2. Definitions, proofs, and assumptions
• We’ve defined computational secrecy
• Our goal is to prove that the pseudo OTP meets that definition
• We are unable to prove this unconditionally
  – Beyond our current techniques…
  – Anyway, security depends on G
• Can hope to prove security assuming that G is a pseudorandom generator

3. PRGs, revisited
• Let G be an efficient, deterministic function with |G(k)| = 2·|k|
[Figure: a distinguisher D receives a 2n-bit string y and outputs a bit b; either y ← U_{2n}, or k ← U_n and y = G(k)]
• (For any efficient D…) the probability that D outputs 1 in both cases must be close

4. Proof by reduction
1. Assume G is a pseudorandom generator
2. Say there is an efficient attacker A who ‘breaks’ the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D that ‘breaks’ pseudorandomness of G
   – But we know that no such D exists!
⇒ No such A can exist

5. Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D attacking G
   – Relate the distinguishing probability of D to the success probability of A
4. By assumption, the distinguishing probability of D must be negligible
⇒ Bound the success probability of A

6. “Pseudo” one-time pad
[Figure: key k (n bits) → G → “pseudo” key (2n bits); message (2n bits) ⊕ “pseudo” key (2n bits) = ciphertext (2n bits)]

7. Security theorem
• If G is a pseudorandom generator, then the pseudo one-time pad is (computationally) indistinguishable.

9. Analysis
• If A runs in polynomial time, then so does D

10. Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If input y is pseudorandom, the view of A is exactly as in PrivK_{A,Π}(n)
  ⇒ Pr_{x ← U_n}[D(G(x)) = 1] = µ(n)

11. The reduction
[Figure: k ← U_n and y = G(k) is given to D. D runs A, which outputs m0, m1; D chooses b ← {0,1}, computes c = Π-Enc of m_b (i.e. m_b ⊕ y), sends c to A, and receives A’s guess b’; if (b = b’) D outputs 1]

13. The reduction
[Figure: y ← U_{2n} is given to D. D runs A, which outputs m0, m1; D chooses b ← {0,1}, computes c = OTP-Enc of m_b (i.e. m_b ⊕ y), sends c to A, and receives A’s guess b’; if (b = b’) D outputs 1]

14. Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If input y is pseudorandom, the view of A is exactly as in PrivK_{A,Π}(n)
  ⇒ Pr_{x ← U_n}[D(G(x)) = 1] = µ(n)
• If input y is uniform, A succeeds with probability exactly ½
  ⇒ Pr_{y ← U_{2n}}[D(y) = 1] = ½
• Since G is pseudorandom…
  ⇒ |µ(n) – ½| ≤ ε(n)
  ⇒ Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)

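The reduction on slides 11 and 13 and the analysis above can be checked exactly on a toy instance. The following is an added example, not part of the original slides: it assumes a tiny security parameter (n = 4), a constructed generator toy_G(k) = k||k that is deliberately not pseudorandom, the pseudo-OTP of slide 6 built on it, and two constructed attackers A. The distinguisher D is built from A exactly as on the slides (obtain m0, m1, pick b, send c = m_b ⊕ y, output 1 iff b = b’), and the three probabilities of slide 14 are computed by enumerating every key, pad and coin rather than sampling. The helper names (toy_G, attacker_halves, distinguisher_runs and so on) are assumptions of this example.

```python
from fractions import Fraction
from typing import Callable, Tuple

# Toy security parameter (assumption: n = 4 keeps exhaustive enumeration tiny).
N = 4
MASK_N = (1 << N) - 1
MASK_2N = (1 << (2 * N)) - 1


def toy_G(k: int) -> int:
    """Constructed toy 'generator' G(k) = k || k, mapping n bits to 2n bits.
    It is deliberately NOT pseudorandom, so the reduction has something to find."""
    k &= MASK_N
    return (k << N) | k


def pseudo_otp_enc(k: int, m: int) -> int:
    """Pseudo-OTP of slide 6: ciphertext = message XOR G(k), all 2n-bit values."""
    return (m ^ toy_G(k)) & MASK_2N


# An eavesdropping attacker A is a pair of deterministic functions:
#   choose() -> (m0, m1)   and   guess(c) -> b'
Attacker = Tuple[Callable[[], Tuple[int, int]], Callable[[int], int]]


def attacker_halves() -> Attacker:
    """Constructed A that exploits toy_G: with m0 = 0...0 the pad's two equal
    halves show through the ciphertext; with m1 = 0...01 the halves must differ."""
    def choose() -> Tuple[int, int]:
        return 0, 1

    def guess(c: int) -> int:
        return 0 if (c >> N) == (c & MASK_N) else 1

    return choose, guess


def attacker_trivial() -> Attacker:
    """Constructed A that always guesses 0 (no better than chance)."""
    return (lambda: (0, 1)), (lambda c: 0)


def distinguisher_runs(y: int, attacker: Attacker) -> int:
    """D from slides 11/13, run for both values of its coin b: obtain (m0, m1)
    from A, send c = m_b XOR y, output 1 iff A's guess b' equals b.
    Returns how many of the two coin values make D output 1 (0, 1 or 2)."""
    choose, guess = attacker
    m0, m1 = choose()
    ones = 0
    for b in (0, 1):
        c = ((m1 if b else m0) ^ y) & MASK_2N
        if guess(c) == b:
            ones += 1
    return ones


def prob_d_one_pseudorandom(attacker: Attacker) -> Fraction:
    """Pr over x <- U_n (and D's coin) that D(G(x)) = 1; slide 14 says this is mu(n)."""
    total = sum(distinguisher_runs(toy_G(x), attacker) for x in range(1 << N))
    return Fraction(total, 2 * (1 << N))


def prob_d_one_uniform(attacker: Attacker) -> Fraction:
    """Pr over y <- U_2n (and D's coin) that D(y) = 1; slide 14 says this is exactly 1/2."""
    total = sum(distinguisher_runs(y, attacker) for y in range(1 << (2 * N)))
    return Fraction(total, 2 * (1 << (2 * N)))


def privk_success(attacker: Attacker) -> Fraction:
    """mu(n) = Pr[PrivK_{A,Pi}(n) = 1], computed directly from the game for comparison."""
    choose, guess = attacker
    m0, m1 = choose()
    wins = 0
    for k in range(1 << N):
        for b in (0, 1):
            if guess(pseudo_otp_enc(k, m1 if b else m0)) == b:
                wins += 1
    return Fraction(wins, 2 * (1 << N))


def distinguishing_advantage(attacker: Attacker) -> Fraction:
    """|Pr[D(G(x))=1] - Pr[D(y)=1]|, the quantity the PRG assumption bounds by eps(n)."""
    return abs(prob_d_one_pseudorandom(attacker) - prob_d_one_uniform(attacker))


if __name__ == "__main__":
    for name, a in (("halves attacker", attacker_halves()),
                    ("trivial attacker", attacker_trivial())):
        print(name, "mu(n) =", privk_success(a),
              "advantage of D =", distinguishing_advantage(a))
```

Against the toy generator the first attacker wins the PrivK game with probability 1, and D inherits that: Pr[D(G(x)) = 1] equals µ(n) = 1 while Pr[D(y) = 1] over uniform y is exactly ½, so D distinguishes with advantage ½, which is precisely how a scheme-breaking A turns into a G-breaking D. The trivial attacker has µ(n) = ½ and gives D advantage 0, matching the bound |µ(n) – ½| ≤ ε(n) with ε = 0. Note that the uniform-pad probability is ½ for every attacker, which is the slide’s point that A’s view in that case is a perfect one-time pad.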
15. What does it all mean?
• Proof that the pseudo OTP is secure…
  – We have a provably secure scheme, rather than a heuristic construction!

16. What does it all mean?
• Proof that the pseudo OTP is secure…
• …with some caveats
  – Assuming G is a pseudorandom generator
  – Relative to our definition
• The only way the scheme can be broken is:
  – If a weakness is found in G
  – If the definition isn’t sufficiently strong…