Secrecy of (fixed-length) stream ciphers
Thm: If G is a PRG, then the fixed-length stream cipher
(Gen, Enc, Dec) described below has indistinguishable
encryptions in the presence of an eavesdropper.
▪ Plaintexts and ciphertexts ℓ(s) bits long; keys just s bits long
– Gen(1^s) outputs a uniform random key k ∈_R {0, 1}^s
– Enc_k(m) exclusive-ORs the message and G(k); that is, c := m ⊕ G(k)
– Dec_k(c) exclusive-ORs the ciphertext and G(k); that is, m := c ⊕ G(k)
Q: How do we prove the theorem?
A: Using a “reduction” proof!
Ryan Henry
Stream cipher to PRG reduction
1. Assume the stream cipher is insecure.
2. Construct a distinguisher D for G that uses the attacker A as a subroutine.
3. Prove that D is efficient and has non-negligible advantage.
4. Conclude that G is not a PRG, a contradiction.
[Diagram: Distinguisher (D) receives a string r ∈ {0, 1}^ℓ(s) and runs Attacker (A) as a subroutine:
 A → D: m0, m1
 D: b ∈_R {0, 1}; c := r ⊕ m_b
 D → A: c
 A → D: b'
 D outputs 1 if b = b', 0 if b ≠ b']
Stream cipher to PRG reduction
Proof (sketch): Assume the stream cipher is not secure.
– If r ∈_R {0, 1}^ℓ(s), then Adv_eav(A) = 0 (this is just the OTP!)
– If r = G(k) for k ∈_R {0, 1}^s, then Adv_eav(A) = μ(s)
Hence, Adv_PRG(D) = |(1/2 + 0) – (1/2 + μ(s))| = μ(s), which is not negligible (by the assumption that the stream cipher is not secure); hence, G is not a PRG.
Variable-length PRGs
Defn: Let G: {0, 1}* × 1^ℕ → {0, 1}* such that ∀n, t ∈ ℕ and ∀k ∈ {0, 1}^n, G(k, 1^t) has length t, and ∀t1, t2 ∈ ℕ with t1 < t2, G(k, 1^t1) is a prefix of G(k, 1^t2).
Then G is a variable-length PRG if, for every positive integer-valued polynomial ℓ: ℕ → ℕ with ℓ(n) > n for all n ∈ ℕ, we have that G(k, 1^ℓ(|k|)) is a fixed-length PRG with expansion factor ℓ(n).
Multi-message indistinguishability
▪ Stream ciphers (so far) share the “one-time” key limitation with the OTP
– If the same key is used to encrypt several messages, then the attacker can launch attacks as in Assignment 1
▪ Attacker power: “chosen-plaintext attacks” (CPA)
– We let the attacker obtain encryptions of arbitrary messages of the attacker’s choosing
▪ Attacker’s goal: break semantic security of the cipher
Multi-message indistinguishability
[Diagram: Challenger (C) and Attacker (A), both given 1^s
 C: k ← Gen(1^s); b ∈_R {0, 1}
 A → C: m1^0, m1^1 ∈ M with |m1^0| = |m1^1|
 C → A: c1 ← Enc_k(m1^b)
 A → C: m2^0, m2^1 ∈ M with |m2^0| = |m2^1|
 C → A: c2 ← Enc_k(m2^b)
 ⋮
 A → C: mq^0, mq^1 ∈ M with |mq^0| = |mq^1|
 C → A: cq ← Enc_k(mq^b)
 A outputs b' ∈ {0, 1}]
Define A’s advantage to be Adv_CPA(A) := |Pr[b = b'] – 1/2|
Multi-message indistinguishability
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if Adv_CPA(A) is negligible for every PPT attacker A.
▪ Also called indistinguishability in the presence of chosen-plaintext attacks (IND-CPA security)
IND-CPA insecurity of our stream ciphers
[Diagram: Challenger (C) and Attacker (A), both given 1^s; m0, m1 ∈ M with |m0| = |m1|
 C: k ← Gen(1^s); b ∈_R {0, 1}
 A → C: m0, m0
 C → A: c1 ← Enc_k(m0)
 A → C: m0, m1
 C → A: c2 ← Enc_k(m_b)
 A outputs b' = 0 if c1 = c2, 1 if c1 ≠ c2]
Adv_CPA(A) = |Pr[b = b'] – 1/2| = |1 – 1/2| = 1/2 (which is not negligible!)
Achieving IND-CPA security
▪ Attack on stream ciphers succeeds because
encryption is deterministic
▪ Idea: Randomize Enc so that encrypting plaintext m twice gives different ciphertexts (with high probability).
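The two-query attack from the previous slide and the randomization idea, played out in code as an added illustration (not from the slides). The SHA-256 counter-mode PRG, the 16-byte nonce and the ciphertext layout r || (m ⊕ G(k || r)) are assumptions made here to have something concrete to run; the deterministic cipher is the slides' c := m ⊕ G(k).

```python
import hashlib
import random

def prg(seed: bytes, nbytes: int) -> bytes:
    """Toy PRG G: SHA-256 in counter mode, truncated to nbytes.
    Stands in for the slides' G; constructed for illustration only."""
    out = b""
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(k: bytes, m: bytes, rng=None) -> bytes:
    """The slides' stream cipher: c := m XOR G(k). Same k and m give the same c."""
    return xor(m, prg(k, len(m)))

def enc_randomized(k: bytes, m: bytes, rng) -> bytes:
    """Assumed randomized variant: a fresh 16-byte nonce r per call, keystream
    G(k || r), ciphertext r || (m XOR G(k || r)) so Dec can recover r."""
    r = rng.randbytes(16)
    return r + xor(m, prg(k + r, len(m)))

def cpa_game(enc, trials: int, seed: int = 1) -> float:
    """Run the IND-CPA game against the adversary A from the slides: A queries
    (m0, m0), then (m0, m1), and outputs b' = 0 iff c1 == c2.
    Returns the empirical advantage |Pr[b = b'] - 1/2| over `trials` games."""
    rng = random.Random(seed)            # seeded so the run is reproducible
    m0 = b"attack at dawn!!"             # constructed plaintexts of equal length
    m1 = b"attack at dusk!!"
    wins = 0
    for _ in range(trials):
        k = rng.randbytes(16)            # Gen(1^s): uniform key
        b = rng.randrange(2)             # challenger's hidden bit
        c1 = enc(k, m0, rng)             # answer to A's first query (m0, m0)
        c2 = enc(k, m1 if b else m0, rng)  # answer to A's second query (m0, m1)
        b_guess = 0 if c1 == c2 else 1
        wins += b_guess == b
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic:", cpa_game(enc_deterministic, 1000))  # 0.5: A always wins
    print("randomized:   ", cpa_game(enc_randomized, 1000))     # ~0.0: A is guessing
```

Against the deterministic cipher A is right every time (advantage exactly 1/2); against the nonce-randomized variant c1 and c2 always differ, so A's fixed guess b' = 1 is right only when b = 1 and the advantage drifts to 0.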