cos433/math+473:+ cryptographylimits+of+statistical+security theorem:(suppose%%(enc,dec)...
TRANSCRIPT
![Page 1: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/1.jpg)
COS433/Math 473: Cryptography
Mark ZhandryPrinceton University
Spring 2020
![Page 2: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/2.jpg)
Reminders
HW1 Due Feb 20thHW2 Due Feb 27th
PR1 Due March 10th
![Page 3: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/3.jpg)
Previously on COS 433…
![Page 4: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/4.jpg)
Theorem: No stateless randomized encryption scheme can have perfect security
for multiple messages
![Page 5: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/5.jpg)
Security Parameter λ
Additional input to system, dictates “security level”
Key, message, ciphertext size all polynomial in λ
Probability of adversary success is negligible in λ
![Page 6: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/6.jpg)
Defining Encryption Again
Syntax:• Key space Kλ• Message space Mλ• Ciphertext space Cλ• Enc: Kλ×Mλ à Cλ (potentially randomized)• Dec: Kλ×Cλ à Mλ
Correctness:• |k|=log|Kλ|, |m|=log|Mλ|, |c|=log|Cλ| polynomial in λ• For all λ, k∈Kλ, m∈Mλ,
Pr[ Pr[Dec(k, Enc(k,m) ) = m ] = 1
![Page 7: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/7.jpg)
Statistical Distance
Given two distributions D1, D2 over a set X, define
Δ(D1,D2) = ½∑x | Pr[D1=x] – Pr[D2=x] |
Observations:0 ≤ Δ(D1,D2) ≤ 1
Δ(D1,D2) = 0 ⟺ D1 = D2
Δ(D1,D2) ≤ Δ(D1,D3) + Δ(D3,D2)
(Δ is a metric)
d
![Page 8: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/8.jpg)
Another View of Statistical Distance
Theorem: Δ(D1,D2) ≥ ε iff∃(potentially randomized) A s.t.| Pr[A(D1) = 1] – Pr[A(D2) = 1] | ≥ ε
Terminology: for any A, | Pr[A(D1) = 1] – Pr[A(D2) = 1] | is called the “advantage” of A in
distinguishing D1 and D2
![Page 9: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/9.jpg)
Statistical Security (Asymptotic)
Definition: A scheme (Enc,Dec) has statistical secrecy for dmessages if ∃ negligible ε such that∀ two sequences (m0
(i))i∈[d] , (m1(i))i∈[d] ∈ Mλ
d,
Δ[ (Enc(Kλ, m0(i) ))i∈[d],
(Enc(Kλ, m1(i) ))i∈[d] ] < ε(λ)
We will call such a scheme d-‐time statistically secure
![Page 10: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/10.jpg)
Limits of Statistical Security
Theorem: Suppose (Enc,Dec) has plaintext space M = {0,1}n and key space K = {0,1}t. Moreover, assume it is (d, 0.4999)-‐secure. Then:
t ≥ d n
In other words, the key must be at least as long as the total length of all messages encrypted
![Page 11: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/11.jpg)
Takeaway
If you don’t want to physically exchange keys frequently, you cannot obtain statistical security
So, now what?
![Page 12: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/12.jpg)
Timeline/Cipher sophistication
RunningTime
![Page 13: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/13.jpg)
Computational Security
We are ok if adversary takes a really long time
Only considered attack for adversaries that don’t take too long
![Page 14: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/14.jpg)
Today: Continuation of Computational Security
![Page 15: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/15.jpg)
Brute Force Attacks
Simply try every key until find right one
If keys have length λ, 2λ is upper bound on attack
Applicable when easy to check if key is correct• In case of perfect/statistical security, not possible
![Page 16: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/16.jpg)
Crypto and P vs NP
What if P = NP?
From this point forward, almost all crypto we will see depends on computational assumptions
![Page 17: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/17.jpg)
Defining Encryption Yet Again
Syntax:• Key space Kλ• Message space Mλ• Ciphertext space Cλ• Enc: Kλ×Mλ à Cλ (potentially randomized)• Dec: Kλ×Cλ à Mλ
Correctness:• |k|=|Kλ|, |m|=|Mλ|, |c|=|Cλ| polynomial in λ• Enc, Dec running time polynomial in λ• For all λ, k∈Kλ, m∈Mλ,
Pr[ Pr[Dec(k, Enc(k,m) ) = m ] = 1
![Page 18: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/18.jpg)
Defining Security
Consider an attacker as a probabilistic efficient algorithm
Attacker gets to choose the messages
All attacker has to do is distinguish them
![Page 19: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/19.jpg)
Security Experiment/Game
m0, m1∈Mλ
ck ß Kλ
c ß Enc(k,mb)
Challenger
b
b’
IND-Expb( ,λ)
(One-‐time setting)
![Page 20: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/20.jpg)
Security Definition
Definition: (Enc, Dec) has (t,ε)-ciphertextindistinguishability if, for all running in time at most t
| Pr[1ßIND-Exp0( ) ]
– Pr[1ßIND-Exp1( ) ] | ≤ ε
(One-‐time setting, concrete)
![Page 21: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/21.jpg)
Security Definition
Definition: (Enc, Dec) has ciphertextindistinguishability if, for all running in polynomial time, ∃ negligible ε s.t.
| Pr[1ßIND-Exp0( ,λ) ]
– Pr[1ßIND-Exp1( ,λ) ] | ≤ ε(λ)
(One-‐time setting, asymptotic)
![Page 22: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/22.jpg)
Construction with |k| << |m|
Idea: use OTP, but have key generated by some expanding procedure G
G
k
m⊕
What do we want out of G?
![Page 23: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/23.jpg)
Defining Pseudorandom Generator (PRG)Syntax:• Seed space Sλ• Output space Xλ• G: Sλ à Xλ (deterministic)
Correctness:• |s|=log|Sλ|, |x|=log|Xλ| polynomial in λ, • |Xλ| > 2×|Sλ|• Running time of G polynomial in λ
![Page 24: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/24.jpg)
Security of PRGs
Definition: G:Sλ à Xλ is a secure pseudorandom generator (PRG) if:• For all running in polynomial time, ∃ negl ε,
| Pr[ (G(s))=1:sßSλ]
– Pr[ (x)=1:xßXλ] | ≤ ε(λ)
![Page 25: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/25.jpg)
Secure PRG à Ciphertext Indistinguishability
Kλ = SλMλ = Xλ (assumed to be {0,1}n)Cλ = Xλ
Enc(k,m) = PRG(k) ⊕ mDec(k,c) = PRG(k) ⊕ c
![Page 26: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/26.jpg)
Security?
Intuitively, security is obvious:• PRG(k) ”looks” random, so should completely hide m• However, formalizing this argument is non-‐trivial.
Solution: reductions• Assume toward contradiction an adversary for the encryption scheme, derive an adversary for the PRG
![Page 27: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/27.jpg)
Security
Assume towards contradiction that there is a and non-‐negligible ε such that
m0, m1∈Mλ
c
k ß Sλ
c ß G(k)⊕mb
b
b’ |Pr[W0]-Pr[W1]|≥ε, non-‐negligibleWb: b’ = 1 in IND-Expb
![Page 28: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/28.jpg)
SecurityUse to build . will run as a subroutine,
and pretend to be
m0, m1∈Mλ
cb’
b ß {0,1}
x(either G(s) or truly random)
c ß x⊕mb
1⊕b⊕b’
![Page 29: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/29.jpg)
Security
Case 1: x = PRG(s) for a random seed s• “sees” IND-Expb for a random bit b
m0, m1∈Mλ
c
b’
b ß {0,1}s ß Sλ
c ß PRG(s)⊕mb
![Page 30: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/30.jpg)
Security
Case 1: x = PRG(s) for a random seed s• “sees” IND-Expb for a random bit b• Pr[1⊕b⊕b’=1] = Pr[b=b’]
= ½ Pr[b’=1 | b=1 ]+ ½ (1 - Pr[b’=1 | b=0])
= ½(1 + Pr[W0] – Pr[W1])= ½( 1 ± ε )
![Page 31: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/31.jpg)
Security
Case 2: x is truly random• “sees” OTP encryption
m0, m1∈Mλ
c
b’
b ß {0,1}x ß Mλ
c ß x⊕mb
![Page 32: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/32.jpg)
Security
Case 2: x is truly random• “sees” OTP encryption
• Therefore Pr[b’=1 | b=0] = Pr[b’=1 | b=1]• Pr[1⊕b⊕b’=1] = Pr[b=b’]
= ½ Pr[b’=1 | b=1 ]+ ½ (1 - Pr[b’=1 | b=0])
= ½
![Page 33: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/33.jpg)
Security
Putting it together:
• Pr[ (G(s))=1:sß{0,1}λ] = ½( 1 ± ε(λ) )
• Pr[ (x)=1:xß{0,1}n] = ½
• Absolute Difference: ½ε, ⇒ Contradiction!
![Page 34: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/34.jpg)
Security
Thm: If G is a secure PRG, then (Enc,Dec) is has ciphertext indistinguishability
![Page 35: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/35.jpg)
An Alternate Proof: Hybrids
Idea: define sequence of “hybrid” experiments “between” IND-Exp0 and IND-Exp1
In each hybrid, make small change from previous hybrid
Hopefully, each small change is undetectable
Using triangle inequality, overall change from IND-Exp0 and IND-Exp1 is undetectable
![Page 36: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/36.jpg)
An Alternate Proof: Hybrids
Hybrid 0: IND-Exp0
m0, m1∈Mλ
c
k ß Sλ
c ß G(k)⊕m0
b’
![Page 37: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/37.jpg)
An Alternate Proof: Hybrids
Hybrid 1:
m0, m1∈Mλ
c
x ß Mλ
c ß x⊕m0
b’
![Page 38: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/38.jpg)
An Alternate Proof: Hybrids
Hybrid 2:
m0, m1∈Mλ
c
x ß Mλ
c ß x⊕m1
b’
![Page 39: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/39.jpg)
An Alternate Proof: Hybrids
Hybrid 3: IND-Exp1
m0, m1∈Mλ
c
k ß Sλ
c ß G(k)⊕m1
b’
![Page 40: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/40.jpg)
An Alternate Proof: Hybrids
| Pr[b’=1 : IND-Exp0]-Pr[b’=1 : IND-Exp1] |= | Pr[b’=1 : Hyb 0]-Pr[b’=1 : Hyb 3] |≤ | Pr[b’=1 : Hyb 0]-Pr[b’=1 : Hyb 1] |
+ | Pr[b’=1 : Hyb 1]-Pr[b’=1 : Hyb 2] |+ | Pr[b’=1 : Hyb 2]-Pr[b’=1 : Hyb 3] |
If |Pr[b’=1:IND-Exp0]-Pr[b’=1:IND-Exp1]|≥ε,Then for some i=0,1,2,
|Pr[b’=1:Hyb i]-Pr[b’=1:Hyb i+1]| ≥ ε/3
![Page 41: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/41.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 0 from Hybrid 1with advantage ε/3
m0, m1∈Mλ
k ß Sλ
c ß G(k)⊕m0
b’
m0, m1∈Mλ
x ß Mλ
c ß x⊕m0
b’
![Page 42: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/42.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 0 from Hybrid 1with advantage ε/3 ⇒ Construct
m0, m1∈Mλ
c
b’
x(either G(s) or truly random)
c ß x⊕m0
b’
![Page 43: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/43.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 0 from Hybrid 1with advantage ε/3 ⇒ Construct
If is given G(s) for a random s, sees Hybrid 0If is given x for a random x, sees Hybrid 1
Therefore, advantage of is equal to advantage of which is at least ε/3⇒ Contradiction!
![Page 44: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/44.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 1 from Hybrid 2with advantage ε/3
m0, m1∈Mλ
c ß x⊕m0
b’
m0, m1∈Mλ
x ß Mλ
c ß x⊕m1
b’
x ß Mλ
![Page 45: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/45.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 1 from Hybrid 2with advantage ε(λ)/3
m0, m1∈Mλλ
c ß x⊕m0
b’
m0, m1∈Mλ
x ß Mλ
c ß x⊕m1
b’
x ß Mλ
Impossible by OTP security
![Page 46: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/46.jpg)
An Alternate Proof: Hybrids
Suppose distinguishes Hybrid 2 from Hybrid 3with advantage ε/3
m0, m1∈Mλ
x ß Mλ
c ß x⊕m1
b’
m0, m1∈Mλ
k ß Sλ
c ß G(k)⊕m1
b’Proof essentially identical to
Hybrid 0/Hybrid 1 case
![Page 47: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/47.jpg)
How do we build PRGs?
![Page 48: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/48.jpg)
Linear Feedback Shift Registers
In each step, • Last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
10110
⊕⊕
![Page 49: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/49.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
0110
⊕⊕
1
![Page 50: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/50.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
01101
⊕⊕
1
![Page 51: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/51.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
1101
⊕⊕
01
![Page 52: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/52.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
11010
⊕⊕
01
![Page 53: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/53.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
1010
⊕⊕
101
![Page 54: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/54.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
10100
⊕⊕
101
![Page 55: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/55.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
0100
⊕⊕
1101
![Page 56: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/56.jpg)
Linear Feedback Shift Registers
In each step, • last bit of state is removed and outputted• Rest of bits are shifted right• First bit is XOR of subset of remaining bits
01000
⊕⊕
1101…
![Page 57: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/57.jpg)
Linear Feedback Shift Registers
Are LFSR’s secure PRGs?
![Page 58: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/58.jpg)
Linear Feedback Shift Registers
Are LFSR’s secure PRGs?No!
First n bits of output = initial state
xWrite x = x1,…,xn, x’Initialize LFSB to have state x1,…,xnRun LFSB for |x| steps, obtaining yCheck if y = x
![Page 59: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/59.jpg)
PRGs should be Unpredictable
More generally, it should be hard, given some bits of output, to predict subsequent bits
Definition: G:Sλà{0,1}n(λ) is unpredictable if, for all polynomial time and any p=p(λ), ∃negligible ε such that:
| Pr[G(s)p+1 ß (G(s)[1,p]) ] – ½ | ≤ ε(λ)
![Page 60: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/60.jpg)
PRGs should be Unpredictable
More generally, it should be hard, given some bits of output, to predict subsequent bits
Theorem: G is unpredictable iff it is pseudorandom
![Page 61: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/61.jpg)
Proof
Pseudorandomnessà Unpredictability
Assume towards contradiction s.t.
| Pr[G(s)p+1 ß (G(s)[1,p]) ] – ½ | > ε
![Page 62: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/62.jpg)
Proof
Pseudorandomnessà Unpredictability
Construct
xx[1,p]
b
1⊕b⊕xp+1
![Page 63: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/63.jpg)
Proof
Pseudorandomnessà Unpredictability
Analysis:• If x is random, Pr[1⊕b⊕xp+1 = 1] = ½• If x is pseudorandom,
Pr[1⊕b⊕xp+1 = 1] = Pr[G(s)p+1 ß (G(s)[1,p]) ] > (½ + ε) or < (½ - ε)
![Page 64: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/64.jpg)
Proof
Unpredictability à Pseudorandomness
Assume towards contradiction s.t.
| Pr[ (G(s))=1:sß{0,1}λ]
– Pr[ (x)=1:xß{0,1}t] | > ε
![Page 65: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/65.jpg)
Proof
Unpredictability à Pseudorandomness
Hybrids:Hi: x[1,i] ß G(s), x[i+1,t] ß {0,1}t-i
H0: truly random xHt: pseudorandom t
![Page 66: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/66.jpg)
Proof
Unpredictability à Pseudorandomness
Hybrids:Hi: x[1,i] ß G(s), x[i+1,t] ß {0,1}t-i
| Pr[ (x)=1:xßHs ]
– Pr[ (x)=1:xßH0] | > ε
Let qi = Pr[ (x)=1:xßHi ]
![Page 67: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/67.jpg)
Proof
Unpredictability à Pseudorandomness
Hybrids:Hi: x[1,i] ß G(s), x[i+1,t] ß {0,1}t-i
| qt – q0 | > ε
Let qi = Pr[ (x)=1:xßHi ]
![Page 68: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/68.jpg)
Proof
Unpredictability à Pseudorandomness
Hybrids:Hi: x[1,i] ß G(s), x[i+1,t] ß {0,1}t-i
By triangle inequality, there must exist an i s.t.
| qi – qi-1 | > ε/t
Can assume wlog that qi – qi-1 > ε/t
![Page 69: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/69.jpg)
Proof
Unpredictability à Pseudorandomness
Construct
y=G(s)[1,i-1]x = y||b||y’b’
1⊕b⊕b’
bß{0,1}y’ß{0,1}t-i
![Page 70: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/70.jpg)
Proof
Unpredictability à Pseudorandomness
Analysis:• If b = G(s)i, then sees Hi
⇒ outputs 1 with probability qi
⇒ outputs b=G(s)i with probability qi
![Page 71: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/71.jpg)
Proof
Unpredictability à Pseudorandomness
Analysis:• If b = 1⊕G(s)i, then
Define qi’ as Pr[ outputs 1]½(qi’ + qi) = qi-1 ⇒ qi’ = 2qi-1 - qi
⇒ outputs G(s)[1,i] with probability1-qi’ = 1 + qi – 2qi-1
![Page 72: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/72.jpg)
Proof
Unpredictability à Pseudorandomness
Analysis:• Pr[ outputs G(s)i]
= ½ (qi) + ½ (1 + qi – 2qi-1)= ½ + qi – qi-1
> ½ + ε/t
![Page 73: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/73.jpg)
Any ideas?
![Page 74: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/74.jpg)
Linearity
LFSR’s are linear:
state’ = • state
output = (0 0 0 0 1) • state
10110
⊕⊕
( )01000
10100
10010
00001
10000
![Page 75: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/75.jpg)
Linearity
LFSR’s are linear:• Each output bit is a linear function of the initial state (that is, G(s) = A • s (mod 2) )
Any linear G cannot be a PRG• Can check if x is in column-‐span of A using linear algebra
![Page 76: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/76.jpg)
Introducing Non-‐linearity
Non-‐linearity in the output:
Non-‐linear feedback:
10110
⊕⊕
10110
![Page 77: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/77.jpg)
LFSR period
Period = number of bits before state repeats
After one period, output sequence repeats
Therefore, should have extremely long period• Ideally almost 2λ
• Possible to design LFSR’s with period 2λ-1
![Page 78: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/78.jpg)
Hardware vs Software
PRGs based on LFSR’s are very fast in hardware
Unfortunately, not easily amenable to software
![Page 79: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/79.jpg)
RC4
Fast software based PRG
Resisted attack for several years
No longer considered secure, but still widely used
![Page 80: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/80.jpg)
RC4
State = permutation on [256] plus two integers• Permutation stored as 256-‐byte array S
Init(16-‐byte k):• For i=0,…,255
S[i] = i• j = 0• For i=0,…,255
j = j + S[i] + k[i mod 16] (mod 256)Swap S[i] and S[j]
• Output (S,0,0)
![Page 81: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/81.jpg)
RC4
GetBits(S,i,j):• i++ (mod 256)• j+= S[i] (mod 256)• Swap S[i] and S[j]• t = S[i] + S[j] (mod 256)• Output (S,i,j), S[t]
New state Next output byte
![Page 82: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/82.jpg)
Insecurity of RC4
Second byte of output is slightly biased towards 0• Pr[second byte = 08] ≈ 2/256• Should be 1/256
Means RC4 is not secure according to our definition• outputs 1 iff second byte is equal to 08
• Advantage: ≈ 1/256
Not a serious attack in practice, but demonstrates some structural weakness
![Page 83: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/83.jpg)
Insecurity of RC4
Possible to extend attack to actually recover the input k in some use cases• The seed is set to (IV, k) for some initial value IV• Encrypt messages as RC4(IV,k)⊕m• Also give IV to attacker• Cannot show security assuming RC4 is a PRG
Can be used to completely break WEP encryption standard
![Page 84: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/84.jpg)
Summary
Stream ciphers = secure encryption for arbitrary length, number of messages
(though we did not completely prove it)
However, implementation difficulties due to having to maintaining state
![Page 85: COS433/Math+473:+ CryptographyLimits+of+Statistical+Security Theorem:(Suppose%%(Enc,Dec) has%plaintextspace%M = {0,1}nand%key%space%K = {0,1}t.Moreover,%assume%itis% (d, 0.4999)Vsecure.Then:](https://reader034.vdocuments.net/reader034/viewer/2022050405/5f8230823497dd6a834fad6e/html5/thumbnails/85.jpg)
Reminders
HW1 Due Feb 20thHW2 Due Feb 27th
PR1 Due March 10th