Basics of Private Key Encryption 1

An encryption scheme is perfectly secret if, for every random variable \(M\) supported on \(\mathcal M\), the message \(M\) and the ciphertext

\[ C = \mathsf{Enc}(K,M) \]

are independent, where

\[ K \leftarrow \mathsf{KeyGen}(). \]

Equivalently, for all \(m \in \mathcal M\) and all \(c \in \mathcal C\) with

\[ \Pr[\mathsf{Enc}(K,M)=c] > 0, \]

we have

\[ \Pr[M=m \mid \mathsf{Enc}(K,M)=c] = \Pr[M=m]. \]

Intuition:

• seeing the ciphertext does not change the posterior distribution of the message;
• the adversary learns nothing about the plaintext from the ciphertext.

An encryption scheme is perfectly secret if, for all messages

\[ m,m' \in \mathcal M \]

and all ciphertexts

\[ c \in \mathcal C, \]

we have

\[ \Pr[\mathsf{Enc}(K,m)=c] = \Pr[\mathsf{Enc}(K,m')=c], \]

where

\[ K \leftarrow \mathsf{KeyGen}(). \]

Intuition:

• every message induces exactly the same ciphertext distribution;
• no ciphertext can statistically favor one plaintext over another.

Definition 3 makes the adversary explicit.

The experiment is:

1. The adversary \(\mathcal A\) outputs two messages

   \[ m_0,m_1 \in \mathcal M. \]

2. The challenger samples

   \[ K \leftarrow \mathsf{KeyGen}() \]

   and

   \[ b \leftarrow_{\$} \{0,1\}. \]

3. The challenger computes

   \[ c^* \leftarrow \mathsf{Enc}(K,m_b) \]

   and sends \(c^*\) to \(\mathcal A\).

4. The adversary outputs a guess

   \[ b' \in \{0,1\}. \]

5. The experiment outputs \(1\) if \(b'=b\), and \(0\) otherwise.

Let

\[ \mathsf{IND}_{\mathcal A} \]

be the random variable describing the output of this experiment.

The scheme is perfectly secret if, for every adversary \(\mathcal A\),

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12. \]

Intuition:

• even if the adversary chooses two candidate messages,
• and receives an encryption of one of them,
• it cannot guess which one was encrypted with probability better than random guessing.

Assume Definition 1 holds.

We want to prove Definition 3.

That is, for every adversary \(\mathcal A\), we need to show

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12. \]

The lecture first proves this for deterministic adversaries.

For randomized adversaries, the same idea generalizes by averaging over the adversary’s random coins, using linearity of expectation.

Let \(\mathcal A\) be any deterministic adversary.

The adversary outputs two messages:

\[ m_0,m_1 \in \mathcal M. \]

The challenger samples

\[ b \leftarrow_{\$} \{0,1\} \]

and encrypts

\[ m_b. \]

Define a random variable \(M\) by

\[ M =

\begin{cases} m_0 & \text{with probability } \frac12,\\ m_1 & \text{with probability } \frac12. \end{cases}

\]

Equivalently,

\[ M = m_b. \]

Thus the IND experiment’s challenge ciphertext can be written as

\[ C^* = \mathsf{Enc}(K,M). \]

After receiving \(C^*\), the adversary outputs

\[ b' = \mathcal A(C^*). \]

Define a helper function \(m(\cdot)\) on ciphertexts as follows:

\[ m(c) := m_{\mathcal A(c)}. \]

In particular,

\[ m(C^*) = m_{b'}. \]

So \(m(C^*)\) is the message corresponding to the adversary’s guess.

The adversary wins iff

\[ b'=b. \]

If \(m_0 \neq m_1\), this is equivalent to

\[ m_{b'} = m_b. \]

Since

\[ M = m_b \]

and

\[ m(C^*) = m_{b'}, \]

we get

\[ \mathsf{IND}_{\mathcal A}=1 \iff M = m(C^*). \]

If \(m_0=m_1\), then the ciphertext encrypts the same message regardless of \(b\), and the adversary cannot have meaningful information about \(b\). In that case the winning probability is trivially \(\frac12\). Therefore the interesting case is \(m_0 \neq m_1\).

We compute:

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \Pr[M=m(C^*)]. \]

Using the law of total probability over all possible ciphertexts \(c\in\mathcal C\),

\[ \Pr[M=m(C^*)] = \sum_{c\in\mathcal C} \Pr[M=m(c)\mid C^*=c]\cdot \Pr[C^*=c]. \]

Since

\[ C^* = \mathsf{Enc}(K,M), \]

this becomes

\[ \Pr[M=m(C^*)] = \sum_{c\in\mathcal C} \Pr[M=m(c)\mid \mathsf{Enc}(K,M)=c]\cdot \Pr[\mathsf{Enc}(K,M)=c]. \]

By Definition 1, \(M\) and \(\mathsf{Enc}(K,M)\) are independent.

Therefore, for every ciphertext \(c\),

\[ \Pr[M=m(c)\mid \mathsf{Enc}(K,M)=c] = \Pr[M=m(c)]. \]

So

\[ \Pr[M=m(C^*)] = \sum_{c\in\mathcal C} \Pr[M=m(c)]\cdot \Pr[\mathsf{Enc}(K,M)=c]. \]

Now \(m(c)\) is a fixed value once \(c\) is fixed.

Because \(M\) is uniform over \(\{m_0,m_1\}\), we have

\[ \Pr[M=m(c)] = \frac12. \]

Hence

\[ \Pr[M=m(C^*)] = \sum_{c\in\mathcal C} \frac12 \cdot \Pr[\mathsf{Enc}(K,M)=c]. \]

Pull out the constant:

\[ \Pr[M=m(C^*)] = \frac12 \sum_{c\in\mathcal C} \Pr[\mathsf{Enc}(K,M)=c]. \]

The ciphertext must take some value in \(\mathcal C\), so

\begin{equation*} \sum_{c\in\mathcal C} \Pr[\mathsf{Enc}(K,M)=c] = 1. \end{equation*}

Therefore

\[ \Pr[M=m(C^*)] = \frac12. \]

Thus

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12. \]

This proves Definition 3.

We have shown:

\[ (1) \Rightarrow (3). \]

Together with the previous implications,

\[ (2) \Rightarrow (1) \]

and

\[ (3) \Rightarrow (2), \]

we get the full equivalence:

\[ (1) \Longleftrightarrow (2) \Longleftrightarrow (3). \]

Perfect secrecy gives an extremely strong security guarantee.

The one-time pad is perfectly secret, but it has two major drawbacks:

1. the key must be as long as the message;
2. the key can only be used once.

The natural question is:

Can we construct a better perfectly secret encryption scheme with shorter reusable keys?

Shannon’s theorem says no.

Let

\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]

be a perfectly secret encryption scheme with key space \(\mathcal K\), message space \(\mathcal M\), and ciphertext space \(\mathcal C\).

Then

\begin{equation*} |\mathcal K| \ge |\mathcal M|. \end{equation*}

This means that the key space must be at least as large as the message space.

If

\[ \mathcal K = \{0,1\}^{\ell} \]

and

\[ \mathcal M = \{0,1\}^{n}, \]

then

\begin{equation*} |\mathcal K| = 2^\ell \end{equation*}

and

\begin{equation*} |\mathcal M| = 2^n. \end{equation*}

Therefore

\[ 2^\ell \ge 2^n, \]

so

\[ \ell \ge n. \]

Thus the key length must be at least the message length.

We prove the theorem by contraposition.

Instead of proving

\[ \text{perfect secrecy} \Rightarrow |\mathcal K| \ge |\mathcal M|, \]

we prove

\begin{equation*} |\mathcal K| < |\mathcal M| \Rightarrow \text{not perfectly secret}. \end{equation*}

We will show that if

\begin{equation*} |\mathcal K| < |\mathcal M|, \end{equation*}

then Definition 2 of perfect secrecy is violated.

Definition 2 requires that for all \(m,m'\in\mathcal M\) and all \(c\in\mathcal C\),

\[ \Pr[\mathsf{Enc}(K,m)=c] = \Pr[\mathsf{Enc}(K,m')=c]. \]

So it is enough to find messages \(m,m'\) and a ciphertext \(\hat c\) such that

\[ \Pr[\mathsf{Enc}(K,m)=\hat c] > 0 \]

but

\[ \Pr[\mathsf{Enc}(K,m')=\hat c] = 0. \]

That would directly contradict Definition 2.

Assume

\begin{equation*} |\mathcal K| < |\mathcal M|. \end{equation*}

Pick an arbitrary message

\[ m \in \mathcal M. \]

Pick an arbitrary key

\[ k_0 \in \mathcal K. \]

This key does not need to be sampled randomly; it can be any key.

Define

\[ \hat c := \mathsf{Enc}(k_0,m). \]

Because \(k_0\) is a possible key, the probability that encryption of \(m\) outputs \(\hat c\) is positive:

\[ \Pr[\mathsf{Enc}(K,m)=\hat c] > 0. \]

Now define the set

\[ S := \{\, m' \in \mathcal M \mid \exists k \in \mathcal K: \mathsf{Dec}(k,\hat c)=m' \,\}. \]

In words:

• fix the ciphertext \(\hat c\);
• decrypt \(\hat c\) under every possible key;
• collect all messages that can appear as a decryption result.

So \(S\) is the set of all messages reachable from \(\hat c\) by decrypting with some key.

Since

\[ \hat c = \mathsf{Enc}(k_0,m), \]

correctness gives

\[ \mathsf{Dec}(k_0,\hat c) = \mathsf{Dec}(k_0,\mathsf{Enc}(k_0,m)) = m. \]

Therefore

\[ m \in S. \]

For every fixed key \(k\), because decryption is deterministic,

\[ \mathsf{Dec}(k,\hat c) \]

has at most one output message.

So each key contributes at most one message to \(S\).

Define the function

\[ f:\mathcal K \to S \]

by

\[ f(k) := \mathsf{Dec}(k,\hat c). \]

By definition of \(S\), the function \(f\) is surjective onto \(S\).

Therefore,

\begin{equation*} |S| \le |\mathcal K|. \end{equation*}

Since we assumed

\begin{equation*} |\mathcal K| < |\mathcal M|, \end{equation*}

we get

\begin{equation*} |S| < |\mathcal M|. \end{equation*}

So \(S\) cannot contain all messages.

Thus

\[ \mathcal M \setminus S \neq \varnothing. \]

Therefore there exists some message

\[ m' \in \mathcal M \setminus S. \]

By definition of \(S\), this means that for every key \(k\in\mathcal K\),

\[ \mathsf{Dec}(k,\hat c) \neq m'. \]

Suppose, for contradiction, that there exists a key \(k'\in\mathcal K\) such that

\[ \mathsf{Enc}(k',m') = \hat c. \]

Then by correctness,

\[ \mathsf{Dec}(k',\hat c) = \mathsf{Dec}(k',\mathsf{Enc}(k',m')) = m'. \]

But then

\[ m' \in S, \]

contradicting the choice

\[ m' \in \mathcal M \setminus S. \]

Therefore no key can encrypt \(m'\) to \(\hat c\).

Hence

\[ \Pr[\mathsf{Enc}(K,m')=\hat c] = 0. \]

But we already had

\[ \Pr[\mathsf{Enc}(K,m)=\hat c] > 0. \]

So

\[ \Pr[\mathsf{Enc}(K,m)=\hat c] \neq \Pr[\mathsf{Enc}(K,m')=\hat c]. \]

This violates Definition 2 of perfect secrecy.

Therefore, if

\begin{equation*} |\mathcal K| < |\mathcal M|, \end{equation*}

the scheme cannot be perfectly secret.

By contraposition, every perfectly secret scheme satisfies

\begin{equation*} |\mathcal K| \ge |\mathcal M|. \end{equation*}

Shannon’s theorem is a fundamental limitation on perfect secrecy.

Perfect secrecy is possible, but only at the cost of huge key material.

For bitstrings, if messages have length \(n\), then keys need length at least \(n\).

So perfect secrecy does not allow short reusable keys.

Perfect secrecy holds against every conceivable adversary.

That includes adversaries with unlimited computational power.

But in the real world, adversaries are computationally bounded.

For example, an adversary that needs

\[ 10^{100} \]

times the age of the universe to break a scheme is not practically relevant.

So we want to move from:

\[ \text{all adversaries} \]

to:

\[ \text{realistic efficient adversaries}. \]

The core idea is:

\[ \text{security should hold against computationally bounded adversaries.} \]

Perfect secrecy only protects secrecy.

But encryption might still be vulnerable to attacks that do not reveal the plaintext.

So secrecy alone may not capture every security goal we intuitively want.

The lecture gives an attack on the one-time pad that does not break secrecy, but still causes damage.

There are two armies trying to coordinate an attack on a castle.

One commander wants to send one of two possible messages to the other commander:

\[ m_0 = \mathsf{Binary}(\text{"Attack"}) \]

and

\[ m_1 = \mathsf{Binary}(\text{"Wait!"}). \]

The message is encrypted using a one-time pad:

\[ c = K \oplus m_b, \]

where

\[ b \in \{0,1\}. \]

The adversary intercepts the ciphertext \(c\).

The adversary does not need to learn whether the original message was “Attack” or “Wait”.

Instead, the adversary only wants to disrupt coordination.

The adversary computes

\[ c' = c \oplus m_0 \oplus m_1. \]

Since

\[ c = K \oplus m_b, \]

we get

\[ c' = K \oplus m_b \oplus m_0 \oplus m_1. \]

If \(b=0\), then

\[ m_b = m_0, \]

so

\[ c' = K \oplus m_0 \oplus m_0 \oplus m_1 = K \oplus m_1. \]

If \(b=1\), then

\[ m_b = m_1, \]

so

\[ c' = K \oplus m_1 \oplus m_0 \oplus m_1 = K \oplus m_0. \]

Thus in both cases,

\[ c' = K \oplus m_{1-b}. \]

So \(c'\) decrypts to the opposite message.

The adversary flips the meaning of the message:

\[ \text{Attack} \leftrightarrow \text{Wait}. \]

The adversary does not learn the message.

But the adversary can still make one army attack while the other waits.

Therefore:

• the one-time pad remains perfectly secret;
• the adversary still achieves a harmful goal;
• secrecy alone does not imply message integrity or authenticity.

This motivates later notions such as message authentication.

Take Definition 3 of perfect secrecy and restrict the adversaries to \(T\)-bounded adversaries.

A first attempted definition:

An encryption scheme is \(T\)-IND secure if, for every \(T\)-bounded adversary \(\mathcal A\),

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] = \frac12. \]

The experiment is the same indistinguishability experiment:

1. \(\mathcal A\) sends \(m_0,m_1\).
2. Challenger samples \(K\leftarrow\mathsf{KeyGen}()\).
3. Challenger samples \(b\leftarrow_{\$}\{0,1\}\).

4. Challenger sends

   \[ c^* \leftarrow \mathsf{Enc}(K,m_b). \]

5. \(\mathcal A\) outputs \(b'\).
6. The experiment outputs \(1\) iff \(b'=b\).

A student asks whether \(T\) means “operations”.

The lecturer says that, informally, \(T\) can be thought of as operations.

But if we want to include parallel computation, then a better theoretical model is circuit size.

Circuit size captures the total number of operations, both sequential and parallel.

So \(T\) is not a perfectly technology-independent measure.

The advantage of an adversary \(\mathcal A\) is

\begin{equation*} \mathsf{Adv}_{\mathcal A} = \Pr[\mathsf{IND}_{\mathcal A}=1] - \frac12. \end{equation*}

The term \(\frac12\) is the success probability of the trivial random-guessing adversary.

So the advantage measures how much better \(\mathcal A\) does compared to random guessing.

An encryption scheme is \((T,\epsilon)\)-IND secure if, for every \(T\)-bounded adversary \(\mathcal A\),

\[ \Pr[\mathsf{IND}_{\mathcal A}=1] < \frac12 + \epsilon. \]

Equivalently,

\[ \mathsf{Adv}_{\mathcal A} < \epsilon. \]

This rules out adversaries that have non-negligible success beyond random guessing, while allowing tiny statistical deviations.

In practice, one chooses parameters so that the best known attack with time complexity \(T\) has success probability less than

\[ \frac12+\epsilon. \]

Typical historical parameters might be:

\[ T = 2^{80} \]

and

\[ \epsilon = 2^{-60}. \]

But this raises an important question:

What is the unit of \(T\)?

Possible units include:

• milliseconds;
• elementary CPU operations;
• CPU cycles;
• circuit gates;
• hardware operations;
• ASIC cost;
• FPGA cost;
• quantum operations.

Therefore concrete security is inherently technology-dependent.

A concrete security statement only makes sense relative to a specific computational model or technology.

In complexity theory, problems consist of infinitely many instances.

The runtime of an algorithm is measured as a function of the input size.

For example, merge sort on \(n\) elements runs in time

\[ O(n\log n). \]

A function \(f(n)\) is in

\[ O(n\log n) \]

if there exists a constant \(c>0\) such that, for all sufficiently large \(n\),

\[ f(n) \le c n\log n. \]

The lecturer informally writes something like:

\[ f(n)\in O(n\log n) \iff \exists c>0: \forall n\in\mathbb N: f(n)\le c n\log n. \]

More standardly, the inequality is required for all sufficiently large \(n\).

An algorithm is efficient if it runs in polynomial time:

\[ f(n)\in \mathsf{poly}(n). \]

That means there exists a constant \(d>0\) such that

\[ f(n)\le n^d \]

for all sufficiently large \(n\).

Different reasonable computational models can simulate each other with polynomial overhead.

For example:

• modern CPUs can simulate Turing machines with polynomial overhead;
• Turing machines can simulate many other reasonable models with polynomial overhead.

Thus polynomial-time computation is a robust way to talk about efficient computation without tying the definition to one specific machine.

In the modern syntax, key generation takes the security parameter as input:

\[ \mathsf{KeyGen}(1^\lambda). \]

Here

\[ 1^\lambda \]

means the unary string consisting of \(\lambda\) many ones:

\[ 1^\lambda = \underbrace{11\cdots 1}_{\lambda\text{ times}}. \]

The reason for unary encoding is a complexity-theoretic convention.

Algorithms are allowed to run polynomial time in the length of their input.

If we encoded \(\lambda\) in binary, then the input length would be only

\[ \log \lambda. \]

Then polynomial time in the input length would mean polynomial in \(\log\lambda\), which is not what we want.

Using \(1^\lambda\) gives an input of length \(\lambda\), so polynomial time means

\[ \mathsf{poly}(\lambda). \]

A Boolean circuit consists of gates such as:

\[ \mathsf{AND},\quad \mathsf{OR},\quad \mathsf{NOT},\quad \mathsf{XOR}. \]

A fixed Boolean circuit usually only handles inputs of one fixed length.

For example, one circuit may take: \[ 128\text{-bit inputs}, \]

while another circuit may take:

\[ 256\text{-bit inputs}. \]

So, to solve a problem for all input lengths, we need a whole family of circuits:

\[ \{C_n\}_{n\in\mathbb N}, \]

where \(C_n\) is the circuit for inputs of length \(n\).

The key difference is this:

For a PPT machine, we specify one algorithm:

\[ A. \] For Boolean circuits, we specify an infinite sequence of circuits:

\[ C_1,C_2,C_3,\dots \] If we do not require a single algorithm to generate these circuits, then each circuit \(C_n\) can be designed separately.

This is called non-uniform computation.

In other words:

\[ \text{different input lengths may use completely different circuits.} \]

There is no requirement that all these circuits come from one common program.

A non-uniform circuit family can contain information that is hard-wired for each input length.

This is similar to giving an algorithm extra advice depending only on the input length.

Informally:

\[ \text{non-uniform computation} \approx \text{uniform computation} + \text{advice depending on } n. \]

The advice may depend on the input length \(n\), but not on the concrete input \(x\).

So for all inputs of length \(128\), the circuit \(C_{128}\) may contain some information that is useful specifically for length \(128\).

A PPT machine does not have this freedom, because it has only one fixed program for all input lengths.

In a randomized Turing-machine model running in polynomial time:

• one finite machine description works for all input lengths.

In a circuit model:

• one usually has a different circuit for each input length;
• therefore an algorithm is an infinite sequence of circuits.

This creates a conceptual difference between uniform and non-uniform computation.

For this course, the lecture says we will think of efficient adversaries as PPT machines.

A function

\[ f:\mathbb N\to \mathbb R_{\ge 0} \]

is called negligible if, for every polynomial \(p\), there exists an integer \(N\in\mathbb N\) such that for all \(n>N\),

\[ f(n) < \frac1{p(n)}. \]

Equivalently, it is enough to check polynomials of the form

\[ p(n)=n^c \]

for constants \(c>0\).

So \(f\) is negligible iff for every constant \(c>0\), there exists \(N\) such that for all \(n>N\),

\[ f(n) < n^{-c}. \]

Notation:

\[ \mathsf{negl}(n) \]

denotes an unspecified negligible function.

A negligible function goes to zero faster than every inverse polynomial.

We do not care what the function does for small \(n\).

We only care that once \(n\) is sufficiently large, the function becomes smaller than every inverse polynomial.

So negligible means:

\[ f(n) = o(n^{-c}) \]

for every constant \(c>0\).

\[ f_1(n)=2^{-n} \]

is negligible.

To show this, we need:

\[ 2^{-n} < n^{-c} \]

for every constant \(c>0\) and sufficiently large \(n\).

This is equivalent to

\[ 2^n > n^c. \]

Exponential functions eventually dominate every polynomial.

Therefore

\[ 2^{-n} \]

is negligible.

\[ f_2(n)=n^{-100} \]

is not negligible.

Reason:

To be negligible, it would need to be smaller than every inverse polynomial.

But take

\[ n^{-101}. \]

We have

\[ n^{-100} > n^{-101} \]

for all \(n>1\).

Thus \(n^{-100}\) is not smaller than every inverse polynomial.

So

\[ n^{-100} \]

is not negligible.

Assuming \(\log\) means base \(2\), we have

\[ 2^{-\log n} = \frac1{2^{\log n}} = \frac1n. \]

Thus

\[ f_3(n)=\frac1n. \]

This is an inverse polynomial.

Therefore it is not negligible.

We rewrite:

\[ 2^{-(\log n)^2} = \left(2^{\log n}\right)^{-\log n} = n^{-\log n}. \]

So

\[ f_4(n)=n^{-\log n}. \]

For any constant \(c>0\), eventually

\[ \log n > c. \]

Therefore, for sufficiently large \(n\),

\[ n^{-\log n} < n^{-c}. \]

Hence

\[ 2^{-(\log n)^2} \]

is negligible.

\[ f_5(n)=n^{-\log\log n} \]

is negligible.

Reason:

Although

\[ \log\log n \]

grows very slowly, it is still unbounded.

For every constant \(c>0\), eventually

\[ \log\log n > c. \]

Therefore, for sufficiently large \(n\),

\[ n^{-\log\log n} < n^{-c}. \]

So

\[ n^{-\log\log n} \]

is negligible.

The lecture gives the following rule:

A function \(f\) is negligible iff

\[ -\log(f(n)) \ge \omega(\log n). \]

• Meaning of \(\omega(\log n)\)

  The notation \[ \omega(\log n) \] means that a function grows strictly faster than \(\log n\).

  More formally, if \[ g(n)=\omega(\log n), \]

  then

  \[ \frac{g(n)}{\log n}\to \infty \] as

  \[ n\to\infty. \] So \(g(n)\) is not just larger than \(\log n\) by a constant factor.

  Instead, the ratio \[ \frac{g(n)}{\log n} \] must grow without bound.

Equivalently, \(f(n)\) is negligible when the logarithmic decay of \(f\) grows asymptotically faster than \(\log n\).

For example:

\[ f(n)=2^{-n} \]

has

\[ -\log f(n)=n, \]

and

\[ n=\omega(\log n), \]

so it is negligible.

For

\[ f(n)=2^{-\log n}, \]

we have

\[ -\log f(n)=\log n, \]

which is not \(\omega(\log n)\), so it is not negligible.

For

\[ f(n)=2^{-(\log n)^2}, \]

we have

\[ -\log f(n)=(\log n)^2, \]

and

\[ (\log n)^2=\omega(\log n), \]

so it is negligible.

For

\[ f(n)=n^{-\log\log n}, \]

we compute:

\[ -\log f(n) = -\log\left(n^{-\log\log n}\right). \]

Using

\[ \log(x^y)=y\log x, \]

we get

\[ -\log f(n) = \log\log n \cdot \log n. \]

Since

\[ \log\log n \to \infty, \]

we have

\[ \log\log n \cdot \log n = \omega(\log n). \]

Thus \(f(n)\) is negligible.

If \(\nu_1\) and \(\nu_2\) are negligible functions, and \(p\) is a polynomial, then:

1. \(\nu_1+\nu_2\) is negligible.
2. \(p\cdot \nu_1\) is negligible.

We want to show:

\[ \nu_1(\lambda)+\nu_2(\lambda) \]

is negligible.

Let \(c>0\) be arbitrary.

Since \(\nu_1\) is negligible, for sufficiently large \(\lambda\),

\[ \nu_1(\lambda) < \lambda^{-(c+1)}. \]

Since \(\nu_2\) is negligible, for sufficiently large \(\lambda\),

\[ \nu_2(\lambda) < \lambda^{-(c+1)}. \]

Let \(\lambda'\) be large enough so that both inequalities hold for all

\[ \lambda > \lambda'. \]

Then for all \(\lambda>\lambda'\),

\[ \nu_1(\lambda)+\nu_2(\lambda) < \lambda^{-(c+1)}+\lambda^{-(c+1)}. \]

Thus

\[ \nu_1(\lambda)+\nu_2(\lambda) < 2\lambda^{-(c+1)}. \]

For \(\lambda>2\),

\[ 2\lambda^{-(c+1)} < \lambda^{-c}. \]

Therefore, for sufficiently large \(\lambda\),

\[ \nu_1(\lambda)+\nu_2(\lambda) < \lambda^{-c}. \]

Since \(c>0\) was arbitrary,

\[ \nu_1+\nu_2 \]

is negligible.

Let

\[ p(\lambda) \]

be a polynomial.

For simplicity, suppose

\[ p(\lambda) \le \lambda^d \]

for some constant \(d>0\) and sufficiently large \(\lambda\).

Since \(\nu_1\) is negligible, for every \(c>0\), in particular for \(c+d\), there exists a sufficiently large \(\lambda\) such that

\[ \nu_1(\lambda) < \lambda^{-(c+d)}. \]

Then

\[ p(\lambda)\nu_1(\lambda) \le \lambda^d \cdot \lambda^{-(c+d)} = \lambda^{-c}. \]

Since this holds for every \(c>0\) and sufficiently large \(\lambda\),

\[ p\cdot \nu_1 \]

is negligible.

The lecture also expresses this using asymptotic notation:

\[ \nu_1(\lambda)=\lambda^{-\omega(1)}. \]

If

\[ p(\lambda)=\lambda^c, \]

then

\[ p(\lambda)\nu_1(\lambda) = \lambda^c\cdot \lambda^{-\omega(1)} = \lambda^{c-\omega(1)} = \lambda^{-\omega(1)}. \]

So multiplying a negligible function by a polynomial still gives a negligible function.