Week 7 Flashcards
What is the ideal way to think about unpredictability that applies across cryptosystems?
Indistinguishability from Random
What does Indistinguishability from Radnom mean?
The adversary should not be able to tell the difference between the output of a PRG, and the output of a truly random source of randomness.
Explain the experiment for Indistinguishability from Random.
We have two boxes holding an n-bit string each.
One holds a string generated by a PRG using a seed sampled uniformly at random, one is a truly random string sampled uniformly at random from the set of all n-bit strings.
The truly random n-bit string comes from a set of 2n elements. The PRG produces a string from a smaller blue set which is a subset. It’s smaller because the PRG is deterministic and can’t produce any possible string.
Our adversary knows the function G() to produce the strings, so he wants to test it on all possible inputs to figure out all strings in the subset for the PRG so he can determine if some random string is in that set, or if it’s really a truly random string. BUT, he is computationally bounded and cannot calculate all of them.
So, indistinguishability basically asks if the adversary can determine if the string he is looking at is from the subset produced by the PRG, or from the complement (truly random).
What is the output of a statistical test when determining if a string is random?
Statistical tests here are some algorithm A that predicts whether a string is generated by a PRG or truly random.
They output 0 if they think the n-bit string is NOT random, and 1 if they think the string IS random.
What is an example of a statistical test for predicting whether a string is random or from a PRG?
A test that…
Outputs 1 IFF the absolute value of the number of 0’s - the number of 1’s is less than some value like 10 * sqrt(n).
This statistical test is useful because in general, we expecy that strings that are sampled uniformly will have roughly the same number of 0’s and 1’s. So, if a given output is very far away from that distribution, then the test will say that the string is not random.
See image for examples.
What is the downside of statistical tests?
They are not always right. They can be arbitrarily wrong.
These tests are written and customized for a specific generator.
How do we know if a statistical test is good? How do we measure goodness?
We measure goodness of a statistical test using the same advantage measurement from before.
How do we define advantage mathematically?
The advantage of the PRG distinguishing game, when we use the specific statistical test A for this specific PRG G, we say the advantage is equal to, the absolute value of the difference of the probability that the statistical test predicts that the output is random - the probability that the statistical test predicts that a uniformly sampled random string is random.
If you have a statistical test that always says everything is random, this difference will be 0.
How do we interpret the advantage we obtain from a given statistical test? When is it good? When is it bad?
If the advantage is close to 1, then the statistical test behaves differently when given pseudorandom input vs. random input. When the advantage is close to 1, we say it’s a GOOD statistical test.
When the advantage is close to 0, the test behaves basically the same for pseudorandom input as it does for truly random input. When the advantage is close to 0, we say that it’s a BAD statistical test.
Worked out example of calculating and interpreting advantage.
What is Computational Indistinguishability?
There are two types of indistinguishability. In statistical indistinguishability, the adversary can be computationally unbounded. He can run tests that take an arbitrary amount or time to run.
There is also computational indistinguishability in which we assume the adversary is computationally bounded and can only run statistical tests that run in polynomial time (even if it’s a crazy polynomial run time).
How do we apply the concept of computational indistinguishability to two distributions P1 and P2 which are distributions over the set of n-bit strings?
We can then say that they are computationally indistinguishable if for every possible efficient statistical test, the probability that the statistical test can tell whether the input comes from P1 or P2 is going to be negligible.
The two distributions are computationally indistinguishable if there doesn’t exist a statistical test that is efficient and can distinguish the two. The advantage is negligible.
How do we determine security in terms of indistinguishability for a PRG?
A PRG G is secure if the distribution that results from sampling k uniformly and then running G on (k) (creating a distribution since G() is a random variable) is indistinguishable from the uniform distribution {0,1}n.
So if the distribution that the PRG generates is indistinguishable from a uniform distribution by any efficient statistical test, then the PRG is secure. It’s as good as sampling uniformly from a uniform distribution.
What is Next-Bit-Unpredictability?
It is equivalent to indistinguishability from random.
If you have an algorithm that can predict the next bit, you can use it to predict a statistical test that can then distinguish between the PRG string and a random string. You do this by using your predictor to try and predict the next bit in the output string. If your predictor is right, then you have high probability that the output is from a PRG, if you’re wrong, then maybe it’s from a truly random sample.
A hardwe wat to do this is to use a statistical test to build a bit predictor.
What is Semantic Secrecy (SS)?
This is a notion of secrecy for modern Crypto Systems.
It means that given a ciphertext of a message m, no Probabilistic, Polynomial-time (PPT) Adversaries can determine any information about m with probabilityt non-negligible higher than all PPT adveraries that onlt have access to m’s length.
In other words, the adversary can’t learn anything other than the length of the message.
How does the IND-CPA security game work?
- The Challenger is an algorithm which outputs from one of the two distributions. We give the challenger an advantage which is that it is given a secret key sampled from the key space.
- Both the adversary and the challenger know the encryption and decryption function, and the key space, message space, and cipher space.
- The adversary then picks two messages he wants the challenger to encrypt from the message space (both of same length).
- Then a coin is flipped with outcome b. If b is 0, the challenger encrypts M0, if b is 1, the challenger encrypts M1. It encrypts with the hidden key.
- The encrypted message is then sent to the adversary. He must determine which of his messages was encrypted. If he guesses correctly, he wins.
When do we say a cipher is Semantically Secure?
If for all efficient adversaries, the advantage that the adversary has in the IND-CPA game is negligible. If it’s negligible, we say the adversary really can’t distinguish.
What is a Hash Function?
A function that maps from an arbitrarily large set to a fixed-size set.
The size of the large set we start with is of size * and the fixed-size set is of size N.
Because we are mapping to a smaller set, there will inevitably be collisions (by the pigeonhole principle).
