Secure Fixed-Length Encryption Scheme

This document describes a fixed-length private-key encryption scheme that uses a pseudorandom generator to generate a pseudorandom pad for encryption. The key is shorter than the message, but a pseudorandom pad that looks random is generated from the key using a pseudorandom generator. This "pseudo-one-time pad" encryption scheme is proven to be secure against eavesdropping adversaries if the pseudorandom generator is secure. A reduction is given showing that any adversary able to distinguish encryptions also implies an algorithm to distinguish the pseudorandom generator from random.

Uploaded by sefofom817
Secure Fixed-Length Encryption Scheme

(Excerpt from Introduction to Modern Cryptography, pages 67–69; running head: Private-Key Encryption.)

A pseudorandom generator provides a natural way to construct a secure, fixed-length encryption scheme with a key shorter than the message. Recall that in the one-time pad (see Section 2.2), encryption is done by XORing a random pad with the message. The insight is that we can use a pseudorandom pad instead. Rather than sharing this long, pseudorandom pad, however, the sender and receiver can instead share a seed which is used to generate that pad when needed (see Figure 3.2); this seed will be shorter than the pad and hence shorter than the message. As for security, the intuition is that a pseudorandom string “looks random” to any polynomial-time adversary and so a computationally bounded eavesdropper cannot distinguish between a message encrypted using the one-time pad or a message encrypted using this “pseudo-”one-time pad encryption scheme.

[FIGURE 3.2: Encryption with a pseudorandom generator. Diagram labels: Pseudorandom generator, pad, Plaintext, XOR, Ciphertext.]

The encryption scheme. Fix some message length $\ell$ and let $G$ be a pseudorandom generator with expansion factor $\ell$ (that is, $|G(s)| = \ell(|s|)$). Recall that an encryption scheme is defined by three algorithms: a key-generation algorithm Gen, an encryption algorithm Enc, and a decryption algorithm Dec. The key-generation algorithm is the trivial one: $\mathsf{Gen}(1^n)$ simply outputs a uniform key $k$ of length $n$. Encryption works by applying $G$ to the key (which serves as a seed) in order to obtain a pad that is then XORed with the plaintext. Decryption applies $G$ to the key and XORs the resulting pad with the ciphertext to recover the message. The scheme is described formally in Construction 3.17. In Section 3.6.1, we describe how stream ciphers are used to implement a variant of this scheme in practice.

CONSTRUCTION 3.17

Let $G$ be a pseudorandom generator with expansion factor $\ell$. Define a private-key encryption scheme for messages of length $\ell$ as follows:

• Gen: on input $1^n$, choose uniform $k \in \{0,1\}^n$ and output it as the key.
• Enc: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{\ell(n)}$, output the ciphertext $c := G(k) \oplus m$.
• Dec: on input a key $k \in \{0,1\}^n$ and a ciphertext $c \in \{0,1\}^{\ell(n)}$, output the message $m := G(k) \oplus c$.

A private-key encryption scheme based on any pseudorandom generator.

THEOREM 3.18 If $G$ is a pseudorandom generator, then Construction 3.17 is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.

PROOF Let $\Pi$ denote Construction 3.17. We show that $\Pi$ satisfies Definition 3.8. Namely, we show that for any probabilistic polynomial-time adversary $\mathcal{A}$ there is a negligible function $\mathsf{negl}$ such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n). \qquad (3.2)$$

The intuition is that if $\Pi$ used a uniform pad in place of the pseudorandom pad $G(k)$, then the resulting scheme would be identical to the one-time pad encryption scheme and $\mathcal{A}$ would be unable to correctly guess which message was encrypted with probability any better than $1/2$. Thus, if Equation (3.2) does not hold then $\mathcal{A}$ must implicitly be distinguishing the output of $G$ from a random string. We make this explicit by showing a reduction; namely, by showing how to use $\mathcal{A}$ to construct an efficient distinguisher $D$, with the property that $D$’s ability to distinguish the output of $G$ from a uniform string is directly related to $\mathcal{A}$’s ability to determine which message was encrypted by $\Pi$. Security of $G$ then implies security of $\Pi$.

Let $\mathcal{A}$ be an arbitrary PPT adversary. We construct a distinguisher $D$ that takes a string $w$ as input, and whose goal is to determine whether $w$ was chosen uniformly (i.e., $w$ is a “random string”) or whether $w$ was generated by choosing a uniform $k$ and computing $w := G(k)$ (i.e., $w$ is a “pseudorandom string”). We construct $D$ so that it emulates the eavesdropping experiment for $\mathcal{A}$, as described below, and observes whether $\mathcal{A}$ succeeds or not. If $\mathcal{A}$ succeeds then $D$ guesses that $w$ must be a pseudorandom string, while if $\mathcal{A}$ does not succeed then $D$ guesses that $w$ is a random string. In detail:

Distinguisher $D$: $D$ is given as input a string $w \in \{0,1\}^{\ell(n)}$. (We assume that $n$ can be determined from $\ell(n)$.)

1. Run $\mathcal{A}(1^n)$ to obtain a pair of messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.
2. Choose a uniform bit $b \in \{0,1\}$. Set $c := w \oplus m_b$.
3. Give $c$ to $\mathcal{A}$ and obtain output $b'$. Output 1 if $b' = b$, and output 0 otherwise.

$D$ clearly runs in polynomial time (assuming $\mathcal{A}$ does).

Before analyzing the behavior of $D$, we define a modified encryption scheme $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Enc}}, \widetilde{\mathsf{Dec}})$ that is exactly the one-time pad encryption scheme, except that we now incorporate a security parameter that determines the length of the message to be encrypted. That is, $\widetilde{\mathsf{Gen}}(1^n)$ outputs a uniform key $k$ of length $\ell(n)$, and the encryption of message $m \in \{0,1\}^{\ell(n)}$ using key $k \in \{0,1\}^{\ell(n)}$ is the ciphertext $c := k \oplus m$. (Decryption can be performed as usual, but is inessential to what follows.) Perfect secrecy of the one-time pad implies

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right] = \frac{1}{2}. \qquad (3.3)$$

To analyze the behavior of $D$, the main observations are:

1. If $w$ is chosen uniformly from $\{0,1\}^{\ell(n)}$, then the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n)$. This is because when $\mathcal{A}$ is run as a subroutine by $D(w)$ in this case, $\mathcal{A}$ is given a ciphertext $c = w \oplus m_b$ where $w \in \{0,1\}^{\ell(n)}$ is uniform. Since $D$ outputs 1 exactly when $\mathcal{A}$ succeeds in its eavesdropping experiment, we therefore have (cf. Equation (3.3))

$$\Pr_{w \leftarrow \{0,1\}^{\ell(n)}}\left[D(w) = 1\right] = \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right] = \frac{1}{2}. \qquad (3.4)$$

(The subscript on the first probability just makes explicit that $w$ is chosen uniformly from $\{0,1\}^{\ell(n)}$ there.)

2. If $w$ is instead generated by choosing uniform $k \in \{0,1\}^n$ and then setting $w := G(k)$, the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$. This is because $\mathcal{A}$, when run as a subroutine by $D$, is now given a ciphertext $c = w \oplus m_b$ where $w = G(k)$ for a uniform $k \in \{0,1\}^n$. Thus,

$$\Pr_{k \leftarrow \{0,1\}^n}\left[D(G(k)) = 1\right] = \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right]. \qquad (3.5)$$

Since $G$ is a pseudorandom generator (and since $D$ runs in polynomial time), we know there is a negligible function $\mathsf{negl}$ such that

$$\left|\Pr_{w \leftarrow \{0,1\}^{\ell(n)}}\left[D(w) = 1\right] - \Pr_{k \leftarrow \{0,1\}^n}\left[D(G(k)) = 1\right]\right| \le \mathsf{negl}(n).$$

Using Equations (3.4) and (3.5), we thus see that

$$\left|\frac{1}{2} - \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right]\right| \le \mathsf{negl}(n),$$

which implies $\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n)$. Since $\mathcal{A}$ was an arbitrary PPT adversary, this completes the proof that $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper.

It is easy to get lost in the details of the proof and wonder whether anything has been gained as compared to the one-time pad; after all, the one-time pad also encrypts an $\ell$-bit message by XORing it with an $\ell$-bit string!
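The following is an added worked example, not code from the textbook: it implements Construction 3.17 (Gen, Enc, Dec with the pad G(k)) and the reduction's distinguisher D, and then makes the proof's two observations concrete by estimating Pr[D(w)=1] for uniform w and Pr[D(G(k))=1] for uniform k. Everything below is an assumption of this example: lengths are in bytes (n = 16, ℓ(n) = 64) rather than bits, SHAKE-128 used as an extendable-output function stands in for the abstract generator G, `G_broken` is a constructed generator that merely repeats its seed, and `PeriodicityAdversary` is a constructed eavesdropper tailored to that broken generator. With the broken generator, A wins the eavesdropping game every time, so D's output on G(k) is always 1 while on uniform w it is 1 only about half the time: exactly the gap the proof says a successful A must create. With the SHAKE-based generator the same A is stuck at 1/2 on both inputs.

```python
import hashlib
import random
import secrets
from typing import Callable, Tuple

# Parameters (assumption: byte lengths stand in for the bit lengths n and ell(n)).
N_BYTES = 16     # seed / key length n
ELL_BYTES = 64   # message length ell(n); the generator expands 16 -> 64 bytes

PRG = Callable[[bytes], bytes]


def G(seed: bytes) -> bytes:
    """Pseudorandom generator with expansion factor ELL_BYTES.
    Assumption: SHAKE-128 as an XOF stands in for an abstract PRG."""
    assert len(seed) == N_BYTES
    return hashlib.shake_128(seed).digest(ELL_BYTES)


def G_broken(seed: bytes) -> bytes:
    """Constructed bad generator: repeats the seed. Its output is periodic with
    period N_BYTES, which a uniform 64-byte string essentially never is."""
    assert len(seed) == N_BYTES
    return seed * (ELL_BYTES // N_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Construction 3.17: Gen outputs a uniform key, Enc/Dec XOR with the pad G(k).
def gen() -> bytes:
    return secrets.token_bytes(N_BYTES)


def enc(k: bytes, m: bytes, prg: PRG = G) -> bytes:
    assert len(m) == ELL_BYTES
    return xor(prg(k), m)


def dec(k: bytes, c: bytes, prg: PRG = G) -> bytes:
    assert len(c) == ELL_BYTES
    return xor(prg(k), c)


def _periodic(s: bytes) -> bool:
    return s == s[:N_BYTES] * (ELL_BYTES // N_BYTES)


class PeriodicityAdversary:
    """Constructed eavesdropper A. It picks m0 = 0^ell and m1 = (0,1,2,...), then
    guesses b by testing which hypothesis makes the pad w = c xor m_b periodic.
    Against G_broken one hypothesis always fits; against a uniform pad (or G)
    neither does, so it falls back to guessing 0 and is right w.p. 1/2."""
    def choose(self) -> Tuple[bytes, bytes]:
        return bytes(ELL_BYTES), bytes(range(ELL_BYTES))

    def guess(self, c: bytes) -> int:
        m0, m1 = self.choose()
        if _periodic(xor(c, m0)):
            return 0
        if _periodic(xor(c, m1)):
            return 1
        return 0


def distinguisher(w: bytes, adversary, rng: random.Random) -> int:
    """The reduction's D: emulate PrivK^eav for A with w as the pad and output 1
    exactly when A guesses the bit b correctly."""
    m0, m1 = adversary.choose()            # step 1: obtain (m0, m1) from A
    b = rng.randrange(2)                   # step 2: uniform b, c := w xor m_b
    c = xor(w, (m0, m1)[b])
    return 1 if adversary.guess(c) == b else 0   # step 3: compare A's b' with b


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def estimate(prg: PRG, adversary, trials: int = 2000, seed: int = 1) -> Tuple[float, float]:
    """Return (Pr[D(w)=1] for uniform w, Pr[D(G(k))=1] for uniform k), estimated by
    sampling with a seeded RNG so the result is reproducible."""
    rng = random.Random(seed)
    p_uniform = sum(distinguisher(rand_bytes(rng, ELL_BYTES), adversary, rng)
                    for _ in range(trials)) / trials
    p_prg = sum(distinguisher(prg(rand_bytes(rng, N_BYTES)), adversary, rng)
                for _ in range(trials)) / trials
    return p_uniform, p_prg


if __name__ == "__main__":
    k = gen()
    m = b"attack at dawn".ljust(ELL_BYTES, b"\0")
    assert dec(k, enc(k, m)) == m
    A = PeriodicityAdversary()
    for name, prg in (("SHAKE-128 PRG", G), ("broken PRG", G_broken)):
        pu, pp = estimate(prg, A)
        print(f"{name}: Pr[D(w)=1]={pu:.3f}  Pr[D(G(k))=1]={pp:.3f}  gap={abs(pu - pp):.3f}")
```

The gap printed on the last line is the left-hand side of the pseudorandomness inequality in the proof; Equation (3.4) is why the uniform-pad column sits at 1/2 regardless of which generator is plugged in, and Equation (3.5) is why the other column equals A's success probability against the scheme itself.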
