Constructing Secure Encryption Schemes

We now turn to the problem of constructing encryption schemes that are provably secure in the presence of an eavesdropper. Our goal is to build schemes whose ciphertexts reveal no information about the plaintext beyond its length, under standard computational assumptions.

A Secure Fixed-Length Encryption Scheme

We begin by constructing a fixed-length private-key encryption scheme that achieves indistinguishable encryptions in the presence of an eavesdropper.

The construction closely mirrors the one-time pad. The essential difference is that instead of using a truly random pad, we generate a pseudorandom pad from a short secret key.

key k
  |
  v
pseudorandom generator
  |
  v
pseudorandom pad
  |
  v
plaintext ⊕ pad = ciphertext
    

This idea allows us to encrypt long messages using short keys, while maintaining computational security.

The Encryption Scheme

Let G be a pseudorandom generator with expansion factor ℓ, meaning that |G(s)| = ℓ(|s|).

The encryption scheme consists of three algorithms:

• Gen: a key-generation algorithm,
• Enc: an encryption algorithm,
• Dec: a decryption algorithm.

Encryption proceeds by applying the pseudorandom generator to the secret key (which serves as the seed) in order to obtain a long pseudorandom pad. This pad is then XOR-ed with the plaintext.

Construction 3.15 (PRG-Based Encryption)

Let G be a pseudorandom generator with expansion factor ℓ. Define a private-key encryption scheme Π = (Gen, Enc, Dec) for messages of length ℓ(n) as follows:

• Gen: On input 1ⁿ, choose k ← {0,1}ⁿ uniformly at random and output k.
• Enc: On input a key k ∈ {0,1}ⁿ and a message m ∈ {0,1}^{ℓ(n)}, output the ciphertext c := G(k) ⊕ m.
• Dec: On input a key k and a ciphertext c, output m := G(k) ⊕ c.

Correctness follows immediately from the fact that XOR is its own inverse.

Theorem. If G is a pseudorandom generator, then this scheme has indistinguishable encryptions in the presence of an eavesdropper.

The proof proceeds by reduction: any adversary that distinguishes ciphertexts can be used to distinguish the output of G from true randomness.

Handling Variable-Length Messages

The construction above assumes that all messages have fixed length. This limitation can be overcome by using a variable-output-length pseudorandom generator.

Informally, we want a generator that can output a pseudorandom string of any desired length.

More precisely, the generator G receives two inputs:

• a seed s, and
• a desired output length ℓ, given in unary.

The unary encoding prevents an adversary from requesting exponentially long outputs in polynomial time.

Formal Definition

• For any string s and integer ℓ > 0, G(s, 1^ℓ) outputs a string of length ℓ.
• For all s and all ℓ < ℓ', G(s, 1^ℓ) is a prefix of G(s, 1^{ℓ'}).
• Define G_ℓ(s) := G(s, 1^{ℓ(|s|)}). For every polynomial ℓ(·), G_ℓ is a pseudorandom generator with expansion factor ℓ.

Stream Ciphers

A stream cipher is an algorithm that generates a pseudorandom stream. A secure stream cipher must therefore satisfy the definition of a variable-output-length pseudorandom generator.

A stream cipher is not an encryption scheme per se, but rather a tool for constructing encryption schemes.

Historically, RC4 was widely deployed and believed to be secure. It is now considered weak due to statistical biases in its output, which enabled attacks such as the break of WEP encryption.

Linear Feedback Shift Registers (LFSRs) have also been popular, though they are insufficient on their own for cryptographic security. Modern practice strongly favors constructions based on block ciphers.

Multiple Encryptions

So far, we have considered the case where an adversary observes a single ciphertext. In practice, an eavesdropper can observe many encryptions under the same key.

This motivates the notion of indistinguishability under multiple encryptions.

Definition. A private-key encryption scheme has indistinguishable multiple encryptions if no probabilistic polynomial-time adversary can distinguish between encryptions of multiple message vectors, except with negligible advantage.

It is important to note that some schemes secure for single encryptions fail in this stronger setting.

Theorem. Any private-key encryption scheme whose encryption algorithm is deterministic does not have indistinguishable multiple encryptions.

A tragic and common mistake is encrypting multiple plaintexts using a stream cipher in its naive form, thereby reusing the same keystream.

Secure constructions for multiple encryptions require careful randomization and will be discussed separately.

References

• Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, 2nd Edition, Chapman & Hall/CRC, 2014.
• Oded Goldreich, Foundations of Cryptography, Volume 1, Cambridge University Press, 2001.