
7.1. In this chapter we solve the instance of our problem format (presented in paragraph 1.28) specified by the following instances of its parameters (Gaspar 2016, section 1, taken almost verbatim):

P1 = pseudorandom generator,

S1 = cryptographic security,

P2 = stream cipher,

S2 = indistinguishability from random,

T = transformation of a pseudorandom generator into its induced stream cipher.

As proof presentations, we

1. give a security proof of T using a schematic proof;

2. give another security proof of T using the wedding-cake notation;

3. “compress” nine analogous and verbose claims into a shorter presentation.

As extras, we prove that indistinguishability from random implies

1. cryptographic security;

3. semantic security;

4. bit-recovery resistance;

and we comment on

1. the reciprocal implications;

2. the role of length regularity of a stream cipher;

for the last three implications.

7.2. Let us informally explain our instances of the parameters.

Pseudorandom generator. It is a deterministic algorithm that outputs a stream of bits such as 001101100.

Cryptographic security. It means that the stream output by the pseudorandom generator looks random such as 0011011001 in contrast to 0101010101.

Stream cipher. It is a cipher that mixes a plaintext such as 0000011111 with the stream output by a pseudorandom generator such as 0011011001 to create a ciphertext such as 0011000110.

Indistinguishability from random. It means that for all plaintexts such as 0000011111 chosen by an adversary, the corresponding ciphertexts computed by the stream cipher look random such as 0011000110 in contrast to 0101010101.

Transformation. It inputs a pseudorandom generator and outputs the stream cipher that creates a ciphertext by mixing a plaintext with the stream output by the pseudorandom generator.

7.3. In this chapter:

1. all theorems and proofs are ours;

2. the content of sections 7.2, 7.3 and 7.6 is based on an informal publication of ours (Gaspar 2016).

7.2 Transformation

7.4. Let us recall that a stream cipher C = (K, P, C, K, E, D) is length regular if and only if it encrypts plaintexts of equal length into ciphertexts of equal length even under different keys, that is

∀k, k′ ∈ K ∀p, p′ ∈ P (|p| = |p′| ⇒ |E(k, p)| = |E(k′, p′)|).

We can think of length regularity as a modest security notion saying that the lengths of the ciphertexts alone do not reveal a difference between the plaintexts (but an analysis of the content of the plaintexts may reveal something). Or to rephrase things negatively and giving an example, if a stream cipher were not length regular and would encrypt p := 0 as c := E(k, p) = 0 and p′ := 1 as c′ := E(k, p′) = 00 (notice |p| = |p′| but |c| ≠ |c′|), and we were given one of the ciphertexts c and c′, then just looking at the length of the ciphertext we could deduce whether the corresponding plaintext is p or p′.

Length regularity is a technical condition appearing often in definitions, theorems and propositions below. Since it is not of much interest on its own (because it is a modest security notion), we will treat it as a “second-class citizen” by mostly remitting it to remarks after the definitions, theorems and propositions.

7.5. Let us introduce, by an example, a construction of a stream cipher induced by a pseudorandom generator (a cipher which we could also call a pseudo one-time pad because it is the one-time pad with its random key replaced by a pseudorandom key).

For example if our plaintext is 0000011111 and our stream of the pseudorandom generator is 0011011001, then we can encrypt and get the ciphertext 0011000110 schematically calculated by xoring as

    plaintext    0 0 0 0 0 1 1 1 1 1
                 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
    stream       0 0 1 1 0 1 1 0 0 1
                 = = = = = = = = = =
    ciphertext   0 0 1 1 0 0 0 1 1 0

and from the ciphertext 0011000110 and the same stream 0011011001 we can decrypt and recover our plaintext 0000011111 schematically by xoring again as

    ciphertext   0 0 1 1 0 0 0 1 1 0
                 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕
    stream       0 0 1 1 0 1 1 0 0 1
                 = = = = = = = = = =
    plaintext    0 0 0 0 0 1 1 1 1 1

Let us observe that the stream acts as a key to encrypt and decrypt. Also let us notice that the stream needs to be as long as the plaintext. So if the plaintext is very long, then it may be too onerous to store the entire stream (this is a well-known practical limitation of the one-time pad). Thus it is more practical to store the seed used by the pseudorandom generator to produce the stream as the key and to recreate the stream from the seed when necessary.

7.6. Informally, a stream cipher induced by a pseudorandom generator $G$ is the cipher that inputs a key $k$ and a plaintext $p$, passes $k$ as seed to $G$ to get a stream $g := G(k, 1^{|p|})$ with the same length as $p$, encrypts $p$ by xoring it with $g$ giving the ciphertext $c := g \oplus p$, and decrypts $c$ by xoring again with $g$ giving the plaintext $c \oplus g = p \oplus g \oplus g = p$.

Now we formally define the stream cipher induced by a pseudorandom generator.

7.7 Definition. The stream cipher $C_G = (K, P, C, K, E_G, D_G)$ induced by the pseudorandom generator $G$ (Katz and Lindell 2015, construction 3.17) is the stream cipher defined by

1. $\forall x \in \{0, 1\}^* \; K(x) := U_{|x|}$;

2. $\forall k \in K \; \forall p \in P \; E_G(k, p) := G(k, 1^{|p|}) \oplus p$;

3. $D_G := E_G$.

7.8 Remark. The stream cipher $C_G$ induced by the pseudorandom generator $G$ is length regular.

7.9. Now, to be sure, we explicitly state the transformation in question.

7.10 Definition. The transformation of a pseudorandom generator $G$ into its induced stream cipher $C_G$ is $G \mapsto C_G$.
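As an added example (this is not code from the thesis, nor from Katz and Lindell), here is the construction of paragraphs 7.5 to 7.10 in Python: a generator G expands a seed into a bit string, the induced cipher encrypts by xoring the plaintext with G(k, 1^{|p|}) and decrypts with the very same function, and a helper checks the length-regularity condition of paragraph 7.4 on sample keys and plaintexts, including the counterexample there that encrypts 0 as 0 and 1 as 00. The SHA-256 counter-mode expander standing in for G, the bit-string representation and the use of byte strings for keys are my assumptions; the page fixes none of them.

```python
import hashlib
import secrets


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as "0000011111" and "0011011001"."""
    if len(a) != len(b):
        raise ValueError("xor_bits needs equal-length bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def fixed_stream_prg(seed: bytes, length: int) -> str:
    """Stand-in G that ignores its seed and replays the stream of paragraph 7.5,
    so the worked example on the page can be reproduced exactly (constructed)."""
    return ("0011011001" * (length // 10 + 1))[:length]


def sha256_prg(seed: bytes, length: int) -> str:
    """Stand-in G(seed, 1^length): expands the seed into `length` bits by hashing
    seed || counter with SHA-256 in counter mode (an assumption for the demo; the
    page does not fix a concrete generator, and nothing here proves security)."""
    bits, counter = "", 0
    while len(bits) < length:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits += "".join(f"{byte:08b}" for byte in block)
        counter += 1
    return bits[:length]


def induced_cipher(G):
    """The transformation G -> C_G of definition 7.10: returns (K, E_G, D_G) as in
    definition 7.7.  Keys are n uniform bytes here instead of n bits, a
    representation choice only."""
    def K(n: int) -> bytes:
        return secrets.token_bytes(n)            # K(1^n) := U_n, a uniform key

    def E(k: bytes, p: str) -> str:
        return xor_bits(G(k, len(p)), p)         # E_G(k, p) := G(k, 1^{|p|}) xor p

    D = E                                        # D_G := E_G: xoring twice cancels
    return K, E, D


def round_trip(G, p: str) -> bool:
    """Decrypting the encryption of p under a fresh key gives p back (paragraph 7.6)."""
    K, E, D = induced_cipher(G)
    k = K(16)
    return D(k, E(k, p)) == p


def length_regular_on(E, keys, plaintexts) -> bool:
    """Check the condition of paragraph 7.4 on the given samples:
    |p| = |p'| implies |E(k, p)| = |E(k', p')| for all sampled k, k', p, p'."""
    for k in keys:
        for k2 in keys:
            for p in plaintexts:
                for p2 in plaintexts:
                    if len(p) == len(p2) and len(E(k, p)) != len(E(k2, p2)):
                        return False
    return True


def not_length_regular_E(k: bytes, p: str) -> str:
    """The counterexample of paragraph 7.4 (constructed toy): encrypts each 0 as
    0 but each 1 as 00, so the ciphertext length alone reveals the plaintext."""
    return "".join("0" if bit == "0" else "00" for bit in p)


if __name__ == "__main__":
    _, E, D = induced_cipher(fixed_stream_prg)
    print(E(b"seed", "0000011111"))     # 0011000110, as in paragraph 7.5
    print(D(b"seed", "0011000110"))     # 0000011111
    print(round_trip(sha256_prg, "1" * 300))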

7.3 Security

7.11. Now we show that if the pseudorandom generator $G$ is cryptographically secure, then its induced stream cipher $C_G$ is indistinguishable from random. Informally, this means that secure (in some sense) pseudorandom generators are transformed into secure (also in some sense) stream ciphers.

7.12 Theorem. For all pseudorandom generators $G$, if $G$ is cryptographically secure, then $C_G$ is indistinguishable from random.

7.13 Proof. The pseudorandom generator $G$ being cryptographically secure means that

$$\forall A, A' \quad \Pr\bigl[A'(G(U_n, 1^{|A(1^n)_1|}), 1^n, A(1^n)_2)\bigr] - \Pr\bigl[A'(U_{|G(U_n, 1^{|A(1^n)_1|})|}, 1^n, A(1^n)_2)\bigr] \in \mathcal{N}, \tag{7.1}$$

where $A$ and $A'$ range over the polynomial-time probabilistic algorithms. The stream cipher $C_G$ being indistinguishable from random means that

$$\forall B, B' \quad \Pr\bigl[B'(E_G(K(1^n), B(1^n)_1), 1^n, B(1^n)_2)\bigr] - \Pr\bigl[B'(U_{|E_G(K(1^n), B(1^n)_1)|}, 1^n, B(1^n)_2)\bigr] \in \mathcal{N}, \tag{7.2}$$

where $B$ and $B'$ range over the polynomial-time probabilistic algorithms.

Taking $A(x) := (B(x)_1, B(x))$ and $A'(x, y, z) := B'(x \oplus z_1, y, z_2)$, which are polynomial-time probabilistic algorithms because $B$ and $B'$ are polynomial-time probabilistic algorithms and $\cdot_1$, $\cdot_2$, $(\cdot, \cdot)$ and $\oplus$ are polynomial-time computable, in (7.1), we get

$$\forall B, B' \quad \Pr\bigl[B'(G(U_n, 1^{|B(1^n)_1|}) \oplus B(1^n)_1, 1^n, B(1^n)_2)\bigr] - \Pr\bigl[B'(U_{|G(U_n, 1^{|B(1^n)_1|})|} \oplus B(1^n)_1, 1^n, B(1^n)_2)\bigr] \in \mathcal{N}.$$

Substituting $G(U_n, 1^{|B(1^n)_1|}) \oplus B(1^n)_1$ by $E_G(U_n, B(1^n)_1)$, by definition of $E_G$, we get

$$\forall B, B' \quad \Pr\bigl[B'(E_G(U_n, B(1^n)_1), 1^n, B(1^n)_2)\bigr] - \Pr\bigl[B'(U_{|G(U_n, 1^{|B(1^n)_1|})|} \oplus B(1^n)_1, 1^n, B(1^n)_2)\bigr] \in \mathcal{N}.$$

Substituting $U_n$ by $K(1^n)$, by definition of $K$, we get

$$\forall B, B' \quad \Pr\bigl[B'(E_G(K(1^n), B(1^n)_1), 1^n, B(1^n)_2)\bigr] - \Pr\bigl[B'(U_{|G(K(1^n), 1^{|B(1^n)_1|})|} \oplus B(1^n)_1, 1^n, B(1^n)_2)\bigr] \in \mathcal{N}.$$

Substituting $U_{|G(K(1^n), 1^{|B(1^n)_1|})|} \oplus B(1^n)_1$, which is a uniform random variable in $\{0, 1\}^{|G(K(1^n), 1^{|B(1^n)_1|})|}$ because $U_{|G(K(1^n), 1^{|B(1^n)_1|})|}$ and $B(1^n)_1$ are independent since the former only uses the length of the latter, by $U'_{|G(K(1^n), 1^{|B(1^n)_1|})|}$, we get

$$\forall B, B' \quad \Pr\bigl[B'(E_G(K(1^n), B(1^n)_1), 1^n, B(1^n)_2)\bigr] - \Pr\bigl[B'(U'_{|G(K(1^n), 1^{|B(1^n)_1|})|}, 1^n, B(1^n)_2)\bigr] \in \mathcal{N}.$$

Substituting $|G(K(1^n), 1^{|B(1^n)_1|})|$ by $|E_G(K(1^n), B(1^n)_1)|$, by definition of $G$ and $E_G$, we get (7.2).
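To make the reduction of proof 7.13 concrete, here is an added Python example (not from the thesis): a constructed adversary (B, B′) against C_G that chooses the all-zero plaintext and answers 1 when the ciphertext has a majority of zeros, the adversary (A, A′) against G built exactly as in the proof, A(x) := (B(x)_1, B(x)) and A′(x, y, z) := B′(x ⊕ z_1, y, z_2), and estimates of the differences of probabilities in (7.1) and (7.2). The biased generator, the representation of 1^n by the integer n and the sampling loops are assumptions of mine. Run with the same random choices, the experiment against G evaluates B′ on exactly the strings the experiment against C_G does (for the all-zero plaintext even the uniform halves coincide), so the two estimates agree exactly: B′'s advantage against C_G is A′'s advantage against G, which is the content of the proof.

```python
import random


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def uniform_bits(length: int, rng: random.Random) -> str:
    """A sample of U_length drawn from the given random source."""
    return "".join(rng.choice("01") for _ in range(length))


def biased_prg(seed: int, length: int) -> str:
    """Constructed weak generator G(seed, 1^length): deterministic in the seed,
    but every output bit is 0 with probability 3/4, so it is not
    cryptographically secure."""
    rng = random.Random(seed)
    return "".join("0" if rng.random() < 0.75 else "1" for _ in range(length))


def honest_prg(seed: int, length: int) -> str:
    """Constructed generator with unbiased output bits (still only a stand-in)."""
    return uniform_bits(length, random.Random(seed))


# The adversary (B, B') against C_G.  B(1^n) returns (B(1^n)_1, B(1^n)_2) =
# (plaintext, state); B' gets a string, 1^n and the state and outputs a bit.
def B(n: int):
    return ("0" * n, None)


def B_prime(c: str, n: int, state) -> int:
    return 1 if c.count("0") > len(c) / 2 else 0


# The reduction of proof 7.13: A(x) := (B(x)_1, B(x)), A'(x, y, z) := B'(x xor z_1, y, z_2).
def make_A(B):
    return lambda x: (B(x)[0], B(x))


def make_A_prime(B_prime):
    return lambda x, y, z: B_prime(xor_bits(x, z[0]), y, z[1])


def prg_advantage(A, A_prime, G, n: int, trials: int, seed: int) -> float:
    """Estimate Pr[A'(G(U_n, 1^{|A(1^n)_1|}), 1^n, A(1^n)_2)]
             - Pr[A'(U_{|G(...)|}, 1^n, A(1^n)_2)], the quantity of (7.1)."""
    rng = random.Random(seed)
    p, state = A(n)
    hits_prg = hits_uniform = 0
    for _ in range(trials):
        k = rng.getrandbits(n)                       # the seed U_n
        stream = G(k, len(p))
        hits_prg += A_prime(stream, n, state)
        hits_uniform += A_prime(uniform_bits(len(stream), rng), n, state)
    return (hits_prg - hits_uniform) / trials


def cipher_advantage(B, B_prime, G, n: int, trials: int, seed: int) -> float:
    """Estimate Pr[B'(E_G(K(1^n), B(1^n)_1), 1^n, B(1^n)_2)]
             - Pr[B'(U_{|E_G(...)|}, 1^n, B(1^n)_2)], the quantity of (7.2)."""
    rng = random.Random(seed)
    p, state = B(n)
    hits_cipher = hits_uniform = 0
    for _ in range(trials):
        k = rng.getrandbits(n)                       # K(1^n) = U_n
        c = xor_bits(G(k, len(p)), p)                # E_G(k, p) := G(k, 1^{|p|}) xor p
        hits_cipher += B_prime(c, n, state)
        hits_uniform += B_prime(uniform_bits(len(c), rng), n, state)
    return (hits_cipher - hits_uniform) / trials


if __name__ == "__main__":
    A, A_prime = make_A(B), make_A_prime(B_prime)
    print(prg_advantage(A, A_prime, biased_prg, 64, 2000, 7))      # about 0.55
    print(cipher_advantage(B, B_prime, biased_prg, 64, 2000, 7))   # the same value
    print(prg_advantage(A, A_prime, honest_prg, 64, 2000, 7))      # close to 0
```

Against the biased generator, B′ is right almost always on real ciphertexts and about 45% of the time on uniform strings, so both estimates sit near 0.55; against the unbiased generator both sit near 0, which is what "negligible" looks like at a fixed n.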

7.14. It is worth remarking that the part “Substituting $U_{|G(K(1^n), 1^{|B(1^n)_1|})|} \oplus B(1^n)_1$, which is a uniform random variable in $\{0, 1\}^{|G(K(1^n), 1^{|B(1^n)_1|})|}$ because $U_{|G(K(1^n), 1^{|B(1^n)_1|})|}$ and $B(1^n)_1$ are independent [ . . . ], by $U'_{|G(K(1^n), 1^{|B(1^n)_1|})|}$” of proof 7.13 uses a recurrent fact in cryptography: a uniform random variable $U_n$ in $\{0, 1\}^n$ xored with an independent random variable $X_n$ in $\{0, 1\}^n$ gives a uniform random variable $U'_n$ in $\{0, 1\}^n$, or less precisely but more succinctly,

$$U_n \perp X_n \Rightarrow U_n \oplus X_n = U'_n.$$
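The fact of 7.14 can be checked exactly rather than by sampling. The added Python example below (mine, not from the thesis) computes the distribution of U_n ⊕ X_n over all of {0,1}^n with exact fractions: for an independent X_n with a constructed, very skewed distribution the result is uniform, which is what licenses replacing U ⊕ B(1^n)_1 by a fresh U′ in proof 7.13. It also shows why the independence hypothesis cannot be dropped: when X_n is a copy or the complement of U_n, the xor is a constant. The distributions used are constructed for the demonstration.

```python
from fractions import Fraction
from itertools import product


def all_strings(n: int):
    """All bit strings of length n, as strings such as "010"."""
    return ["".join(bits) for bits in product("01", repeat=n)]


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def uniform_dist(n: int):
    """The distribution of U_n: every string of {0,1}^n with probability 2^{-n}."""
    return {s: Fraction(1, 2 ** n) for s in all_strings(n)}


def xor_of_independent(dist_u, dist_x):
    """Exact distribution of U_n xor X_n when U_n ~ dist_u and X_n ~ dist_x are
    independent, so that Pr[U = u, X = x] = Pr[U = u] * Pr[X = x]."""
    out = {}
    for u, pu in dist_u.items():
        for x, px in dist_x.items():
            s = xor_bits(u, x)
            out[s] = out.get(s, Fraction(0)) + pu * px
    return out


def xor_of_joint(joint):
    """Exact distribution of U_n xor X_n from a joint distribution
    {(u, x): Pr[U = u, X = x]}, the form needed when U_n and X_n are dependent."""
    out = {}
    for (u, x), p in joint.items():
        s = xor_bits(u, x)
        out[s] = out.get(s, Fraction(0)) + p
    return out


def is_uniform(dist, n: int) -> bool:
    """True iff dist gives every string of {0,1}^n exactly probability 2^{-n}."""
    return all(dist.get(s, Fraction(0)) == Fraction(1, 2 ** n) for s in all_strings(n))


# Constructed, very skewed distribution for X_3 (think of a plaintext chosen by an adversary).
SKEWED_X = {"000": Fraction(1, 2), "111": Fraction(1, 4), "101": Fraction(1, 4)}

# Constructed joint distributions in which X_3 depends on U_3: X = U and X = complement of U.
DEPENDENT_COPY = {(u, u): Fraction(1, 8) for u in all_strings(3)}
DEPENDENT_COMPLEMENT = {(u, xor_bits(u, "111")): Fraction(1, 8) for u in all_strings(3)}


if __name__ == "__main__":
    print(is_uniform(xor_of_independent(uniform_dist(3), SKEWED_X), 3))   # True
    print(xor_of_joint(DEPENDENT_COPY))                                    # {'000': Fraction(1, 1)}
```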