, Dec) with message space M is perfectly

secret, then |K| ≥ |M|.
• Intuition:
– Given any ciphertext, try decrypting under every possible key in K
– This gives a list of up to |K| possible messages
– If |K| < |M|, some message is not on the list
 Optimality of the one-time pad

• Theorem: if (Gen, Enc, Dec) with message space M is perfectly

secret, then |K| ≥ |M|.
• Proof:
– Assume |K| < |M|
– Need to show that there is a distribution on M,
a message m, and a ciphertext c such that
Pr[M=m | C=c]  Pr[M=m]
 Optimality of the one-time pad

• Proof, continued
– Take the uniform distribution on M
– Take any ciphertext c
– Consider the set M(c) = { Deck(c) }kK
• These are the only possible messages that could yield the ciphertext c
– |M(c)| ≤ |K| < |M|, so there is some m that is not in M(c)
• Pr[M=m | C=c] = 0  Pr[M=m]
 Where do we stand?

• We defined the notion of perfect secrecy

• We proved that the one-time pad achieves it!
• We proved that the one-time pad is optimal!
– I.e., we cannot improve the key length
• Are we done?

• Do better by relaxing the definition

– But in a meaningful way…
 Computational secrecy

• Would be ok if a scheme leaked information with tiny

probability to eavesdroppers with bounded computational
resources
• I.e., we can relax perfect secrecy by
– Allowing security to “fail” with tiny probability
– Restricting attention to “efficient” attackers
 Tiny probability of failure?

• Say security fails with probability 2-60

– Should we be concerned about this?
– With probability > 2-60, the sender and receiver will both be struck by
lightning in the next year…
– Something that occurs with probability 2-60/sec is expected to occur
once every 100 billion years
 Bounded attackers?

• Consider brute-force search of key space; assume one key can

be tested per clock cycle
• Desktop computer  257 keys/year
• Supercomputer  280 keys/year
• Supercomputer since Big Bang  2112 keys
– Restricting attention to attackers who can try 2112 keys is fine!

• Modern key space: 2128 keys or more…

 Roadmap

• We will give an alternate (but equivalent) definition of perfect

secrecy
– Using a randomized experiment
• That definition has a natural relaxation

• Warning: the material gets much more difficult now

 Perfect indistinguishability

•  = (Gen, Enc, Dec), message space M

• Informally:
– Two messages m0, m1; one is chosen and encrypted (using unknown
k) to give c  Enck(mb)
– Adversary A is given c and tries to determine which message was
encrypted
–  is perfectly indistinguishable if no A can guess correctly with
probability any better than ½
 Perfect indistinguishability

• Let =(Gen, Enc, Dec) be an encryption scheme with message

space M, and A an adversary
• Define a randomized exp’t PrivKA,:
1. A outputs m0, m1  M
2. k  Gen, b  {0,1}, c  Enck(mb)
3. b’  A(c)
Challenge ciphertext
Adversary A succeeds if b = b’, and we say the experiment evaluates to
1 in this case
 Perfect indistinguishability

• Easy to succeed with probability ½ …

•  is perfectly indistinguishable if for all attackers (algorithms)

A, it holds that
Pr[PrivKA, = 1] = ½
 Perfect indistinguishability

• Let =(Gen, Enc, Dec) be an encryption scheme with message

space M, and let A be an adversary/algorithm
• Define a randomized exp’t PrivKA,:
1. A outputs m0, m1  M
2. k  Gen, b  {0,1}, c  Enck(mb)
3. b’  A(c)
Challenge ciphertext
Adversary A succeeds if b = b’, and we say the experiment evaluates to
1 in this case
 Perfect indistinguishability

• Easy to succeed with probability ½ …

• Scheme  is perfectly indistinguishable if for all attackers

(algorithms) A, it holds that
Pr[PrivKA, = 1] = ½
 Perfect indistinguishability

• Claim:  is perfectly indistinguishable   is perfectly secret

• I.e., perfect indistinguishability is just an alternate definition of

perfect secrecy
 Computational secrecy?

• Idea: relax perfect indistinguishability

• Two approaches
– Concrete security
– Asymptotic security
 Computational indistinguishability
(concrete)

• (t, )-indistinguishability:
– Security may fail with probability ≤ 
– Restrict attention to attackers running in time ≤ t
• Or, t CPU cycles
 Computational indistinguishability
(concrete version)

•  is (t, )-indistinguishable if for all attackers A running in time

at most t, it holds that
Pr[PrivKA, = 1] ≤ ½ + 

• Note: (, 0)-indistinguishable = perfect indistinguishability

– Relax definition by taking t <  and  > 0
 Concrete security

• Parameters t,  are what we ultimately care about in the real

world

• Does not lead to a clean theory...

– Sensitive to exact computational model
–  can be (t, )-secure for many choices of t, 
• Would like to have schemes where users can adjust the
achieved security as desired
 Asymptotic security

• Introduce security parameter n

– For now, think of n as the key length
– Chosen by honest parties when they
generate/share key
• Allows users to tailor the security level
– Known by adversary

• Measure running times of all parties, and the

success probability of the adversary, as
functions of n
 Computational indistinguishability
(asymptotic)

• Computational indistinguishability:
– Security may fail with probability negligible in n
– Restrict attention to attackers running in time (at most) polynomial in
n
 Definitions

• A function f: Z+  Z+ is polynomial if there exists c such that

f(n) < nc

• A function f: Z+  [0,1] is negligible if for every polynomial p it

holds that f(n) < 1/p(n) for large enough n
– I.e., decays faster than any inverse polynomial
– Typical example: f(n) = poly(n)∙2-cn
 Why these specific choices?

• Somewhat arbitrary
• “Efficient” = “probabilistic polynomial-time (PPT)” borrowed
from complexity theory
• Convenient closure properties
– Poly * poly = poly
• A PPT algorithm making calls to PPT subroutines is PPT
– Poly * negligible = negligible
• Poly-many calls to subroutines that fail with negligible probability fail with
negligible probability overall
 (Re)defining encryption

• A private-key encryption scheme is defined by three PPT

algorithms (Gen, Enc, Dec):
– Gen: takes as input 1n; outputs k. (Assume |k|≥n.)
– Enc: takes as input a key k and message m{0,1}*; outputs ciphertext
c
c  Enck(m)
– Dec: takes key k and ciphertext c as input; outputs a message m or
“error”
 Computational indistinguishability
(asymptotic version)

• Fix a scheme  and some adversary A

• Define a randomized exp’t PrivKA,(n):
1. A(1n) outputs m0, m1  {0,1}* of equal length
2. k  Gen(1n), b  {0,1}, c  Enck(mb)
3. b’  A(c)
Adversary A succeeds if b = b’, and we say the experiment evaluates to
1 in this case
 Computational indistinguishability
(asymptotic version)

•  is computationally indistinguishable (aka EAV-secure) if for

all PPT attackers A, there is a negligible function  such that

Pr[PrivKA,(n) = 1] ≤ ½ + (n)
 Example 1

• Consider a scheme where Gen(1n) generates a uniform n-bit

key, and the best attack is brute-force search of the key space
– So if A runs in time t(n), then
Pr[PrivKA,(n) = 1] < ½ + O(t(n)/2n)

• This scheme is EAV-secure!

For any polynomial t, the function t(n)/2n is negligible
 Example 2

• Consider a scheme and a particular attacker A that runs for n3

minutes and breaks the scheme with probability 240 2-n
– This does not contradict asymptotic security
– What about real-world security (against this particular attacker)?
• n=40: A breaks scheme with prob. 1 in 6 weeks
• n=50: A breaks scheme with prob. 1/1000 in 3 months
• n=500: A breaks scheme with prob. 2-500 in 200 years
 Example 3

• What happens when computers get faster?

• E.g., consider a scheme that takes time n2 to run but time 2n to
break with prob. 1
• What if computers get 4 faster?
– Honest users double n and can thus maintain the same running time
– Time to break scheme is squared!
• Time required to break the scheme increases
 Encryption and plaintext length

• In practice, we want encryption schemes that can encrypt

arbitrary-length messages
• Encryption does not hide the plaintext length (in general)
– The definition takes this into account by requiring m0, m1 to have the same
length
• But beware that leaking plaintext length can often lead to problems
in the real world!
– Obvious examples…
– Database searches
– Encrypting compressed data
 Computational secrecy

• From now on, we will assume the computational

setting by default
– Usually, the asymptotic setting
 Perfect Secrecy

• Alternative definition of perfect secrecy

– An encryption scheme (Gen, Enc, Dec) is perfectly secret if and only if for every
distribution over M and every m ∈ M and c ∈ C:
Pr[C = c | M = m] = Pr[C = c]
– This means that the probability distribution of the ciphertext does not depend on the
plaintext
– In other words, an encryption scheme (Gen, Enc, Dec) is perfectly secret if and only if for
every distribution over M and every m 1 , m 2 ∈ M and c ∈ C:
Pr[C = c | M = m 1 ] = Pr[C = c | M = m 2 ]
 Perfect Indistinguishability

• Indistinguishability of encrypted messages allows us to formulate security requirement as an

experiment or game
– interactive game with adversary A, who tries to break a cryptographic scheme
• Our first experiment
– for eavesdropping adversaries
– using private-key encryption
– asks them to distinguish between encryptions of different messages

– let Ɛ = (Gen, Enc, Dec), and we name the experiment PrivKeav

A, Ɛ
 Perfect Indistinguishability

• Experiment PrivKeav
A, Ɛ
1 . A chooses two messages m 0 , m 1 ∈ M

2. random key k is generated by Gen, and random bit b ← { 0 , 1 } is chosen

3. ciphertext c ← Enc k (m b ) is computed and given to A

4 . A outputs bit b' as its guess for b

5. experiment outputs 1 if b' = b (A wins) and 0 otherwise

 Perfect Indistinguishability

• Definition: An encryption scheme (Gen, Enc, Dec) over message space n is perfectly secret if
for every adversary A it holds that
1
Pr[PrivKeav
A, Ɛ = 1] =
2
– notice that is must work for every A
• This definition is equivalent to our original definition of perfect secrecy
Thank You