Provable Security III

Provable Security IIyuyu.hk/files/slide3.pdf · 2019. 3. 18. · Title: Provable Security II Author: Yu Created Date: 3/18/2019 2:17:01 PM


Modern cryptography: computational security

• Information-theoretic cryptography
  • Security: statistical or even perfect
  • Efficiency: bad… (key length ≤ message length)
  • Other: not beyond symmetric cryptography (public-key crypto impossible)

• Modern cryptography (achieves only computational security)


computational security: relaxing statistical security

• A cryptographic scheme E is $(t, \varepsilon)$-secure if every adversary of running time at most $t$ succeeds in breaking E (e.g., distinguishes it from a random system) with probability at most $\varepsilon$.

• Perfect security: $t = \infty$, $\varepsilon = 0$

• Statistical security: $t = \infty$, $\varepsilon = \mathrm{negl}(n) = n^{-\omega(1)}$ ($n$ is the security parameter)

• Computational security: $t = n^{\omega(1)}$, $\varepsilon = n^{-\omega(1)}$

• Asymptotic setting


private-key encryption scheme


Computationally indistinguishable encryptions


computationally indistinguishable encryptions


Semantic Security


Pseudorandom generator (PRG)

• (Pseudorandom generator). Let $g:\{0,1\}^n \to \{0,1\}^\ell$ ($\ell > n$) be a deterministic polynomial-time algorithm. We say that $g$ is a pseudorandom generator (PRG) if for all PPT distinguishers D, there exists a negligible function $\mathrm{negl}(\cdot)$ such that:

$$\left|\Pr[D(g(U_n)) = 1] - \Pr[D(U_\ell) = 1]\right| = \mathrm{negl}(n)$$

where the probabilities are taken over $U_n$ (or $U_\ell$) and the random coins used by D.

• $(t, \varepsilon)$-secure PRG: $g:\{0,1\}^n \to \{0,1\}^\ell$ ($\ell > n$) is a $(t, \varepsilon)$-secure PRG if every probabilistic distinguisher D of running time $t$ satisfies:

$$\left|\Pr[D(g(U_n)) = 1] - \Pr[D(U_\ell) = 1]\right| \le \varepsilon$$


PRG has only computational security

• A useful replacement lemma: if X and Y are $(t, \varepsilon)$-indistinguishable and a function f (defined over the domain of X and Y) is T-computable, then f(X) and f(Y) are at least $(t - T, \varepsilon)$-indistinguishable.

• Corollary. $\mathrm{SD}(f(X), f(Y)) \le \mathrm{SD}(X, Y)$

Proof. Consider unbounded adversaries (where $t = \infty$).
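An added example (not from the original slides) that makes the slide title and the corollary concrete: for a toy g with n = 8 and ℓ = 16 it computes, exactly, the advantage of an unbounded distinguisher that tabulates the image of g, and checks SD(f(X), f(Y)) ≤ SD(X, Y) for a truncation f. The truncated SHA-256 standing in for g, the parameter sizes, and all function names are assumptions chosen for illustration.

```python
import hashlib
from collections import Counter
from fractions import Fraction

N, ELL = 8, 16  # toy sizes (assumed): seed bits n, output bits l > n

def g(seed):
    """Toy length-expanding map (assumed): first ELL bits of SHA-256(seed)."""
    digest = hashlib.sha256(seed.to_bytes(N // 8, "big")).digest()
    return int.from_bytes(digest[:ELL // 8], "big")

def dist_g():
    """Exact distribution of g(U_n), by enumerating all 2^n seeds."""
    counts = Counter(g(s) for s in range(2 ** N))
    return {y: Fraction(c, 2 ** N) for y, c in counts.items()}

def dist_uniform(bits):
    return {y: Fraction(1, 2 ** bits) for y in range(2 ** bits)}

def advantage(D, X, Y):
    """|Pr[D(X)=1] - Pr[D(Y)=1]| for a deterministic distinguisher D."""
    px = sum(p for v, p in X.items() if D(v))
    py = sum(p for v, p in Y.items() if D(v))
    return abs(px - py)

def sd(X, Y):
    """Statistical distance: half the L1 distance between X and Y."""
    return sum(abs(X.get(k, 0) - Y.get(k, 0)) for k in set(X) | set(Y)) / 2

def push(f, X):
    """Distribution of f(X)."""
    out = Counter()
    for v, p in X.items():
        out[f(v)] += p
    return dict(out)

GX, UL = dist_g(), dist_uniform(ELL)
IMAGE = set(GX)

def in_image(y):    # unbounded D: needs the table of all 2^n outputs
    return y in IMAGE
def top_bit(y):     # cheap D: inspects a single output bit
    return y >> (ELL - 1)
def first_byte(y):  # f for the corollary: keep the top 8 bits
    return y >> (ELL - 8)

if __name__ == "__main__":
    print("unbounded D:", float(advantage(in_image, GX, UL)))
    print("one-bit D:", float(advantage(top_bit, GX, UL)))
```

The image-membership distinguisher reaches advantage at least 1 − 2^(n−ℓ) for any g with ℓ > n, so no PRG is statistically secure; the distinguisher needs a table of 2^n entries, which is what a bound on running time t rules out.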


A PRG with small stretch implies one with arbitrary (polynomial) stretch

[Figure: states $s_0, s_1, s_2, s_3, \ldots, s_i, s_{i+1}$ and outputs $r_1, r_2, r_3, \ldots, r_{i+1}$]


PRG-based fixed encryption
