Stanford Cryptography I, Study Notes 2: Lecture 1 Stream Ciphers

This series is my study notes for Prof. Dan Boneh's “Cryptography I” (Stanford).
Course page: http://www.coursera.org/lecture/crypto/course-overview-lboqg

The notes are published simultaneously on CSDN, Zhihu and my WeChat public account.

  • The Markdown source files are not yet open-sourced; contact me by e-mail if you need them
  • Mistakes in the notes are hard to avoid; corrections by e-mail are welcome

The complete course outline is as follows:

This post covers Chapter 1, Stream Ciphers, including:


1 Stream Ciphers

1.1 Information Theoretic Security and the One-Time Pad

Symmetric ciphers: definition

  • Def: a cipher defined over $(\mathcal{K},\mathcal{M},\mathcal{C})$
    • is a pair of “efficient” algorithms (E,D) where
      • $E:\mathcal{K} \times \mathcal{M} \rightarrow \mathcal{C}$
      • $D:\mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$
    • s.t. $\forall m \in \mathcal{M}, k\in \mathcal{K}: D(k,E(k,m)) = m$
      • the requirement: the two algorithms are consistent
      • this is the consistency equation
    • Other requirements:
      • efficient:
        • theoretical: runs in polynomial time
        • practical: runs within a given time budget
  • E is often randomized
    • the ciphertext is in general not deterministic
  • D is always deterministic
    • the plaintext must be determined uniquely

One-Time Pad (Vernam 1917)

  • First example of a “secure” cipher
  • $\mathcal{M} = \mathcal{C} = \{0,1\}^{n}$
  • and also $\mathcal{K} = \{0,1\}^{n}$
    • key = a random bit string as long as the message
  • c := E(k,m) = k XOR m
  • D(k,c) = k XOR c
  • Indeed: D(k, E(k,m)) = D(k, k XOR m) = k XOR (k XOR m) = (k XOR k) XOR m = m
  • Practice:
    • You are given a message m and its OTP encryption c. Can you compute the OTP key from m and c?
    • Yes! k = m XOR c
  • Pros and cons
    • advantages:
      • very fast encryption/decryption
      • secure
    • disadvantages:
      • long keys
      • impractical
        • a key as long as the message has to be transmitted before the message itself
  • Is the OTP secure?
  • Is the OTP a good cipher?
  • What is a good cipher?

Information Theoretic Security

Shannon 1949

  • Basic idea: CT should reveal no “info” about PT
    • CT: ciphertext
    • PT: plaintext
    • we need a formal way to say how much information the ciphertext reveals about the plaintext
      • (which is why the concept was introduced by information theorists)

Definition: A cipher (E,D) over $(\mathcal{K},\mathcal{M},\mathcal{C})$ has perfect secrecy if
$\forall m_0, m_1 \in \mathcal{M}$ (with $len(m_0) = len(m_1)$) and $\forall c \in \mathcal{C}$,
$Pr[E(k,m_0) = c] = Pr[E(k,m_1) = c]$
where k is uniform in $\mathcal{K}$ ($k \leftarrow^R \mathcal{K}$)

  • $(\mathcal{K},\mathcal{M},\mathcal{C})$: key space, message space and ciphertext space
  • Pick a key k at random: the probability that encrypting $m_0$ with it yields c equals the probability that encrypting $m_1$ with it yields c
  • Meaning:
    • if I am an attacker and I capture a ciphertext c, the probability that the underlying plaintext is $m_0$ is the same as the probability that it is $m_1$!
    • in other words, even with the ciphertext in hand, the attacker learns nothing about the plaintext.
    • i.e.:
      • given the CT one cannot tell whether the message is $m_0$ or $m_1$
      • the most powerful adversary can learn NOTHING about the plaintext from the ciphertext
      • NO ciphertext-only attack!!! (but other attacks may be possible)

Lemma: OTP has perfect secrecy

  • Proof:

An equivalent condition for perfect secrecy:
$\forall m, c$: $Pr_{k}[E(k,m) = c] = \frac{\#\{k \in \mathcal{K}: E(k,m)=c\}}{|\mathcal{K}|}$
So if $\forall m, c$:
$\#\{k\in \mathcal{K}: E(k,m)=c \}$ = const, then the cipher has perfect secrecy!

  • For the OTP, $\forall m\in \mathcal{M}$ and $c \in \mathcal{C}$: how many OTP keys map m to c?
  • Answer: exactly 1!
    • For the OTP, k = m XOR c, hence $\#\{k\in \mathcal{K}: E(k,m)=c \} = 1$
  • Therefore the OTP has perfect secrecy
  • Hence, for the OTP, no ciphertext-only attack!!!
    • but other attacks are possible
  • The OTP key, however, is far too long to be useful

Bad news about perfect secrecy

Thm: perfect secrecy $\Rightarrow |\mathcal{K}| \geq |\mathcal{M}|$

  • i.e., len(key) $\geq$ len(message)
  • In reality:
    • hard to use
  • But the idea behind the OTP is pretty good
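
Added example (my own Python, not from the lecture or the course materials): an exact check of the perfect-secrecy definition over a tiny space with $n = 3$ by enumerating every key, plus the count of keys that map a given m to a given c used in the lemma's proof. The shortened-key cipher (only $2^2$ keys on 3-bit messages) is a constructed counter-example illustrating the theorem $|\mathcal{K}| \geq |\mathcal{M}|$.

```python
from itertools import product


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit tuples."""
    return tuple(x ^ y for x, y in zip(a, b))


def all_strings(n):
    """The whole space {0,1}^n as bit tuples."""
    return list(product((0, 1), repeat=n))


def otp_encrypt(k, m):
    return xor_bits(k, m)


def otp_decrypt(k, c):
    return xor_bits(k, c)


def key_count(enc, keys, m, c):
    """#{k in K : E(k, m) = c} -- the quantity counted in the lemma's proof."""
    return sum(1 for k in keys if enc(k, m) == c)


def has_perfect_secrecy(enc, keys, messages, ciphertexts):
    """Exact check of Shannon's definition over a finite (K, M, C):
    for every m0, m1 (same length) and every c,
    Pr_k[E(k,m0)=c] == Pr_k[E(k,m1)=c].  Since k is uniform, comparing
    probabilities is the same as comparing key counts."""
    for m0 in messages:
        for m1 in messages:
            for c in ciphertexts:
                if key_count(enc, keys, m0, c) != key_count(enc, keys, m1, c):
                    return False
    return True


N = 3
K = M = C = all_strings(N)


def otp_is_perfectly_secret():
    return has_perfect_secrecy(otp_encrypt, K, M, C)


def otp_key_count(m, c):
    return key_count(otp_encrypt, K, m, c)


def recover_key(m, c):
    """Given a plaintext and its OTP ciphertext, the key is m XOR c."""
    return xor_bits(m, c)


# Constructed counter-example for the theorem |K| >= |M|: the same XOR
# cipher, but with a key space of only 2^2 keys (last key bit fixed to 0).
SHORT_KEYS = [k for k in K if k[-1] == 0]


def short_key_cipher_is_perfectly_secret():
    return has_perfect_secrecy(otp_encrypt, SHORT_KEYS, M, C)


if __name__ == "__main__":
    m, k = (1, 0, 1), (0, 1, 1)
    c = otp_encrypt(k, m)
    print("c =", c, "D(k,c) =", otp_decrypt(k, c))
    print("keys mapping m to c:", otp_key_count(m, c))
    print("OTP perfectly secret:", otp_is_perfectly_secret())
    print("2-bit-key cipher perfectly secret:", short_key_cipher_is_perfectly_secret())
```

The short-key cipher fails because for some (m, c) pairs no key works at all while for others exactly one does, so the counts are not constant; the full OTP always has exactly one.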

1.2 Stream Ciphers and Pseudorandom Generators

Review

  • Cipher over $(\mathcal{K},\mathcal{M},\mathcal{C})$: a pair of “efficient” algorithms (E,D) s.t.:

$\forall m \in \mathcal{M}, k\in\mathcal{K}$: D(k,E(k,m)) = m

  • Weak ciphers: substitution cipher, Vigenère, …
    • easily broken
    • of historical interest only
  • A good cipher (first example): OTP with $M = C = K = \{0,1\}^n$
    • lemma: OTP has perfect secrecy
    • i.e., no ciphertext-only attacks!
  • Bad news: perfect secrecy $\Rightarrow$ key-len $\geq$ msg-len
    • not practical
  • This segment: stream ciphers
    • stream cipher: built on the OTP, but made practical (via a pseudorandom sequence)
    • uses the idea of the OTP
    • but turns it into a practical encryption scheme

Stream cipher: making the OTP practical

  • idea: replace the “random” key by a “pseudorandom” key
  • PRG: pseudorandom generator
    • a function $G:\{0,1\}^{s}\rightarrow \{0,1\}^{n}$, $n \gg s$
      • $\{0,1\}^{s}$: seed space
      • n is very large: e.g., gigabytes
    • Requirements:
      • the PRG must be efficiently computable
      • it must be a deterministic algorithm
        • the only randomness in a PRG is the random seed
      • the output should look “random”
  • Practice: can a stream cipher have perfect secrecy?
    • No! the key is shorter than the message
    • the generated key sequence is only pseudorandom
    • stream ciphers cannot have perfect secrecy
    • we need a different definition of security
    • security will depend on the specific PRG

Unpredictability: the PRG must be unpredictable

  • Predictability: suppose the PRG is predictable, then:

$\exists i$ such that, given $G(k)|_{1,2,\dots,i}$, an algorithm can infer useful information about $G(k)|_{i+1,\dots,n}$

More precisely:

$\exists$ efficient alg. $\mathcal{A}$ and $\exists\, 1 \leq i \leq n-1$
such that $Pr[\mathcal{A}(G(k)|_{1,2,\dots,i}) = G(k)|_{i+1}] \geq \frac{1}{2} + \epsilon$
for some non-negligible $\epsilon$

  • Why predictability would be insecure:
    • suppose an attacker intercepts a particular ciphertext c
    • and the attacker also knows part of the plaintext message m
      • e.g., e-mail sent over SMTP always contains a “From” header
      • this is the prefix the adversary knows
    • compute c XOR m, which yields
      • the prefix of the pseudorandom sequence
      • i.e., the part of the pseudorandom sequence that covers the known prefix
      • written $G(k)|_{1,2,\dots,i}$
    • if the PRG is predictable, this gives $G(k)|_{i+1,\dots,n}$
    • and thereby infer k
    • so predictability would be insecure

  • Even $G(k)|_{1,2,\dots,i} \rightarrow G(k)|_{i+1}$ alone is already a problem!
    • apply it repeatedly (by induction) and the problem becomes obvious
  • Unpredictable

Def: $\forall i$: no efficient adversary can predict bit (i+1) with “non-negligible” $\epsilon$

  • Practice: suppose $G: K\rightarrow \{0,1\}^n$ is such that for all k: XOR(G(k)) = 1
    • the XOR of all bits in the sequence G(k) equals 1
    • Is G predictable?
    • Predictable!
      • given the first (n-1) bits I can predict the n-th bit

Weak PRGs

  • (do not use for crypto)
  • 1: linear congruential generator
    • three parameters: a, b, p
    • algorithm:
      • r[0] $\equiv$ seed
      • r[i] $\leftarrow$ (a $\cdot$ r[i-1] + b) mod p
      • output a few bits of r[i]
      • i++
    • although its statistical properties are decent
      • e.g., about as many 0s as 1s
    • it is easy to predict
  • 2: glibc random()

Negligible and non-negligible

  • In practice:
    • $\epsilon$ is a scalar, and
      • non-negligible: $\epsilon \geq 1/2^{30}$
        • likely to happen over 1GB of data
        • for every 1GB encrypted, an event of probability $\epsilon$ can be expected to occur about once
      • negligible: $\epsilon \leq 1/2^{80}$
        • an event that will not happen even if you encrypt data for a lifetime
  • In theory:
    • $\epsilon$ is a function $\epsilon: Z^{\geq 0} \rightarrow R^{\geq 0}$ and
      • non-negligible: $\exists d: \epsilon(\lambda) \geq 1/\lambda^{d}$ infinitely often
        • (i.e., $\epsilon \geq 1/\text{poly}$ for infinitely many $\lambda$)
      • negligible: $\forall d, \lambda \geq \lambda_{d}: \epsilon(\lambda) \leq 1/\lambda^{d}$
        • (i.e., $\epsilon \leq 1/\text{poly}$ for all large $\lambda$)
    • examples:
      • $\epsilon(\lambda) = 1/2^{\lambda}$: negligible
        • the exponential grows quickly
        • so its reciprocal shrinks quickly
        • negligible
      • $\epsilon(\lambda) = 1/\lambda^{100}$: non-negligible
        • the reciprocal shrinks more slowly
  • The essence:
    • if a function is only polynomially small very often, then the event happens with a probability that is not small, so it cannot be ignored
    • conversely, if the probability of an event is always below the reciprocal of every polynomial, the probability is small and can be ignored

  • In this course:
    • negligible: smaller than 1/exponential
    • non-negligible: at least 1/polynomial (infinitely often)

1.3 Attacks on Stream Ciphers

Review

  • OTP: E(k,m) = m XOR k, D(k,c) = c XOR k
  • Making the OTP practical using a PRG:
    • $G: K \rightarrow \{0,1\}^n$
    • stream cipher: E(k,m) = m XOR G(k)
      • D(k,c) = c XOR G(k)
  • Security:
    • the PRG must be unpredictable

Attack 1: the two-time pad is insecure!

  • Never use a stream cipher key more than once!
  • Reason:
    • suppose an eavesdropper intercepts C1 and C2
      • and so holds both C1 and C2
    • then the eavesdropper computes:
      • C1 XOR C2 = m1 XOR m2 XOR (PRG(k) XOR PRG(k))
      • i.e., C1 XOR C2 = m1 XOR m2
    • there is enough redundancy in English and in ASCII encoding that
      • knowing m1 XOR m2 is enough to recover m1 and m2

Real-world examples

  • Project Venona (1941-1946)
    • keys were generated from pads
    • using each pad only once seemed wasteful, so multiple messages were encrypted under one key
    • as a result more than 3000 plaintexts were recovered
  • MS-PPTP (Windows NT)
    • Point-to-Point Tunneling Protocol
    • the protocol: for a client wishing to communicate securely with a server
    • the client and the server share a secret key
    • workflow:
      • client: send m1, server responds s1
      • client: send m2, server responds s2
      • client: send m3, server responds s3
      • the flow above can be viewed as one stream, i.e.
        • all messages from the client to the server are concatenated into one long stream
          • [m1 || m2 || m3 || …]
        • encryption: [m1 || m2 || m3 || …] XOR PRG(k)
        • the problem is on the server side: all messages from the server are also treated as one long stream
          • [s1 || s2 || s3 || …]
          • and are sent to the client as [s1 || s2 || s3 || …] XOR PRG(k)
    • hence a two-time pad
    • lesson: in two-way communication, the two directions must not use the same key
    • fix: one key per direction, k = (k_m, k_s)
  • 802.11b WEP

  • The 802.11 protocol has an encryption layer; WEP was the original encryption layer
  • WEP: a very badly designed protocol
    • a useful negative example of how not to do things
    • there are many, many mistakes inside WEP
    • here: WEP is used to show how a two-time pad arises
  • How WEP works
    • one client (laptop), one access point
    • the two share a key k
    • suppose the client wants to send a plaintext frame m to the access point
      • step 1: append a checksum CRC(m) to m, giving the new plaintext m'
        • a cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to digital data
      • step 2: encrypt with the stream cipher: c = m' XOR PRG(IV || k)
        • length of the IV: 24 bits
          • the IV repeats after $2^{24} \approx 16M$ frames
          • i.e., once more than 16M frames have been sent, the IV cycles!
        • motivation for the IV:
          • the WEP designers knew that in a stream cipher PRG(k) for one k may encrypt only one message
          • so, change the key after every frame
          • the way it is changed: prepend the IV to the key
        • the IV increments by one on every packet
      • step 3: send the IV together with c to the access point
    • The problems:
      • problem 1: once there are many frames (> 16M), the IV repeats
        • and we are back to a two-time pad
      • problem 2 (the worst problem):
        • when the card is power-cycled, the IV is reset to 0!
        • so after every power cycle the same pads are reused
  • In summary: WEP encrypts many times under the same key
    • whenever the IV repeats
  • Moreover, the WEP designers wanted a different key each time, but they did not randomize the keys
    • the keys are very closely related to one another
    • for the PRG used in WEP (RC4):
      • FMS attack: $10^6$ frames suffice to recover the secret key
      • now: just 40,000 frames are sufficient

A better construction

  • generate a pseudorandom sequence and assign each frame its own sub-key

  • these sub-keys then have no relation to one another

Yet another example: disk encryption

  • imagine we have a file
    • that starts with: “To Bob”
  • the file is stored on disk as many blocks
    • every block is encrypted
      • e.g., the first block is E(“To Bob”, PRG(k))
    • an attacker looking at the disk has no idea what the contents of the file are
  • now the file is edited: “To Bob” --> “To Eve”
    • nothing else changes
    • the file is saved to disk
    • the first block becomes E(“To Eve”, PRG(k))
  • because a stream cipher is used, the attacker can see that block 1 changed and nothing else did
    • this is insecure
    • hence disk encryption normally does not use stream ciphers
  • at the same time, this is another example of a two-time pad attack!
    • E(“To Bob”, PRG(k)) and E(“To Eve”, PRG(k))
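
Added example (my own Python, not from the lecture or these notes) showing both two-time-pad cases above: two messages encrypted under one key, and the disk-encryption case where a re-saved block reveals exactly which bytes changed. The PRG stand-in is SHAKE-256 used as a keystream expander, purely an assumption of this demo; the key and messages are constructed.

```python
import hashlib


def prg(key: bytes, nbytes: int) -> bytes:
    """Stand-in PRG G(k): deterministic, expands a short key to nbytes.
    SHAKE-256 is used here only as a convenient keystream source; the
    lecture makes no statement about it (assumption of this example)."""
    return hashlib.shake_256(key).digest(nbytes)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, m: bytes) -> bytes:
    """E(k, m) = m XOR G(k)."""
    return xor_bytes(m, prg(key, len(m)))


stream_decrypt = stream_encrypt  # D(k, c) = c XOR G(k): same operation


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper holding two ciphertexts under the same key
    computes: c1 XOR c2 = m1 XOR m2, because the keystream cancels."""
    return xor_bytes(c1, c2)


def recover_other_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (e.g. a predictable header), the other
    plaintext follows directly from m1 XOR m2."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)


def changed_positions(c_old: bytes, c_new: bytes):
    """The disk-encryption observation: when a block is re-encrypted under
    the same keystream, old XOR new is non-zero exactly where the
    plaintext changed, so the attacker sees the edit's position."""
    return [i for i, (x, y) in enumerate(zip(c_old, c_new)) if x != y]


# Constructed sample data (not from the lecture).
KEY = b"constructed-demo-key"
M1 = b"Meeting moved to 14:00 in room B"
M2 = b"Wire transfer authorised: 90 EUR"   # same length as M1


def demo():
    c1 = stream_encrypt(KEY, M1)
    c2 = stream_encrypt(KEY, M2)            # key reused: a two-time pad
    assert two_time_pad_leak(c1, c2) == xor_bytes(M1, M2)
    recovered = recover_other_message(c1, c2, M1)
    old = stream_encrypt(KEY, b"To Bob")    # first disk block, before edit
    new = stream_encrypt(KEY, b"To Eve")    # same block, after edit
    return recovered, changed_positions(old, new)


if __name__ == "__main__":
    recovered, positions = demo()
    print("recovered m2:", recovered)
    print("bytes that changed between 'To Bob' and 'To Eve':", positions)
```

With a fresh key (or a fresh nonce) per message the keystreams differ and neither relation holds, which is exactly the summary's rule: never use a stream-cipher key more than once.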

Two-time pad: summary

  • Never use a stream cipher key more than once
    • Network traffic:
      • negotiate a new key for every session
        • e.g., TLS
    • Disk encryption:
      • typically do not use a stream cipher
      • so the adversary cannot tell where the data changed

Attack 2: no integrity

  • The OTP is malleable
  • The OTP provides no integrity
    • all it does is provide confidentiality
    • it provides no integrity at all
    • worse: it is actually very easy to modify the ciphertext and have a known effect on the corresponding plaintext

  • imagine we have a plaintext m
    • step 1: encrypt as c = m XOR k
    • an adversary intercepts c
      • an active attacker
    • step 2: modify the ciphertext c
      • p XOR c = (m XOR k) XOR p
      • p is a fixed value chosen by the attacker
      • decrypting with k:
        • p XOR c XOR k = m XOR p
        • i.e., the attacker can apply a controlled change to the original plaintext (m XOR p)
    • step 3: the receiver decrypts p XOR c and gets a wrong result
      • and the error is under the attacker's control (XOR with the chosen value p)
  • example:
    • suppose an e-mail is sent
    • m = “From: Bob”
    • attacker: knows the mail comes from Bob and wants the recipient to believe it comes from Eve
      • has access only to the ciphertext
    • the attacker just needs a p such that m XOR p = “From: Eve”
      • i.e., p = “From: Bob” XOR “From: Eve”
    • and the recipient is tricked into reading the wrong information
  • Summary:
    • modifications to the ciphertext are undetected and have a predictable impact on the plaintext
    • a good encryption scheme must also guarantee data integrity!
      • the OTP by itself has no integrity at all
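
Added example (my own code, not from the lecture): the ciphertext edit p = “From: Bob” XOR “From: Eve” carried out on an OTP ciphertext, next to a hardened variant that authenticates the ciphertext with an HMAC-SHA256 tag under a separate key and rejects the edited ciphertext before decrypting. The MAC construction is not part of the lecture; keys and messages are constructed.

```python
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(k: bytes, m: bytes) -> bytes:
    """c = m XOR k (one-time pad / stream-cipher style encryption)."""
    return xor_bytes(m, k)


otp_decrypt = otp_encrypt  # decryption is the same XOR


def malleate(c: bytes, old: bytes, new: bytes) -> bytes:
    """The edit from the notes: p = old XOR new, and (c XOR p) decrypts to
    m XOR p.  The attacker never learns k or m; only the known plaintext
    prefix `old` must be guessed correctly."""
    p = xor_bytes(old, new)
    return xor_bytes(c[:len(p)], p) + c[len(p):]


# Hardened form (added here, not from the lecture): encrypt, then MAC the
# ciphertext under a separate key; verify the tag before decrypting.
def encrypt_then_mac(k_enc: bytes, k_mac: bytes, m: bytes):
    c = otp_encrypt(k_enc, m)
    tag = hmac.new(k_mac, c, hashlib.sha256).digest()
    return c, tag


def verify_then_decrypt(k_enc: bytes, k_mac: bytes, c: bytes, tag: bytes):
    expected = hmac.new(k_mac, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject: the ciphertext was modified in transit
    return otp_decrypt(k_enc, c)


# Constructed sample values (9-byte pad for the 9-byte message).
K_ENC = bytes.fromhex("1f8e0c3a55d27b9e04")
K_MAC = b"constructed-mac-key"
M = b"From: Bob"


def demo():
    # Without integrity: the edit lands exactly where the attacker wants.
    c = otp_encrypt(K_ENC, M)
    forged = malleate(c, b"From: Bob", b"From: Eve")
    plain_result = otp_decrypt(K_ENC, forged)
    # With a MAC: the same edit is detected and the message is dropped.
    c2, tag = encrypt_then_mac(K_ENC, K_MAC, M)
    forged2 = malleate(c2, b"From: Bob", b"From: Eve")
    mac_result = verify_then_decrypt(K_ENC, K_MAC, forged2, tag)
    honest = verify_then_decrypt(K_ENC, K_MAC, c2, tag)
    return plain_result, mac_result, honest


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used so the tag check does not leak timing; the MAC key must be independent of the encryption key, otherwise the pad and the tag would share secret material.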

1.4 Real-World Stream Ciphers

Old example: RC4 (1987)

  • a software-oriented example

  • RC4 takes a variable-size seed
    • here take 128 bits as the seed size
  • step 1: expand the 128-bit secret key into 2048 bits
    • this is the internal state of the generator
  • step 2: the generator executes a very simple loop
    • every iteration of the loop outputs 1 byte
    • the generator can be run for any number of steps, outputting 1 byte each time
  • Used in HTTPS and WEP
    • e.g., Google used it for HTTPS
  • Weaknesses:
    • bias in the initial output: Pr[second byte = 0] = 2/256
      • instead of 1/256
      • meaning: if we use the RC4 output to encrypt a message, the second byte is likely not to be encrypted at all.
      • current recommendation: ignore the first 256 bytes and start using the generator from byte 257
    • Prob. of (0,0) is $1/256^2 + 1/256^3$
      • this typically shows up after several GB of data
      • a run of 16 consecutive zero bits appears more often than it should
      • the correct probability would be $1/256^2$
    • Related-key attacks
      • if one uses keys that are closely related to one another, attacks become easy

Old example: CSS (Content Scrambling System)

  • a hardware-oriented method
    • easy to implement in hardware
    • based on a mechanism called an LFSR
  • badly broken
    • was used for encrypting DVD movies
  • Linear feedback shift register (LFSR):

  • each cell contains one bit
  • there are taps into certain cells
    • not all cells, only certain ones
    • taps: particular cell positions
    • the tapped cells are XORed together
  • seed = initial state of the LFSR
  • examples: (all broken)
    • DVD encryption: 2 LFSRs
    • GSM encryption (A5/1,2): 3 LFSRs
    • Bluetooth (E0): 4 LFSRs
  • CSS: seed = 5 bytes = 40 bits
    • only 40 bits are used: in the DVD era, US export regulations only allowed export of crypto algorithms with a 40-bit key
      • DVD was designed at a time when US export regulations only allowed the export of crypto algorithms where the key was only 40 bits.
    • design:
      • CSS uses two LFSRs
        • one is a 17-bit LFSR
          • the register holds only 17 bits
        • the other is a 25-bit LFSR
      • seeds:
        • seed 1: 1 || first 2 bytes of the key
          • 1 + 2*8 = 17
        • seed 2: 1 || last 3 bytes of the key
          • 1 + 3*8 = 25
        • all 5 bytes of the key are used
      • the LFSRs are run for 8 cycles
        • producing 8 bits of output each
      • then they go through an adder: addition mod 256
      • then the carry from the previous block is added
      • output: one byte per round
    • very little hardware is needed to implement it
      • and very cheaply
    • but easy to break!
      • $\approx 2^{17}$ time
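
Added example (my own Python, not from the lecture): a minimal Fibonacci LFSR and a CSS-style combiner following the description above (17- and 25-bit registers seeded as 1 || key bytes, 8 clocks per round, addition mod 256 with carry). The tap positions are constructed placeholders, not the real CSS feedback polynomials, which the notes do not give; the code illustrates the structure, not the actual cipher.

```python
def lfsr_step(state, nbits, taps):
    """One clock of a Fibonacci LFSR.  `state` holds nbits bits as an int;
    the feedback bit is the XOR of the tapped bit positions.  The bit that
    falls off the low end is the output bit."""
    out = state & 1
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    state = (state >> 1) | (fb << (nbits - 1))
    return state, out


def lfsr_bits(seed, nbits, taps, count):
    """`count` output bits from an LFSR whose initial state is the seed."""
    state, bits = seed, []
    for _ in range(count):
        state, b = lfsr_step(state, nbits, taps)
        bits.append(b)
    return bits


def period(seed, nbits, taps, limit):
    """Smallest t > 0 with state_t == state_0, or None if it exceeds limit.
    A maximal-length LFSR returns 2**nbits - 1 for any non-zero seed."""
    state = seed
    for t in range(1, limit + 1):
        state, _ = lfsr_step(state, nbits, taps)
        if state == seed:
            return t
    return None


def bits_to_byte(bits):
    """Pack 8 bits into a byte value, first bit most significant."""
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


# Tap positions are constructed for illustration only; the notes do not
# give the real CSS feedback polynomials and these are not them.
LFSR1_BITS, LFSR1_TAPS = 17, (0, 3)
LFSR2_BITS, LFSR2_TAPS = 25, (0, 4)


def css_like_seeds(key5):
    """Seed layout from the notes: seed1 = 1 || first 2 key bytes (17 bits),
    seed2 = 1 || last 3 key bytes (25 bits); all 40 key bits are used."""
    if len(key5) != 5:
        raise ValueError("CSS-style key is 5 bytes (40 bits)")
    s1 = (1 << 16) | int.from_bytes(key5[:2], "big")
    s2 = (1 << 24) | int.from_bytes(key5[2:], "big")
    return s1, s2


def css_like_keystream(key5, nbytes):
    """One output byte per round: clock each LFSR 8 times, pack the bits to
    a byte, add the two bytes mod 256 plus the carry of the previous round."""
    s1, s2 = css_like_seeds(key5)
    carry, out = 0, bytearray()
    for _ in range(nbytes):
        bits1, bits2 = [], []
        for _ in range(8):
            s1, b1 = lfsr_step(s1, LFSR1_BITS, LFSR1_TAPS)
            s2, b2 = lfsr_step(s2, LFSR2_BITS, LFSR2_TAPS)
            bits1.append(b1)
            bits2.append(b2)
        total = bits_to_byte(bits1) + bits_to_byte(bits2) + carry
        out.append(total & 0xff)
        carry = total >> 8
    return bytes(out)


if __name__ == "__main__":
    print("3-bit LFSR, taps (0,1), period:", period(1, 3, (0, 1), 10))
    print(css_like_keystream(b"\x01\x02\x03\x04\x05", 8).hex())
```

The all-zero state is a fixed point of any LFSR, which is why the seed format forces a leading 1 bit; the 3-bit register in `__main__` cycles through all 7 non-zero states, the maximal length.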

  • The attack on CSS:
    • suppose we have intercepted an encrypted movie
    • because DVDs use a specific format, we know a prefix of the plaintext
      • say it is 20 bytes
    • XOR the first 20 bytes of c with the 20-byte prefix
      • this gives the first 20 bytes of CSS output
        • i.e., the first 20 bytes of the output of the PRG inside CSS
    • next, try all $2^{17}$ possible states of the first LFSR
      • for each candidate, compute the 20 bytes of LFSR 1 output $o_1$
      • since we also have the first 20 bytes of the combined LFSR 1 + LFSR 2 output $o$
        • we can derive the 20 bytes of output $o_2$ of the second LFSR
      • check whether $o_2$ can be the output of a 25-bit LFSR
      • if not, continue
      • if yes, the break has very likely succeeded

Modern stream ciphers: eStream (2008)

  • eStream: proposed 5 stream ciphers
    • only one is presented here
  • PRG: $\{0,1\}^{s} \times R \rightarrow \{0,1\}^{n}$, $n \gg s$
    • R: the nonce, a non-repeating value for a given key
  • Encryption:
    • E(k,m;r) = m XOR PRG(k;r)
    • the pair (k,r) is never used more than once
      • k can be reused, because the nonce makes the pair unique

eStream: Salsa20 (SW + HW)

  • designed for both software and hardware
    • designed for software:
      • fast to implement and run on software platforms
    • designed for hardware:
      • fast to implement and run on hardware platforms
      • like CSS
  • Salsa20:
    • $\{0,1\}^{128 \text{ or } 256} \times \{0,1\}^{64} \rightarrow \{0,1\}^{n}$ (max $n = 2^{73}$ bits)
      • seed, nonce and output respectively
    • here only 128-bit Salsa20 is presented
    • Salsa20(k;r) := H(k,(r,0)) || H(k,(r,1)) || H(k,(r,2)) …
      • 0,1,2: a counter that increments from step to step
    • How does H work?
      • step 1: expand the state into a 64-byte block
        • the first 4 bytes are a constant $\tau_0$
        • the next 16 bytes are the key (128 bits)
        • the next 4 bytes are a constant $\tau_1$
        • the next 8 bytes are the nonce r
        • the next 8 bytes are the index i
        • the next 4 bytes are a constant $\tau_2$
        • the next 16 bytes are the key again
        • the last 4 bytes are a constant $\tau_3$
      • step 2: apply the function h
        • a one-to-one function
        • maps 64 bytes to 64 bytes (output)
        • h is invertible
          • designed to be fast on x86
      • step 3: keep applying h
        • every round yields a 64-byte output
        • ten rounds
        • each round is invertible
      • step 4: XOR the input with the final output
      • finally: a 64-byte output
      • the above is one round of the big H
    • applying H many times gives the final pseudorandom sequence
  • Security:
    • no effective attack is known
    • a fast stream cipher both in hardware and in software
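
Added example (my own implementation, not code from the lecture or from the Salsa20 authors): Salsa20 with a 128-bit key following the 64-byte state layout above, used as the nonce-based stream cipher E(k,m;r) = m XOR PRG(k;r) of the eStream section. It assumes the published “expand 16-byte k” constants for $\tau_0 \dots \tau_3$, little-endian 32-bit words, and word-wise addition of the input to the output (the notes say XOR; the specification adds mod $2^{32}$). Key, nonce and message are constructed.

```python
import struct

MASK = 0xffffffff
# Constants for the 128-bit-key expansion ("expand 16-byte k"): the
# tau_0..tau_3 of the notes.
TAU = (b"expa", b"nd 1", b"6-by", b"te k")


def rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def quarterround(y0, y1, y2, y3):
    """Add-rotate-XOR mixing of four 32-bit words; every step is invertible."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def columnround(x):
    y = list(x)
    y[0], y[4], y[8], y[12] = quarterround(x[0], x[4], x[8], x[12])
    y[5], y[9], y[13], y[1] = quarterround(x[5], x[9], x[13], x[1])
    y[10], y[14], y[2], y[6] = quarterround(x[10], x[14], x[2], x[6])
    y[15], y[3], y[7], y[11] = quarterround(x[15], x[3], x[7], x[11])
    return y


def rowround(y):
    z = list(y)
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def salsa20_core(block64):
    """The big H: ten invertible double rounds (the h of the notes), then
    the input is added back word-wise mod 2^32 so the whole map is no
    longer invertible."""
    x = list(struct.unpack("<16I", block64))
    z = x
    for _ in range(10):
        z = rowround(columnround(z))
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, z)])


def salsa20_block(key16, nonce8, counter):
    """64-byte state: tau0 | key | tau1 | nonce | counter | tau2 | key | tau3."""
    if len(key16) != 16 or len(nonce8) != 8:
        raise ValueError("128-bit key and 64-bit nonce expected")
    state = (TAU[0] + key16 + TAU[1] + nonce8 + struct.pack("<Q", counter)
             + TAU[2] + key16 + TAU[3])
    return salsa20_core(state)


def salsa20_keystream(key16, nonce8, nbytes):
    """Salsa20(k; r) = H(k,(r,0)) || H(k,(r,1)) || ..., truncated to nbytes."""
    out, i = bytearray(), 0
    while len(out) < nbytes:
        out += salsa20_block(key16, nonce8, i)
        i += 1
    return bytes(out[:nbytes])


def salsa20_xor(key16, nonce8, data):
    """E(k, m; r) = m XOR PRG(k; r); the same call decrypts."""
    ks = salsa20_keystream(key16, nonce8, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed sample values.
KEY = bytes(range(16))
NONCE = b"\x00" * 7 + b"\x01"
MSG = b"eStream-style: reuse k, never reuse (k, r)"


def roundtrip():
    c = salsa20_xor(KEY, NONCE, MSG)
    return salsa20_xor(KEY, NONCE, c)
```

The nonce is what makes key reuse safe here: two messages under the same key but different nonces get unrelated keystreams, whereas the same (k, r) pair twice is exactly the two-time pad of section 1.3.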

Performance on an AMD Opteron, 2.2 GHz, Linux

  • RC4:
    • not safe, and slower
  • eStream:
    • fast and secure
  • so, if you need a stream cipher, an eStream cipher is a good choice.

1.5 What is a secure cipher

Next: a definition of PRG security, a new way to define a PRG
~ a good way to describe a PRG
~ with many applications

1.5.1 PRG Security Definitions

Definitions
  • Let $G: K\rightarrow \{0,1\}^{n}$ be a PRG
  • Goal: define what it means that
    • the output of the PRG is indistinguishable from random
    • i.e., the distribution $[k \leftarrow^R \mathcal{K}, \text{output } G(k)]$ is “indistinguishable” from the truly uniform distribution $[r \leftarrow^R \{0,1\}^n, \text{output } r]$
    • i.e., one cannot tell the PRG output apart from a truly random sequence
  • This definition is quite surprising:
    • in the lecture slide, the blue circle denotes:
      • the set of strings output by the uniform distribution over all of $\{0,1\}^n$
    • the red circle denotes:
      • the set of strings that the PRG can generate from some seed k
    • what we are arguing is:
      • an adversary who looks at the tiny red set (output of the generator) cannot distinguish it from the large blue set (output of the uniform distribution)
      • i.e., the attacker must be fooled into thinking the red circle he sees is the whole blue circle!
    • that is the property we are actually shooting for
Statistical Tests
  • A statistical test on $\{0,1\}^n$:
    • an algorithm A such that A(x) outputs “0” or “1”
      • input: an $x \in \{0,1\}^n$
      • output 0 means “not random”
      • output 1 means “random”
      • (just a boolean randomness test)
  • examples:
    • (1) A(x) = 1 iff (if and only if) $|\#0(x) - \#1(x)| \leq 10\sqrt{n}$
      • #0(x): number of 0s in x; #1(x): number of 1s in x
      • output 1 if the two counts are close
      • $\leq 10\sqrt{n}$: “close”
    • (2) A(x) = 1 iff $|\#00(x) - n/4| \leq 10\sqrt{n}$
      • #00(x): number of occurrences of 00 in x
  • More examples:
    • (3) A(x) = 1 iff max-run-of-0(x) $\leq 10\log_2(n)$
      • the longest run of 0s should be close to $\log_2(n)$
  • there are hundreds of statistical tests
  • but running a huge battery of tests to decide whether a string is random is not a sound approach
  • so we define the advantage of a test against a PRG

Next: how to evaluate whether a test is good

Advantage
  • Let $G: K\rightarrow \{0,1\}^n$ be a PRG, and A a statistical test on $\{0,1\}^n$
  • Define:
    • the advantage of the test algorithm A (a quality measure):
    • $Adv_{PRG}[A,G] := |Pr_{k\leftarrow^R \mathcal{K}}[A(G(k))=1] - Pr_{r\leftarrow^R \{0,1\}^n}[A(r)=1]|$
    • i.e., the difference between the probability that A declares a pseudorandom sequence random and the probability that it declares a truly random sequence random
    • clearly $Adv_{PRG}[A,G] \in [0,1]$
  • What the advantage actually means:
    • Adv close to 1 means:
      • somehow the test A behaves differently when given pseudorandom inputs than when given truly random inputs!
      • i.e., A can distinguish the output of the generator from truly random strings
      • A is a good test
    • Adv close to 0 means:
      • the statistical test behaves pretty much the same on pseudorandom and on truly random inputs
      • A cannot distinguish the output of the generator from truly random strings
      • A is a poor test
      • silly example: A(x) $\equiv$ 0, then $Adv_{PRG} = 0$
    • (like a discriminator)
  • Practice:
    • Suppose $G: K\rightarrow \{0,1\}^n$ satisfies msb(G(k)) = 1 for 2/3 of the keys in K
    • Define the statistical test A(x) as:
      • if [msb(x) = 1] output “1” else output “0”
    • then,
      • compute $Adv_{PRG}[A,G] := |Pr_{k\leftarrow^R \mathcal{K}}[A(G(k))=1] - Pr_{r\leftarrow^R \{0,1\}^n}[A(r)=1]|$
      • Ans: |2/3 - 1/2| = 1/6
    • 1/6 is pretty large, non-negligible
      • which basically means that
        • A can distinguish
        • i.e., A breaks the generator G with advantage 1/6
          • which generally means the generator is not good, it is broken
Secure PRGs: crypto definition

Def: We say that $G: K\rightarrow \{0,1\}^n$ is a secure PRG if:
$\forall$ “efficient” statistical tests A, $Adv_{PRG}[A,G]$ is “negligible”
(where $Adv_{PRG}[A,G] := |Pr_{k\leftarrow^R \mathcal{K}}[A(G(k))=1] - Pr_{r\leftarrow^R \{0,1\}^n}[A(r)=1]|$)

  • meaning: no statistical test is able to distinguish the output from random strings
  • A very pretty and elegant definition!
  • Note that if “efficient” is dropped from the definition, the definition becomes unsatisfiable
  • The next question is:
    • are there provably secure PRGs?
    • i.e., can the security of a PRG be proven (no efficient test A can distinguish)?
    • answer:
      • we actually cannot.
      • in fact, the answer is not known!
      • we do not know whether any provably secure PRG exists.
      • the reason:
        • (a very brief proof by contradiction)
        • if one could prove that a particular generator is secure, that would imply $P \neq NP$
        • but whether $P \neq NP$ is an open question
        • therefore, we cannot currently prove that any PRG is secure!
  • But: although we cannot rigorously prove that a particular PRG is secure, we have lots and lots of heuristic candidates
    • these heuristic PRGs are good enough for secure use in practice

Now that we understand the definition of a secure PRG,
we look at applications and implications of the definition.

Easy fact: a secure PRG is unpredictable
  • proof technique: contrapositive
  • Show: PRG predictable $\Rightarrow$ PRG insecure

Proof:
Given that the PRG is predictable, there is an algorithm A:
Suppose A is an efficient algorithm s.t.
$Pr_{k\leftarrow^R \mathcal{K}}[A(G(k)|_{1,2,\dots,i}) = G(k)|_{i+1}] > \frac{1}{2}\ (= \frac{1}{2} + \epsilon)$
for non-negligible $\epsilon$ (e.g., 1/1000)
Next we show that A can be used to break the security of the PRG.
Define a statistical test B as:
B(x) = 1 if $A(x|_{1,2,\dots,i}) = x|_{i+1}$, and 0 otherwise

Then, if r is a random string ($r \leftarrow^R \{0,1\}^n$), Pr[B(r) = 1] = 1/2

  • because r is random, the probability is 1/2
    but for G(k) with $k\leftarrow^R \mathcal{K}$: $Pr[B(G(k))=1] \geq \frac{1}{2} + \epsilon$
    hence $Adv_{PRG}[B,G] > \epsilon$
  • $\epsilon$ is non-negligible
    so the PRG is insecure!
Thm (Yao'82): an unpredictable PRG is secure
  • Let $G: K\rightarrow \{0,1\}^n$ be a PRG
  • “Thm”: if $\forall i \in \{0,1,\dots,n-1\}$ the PRG G is unpredictable at position i,
  • i.e., the PRG is unpredictable at every position,
  • then G is a secure PRG
  • Put differently: if next-bit predictors cannot distinguish G from random, then no statistical test can!!

  • A. C. Yao, “Theory and application of trapdoor functions,” 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), 1982, pp. 80-91, doi: 10.1109/SFCS.1982.45.

  • Proof: not found yet; to be added when I have time

  • Practice: Let $G: K\rightarrow \{0,1\}^n$ be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits.
    • Is G predictable for some $i \in \{0,1,\dots,n-1\}$?
    • Yes!
      • G is not secure!
      • because a test that breaks G is easy to construct
      • by Yao's theorem, G insecure implies G predictable
      • so thanks to Yao's theorem it does not matter that predictability cannot be shown directly
More generally
  • Let P1 and P2 be two distributions over $\{0,1\}^n$
  • Def: we say that P1 and P2 are computationally indistinguishable
    • denoted $P_1 \approx_p P_2$
    • meaning that in polynomial time P1 cannot be distinguished from P2
    • if $\forall$ “efficient” statistical tests A,
      • $|Pr_{x\leftarrow P_1}[A(x) = 1] - Pr_{x\leftarrow P_2}[A(x) = 1]|$ is negligible
  • the earlier definition is the special case where one of the distributions is uniform

1.5.2 Semantic Security

Next:
prove that if we use a secure PRG, we get a secure stream cipher.
So first we must define what a secure stream cipher is.

What is a secure cipher?
  • Attacker's abilities:
    • obtains one ciphertext
      • because a stream cipher key is used only once
  • Possible security requirements:
    • attempt #1: the attacker cannot recover the secret key
      • given the ciphertext, you shouldn't be able to recover the secret key
      • but this is a terrible definition:
        • think about the following “brilliant” cipher
          • E(k,m) = m
          • it does nothing at all
        • not a secure cipher! yet given the ciphertext the attacker cannot recover the secret key
    • attempt #2: the attacker cannot recover all of the plaintext
      • also does not work
        • think about the following example
        • $E(k, m_0 \| m_1) = m_0 \| E(k, m_1)$
        • the attacker cannot decrypt all of $(m_0, m_1)$, but this is clearly not secure either (half of the plaintext, m0, has just leaked)
    • Recall Shannon's idea:
      • the ciphertext should reveal no “info” about the PT
        • not a single bit of information about the PT can be inferred
Recall Shannon's perfect secrecy
  • Let (E,D) be a cipher over (K,M,C)

(E,D) has perfect secrecy if $\forall m_0, m_1 \in M$ ($|m_0| = |m_1|$):
the distribution of $\{E(k,m_0)\}$ = the distribution of $\{E(k,m_1)\}$, where $k \leftarrow K$

  • given a ciphertext, the attacker cannot tell whether it came from the distribution of encryptions of m1 or of m0
  • But the definition is too strong
    • it needs len(key) $\geq$ len(msg)

Try to weaken the definition:

(E,D) is secure if $\forall m_0, m_1 \in M$ ($|m_0| = |m_1|$):
the distribution of $\{E(k,m_0)\}$ $\approx_p$ the distribution of $\{E(k,m_1)\}$, where $k \leftarrow K$

  • meaning the two distributions only need to be computationally indistinguishable
    • i.e., it is enough that efficient attackers cannot distinguish the two distributions! It does not matter if the two distributions are in fact very different!
    • given a sample from one distribution and a sample from the other, the attacker cannot tell that the two samples come from different distributions
    • the definition is almost right, but still a little too strong and still hard to satisfy
    • a constraint must be added: the adversary must also exhibit $m_0, m_1 \in M$ explicitly
      • see below
Semantic Security (one-time key)

For $b = 0,1$, define experiments EXP(0) and EXP(1) as:
(the challenger picks k; the adversary submits $m_0, m_1$ of equal length, receives $E(k, m_b)$, and outputs a bit)

  • For b = 0,1, $W_b :=$ [event that EXP(b) = 1]
    • $W_b$: the event that in experiment b the adversary outputs 1
  • $Adv_{SS}[A,E] := |Pr[W_0] - Pr[W_1]| \in [0,1]$
    • the advantage of this adversary
    • the semantic security advantage of the adversary A against the scheme E
      • meaning: whether the adversary behaves differently when given the encryption of m0 than when given the encryption of m1
      • if the adversary cannot tell the two inputs apart, the encryption is secure
        • the result is close to zero
      • otherwise, if the adversary can tell the two plaintexts apart with high confidence, the encryption is insecure!
        • the result is close to one

Def: E is semantically secure if for all efficient A,
$Adv_{SS}[A,E]$ is negligible,
where $Adv_{SS}[A,E] := |Pr[W_0] - Pr[W_1]| \in [0,1]$

  • $\Rightarrow$ for all explicit $m_0, m_1 \in M$: the distribution of $\{E(k,m_0)\}$ $\approx_p$ the distribution of $\{E(k,m_1)\}$, where $k \leftarrow K$
    • explicit: plaintext pairs the adversary is able to exhibit
Next, some implications and examples of this definition
show that it is a very elegant definition.

Example: not semantically secure
  • Suppose an efficient A can always deduce the LSB of the PT from the CT
    • i.e., infer the least significant bit of the plaintext from the ciphertext
    • that's a terrible encryption scheme:
      • because it basically leaks the LSB of the PT
  • $\Rightarrow \mathbb{E} = (E,D)$ is not semantically secure
    • show that the adversary can distinguish experiment 0 from experiment 1
    • the semantic security experiment runs as follows:

  • 1st step: Chal. chooses k
    • Chal: challenger
  • 2nd step: the adversary constructs $m_0$ with $LSB(m_0) = 0$ and $m_1$ with $LSB(m_1) = 1$, and sends them to Chal.
  • 3rd step: Chal. encrypts $m_b$ and sends it to the Adv.
  • the Adv. guesses $m_b$
    • given the ciphertext, the adv. obtains $LSB(m_b)$
    • this is enough for the adv. to decide between $m_0$ and $m_1$
    • therefore, $Adv_{SS}[A,E] := |Pr[W_0] - Pr[W_1]| = |0 - 1| = 1$
  • meaning that the adversary completely broke the system

Hence,
any information about the plaintext would mean that the system is not semantically secure;
basically, if the cipher is semantically secure, then no information is revealed to an efficient adversary!

Example: OTP is semantically secure

[figure: the semantic security game against the OTP]

  • For all A: $Adv_{SS}[A, OTP] = |Pr[A(k \oplus m_0) = 1] - Pr[A(k \oplus m_1) = 1]| = 0$
    • by the XOR property: any fixed string XORed with a uniformly random string is itself uniformly distributed
      • $k \oplus m_0$ is distributed identically to $k \oplus m_1$
      • i.e. these are exactly the same distribution, so no adversary (efficient or not) can tell them apart
    • hence the OTP is semantically secure!

This completes the definition of semantic security;
next: show that a stream cipher built from a secure PRG is semantically secure.

1.5.3 Stream ciphers are semantically secure

The goal for this segment:
show that "a stream cipher with a secure PRG is semantically secure"

Stream ciphers are semantically secure

Thm: $G: \mathcal{K} \rightarrow \{0,1\}^n$ is a secure PRG $\Rightarrow$
the stream cipher E derived from G is semantically secure!

  • Review:

    • $G: \mathcal{K} \rightarrow \{0,1\}^n$ is a secure PRG:
      • Def: we say that $G: \mathcal{K} \rightarrow \{0,1\}^n$ is a secure PRG if:
        $\forall$ "eff" statistical tests A, $Adv_{PRG}[A, G]$ is "negligible"
        (where $Adv_{PRG}[A, G] := |Pr_{k \xleftarrow{R} \mathcal{K}}[A(G(k)) = 1] - Pr_{r \xleftarrow{R} \{0,1\}^n}[A(r) = 1]|$)

    • cipher E is semantically secure:
      • Def: E is semantically secure if for all efficient A,
        $Adv_{SS}[A, E]$ is negligible
        (where $Adv_{SS}[A, E] := |Pr[W_0] - Pr[W_1]| \in [0, 1]$)

  • emphasize:

    • No hope of proving a theorem like this for perfect secrecy!
    • because the stream cipher has short keys (the PRG seed)
    • while perfect secrecy requires keys at least as long as the messages
  • This is the first example:

    • where we can prove that a cipher with short keys has security!
    • we will use semantic security throughout the course!
  • Proof:

    • to prove that "the stream cipher E derived from G is semantically secure", it suffices to prove the following statement:
      • if $G: \mathcal{K} \rightarrow \{0,1\}^n$ is a secure PRG, then $\forall$ semantic security adversary A, $\exists$ a PRG adversary B s.t.
        $Adv_{SS}[A, E] \leq 2 \cdot Adv_{PRG}[B, G]$

    • explanation: for any semantic security adversary A,
      • what we do is build a PRG adversary B satisfying $Adv_{SS}[A, E] \leq 2 \cdot Adv_{PRG}[B, G]$
    • why does proving the statement above prove that E is semantically secure?
      • we know: if B is an efficient adversary, then since G is a secure generator, $Adv_{PRG}[B, G]$ is negligible;
        • a secure generator has negligible advantage against every efficient statistical test
      • so the right-hand side is negligible
      • then, if the statement ($Adv_{SS}[A, E] \leq 2 \cdot Adv_{PRG}[B, G]$) holds, the left-hand side is negligible too
      • hence the stream cipher E derived from G is semantically secure!
    • the proof proper:
      • all we have to do is: given A, build B (and B must be efficient whenever A is)
  • Proof (intuition):

  • Let A be a semantic security adversary

[figure: the original semantic security game, in which the challenger encrypts with $G(k)$]

The original procedure, modified step by step:
  • Step 1: also make the challenger choose a truly random string r
    • the adversary does not care what the challenger does internally
    • the challenger never uses r in this step, so this does not affect the adversary's advantage at all
  • Step 2 (the trick): encrypt using r instead of G(k)
    • essentially we are changing the challenger, so now the challenge ciphertext is encrypted with the truly random string r rather than the pseudorandom string G(k)
    • because the PRG is secure, G(k) looks just like a truly random string, so the adversary cannot tell that we switched from a pseudorandom string to a truly random one
  • Step 3: now this game is exactly the OTP game!
    • so the current game is obviously semantically secure (in fact perfectly secure)
    • since the adversary cannot distinguish truly random from pseudorandom, and the truly random game is semantically secure, the pseudorandom game is semantically secure too!

[figure: the modified game, in which the challenger encrypts with the truly random string r]

  • Proof (rigorous):
  • Following the idea above, four events arise:
    • For $b = 0, 1$: $W_b :=$ [event that $b' = 1$] in the real game, where the challenge ciphertext is $G(k) \oplus m_b$
      • $Adv_{SS}[A, E] = |Pr[W_0] - Pr[W_1]|$
    • For $b = 0, 1$: $R_b :=$ [event that $b' = 1$] in the modified game, where the challenge ciphertext is $r \oplus m_b$ for a truly random $r$
  • Now look at the relations between these quantities:
    • Claim 1: $|Pr[R_0] - Pr[R_1]| = Adv_{SS}[A, OTP] = 0$
    • we then show that $Pr[W_0]$ and $Pr[W_1]$ are each close to the corresponding $Pr[R_b]$, so $|Pr[W_0] - Pr[W_1]|$ is small
    • Claim 2: $\exists B$: $|Pr[W_b] - Pr[R_b]| = Adv_{PRG}[B, G]$ for $b = 0, 1$
      • that is, there is a B with $|Pr[W_0] - Pr[R_0]| \leq Adv_{PRG}[B, G]$ and $|Pr[R_1] - Pr[W_1]| \leq Adv_{PRG}[B, G]$
        (strictly, the construction below gives one $B_b$ per $b$; take the one with the larger advantage)
      • by the triangle inequality and Claim 1:
        $Adv_{SS}[A, E] = |Pr[W_0] - Pr[W_1]| \leq |Pr[W_0] - Pr[R_0]| + |Pr[R_0] - Pr[R_1]| + |Pr[R_1] - Pr[W_1]| \leq Adv_{PRG}[B, G] + 0 + Adv_{PRG}[B, G]$
      • which proves $Adv_{SS}[A, E] \leq 2 \cdot Adv_{PRG}[B, G]$

[figure: $Pr[W_0]$, $Pr[R_0]$, $Pr[R_1]$, $Pr[W_1]$ laid out on a line, with the distances between them]

Next, it remains to prove Claim 2.

  • What does Claim 2 mean?
    • it captures what happens in experiment 0 (and likewise in experiment 1)
    • when we replace $G(k)$ by the truly random $r$, what exactly changes?
      • we want to show: because G is a secure PRG, when we swap the pseudorandom string for a truly random one, the adversary cannot notice.
    • the proof follows
Proof of Claim 2: $\exists B$: $|Pr[W_0] - Pr[R_0]| = Adv_{PRG}(B, G)$ (the case $b = 1$ is identical with $m_1$ in place of $m_0$)
  • B receives a string $y \in \{0,1\}^n$, which is either $G(k)$ for a random $k$ or a truly random $r$
  • Step 1: B runs the given adversary A, which outputs $m_0$ and $m_1$
  • Step 2: B responds with the ciphertext $c = m_0 \oplus y$
  • Step 3: B outputs whatever bit $b'$ A outputs

[figure: the PRG adversary B built around A]

  • Therefore:
    • when $y = G(k)$, B runs A in exactly experiment 0 of the real game, so $Pr_{k \xleftarrow{R} \mathcal{K}}[B(G(k)) = 1] = Pr[W_0]$
    • when $y = r$ is truly random, B runs A in experiment 0 of the OTP game, so $Pr_{r \xleftarrow{R} \{0,1\}^n}[B(r) = 1] = Pr[R_0]$
    • $Adv_{PRG}[B, G] = |Pr_{k \xleftarrow{R} \mathcal{K}}[B(G(k)) = 1] - Pr_{r \xleftarrow{R} \{0,1\}^n}[B(r) = 1]| = |Pr[W_0] - Pr[R_0]|$
    • B is efficient whenever A is (it runs A once and does one XOR), so $Adv_{PRG}[B, G]$ is negligible by the security of G
    • QED

This proves that
"a stream cipher with a secure PRG is semantically secure".
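To make the definition, the two examples and the reduction concrete, here is an added example (my own code, not part of the original course notes or slides) that runs a toy-sized version of everything above with exact enumeration rather than sampling. The message length N = 4, the seed length, the two truth-table "PRGs" G_BAD (keystream LSB always 0, so the derived stream cipher leaks LSB(m)) and G_BAL (balanced LSB), and the adversary's message pair are all constructed for illustration and are not real generators. The code computes Pr[W_b] and Pr[R_b] for the LSB adversary A, checks Claim 1 (the OTP advantage is exactly 0), builds the PRG adversaries B_0 and B_1 from A as in Claim 2, and verifies the bound Adv_SS[A,E] ≤ 2·Adv_PRG[B,G]. For G_BAD the bound is tight: Adv_SS = 1 and each B_b has advantage exactly 1/2.

```python
"""Exact computation of Adv_SS and Adv_PRG for toy-sized schemes (added example).

Messages, keys and PRG outputs are N-bit strings represented as Python ints.
Everything is small enough to enumerate every key and every random string,
so the probabilities below are exact fractions, not estimates.
"""
from fractions import Fraction
from typing import Callable, Dict, Iterable, Tuple

N = 4          # message / keystream length in bits (constructed toy size)

# Two constructed toy PRGs G: {0,1}^2 -> {0,1}^4 given as truth tables.
# G_BAD always outputs a keystream whose least significant bit is 0, so the
# stream cipher E(k, m) = G(k) XOR m leaks LSB(m).  G_BAL has a balanced LSB.
G_BAD: Dict[int, int] = {0: 0b1010, 1: 0b0110, 2: 0b1100, 3: 0b0000}
G_BAL: Dict[int, int] = {0: 0b1011, 1: 0b0110, 2: 0b1101, 3: 0b0000}

# A semantic security adversary is a pair (choose, guess):
#   choose() -> (m0, m1)   the two challenge plaintexts
#   guess(c) -> b'         its guess after seeing the challenge ciphertext
Adversary = Tuple[Callable[[], Tuple[int, int]], Callable[[int], int]]


def lsb_adversary() -> Adversary:
    """The adversary from the 'not semantically secure' example: it picks
    m0 with LSB 0 and m1 with LSB 1, and outputs LSB(c) as its guess b'."""
    def choose() -> Tuple[int, int]:
        return 0b0110, 0b0111          # constructed pair: LSB(m0)=0, LSB(m1)=1

    def guess(c: int) -> int:
        return c & 1
    return choose, guess


def pr_win(adv: Adversary, keystreams: Iterable[int], b: int) -> Fraction:
    """Pr[b' = 1] when the challenger encrypts m_b with a keystream drawn
    uniformly from `keystreams`.  With keystreams = G(K) this is Pr[W_b];
    with keystreams = all of {0,1}^N it is Pr[R_b] (the OTP game)."""
    choose, guess = adv
    m = choose()[b]
    ks = list(keystreams)
    return Fraction(sum(guess(k ^ m) for k in ks), len(ks))


def adv_ss(adv: Adversary, G: Dict[int, int]) -> Fraction:
    """Adv_SS[A, E] = |Pr[W_0] - Pr[W_1]| for the stream cipher E derived from G."""
    return abs(pr_win(adv, G.values(), 0) - pr_win(adv, G.values(), 1))


def adv_ss_otp(adv: Adversary) -> Fraction:
    """Adv_SS[A, OTP] = |Pr[R_0] - Pr[R_1]|; this is Claim 1 and is always 0,
    because r XOR m0 and r XOR m1 are the same (uniform) distribution."""
    r = range(2 ** N)
    return abs(pr_win(adv, r, 0) - pr_win(adv, r, 1))


def prg_adversary_from(adv: Adversary, b: int) -> Callable[[int], int]:
    """The reduction B_b of Claim 2: on input y (either G(k) or a truly random
    r), run A to get (m0, m1), answer with c = m_b XOR y, output A's bit."""
    choose, guess = adv

    def B(y: int) -> int:
        m0, m1 = choose()
        return guess((m0 if b == 0 else m1) ^ y)
    return B


def adv_prg(B: Callable[[int], int], G: Dict[int, int]) -> Fraction:
    """Adv_PRG[B, G] = |Pr_k[B(G(k)) = 1] - Pr_r[B(r) = 1]|, computed exactly."""
    pseudo = Fraction(sum(B(G[k]) for k in G), len(G))
    rand = Fraction(sum(B(r) for r in range(2 ** N)), 2 ** N)
    return abs(pseudo - rand)


def check_reduction(adv: Adversary, G: Dict[int, int]) -> Tuple[Fraction, Fraction, Fraction]:
    """Return (Adv_SS[A,E], Adv_PRG[B_0,G], Adv_PRG[B_1,G]) and check the bound
    Adv_SS[A,E] <= Adv_PRG[B_0,G] + Adv_PRG[B_1,G] <= 2 * max(...)."""
    ss = adv_ss(adv, G)
    p0 = adv_prg(prg_adversary_from(adv, 0), G)
    p1 = adv_prg(prg_adversary_from(adv, 1), G)
    assert ss <= p0 + p1 <= 2 * max(p0, p1)
    return ss, p0, p1


if __name__ == "__main__":
    A = lsb_adversary()
    print("Claim 1, OTP  :", adv_ss_otp(A))            # 0
    print("G_BAD (ss,p0,p1):", check_reduction(A, G_BAD))   # (1, 1/2, 1/2)
    print("G_BAL (ss,p0,p1):", check_reduction(A, G_BAL))   # (0, 0, 0)
```

The two separate values p0 and p1 are the point glossed over in the slides: the construction gives one PRG adversary per experiment, and the factor 2 in the theorem comes from bounding both by the larger of the two. Against G_BAD the LSB adversary wins the semantic security game outright (advantage 1), and each B_b turns that into a PRG distinguisher with advantage exactly 1/2 (it outputs LSB(y), which is constant on G_BAD's outputs and balanced on random strings), so 1 ≤ 2 · 1/2 holds with equality. Against G_BAL the same adversary has advantage 0 in both games, as the reduction predicts.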
