University of Illinois, Urbana Champaign LECTURE

CS 598DK Special Topics in Cryptography

Instructor: Dakshita Khurana

Scribe: Aniket Murhekar, Rucha Kulkarni
Date: September 11, 2019 5
Private-Key and Public-Key Encryption

We discussed pseudo-random functions in the last lecture. In this lecture, we focus on

encryption schemes. Today we will cover the following topics.
• Define private-key and public-key encryption schemes and understand what it means
for them to be secure.
• Define and distinguish between single-message and multi-message encryption schemes.
• Construct a private-key encryption scheme using pseudo-random functions (PRFs)
and present a proof of its security.
• Show that a secure single-message public key encryption scheme is also a secure multi-
message encryption scheme.
• Describe a public key encryption scheme, El-Gamal.

5.1 Recap: Pseudo-random functions

Recall from the last lecture that a pseudo-random function is a family of functions which,
intuitively speaking, behaves like a randomly chosen function would behave.
More concretely, we say that a function family F : {0, 1}k × {0, 1}l → {0, 1}m is pseudo-
random if no efficient adversary A can distinguish the function F (s, ·) (for a uniformly
chosen s) from a function chosen uniformly at random from the set F of all functions
from {0, 1}l to {0, 1}m . Here our adversaries are non-uniform probabilistic polynomial-time
Turing machines with oracle access to either F (s, ·) or a function in F. Thus,

Definition 5.1. Pseudo-random function (PRF). A family of functions F : {0, 1}k ×

{0, 1}l → {0, 1}m is said to be pseudo-random if for all non-uniform probabilistic polynomial-
time oracle Turing machines A, we have that:
|Pr[AF (s,·) (1k ) = 1] − Pr[Af (1k ) = 1]| ≤ negl(k)
where the first probability is taken over the uniform choice of s ∈ {0, 1}k and the random-
ness of A, and the second probability is taken over the uniform choice of f ∈ F and the
randomness of A.
5.2 Encryption schemes and their security
We first define an encryption scheme. Informally, an encryption scheme should do the
following: generate a key (or a pair of keys), encrypt a plaintext message to produce a
ciphertext, and then decrypt a ciphertext using the key to recover the plaintext. Formally:

Definition 5.2. Encryption scheme. An encryption scheme is a tuple of probabilistic

polynomial-time (PPT) algorithms (KeyGen, Enc, Dec):
1. KeyGen : On input 1k , output two strings (ek, dk), using rkeygen as the randomness.
Here ek is the encryption key or public key and dk is the decryption or private key.
2. Enc : On input encryption key ek and plaintext m, output the ciphertext c, using renc
as the randomness.
3. Dec : On input decryption key dk and ciphertext c, output the plaintext m.

Note that Dec has to be a deterministic algorithm. Also note that the randomness renc
used in encryption is not necessarily given as input to Dec.
We also distinguish between private-key and public-key encryption. In the former, the
private key is shared between the two parties. We do not concern ourselves with how they
exchanged this key. In the latter, the encryption is key is public, but the decryption is
possible only with the knowledge of the private key.
We now discuss the properties that the algorithms should satisfy, namely, correctness
and security.
Correctness. This requires that the algorithm Dec correctly decrypts the ciphertext of
the message encrypted by the algorithm Enc:
Pr[Dec(dk, Enc(ek, m)) = m] = 1 − negl(k), (5.1)
where the probability is taken over the randomness used in the KeyGen and Enc al-
gorithms. The above notion is called statistical correctness. When the right-hand side is
exactly 1, we say the scheme satisfies perfect correctness.
Security. When can we say that the scheme is secure? Suppose the scheme does not reveal
the entire message m to adversaries who do not possess the decryption key. Can we call
this scheme “secure”? Even if the scheme does not reveal m entirely, it could reveal parts
of m, or maybe a function of the bits of m to adversaries, which itself is problematic and
could reveal information about m. So our security definition needs to be strengthened. For
this we consider a game between an adversary A and a challenger C:
1. A is given 1k and outputs two messages m0 and m1 of equal length.
2. C generates a key ek using KeyGen and randomness r, and chooses a bit b ∈ {0, 1}
uniformly at random. She sends c = Enc(ek, mb ) to A.
3. A tries to guess b and outputs b0 .
4. Set the variable GameA to 1 if and only if b = b0 .
We say that the scheme is secure if no non-uniform probabilistic polynomial-time (nuPPT)
Turing machine can correctly guess b with probability much better than 1/2, for every choice
of m0 and m1 . That is:
1
∀ nuPPT A, ∀m0 , m1 s.t. |m0 | = |m1 | = k : Pr[GameA = 1] = + negl(k). (5.2)
2

5-2
 A succinct way to put this is to say that the distributions Enc(ek, m0 ) and Enc(ek, m1 )
are computationally indistinguishable (a property hence forth also denoted by ≈c ) for all
messages m0 and m1 of equal length. Note that we impose the condition of equal length,
because the length of the message influences the length of the ciphertext.
Multi-message security. We extend the above definition of security to the setting when
multiple messages are to be encrypted. We want our schemes to be secure against adver-
saries who could potentially look at encryptions of multiple plaintexts to decrypt a given
ciphertext. For this, we define a game between an adversary A and challenger C, for a given
p ≤ poly(k), as follows:
1. A is given 1k and outputs two tuples of p messages each: M0 = (m01 , m02 , . . . , m0p )
and M1 = (m11 , m12 , . . . , m1p ).
2. C generates a key ek using KeyGen and randomness rkeygen , chooses a bit b ∈ {0, 1}
uniformly at random, encrypts all the messages in Mb using independent randomnesses
r1 , . . . , rp , and sends across Cb = (Enc(ek, mb1 ; r1 ), . . . , Enc(ek, mbp ; rp ))) to A.
3. A tries to guess b and outputs b0 .
4. Set the variable GameA,p to 1 if and only if b = b0 .
We say that the scheme is secure if no non-uniform probabilistic polynomial-time (nuPPT)
Turing machine can correctly guess b with probability much better than 1/2, for every pair
of p-tuples M0 and M1 , for every p ≤ poly(k). That is:
1
∀nuPPTA, ∀p ≤ poly(k), ∀M0 , M1 s.t. |M0 | = |M1 | : Pr[GameA,p = 1] = + negl(k).
2
Having formally defined what different types of security are, we now talk about the kind
of public key encryption schemes, and the kind of private key encryption schemes, that
will have both single and multi message security, and those that will only have one (single
message) type.
In a public key setting, any adversary has access to the public key, hence can generate
multiple ciphertexts of multiple messages by herself. If such a scheme is single message
secure, then it cannot become insecure for multi message transfers. Else even for single
messages, the adversary could generate encryptions of multiple messages, treat the single
message’s encryption as a part of a tuple of encryptions of multiple messages, use the algo-
rithm that breaks (that is, decrypts with non-negligible probability) multi message security
and decrypt with the same high probability the single message. This then contradicts single
message security. Thus, by contrapositivity, single message security for public encryptions
implies multi message security as well. This discussion is formalized in Section 5.4.
For private key encryption schemes however, guaranteeing multi message security re-
quires additional properties than single message security, which we now discuss in the fol-
lowing section.

5.3 Secure private-key encryption scheme

Having understood the definition of encryption schemes and their security, we now look at
examples. Recall the one-time pad (OTP) encryption scheme:
$
1. KeyGen(1k ) = ek ←
− {0, 1}k

5-3
 2. Enc(ek, m) = ek ⊕ m
3. Dec(ek, c) = ek ⊕ c
It is easy to see that this satisfies both the properties of correctness and security when only
one message is being encrypted. Thus in the single message setting, OTP is a perfectly
secure encryption scheme. However, OTP suffers from a few drawbacks: the size of the key
has to be equal to the size of the message, and the same key cannot be used to encrypt
multiple messages. If the same key encrypts two messages m and m0 , then an adversary
can compute m ⊕ m0 . Now an adversary can distinguish between the pairs (0m01 , 0m02 )
and (0m11 , 1m12 ) because the first bit of c1 ⊕ c2 = (0mb1 ⊕ k) ⊕ (bmb2 ⊕ k)) will be b,
where ∈ b{0, 1} is the choice of the challenger. Thus the adversary correctly guesses b with
probability 1, rendering the OTP scheme insecure for multiple messages.
We now describe a secure private-key encryption scheme using PRFs. As we will show,
this scheme is secure even in the multi-message setting. We first describe the scheme in the
single message setting. Let F : {0, 1}k × {0, 1}l → {0, 1}n be a PRF. Consider the scheme
Π = (KeyGen, Enc, Dec) given by:
$
1. KeyGen(1k ) = s ←
− {0, 1}k , the seed of the PRF
$
− {0, 1}l , and n = |m|
2. Enc(s, m; r) = hF (s, r) ⊕ m, ri, where r ←
3. Dec(s, hc1 , c2 i) = c1 ⊕ F (s, c2 )
Correctness: The correctness condition of Equation (5.1) can be re-phrased using the
notation used in defining the encryption scheme as:

Dec(dk, Enc(ek, m)) = Dec(s, hF (s, r) ⊕ m, ri) = (F (s, r) ⊕ m) ⊕ F (s, r) = m.

Thus, Equation (5.1) follows.

Security: In the following lemma, We will prove this scheme has single message security,
and then as a corollary we establish how multi message security also follows.

Lemma 5.3. For all messages m0 and m1 of equal length, the distributions Enc(ek, m0 )
and Enc(ek, m1 ) are computationally indistinguishable. Equivalently, the encryption scheme
defined above has single message security.

Proof. For a uniformly randomly chosen string r0 , we have from the definition of PRFs the
following computational indistinguishability relation.

Enc(ek = s, m0 ; r) ≡ (m0 ⊕ F (s, r), r) ≈c (m0 ⊕ r0 , r).

Now we can say (m0 ⊕ r0 , r) ≈c (r0 , r), for any r0 , r sampled uniformly at random. Thus
we get,

(m0 ⊕ r0 , r) ≈c (r0 , r) ≈c (m1 ⊕ r0 , r) ≈c (m1 ⊕ P RF (ek, r), r) ≡ Enc(ek, m1 ; r),

and the lemma follows.

Corollary 5.4. The encryption scheme Π described above has multi message security.

5-4
 Applying the same proof idea to tuples of encryptions,

Cb = (Enc(ek, mb1 ; r1 ), Enc(ek, mb2 ; r2 ), . . . , Enc(ek, mbp ; rp )), f or b ∈ {0, 1},

of two distinct long messages Mb = (mb1 , mb2 , . . . , mbp ), we show that for all i ∈ [p],
Enc(ek, mbi ; ri ) is computationally indistinguishable from its corresponding part in the
other message Enc(ek, m(1−b)i ; ri ). Thus, the entire messages are also indistinguishable
computationally, proving the corollary.

5.4 Secure public-key encryption scheme

We first prove the following theorem, which when combined with a single message secure
public key encryption (PKE) scheme will result in a multi message secure PKE.

Theorem 5.5. Single message PKE =⇒ Multi message PKE.

Proof. Recall the informal discussion that established this theorem from Section 5.2. We
formalize this now for two part messages.
Fix the messages as M0 = (m01 , m02 ) and M1 = (m11 , m12 ). We will prove their
encryptions Db = (ek, Enc(ek, mb1 ; r), Enc(ek, mb2 ; r0 )) for b ∈ {0, 1} are computationally
indistinguishable. By definition of multi-message security, the theorem then follows.
We define an intermediate distribution D00 = (ek, Enc(ek, m01 ; r), Enc(ek, m12 ; r0 )) to-
wards proving D0 ≈c D1 . We first prove by contradiction that D0 ≈c D00 . Suppose then,
that this claim is false, then there exists an adversary A such that
1
P r[A(ek, Enc(m01 ), Enc(m02 )) = 1] − P r[A(ek, Enc(m01 ), Enc(m12 )) = 1] = .
poly(k)
We can then construct a machine, which is commonly termed as a reduction, denoted by B,
that works as follows.
1. B first samples two messages m02 , m12 uniformly at random.
2. B then uses the public key ek, creates ciphertext ct and sends the messages (ek, Enc(mi2 , ct)),
for i ∈ {0, 1}.
3. It now runs the adversary’s algorithm A(ek, Enc(mi2 ), ct).
If A distinguishes between (ek, Enc(m02 ), ct) and (ek, Enc(m12 ), ct) with probability
1/poly(k), then B can distinguish between (ek, Enc(m02 )) and (ek, Enc(m12 )) with the
same non-negligible probability, breaking single message security, a contradiction.
Similarly, we can prove D00 ≈c D1 . Together with D0 ≈c D00 this establishes D0 ≈c D1 .
We can extend the proof to show the scheme has multi-message security for greater than
2 message parts, by creating the sequence of intermediate tuples

Di = (ek, Enc(ek, m01 ; r), . . . , Enc(ek, m0x ; r), Enc(ek, m1(x+1) ; r), . . . , Enc(ek, m1p ; r))

for all x in [p], whose initial parts are ciphertexts of message parts of the first message,
followed by ciphertexts of the second message. In a chain of relations we can prove they are
all computationally indistinguishable, thus proving the theorem.
In the final part of this lecture, we discuss a specific secure PKE scheme.

5-5
5.5 El Gamal: A special public key encryption scheme
We now look at a PKE scheme that assumes the hardness of deciphering certain properties
of cyclic groups for proving secure encryption. The different algorithms of the scheme are
as follows.
1. KeyGen(1k , r): A cyclic group G of order q is fixed. Then an arbitrary generator of G,
$
denoted by g, is picked. The algorithm then samples an element of the group x ←
− Zq
uniformly at random, and considers this as the private key. Let h = g x mod q. The
public key is the tuple ek = (G, q, g, h).
$
2. Enc(ek, m, r0 ): The encryption algorithm first picks y ← − Zq using r0 , and creates the
ciphertext consisting of two parts c = (c1 , c2 ) = (g , m · hy ).
y

3. Dec(x, c1 , c2 ) : The decryption algorithm outputs c2 · (cx1 )−1 .

The correctness of the scheme is immediate since

c2 · (cx1 )−1 = m · hy · ((g y )x )−1 = m · g xy · (g yx )−1 = m

Intuitively, the security of this protocol relies on the fact that given h = g x and g, the dis-
crete logarithm x is hard to compute. The Decisional Diffie-Hellman assumption is that the
distributions (G, q, g, g x , g y , g xy ) for x, y chosen uniformly at random, and (G, q, g, g x , g y , g z )
for x, y, z chosen uniformly at random are computationally indistinguishable. Under this
assumption, an efficient adversary who does not know the secret key, i.e., who does not
have knowledge of the discrete logarithm x , cannot distinguish between the encryption
m · hy = m · g xy , from the string m · g z , where z is chosen uniformly at random, with
non-negligible probability. A formal proof of security will construct a reduction (similar to
the proof of Theorem 5.5) that breaks the Decisional Diffie Hellman assumption, and hence
we skip it here.
In the next lecture, we will use these encryption schemes to design Oblivious Transfers,
which are protocols to securely transfer messages between two parties while guaranteeing
that both parties do not receive more information than what the sender intended.

Acknowledgement
These scribe notes were prepared by editing a light modification of the template designed
by Alexander Sherstov.

5-6