Scribed by Manohar Jonnalagedda
Summary
Having introduced the notion of CPA security in the past lecture, we shall now see constructions that achieve it. Such constructions shall require either pseudorandom functions or pseudorandom permutations. We shall see later how to construct such objects.
1. Pseudorandom Functions
To understand the definition of a pseudorandom function, it’s good to think of it as a pseudorandom generator whose output is exponentially long, and such that each bit of the output is efficiently computable given the seed. The security is against efficient adversaries that are allowed to look at at any subset of the exponentially many output bits.
Definition 1 (Pseudorandom Function) A function
is a
-secure pseudorandom function if for every oracle algorithm
that has complexity at most
we have
-secure pseudorandom function if for every oracle algorithm 
we have![\displaystyle | \mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T^{F_K} () =1 ] - \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T^{R} () = 1] | \leq \epsilon](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%7C+%5Cmathop%7B%5Cmathbb+P%7D_%7BK+%5Cin+%5C%7B+0%2C1+%5C%7D%5Ek%7D+%5B+T%5E%7BF_K%7D+%28%29+%3D1+%5D+-+%5Cmathop%7B%5Cmathbb+P%7D_%7BR%3A+%5C%7B+0%2C1+%5C%7D%5Em+%5Crightarrow+%5C%7B+0%2C1+%5C%7D%5Em%7D+%5BT%5E%7BR%7D+%28%29+%3D+1%5D+%7C+%5Cleq+%5Cepsilon+&bg=ffffff&fg=000000&s=0 "\displaystyle | \mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T^{F_K} () =1 ] - \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T^{R} () = 1] | \leq \epsilon")
Intuitively, this means that an adversary wouldn’t be able to distinguish outputs from a purely random function and a pseudorandom function (upto a certain 
As usual, it is possible to give an asymptotic definition, in which 
2. Encryption Using Pseudorandom Functions
Suppose 
-
: pick a random
, output
-
: pick a random 
, output 
This construction achieves CPA security.
Theorem 2 Suppose
is a
secure pseudorandom function. Then the above scheme is
-secure against CPA.
-secure against CPA. The proof of Theorem 2 will introduce another key idea that will often reappear in this course: to first pretend that our pseudorandom object is truly random, and perform our analysis accordingly. Then extend the analysis from the pseudorandom case to the truly random case.
Let us therefore consider a modified scheme 
Lemma 3
is
CPA secure.
CPA secure. Proof:
In the computation 
Then we have
![\displaystyle \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(M)) = 1]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cmathop%7B%5Cmathbb+P%7D+%5B+T%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(M)) = 1]")
![\displaystyle = \mathop{\mathbb P}[T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge REP]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%3D+%5Cmathop%7B%5Cmathbb+P%7D%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1+%5Cwedge+REP%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle = \mathop{\mathbb P}[T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge REP]")
![\displaystyle + \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge \neg REP]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%2B+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1+%5Cwedge+%5Cneg+REP%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle + \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge \neg REP]")
similarly,
![\displaystyle \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(M')) = 1]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cmathop%7B%5Cmathbb+P%7D+%5B+T%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%27%29%29+%3D+1%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(M')) = 1]")
![\displaystyle = \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(K,M')) = 1 \wedge REP]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%3D+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28K%2CM%27%29%29+%3D+1+%5Cwedge+REP%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle = \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(K,M')) = 1 \wedge REP]")
![\displaystyle + \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge \neg REP]](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%2B+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%27%29%29+%3D+1+%5Cwedge+%5Cneg+REP%5D+&bg=ffffff&fg=000000&s=0 "\displaystyle + \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge \neg REP]")
so
![\displaystyle \left| \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(K,M)) = 1] - \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(K,M')) = 1] \right|](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cleft%7C+%5Cmathop%7B%5Cmathbb+P%7D+%5B+T%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28K%2CM%29%29+%3D+1%5D+-+%5Cmathop%7B%5Cmathbb+P%7D+%5B+T%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28K%2CM%27%29%29+%3D+1%5D+%5Cright%7C+&bg=ffffff&fg=000000&s=0 "\displaystyle \left| \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(K,M)) = 1] - \mathop{\mathbb P} [ T^{\overline{Enc}} (\overline{Enc}(K,M')) = 1] \right|")
![\displaystyle \leq \left| \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge REP] - \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge REP] \right|](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cleq+%5Cleft%7C+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1+%5Cwedge+REP%5D+-+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%27%29%29+%3D+1+%5Cwedge+REP%5D+%5Cright%7C+&bg=ffffff&fg=000000&s=0 "\displaystyle \leq \left| \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge REP] - \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge REP] \right|")
![\displaystyle + \left | \mathop{\mathbb P}[T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge \neg REP] - \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge \neg REP] \right|](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%2B+%5Cleft+%7C+%5Cmathop%7B%5Cmathbb+P%7D%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1+%5Cwedge+%5Cneg+REP%5D+-+%5Cmathop%7B%5Cmathbb+P%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%7D+%28%5Coverline%7BEnc%7D%28M%27%29%29+%3D+1+%5Cwedge+%5Cneg+REP%5D+%5Cright%7C+&bg=ffffff&fg=000000&s=0 "\displaystyle + \left | \mathop{\mathbb P}[T^{\overline{Enc}} (\overline{Enc}(M)) = 1 \wedge \neg REP] - \mathop{\mathbb P} [T^{\overline{Enc}} (\overline{Enc}(M')) = 1 \wedge \neg REP] \right|")
Now the first difference is the difference between two numbers which are both between 
![{\mathop{\mathbb P}[REP]}](http://s0.wp.com/latex.php?latex=%7B%5Cmathop%7B%5Cmathbb+P%7D%5BREP%5D%7D&bg=ffffff&fg=000000&s=0 "{\mathop{\mathbb P}[REP]}")
The second difference is zero, because with a purely random function there is a 1-1 mapping between every random choice (of 
We have shown that with a purely random function, the above encryption scheme is CPA-secure. We can now turn our eyes to the pseudorandom scheme 
Proof: Consider the following four probabilities, for messages 
![{\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ]}](http://s0.wp.com/latex.php?latex=%7B%5Cmathop%7B%5Cmathbb+P%7D_%7BK%7D+%5B+T%5E%7BEnc%28K%2C+%5Ccdot%29%7D+%28Enc%28K%2CM%29%29+%3D+1+%5D%7D&bg=ffffff&fg=000000&s=0 "{\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ]}")
![{\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M')) = 1 ]}](http://s0.wp.com/latex.php?latex=%7B%5Cmathop%7B%5Cmathbb+P%7D_%7BK%7D+%5B+T%5E%7BEnc%28K%2C+%5Ccdot%29%7D+%28Enc%28K%2CM%27%29%29+%3D+1+%5D%7D&bg=ffffff&fg=000000&s=0 "{\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M')) = 1 ]}")
![{\mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1]}](http://s0.wp.com/latex.php?latex=%7B%5Cmathop%7B%5Cmathbb+P%7D_%7BR%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%28%5Ccdot%29%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1%5D%7D&bg=ffffff&fg=000000&s=0 "{\mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1]}")
![{\mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M')) = 1]}](http://s0.wp.com/latex.php?latex=%7B%5Cmathop%7B%5Cmathbb+P%7D_%7BR%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%28%5Ccdot%29%7D+%28%5Coverline%7BEnc%7D%28M%27%29%29+%3D+1%5D%7D&bg=ffffff&fg=000000&s=0 "{\mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M')) = 1]}")
From the previous proof, we have 
So, it remains to show that
![\displaystyle |\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ] - \mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1]| \leq \epsilon \ \ \ \ \ (1)](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%7C%5Cmathop%7B%5Cmathbb+P%7D_%7BK%7D+%5B+T%5E%7BEnc%28K%2C+%5Ccdot%29%7D+%28Enc%28K%2CM%29%29+%3D+1+%5D+-+%5Cmathop%7B%5Cmathbb+P%7D_%7BR%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%28%5Ccdot%29%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1%5D%7C+%5Cleq+%5Cepsilon+%5C+%5C+%5C+%5C+%5C+%281%29&bg=ffffff&fg=000000&s=0 "\displaystyle |\mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ] - \mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1]| \leq \epsilon \ \ \ \ \ (1)")
Suppose, by contradiction, this is not the case. We will show that such a contradiction implies that 
For an oracle 
- pick a random
and compute
- simulate
; every time
makes an oracle query
, pick a random
and respond to the query with
; every time 
makes an oracle query 
, pick a random 
Note that if 
Thus, we have
![\displaystyle \mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T'^{F_K} () =1 ] = \mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ] \ \ \ \ \ (2)](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cmathop%7B%5Cmathbb+P%7D_%7BK+%5Cin+%5C%7B+0%2C1+%5C%7D%5Ek%7D+%5B+T%27%5E%7BF_K%7D+%28%29+%3D1+%5D+%3D+%5Cmathop%7B%5Cmathbb+P%7D_%7BK%7D+%5B+T%5E%7BEnc%28K%2C+%5Ccdot%29%7D+%28Enc%28K%2CM%29%29+%3D+1+%5D+%5C+%5C+%5C+%5C+%5C+%282%29&bg=ffffff&fg=000000&s=0 "\displaystyle \mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T'^{F_K} () =1 ] = \mathop{\mathbb P}_{K} [ T^{Enc(K, \cdot)} (Enc(K,M)) = 1 ] \ \ \ \ \ (2)")
![\displaystyle \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T'^{R} () = 1] = \mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1] \ \ \ \ \ (3)](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cmathop%7B%5Cmathbb+P%7D_%7BR%3A+%5C%7B+0%2C1+%5C%7D%5Em+%5Crightarrow+%5C%7B+0%2C1+%5C%7D%5Em%7D+%5BT%27%5E%7BR%7D+%28%29+%3D+1%5D+%3D+%5Cmathop%7B%5Cmathbb+P%7D_%7BR%7D+%5BT%5E%7B%5Coverline%7BEnc%7D%28%5Ccdot%29%7D+%28%5Coverline%7BEnc%7D%28M%29%29+%3D+1%5D+%5C+%5C+%5C+%5C+%5C+%283%29&bg=ffffff&fg=000000&s=0 "\displaystyle \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T'^{R} () = 1] = \mathop{\mathbb P}_{R} [T^{\overline{Enc}(\cdot)} (\overline{Enc}(M)) = 1] \ \ \ \ \ (3)")
which means that
![\displaystyle \left|\mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T'^{F_K} () =1 ] - \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T'^{R} () = 1]\right| > \epsilon \ \ \ \ \ (4)](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle+++%5Cleft%7C%5Cmathop%7B%5Cmathbb+P%7D_%7BK+%5Cin+%5C%7B+0%2C1+%5C%7D%5Ek%7D+%5B+T%27%5E%7BF_K%7D+%28%29+%3D1+%5D+-+%5Cmathop%7B%5Cmathbb+P%7D_%7BR%3A+%5C%7B+0%2C1+%5C%7D%5Em+%5Crightarrow+%5C%7B+0%2C1+%5C%7D%5Em%7D+%5BT%27%5E%7BR%7D+%28%29+%3D+1%5D%5Cright%7C+%3E+%5Cepsilon+%5C+%5C+%5C+%5C+%5C+%284%29&bg=ffffff&fg=000000&s=0 "\displaystyle \left|\mathop{\mathbb P}_{K \in \{ 0,1 \}^k} [ T'^{F_K} () =1 ] - \mathop{\mathbb P}_{R: \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m} [T'^{R} () = 1]\right| > \epsilon \ \ \ \ \ (4)")
The complexity of 
