# CSE442T Introduction to Cryptography (Lecture 14)

## Recap

$\exists$ one-way functions $\implies$ $\exists$ PRG that expands by any polynomial amount: $\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$, and $G$ is pseudorandom,

$$
\{G(U_n)\}\approx \{U_{l(n)}\}
$$

Back to the experiment we did a long time ago:

| | Group 1 | Group 2 |
|---|---|---|
| $00000$ or $11111$ | 3 | 16 |
| 4 of 1's | 42 | 56 |
| balanced | too often | usual |
| consecutive repeats | 0 | 4 |

So Group 1 is human, Group 2 is computer.

## Chapter 3: Indistinguishability and Pseudorandomness

### Computationally secure encryption

Recall that with perfect security,

$$
P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]
$$

for all $m_1,m_2\in M$ and $c\in C$.

$(Gen,Enc,Dec)$ is **single message secure** if for all n.u.p.p.t. $\mathcal{D}$, for all $n\in \mathbb{N}$, and for all $m_1,m_2\in M^n=\{0,1\}^n$, $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligible probability:

$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)
$$

By the prediction lemma ($\mathcal{A}$ is a p.p.t.; you can also call it $\mathcal{D}$),

$$
P[b\gets \{0,1\};k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}
$$

and for perfect secrecy the left-hand side is exactly $\frac{1}{2}$.

### Construction of a single message secure cryptosystem

A cryptosystem with shorter keys: mimic the OTP (one-time pad), but replace the truly random pad with pseudorandom bits stretched from a short key.

$K=\{0,1\}^n$, $\mathcal{M}=\{0,1\}^{l(n)}$, and $G:K \to \mathcal{M}$ is a PRG.

- $Gen(1^n)$: $k\gets \{0,1\}^n$; output $k$.
- $Enc_k(m)$: output $G(k)\oplus m$.
- $Dec_k(c)$: output $G(k)\oplus c$.

Proof of security: Let $m_0,m_1\in \mathcal{M}$ be two messages, and let $\mathcal{D}$ be a n.u.p.p.t. distinguisher. Suppose, for contradiction, that $\mathcal{D}$ distinguishes $\{k\gets Gen(1^n):Enc_k(m_0)\}$ from $\{k\gets Gen(1^n):Enc_k(m_1)\}$ with advantage $\mu(n)\geq\frac{1}{poly(n)}$. Strategy: move to the OTP, then flip the message, then move back.
$$
H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}
$$

$$
H_1(OTP(m_0)) = \{u\gets U_{l(n)}: m_0\oplus u\}
$$

$$
H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\}
$$

$$
H_3(Enc_k(m_1)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}
$$

By the hybrid argument, if $\mathcal{D}$ distinguishes $H_0$ from $H_3$ with advantage $\mu(n)$, then it distinguishes some pair of neighboring hybrids with advantage at least $\mu(n)/3$, which is still non-negligible. However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable; $H_1$ and $H_2$ are indistinguishable (in fact identically distributed) by the perfect secrecy of the OTP; and $H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable. This is a contradiction.

### Multi-message secure encryption

$(Gen,Enc,Dec)$ is **multi-message secure** if for all n.u.p.p.t. $\mathcal{D}$, for all $n\in \mathbb{N}$, and for all $q(n)\in poly(n)$, whenever

$$
\overline{m}=(m_1,\dots,m_{q(n)})
$$

$$
\overline{m}'=(m_1',\dots,m_{q(n)}')
$$

are lists of $q(n)$ messages in $\{0,1\}^n$, $\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligible probability:

$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)
$$

**The PRG construction above is NOT multi-message secure.** Take $\overline{m}=(0^n,0^n)$, which encrypts to $(G(k),G(k))$, and $\overline{m}'=(0^n,1^n)$, which encrypts to $(G(k),G(k)\oplus 1^n)$: the distinguisher simply checks whether the two ciphertexts are equal, i.e. whether the same message was sent twice. What we need is that the distinguisher cannot tell whether some message was sent twice.

To achieve multi-message security, the encryption function must use fresh randomness (or keep state) for each message; otherwise $Enc_k(0^n)$ returns the same ciphertext on consecutive messages.

Our fix: suppose the two parties can agree on a random function $F:\{0,1\}^n\to \{0,1\}^n$, i.e. for each input $x\in\{0,1\}^n$, $F(x)$ is chosen uniformly at random.

- $Gen(1^n)$: choose a random function $F:\{0,1\}^n\to \{0,1\}^n$.
- $Enc_F(m)$: let $r\gets U_n$; output $(r,F(r)\oplus m)$.
- $Dec_F(r,c)$: output $m=F(r)\oplus c$.

Idea: the adversary sees $r$ but has no idea about $F(r)$.
Since every output of $F$ is chosen at random, if we could realize such an $F$ the scheme would be MMS (multi-message secure).

Proof: Suppose $m_1,m_2,\dots,m_{q(n)}$ and $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle, and suppose the encryptions are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$. Strategy: move to the OTP with a hybrid argument. Let

$$
H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}
$$

and

$$
H_1:\{OTP:((r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)}))\}
$$

where $r_i,u_i\gets U_n$. By the hybrid argument, it suffices to show that $H_0$ and $H_1$ are indistinguishable. If $r_1,\dots,r_{q(n)}$ are all distinct, then $F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random, so $H_0$ and $H_1$ are identically distributed. The only possible problem is $r_i=r_j$ for some $i\neq j$, and $P[r_i=r_j]=\frac{1}{2^n}$. The probability that at least one pair is equal is

$$
P[\text{at least one pair is equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{q(n)}{2}\frac{1}{2^n} < \frac{q(n)^2}{2^{n+1}}
$$

which is negligible. The same argument moves $Enc_F(\overline{m}')$ to its OTP hybrid, and the two OTP hybrids are identically distributed, so $\mathcal{D}$'s advantage must be negligible, a contradiction.

Unfortunately, we cannot do this in practice. How many random functions are there? The length of the description of $F$ is $n 2^n$: for each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$, so the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$.
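As an added worked example (not part of the lecture notes), the two schemes above in Python: the deterministic PRG-based scheme together with the repeated-message test from the multi-message section, and the random-function scheme with $F$ sampled lazily (a fresh uniform output is drawn the first time each $r$ is queried). Using SHAKE-256 as a stand-in for the PRG $G$, the 128-bit parameter $N$, and the function names are assumptions made for illustration only; the lecture assumes only that some PRG exists. `collision_bound` evaluates the union bound $\binom{q}{2}/2^n$ from the proof (needs Python 3.8+ for `math.comb`).

```python
# Added example (not from the lecture notes): the PRG-based scheme and the
# random-function scheme, plus the two-message test that separates them.
import hashlib
import os
from fractions import Fraction
from math import comb
from typing import Dict, Tuple

N = 16  # key / message length in bytes (n = 128 bits); constructed parameter


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme 1: OTP with a PRG (deterministic) ---------------------------------
def prg(k: bytes, out_len: int) -> bytes:
    """Stand-in for the PRG G: {0,1}^n -> {0,1}^{l(n)}.  Using SHAKE-256 as an
    extendable-output function is an assumption for illustration only."""
    return hashlib.shake_256(k).digest(out_len)


def gen_prg() -> bytes:
    return os.urandom(N)  # k <- {0,1}^n


def enc_prg(k: bytes, m: bytes) -> bytes:
    # No per-message randomness: the same (k, m) always yields the same c.
    return xor(prg(k, len(m)), m)


def dec_prg(k: bytes, c: bytes) -> bytes:
    return xor(prg(k, len(c)), c)


# --- Scheme 2: random function F, lazily sampled ------------------------------
class RandomFunction:
    """A truly random function F: {0,1}^n -> {0,1}^n, sampled lazily.
    Writing down all of F costs n*2^n bits; here only the entries that are
    actually queried are materialised, which is enough to run the scheme."""

    def __init__(self) -> None:
        self.table: Dict[bytes, bytes] = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = os.urandom(N)  # F(x) chosen uniformly on first query
        return self.table[x]


def gen_rf() -> RandomFunction:
    return RandomFunction()


def enc_rf(F: RandomFunction, m: bytes) -> Tuple[bytes, bytes]:
    r = os.urandom(N)  # r <- U_n, fresh for every message
    return r, xor(F(r), m)


def dec_rf(F: RandomFunction, ct: Tuple[bytes, bytes]) -> bytes:
    r, c = ct
    return xor(F(r), c)


# --- The two-message test from the notes --------------------------------------
def repeated_message_leaks(enc, key) -> bool:
    """Encrypt m-bar = (0^n, 0^n) and report whether the two ciphertexts are
    equal, i.e. whether a distinguisher can see that a message was repeated."""
    zero = bytes(N)
    return enc(key, zero) == enc(key, zero)


def xor_of_ciphertexts_leaks_xor_of_messages(k: bytes, m1: bytes, m2: bytes) -> bool:
    """In the PRG scheme c1 XOR c2 == m1 XOR m2, so m-bar' = (0^n, 1^n)
    encrypts to (G(k), G(k) XOR 1^n)."""
    return xor(enc_prg(k, m1), enc_prg(k, m2)) == xor(m1, m2)


def collision_bound(q: int, n_bits: int) -> Fraction:
    """Union bound from the proof: P[some r_i = r_j] <= C(q,2) / 2^n."""
    return Fraction(comb(q, 2), 2 ** n_bits)


if __name__ == "__main__":
    k = gen_prg()
    print("PRG scheme, same message twice -> same ciphertext:", repeated_message_leaks(enc_prg, k))
    F = gen_rf()
    print("RF scheme,  same message twice -> same ciphertext:", repeated_message_leaks(enc_rf, F))
    print("P[collision] bound for q=2^20 messages, n=128:", float(collision_bound(2 ** 20, 128)))
```

Running the script shows the distinguisher's check succeeding against the PRG scheme and failing against the random-function scheme; the lazily filled table in `RandomFunction` is also a concrete picture of why a truly random $F$ cannot be shared in practice, since the two parties would need the whole $n2^n$-bit table in advance.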