Efficient Steganography with Provable Security Guarantees Aggelos Kiayias? , Yona Raekow, and Alexander Russell?? University of Connecticut, Storrs, CT

Abstract. We provide a new provably-secure steganographic encryption protocol that is proven secure in the complexity-theoretic framework of Hopper et al. The fundamental building block of our steganographic encryption protocol is a “one-time stegosystem” that allows two parties to transmit one-time steganographic messages of length shorter than the shared key with information-theoretic security guarantees. The employment of a pseudorandom number generator (PRNG) allows the transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction compared to that of Hopper et al. is that it avoids the use of a pseudorandom function family and instead relies (directly) on a PRNG in a way that provides a linear versus constant improvement in the number of applications of the underlying (say) one-way permutation per bit transmitted. This advantageous trade-off is achieved by substituting the pseudorandom function family employed in the previous construction with an appropriate combinatorial construction that has been used extensively in derandomization, namely almost t-wise independent function families.

1

Introduction

In steganography, Alice and Bob wish to communicate securely in the presence of an adversary called the “Warden” that monitors whether they exchange “conspicuous” messages. In particular Alice and Bob may exchange messages that adhere to a certain channel distribution that represents “inconspicuous” communication. By controlling the kind of messages that are transmitted over such a channel (that is assumed to have sufficient entropy) Alice and Bob may exchange messages that cannot be detected by the Warden. There have been two approaches in formalizing Steganography, one based on information theory [1–3] and one based on complexity theory [4]. The latter approach is more specific and has the potential of allowing more efficient constructions. Most steganographic constructions that come with provable security guarantees are instantiations of the following basic procedure (which has been also called “rejection-sampling”): ? ??

Supported by NSF CAREER grant CCR-0447808. Supported by NSF CAREER grant CCR-0093065, and NSF grants CCR-0121277, CCR-0220264, CCR-0311368, and EIA-0218443.

there is a family (or channel distribution) that provides a number of possible options for a so-called “covertext” to be transmitted. The sender and the receiver possess some sort of function that is private (e.g. a keyed hash function, MAC, or other similar function) that maps to a single bit or a short sequence of bits. The sender applies the function to the covertext and checks whether it happens to produce the stegotext it wishes to transmit. If this is the case, the covertext is transmitted. In case of failure, a second covertext is drawn, etc. While this is a fairly specific procedure, there are a number of choices to be made and these are of both practical and theoretical concern. From the security viewpoint one is primarily interested in the choice of the function that is shared between the sender and the receiver. From a practical viewpoint one would be interested in how the channel is implemented and whether it conforms to the various constraints that are imposed on it by the steganographic protocol specifications (e.g., are independent draws from the channel allowed? does the channel remember previous draws? etc.). As mentioned above, the security of a stegosystem can be naturally phrased in information-theoretic terms (cf. [1]) or in complexity-theoretic terms [4]. Informally, the latter approach considers the following experiment for the warden-adversary: the adversary selects a message (or messages) to be embedded and receives either the covertexts that embed the stegotexts or covertexts simply drawn from the channel distribution (without any embedding). The adversary is then asked to distinguish between the two cases. Clearly, if the probability of success is very close to 1/2 it is natural to claim that the stegosystem provides security against such (eavesdropping) adversarial activity. Formulation of stronger attacks such as active attacks is also possible. Given the above framework, Hopper et al. [4] provided a provably secure stegosystem that pairs rejection sampling with a pseudorandom function family. Given that rejection sampling, when implemented properly and paired with a truly random function, is indistinguishable from the channel distribution, the security of their construction followed from the pseudorandom function family assumption. From the efficiency viewpoint this construction required about 2 evaluations of the pseudorandom function per bit transmission. Constructing efficient pseudorandom functions is possible either generically [5] or, more efficiently, based on specific number-theoretic assumptions [6]. Nevertheless, pseudorandom function families are a conceptually complex and fairly expensive cryptographic primitive. For example, the evaluation of the Naor-Reingold pseudorandom function on an input x requires O(|x|) modular exponentiations. Similarly, the generic construction [5] requires O(k) PRNG doublings of the input string where k is the length of the key. In this article we take an alternative approach to the design of provably secure stegosystems. Our main contribution is the design of a building block that we call a one-time stegosystem: this is a steganographic protocol that is meant to be used for a single message transmission and is proven secure in the information-theoretic sense provided that the key that is shared between the sender and the receiver is of sufficient length (this length analysis is part of our result). In particular we show that we can securely transmit ν bits with a key of length O(`(ν) + log |Σ|) where `(·) is the stretching function of

an appropriate error-correcting code and Σ is the size of the channel alphabet (see Section 3.4 for more details regarding the exact formulation). Our basic building block is a natural analogue of a one time-pad for steganography. It is based on the rejection sampling technique outlined above in combination with a combinatorial construction that is a function family that is almost t-wise independent [7]. We note that such combinatorial constructions have been extremely useful for derandomization methods and here, to the best of our knowledge, are employed for the first time in the design of steganographic protocols. Given a one-time stegosystem, it is fairly straightforward to construct provably secure steganographic encryption for longer messages by using a pseudorandom number generator (PRNG) to stretch a random seed that is shared by the sender and the receiver to sufficient length. The resulting stegosystem is provably secure in the computational sense of Hopper et al. [4] and is in fact much more efficient: in particular, while the Hopper, et al. stegosystem requires 2 evaluations per bit of a pseudorandom function, amounting to a linear (in the key-size) number of applications of the underlying PRNG (in the standard construction for pseudorandom functions of [5]), in our stegosystem we require per bit a constant amount of PRNG applications. The reason for this improvement is that in our case we do not perform per bit pseudorandom function evaluations because we rely on the combinatorial constructions of function families with good randomization properties that are extremely efficient.

2

Definitions and Tools

The channel which will be used for transmission of data is abstracted as a family of probability distributions {Ch }h∈Σ ∗ with support Σ = {c1 , c2 , . . . , cn }. A communication according to Ch can be viewed as drawing elements (we call them covertexts) from Σ for a history h. Definition 1. Let M = {0, 1}ν be the message space, i.e., all bit strings of size ν. A one-time stegosystem consists of three probabilistic time algorithms S = (SK, SE, SD), where: – SK is the key generation algorithm; it has as input the parameter ν and outputs a key k of length κ (with κ a function of ν). – SE is the embedding procedure, which can access the channel; its input is the security parameter κ, the key k, the message m ∈ M to be embedded, and the history h of previously drawn covertexts. The output is the stegotext s ∈ Σ λ (note that `(ν) = λ will be the stretching of an appropriate error-correcting code). – SD is the extracting procedure; its input is κ, k, and some c ∈ Σ ∗ . The output is a message m ∈ M or fail. A function µ : N → R is called negligible if for every positive polynomial p(. ) 1 . A stegosystem (SK, SE, SD) there exists an N s.t., for all n > N , µ(n) < p(n) is correct, provided that ∀m ∈ M, Pr[SD(1κ , k, SE(1κ , k, h, m)) 6= m | k ← SK(1ν )] = negligible(κ) .

One-time stegosystem security is based on the indistinguishability between a transmission that contains a steganographically embedded message and a transmission that contains no embedded messages. An adversary A against a one-time stegosystem S = (SK, SE, SD) is a pair of algorithms A = (SA1 , SA2 ), that plays the following game, denoted as GA (1κ ) 1. A key k is generated by SK(1ν ). 2. Algorithm SA1 gets as input κ the security parameter and public history h and outputs a message (m∗ , s, hc ) ∈ M × {0, 1}∗ , where s is some additional information. SA1 can access C, via an oracle O(h), which takes the history h as input. O(h) is defined as follows: – it gets a request of SA1 that includes a suggested h. r – it samples c ← Ch . – it returns c to SA1 . 3. A bit b is chosen uniformly at random. – If b = 0 let c∗ ← SE(1κ , k, m∗ , hc ), so c∗ is a stegotext. r – If b = 1 let c∗ = c1 || . . . ||cλ where ci ← Chc ||c1 ||...||ci−1 . κ ∗ 4. The input for SA2 is 1 , c and s. SA2 outputs a bit b0 . If b0 = b then output success else fail. The advantage of the adversary A over a stegosystem S is defined as:   1 A κ κ AdvS (G(1 )) = Pr G(1 ) = success − . 2 The probability includes the coin tosses of A and SE, as well as the coin tosses of G(1κ ). The (information-theoretic) insecurity of the stegosystem is defined as κ InSecS (ν) = max{AdvA S (G(1 ))} . A

The maximum above is quantified over all (time unbounded) adversaries A. 2.1

Error-correcting Codes

Definition 2. Let E = (Enc, Dec) be an error-correcting code for error rate α, where Enc(m) : {0, 1}ν 7→ {0, 1}`(ν) is the encoding function and Dec(m) ¯ : {0, 1}`(ν) 7→ {0, 1}ν the corresponding decoding function. Specifically, we say that E is a (ν, `(ν), α, )-code if Pr[Dec(Enc(m) ⊕ e) = m] ≥ 1 −  where e = (e1 , . . . , e`(ν) ) and each ei is independently distributed in {0, 1} so that Pr[ei = 1] ≤ α. The error correcting code is said to incur a stretching of `(ν) = λ. We remark that the error model adopted above is that of a binary symmetric channel with transition probability 3/8. For such channels, there are constant rate codes for which the probability of error decays exponentially in the length of the codeword. See, e.g., [8, 9] for a discussion of error-correcting coding over binary symmetric channels.

2.2

Function Families and Almost t-wise Independence

In this article, a function family will be a collection of functions from {0, 1}n → {0, 1} denoted as Fκ . We treat such families as indexed by a key k. In particular, Fκ = {fk | k ∈ {0, 1}κ }; note |Fκ | = 2κ . We will employ the notion of (almost) t-wise independent function families (cf. [7], [10]). Definition 3. The family Fκ of Boolean functions on {0, 1}n is said to be away from t-wise independent or (n, t, )-independent if for any t distinct domain elements q1 , q2 , . . . , qt we have X Pr[fk (q1 )fk (q2 ) . . . fk (qt ) = α] − 1 ≤  (1) fk t 2 t α∈{0,1}

where fk chosen uniformly from Fκ . The above is equivalent to the following formulation that is quantified over all computationally unbounded adversaries A: Af [t] κ Af [t] κ [G (1 ) = 1] − Pr [G (1 ) = 1] (2) Pr ≤ r r f ←Fκ

f ←R

where R is the collection of all functions from {0, 1}n to {0, 1} and Af [t] is an unbounded adversary that is allowed to determine up to t queries to the function f before he outputs his bit. We employ the construction of almost t-wise independent sample spaces given by [10], [7]. n on {0, 1}n that are Theorem 1. There exist families of Boolean functions Ft, -away from t-wise independent, are indexed by keys of length κ = 2( 2t + log n + log 1/), and are computable in polynomial time.

2.3

Rejection Sampling

A common method used in steganography employing a channel distribution is that of rejection sampling (cf. [1, 4]). Assuming that one wishes to transmit a single bit m and employs a random function f : {0, 1}d × Σ → {0, 1} that is secret from the adversary he performs the following “rejection sampling” process: rejsamf,i h (m) r c ← Ch if f (i, c) 6= m r then c ← Ch Output: c Here Σ denotes the output alphabet of the channel, h denotes the history of the channel data at the start of the process, and Ch denotes the distribution on Σ given by the channel after history h. The receiver (that is also privy to the function f ) applies the function to the received message c ∈ Σ and recovers

m with probability higher than 1/2. The sender and the receiver may employ a joint state denoted by i in the above process (e.g., a counter), that need not be secret from the adversary. Note that the above process performs only two draws from the channel with the same history (more draws could, in principle, be performed). These draws are typically assumed to be independent. One basic property of rejection sampling that we use is: Lemma 1. If f is drawn uniformly at random from the collection of all functions R = {f : {0, 1}d × Σ → {0, 1} } and all Ch have at least one bit of min-entropy, then for all i ∈ [1, 2d ] and all h, Pr [f (i, rejsamf,i h (mi )) = mi ] ≥

f ←R

5 . 8

See Appendix A for a proof.

3

The construction

In this section we outline our construction for a one-time stegosystem as an interaction between Alice (the sender) and Bob (the receiver). Alice and Bob wish to communicate over a channel with distribution C.nWe assume ofor all h ∈ Σ ∗ that C has a minimum entropy of H∞ (Ch ) = min log2 Pr 1 [x] ≥ 1. Ch

Without loss of generality we assume that the support of Ch is of size |Σ| = 2b . 3.1

A one-time stegosystem

Fixing a message length ν and an alphabet Σ for the channel, Alice and Bob agree on the following: An error-correcting code. Let E = (Enc, Dec) be a (ν, λ = `(ν), 3/8, enc )error-correcting code; A pseudorandom function family. Let Fκ be a function family that is (log λ + log |Σ|, 2λ, F )-independent. Note that each element of the family Fκ is a function fk : {0, . . . , λ − 1} × Σ → {0, 1} and that, in light of Theorem 1, such a function can be expressed with keys of length 2λ + 2(log λ + log |Σ| + log 1/F ). By the Shannon coding theorem, we may take λ = O(ν); thus the coin tosses for the SK algorithm consist of O(ν + log |Σ| + log(1/F )) bits. Alice and Bob communicate using the algorithm SE for embedding and SD for extracting described in Figure 1. In SE, after applying the error-correcting code E, we use rejsamfhk ,i (m) to obtain an element of the channel, denoted as ci . We repeat this procedure for each bit mi to obtain the complete embedding of the message, the stegotext, denoted as cstego . In SD we parse the received stegotext block by block. Again the function fk (the same one as used in SE) is queried with a block and the current counter and a message bit is received. After performing this for each received block, a message of size

PROCEDURE SE: Input: Key k, hidden text m0 , history h let m = Enc(m0 ) parse m as m = m0 ||m1 || . . . ||mλ−1 for i = 0 to λ − 1 { i,f ci =rejsamh k (mi ) set h ← h||ci } Output: cstego = c0 , c1 , . . . , cλ−1 ∈ Σ λ

PROCEDURE SD: Input: Key k, stegotext c

parse cstego as c = c0 , c1 , . . . , cλ−1 for i = 0 to λ − 1 { set m ¯ i = fk (i, ci ) let m ¯ =m ¯ 0, m ¯ 1, . . . , m ¯ λ−1 } Output: Dec(m) ¯

Fig. 1. Encryption and Decryption algorithms for the one-time stegosystem of 3.1.

λ = `(ν) is received; by decoding the error-correcting code; we then obtain the original message size ν. Note that we sample at most twice from the channel for each bit we wish to send. The error-correcting code is needed to recover from the errors introduced by this process. The detailed security and correctness analysis follow in the next two sections. 3.2

Correctness

We focus on the mapping between {0, 1}λ and Σ λ (λ = `(ν)) that is performed within the SE procedure of the one-time stegosystem of the previous section. In particular, for an initial history h and a function f : {0, . . . , λ − 1} × Σ → {0, 1}, consider the following: Recall that the key k determines a function fk

Pfh : {0, 1}λ → Σ λ

input: h, m1 , . . . , mλ ∈ {0, 1} for i = 0 to λ − 1 ci =rejsami,f h (mi ) h ← h||ci output: c1 , . . . , cλ ∈ Σ

for which the covertext of the message m is P fk (m) = Phfk (m), where h is the initial history. We remark now that the procedure defining P f samples f at no more than 2λ points and that the family F used in SE is in fact F -away from 2λ-wise independent. For a string c = c1 , . . . , cλ ∈ Σ λ and a function f , let Rf (c) = (f (0, c1 ), . . . , f (λ − 1, cλ )) ∈ {0, 1}λ . By Lemma 1 above, each bit is independently recovered by this process with probability at least 5/8. As E is an (ν, λ, 3/8, enc )-error-correcting code, we conclude that Pr [Rf (Phf (m)) = m] ≥ 1 − enc .

f ←R

This is a restatement of the correctness analysis of Hopper, et al [4]. Note, however, that the procedure defining Rf (Phf (·)) involves no more than 2λ samples

of f , and thus by the condition (2) following Definition 3, Pr [Rf (Phf (m)) = m] ≥ 1 − enc − F

f ←F

(3)

so long as F is (log λ+log |Σ|, 2λ, F )-independent. (We remark that as described above, the procedure Phf depends on the behavior of channel; note, however, that if there were a sequence of channel distributions which violated (3) then there would be a fixed sequence of channel responses, and thus a deterministic process P f , which also violated (3).) To summarize Lemma 2. With SE and SD described as above, the probability that a message m is recovered from the stegosystem is at least 1 − enc − F . 3.3

Security

In this section we argue about the security of our one-time stegosystem. First we will show that the output of the rejection sampling function rejsamf,i h , as employed here, is indistinguishable from the channel distribution Ch , if we use a truly random function f . (This is a folklore result implicit in previous work.) In the second part we show that when we use fk ∈ Fκ , a function, that is F away from 2λ-wise independent, the advantage of an adversary A to distinguish between the output of the protocol and Ch is bounded by . Let R = {f | {0, 1}d+b → {0, 1}}, where d is the size of the counter and b = log |Σ| is the number of bits required to express a channel element. First we characterize the probability distribution of the rejection sampling function: Proposition 1. The function rejsamf,i h (m) is random variable with probability distribution expressed by the following function: Let c ∈ Σ and m ∈ {0, 1}. Denote the failure probability as fail = Prc0 ←Ch [f (i, c0 ) 6= m]. It holds that ( Prc0 ←Ch [c0 = c] · (1 + fail) if f (i, c) = m , f,i Pr[rejsamh (m) = c] = Prc0 ←Ch [c0 = c] · fail if f (i, c) 6= m . Lemma 3. For any h, i, m, the random variable rejsamf,i h (m) is perfectly indistinguishable from the channel distribution Ch when f is drawn uniformly at random from the space of all functions R. The proofs these statements appear in Appendix A. Having established the behavior of the rejection sampling function when a truly random function is used, we proceed to examine the behavior of rejection sampling in our setting where the function is drawn from a function family that is -away from 2λ-wise independence. In particular we will show that the insecurity of the defined stegosystem is characterized as follows: Theorem 2. The insecurity of the stegosystem S of section 3.1 is bound by , i.e., InSecS (ν) ≤ , where  is the bias of the almost 2λ-wise independent function family employed; recall that λ = `(ν) is the stretching of the input incurred due to the error-correcting code. The proof appears in Appendix A.

3.4

Putting it all together

Let us now turn to the following question: suppose that we want to transmit a number of bits ν so that the probability of transmission error is err and the statistical distance from uniform we are willing to tolerate is sec . How long must be the key used in the one-time stegosystem? Below we establish that we need 2`(ν) + 2 log |Σ| + polylog(ν) bits where `(·) is the stretch due to error correction. Theorem 3. In order to transmit ν bits with transmission error err and statistical distance from uniform sec using the one-time stegosystem of section 3.1 over a covertext channel that has a support set Σ and using an error-correcting code that requires stretching `(·) and decoding error of ecc the sender and the receiver need to share a key of length
2 `(ν) + log `(ν) + log |Σ| + ln(err − ecc )−1 + log −1 . sec Note that if a key of length `(ν)+log |Σ|+polylog(ν) is used, then the insecurity of the system is a negligible function of `(ν). We remark that selecting ecc , err , sec to be small constants (e.g. 2−80 ) is sufficient for correctness and security in practice.

4

A provably secure stegosystem for longer messages

In this section we show how to apply the “one-time” stegosystem of Section 3.1 together with a pseudorandom number generator so that longer messages can be transmitted. Definition 4. Let Ul denote the uniform distribution over {0, 1}l . A polynomial time deterministic program G is a pseudorandom generator (PRNG) if the following conditions are satisfied: 1. Variable output: For all seeds x ∈ {0, 1}∗ and y ∈ N, it holds that |G(x, 1y )| = y and G(x, 1y ) is a prefix of G(x, 1y+1 ). 2. Pseudorandomness: For every polynomial p the set of random variables {G(Ul , 1p(l) )}l∈N is computationally indistinguishable from the uniform distribution Up(l) . 0

Note that there is a procedure G0 that if z = G(x, 1y ) it holds that G(x, 1y+y ) = 0 G0 (x, z, 1y ) (i.e., if one maintains z, one can extract the y 0 bits that follow the first y bits without starting from the beginning). For a PRNG G, if A is some statistical test, then we define the advantage of A over the PRNG as follows: AdvA Pr [A(ˆl) = 1] − Pr [A(ˆl) = 1] G (l) = ˆl←G(Ul ,1p(l) ) ˆ l←Up(l) The insecurity of the PRNG G is then defined RN G InSecP (l) = maxA {AdvA G G (l)} .

Note that typically in PRNGs there is a procedure G0 as well as the process G(x, 1y ) produces some auxiliary data auxy of small length so that the right0 0 most y 0 bits of G(x, 1y+y ) may be sampled directly as G0 (x, 1y , auxy ). Consider 0 0 0 now the following stegosystem S = (SE , SD ) that can be used for arbitrary many and long messages and employs a PRNG G and the one-time stegosystem (SK, SE, SD) of Section 3.1. The two players Alice and Bob, share a key of length l denoted by x. They also maintain a state N that holds the number of bits that have been transmitted already as well the auxiliary information auxN (initially empty). The function SE 0 is given input N, auxN , x, m ∈ {0, 1}ν where m is the message to be transmitted. SE 0 in turn employs the PRNG G to extract a number of bits κ as follows k = G0 (x, 1κ , auxN ). The length κ is selected to match the number of key bits that are required to transmit the message m using the one-time stegosystem of section 3.1. Once the key k is produced by the PRNG the procedure SE 0 invokes the one-time stegosystem on input k, m, h. After the transmission is completed the history h, the count N , as well as the auxiliary PRNG information auxN are updated accordingly. The function SD0 is defined in a straightforward way based on SD. Theorem 4. The stegosystem S 0 = (SE 0 , SD0 ) is provably secure in the model of [4] (universally steganographically secret against chosen hiddentext attacks); P RN G in particular InSecSS (t + γ(`(l)), `(l) + polylog(l)) (where S 0 (t, q, l) ≤ InSec t is the time required by the adversary, q is the number of chosen hiddentext queries it makes, l is the total number of bits across all queries and γ(v) is the time required to simulate the SE 0 oracle for v bits).

4.1

Performance Comparison of the Stegosystem S 0 and the Hopper, Langford, von Ahn System

Let us fix an (ν, λ, 3/8, enc )-error-correcting code E. Then the system of Hopper, et al. [4] correctly decodes a given message with probability at least enc and makes no more than 2λ calls to a pseudorandom function family. Were one to use the pseudorandom function family of Goldreich, Goldwasser, and Micali [5], then this involves production of Θ(λ · k · (log(|Σ|) + log λ)) pseudorandom bits, where k is the security parameter of the pseudorandom function family. Of course, the security of the system depends on the security of the underlying pseudorandom generator. On the other hand, with the same error-correcting code, the steganographic system described above utilizes O(λ+log |Σ|+log(1/F )) pseudorandom bits, correctly decodes a given message with probability enc + F , and possesses insecurity no more than F . In order to compare the two schemes, note that by selecting F = 2−k , both the decoding error and the security of the two systems differ by at most 2−k , a negligible function in terms of the security parameter k. (Note also that pseudorandom functions utilized in the above scheme have security no better than 2−k with security parameter k.) In this case our system uses Θ(λ + log |Σ| + k) (pseudorandom) bits, a dramatic improvement over the Θ(λk log(|Σ|λ)) bits of the scheme above.

References 1. Cachin, C.: An information-theoretic model for steganography. In: Information Hiding. (1998) 306–318 2. Z¨ ollner, J., Federrath, H., Klimant, H., Pfitzmann, A., Piotraschke, R., Westfeld, A., Wicke, G., Wolf, G.: Modeling the security of steganographic systems. In: Information Hiding. (1998) 344–354 3. Mittelholzer, T.: An information-theoretic approach to steganography and watermarking. In: Information Hiding. (1999) 1–16 4. Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: CRYPTO. (2002) 77–92 5. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33 (1986) 792–807 6. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51 (2004) 231–262 7. Alon, N., Goldreich, O., H˚ astad, J., Peralta, R.: Simple construction of almost kwise independent random variables. Random Struct. Algorithms 3 (1992) 289–304 8. van Lint, J.: Introduction to Coding Theory. 3rd edition edn. Number 86 in Graduate Texts in Mathematics. Springer-Verlag (1998) 9. Gallager, R.G.: A simple derivation of the coding theorem and some applications. IEEE Transactions on Information Theory IT-11 (1965) 3–18 10. Naor, J., Naor, M.: Small-bias probability spaces: Efficient constructions and applications. SIAM J. Comput. 22 (1993) 838–856

A

Proofs

Proof (of Lemma 1). To ease the notation let f = fk . The event Ei can be defined as:  [f (i, c1 ) = mi ] ∨ Ei = [f (i, c1 ) 6= mi ∧ f (i, c2 ) = mi ] where c1 , c2 are two independent random variables distributed according to the channel distribution Ch . Recall that Σ = {c0 , c1 , . . . cn } is the support of the channel and each element ci ∈ Σ has assigned a probability pi . We define two events: – D: This is the event that two different symbols are drawn from the channel, i.e. c1 6= c2 ¯ This event describes that twice the same symbol is drawn, i.e. c1 = c2 – D: It follows easily that Pr[Ei = 1] = Pr[f (i, c1 ) = mi ] + Pr[(f (i, c1 ) 6= mi ) ∧ (f (i, c2 ) = mi )] . Now observe that Pr[f (i, c1 ) = mi ] = 21 , since it holds that f was selected uniformly at random from R. For the second summand let the event A be f (i, c1 ) 6= mi ) ∧ (f (i, c2 ) = mi . Now we have ¯ Pr[D] ¯ . Pr[A] = Pr[A|D]Pr[D] + Pr[A|D]

¯ ¯ = 0. Also, In this equation we see that the second addend Pr[A|D]Pr[ D] Pr[A|D]Pr[D] =

1 · Pr[D] , 4

since f is drawn uniformly at random from R . So we get: Pr[Ei = 1] =

1 1 + · Pr[D] . 2 4

To obtain Pr[D], let ci be the symbol with the highest probability pi , i.e. ∀j pj ≤ pi , then ¯ = p2 + p2 + · · · + p2n ≤ pi (p0 + p1 + · · · + pn ) Pr[D] 0 1 = pi Therefore Pr[D] ≥ 1 − pi and Pr[Ei = 1] ≥

1 1 + · (1 − pi ) . 2 4

Since we assume H∞ (C) ≥ 1, we must have pi ≤ Pr[Ei = 1] ≥ > =

1 2 1 2 5 8

+ + .

1 4 1 8

1 2

so the success probability is

· (1 − pi )

t u Proof (of Proposition 1). Let c1 and c2 be the two (independent) samples drawn from Ch during rejection sampling. (For simplicity, we treat the process as having drawn two samples even in the case where it succeeds on the first draw.) Let pc = Prc0 ←Ch [c0 = c]. Note, now, that in the case where f (i, c) 6= m, the value c is the result of the rejection sampling process precisely when f (i, c1 ) 6= m and c2 = c; as these samples are independent, this occurs with probability fail · pc . In the case where f (i, c) = m, however, we observe c whenever c1 = c or f (i, c1 ) 6= m and c2 = c. As these events are disjoint, their union occurs with probability pc · (fail + 1), as desired. t u Proof (of Lemma 3). Let f be a random function, as described in the statement of the lemma. Fixing the elements i, c, and m, we condition on the event E6= , that f (i, c) 6= m. In light of Proposition 1, for any f drawn under this conditioning we shall have that Pr[rejsamf,i h (m) = c] is equal to Pr [c0 = c] · failf = pc · failf ,

c0 ←Ch

where we have written failf = Prc0 ←Ch [f (i, c0 ) 6= m] and pc = Prc0 ←Ch [c0 = c]. Conditioned on E6= , then, the probability of observing c is   1 Ef [pc · failf | E6= ] = pc pc + (1 − pc ) . 2

Letting E= be the event that f (i, c) = m, we similarly compute   1 Ef [pc · failf | E= ] = pc 1 + (1 − pc ) . 2 As Pr[E= ] = Pr[E6= ] = 1/2, we conclude that the probability of observing c is exactly      1 1 − pc 1 − pc p c pc + + pc 1 + = pc , 2 2 2 t u

as desired.

Proof (of Theorem 2). Let us play the following game G(1κ ) with the adversary A A: In each round we either select GA 1 or G2 : κ GA 1 (1 ) 1. k ← {0, 1}κ O(h) 2. (m∗ , s) ← SA1 (1κ , h), m∗ ∈ {0, 1}ν r 3. b ← {0,  1} k c0 , c1 , . . . cλ−1 ci = rejsami,f h (mi ), h = h||c 4. c∗ = from the channel 5. b∗ ← SA2 (c∗ , s) 6. if b = b∗ then success κ GA 2 (1 ) 1. f ←R O(h) 2. (m∗ , s) ← SA1 (1κ , h), m∗ ∈ {0, 1}ν r 3. b ← {0,  1} k c0 , c1 , . . . cλ−1 ci = rejsami,f h (mi ), h = h||c 4. c∗ = from the channel 5. b∗ ← SA2 (c∗ , s) 6. if b = b∗ then success

if b = 0 if b = 1

if b = 0 if b = 1

∗ κ O(h),c∗ ←SE(k,. ,. ,. ) = 1] − Pr[AO(h),c ←Ch = 1] AdvA S (G(1 )) = Pr[A = Pr [G(1κ ) = 1] − Pr [G(1κ ) = 1] ≤  f ←Fκ

f ←R

And the lemma follows by the definition of insecurity.

t u