## Contents

| Header | Lecture |
|--------|---------|
| [Perfect secrecy](#Perfect-secrecy) | Week 1, lecture 6-7 |
| [Perfect indistinguishability](#Perfect-indistinguishability) | Week 2, lecture 2 |
| [Computational indistinguishability (concrete)](#Computational-indistinguishability-%28concrete%29) | Week 2, lecture 2
| [(Re)defining encryption](#%28Re%29defining-encryption) | Week 2, lecture 3
| [Computational indistinguishability (asymptotic)](#Computational-indistinguishability-%28asymptotic%29) | Week 2, lecture 3 |
| [Uniform distribution](#Uniform-distribution) | Week 2, lecture 4 |
| [Pseudorandomness (concrete)](#Pseudorandomness-%28concrete%29) | Week 2, lecture 4 |
| [Pseudorandomness (asymptotic)](#Pseudorandomness-%28asymptotic%29) | Week 2, lecture 4 |

### Perfect secrecy

Encryption scheme $(Gen, Enc, Dec)$ with message space $M$ and ciphertext space $C$ is _perfectly secret_ if for every distribution over $M$, every $m \in M$, and every $c \in C$ with $\Pr\left[C=c\right] \lt 0$, it holds that:

$$\Pr\left[M=m|C=c\right] = \Pr\left[M=m\right]$$

### Perfect indistinguishability

* Let $\Pi=(Gem, Enc, Dec)$ be an encryption scheme, and $A$ an adversary (eavesdropper).
* Define a randomized experiment $PrivK_{A, \Pi}$:
  1. $A$ outputs $m_{0}, m_{1} \in M$
  2. $k \leftarrow Gen, b \leftarrow \{0, 1\}, c \leftarrow Enk_{k}(m_{b})$
  3. $b' \leftarrow A(c)$; $A$ _succeeds_ if $b=b'$, and experiment evaluates to 1 in this case.
* $\Pi$ is _perfectly indistinguishable_ if for all attackers $A$, if it holds that:

$$\Pr\left[PrivK_{A,\Pi} = 1\right] = \frac 1 2$$

* __Claim__: $\Pi$ is perfectly indistinguishable if and only if it is perfectly secret. 

### Computational indistinguishability (concrete)

* $\Pi$ is $(t, \varepsilon)$-indistinguishable for attacker if for all attackers $A$ running in time at most $t$, it holds that $\Pr\left[PrivK_{A, \Pi} = 1\right] \leq \frac 1 2 + \varepsilon$

* Problems:
  * Does not lead to clean theory
  * Security is not adjustable

### (Re)defining encryption

* A _private-key encryption scheme_ is defined by three PPT algorithms $(Gen, Enc, Dec)$:
  * $Gen$: takes $1^n$; outputs key $k$ (assume $\lvert k \rvert \gt n$) 
  * $Enc$: takes $k$ an message $m \in \{0, 1\}^*$; outputs ciphertext $c$
  * $Dec$: takes $k$ and $c$ as input; outputs message $m$ or "error".

### Computational indistinguishability (asymptotic)

* Let $\Pi=(Gem, Enc, Dec)$ be an encryption scheme, and $A$ an adversary (eavesdropper).
* Define a randomized experiment $PrivK_{A, \Pi}$:
  1. $A(1^{n})$ outputs $m_{0}, m_{1} \in \{0, 1\}^*$ of equal length
  2. $k \leftarrow Gen(1^{n}), b \leftarrow \{0, 1\}, c \leftarrow Enk_{k}(m_{b})$
  3. $b' \leftarrow A(c)$; $A$ _succeeds_ if $b=b'$, and experiment evaluates to 1 in this case.
* $\Pi$ is _indistinguishable_ if for all PPT attackers $A$, there is negligible function $\varepsilon$ such that:

$$\Pr\left[PrivK_{A, \Pi}(n)=1\right] \leq \frac 1 2 + \varepsilon(n)$$

### Uniform distribution

* A distribution of $n$-bit strings is a function $D: \{1, 0\}^{n} \rightarrow \left[0, 1\right]$ such that $\sum_{x} D(x) = 1$
  * The uniform distribution of $n$-bit strings is the distribution $U_n$ where $U_{n}(x) = 2^{-n}$ for all $x \in \{0, 1\}^n$

### Pseudorandomness (concrete)

* Let $D$ be a distribution on n-bit strings.
* D is $(t, \varepsilon)$-pseudorandom if for all $A$ running in time $\leq t$, 

$$\lvert\Pr_{x \leftarrow D}\left[A(x)=1\right] - \Pr_{x \leftarrow U_{n}}\left[A(x)=1\right]\rvert \leq \varepsilon$$

### Pseudorandomness (asymptotic)

* Security parameter $n$, polynomal $p$.
* Let $D_n$ be a distribution over $p(n)$-bit strings.
* Pseudorandomness is a property of a _sequence_ of distributions $\{D_{n}\} = \{D_{1}, D_{2}, ... \}$
* $\{D_{n}\}$ is pseudorandom if for every probabalistic, polinomial-time $A$, there is a negligible function $\varepsilon$ such that:

$$\lvert\Pr_{x \leftarrow D_{n}}\left[A(x)=1\right] - \Pr_{x \leftarrow U_{p(n)}}\left[A(x)=1\right]\rvert \leq \varepsilon (n)$$

### Pseudorandom generator

* Pseudorandom generator (PRG) is an efficient, deterministic algorithm that expands a short, uniform seed into a longer, pseudorandom output.


* Let $G$ be a deterministic, poly-time algorithm.
* $G$ is expanding: $\lvert G(x) \rvert = p(\lvert x \rvert) > \lvert x \rvert$
* $G$ defines a sequence of distributions:
  * $D_n$ = the distribution on $p(n)$-bit strings defined by choosing $x \leftarrow U_n$ and outputting $G(x)$
  
$$\Pr_{D_n}\left[y\right] = \Pr_{U_n}\left[G(x) = y\right] = \sum_{x:G(x)=y}\Pr_{U_n}\left[x\right] = \sum_{x:G(x)=y} 2^{-n} = \frac{\lvert\{x:G(x)=y\}\rvert} {2^n}$$

* $G$ is PRG if  $\{D_{n}\}$ is pseudorandom, i.e. for all PPT attackers $A$ there is a negligible function $\varepsilon$ such that:

$$\lvert \Pr_{x \leftarrow U_{n}}\left[A(G(x))=1\right] - \Pr_{y \leftarrow U_{p(n)}} \left[A(y)=1\right] \rvert \leq \varepsilon(n)$$

### Pseudo one-time pad

* Let $G$ be a deterministic, poly-time algorithm.
* $G$ is expanding: $\lvert G(x) \rvert = p(\lvert x \rvert) > \lvert x \rvert$
* $Gen(1^n)$: output uniform n-bit key k
  * Security parameter $n \Rightarrow$ message space $\{0, 1\}^{p(n)}$
* $Enk_{k}(m)$: output $G(k) \oplus m$
* $Dec_{k}(c)$: output $G(k) \oplus c$

### CPA security

* Fix $\Pi, A$
* Define randomized experiment $PrivCPA_{A,\Pi}(n)$:
  1. $k \leftarrow Gen(1^{n})$
  2. $A(1^n)$ interacts with an encryption oracle $Enk_{k}(\cdot)$, and then outputs $m_0, m_1$ of the same length.
  3. $b \leftarrow \{0, 1\}, c \leftarrow Enk_{k}(m_b)$, give $c$ to $A$
  4. $A$ can continue to interact with $Enk_{k}(\cdot)$
  5. $A$ outputs $b'$; $A$ succeeds if $b=b'$, and experiment evaluates to 1 in this case