Basics of Private Key Encryption 2
1. Lecture 7: Computational Security, Pseudorandom Generators, and Stream Ciphers
This lecture completes the transition from perfect secrecy to computational security.
The main ideas are:
- perfect secrecy is too strong for practical encryption with short keys;
- computational security only considers efficient adversaries;
- asymptotic security uses a security parameter \(\lambda\);
- efficient adversaries are modeled as PPT algorithms;
- small advantage means negligible advantage;
- cryptographic pseudorandom generators (PRGs) fool all efficient statistical tests;
- PRGs can be used to build IND-secure stream ciphers.
2. Review: Negligible Functions
The lecture starts by reviewing negligible functions, because they are the right asymptotic notion of “small advantage”.
A function
\[ f : \mathbb{N} \to \mathbb{R}_{\ge 0} \]
is negligible if it converges to zero faster than every inverse polynomial.
Formally, \(f\) is negligible if for every positive polynomial \(p\), there exists \(N \in \mathbb{N}\) such that for all \(n > N\),
\[ f(n) < \frac{1}{p(n)}. \]
Equivalently, it is enough to check polynomials of the form
\[ p(n) = n^c \]
for constants \(c > 0\). Thus \(f\) is negligible iff for every constant \(c > 0\), eventually
\[ f(n) < n^{-c}. \]
The lecture emphasized the following useful way to think about negligible functions:
\[ f(n) = n^{-\omega(1)}. \]
Here \(\omega(1)\) denotes a function that grows to infinity, possibly very slowly. So \(f(n) = n^{-\omega(1)}\) means that \(f(n) < n^{-c}\) for every constant \(c\), once \(n\) is sufficiently large.
Another equivalent form is
\[ f(n) = 2^{-\omega(\log n)}. \]
Since \(2^{\log n} = n\), we can rewrite \(2^{-\omega(\log n)}\) as \(n^{-\omega(1)}\).
So the most useful intuition is:
\[ \boxed{ \text{negligible} \approx n^{-\text{superconstant}} } \]
where “superconstant” means growing beyond every fixed constant.
2.1. Simple test using logarithms
The lecture also recalled the rule:
\[ f \text{ is negligible} \iff -\log f(n) = \omega(\log n). \]
This means that the number of bits by which \(f\) decays must exceed every constant multiple of \(\log n\) once \(n\) is large enough.
For example:
\[ f(n) = 2^{-n} \]
is negligible because
\[ -\log(f(n)) = n, \]
and
\[ n = \omega(\log n). \]
But
\[ f(n) = n^{-100} \]
is not negligible, because
\[ -\log(f(n)) = 100 \log n, \]
which is only a constant multiple of \(\log n\), not \(\omega(\log n)\).
3. Full Definition of Encryption Schemes with a Security Parameter
The lecture then introduces the full asymptotic syntax of an encryption scheme.
An encryption scheme is a triple of PPT algorithms:
\[ (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec}). \]
The important new feature is that \(\mathsf{KeyGen}\) now receives an explicit security parameter.
3.1. Security parameter
The security parameter is denoted by
\[ \lambda. \]
It is usually written in unary as
\[ 1^\lambda. \]
This means a string consisting of \(\lambda\) many \(1\)’s:
\[ 1^\lambda = \underbrace{11\cdots 1}_{\lambda \text{ times}}. \]
The reason for using unary is that the runtime of PPT algorithms should be polynomial in \(\lambda\), not polynomial in \(\log \lambda\).
3.2. Syntax
The algorithms are:
\[ \mathsf{KeyGen}(1^\lambda): \]
a randomized algorithm that takes the security parameter as input and outputs a key \(K\).
Typically, for symmetric encryption, one may think of
\[ K \in \{0,1\}^{\lambda}. \]
For example, \(\lambda = 128\) corresponds mentally to a 128-bit key.
\[ \mathsf{Enc}(K,m): \]
a possibly randomized algorithm that takes a key \(K\) and a message \(m\), and outputs a ciphertext \(c\).
\[ \mathsf{Dec}(K,c): \]
a deterministic algorithm that takes a key \(K\) and a ciphertext \(c\), and outputs a message \(m\).
3.3. Random coins / random tape
The professor emphasized that randomized algorithms can be viewed as having access to an infinite random tape.
For example, \(\mathsf{KeyGen}(1^\lambda)\) may read the first \(\lambda\) bits from its random tape and output them as the key.
This is a theoretical model of randomness. Cryptographers often call these random bits “random coins”.
3.4. Correctness
Correctness must hold for every security parameter.
For all
\[ \lambda \in \mathbb{N} \]
and all messages \(m\),
\[ \Pr[ \mathsf{Dec}(K,\mathsf{Enc}(K,m)) = m ] = 1, \]
where
\[ K \leftarrow \mathsf{KeyGen}(1^\lambda). \]
The probability is over the randomness of \(\mathsf{KeyGen}\) and \(\mathsf{Enc}\).
Correctness is required even for small \(\lambda\), although security may be meaningless for small \(\lambda\). For example, a 10-bit key can be brute-forced easily because there are only
\[ 2^{10} = 1024 \]
possible keys.
4. Computational Security: Asymptotic IND Security
The lecture then defines computational security in terms of indistinguishability.
In perfect secrecy, adversaries were computationally unbounded.
In computational security, adversaries are restricted to efficient algorithms, namely PPT machines.
4.1. PPT adversaries
PPT means:
\[ \text{Probabilistic Polynomial Time}. \]
So a PPT adversary is a randomized algorithm whose running time is polynomial in the security parameter \(\lambda\).
Thus:
\[ \boxed{ \text{efficient adversary} = \text{PPT adversary} } \]
4.2. The IND experiment
The indistinguishability experiment is denoted by
\[ \mathsf{IND}_{\mathcal{A}}(\lambda). \]
It depends on the security parameter \(\lambda\).
The experiment proceeds as follows.
The adversary \(\mathcal{A}\) outputs two messages:
\[ m_0, m_1. \]
The challenger generates a key:
\[ K \leftarrow \mathsf{KeyGen}(1^\lambda). \]
The challenger samples a random challenge bit:
\[ b \leftarrow_{\$} \{0,1\}. \]
The challenger encrypts \(m_b\):
\[ c^\ast \leftarrow \mathsf{Enc}(K,m_b). \]
The ciphertext \(c^\ast\) is called the challenge ciphertext.
The adversary receives \(c^\ast\) and outputs a guess:
\[ b'. \]
The experiment outputs \(1\) if the adversary guessed correctly:
\[ \mathsf{IND}_{\mathcal{A}}(\lambda) = 1 \iff b' = b. \]
Otherwise the experiment outputs \(0\).
So
\[ \Pr[\mathsf{IND}_{\mathcal{A}}(\lambda)=1] \]
is the winning probability of adversary \(\mathcal{A}\).
4.3. IND security
An encryption scheme
\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]
is IND-secure if for every PPT adversary \(\mathcal{A}\), there exists a negligible function \(\nu\) such that for all \(\lambda \in \mathbb{N}\),
\[ \Pr[\mathsf{IND}_{\mathcal{A}}(\lambda)=1] < \frac{1}{2} + \nu(\lambda). \]
Equivalently, every efficient adversary can do only negligibly better than random guessing.
The advantage of \(\mathcal{A}\) is
\begin{equation*} \mathsf{Adv}_{\mathcal{A}}(\lambda) = \Pr[\mathsf{IND}_{\mathcal{A}}(\lambda)=1] - \frac{1}{2}. \end{equation*}
IND security requires:
\[ \mathsf{Adv}_{\mathcal{A}}(\lambda) \le \nu(\lambda) \]
for some negligible \(\nu\).
4.4. Difference from perfect secrecy
In perfect secrecy, every adversary, even a computationally unbounded one, has winning probability exactly
\[ \frac{1}{2}. \]
That is, the advantage is exactly zero.
In computational security, different PPT adversaries may have different advantages, depending on how much computation they use. The definition allows a small slack:
\[ \nu(\lambda). \]
This slack must be negligible.
Thus computational IND security is a relaxation of perfect secrecy.
5. Discussion: Asymptotic Security, Reductions, and Tight Security
The lecture then discusses what asymptotic security gives us and what it does not give us.
5.1. Standard assumptions
Asymptotic security allows us to base cryptographic security on standard computational assumptions.
These are computational problems that have been studied for a long time, often before their cryptographic relevance was known.
Examples of such assumptions include hardness assumptions like factoring large composite integers.
5.2. Reductions
The main method for proving security is a reduction.
A reduction connects the hardness of two problems.
The typical structure is:
\[ \text{If problem A is hard, then breaking scheme B is hard.} \]
To prove this, we argue contrapositive-style:
\[ \text{If someone can break scheme B, then we can solve problem A.} \]
So reductions usually go in the reverse direction.
Given:
\[ \text{an adversary against the new scheme}, \]
the reduction builds:
\[ \text{an algorithm or adversary against the underlying hard problem}. \]
This is the central proof technique for computational cryptography.
5.3. Limitation of asymptotic security
Asymptotic security does not tell us how to choose concrete parameters in practice.
For example, it does not directly tell us whether to use:
\[ 128\text{-bit keys}, \quad 256\text{-bit keys}, \quad 2048\text{-bit RSA}, \quad 4096\text{-bit RSA}. \]
Asymptotic security tells us that there is no structural design flaw in the scheme, assuming the underlying problem is hard.
It does not by itself provide exact practical security levels.
5.4. Tight security
The lecture mentions tight security as a newer trend that tries to reconcile asymptotic security with concrete guarantees.
A tight reduction means roughly:
If there is an adversary against the scheme with runtime \(T\) and advantage \(\epsilon\), then the reduction gives an algorithm against the underlying problem with essentially the same runtime and advantage.
Ideally:
\[ (T,\epsilon) \quad\text{against the scheme} \]
turns into approximately
\[ (T,\epsilon) \quad\text{against the assumption}. \]
So there is little or no security loss in the reduction.
This is important because many asymptotic proofs hide polynomial factors. In asymptotic security, polynomial factors are often swallowed up because
\[ \text{polynomial} \cdot \text{negligible} \]
is still negligible.
But for concrete security, these hidden polynomial losses may be too large.
So tight security aims to provide both:
- a solid asymptotic guarantee;
- a meaningful quantitative security guarantee.
6. Stream Ciphers: Basic Idea
The lecture then moves to stream ciphers.
The problem is:
Perfect secrecy requires the key to be at least as long as the message.
A stream cipher tries to solve this by taking a short key and expanding it into a long mask.
6.1. Basic recipe
Let
\[ K \in \{0,1\}^{\lambda} \]
be a short key.
Let
\[ G \]
be a deterministic function that expands \(K\) into a longer string:
\[ G(K) \in \{0,1\}^{\ell}. \]
Here usually
\[ \ell > \lambda. \]
Then use
\[ G(K) \]
as a one-time-pad-like mask.
Encryption:
\[ c = G(K) \oplus m. \]
Decryption:
\[ m = G(K) \oplus c. \]
This works because
\[ G(K) \oplus c = G(K) \oplus (G(K) \oplus m) = m. \]
6.2. Formal algorithms
The stream cipher construction is:
\[ \mathsf{KeyGen}(1^\lambda): \]
choose
\[ K \leftarrow_{\$} \{0,1\}^{\lambda} \]
uniformly at random and output \(K\).
\[ \mathsf{Enc}(K,m): \]
compute
\[ c \leftarrow G(K) \oplus m \]
and output \(c\).
\[ \mathsf{Dec}(K,c): \]
compute
\[ m \leftarrow G(K) \oplus c \]
and output \(m\).
6.3. Why \(G\) must be deterministic
The professor emphasized that \(G\) must be deterministic.
If \(G\) were randomized, then encryption and decryption might compute different masks.
Encryption might use one value:
\[ G(K;r_1), \]
while decryption might use another value:
\[ G(K;r_2). \]
Then correctness would fail.
Therefore, for this construction:
\[ \boxed{ G \text{ must be deterministic.} } \]
6.4. Security question
Correctness is easy.
The real question is:
\[ \text{What property must } G \text{ have for security?} \]
We want \(G(K)\) to behave like a uniformly random string.
However, \(G(K)\) cannot actually be uniformly distributed over \(\{0,1\}^{\ell}\), because \(K\) has only \(\lambda\) bits.
There are only
\[ 2^\lambda \]
possible keys, so there are at most
\[ 2^\lambda \]
possible outputs \(G(K)\).
But the set \(\{0,1\}^{\ell}\) has size
\[ 2^\ell. \]
If \(\ell > \lambda\), then
\[ 2^\lambda \ll 2^\ell. \]
Thus the distribution of \(G(K)\) has a sparse image.
Information-theoretically, it cannot equal the uniform distribution over \(\{0,1\}^{\ell}\).
So we need a computational notion:
\[ G(K) \]
should be indistinguishable from uniform for every efficient test.
This leads to pseudorandom generators.
7. Pseudorandomness against Simple Statistical Tests
The lecture gives historical motivation.
Early computer science already noticed that randomization can make algorithms more efficient. But early computers did not have good sources of true randomness.
So the idea was:
- start with a short random seed;
- expand it deterministically into a longer sequence;
- hope the output “looks random”.
7.1. Linear Feedback Shift Registers
One old construction is the Linear Feedback Shift Register, abbreviated LFSR.
An LFSR has a register of bits. At each clock cycle:
- the register shifts to one side;
- a new bit is computed as a linear function of some existing register bits;
- this new bit is inserted on the other side.
For example, the new bit might be
\[ x_{11} \oplus x_{13} \oplus x_{14} \oplus x_{16}. \]
This is a linear function over \(\mathbb{F}_2\).
LFSRs were designed to be efficient in hardware.
They can pass some simple statistical tests.
For example:
- they may be unbiased, meaning roughly the same number of \(0\)’s and \(1\)’s appear in the long run;
- they may have balanced runs, meaning the number of \(0\)-runs and \(1\)-runs of the same length is approximately the same.
A run is a consecutive block of equal bits, for example:
\[ 000 \]
is a run of three \(0\)’s, and
\[ 11 \]
is a run of two \(1\)’s.
7.2. Modular congruence generators
A software analogue popular in older systems is the modular congruence generator (more commonly called a linear congruential generator, LCG).
It has the form:
\[ x_{i+1} = a x_i + b \pmod N. \]
This is also linear, but over \(\mathbb{Z}_N\) rather than over \(\mathbb{F}_2\).
7.3. Why simple tests are not enough
LFSRs and modular congruence generators may pass simple tests like:
- bias tests;
- run tests.
But cryptography needs much more.
The problem is linearity.
If the output bits are generated by linear rules, then after observing enough output, an attacker can set up a system of linear equations and solve for the secret state using Gaussian elimination.
Solving linear systems is efficient.
Thus linear generators are not cryptographically secure.
The lesson is:
\[ \boxed{ \text{Passing a few chosen statistical tests is not enough.} } \]
Cryptographers want the output to fool all efficient tests.
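The Gaussian-elimination attack on linear generators, as an added example that is not part of the lecture: an attacker who sees \(2n\) consecutive output bits of an unknown \(n\)-bit LFSR writes the \(n\) equations \(x_{i+n} = \sum_j c_j x_{i+j}\) (one per window of the output), solves them over \(\mathbb{F}_2\) for the tap coefficients \(c_j\), and then predicts every later bit. The register size, the initial state and the feedback \(x_{i+16} = x_i \oplus x_{i+11} \oplus x_{i+13} \oplus x_{i+14}\) (the classic maximal-length 16-bit LFSR; how its taps line up with the lecture's \(x_{11} \oplus x_{13} \oplus x_{14} \oplus x_{16}\) is an assumption about indexing) are constructed demo values, and the attack does not depend on them.

```python
from typing import List


def feedback(reg: List[int], taps: List[int]) -> int:
    """New bit = XOR of the tapped register positions: a linear function over GF(2)."""
    bit = 0
    for t in taps:
        bit ^= reg[t]
    return bit


def lfsr_bits(state: List[int], taps: List[int], count: int) -> List[int]:
    """Fibonacci LFSR: each clock outputs reg[0], shifts left and appends feedback(reg).
    The output therefore satisfies x_{i+n} = XOR_{t in taps} x_{i+t}."""
    reg = list(state)
    out = []
    for _ in range(count):
        out.append(reg[0])
        reg = reg[1:] + [feedback(reg, taps)]
    return out


def solve_gf2(rows: List[List[int]]) -> List[int]:
    """Gauss-Jordan elimination over GF(2) on an augmented n x (n+1) system [A | y].
    Returns c with A c = y; raises ValueError if A is singular."""
    m = [r[:] for r in rows]
    n = len(m[0]) - 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] == 1), None)
        if pivot is None:
            raise ValueError("singular system: these 2n bits do not pin down the taps")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col] == 1:
                m[r] = [a ^ b for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def recover_taps(observed: List[int], n: int) -> List[int]:
    """From 2n consecutive output bits of an unknown n-bit LFSR, set up the n equations
    x_{i+n} = sum_j c_j x_{i+j} (i = 0..n-1) and solve for the tap coefficients c_j."""
    if len(observed) < 2 * n:
        raise ValueError("need at least 2n output bits")
    rows = [observed[i:i + n] + [observed[i + n]] for i in range(n)]
    coeffs = solve_gf2(rows)
    return [j for j, c in enumerate(coeffs) if c == 1]


def predict(observed: List[int], taps: List[int], n: int, count: int) -> List[int]:
    """Continue the keystream with the recovered recurrence (the last n bits are the state)."""
    seq = list(observed)
    for _ in range(count):
        seq.append(feedback(seq[-n:], taps))
    return seq[len(observed):]


# Constructed demo parameters (assumptions, not from the lecture): a 16-bit register with
# feedback x_{i+16} = x_i ^ x_{i+11} ^ x_{i+13} ^ x_{i+14} and an arbitrary nonzero state.
N = 16
SECRET_TAPS = [0, 11, 13, 14]
SECRET_STATE = [(0xACE1 >> i) & 1 for i in range(N)]


def demo():
    """Attacker sees 2n keystream bits, recovers the taps, predicts the next 2n bits."""
    stream = lfsr_bits(SECRET_STATE, SECRET_TAPS, 4 * N)
    seen = stream[:2 * N]
    taps = recover_taps(seen, N)
    future = predict(seen, taps, N, 2 * N)
    return taps, future == stream[2 * N:]


if __name__ == "__main__":
    print(demo())
```

The whole attack is one linear solve on a \(16 \times 16\) matrix, which is why no amount of passing bias or run tests helps: the tests never look for linear structure, and the attacker needs only twice the register length in output bits.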
8. Definition: Cryptographic Pseudorandom Generator
A cryptographic pseudorandom generator is a deterministic polynomial-time algorithm
\[ G : \{0,1\}^{\lambda} \to \{0,1\}^{\ell}, \]
where
\[ \ell = \operatorname{poly}(\lambda) \]
and usually
\[ \ell > \lambda. \]
The input \(K\) is called a key or seed.
The output is
\[ G(K). \]
Let
\[ u \leftarrow \{0,1\}^{\ell} \]
be a truly uniform random string of length \(\ell\).
8.1. Distinguisher
A distinguisher is an algorithm
\[ \mathcal{D} \]
that takes a string as input and outputs one bit:
\[ \mathcal{D}(x) \in \{0,1\}. \]
It represents an efficient statistical test.
8.2. PRG definition
\(G\) is a pseudorandom generator if for every PPT distinguisher \(\mathcal{D}\),
\begin{equation*} \left| \Pr[\mathcal{D}(G(K)) = 1] - \Pr[\mathcal{D}(u) = 1] \right| \le \operatorname{negl}(\lambda), \end{equation*}
where
\[ K \leftarrow \{0,1\}^{\lambda}, \]
\[ u \leftarrow \{0,1\}^{\ell}, \]
and the probabilities also include the random coins of \(\mathcal{D}\).
Intuitively:
\[ \boxed{ G(K) \approx_c u } \]
meaning \(G(K)\) is computationally indistinguishable from uniform.
No efficient algorithm should be able to tell whether it received:
\[ G(K) \]
or
\[ u. \]
9. Truly Random Distributions vs. Pseudorandom Distributions
There is an important information-theoretic difference between a truly random distribution and a pseudorandom distribution.
The uniform distribution over
\[ \{0,1\}^{\ell} \]
has support size
\[ 2^\ell. \]
That means every string in \(\{0,1\}^{\ell}\) can occur.
But a PRG with seed length \(\lambda\) has at most
\[ 2^\lambda \]
possible outputs.
Thus the support size of \(G(K)\) is at most
\[ 2^\lambda. \]
If \(\ell > \lambda\), then this is a very sparse subset of \(\{0,1\}^{\ell}\).
For example, suppose
\[ \ell = 2\lambda. \]
Then the density of the image of \(G\) is at most
\[ \frac{2^\lambda}{2^{2\lambda}} = 2^{-\lambda}. \]
So if we sample a truly random string from
\[ \{0,1\}^{2\lambda}, \]
the probability that it lies in the image of \(G\) is at most
\[ 2^{-\lambda}. \]
This is exponentially small.
Thus pseudorandom distributions are statistically very far from uniform.
However, they are computationally indistinguishable from uniform.
This is the key cryptographic idea:
\[ \boxed{ \text{far from uniform information-theoretically,} \quad \text{but indistinguishable from uniform efficiently.} } \]
10. Example: Modular Congruence Generator
The lecture then gives an example of a generator that is not cryptographically secure.
Let \(P\) be a public prime.
Choose
\[ a,b \leftarrow \mathbb{Z}_P \]
and
\[ x_0 \leftarrow \mathbb{Z}_P. \]
Let the seed be
\[ s = (a,b,x_0). \]
Define the sequence:
\[ x_{i+1} = a x_i + b \pmod P. \]
Then the generator outputs
\[ x_0,x_1,\dots,x_\ell. \]
10.1. Is this a PRG?
No.
The reason is that the whole sequence is determined by any three consecutive values.
From
\[ x_0,x_1,x_2, \]
we have
\[ x_1 = a x_0 + b \pmod P, \]
\[ x_2 = a x_1 + b \pmod P. \]
Subtracting gives:
\[ x_2 - x_1 = a(x_1 - x_0) \pmod P. \]
Assuming
\[ x_1 \neq x_0 \pmod P, \]
we can compute
\[ a = (x_2-x_1)(x_1-x_0)^{-1} \pmod P. \]
Then
\[ b = x_1 - a x_0 \pmod P. \]
(If instead \(x_1 = x_0\), then \(x_2 = a x_1 + b = x_1\) and the whole sequence is constant, which is a giveaway on its own.)
So after seeing only three outputs, the adversary can recover \(a\) and \(b\), and with \(x_0\) the entire seed.
10.2. Distinguishing attack
A distinguisher can do the following:
- receive a sequence \(x_0,x_1,\dots,x_\ell\);
- compute \(a\) and \(b\) from \(x_0,x_1,x_2\);
- test whether for every \(i \ge 3\),
\[ x_i = a x_{i-1} + b \pmod P. \]
For a sequence generated by the modular congruence generator, the test always passes.
For a truly uniform sequence, each of the \(\ell-2\) values \(x_3,\dots,x_\ell\) independently satisfies the recurrence with probability \(1/P\), so the probability that all of them do is only
\[ P^{-(\ell-2)}. \]
Therefore, the distinguishing advantage is approximately
\[ 1 - P^{-(\ell-2)}. \]
This is huge, not negligible.
So the modular congruence generator is not a cryptographic PRG.
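The recovery of \((a,b)\) and the distinguisher above, run as code (an added example, not from the lecture). The prime \(P = 2^{31}-1\), the seeds and the sequence length are constructed demo values; the constant-sequence case \(x_1 = x_0\) is handled explicitly, and `demo` estimates \(\Pr[\mathcal{D}(G(s))=1]\) and \(\Pr[\mathcal{D}(u)=1]\) empirically.

```python
import random


def lcg_outputs(P: int, a: int, b: int, x0: int, count: int) -> list:
    """x_0, x_1, ..., x_{count-1} with x_{i+1} = a*x_i + b mod P."""
    xs = [x0 % P]
    for _ in range(count - 1):
        xs.append((a * xs[-1] + b) % P)
    return xs


def recover_ab(P: int, x0: int, x1: int, x2: int):
    """Recover (a, b) from three consecutive outputs, as in the lecture:
    a = (x2 - x1) * (x1 - x0)^{-1}, b = x1 - a*x0 (mod P).
    Returns None when x1 == x0: then x2 = a*x1 + b = x1 and the sequence is constant."""
    d = (x1 - x0) % P
    if d == 0:
        return None
    a = ((x2 - x1) * pow(d, -1, P)) % P   # P is prime, so the inverse exists
    b = (x1 - a * x0) % P
    return a, b


def distinguisher(P: int, xs: list) -> int:
    """D(xs) = 1 ('generator output') iff the recurrence fitted from x_0, x_1, x_2
    explains every later value; a constant sequence is also flagged as generator output."""
    if len(xs) < 4:
        raise ValueError("need at least four values")
    ab = recover_ab(P, xs[0], xs[1], xs[2])
    if ab is None:
        return 1 if all(x == xs[0] for x in xs) else 0
    a, b = ab
    return 1 if all(xs[i] == (a * xs[i - 1] + b) % P for i in range(3, len(xs))) else 0


def estimate_advantage(P: int, length: int, trials: int, rng: random.Random):
    """Empirical Pr[D(G(s)) = 1] and Pr[D(u) = 1] over random seeds s = (a, b, x_0)
    and uniform sequences u of the same length; the advantage is their difference."""
    hit_gen = hit_uni = 0
    for _ in range(trials):
        a, b, x0 = (rng.randrange(P) for _ in range(3))
        hit_gen += distinguisher(P, lcg_outputs(P, a, b, x0, length))
        hit_uni += distinguisher(P, [rng.randrange(P) for _ in range(length)])
    return hit_gen / trials, hit_uni / trials


P = 2 ** 31 - 1   # public prime (constructed demo parameter)


def demo(length: int = 8, trials: int = 200, seed: int = 1):
    """Seeded so the estimate is reproducible; expect (1.0, 0.0) for any sane seed."""
    return estimate_advantage(P, length, trials, random.Random(seed))


if __name__ == "__main__":
    print(demo())
```

Three outputs suffice for the recovery and a fourth already gives a check that a uniform sequence fails with probability \(1 - 1/P\); the empirical advantage is indistinguishable from \(1\).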
11. Example: Modular Squares Generator / Blum-Blum-Shub
The lecture then gives a positive example.
Let
\[ N = P Q, \]
where \(P,Q\) are large randomly chosen primes. (In the Blum-Blum-Shub construction, \(P\) and \(Q\) are additionally required to be congruent to \(3 \bmod 4\), so-called Blum primes; this makes squaring a permutation of the quadratic residues modulo \(N\), which the security proof relies on.)
Choose
\[ z_0 \leftarrow_{\$} \mathbb{Z}_N \]
with \(\gcd(z_0,N)=1\); a uniformly random \(z_0\) satisfies this except with negligible probability, and a \(z_0\) violating it would reveal a factor of \(N\) via \(\gcd(z_0,N)\).
Define the internal state sequence:
\[ z_i = z_{i-1}^2 \pmod N. \]
If we simply output the full \(z_i\)’s, then this would not be pseudorandom, because the deterministic recurrence is publicly checkable.
Instead, output only the least significant bit of each state:
\[ x_i = \operatorname{LSB}(z_i). \]
So the output sequence is
\[ x_0,x_1,\dots,x_\ell. \]
The least significant bit tells whether \(z_i\) is even or odd.
11.1. Security statement
This generator is a PRG under the assumption that factoring
\[ N = P Q \]
is hard.
That is, given \(N\), it should be computationally hard to find \(P\) and \(Q\).
This is the Blum-Blum-Shub generator from 1982.
The lecture does not prove the reduction, because it requires extra number theory and the notion of hardcore bits.
The professor mentions that such proofs belong more naturally in an advanced course.
11.2. Comment about size of \(z_0\)
A student asked about the possibility that \(z_0\) is comparatively small.
The professor explained that if \(z_0\) is chosen uniformly modulo \(N\), then it will almost always have roughly the same bit length as \(N\).
For example, if \(N\) is 1024 bits and the top 100 bits of \(z_0\) are all zero, then the probability is about
\[ 2^{-100}. \]
So this kind of unusually small choice is very unlikely.
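A toy Blum-Blum-Shub generator as an added example (not code from the lecture or from the Blum-Blum-Shub paper), with the two checks a practitioner would add: both primes must be \(3 \bmod 4\), and the seed must be coprime to \(N\). The helper `squaring_permutes_qr` verifies on a small modulus that squaring permutes the quadratic residues exactly when both primes are Blum primes, `bbs_bits` outputs only the least significant bit of each state (and never the seed itself), and `looks_like_bbs_states` is the trivial distinguisher against the variant that outputs whole states. The moduli \(209 = 11 \cdot 19\) and \(247 = 13 \cdot 19\) are constructed demo values, far too small for real use.

```python
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def bbs_setup(p: int, q: int) -> int:
    """N = p*q with p, q distinct primes and p = q = 3 (mod 4), i.e. Blum primes. Then
    squaring is a permutation of the quadratic residues mod N, which the BBS proof uses."""
    for r in (p, q):
        if not is_prime(r) or r % 4 != 3:
            raise ValueError(f"{r} is not a prime congruent to 3 mod 4")
    if p == q:
        raise ValueError("p and q must be distinct")
    return p * q


def squaring_permutes_qr(N: int) -> bool:
    """Check on a toy modulus that z -> z^2 maps the set of quadratic residues onto itself."""
    qr = {x * x % N for x in range(1, N) if gcd(x, N) == 1}
    return {z * z % N for z in qr} == qr


def bbs_states(N: int, z0: int, count: int) -> list:
    """Internal states z_1, ..., z_count with z_i = z_{i-1}^2 mod N. The seed z_0 is never
    output. A seed sharing a factor with N is rejected: gcd(z_0, N) would be p or q."""
    if not 1 < z0 < N or gcd(z0, N) != 1:
        raise ValueError("seed must lie in (1, N) and be coprime to N")
    states, z = [], z0
    for _ in range(count):
        z = z * z % N
        states.append(z)
    return states


def bbs_bits(N: int, z0: int, count: int) -> list:
    """Output only the least significant bit of each state."""
    return [z & 1 for z in bbs_states(N, z0, count)]


def looks_like_bbs_states(N: int, values: list) -> bool:
    """Why whole states must not be output: the recurrence is public, so anyone can check
    values[i] == values[i-1]^2 mod N; a uniform sequence passes only with probability ~N^-(k-1)."""
    return all(values[i] == values[i - 1] * values[i - 1] % N for i in range(1, len(values)))


if __name__ == "__main__":
    N = bbs_setup(11, 19)
    print(N, squaring_permutes_qr(N), bbs_states(N, 3, 3), bbs_bits(N, 3, 3))
```

With \(13 \cdot 19\) the Blum-prime check fails and, tellingly, `squaring_permutes_qr(247)` is false: modulo a prime \(p \equiv 1 \pmod 4\), squaring collapses the residues instead of permuting them, which is exactly the structure the security argument needs to rule out.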
12. Constructing PRGs from Other PRGs
The lecture then discusses examples of building new candidate PRGs from given PRGs.
Let \(G\) and \(G'\) be PRGs.
12.1. Example 1: XOR with a fixed pseudorandom string
Define
\[ G_1(s) = G(s) \oplus G'(0^\lambda). \]
Here \(G'(0^\lambda)\) is fixed, because the input \(0^\lambda\) is fixed.
Question:
\[ \text{Is } G_1 \text{ a PRG?} \]
Answer:
\[ \boxed{\text{Yes.}} \]
Intuition:
If \(G(s)\) is pseudorandom, then XORing it with a fixed string should not make it distinguishable.
A truly uniform string remains truly uniform after XOR with any fixed string.
That is, if
\[ u \leftarrow \{0,1\}^{\ell}, \]
then
\[ u \oplus G'(0^\lambda) \]
is also uniformly distributed over \(\{0,1\}^{\ell}\).
12.2. Reduction proof
Assume for contradiction that \(G_1\) is not a PRG.
Then there exists a PPT distinguisher \(\mathcal{D}_1\) and a non-negligible \(\epsilon\) such that
\begin{equation*} \left| \Pr[\mathcal{D}_1(G_1(s))=1] - \Pr[\mathcal{D}_1(u)=1] \right| \ge \epsilon. \end{equation*}
We build a distinguisher \(\mathcal{D}\) against \(G\).
Given input \(z\), define:
\[ \mathcal{D}(z) = \mathcal{D}_1(z \oplus G'(0^\lambda)). \]
Now consider two cases.
12.2.1. Case 1: \(z = G(s)\)
Then
\[ \mathcal{D}(G(s)) = \mathcal{D}_1(G(s) \oplus G'(0^\lambda)) = \mathcal{D}_1(G_1(s)). \]
So
\[ \Pr[\mathcal{D}(G(s))=1] = \Pr[\mathcal{D}_1(G_1(s))=1]. \]
12.2.2. Case 2: \(z = u\)
Then
\[ \mathcal{D}(u) = \mathcal{D}_1(u \oplus G'(0^\lambda)). \]
But
\[ u \oplus G'(0^\lambda) \]
is still uniform. Call it \(u'\).
So
\[ \Pr[\mathcal{D}(u)=1] = \Pr[\mathcal{D}_1(u')=1] = \Pr[\mathcal{D}_1(u)=1]. \]
Therefore,
\begin{equation*} \left| \Pr[\mathcal{D}(G(s))=1] - \Pr[\mathcal{D}(u)=1] \right| = \left| \Pr[\mathcal{D}_1(G_1(s))=1] - \Pr[\mathcal{D}_1(u)=1] \right| \ge \epsilon. \end{equation*}
Thus \(\mathcal{D}\) distinguishes \(G(s)\) from uniform with non-negligible advantage.
This contradicts the assumption that \(G\) is a PRG.
Therefore \(G_1\) is a PRG.
This is an example of a simple security reduction.
12.3. Example 2: Reusing the same seed in two PRGs
Now define
\[ G_2(s) = G(s) \oplus G'(s). \]
Question:
\[ \text{Is } G_2 \text{ necessarily a PRG?} \]
Answer:
\[ \boxed{\text{No.}} \]
Counterexample:
Let
\[ G' = G. \]
Then
\[ G_2(s) = G(s) \oplus G(s) = 0^\ell. \]
This is the all-zero string, which is trivially distinguishable from uniform.
A distinguisher can simply check whether the input equals \(0^\ell\).
This shows that reusing the same seed can destroy pseudorandomness.
12.4. What if \(G\) and \(G'\) are different algorithms?
The professor also explains that merely requiring \(G\) and \(G'\) to be different functions does not fix the problem.
For example, define
\[ G'(s) = G(s) \oplus 1^\ell. \]
Then \(G'\) is a different function from \(G\), but
\[ G(s) \oplus G'(s) = G(s) \oplus (G(s) \oplus 1^\ell) = 1^\ell. \]
Again the output is constant, hence easily distinguishable from uniform.
12.5. Takeaway
The important takeaway is:
\[ \boxed{ \text{PRG seeds / keys should not be reused.} } \]
If we instead used independent seeds \(s_1\) and \(s_2\), then \(G(s_1) \oplus G'(s_2)\) is again a PRG (with seed \((s_1,s_2)\)): the reduction is the same as in Example 1, except that the distinguisher samples \(s_2\) itself and XORs \(G'(s_2)\) onto its input, and a uniform string XORed with \(G'(s_2)\) is still uniform.
Using the same seed twice, however, is dangerous.
13. Security of Stream Ciphers
The lecture returns to the stream cipher construction:
\[ \mathsf{KeyGen}(1^\lambda): K \leftarrow_{\$} \{0,1\}^{\lambda}. \]
\[ \mathsf{Enc}(K,m): c = G(K) \oplus m. \]
\[ \mathsf{Dec}(K,c): m = G(K) \oplus c. \]
The theorem is:
\[ \boxed{ \text{If } G \text{ is a PRG, then this stream cipher is IND-secure.} } \]
14. Proof: PRG Implies IND-Secure Stream Cipher
The proof is by contraposition / reduction.
We want to prove:
\[ G \text{ is a PRG} \implies (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \text{ is IND-secure}. \]
By contraposition, assume the stream cipher is not IND-secure.
Then there exists a PPT adversary \(\mathcal{A}\) and a non-negligible \(\epsilon\) such that
\[ \Pr[\mathsf{IND}_{\mathcal{A}}(\lambda)=1] \ge \frac{1}{2} + \epsilon. \]
We will build a PPT distinguisher \(\mathcal{D}\) against \(G\) with advantage \(\epsilon\).
14.1. Strategy
The distinguisher \(\mathcal{D}\) receives an input
\[ z \in \{0,1\}^{\ell}. \]
This \(z\) is either:
\[ z = G(K) \]
for a random seed \(K\), or
\[ z = u \]
for a truly uniform random string \(u\).
The distinguisher \(\mathcal{D}\) internally simulates the IND experiment for \(\mathcal{A}\).
The only difference is that instead of generating a real stream cipher mask \(G(K)\), it uses its own input \(z\) as the mask.
14.2. Construction of the distinguisher \(\mathcal{D}\)
On input \(z\):
Run \(\mathcal{A}\) to obtain two messages:
\[ m_0,m_1. \]
Sample a random bit:
\[ b \leftarrow_{\$} \{0,1\}. \]
Compute the challenge ciphertext:
\[ c^\ast = z \oplus m_b. \]
- Give \(c^\ast\) to \(\mathcal{A}\).
- Receive \(\mathcal{A}\)’s guess \(b'\).
Output \(1\) if
\[ b' = b. \]
Otherwise output \(0\).
Here output \(1\) means that \(\mathcal{D}\) guesses its input was pseudorandom.
14.3. Case 1: \(z = G(K)\)
If
\[ z = G(K), \]
then the challenge ciphertext is
\[ c^\ast = G(K) \oplus m_b. \]
This is exactly a real encryption of \(m_b\) under the stream cipher.
So from \(\mathcal{A}\)’s point of view, the simulation is exactly the real IND experiment.
Therefore,
\[ \Pr[\mathcal{D}(G(K))=1] = \Pr[\mathsf{IND}_{\mathcal{A}}(\lambda)=1]. \]
By assumption,
\[ \Pr[\mathcal{D}(G(K))=1] \ge \frac{1}{2}+\epsilon. \]
14.4. Case 2: \(z = u\)
If
\[ z = u \]
is truly uniform, then the challenge ciphertext is
\[ c^\ast = u \oplus m_b. \]
This is exactly the one-time pad experiment.
Because the one-time pad is perfectly secret, the adversary has no information about \(b\).
Therefore,
\[ \Pr[\mathcal{D}(u)=1] = \frac{1}{2}. \]
14.5. Advantage of \(\mathcal{D}\)
The distinguishing advantage is
\begin{equation*} \Pr[\mathcal{D}(G(K))=1] - \Pr[\mathcal{D}(u)=1]. \end{equation*}
Using the two cases above:
\begin{equation*} \Pr[\mathcal{D}(G(K))=1] - \Pr[\mathcal{D}(u)=1] \ge \left(\frac{1}{2}+\epsilon\right) - \frac{1}{2} = \epsilon. \end{equation*}
Since \(\epsilon\) is non-negligible, \(\mathcal{D}\) breaks the PRG security of \(G\).
This contradicts the assumption that \(G\) is a PRG.
Therefore, the stream cipher is IND-secure.
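The reduction of this section, run as code against a deliberately flawed generator (an added example, not from the lecture). `bad_prg` is a constructed PRG whose first output byte is always \(0\); `FirstByteAdversary` is an IND adversary that exploits exactly this and wins the IND game with probability \(1\); `distinguisher` is \(\mathcal{D}\) built from \(\mathcal{A}\) as in 14.2, using its input \(z\) as the mask. Case 1 of the proof shows up as \(\Pr[\mathcal{D}(G(K))=1] = 1\), Case 2 as \(\Pr[\mathcal{D}(u)=1] = 1/2\). The key size, mask length and message choices are demo assumptions.

```python
import hashlib
import random

ELL = 32   # mask length in bytes (the lecture's ell, counted in bytes here)


def bad_prg(key: bytes) -> bytes:
    """Constructed flawed PRG: stretches a 16-byte key with SHA-256 in counter mode but
    forces byte 0 of the output to 0. Everything after byte 0 is fine; byte 0 is the flaw."""
    out = b""
    ctr = 0
    while len(out) < ELL:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return b"\x00" + out[1:ELL]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, m: bytes) -> bytes:     # c = G(K) xor m
    return xor(bad_prg(key), m)


def dec(key: bytes, c: bytes) -> bytes:     # m = G(K) xor c
    return xor(bad_prg(key), c)


class FirstByteAdversary:
    """IND adversary A: m_0 and m_1 differ in byte 0, so under bad_prg
    c*[0] = 0 xor m_b[0] = b and A reads the challenge bit straight off the ciphertext."""

    def choose(self):
        return bytes(ELL), b"\x01" + bytes(ELL - 1)

    def guess(self, c_star: bytes) -> int:
        return c_star[0] & 1


def distinguisher(z: bytes, adversary, rng: random.Random) -> int:
    """D(z): simulate the IND game for A with z as the mask; output 1 iff A guesses b."""
    m0, m1 = adversary.choose()
    b = rng.randrange(2)
    c_star = xor(z, m1 if b else m0)
    return 1 if adversary.guess(c_star) == b else 0


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def estimate(trials: int = 1000, seed: int = 0):
    """Empirical Pr[D(G(K)) = 1] and Pr[D(u) = 1]; their difference is D's advantage.
    Seeded so the run is reproducible."""
    rng = random.Random(seed)
    adv = FirstByteAdversary()
    win_prg = sum(distinguisher(bad_prg(random_bytes(rng, 16)), adv, rng) for _ in range(trials))
    win_uni = sum(distinguisher(random_bytes(rng, ELL), adv, rng) for _ in range(trials))
    return win_prg / trials, win_uni / trials


if __name__ == "__main__":
    print(estimate())
```

Nothing in `distinguisher` knows what the adversary's trick is: it only runs the IND game and reports whether \(\mathcal{A}\) won, which is the point of the reduction. An IND break with advantage \(\epsilon = 1/2\) becomes a PRG distinguisher with the same advantage, and the same wrapper would turn any other IND adversary against this cipher into a distinguisher against whatever generator it uses.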
15. Final Summary of the Lecture
The lecture concludes with the following key points.
15.1. Perfect security is both overkill and insufficient
Perfect secrecy is too strong for practical encryption with short keys.
Shannon’s theorem says that perfectly secret encryption requires the key to be as long as the message and cannot safely reuse the key.
Also, secrecy alone is not enough for all security goals. There can be attacks that do not reveal the message but still manipulate ciphertexts.
15.2. Computational security
Computational security restricts attention to efficient adversaries.
Instead of requiring that no adversary gains any information, we require that no efficient adversary gains more than negligible advantage.
15.3. Asymptotic security
In asymptotic security:
\[ \text{efficient adversary} = \text{PPT algorithm}, \]
and
\[ \text{small advantage} = \text{negligible advantage}. \]
15.4. PRGs
A cryptographic PRG is a deterministic polynomial-time algorithm that expands a short random seed into a longer output.
The output distribution is statistically far from uniform because it has a sparse image.
However, it must be computationally indistinguishable from uniform.
In other words, it must fool all efficient statistical tests.
15.5. Stream ciphers
A stream cipher uses a PRG to expand a short key into a long mask.
Then encryption is:
\[ c = G(K) \oplus m. \]
Decryption is:
\[ m = G(K) \oplus c. \]
If \(G\) is a secure PRG, then this stream cipher is IND-secure.
The proof is a reduction:
\[ \text{IND adversary against stream cipher} \implies \text{distinguisher against PRG}. \]
Thus PRGs provide a clean way to build computationally secure encryption with keys shorter than the message.