cryptography scribe

8/9/2019 Cryptography Scribe

http://slidepdf.com/reader/full/cryptography-scribe 1/21


Submitted by: Praloy Kr. Biswas (09CS7009)

What is Modern Cryptography all about?

Historically, cryptography was a subject concerned with the secure communication of information, so that only the intended recipients of the messages can retrieve the information out of the messages received. Therefore, previously cryptography was regarded as more of a technique devised by the group of people involved in a secure communication, and their only concern was to make it as shrewd as possible in order to fool the adversary. It was not a science where there exists a fixed formal approach to analyze the characteristics of the techniques used, say how secure or insecure the scheme is under different contexts. Overall, cryptography essentially relied upon some ad hoc ingenuities of its designers rather than upon well defined methods to test, experiment with and, to some extent, design such schemes.

As is mostly the fate of any ad hoc approach, these sorts of primitive cryptographic approaches have proved to be useless. Almost all such techniques were proved to be vulnerable in one way or the other. Therefore, there was a need to modernize the study of cryptography. Modern Cryptography, an outcome of more careful studies guided by scientific and formal arguments, deals with the construction of schemes that can withstand any abuse. Here by any abuse it is meant that the scheme should preserve or safeguard the desired functionality, even under malicious attempts made to deviate it from its prescribed functionality. Note that the functionality can well be a secure transmission of messages from one place to another.

Nevertheless, the study of the formal approaches to Cryptography is a very practical one. By practical it is meant that it is not as formal as the study of Pure Mathematics or formal logic; it essentially deals with the practical context. To substantiate, say there exists an adversary that is not that powerful (computationally, of course); then the scheme need not be that rigorous, but for a powerful adversary one has to think otherwise. So the point is, the design of a cryptographic scheme is essentially guided by its context, and thus how to capture these contexts formally is also a concern of the study of Modern Cryptography.

So solving a cryptographic problem is a two-stage process consisting of a definitional stage and a constructive stage. First, in the definitional stage, the functionality underlying the natural concern must be identified and an adequate cryptographic problem must be defined. Trying to list all undesired situations is infeasible and prone to error. Instead one should define the functionality in terms of operation in an imaginary ideal model and then require a candidate solution to emulate this operation in the real, clearly defined model. Once the definitional stage is completed, one proceeds to construct a system that will satisfy the definition. Such a construction may use some simple tools, and its security is to be proved relying on the features of these tools. [1]

[1] O. Goldreich, Vol. I


0.1 Formal Notion of Information

As stated in the earlier section, the problem of providing secret communication of information over an insecure medium is the prime concern of Cryptography; thus it becomes absolutely necessary to understand how to capture the intuitive notion of information through formal arguments or formal means. To this end, let's first cite an example to clarify how the mathematical measure of information conveyed by messages can be represented by a well studied mathematical theory, namely probability. Suppose a random variable X takes on the values 1, 2, 3, 4, 5 with equal probability. We ask how much information is conveyed about the value of X by the statement that 1 ≤ X ≤ 2. Originally, if we try to guess the value of X, we have probability 1/5 of being correct. After we know that X is either 1 or 2 we have a higher probability of guessing the right answer. In other words, there is less uncertainty in the second situation. Telling us 1 ≤ X ≤ 2 has reduced the uncertainty about the actual value of X. So, roughly speaking, we can model the situation as if we have a repository of messages having pieces of information attached to them, and there is some probability attached to each of them of being sent through the channel. Owing to the same argument we can regard the whole of the message space as a sample space of all possible messages and can suitably define a random variable upon it. Note that if the probability distribution over such a sample space is anything but uniform, there will be some positive probabilistic bias towards some messages, which may provide the adversary an added edge.

0.1.1 Notion of Security in the Information-theoretic Sense

Well, as we have reasonably been able to formalize the notion of information, our next goal is to define what is meant by security in the information-theoretic sense. Before doing so, let's clarify in some depth what an encryption scheme is.

Loosely speaking, an encryption scheme is a protocol allowing the parties to communicate secretly with each other. It consists of a pair of algorithms. One algorithm, called the encryption Enc, is applied by the sender, while the other algorithm, called the decryption Dec, is applied by the receiver. Hence in order to send a message the sender first applies the encryption algorithm to the message and then sends the result, called the ciphertext, over the channel. Upon receiving a ciphertext, the other party applies the decryption algorithm to it and retrieves the original message, the plaintext.

In order for this scheme to provide secret communication, the communicating parties must know something that is not known to the adversary. This extra knowledge may take the form of the decryption algorithm itself or some parameters and/or auxiliary inputs used by the decryption algorithm. We call this extra knowledge the decryption key. We stress that the existence of such keys is merely a necessary condition for secret communication, but by no means a sufficient one.

The essence of the information-theoretic approach to security is that the ciphertext contains no information about the plaintext. If the ciphertext contains any information about the plaintext, then the encryption scheme is considered to be insecure. To formalize the argument, let M be the message space and C the cipher space in a particular encryption scheme. We say the scheme is perfectly secret if for any probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C for which Pr[C = c] > 0, the following holds:

Pr[M = m | C = c] = Pr[M = m]

Well, if we now just multiply both sides of the above equation by Pr[C = c] / Pr[M = m], then by simple Bayes' rule we have the following:

Pr[C = c | M = m] = Pr[C = c]

From the above two arguments it is easy to infer that for a perfectly secret scheme the probability distribution over M and that over C are independent. Let C(m) denote the distribution of the ciphertext when the message being encrypted is m. Then the claim of perfect secrecy is that for any m0, m1 ∈ M, the distributions C(m0) and C(m1) are identical. This formulation is justly referred to as perfect indistinguishability, because it implies that it is impossible to distinguish an encryption of m0 from an encryption of m1.

Before we delve somewhat deeper into the consequences of the notion of perfect secrecy, it is worth devoting some time to understanding the importance of the key space K. It was argued earlier that for a scheme to provide secret communication, the communicating parties should possess some shared information unknown to the adversary. A natural option may be to keep the encryption and decryption algorithms themselves secret. However, this has some disadvantages. Firstly, there is a high chance of leaking the details of an algorithm, since it can be learned by reverse engineering. Second, it seems difficult to keep a fairly big algorithm secret, and moreover if some changes are to be made to the algorithm then those changes have to be communicated to all the valid parties, which gives the adversary a high chance to learn about the algorithms. Due to these facts, in the late 19th century Auguste Kerckhoffs gave the following important design principle.

Kerckhoffs' principle: The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

In other words, the design of the scheme should be such that the encryption and decryption algorithms take some parameters or inputs, typically known as the key, that are known to the valid parties and kept secret from the adversary.

The introduction of the concept of the key added two other advantages. Suppose the key gets exposed; then it will be much easier to change the key than to change the algorithm. And in case many parties are involved in the communication, it will be significantly easier for all parties to use the same algorithm but different keys, instead of each using a different program.

Therefore we will incorporate another algorithm in the cryptographic scheme, namely the key generation algorithm Gen, that will output a key k chosen according to some distribution that is determined by the scheme. The space of all such outputs is known as the key space K.


Overall, a protocol for private-key secure communication involves the following steps.

Step I: Gen randomly generates a key, say k: k ← Gen()

Step II (at sender's end): Enc takes as input the key k and a message to be transmitted, say m, and outputs a ciphertext, say c: c ← Enc_k(m)

Step III (at receiver's end): Dec takes the cipher c and the key k as input and outputs the message m: m = Dec_k(c)

Here one thing that needs to be noticed is that Gen has to be a randomized algorithm and Enc may be randomized or deterministic, while Dec has to be a deterministic algorithm. By a deterministic algorithm it is meant that for a fixed set of inputs it will always output a particular result, whereas in the case of a randomized algorithm the output may vary even for a fixed input set. It is quite clear that Gen has to be a randomized algorithm, for in each execution it will output a different key having a particular probability of occurrence, and it is this probability space that constitutes the key space. For Dec it is completely the reverse: for a fixed k and c, it needs to output the exact message m that has been encrypted to c. It simply cannot output anything but m. For the time being these cursory comments about the classes of algorithms will suffice; we will return to an elaborate study of algorithms shortly afterwards.

0.1.2 Limitations of Perfect Secrecy

Suppose that |K| < |M|, i.e. the size of the key space is less than the size of the message space. We can find the set of all possible preimages of a particular cipher, say c, which occurs with non-zero probability. Obviously the cardinality of such a set will be less than or equal to the cardinality of K. That means there exists an m' ∈ M which falls outside the set, because |M| > |K|. Therefore, given C = c, Pr[M = m'] = 0. Hence, for any distribution over M that gives m' positive probability, we have Pr[M = m' | C = c] = 0 ≠ Pr[M = m'], which contradicts the condition of perfect secrecy.

That means that to achieve perfect secrecy the key space should be at least as large as the message space.

In around 1949, Claude Shannon provided a theorem, along with a proof of it, which characterizes the condition for perfect secrecy.

Theorem [Shannon, 1949]: Let (Gen, Enc, Dec) be an encryption scheme over a message space M for which |M| = |K| = |C|. The scheme is perfectly secret iff:

1. Every key k ∈ K is chosen with equal probability 1/|K| by algorithm Gen.

2. For every m ∈ M and every c ∈ C, there exists a unique key k ∈ K such that Enc_k(m) outputs c.

Proof: If part: From the above argument it is clear that for each m ∈ M and c ∈ C there exists at least one key k ∈ K such that Enc_k(m) = c. Now, if we take up a particular message, say m, from M and encrypt it with various keys, then the size of the set S = {Enc_k(m) : k ∈ K} of all ciphers must be at least as large as |C|, because for any cryptosystem the encoding rule is injective. And trivially we have |S| ≤ |C|, since S ⊆ C. Combining these two facts we have |S| = |C|, and from the assumption of the theorem these two are eventually equal to |K|, which in turn implies that if Enc is applied to a particular message with two distinct keys, they will map to two distinct ciphers, proving part 2.

If the above argument is furthered a little, it can be said that for a particular pair of message m and key k we can find a unique ciphertext, or rather, to get a particular cipher c from any message, say m_i, there exists a unique key k_i such that Enc_{k_i}(m_i) = c holds. By perfect secrecy we have

$$\Pr[M = m_i] = \Pr[M = m_i \mid C = c] = \frac{\Pr[C = c \mid M = m_i]\,\Pr[M = m_i]}{\Pr[C = c]} = \frac{\Pr[K = k_i]\,\Pr[M = m_i]}{\Pr[C = c]}.$$

By cancelling Pr[M = m_i] from both sides, it can be deduced that Pr[K = k_i] = Pr[C = c]. Since here i is arbitrary, all keys are chosen with equal probability. That is, for every k, Pr[K = k] = 1/|K|, thus proving part 1.

Only if part: Assume every key is chosen with equal probability 1/|K| and that for every m ∈ M and c ∈ C there is a unique key k ∈ K such that Enc_k(m) = c. This immediately implies that for every m and c,

$$\Pr[C = c \mid M = m] = \frac{1}{|K|}$$

irrespective of the probability distribution over M. Thus, for every probability distribution over M, every m, m' ∈ M and every c ∈ C we have

$$\Pr[C = c \mid M = m] = \frac{1}{|K|} = \Pr[C = c \mid M = m'],$$

so the probability distribution over C has no bearing whatsoever on that of M; they are independent. Hence the scheme is perfectly secret.
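To make the definition of perfect secrecy, the Gen/Enc/Dec interface, the |K| < |M| limitation and the two conditions of Shannon's theorem concrete, the following Python code is an added example written for this page, not code from the notes. It assumes a toy scheme the notes never name (3-bit messages and keys with Enc_k(m) = m XOR k) and checks the definition exactly, with rational arithmetic, for a full, a short and a biased key space.

```python
from fractions import Fraction
import secrets

NBITS = 3                          # toy parameter: 3-bit messages, keys and ciphertexts
SPACE = list(range(1 << NBITS))    # M = K = C = {0, ..., 7}


def gen(nbits=NBITS):
    """Gen: randomized; returns a uniformly random n-bit key (the distribution Shannon's part 1 asks for)."""
    return secrets.randbelow(1 << nbits)


def xor_enc(k, m):
    """Enc_k(m) for the toy scheme: bitwise XOR of key and message (deterministic here)."""
    return k ^ m


def xor_dec(k, c):
    """Dec_k(c): deterministic; XOR is its own inverse, so Dec_k(Enc_k(m)) = m."""
    return k ^ c


def uniform(values):
    """Probability distribution (dict value -> Fraction) that is uniform on `values`."""
    p = Fraction(1, len(values))
    return {v: p for v in values}


def joint_distribution(enc, key_dist, msg_dist):
    """Pr[M = m, C = c] induced by choosing m ~ msg_dist and k ~ key_dist independently."""
    joint = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = enc(k, m)
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * pk
    return joint


def is_perfectly_secret(enc, key_dist, msg_dist):
    """Exact check of the definition: Pr[M = m | C = c] == Pr[M = m] for every m
    and every c with Pr[C = c] > 0, under the given message distribution."""
    joint = joint_distribution(enc, key_dist, msg_dist)
    pc = {}                                   # marginal Pr[C = c]
    for (_, c), p in joint.items():
        pc[c] = pc.get(c, Fraction(0)) + p
    for m, pm in msg_dist.items():
        for c, p_c in pc.items():             # only ciphertexts with Pr[C = c] > 0 occur here
            posterior = joint.get((m, c), Fraction(0)) / p_c   # Bayes: Pr[M=m, C=c] / Pr[C=c]
            if posterior != pm:
                return False
    return True


def shannon_conditions(enc, key_dist, msg_space):
    """Check the hypothesis |M| = |K| = |C| and the two conditions of Shannon's theorem.
    Returns (sizes_equal, keys_uniform, unique_key_per_pair)."""
    keys = list(key_dist)
    ciphers = {enc(k, m) for k in keys for m in msg_space}
    sizes_equal = len(keys) == len(msg_space) == len(ciphers)
    keys_uniform = all(p == Fraction(1, len(keys)) for p in key_dist.values())
    unique = all(sum(1 for k in keys if enc(k, m) == c) == 1
                 for m in msg_space for c in ciphers)
    return sizes_equal, keys_uniform, unique


# Constructed scenarios (not from the notes):
FULL_KEYS = uniform(SPACE)          # |K| = |M|, Gen uniform: both Shannon conditions hold
SHORT_KEYS = uniform(SPACE[:4])     # |K| < |M|: the situation of section 0.1.2
BIASED_KEYS = {k: (Fraction(1, 2) if k == 0 else Fraction(1, 14)) for k in SPACE}  # unique keys, non-uniform Gen
SKEWED_MSGS = {0: Fraction(1, 2), 5: Fraction(1, 4), 7: Fraction(1, 4)}            # a non-uniform message distribution

if __name__ == "__main__":
    k = gen()
    assert xor_dec(k, xor_enc(k, 5)) == 5
    for name, kd in (("full", FULL_KEYS), ("short", SHORT_KEYS), ("biased", BIASED_KEYS)):
        print(name, is_perfectly_secret(xor_enc, kd, uniform(SPACE)),
              shannon_conditions(xor_enc, kd, SPACE))
```

The biased key space shows why part 1 of the theorem is needed: every (m, c) pair still has a unique key, yet Pr[M = m | C = c] equals Pr[K = m XOR c] rather than Pr[M = m].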

0.1.3 Notion of Security from the Perspective of Computational Complexity

Security through a perfectly secret scheme is the most robust, in the sense that there the ciphertext simply doesn't contain any information about the plaintext. However, it is impractical: as was seen before, to achieve this the size of the key space should be at least as large as the message space. That is why another approach was devised, based on the concepts of computational complexity. Here it doesn't matter whether the ciphertext contains any information about the plaintext or not; what matters is whether or not this information can be effectively extracted. It deals with feasibility rather than possibility. It turns out that the new approach offers security even if the key is much shorter than the total length of the messages sent via the encryption scheme.

0.1.4 About the Different Kinds of Algorithms and their Complexity Classes

Before we embark upon the actual business of building cryptographic schemes via this new approach, it is worth spending some time to clear up the concepts about algorithms, simply because these will be needed time and again while moving ahead.

Simply stated, an algorithm is a mechanical process, i.e. devoid of any human intervention, which provides some desired result in finite time upon being given an input. Evidently then, for different kinds of problems we are going to have different kinds of algorithms with their respective sets of input instances and output instances. To formalize the study of algorithms, one needs to give them a formal representation. The Turing Machine (TM) is such a model, perhaps the simplest and the most akin to the practical representation of algorithms. Its basic form consists only of a one-way infinite tape, a read-write head capable of moving left and right, and a control unit that dictates the tape movement and the read-write processes upon the tape. Further, it can move around different states based upon the input. This movement is dictated by a transition function defined as T: {state, symbol} → {state, symbol, direction}. Therefore, the specification of a TM will have a set of alphabet symbols that can be written to and read from the tape, and a set of symbols distinct from the alphabet, indicating all possible states the machine can be in.

As was just seen, the input to a TM has to be something in the form of a string built up from the input alphabet that can be placed on the tape and processed by the head. Therefore the problem instance has to be given a string representation, and the set of strings for which the TM outputs the desired results constitutes a language over the alphabet.

Deterministic Algorithm: This kind of algorithm, suitably represented by a deterministic TM (DTM), always outputs a fixed result for a particular input instance. Say, for instance, a DTM which computes the sum of two positive integers is provided with two unary-encoded integers and asked for their sum; it will always give a fixed output for a particular pair of inputs.

Upon considering the execution sequence of such a machine for a particular input, it will be noticed that it traces a particular execution path in a stepwise manner. The number of steps required by a DTM to output a valid result for an input is considered to be its complexity. More precisely, if we consider that each step takes a unit amount of time, then we can define an important property of algorithms, namely Time Complexity, defined below.

Let M be a DTM that halts on all inputs. The time complexity of M is the function f: N → N, where f(n) is the maximum number of steps that M uses on any input of length n.

Moreover, to study the time complexities of algorithms, a particular notation, typically known as asymptotic big-O notation, is of great importance. Let f and g be functions f, g: N → R+. We say that f(n) = O(g(n)) if positive integers c and n0 exist such that for every integer n ≥ n0, f(n) ≤ c·g(n). That is, g(n) is an asymptotic upper bound for f(n).

Tractability and Intractability: We say a problem is tractable if there exists at least one algorithm, or equivalently a DTM, which when provided with an n-length input instance of the problem provides the output within polynomial time complexity. By polynomial time complexity we mean that f(n) can be bounded by some polynomial in n. Such algorithms are aptly termed efficient algorithms. Otherwise, the problem is said to be intractable. We would like to classify problems based upon their tractability and intractability.

But before doing so we need to consider another kind of problem which may not be solvable in polynomial time but can be verified in polynomial time. What is meant by verification can be suitably explained by an example. Say the problem statement is: given a directed graph, devise an algorithm which will output a Hamiltonian cycle if it has one, and otherwise outputs "no". Despite much effort, no polynomial time algorithm has been found to solve it. However, if someone claims, showing a particular graph, that this graph has a Hamiltonian cycle, and we challenge him on his claim, then to settle the matter we need to run some super-polynomial algorithm on the graph and wait for the result. But if the fellow provides us, along with the graph, an instance of a claimed Hamiltonian cycle of the graph, then we can easily devise an algorithm to verify that claim. If he is right, we lose; otherwise we win. Following quite the same argument, we define another class of problems which may not be solvable in polynomial time by any algorithm but can be verified by a poly-time algorithm when provided with a suitable certificate certifying possession of a particular property. Note that the length of the certificate has to be within some polynomial limit, since if its length itself is super-polynomial then there is no question of finding any poly-time algorithm to verify it: it will take super-polynomial time only to read the certificate. That is why such certificates are called succinct certificates.

This notion of verifiability can be beautifully captured by a concept known as the Nondeterministic Turing Machine (NTM). To appreciate it, let's try to emulate a DTM for a particular problem instance. What it will do is just start from a particular point and move forward linearly; if the path it has been following is a wrong one for the solution, it will eventually reach a deadlock; it then backtracks, maybe one or several steps depending upon the strategy, and then again starts moving along some different path. Going like this, if it can find the solution it will provide that; otherwise it will eventually work out all its options and signal a negative answer. These kinds of execution sequences can be neatly expressed with a tree-like structure, where each node represents a decision point and each edge is a step towards the expected solution. And certainly the solution will lie in one or in several leaf nodes. Note that the number of steps this particular DTM has to take is more or less equivalent to the number of nodes present in such a tree, which is exponential in the height of the tree. Well, now say we are given a succinct certificate. To validate it, a natural way is just to start from the root and keep on picking out those branches that match the certificate and straightaway ignore all other branches. If this leads to a valid solution then the certificate is verified; otherwise it is a false one. Note that for a problem, represented suitably as a string, to belong to a language defined by a fixed property, it is enough to have a single valid certificate. One valid certificate means it has the property.

Now let's look at it from outside and place yourself in any node from where there can be many possible moves to choose from. Similarly, a machine can be thought of which can transit in several possible ways from a particular state. Now if in the back end the certificate is there, then it will, as if due to some occult capability, guess the right moves. Such a machine which can behave likewise is called the Nondeterministic Turing Machine. Note that the maximum number of steps it follows is equivalent to the height of the tree. In the worst case, where the NTM has to follow the longest path of the tree and the DTM has to traverse the whole tree, i.e. has to visit all the nodes, the relation between the time complexities of these two kinds of machines can be thought of as the relation between the height of a tree and the number of nodes present in the tree, where the latter is exponential in the former. Therefore, whenever we categorize problems among the complexity classes we will consider only the worst-case complexities.

Well, let's now define the two major complexity classes.

P: The class of problems that possess at least one poly-time DTM to decide them.

NP: The class of problems that possess at least one poly-time NTM to decide them.

Here a question automatically props up: what does it mean to decide a problem by a TM? By and large, almost all problems can be represented in the following manner:

Given an input instance, suitably string-encoded in the alphabet of a TM, the question is to compute something out of it or to look for whether a particular property is there in it or not.

If the TM has to compute something then it essentially represents an algorithm to do so, which presumes some definite characteristics on the part of the input. It simply cannot process any input string without such characteristics. And for a property-checker or property-evaluator TM, firstly the input string should represent a valid input instance, then it has to have the desired property; if it doesn't, the TM will reply negatively, otherwise it will give the appropriate output. Now, essentially a language is nothing but a set of strings possessing some definite properties that give the language its uniqueness. A TM is called a decider for the language if, when given a string from the language, it gives the correct output, but for anything outside of the language it responds negatively. Note that both these results have to be given in a finite amount of time. An intriguing query is, "Does every language have a decider?" The answer is "No". Alan Turing, way back in the 1930s, proved this claim by citing a problem, the famous Halting Problem, that doesn't possess any Turing decider. Anyway, decidability and undecidability are not our subject of interest right now.

An important note: It is evident that P ⊆ NP. Is it also true that NP ⊆ P, that is, is P = NP? This question is still waiting for an answer, and we will see that it has an enormous impact upon computational security.

Randomized Algorithm: The idea of randomized algorithms can be best explained through two examples. One is Randomized Quick Sort and the other is the Min-Cut Algorithm.

Randomized Quick Sort: The time complexity of the quick sort algorithm primarily depends upon the choice of the pivot element, since this is the choice which guides the divide-and-conquer path of Quicksort. Instead of always choosing the pivot element from a fixed place in the array, if we assume there is some kind of random process available inside the algorithm which randomly picks any element as the pivot, then the algorithm turns out to be randomized rather than deterministic. True, it will always output the correct answer, but with varying time complexity. Such a randomized algorithm, which always gives the correct answer but varies in running time, is called a Las Vegas algorithm.

Min-Cut Algorithm: Let G be a connected, undirected multigraph with n vertices. A cut in G is a set of edges whose removal results in G being broken into two or more components. A min-cut is a cut with minimum cardinality. We now study a simple algorithm to find a min-cut of a graph.

We repeat the following step: pick an edge uniformly at random and merge its end vertices into one. If as a result there are several edges between some pairs of newly formed vertices, retain them all. Edges between the vertices that are merged are removed, so that there are never any self-loops. We refer to such a process of merging the two end vertices of an edge as the contraction of that edge. With each contraction the number of vertices in G decreases by one. The crucial observation is that contraction doesn't reduce the min-cut size in G. This is because every cut in the graph at any intermediate stage is a cut of the original graph. The algorithm continues the contraction process until only two vertices remain; at this point, the set of edges between these two vertices is a cut in G and is output as a candidate min-cut.

Does this algorithm always find a min-cut? Let's calculate a little. Suppose the number of vertices in G is n, the number of edges in G is e, and the degree of a vertex v, d(v), is defined as the number of edges incident on v. Further, we assume that k is the min-cut size. We first fix our attention on a particular min-cut of G with k edges, say C. From a well known graph theoretic result we know that

$$\sum_{v} d(v) = 2e, \qquad \text{i.e.} \qquad e = \frac{\sum_{v} d(v)}{2}.$$

Since k is the size of a min-cut, every vertex has degree at least k (the edges incident on v are themselves a cut), so we have

$$k \cdot n \le \sum_{v} d(v),$$

which means e should be at least kn/2.

We strive to find the probability that no edge of C is ever contracted during an execution of the algorithm, so that the edges surviving till the end are exactly the edges in C.

Let ξ_i denote the event of not picking an edge of C at the i-th step, for 1 ≤ i ≤ n − 2. The probability that the edge randomly chosen in the first step is in C is at most k/(nk/2) = 2/n, so that Pr[ξ_1] ≥ 1 − 2/n. Assuming that ξ_1 has occurred, we find Pr[ξ_2 | ξ_1] ≥ 1 − 2/(n − 1), since now the number of remaining vertices is n − 1. At the i-th step, the number of remaining vertices will be n − i + 1 and the size of the min-cut is still k, so the graph has at least k(n − i + 1)/2 edges remaining at this step. Thus

$$\Pr\Big[\xi_i \,\Big|\, \bigcap_{j=1}^{i-1} \xi_j\Big] \ge 1 - \frac{2}{n - i + 1}.$$

So the probability that no edge of C is ever picked in the process is

$$\Pr\Big[\bigcap_{j=1}^{n-2} \xi_j\Big] \ge \prod_{i=1}^{n-2}\Big(1 - \frac{2}{n - i + 1}\Big) = \frac{2}{n(n-1)}.$$

The probability of discovering a particular min-cut is larger than 2/n^2. Thus our algorithm may err in deciding that the cut it outputs is a min-cut. Suppose we were to repeat the algorithm n^2/2 times, making independent random choices each time; the probability that a min-cut is not found in any of the n^2/2 attempts is at most

$$\Big(1 - \frac{2}{n^2}\Big)^{n^2/2} < \frac{1}{e}.$$

By this process of repetition, we have managed to reduce the probability of failure from 1 − 2/n^2 to a more respectable 1/e. Further executions of the algorithm will make the failure probability arbitrarily small, the only consideration being that repetition increases the running time.

Note the extreme simplicity of the randomized algorithm we have studied. In contrast, most deterministic algorithms for this problem are based on network flows and are considerably more complicated.

The gist of this part of the discussion is that there exists another kind of randomized algorithm which may provide wrong solutions; however, we will be able to bound the probability of such an incorrect solution. This kind of algorithm is called a Monte Carlo algorithm. Moreover, we observed a useful property of such algorithms: if the algorithm is run repeatedly with independent random choices each time, the failure probability can be made arbitrarily small, at the expense of running time.
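As an added illustration of the Monte Carlo behaviour just described (example code written for these notes, not part of the original scribe or of any textbook): a small implementation of the contraction algorithm, run once and then repeated, on a constructed 8-vertex graph whose min-cut is known, together with the single-run success bound 2/(n(n−1)) and the repeated-run failure bound (1 − 2/n²)^{n²/2} < 1/e from the text. The sample graph, the seed and all function names are my own choices.

```python
import math
import random

# Constructed sample graph: two 4-cliques {0,1,2,3} and {4,5,6,7} joined by
# two bridge edges, so the unique min-cut has size 2.
SAMPLE_VERTICES = 8
SAMPLE_EDGES = (
    [(a, b) for a in range(4) for b in range(a + 1, 4)]        # clique 1
    + [(a, b) for a in range(4, 8) for b in range(a + 1, 8)]   # clique 2
    + [(0, 4), (1, 5)]                                         # bridges
)


def contract(edges, n, rng):
    """One execution of the contraction algorithm.

    Repeatedly picks a uniformly random surviving (non-loop) edge and merges
    its endpoints until two super-vertices remain; returns the number of
    edges crossing the resulting cut, which is always >= the min-cut size.
    Merged vertices are tracked with a small union-find structure.
    """
    parent = list(range(n))

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    alive = list(edges)       # edges whose endpoints are still distinct
    remaining = n
    while remaining > 2:
        u, v = rng.choice(alive)
        parent[find(u)] = find(v)
        remaining -= 1
        # drop edges that became self-loops after the merge (parallel
        # edges between different super-vertices are kept, as in a multigraph)
        alive = [(a, b) for a, b in alive if find(a) != find(b)]
    return len(alive)


def karger_min_cut(edges, n, repeats, seed=0):
    """Run the contraction algorithm `repeats` times with independent random
    choices and report the smallest cut seen. This is the Monte Carlo use of
    the algorithm: the answer may be too large, with bounded probability."""
    rng = random.Random(seed)
    return min(contract(edges, n, rng) for _ in range(repeats))


def single_run_success_bound(n):
    """Lower bound 2/(n(n-1)) on the probability that one run preserves a
    fixed min-cut, from the product derived in the text."""
    return 2 / (n * (n - 1))


def repeated_failure_bound(n, repeats):
    """Upper bound (1 - 2/n^2)^repeats on the probability that none of
    `repeats` independent runs finds the min-cut."""
    return (1 - 2 / n ** 2) ** repeats


if __name__ == "__main__":
    n = SAMPLE_VERTICES
    reps = n * n // 2
    print("min cut found with n^2/2 runs:", karger_min_cut(SAMPLE_EDGES, n, reps))
    print("failure bound for n^2/2 runs:", repeated_failure_bound(n, reps),
          "< 1/e =", 1 / math.e)
```

With n = 8 the bound for n²/2 = 32 repetitions is about 0.36, just under 1/e; on this particular graph the bridges make the true success probability far higher, which is why the bound is described as a guarantee rather than an estimate.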

How to model such randomized algorithms [2]: As of now we have built up a more or less clear idea about what a randomized algorithm is. In order to model these kinds of algorithms, let's at first claim that any kind of random selection process can be conceived of as a collection of binary selection processes. Say one randomized algorithm A has several options to follow to begin with. We denote these options as $O_1, O_2, \ldots, O_n$. A can pick up either $O_1$ or any one from the rest of the options. If it picks up $O_1$ we move to the next phase, where again it has several options to follow. Otherwise, it will follow either $O_2$ or any one from the rest. Therefore it is clear that we can model such a random choice of options by a binary decision model. Thus we can model a randomized algorithm by a Turing machine in which the transition function maps pairs of the form (state, symbol) to two possible triples of the form (state, symbol, direction). The next step for such a machine is determined by a random choice of one of these triples, i.e. it will move to one of these possible configurations by some binary random choice, typically termed the internal coin tosses of the machine, and then move ahead. Note the output of such a probabilistic machine M on input x is not a string but a random variable that assumes strings as possible values. This random variable, denoted by M(x), is induced by the internal coin tosses of M. By Pr[M(x) = y] we mean the probability that the machine M on input x will output y; the probability space is that of all possible outcomes for the internal coin tosses, taken with uniform probability distribution. Because we are going to consider only polynomial time machines, we can assume without loss of generality that the number of coin tosses made by M on input x is independent of their outcome, and denote it by $t_M(x)$. We denote by $M_r(x)$ the output of M on input x when r is the output of the internal coin tosses. Then Pr[M(x) = y] is merely the fraction of $r \in \{0,1\}^{t_M(x)}$ for which $M_r(x) = y$. Namely,

$$\Pr[M(x) = y] = \frac{|\{r \in \{0,1\}^{t_M(x)} : M_r(x) = y\}|}{2^{t_M(x)}}$$

Bounded-Probability Polynomial Time, BPP: The basic thesis underlying our discussion is the association of "efficient" computations with probabilistic polynomial-time computations. That is, we shall consider as efficient only randomized algorithms (i.e. probabilistic Turing machines) for which the running time is bounded by a polynomial in the length of the input.

[2] Randomized Algorithms by R. Motwani, P. Raghavan

A complexity class capturing these computations is the class, denoted by BPP, of languages recognizable (with high probability) by probabilistic polynomial-time Turing machines. The probability refers to the event in which the machine makes the correct verdict on string x. Further we say that L is recognized by the PPT Turing machine M if

for every $x \in L$ it holds that $\Pr[M(x) = 1] \ge 2/3$, and
for every $x \notin L$ it holds that $\Pr[M(x) = 0] \ge 2/3$.

The phrase bounded probability indicates that the success probability is bounded away from 1/2. We conclude that languages in BPP can be recognized by PPT algorithms with negligible error probability. We use negligible to describe any function that decreases faster than the reciprocal of any polynomial. We can formally define it as follows.

Negligible: we call a function $\mu : \mathbb{N} \to \mathbb{R}$ negligible if for every positive polynomial $p(\cdot)$ there exists an N such that for all $n > N$, $\mu(n) < 1/p(n)$. For example, $2^{-\sqrt{n}}$ and $n^{-\log n}$.

Statistical tools to analyze randomized algorithms: To solve some problem by a randomized algorithm it is by now clear that we need to run it several times. The more we run it, the more probable it becomes that it will output the correct result. However, the running time increases likewise with the number of iterations. We can bound the expected running time of a randomized algorithm. While the expectation of a random variable (such as running time) may be small, it may frequently assume values that are far higher. In analyzing the performance of a randomized algorithm, we often like to show that the behavior of the algorithm is good almost all the time. For example, it is more desirable to show that the running time is small with high probability, not just that it has a small expectation. There is a family of stochastic processes that is fundamental to the analysis of many randomized algorithms: these are called occupancy problems. This motivates the study of general bounds on the probability that a random variable deviates far from its expectation, enabling us to avoid custom-made analysis. The probability that a random variable deviates by a given amount from its expectation is referred to as a tail probability for that deviation.

It is well known that making statements about the probability that a random variable deviates far from its expectation may involve a detailed, problem-specific analysis, say in the case of several typical variants of balls-and-bins problems or the birthday problem. Often one can avoid such detailed analysis by resorting to some general inequalities on such tail probabilities. We begin with the Markov inequality. Let X be a discrete random variable and f(X) be any real valued function. Then the expectation of f(X) is given by $E[f(X)] = \sum_x f(x) \Pr[X = x]$.

Markov Inequality: Let Y be a random variable assuming only non-negative values. Then for all $t \in \mathbb{R}^+$,

$$\Pr[Y \ge t] \le \frac{E[Y]}{t}$$

We will omit the proof of it here, but note that it provides the tightest possible bound when we know only that Y is non-negative and has a given expectation. Unfortunately Markov's inequality by itself is often too weak to yield useful results, but it can be used to derive better bounds on the tail probability by using more information about the distribution of the random variable. The first of these is the Chebyshev bound, which is based on knowledge of the variance of the distribution. For a random variable X with expectation $\mu_x$, its variance $\sigma_x^2$ is defined to be $E[(X - \mu_x)^2]$. The standard deviation of X, denoted by $\sigma_x$, is the positive square root of $\sigma_x^2$.

Chebyshev's Inequality: Let X be a random variable with expectation $\mu_x$ and standard deviation $\sigma_x$. Then for any $t \in \mathbb{R}^+$,

$$\Pr[|X - \mu_x| \ge t\sigma_x] \le \frac{1}{t^2}$$

Comments on the Chernoff Bound: We just dealt with the study of techniques for bounding the probability that a random variable deviates far from its expectation. Here we focus on techniques for obtaining considerably sharper bounds on such tail probabilities.

The random variables we will be most concerned with are sums of independent Bernoulli trials; for example, the outcomes of tosses of a coin. In designing and analyzing randomized algorithms in various settings, it is extremely useful to have an understanding of the behavior of this sum. Let $X_1, X_2, \ldots, X_n$ be independent Bernoulli trials such that, for $1 \le i \le n$, $\Pr[X_i = 1] = p$ and $\Pr[X_i = 0] = 1 - p$. Let $X = \sum_{i=1}^n X_i$; then X is said to have the binomial distribution. More generally, let $X_1, \ldots, X_n$ be independent coin tosses such that, for $1 \le i \le n$, $\Pr[X_i = 1] = p_i$ and $\Pr[X_i = 0] = 1 - p_i$. Such coin tosses are referred to as Poisson trials. Our discussion below will focus on the random variable $X = \sum_{i=1}^n X_i$, where the $X_i$ are Poisson trials.

We consider two questions regarding the deviation of X from its expectation $\mu = \sum_{i=1}^n p_i$. For a real number $\delta > 0$, we might ask "What is the probability that X exceeds $(1 + \delta)\mu$?" We thus seek a bound on the tail probability of the sum of Poisson trials. An answer of this type is useful in analyzing an algorithm, showing that the chance it fails to achieve a certain performance is small. We face a different type of question in designing an algorithm: how large must δ be in order that the tail probability is less than a prescribed value?

Tight answers to such questions come from a technique known as the Chernoff Bound.

Chernoff Bound: Let $p \le 1/2$, and let $X_1, \ldots, X_n$ be independent 0-1 random variables, so that $\Pr[X_i = 1] = p$ for each i. Then for all ε, $0 < \varepsilon \le p(1-p)$, we have

$$\Pr\Big[\Big|\frac{\sum_{i=1}^n X_i}{n} - p\Big| > \varepsilon\Big] < 2 \cdot e^{-\frac{\varepsilon^2}{2p(1-p)} \cdot n}$$

We shall usually apply the bound with a constant $p \approx 1/2$. In this case the n independent samples give an approximation that deviates by ε from the expectation with probability δ that is exponentially decreasing with $\varepsilon^2 n$. Such an approximation is called an (ε, δ)-approximation and can be achieved using $n = O(\varepsilon^{-2} \cdot \log(1/\delta))$ sample points. It is important to remember that the sufficient number of sample points is polynomially related to $\varepsilon^{-1}$ and logarithmically related to $\delta^{-1}$. So using poly(n) many samples, the error probability (i.e. δ) can be made negligible as a function of n, but the accuracy of the estimation (i.e. ε) can be bounded above only by a fixed polynomial fraction.

To sum up what we just dealt with above, statistical tools give us some means to derive some parameters of a randomized algorithm while constraining the others. For instance, if we restrict the number of samples to be within a polynomial range, then to what extent should accuracy be hoped for? We will find these tools extremely important, especially when analyzing one-way functions.
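To see how much the three inequalities differ in tightness on the sum of Poisson trials discussed above, here is an added example (written for these notes, not taken from the scribe or from Motwani and Raghavan) that computes the exact two-sided tail of a binomial sum and compares it with the Markov, Chebyshev and Chernoff bounds, then derives the sample count for an (ε, δ)-approximation from the Chernoff form stated in the text. The function names and the sample parameters (n = 100, p = 1/2, ε = 0.2) are my own choices.

```python
import math


def exact_tail(n, p, eps):
    """Pr[|X/n - p| > eps] for X ~ Binomial(n, p), summed from the exact pmf."""
    return sum(
        math.comb(n, k) * p ** k * (1 - p) ** (n - k)
        for k in range(n + 1)
        if abs(k / n - p) > eps
    )


def markov_bound(n, p, eps):
    """Markov's inequality on the non-negative variable X: it bounds only the
    upper tail Pr[X >= n(p + eps)] by E[X] / (n(p + eps))."""
    return (n * p) / (n * (p + eps))


def chebyshev_bound(n, p, eps):
    """Chebyshev: Pr[|X - np| >= n eps] <= Var[X] / (n eps)^2, with
    Var[X] = n p (1 - p) for a sum of independent Bernoulli trials."""
    return (n * p * (1 - p)) / (n * eps) ** 2


def chernoff_bound(n, p, eps):
    """The Chernoff bound in the form stated in the text,
    2 exp(-(eps^2 / (2p(1-p))) n), valid for p <= 1/2 and 0 < eps <= p(1-p)."""
    if not (0 < p <= 0.5 and 0 < eps <= p * (1 - p)):
        raise ValueError("bound stated only for p <= 1/2 and 0 < eps <= p(1-p)")
    return 2 * math.exp(-(eps ** 2 / (2 * p * (1 - p))) * n)


def samples_needed(eps, delta, p=0.5):
    """Smallest n for which the Chernoff bound is at most delta, i.e. an
    (eps, delta)-approximation: n = 2p(1-p) ln(2/delta) / eps^2, which grows
    like eps^-2 but only like log(1/delta)."""
    return math.ceil(2 * p * (1 - p) * math.log(2 / delta) / eps ** 2)


if __name__ == "__main__":
    n, p, eps = 100, 0.5, 0.2
    print("exact tail     ", exact_tail(n, p, eps))
    print("Chernoff bound ", chernoff_bound(n, p, eps))
    print("Chebyshev bound", chebyshev_bound(n, p, eps))
    print("Markov bound   ", markov_bound(n, p, eps))
    print("n for a (0.1, 0.01)-approximation:", samples_needed(0.1, 0.01))
```

For n = 100, p = 1/2 and ε = 0.2 the exact tail is on the order of 10⁻⁵, the Chernoff bound is about 7·10⁻⁴, Chebyshev gives 0.0625 and Markov only 0.71, which is the ordering the text describes. Halving δ in `samples_needed` adds a constant number of samples, while halving ε quadruples it.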

The concept of problem reduction: Roughly speaking, a reduction is a way of converting one problem to another problem in such a way that a solution to the second problem can be used to solve the first problem. Such reducibilities come up often in everyday life, even if we don't usually refer to them in this way. For example, suppose that we want to find our way around a new city. We know doing so would be easy if we had a map. Thus we can reduce the problem of finding our way around the city to the problem of obtaining a map of the city.

Reducibility always involves two problems, which we call A and B. If A reduces to B, we can use a solution to B to solve A. Note that reducibility says nothing about solving A or B alone, but only about the solvability of A in the presence of a solution to B.

Polynomial time reducibility: We have seen that a problem can be suitably represented by some language. Language A is polynomial time reducible to language B, written $A \le_p B$, if a polynomial time computable function $f : \Sigma^* \to \Sigma^*$ exists, where for every w, $w \in A \iff f(w) \in B$. The function f is called the polynomial time reduction of A to B.

It is clear that if $A \le_p B$ and $B \in P$, then $A \in P$.

Definition NP-complete: A language B is NP-complete if it satisfies two conditions:

1. $B \in NP$, and
2. every $A \in NP$ is polynomial time reducible to B.

Note NP-completeness is important in the sense that if we can show a problem B is NP-complete and $B \in P$, then we can claim that P = NP.

Note the beautiful power of the polynomial reducibility technique in proving that some problems are indeed NP-complete. Say we know beforehand that a problem, say A, is NP-complete. Then any problem B to which A can be polynomially reduced also has to be NP-complete, because otherwise we will reach a contradiction as follows. Suppose there exists a deterministic algorithm, say ORACLE, which can solve B in polynomial time, that is, $B \in P$. Then, as we can reduce the problem A to B in polynomial time and ORACLE can solve B in polynomial time, collectively it follows that A can be solved in polynomial time. This contradicts the fact that A is NP-complete.


Actually NP-complete problems do exist, and clearly if such is the case then there has to be a problem which is proved to be NP-complete without a reducibility argument. Cook and Levin did so when they showed that SAT is an NP-complete problem.

Reducibility arguments in the context of randomized algorithms: The problem with randomized algorithms is that we never know whether they will provide us the correct answer. We can only estimate their success probability. So here we define a randomized Cook reduction of one computational problem A to another problem B as a PPT ORACLE machine ($O_1$) that solves A while making queries to an ORACLE ($O_2$) for solving B. Note the number of queries $O_1$ makes to $O_2$ has to be limited within some polynomial range.

Later on we will find that such reducibility arguments are often crucial in proving important results.

0.1.5 Definition of security, particularly Computational security

People do not believe that mathematics is simple, it is only becausethey do not realize how complicated life is.

- J. V. Neumann

Here we are going to present two fundamental definitions of security, namely semantic security and message indistinguishability.

Semantic security: It is the most natural one, as it is the computational complexity analogue of Shannon's definition of perfect secrecy. Loosely speaking, an encryption scheme is semantically secure if it is infeasible to learn anything about the plaintext from the ciphertext. Note the term impossibility in Shannon's case has been replaced with infeasibility. However, our aim is to build up a notion of security that doesn't provide even partial information about the plaintext, let alone the whole information, since the schemes developed based upon this kind of security definition should be usable in cases where leaking partial information is also considered critical. The question of which partial information will endanger the security of the application is hard to answer, thus we wish to design application-independent encryption schemes. Moreover, it may be the case that the distribution of the message space is not uniform and some a priori information regarding it may be available to the adversary. We thus require that secrecy of all partial information be preserved also in such cases. That is, given any a priori information about the plaintext, it is infeasible to obtain any information about the plaintext from the ciphertext. The definition of semantic security postulates all of this.

Semantic security claims that whatever can be efficiently computed from the ciphertext and additional partial information about the plaintext can be efficiently computed given only the length of the plaintext and the same partial information. In the definition that follows, the information regarding the plaintext that the adversary tries to obtain is represented by the function f, whereas a priori partial information about the plaintext is represented by the function h. The infeasibility of obtaining information about the plaintext is required to hold for any distribution of plaintexts, represented by the probability ensemble $\{X_n\}_{n \in \mathbb{N}}$.

Further note that security holds only for plaintexts of length polynomial in the security parameter. This is captured in the following definition by the restriction $|X_n| \le \mathrm{poly}(n)$, where poly represents an arbitrary polynomial. Note that we can't hope to provide computational security for plaintexts of arbitrary length or for plaintexts of length that is exponential in the security parameter. Likewise we restrict the functions f and h to be polynomially bounded, that is, $|f(z)|, |h(z)| \le \mathrm{poly}(|z|)$.

Definition (Semantic Security - private key): An encryption scheme (Gen, Enc, Dec) is semantically secure if for every probabilistic polynomial time (PPT) algorithm A there exists a PPT algorithm A′ such that for every probability ensemble $\{X_n\}_{n \in \mathbb{N}}$ with $|X_n| \le \mathrm{poly}(n)$, every pair of polynomially bounded functions $f, h : \{0,1\}^* \to \{0,1\}^*$, every polynomial p and all sufficiently large n

$$\Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] + \frac{1}{p(n)}$$

The probability in these terms is taken over $X_n$ as well as over the internal coin tosses of either the algorithms Gen, Enc and A or the algorithm A′. We stress that all the occurrences of $X_n$ in each of the probabilistic expressions refer to the same random variable. The function h provides both algorithms with partial information regarding the plaintext $X_n$. These algorithms then try to guess the value $f(1^n, X_n)$; namely, they try to infer information about the plaintext $X_n$.

Before using this definition of security in an actual context, let's clarify a few things that at first glance may not seem that obvious. The first query is what n is. If we just take the Pr[] part of the rhs of the inequality to the lhs, we see the essential claim of the definition is that the difference of these two probabilities should be as small as possible. And since we have the reciprocal of a positive polynomial on the right hand side of the inequality, it is clear that the larger the value of n, the smaller the difference will be. And if this difference is much smaller, then we can more convincingly claim that there are efficient algorithms by which $f(1^n, X_n)$ can be guessed as well as by any algorithm which takes the extra input of the ciphertext. That is, the larger the value of n, the more the ciphertext loses its significance, hence the more secure the scheme is. That is, n is acting as a kind of security parameter. Now, is it so that if we increase the length of the message then the difference between the two probabilities diminishes? Is it so that if we increase the length of the ciphertext then the difference between the two probabilities diminishes? Not really, simply because if such were the case then one could have just encrypted messages of huge length and sent them. However, as we will study further, we will learn that key length is the appropriate candidate for it.

While further trying to delve deeper into the above definition of security, the second thing that strikes us is why the algorithms A and A′ have to be probabilistic in nature. To answer this, let's take a particular sample point from the probability ensemble $\{X_n\}$, which is supposed to embody the message space, and apply Enc to it. Then let's apply Enc to $1^n$ or any other arbitrary string of length n. The claim is that these two ciphertexts along with some auxiliary information are equally good for providing any desired information about the plaintext. Note that $f(1^n, X_n)$ is a formal way to capture the idea of any information about the plaintext; it doesn't necessarily have to be some computable function. The algorithms involved are told just to guess the value of it. The more times an algorithm guesses it correctly, the higher its success probability will be. And as we have seen, a probabilistic algorithm is just the appropriate candidate for such kind of work.

In order to fully appreciate how beautifully this definition of security captures almost every aspect of the demands of a fairly good cryptographic scheme, we need to know something about Non-uniform polynomial time machines. Note in the above definition, we claim the PPT algorithms A and A′ were given, along with the input, extra information through the function h, which acts as a kind of advice for the random guesses of the algorithms involved. As we have already seen, if we are given guidelines (as in the case of using valid certificates), the complexity reduces. The claim is that even with such guidelines, a scheme conforming to the above definition of security is well suited for most cryptographic applications. However, to substantiate it through formal means we have to model these kinds of algorithms, which can process the guidelines provided to them. This is exactly what is done through Non-uniform Polynomial Time Machines (NPTM). Loosely speaking, an NPTM is a pair (M, a) where M is a two-input polynomial-time Turing machine and $a = a_1, a_2, \ldots$ is an infinite sequence of strings such that $|a_n| = \mathrm{poly}(n)$. For every x, we consider the computation of machine M on the input pair $(x, a_{|x|})$. Intuitively, $a_n$ can be thought of as extra advice supplied from outside. We stress that the machine M gets the same advice on all inputs of the same length.

Non-uniform circuit families: A more convenient way of viewing non-uniform polynomial time is via non-uniform families of polynomial-sized Boolean circuits. A Boolean circuit is a directed acyclic graph with internal nodes marked by the elements ∧, ∨, ¬. Nodes with no in-going edges are called input nodes, and nodes with no out-going edges are called output nodes. A node marked as ¬ can have only one child. Computation in the circuit begins with placing input values on the input nodes (one bit per node) and proceeds as follows. If the children of a node of in-degree d marked ∧ have values $v_1, v_2, \ldots, v_d$, then the node gets the value $\bigwedge_{i=1}^d v_i$. Similarly for nodes marked ∨ and ¬. The output of the circuit is read from its output nodes. The size of a circuit is the number of its edges. A polynomial-size circuit family is an infinite sequence of Boolean circuits $C_1, C_2, \ldots$ such that for every n, the circuit $C_n$ has n input nodes and size p(n), where $p(\cdot)$ is a polynomial, fixed for the entire family. [3]

The computation of a Turing machine M on inputs of length n can be simulated by a single circuit (with n input nodes) having size $O((|M| + n + t(n))^2)$, where t(n) is a bound on the running time of M on inputs of length n. Thus a non-uniform sequence of polynomial-size machines can be simulated by a non-uniform family of polynomial-size circuits. The converse is also true, because machines with polynomial description lengths can incorporate polynomial-size circuits and simulate their computations in polynomial time. The thing that is nice about the circuit formulation is that there is no need to state the polynomiality requirement twice, once for size and once for time, as in the first formulation.

Indistinguishability of Encryptions - Message indistinguishability: The following technical interpretation of security states that it is infeasible to distinguish the encryptions of two plaintexts of the same length.

Definition (Message indistinguishability - private key): An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions if for every probabilistic polynomial size circuit family $C_n$, every positive polynomial p, all sufficiently large n, and every $x, y \in \{0,1\}^{\mathrm{poly}(n)}$ (i.e. $|x| = |y|$),

$$\big|\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x)) = 1] - \Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(y)) = 1]\big| < \frac{1}{p(n)}$$

The probability in these terms is taken over the internal coin tosses of the algorithms Gen and Enc.

Note that the potential plaintexts to be distinguished can be incorporated into the circuit $C_n$. The circuit models both the adversary's strategy and its a priori information.

Equivalence of security definitions

Theorem (equivalence of definitions): A private-key encryption scheme is semantically secure iff it has indistinguishable encryptions.

Proposition 1 (indistinguishability implies security): Suppose that (Gen, Enc, Dec) is a ciphertext-indistinguishable private-key encryption scheme. Then (Gen, Enc, Dec) is semantically secure.

Proof: Suppose that (Gen, Enc, Dec) has indistinguishable encryptions. We will show that (Gen, Enc, Dec) is semantically secure by constructing, for every probabilistic polynomial time algorithm A, a probabilistic polynomial time algorithm A′ such that the condition in the definition of semantic security holds.

Our construction of A′ consists of merely invoking A on input $(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(1^{|X_n|}), 1^{|X_n|}, h(1^n, X_n))$ and returning whatever A does. That is, A′ invokes A with a dummy encryption rather than with an encryption of $X_n$.

Construction of A′: Let A be an algorithm that tries to infer the partial information $f(1^n, X_n)$ from the encryption of the plaintext $X_n$, when also given $1^n$, $1^{|X_n|}$ and the a priori information $h(1^n, X_n)$. Intuitively, on input $E(\alpha)$ and $(1^n, 1^{|\alpha|}, h(1^n, \alpha))$, algorithm A tries to guess $f(1^n, \alpha)$. We construct a new algorithm A′ that performs essentially as well without getting the input $E(\alpha)$.

[3] Foundations of Cryptography by O. Goldreich, Vol-I


Algorithm A′:
Input: $(1^n, 1^{|\alpha|}, h(1^n, \alpha))$
Execution:
1. A′ invokes the key generator Gen on input $1^n$, and obtains an encryption key $e \leftarrow \mathrm{Gen}(1^n)$.
2. A′ invokes the encryption algorithm with key e and "dummy" plaintext $1^{|\alpha|}$, obtaining a ciphertext $\beta \leftarrow E_e(1^{|\alpha|})$.
3. A′ invokes A on input $(1^n, \beta, 1^{|\alpha|}, h(1^n, \alpha))$, and outputs whatever A does.

Well, now observe the construction in some detail. A′ calls A only once and in addition it invokes the fixed algorithms Gen and Enc. Furthermore, the construction depends neither on the functions h and f nor on the distribution of plaintexts to be encrypted. Thus A′ is PPT whenever A is PPT.

Claim: Let A′ be as in the preceding construction. Then for every $\{X_n\}_{n \in \mathbb{N}}$, h and p as in the definition, and all sufficiently large n's

$$\Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] + \frac{1}{p(n)}$$

Proof: To simplify the notation, let us incorporate $1^{|\alpha|}$ into $h_n(\alpha) = h(1^n, \alpha)$ and let $f_n(\alpha) = f(1^n, \alpha)$. Also we omit $1^n$ from the inputs given to A. Using the definition of A′ we rewrite the claim as asserting

$$\Pr[A(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), h_n(X_n)) = f_n(X_n)] < \Pr[A(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(1^{|X_n|}), h_n(X_n)) = f_n(X_n)] + \frac{1}{p(n)}$$

Intuitively, the above follows from the indistinguishability of encryptions. Otherwise, by fixing a violating value of $X_n$ and hardwiring the corresponding values of $h_n(X_n)$ and $f_n(X_n)$, we get a small circuit that distinguishes an encryption of this value of $X_n$ from an encryption of $1^{|X_n|}$. Details follow:

Assume towards contradiction that for some polynomial p and infinitely many n's the above is violated. Then for each such n, we have the expectation of the stated probability difference as $E[\Delta_n(X_n)] > \frac{1}{p(n)}$, where

$$\Delta_n(x) = \big|\Pr[A(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x), h_n(x)) = f_n(x)] - \Pr[A(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(1^{|x|}), h_n(x)) = f_n(x)]\big|$$

Note the quantity arising from the difference of two probabilities is again a probabilistic one. We use an averaging argument to single out a string $x_n$ in the support of $X_n$ such that $\Delta_n(x_n) \ge E[\Delta_n(X_n)]$: that is, let $x_n \in \{0,1\}^{\mathrm{poly}(n)}$ be a string for which the value of $\Delta_n(\cdot)$ is maximum, and so $\Delta_n(x_n) > 1/p(n)$. Note that as soon as we fix a particular $x_n$, the values $f_n(x_n)$ and $h_n(x_n)$ are fixed, and thus these can be incorporated into a circuit $C_n$. The circuit $C_n$ operates as follows. On input $\beta = \mathrm{Enc}(\alpha)$, the circuit invokes $A(\beta, h_n(x_n))$ and outputs 1 iff A outputs the value of $f_n(x_n)$. Otherwise, $C_n$ outputs 0. This circuit is indeed of polynomial size because it merely incorporates strings of polynomial length and emulates a polynomial time computation. Clearly,

$$\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(\alpha)) = 1] = \Pr[A(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(\alpha), h_n(x_n)) = f_n(x_n)]$$

Combining this with the definition of $\Delta_n(x_n)$, we get

$$\big|\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x_n)) = 1] - \Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(1^{|x_n|})) = 1]\big| = \Delta_n(x_n) > \frac{1}{p(n)}$$

This contradicts our hypothesis that Enc has indistinguishable encryptions, and the claim follows.

Proposition 2 (security implies indistinguishability): Suppose that (Gen, Enc, Dec) is a semantically secure public key encryption scheme. Then (Gen, Enc, Dec) has indistinguishable encryptions.

Proof: Intuitively, indistinguishability of encryptions is a special case of semantic security in which f indicates one of the plaintexts and h doesn't distinguish them. The only issue to be addressed by the actual proof is that semantic security refers to uniform probabilistic polynomial time adversaries, whereas indistinguishability of encryptions refers to non-uniform polynomial size circuits. The gap is bridged by using the function h to provide the algorithms in the semantic security formulation with adequate non-uniform advice.

The actual proof is by a reducibility argument. We show that if (Gen, Enc, Dec) has distinguishable encryptions, then it is not semantically secure. Towards this end, we assume that there exists a positive polynomial p and a polynomial size circuit family $\{C_n\}$ such that for infinitely many n's there exist $x_n, y_n \in \{0,1\}^{\mathrm{poly}(n)}$ so that

$$\big|\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x_n)) = 1] - \Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(y_n)) = 1]\big| > \frac{1}{p(n)}$$

Using these sequences of $C_n$'s, $x_n$'s and $y_n$'s, we define $\{X_n\}_{n \in \mathbb{N}}$, f and h as follows:

♣ The probability ensemble $\{X_n\}_{n \in \mathbb{N}}$ is defined such that $X_n$ is uniformly distributed over $\{x_n, y_n\}$.

♣ The (Boolean) function f is defined such that $f(1^n, x_n) = 1$ and $f(1^n, y_n) = 0$, for every n. Note that $f(1^n, X_n) = 1$ with probability 1/2 and equals 0 otherwise.

♣ The function h is defined such that $h(1^n, X_n)$ equals the description of the circuit $C_n$. Note that $h(1^n, X_n) = C_n$ with probability 1, and thus $h(1^n, X_n)$ reveals no information on the value of $X_n$.

Note that $X_n$, f and h satisfy the restrictions stated in the furthermore-clause of the proposition. Intuitively, the above inequality implies the violation of semantic security with respect to these $X_n$, h and f. Indeed, we will present a deterministic poly-time algorithm A that, given $C_n = h(1^n, X_n)$, guesses the value of $f(1^n, X_n)$ from the encryption of $X_n$, and does so with probability non-negligibly greater than 1/2. This violates semantic security, because no algorithm, regardless of its complexity, can guess $f(1^n, X_n)$ with probability greater than 1/2 when only given $1^{|X_n|}$ (because, given the constant values $1^{|X_n|}$ and $h(1^n, X_n)$, $f(1^n, X_n)$ is uniformly distributed over {0,1}). Details follow.

Now let's assume, without loss of generality, that for infinitely many n's

$$\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x_n)) = 1] > \Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(y_n)) = 1] + \frac{1}{p(n)} \qquad (*)$$

Claim: There exists a deterministic polynomial time algorithm A such that for infinitely many n's

$$\Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] > \frac{1}{2} + \frac{1}{2p(n)}$$

Proof: The desired algorithm A merely uses $C_n = h(1^n, X_n)$ to distinguish $\mathrm{Enc}(x_n)$ from $\mathrm{Enc}(y_n)$, and thus given $\mathrm{Enc}(X_n)$ it produces a guess for the value of $f(1^n, X_n)$. Specifically, on input $\beta = \mathrm{Enc}(\alpha)$ (where α is in the support of $X_n$) and $(1^n, 1^{|\alpha|}, h(1^n, \alpha))$, algorithm A recovers $C_n = h(1^n, \alpha)$, invokes $C_n$ on input β, and outputs 1 if $C_n$ outputs 1, otherwise 0.

It is left to analyze the success probability of A. Letting $m = |x_n| = |y_n|$, $h_n(\alpha) = h(1^n, \alpha)$ and $f_n(\alpha) = f(1^n, \alpha)$, we have

$$\Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h_n(X_n)) = f_n(X_n)]$$

$$= \tfrac{1}{2} \cdot \Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h_n(X_n)) = f_n(X_n) \mid X_n = x_n] + \tfrac{1}{2} \cdot \Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(X_n), 1^{|X_n|}, h_n(X_n)) = f_n(X_n) \mid X_n = y_n]$$

$$= \tfrac{1}{2} \cdot \Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(x_n), 1^m, C_n) = 1] + \tfrac{1}{2} \cdot \Pr[A(1^n, \mathrm{Enc}_{\mathrm{Gen}(1^n)}(y_n), 1^m, C_n) = 0]$$

$$= \tfrac{1}{2} \cdot \big(\Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(x_n)) = 1] + 1 - \Pr[C_n(\mathrm{Enc}_{\mathrm{Gen}(1^n)}(y_n)) = 1]\big)$$

Note: The above step is valid since A only invokes $C_n$ on the encrypted message, so the success probability will be the same for both.

$$> \tfrac{1}{2} + \frac{1}{2p(n)}$$

where the inequality is due to (*).

In contrast, as mentioned above, no algorithm can guess $f(1^n, X_n)$ with success probability above $1/2$ when given only $1^{|X_n|}$ and $h(1^n, X_n)$. That is, we have the following:

Fact: For every $n$ and every algorithm $A'$,

$$\Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] \le \frac{1}{2}$$

Proof: Just observe that the output of $A'$, on its constant input values $1^n$, $1^{|X_n|}$ and $h(1^n, X_n)$, is stochastically independent of the random variable $f(1^n, X_n)$, which in turn is uniformly distributed in $\{0,1\}$. So the above inequality follows, and equality holds in case $A'$ always outputs a value in $\{0,1\}$.

Combining the Claim and the above Fact, we reach a contradiction to the hypothesis that the scheme is secure. Thus the proposition follows.
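The reduction in the Claim and the bound in the Fact, carried through exactly on a constructed toy scheme, as an added illustration that is not part of the scribe notes: the flawed key generator, the distinguisher $C_n$ and the messages $x_n$, $y_n$ are all constructed for this example, and the probabilities are computed by enumerating the key space rather than sampled.

```python
from fractions import Fraction
from itertools import product

# Constructed toy scheme for illustration (not a real cipher): a one-time pad whose key
# generation is flawed, the last key bit is 0 with probability 3/4 instead of 1/2.
def key_distribution(n):
    """Exact distribution of Gen(1^n) as (key, probability) pairs."""
    bias = {0: Fraction(3, 4), 1: Fraction(1, 4)}
    return [(k, Fraction(1, 2 ** (n - 1)) * bias[k[-1]]) for k in product((0, 1), repeat=n)]

def enc(key, msg):
    """Enc_key(msg): bitwise XOR, so the biased last key bit leaks the last message bit."""
    return tuple(m ^ k for m, k in zip(msg, key))

def distinguisher(beta):
    """C_n from hypothesis (*): here it simply reads the leaked last ciphertext bit."""
    return beta[-1]

def prob_outputs_one(msg, C):
    """Pr[C(Enc_Gen(1^n)(msg)) = 1], computed exactly over the key distribution."""
    return sum(p for key, p in key_distribution(len(msg)) if C(enc(key, msg)) == 1)

def f(alpha, x_n):
    """f(1^n, alpha) = 1 iff alpha == x_n: the bit the semantic-security adversary must guess."""
    return 1 if alpha == x_n else 0

def algorithm_A(beta, C):
    """A(1^n, beta, 1^|alpha|, h(1^n, alpha) = C): invoke C on beta and output its answer."""
    return 1 if C(beta) == 1 else 0

def success_of_A(x_n, y_n, C):
    """Pr[A(Enc(X_n), C) = f(1^n, X_n)] with X_n uniform over {x_n, y_n}, exactly."""
    total = Fraction(0)
    for alpha in (x_n, y_n):  # X_n = alpha with probability 1/2 each
        for key, p in key_distribution(len(alpha)):
            if algorithm_A(enc(key, alpha), C) == f(alpha, x_n):
                total += Fraction(1, 2) * p
    return total

def claim_identity(x_n, y_n, C):
    """The proof's expression 1/2 (Pr[C(Enc(x_n))=1] + 1 - Pr[C(Enc(y_n))=1])."""
    return Fraction(1, 2) * (prob_outputs_one(x_n, C) + 1 - prob_outputs_one(y_n, C))

def success_without_ciphertext(x_n, y_n, guess):
    """The Fact: A' sees only constants, so its output is one fixed bit; Pr[guess = f(X_n)]."""
    return Fraction(1, 2) * sum(1 for alpha in (x_n, y_n) if guess == f(alpha, x_n))
if __name__ == "__main__":
    x, y = (1, 0, 1, 1), (1, 0, 1, 0)  # constructed messages differing in the leaked bit
    print(success_of_A(x, y, distinguisher), claim_identity(x, y, distinguisher))
```

With these messages the distinguishing gap $1/p(n)$ is $3/4 - 1/4 = 1/2$, and $A$ succeeds with probability exactly $1/2 + 1/4 = 3/4$, matching the derivation line by line.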

Post-discussion regarding the proofs: Before concluding this section, please notice the use of reducibility arguments in proving the above propositions. The general characteristic of any proof using a reducibility argument is as follows. If the thesis to be proved is "if A holds then B also holds", then we essentially prove its contrapositive, that is "$\neg B \Rightarrow \neg A$". Recall the case when we proved one problem is NP-complete based on the assumption that there exists another NP-complete problem, and then reduced that problem to the former one. Similarly, here also we try to devise some algorithm to solve A with all the required characteristics using the algorithm which is supposed to be able to solve problem B under the given constraints, and thus are able to show a contradiction. To state it formally, let us say we proved "$\neg B \Rightarrow \neg A$"; then if $\neg B$ were true then so is $\neg A$, which in turn implies that A is false. But we either knew or presume that A is true. That means $\neg B$ has to be false, so B has to be true. Note here that the crux of this kind of problem solving is how to use the algorithm for B, treated as a black box, to solve the problem for A.

To be continued...
