Proofs of Security Theorems from Lecture IV
Semantic security of randomized CTR mode
Theorem 1. Let E be a block cipher over (K, X) that is ε-secure for some
negligible ε. Then for any fixed IV , the cipher ECTR is δ-semantically secure
for
δ = 2ε +
n2
2|X|
,
where n is the maximal number of blocks per message (i.e., M = X≤n
).
Setup Let δ > 0 be arbitrary, We prove the following: for any semantic
security adversary B which achieves advantage δ against ECTR, there exists a
PRP-adversary A which achieves advantage δ
2 − n2
4|X| against the block cipher E.
Hence, if all PRP-adversaries achieve advantage at most ε against E (i.e., if E is
an ε-secure block cipher), we know that there cannot be an adversary against
ECTR achieving advantage larger than δ = 2ε + n2
2|X| .
Constructing A using B Let B be a semantic security adversary and let δ
be its advantage against ECTR. We construct a PRP-adversary A as follows:
1. First, A samples a bit b from {0, 1} and a key k from K, both uniformly
at random. This is to simulate a semantic security attack game for B.
2. Then A queries B for its two messages m0 and m1 (we know that they
must be of the same length). Let
m0 = z0,1 || z0,2 || · · · || z0,n
m1 = z1,1 || z1,2 || · · · || z1,n,
where the zi,j are the individual message blocks.
3. A then outputs n as the number of rounds it is going to play the PRP
attack game. For each 1 ≤ i ≤ n it sets xi to [i]X , i.e. to a block containing
the binary representation of number i.
4. A proceeds to interact with its own challenger: in every round 1 ≤ i ≤ n
it sends out the block xi computed in the previous step and receives the
corresponding block yi.
1
5. After the final round, A computes the ciphertext c = zb,1 ⊕ y1 || zb,2 ⊕
y2 || · · · || zb,n ⊕ yn and gives c to B.
6. Finally, A observes B’s output. If the output matches b (i.e., if B wins the
game which A simulated for him), A outputs fake, otherwise it outputs
rand.
A’s advantage We now want to compute A’s advantage in its PRP attack
game. Let us briefly recall how this game proceeds. The challenger randomly
samples m ∈ {rand, fake}.
• If m = rand, the challenger chooses a permutation f ∈ Π(X) uniformly
at random.
• If m = fake, the challenger chooses a key k ∈ K uniformly at random and
sets f to E(k, ·), where E is the encryption function of the block cipher
E.
In both cases, the challenger then interacts with A in the n rounds as follows:
in every round i, upon receiving the block xi, it computes yi = f(xi) and sends
yi back to A.
For brevity, let us denote by Bw the event that B wins its simulated game
(i.e., correctly guesses A’s bit b) and by Bl the event that B loses. Similarly, let
us denote by Mf the event that m = fake and by Mr the event that m = rand.
The probability that A wins this attack game can be written, using the law of
total probability1
, as
P(A wins) = P(Mf ) · P(Bw | Mf ) + P(Mr) · P(Bl | Mr)
=
1
2
· P(Bw | Mf ) +
1
2
· P(Bl | Mr). (1)
Let us evaluate (or at least bound) each term in (1) individually.
Evaluating P(Bw | Mf ) Observe that if m = fake, then the sequence of
blocks y1 || y2 || · · · || yn produced by the interaction of A and its challenger is
really a keystream that would be produced by the counter mode of E when
using key k and IV equal to [1]X . Hence, in this case the message c is indeed an
encryption of mb produced by ECTR using these parameters. Hence, from B’s
point of view, the whole probabilistic experiment is really a semantic security
attack game against ECTR, in which he has, by our assumption, advantage δ.
Hence, the probability that he will win in this case equals
P(Bw | Mf ) =
1
2
+ δ. (2)
1https://en.wikipedia.org/wiki/Law_of_total_probability
2
Bounding P(Bl | Mr): Cheating game This part is trickier. First, let’s
have the following thought experiment: imagine that in the whole process, the
PRP challenger is cheating: if m = rand he will skip any random choice of
f ∈ Π(X). Instead, whenever the challenger a block xi from A, he will simply
sample a block yi uniformly at random from X and sends it back to A. Let us
call this altered game a cheating game and denote its accompanying probability
measure by Pch .
Observe that in the cheating game, if m = rand, then y1 || y2 || · · · || yn is
a keystream produced according to the perfectly secure one-time pad (OTP)
cipher. Hence, in this case, from B’s point of view the whole process is the
same as the semantic security attack game against OTP. Since OTP is perfectly
secure, any adversary, including B, has zero advantage against it. Hence,
Pch (Bw | Mr) =
1
2
(3)
and thus
Pch (Bl | Mr) = 1 − Pch (Bw | Mr) =
1
2
. (4)
Cheating vs. non-cheating game However, Pch (Bl | Mr) ̸= P(Bl | Mr)
since, Pch ̸= P. To see this, note that in the cheating game, if m = rand, it
is possible for the keystream to contain two occurrences of the same block, i.e.
yi = yj for some i ̸= j might happen with a positive probability. In the original
game, this cannot happen, since f is always chosen to be a permutation and the
blocks xi supplied by A are pairwise distinct (they form an increasing sequence
of binary-encoded values).
In essence, the cheating game can be viewed as a variant of the original
game in which, in the case m = rand, the challenger does not randomly sample
a permutation but an arbitrary (possibly non-injective) function of type X → X.
Sampling a random function allows, for each input block, to select the output
block uniformly at random from all possible blocks (even those that already
appeared before), which is exactly what happens in the cheating game. The
question of how this influences the probabilities of winning is addressed in what
follows.
Bounding P(Bl | Mr) Let C (short for “collision”) be the event that there are
1 ≤ i < j ≤ n such that yi = yj and let C be the event that no such collision
happens. By the law of total probability, we have:
Pch (Bw | Mr) = Pch (C | Mr)·Pch (Bw | Mr∧C)+Pch (C | Mr)·Pch (Bw | Mr∧C).
(5)
Noting that all the probabilities are non-negative, we can get rid of the first
term on the right-hand side of (5) to get
Pch (Bw | Mr) ≥ Pch (C | Mr) · Pch (Bw | Mr ∧ C). (6)
3
Now observe that if a collision does not happen in the cheating game, then
this game evolves in exactly the same way as the original game. The original
game is exactly the cheating game constrained by the condition that a collision
never happens in the case when m = rand. In particular, Pch (A | Mr ∧ C) =
P(A | Mr) for any event A.2
This can be plugged into (6) to get
Pch (Bw | Mr) ≥ Pch (C | Mr) · P(Bw | Mr).
By rearranging and using (3) we get
P(Bw | Mr) ≤
Pch (Bw | Mr)
Pch (C | Mr)
=
1
2 · Pch (C | Mr)
. (7)
Hence,
P(Bl | Mr) = 1 − P(Bw | Mr)
≥ 1 −
1
2 · Pch (C | Mr)
=
2 · Pch (C | Mr) − 1
2 · Pch (C | Mr)
≤1
≥
2 · Pch (C | Mr) − 1
2
= Pch (C | Mr)
=1−Pch (C|Mr)
−
1
2
=
1
2
− Pch (C | Mr).
Thus, we proved that
P(Bl | Mr) ≥
1
2
− Pch (C | Mr). (8)
To conclude our proof, it remains to bound the probability Pch (C | Mr) of a
collision happening in the cheating game.
Probability of collision Recall that a cheating game having a collision (in
the case when m = rand) means that there are two distinct block indices 1 ≤
i < j ≤ n such that yi = yj. For a given pair of distinct indices i, j we have
Pch (yi = yj | Mr) =
1
|X|
(the yi can be fixed arbitrarily but then yj, which is sampled uniformly from
X, must be sampled to the same value as yi). Using union bound 3
we get
2We do not prove this formally, but note that the probability of generating a concrete
keystream y1 || . . . || yn is the same under Pch (· | Mr ∧ C) and P(· | Mr) – this can be proved
directly using the definition of conditional probability. Since B’s decisions depend only on the
ciphertext he receives, and any difference in the ciphertexts he receives in the two games must
be caused by the difference of the keystream, the equality follows.
3https://en.wikipedia.org/wiki/Boole%27s_inequality
4
Pch (C | Mr) ≤
1≤i<j≤n
Pch (yi = yj | Mr) =
1≤i<j≤n
1
|X|
=
1
|X|
·
n−1
i=1
i
=
(n − 1)n
2|X|
≤
n2
2|X|
(9)
Completing the proof The bound on the collision probability (9) can be
plugged in the bound (8) on the probability of B when m = rand to get
P(Bl | Mr) ≥
1
2
−
n2
2|X|
. (10)
The bounds (10) and (2) can then be plugged into (1) to get
P(A wins) ≥
1
4
+
δ
2
+
1
4
−
n2
4|X|
=
1
2
+
δ
2
−
n2
4|X|
.
Hence, A achieves advantage δ
2 − n2
4|X| , as desired.
CPA security of randomized CTR mode
Theorem 2. Let E be an ε-secure block cipher over (K, X), with n being the
maximal number of blocks per message. Then the cipher EP
CTR is δ-secure against
all q-bounded adversaries, where
δ = 2ε +
q2
n
|X|
+
qn2
|X|
.
The line of reasoning behind the proof is very similar to the semantic security
case. Hence, we present only a sketch of the proof focusing on the differences
between the semantic security and CPA cases. We advise the reader to first
get the grasp of the semantic security proof and then try to generalize it to the
CPA security case as an exercise.
Setup We need to show that for each EP
CTR-adversary B achieving advantage
δ there is a E-adversary A achieving advantage at least δ
2 − q2
n
2|X| − qn2
2|X| .
Constructing A using B The adversary A will play the PRP attack game
while internally simulating a CPA attack game to its “black box” B. Formally:
1. First, A samples a bit b from {0, 1} and a key k from K, both uniformly
at random.
5
2. Then it queries B for the number of rounds q. In each round 1 ≤ k ≤ q it
proceeds as follows:
(a) It queries B for two messages mk
0 and mk
1. Let
mk
0 = zk
0,1 || zk
0,2 || · · · || zk
0,n
mk
1 = zk
1,1 || zk
1,2 || · · · || zk
1,n,
where the zk
i,j are the individual message blocks.
(b) A then randomly samples the initialization vector IV k
. For each
1 ≤ i ≤ n it sets xk
i to [IV + i − 1]X , i.e. to a block containing the
binary representation of number IV + i − 1.
(c) A proceeds to interact with its own challenger: for 1 ≤ i ≤ n it
sends out the block xk
i computed in the previous step and receives
the corresponding block yk
i .
(d) Then, A computes the ciphertext ck
= zk
b,1⊕yk
1 || zk
b,2⊕yk
2 || · · · || zk
b,n⊕
yk
n and gives ck
to B.
3. After the final round of the simulated CPA game, A observes B’s output.
If the output matches b (i.e., if B wins the game which A simulated for
him), A outputs fake, otherwise it outputs rand.
A’s advantage Equation (1) is derived in exactly the same way as in the
semantic security case. In what follows, we will use the same notation for
events as in the previous proof.
Evaluating P(Bw | Mf ) As before, in case that the challengers bit is fake,
then A truthfully simulates the CPA attack game against EP
CTR for B. Hence,
the probability of B winning is again 1
2 + δ, as in (2).
Bounding P(Bl | Mr) This is again the trickier part and we will again use a
concept of a cheating game. However, in this case the argument is a bit more
complex than in the semantic security case.
Recall that the purpose of the cheating game is to create a game in which B
clearly has zero advantage. We then analyze the “distance” between the original
game and the cheating game to bound B’s advantage in the original game.
To ensure that B has zero advantage, it suffices to ensure that the ciphertexts
ck
it receives are statistically independent of the messages mk
0, mk
1 it sends. This
would be the case, e.g., if A generated ck
in a completely random way. We
know that A is not doing that, but if we knew that each “masking” block yk
i
was generated uniformly at random, then the probability distribution over the
resulting ck’s would be the same as if ck
’s were generated uniformly at random:
let’s call such a process a cheating game and let Pch be the associated probability
measure.
6
Two types of collisions Let’s again discuss how the cheating game differs
from the original game, where yk
i ’s are computed by passing xk
i ’s through a
permutation f randomly sampled at the beginning of the game. There are two
types of events on which the two games differ: call them collision of type 1 and
2, respectively:
• Collision of type 1 (or C1 for short) is the event that there exist 1 ≤ i ≤
j ≤ n and 1 ≤ k ≤ q such that xk
i ̸= xk
j but yk
i = yk
j .
• Collision of type 2 (or C2 for short) is the event that there exist 1 ≤ i ≤
j ≤ n and 1 ≤ k < ℓ ≤ q such that xk
i = xℓ
j.
A collision (C) is an event that either C1 or C2 happens: C = C1 ∨ C2. We
claim that P(A | C) = Pch (A | C) for any event A. The idea is that collision of
type 1 can happen only in the cheating game, but not in the original game, since
f is always injective. Similarly, if collision of type 2 happens, then yk
i always
equals yℓ
j in the original game (since f is a function), but not necessarily in
the cheating game, where the yk
’s are sampled independently of xk
’s. However,
once we prohibit the two types of collisions from happening, the two games are
statistically indistinguishable.
Bounding B’s advantage Using the same computation as in the semantic
security case we derive
P(Bl | Mr) ≥
1
2
− Pch (C | Mr). (11)
It thus suffices to bound Pch (C | Mr). By union bound we get
Pch (C | Mr) ≤ Pch (C1 | Mr) + Pch (C2 | Mr).
First consider Pch (C1 | Mr). For each round k we can use the same argument
as in (9) to get the bound n2
2|X| on the probability of two y-blocks being equal
in that round. Since in total we perform q rounds, we get
Pch (C1 | Mr) ≤
qn2
2|X|
. (12)
Now consider Pch (C2 | Mr). Let us fix some k, ℓ such that k < ℓ. The
probability that xk
i = xℓ
j for some i, j ≤ n equals the probability that the
intervals [IV k
, IV k
+ n − 1] and [IV ℓ
, IV ℓ
+ n − 1] do overlap. The overlap
happens if and only if IV k
− n + 1 ≤ IV ℓ
≤ IV k
+ n − 1. Since the IV’s are
sampled uniformly from {0, 1, . . . , |X| − 1}, the probability that IV ℓ
falls into
the required interval is 2n−1
|X| ≤ 2n
|X| . This is a probability of type 2 collision
happening for a concrete choice of k, ℓ, so we need to sum it over all the possible
q(q−1)
2 ≤ q2
2 choices, yielding the bound
Pch (C2 | Mr) ≤
nq2
|X|
. (13)
7
Finishing the proof We proceed as in the semantic security case, but with
the collision bounds derived in the previous paragraph. Thus,
P(A wins) ≥
1
4
+
δ
2
+
1
4
−
qn2
4|X|
−
nq2
2|X|
,
and A achieves advantage at least δ
2 − qn2
4|X| − nq2
2|X| ≥ δ
2 − qn2
2|X| − nq2
2|X| as required.
8