1 Introduction

The problem of compression has been extensively studied in the field of information theory and, more recently, in computational complexity and cryptography [23, 27, 40, 42]. Informally, given a distribution \(X\), compression aims to efficiently encode samples from \(X\) as short strings while at the same time being able to efficiently recover these samples. While the typical information-theoretic study of compression considers the case of compressing multiple independent samples from the same source X, its study in computer science, and in particular in this work, considers the “single-shot” case. Compression in this setting is closely related to randomness condensers [18, 34, 38, 39] and resource-bounded Kolmogorov complexity [32, 33] – two well-studied problems in computational complexity. Randomness condensers, which relax randomness extractors, are functions that efficiently map an input distribution into an output distribution with a higher entropy rate. A randomness condenser can be viewed as an efficient compression algorithm, without a corresponding efficient decompression algorithm. The resource-bounded Kolmogorov complexity of a string is the smallest description length of an efficient program that outputs this string. This program description can be viewed as a compressed string, such that decoding is efficiently possible, while finding the compressed string may be inefficient.

An important property of efficient compression algorithms, which combines the efficiency features of randomness condensers and resource-bounded Kolmogorov complexity, is their ability to efficiently produce “random-looking” outputs while allowing the original input to be efficiently recovered. Despite the large body of work on compression and its computational variants, this fundamental property has, to our knowledge, never been the subject of a dedicated study. In this work, we fill this gap by initiating such a study. Before formalizing the problem, we give a simple motivating example.

Consider the goal of encrypting a sample x from a distribution X (say, a random 5-letter English word from the Merriam-Webster Dictionary) using a low-entropy secret key k. Applying a standard symmetric-key encryption scheme with a key derived from k gives rise to the following brute-force attack: Try to decrypt with different keys until obtaining \(x'\) in the support of X. In the typical case that wrong keys always lead to \(x'\) outside the support of X, this attack successfully recovers x. Variants of this attack arise in different scenarios, including password-authenticated key exchange [4], honey encryption [30], subliminal communication and steganography [26], and more. A natural solution is to use perfect compression: if x can be compressed to a uniformly random string \(\hat{x}\in \{0,1\}^n\) before being encrypted, it cannot be distinguished from another random string \(\hat{x}'\in \{0,1\}^n\) obtained by trying the wrong key. Note, however, that compression may be an overkill for this application. Instead, it suffices to efficiently encode x into a (possibly longer) pseudorandom string from which x can be efficiently decoded. This more general solution motivates the question we consider in this work.

Encoding into the Uniform Distribution. We initiate the study of encoding distributions into a random-looking distribution. Informally, we say that a distribution ensemble \(X_\lambda \) admits a pseudorandom encoding if there exist efficient encoding and decoding algorithms \((\mathsf {E}_{X}, \mathsf {D}_{X})\), where \(\mathsf {D}_{X}\) is deterministic, such that

$$\begin{aligned} \Pr \big [y\leftarrow X_\lambda :\mathsf {D}_{X}(\mathsf {E}_{X}(y))=y&\big ]\text { is overwhelming and} \end{aligned}$$
(1)
$$\begin{aligned} \big \{y\leftarrow X_\lambda :\mathsf {E}_{X}(y)&\big \}\approx U_{n(\lambda )}\text {.} \text {} \end{aligned}$$
(2)

Here, “\(\approx \)” denotes some notion of indistinguishability (we will consider both computational and statistical indistinguishability), and the probability is over the randomness of both \(\mathsf {E}_{X}\) and \(X_\lambda \). The polynomial \(n(\lambda )\) denotes the output length of the encoding algorithm \(\mathsf {E}_{X}\). We refer to Eq. (1) as correctness and to Eq. (2) as pseudorandomness. It will also be useful to consider distribution ensembles parameterized by an input m from a language \(L\). We say that such a distribution ensemble \((X_m)_{m\in L}\) admits a pseudorandom encoding if there exist efficient algorithms \((\mathsf {E}_{X}, \mathsf {D}_{X})\) as above satisfying correctness and pseudorandomness for all \(m\in L\), where \(\mathsf {E}_{X}\) and \(\mathsf {D}_{X}\) both additionally receive m as input. Note that we insist on the decoding algorithm being efficient. This is required for our motivating applications.Footnote 1 Note also that encoding and decoding above are keyless; that is, we want encoded samples to be close to uniform even though anyone can decode them. This is a crucial distinction from, for instance, encryption schemes with pseudorandom ciphertexts, which look uniformly distributed to everyone except the owner of the decryption key, and cannot be efficiently decrypted except by the owner of the decryption key. Here, we seek to simultaneously achieve pseudorandomness and correctness for all parties.

Our motivation for studying pseudorandom encodings stems from the fact that this very natural problem appears in a wide variety of – sometimes seemingly unrelated – problems in cryptography. We already mentioned steganography, honey encryption, and password-authenticated key exchange; we will cover more such connections in this work. Yet, this notion of encoding has to our knowledge never been studied systematically. In this work we study several natural flavors of this notion, obtain positive and negative results about realizing them, and map their connections with other problems in cryptography.

The main focus of this work is on the hypothesis that all efficiently samplable distributions admit a pseudorandom encoding. Henceforth, we refer to this hypothesis the pseudorandom encoding hypothesis \((\mathsf{PREH})\).

For describing our results, it will be convenient to use the following general notion of efficiently samplable distributions. A distribution family ensemble \((X_m)_{m\in L}\) (for some language \(L\subseteq \{0, 1\}^*\)) is efficiently samplable if there exists a probabilistic polynomial time (PPT) algorithm \(S\) such that \(S(m)\) is distributed according to \(X_m\) for every \(m\in L\). In case the distribution does not depend on additional inputs, \(L\) can be considered equal to \(\mathbb {N}\).

Overview of Contributions. Following is a brief summary of our main contributions. We will give an expanded overview of the contributions and the underlying techniques in the rest of this section.

  • We provide a unified study of different flavors of pseudorandom encodings (PRE) and identify computational, randomized PRE in the CRS model as a useful and achievable notion.

  • We establish a two-way relation between PRE and the previously studied notion of invertible sampling This reveals unexpected connections between seemingly unrelated problems in cryptography (e.g., between adaptively secure computation for general functionalities and “honey encryption”).

  • We bootstrap “adaptive PRE” from “static PRE” As a consequence, one can base succinct adaptively secure computation on standard \(\mathsf{iO}\) as opposed to subexponential \(\mathsf{iO}\) [15].

  • We use PRE to obtain a compiler from standard secure multiparty computation (MPC) protocols to covert MPC protocols.

1.1 Flavors of Pseudorandom Encoding

The notion of pseudorandom encoding has several natural flavors, depending on whether the encoding algorithm is allowed to use randomness or not, and whether the pseudorandomness property satisfies a computational or information-theoretic notion of indistinguishability. We denote the corresponding hypotheses that every efficiently samplable distribution can be pseudorandomly encoded according to the above variants as \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\), \(\mathsf{PREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{rand}}}\), \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) and \(\mathsf{PREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{det}}}\).Footnote 2

Further, we explore relaxations which rely on a trusted setup assumption: we consider the pseudorandom encoding hypothesis in the common reference string model, in which a common string sampled in a trusted way from some distribution is made available to the parties. This is the most common setup assumption in cryptography and it is standard to consider the feasibility of cryptographic primitives in this model to overcome limitations in the plain model. That is, we ask whether for every efficiently samplable distribution \(X\), there exists an efficiently samplable CRS distribution and efficient encoding and decoding algorithms \((\mathsf {E}_{X}, \mathsf {D}_{X})\) as above, such that correctness and pseudorandomness hold, where the encoding and decoding algorithm as well as the distinguisher receive the CRS as input, and the distributions in Eqs. (1) and (2) are additionally over the choice of the CRS.

Considering distributions which may depend on an input \(m\in L\) further entails two different flavors. On the one hand, we consider the notion where inputs m are chosen adversarially but statically (that is, independent of the CRS) and, on the other hand, we consider the stronger notion where inputs m are chosen adversarially and adaptively depending on the CRS. We henceforth denote these variants by the prefix “\(\mathsf {c}\)” and “\(\mathsf {ac}\)”, respectively.

Static-to-Adaptive Transformation. The adaptive notion, where inputs may be chosen depending on the CRS, is clearly stronger than the static notion. However, surprisingly, the very nature of pseudorandom encodings allows one to apply an indirection argument similar to the one used in [11, 12, 25], which yields a static-to-adaptive transformation.

Theorem

(informal). If all efficiently samplable distributions can be pseudorandomly encoded in the CRS model with a static choice of inputs, then all efficiently samplable distributions can be pseudorandomly encoded in the CRS model with an adaptive choice of inputs.

Static-to-adaptive transformations in cryptography are generally non-trivial, and often come at a big cost in security when they rely on a “complexity leveraging” technique. This connection and its application we will discuss below are a good demonstration of the usefulness of the notion of pseudorandom encodings.

Relaxing Compression. The notion of statistical deterministic pseudorandom encodings recovers the notion of optimal compression. Hence, this conflicts with the existence of one-way functions.Footnote 3 In our systematic study of pseudorandom encodings, we gradually relax perfect compression in several dimensions, while maintaining one crucial property – the indistinguishability of the encoded distribution from true randomness.

Example. To illustrate the importance of this property, we elaborate on the example we outline at the beginning of the introduction, focusing more specifically on password-authenticated key exchange (PAKE). A PAKE protocol allows two parties holding a (low entropy) common password to jointly and confidentially generate a (high entropy) secret key, such that the protocol is resilient against offline dictionary attacks, and no adversary can establish a shared key with a party if he does not know the matching password. A widely used PAKE protocol due to Bellovin and Merritt [4] has a very simple structure: the parties use their low-entropy password to encrypt the flows of a key-exchange protocol using a block cipher. When the block cipher is modeled as a random cipher, it has the property that decrypting a ciphertext (of an arbitrary plaintext) under an incorrect secret key yields a fresh random plaintext. Thus, Bellovin and Merritt point out that the security of their PAKE protocol requires that “the message to be encrypted by the password must be indistinguishable from a random number.” This is easy to achieve for Diffie-Hellman key exchange over the multiplicative group of integers modulo a prime p. However, for elliptic curve groups this is no longer the case, and one needs to resort to alternative techniques including nontrivial point compression algorithms that compress the representation of a random group element into a nearly uniform bitstring [6].

Clearly, our relaxation of compression does not preserve the useful property of obtaining outputs that are shorter than the inputs. However, the remaining pseudorandomness property is good enough for many applications.

In the following, we elaborate on our weakest notion of pseudorandom encodings, that is, pseudorandom encodings allowing the encoding algorithm to be randomized and providing a computational pseudorandomness guarantee. We defer the discussion on the stronger statistical or deterministic variants to Sect. 1.3, where we derive negative results for most of these stronger notions, which leaves computational randomized pseudorandom encodings as the “best possible” notion that can be realized for general distributions.

Randomized, Computational Pseudorandom Encodings. Computational randomized pseudorandom encodings allow the encoding algorithm to be randomized and require only computational pseudorandomness.

Relation to Invertible Sampling. We show a simple but unexpected connection with the notion of invertible sampling [9, 17, 22]. Informally, invertible sampling refers to the task of finding, given samples from a distribution, random coins that explain the sample. Invertible sampling allows to obliviously sample from distributions, that is, sampling from distributions without knowing the corresponding secrets. This can be useful for, e.g., sampling common reference strings without knowing the random coins or public keys without knowing the corresponding secret keys. A natural relaxation of this notion was systematically studied by Ishai, Kumarasubramanian, Orlandi and Sahai [29]. Concretely, a PPT sampler \(S\) is inverse samplable if there exists an alternative PPT sampler \(\overline{S}\) and a PPT inverse sampler \(\overline{S}^{-1}\) such that

$$\begin{aligned} \big \{y\leftarrow S(1^{\lambda }):y\big \}&\mathrel {\approx _{\mathsf{c}}}\big \{y\leftarrow \overline{S}(1^{\lambda }):y\big \}\text {,}\\ \big \{y\leftarrow \overline{S}(1^{\lambda }; r):(r, y)\big \}&\mathrel {\approx _{\mathsf{c}}}\big \{y\leftarrow \overline{S}(1^{\lambda }):(\overline{S}^{-1}(1^{\lambda }, y), y)\big \}\text {.} \end{aligned}$$

Note that the inverse sampling algorithm is only required to efficiently inverse-sample from another distribution \(\overline{S}\), but this distribution must be computationally close to the distribution induced by \(S\). The main question studied in [29] is whether every efficient sampler admits such an invertible sampler. They refer to this hypothesis as the invertible sampling hypothesis (ISH), and show that ISH is equivalent to adaptive MPC for general randomized functionalities that may hide their internal randomness. In this work, we show the following two-way relation with pseudorandom encoding.

Theorem

(informal). A distribution admits a pseudorandom encoding if and only if it admits invertible sampling.

Intuitively, the efficient encoding algorithm corresponds to the inverse sampling algorithm, and decoding an encoded string corresponds to sampling with the de-randomized alternative sampler \(\overline{S}\). This equivalence immediately extends to all variants of pseudorandom encodings and corresponding variants of invertible sampling we introduce in this work. Invertible sampling is itself connected to other useful cryptographic notions, such as oblivious sampling, trusted common reference string generations, and adaptively secure computation (which we will elaborate upon below).

Building on this connection, the impossibility result of [29] translates to our setting. On a high level, extractable one-way functions (EOWFs) conflict with invertible sampling because they allow to extract a “secret” (in this case a pre-image) from an image, independently of how it was computed. This conflicts with invertible sampling because invertible sampling is about sampling without knowing the secrets.

Theorem

(informal, [29]). Assuming the existence of extractable one-way functions (EOWF) and a non-interactive zero-knowledge proof system, \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) does not hold.

This suggests that towards a realizable notion of pseudorandom encodings, a further relaxation is due. Thus, we ask whether the above impossibility result extends to the CRS model. In the CRS model, the above intuition why ISH conflicts with EOWFs fails, because the CRS can contain an obfuscated program that samples an image using some secret, but does not output this secret.

Dachman-Soled, Katz, and Rao [16] (building on the universal deniable encryption construction of Sahai and Waters [35]) construct a so-called “explainability compiler” that implies \(\mathsf{cISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) based on indistinguishability obfuscationFootnote 4 (\(\mathsf{iO}\)). By our equivalence theorem above, this implies pseudorandom encodings for all efficiently samplable distributions in the CRS model, with static choice of inputs, from \(\mathsf{iO}\). Invoking the static-to-adaptive transformation detailed above, this also applies to the adaptive variant.

Theorem

(informal). Assuming the existence of (polynomially secure) indistinguishability obfuscation and one-way functions, \(\mathsf{acPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds.

Note that [29] claim that their impossibility result extends to the CRS model, whereas the above theorem seems to suggest the opposite. We show that technically the result of [29] does extend to the CRS model at the cost of assuming unbounded auxiliary-input extractable one-way functions, a strong flavor of EOWFs that seems very unlikely to exist but cannot be unconditionally ruled out.

Theorem

(informal). Assuming the existence of extractable one-way functions with unbounded common auxiliary input and a non-interactive zero-knowledge proof system, \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) does not hold.

In fact, this apparent contradiction has been the source of some confusion in previous works: the work of [29] makes an informal claim that their impossibility result for ISH extends to the CRS model. However, due to the connection between ISH and adaptively secure MPC (which we will discuss in more details later on), this claim was challenged in [16]: the authors achieve a construction of adaptively secure MPC for all functionalities assuming \(\mathsf{iO}\), which seemingly contradicts the claim of [29]. The authors of [16] therefore stated that the “impossibility result of Ishai et al. [...] does not hold in the CRS model.” Our extension clarifies that the distinction is in fact more subtle: the result of [29] does extend to the CRS model, but at the cost of assuming EOWF with unbounded auxiliary inputs. This does not contradict the constructions based on \(\mathsf{iO}\), because \(\mathsf{iO}\) and EOWF with unbounded auxiliary inputs are known to be contradictory [5].

Overview. In Fig. 1, we provide a general summary of the many flavors of the pseudorandom encoding hypothesis, and how they relate to a wide variety of other primitives.

Fig. 1.
figure 1

An overview of the relations between the pseudorandom encoding hypothesis and other fields of cryptography and computational complexity theory. For simplicity, our static-to-adaptive transformation only appears in the computational, randomized setting in this overview, but also applies to the other settings. (Since the deterministic variants of the pseudorandom encoding hypothesis are impossible for some pathologic samplers, the arrows between deterministic and randomized variants of the pseudorandom encoding hypothesis are to be read as if the deterministic variant is true for some sampler, then the corresponding randomized variant is true for that sampler.)

Full size image

Further Relaxation. We further study an additional relaxation of pseudorandom encodings, where we allow the encoding algorithm to run in super-polynomial time. We show that this relaxed variant can be achieved from cryptographic primitives similar to extremely lossy functions [45], which can be based on the exponential hardness of the decisional Diffie-Hellman problem – a strong assumption, but (still) more standard than indistinguishability obfuscation. However, the applicability of the resulting notion turns out to be rather restricted.

1.2 Implications and Applications of Our Results

In this section, we elaborate on the implications of the techniques we develop and the results we obtain for a variety of other cryptographic primitives.

New Results for Adaptively Secure Computation. As mentioned above, a sampler admits invertible sampling if and only if it can be pseudorandomly encoded. A two-way connection between invertible sampling and adaptively secure MPC for general randomized functionalities was established in [29]. An MPC protocol allows two or more parties to jointly evaluate a (possibly randomized) functionality \(\mathcal {F}\) on their inputs without revealing anything to each other except what follows from their inputs and outputs. This should hold even in the presence of an adversary who can corrupt any number of parties in an adaptive (sequential) fashion. When we write “adaptive MPC”, we mean adaptive MPC for all randomized functionalities. This should be contrasted with weaker notions of adaptive MPC for strict subsets of corrupted parties [3, 9, 20] or for adaptively well-formed functionalitiesFootnote 5 [10] which can both be done from mild assumptions. The connection from [29] shows that adaptive MPC for all randomized functions is possible if and only if every PPT sampler admits invertible sampling, i.e., the invertible sampling hypothesis is true.

We show that this result generalizes to the global CRS model. More precisely, we prove the adaptive variant of the pseudorandom encoding hypothesis in the CRS model \(\mathsf{acPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is equivalent to adaptive MPC in the global CRS model.Footnote 6

As detailed above, the static pseudorandom encoding hypothesis \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) in the CRS model follows from \(\mathsf{iO}\) (and one-way functions). Applying our static-to-adaptive transformation, the same holds for the adaptive variant. Thus, we obtain the first instantiation of an adaptive explainability compiler [16] without complexity leveraging and, hence, based only on polynomial hardness assumptions. The recent work of Cohen, shelat, and Wichs [15] uses such an adaptive explainability compiler to obtain succinct adaptive MPC, where “succinct” means that the communication complexity is sublinear in the complexity of the evaluated function. Due to our instantiation of \(\mathsf{acPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) from polynomial \(\mathsf{iO}\), we improve the results of [15] by relaxing the requirement for subexponentially secure \(\mathsf{iO}\) to polynomially secure \(\mathsf{iO}\) in a black-box way.

Corollary

(informal). Assuming the existence of polynomially secure indistinguishability obfuscation and the adaptive hardness of the learning with errors problem, then malicious, two-round, UC-secure adaptive MPC and sublinear communication complexity is possible (in the local CRS model, for all deterministic functionalities).

Steganography and Covert Multi-party Computation. We explore the connection of the pseudorandom encoding hypothesis to various flavors of steganography. The goal of steganography, informally, is to embed secret messages in distributions of natural-looking messages, in order to hide them from external observers. While the standard setting for steganography relies on shared secret keys to encode the messages, we show that pseudorandom encodings naturally give rise to a strong form of keyless steganography. Namely, one can rely on pseudorandom encodings to encode any message into an innocent-looking distribution, without truly hiding the message (since anyone can decode the stream), but providing plausible deniability, in the sense that, even with the decoded message, it is impossible to tell apart whether this message was indeed encoded by the sender, or whether it is simply the result of decoding the innocent distribution.

Corollary

(informal). Assuming pseudorandom encodings, then there exists a keyless steganographic protocol which provides plausible deniability.

Plausible deniability is an important security notion; in particular, an important cryptographic primitive in this area is the notion of (sender-)deniable encryption [8], which is known to exist assuming indistinguishability obfuscation [35]. Deniable encryption enables to “explain” ciphertexts produced for some message to any arbitrary other message by providing corresponding random coins for a faked encryption process. We view it as an interesting open problem to build deniable encryption under the pseudorandom encoding hypothesis together with more standard cryptographic primitives; we make a first step in this direction and show the following: the statistical variant of pseudorandom encodings, together with the existence of public-key encryption, implies deniable encryption. Interestingly, we also show that the computational randomized pseudorandom encoding hypothesis suffices to imply non-committing encryption, a weaker form of deniable encryption allowing to explain only simulated ciphertexts to arbitrary messages [9].

Covert Secure Computation. Covert MPC [13, 41] is an intriguing flavor of MPC that aims at achieving the following strong security guarantee: if the output of the protocol is not “favorable,” the transcript of the interaction should not leak any information to the parties parties, including whether any given party was actually taking part in the protocol. This strong form of MPC aims at providing security guarantees when the very act of starting a computation with other parties should remain hidden. As an example [41], suppose that a CIA agent who infiltrated a terrorist group wants to make a handshake with another individual to find out whether she is also a CIA agent. Here, we show that pseudorandom encodings give rise to a general compiler transforming a standard MPC protocol into a covert one, in a round-preserving way. The idea is to encode each round of the protocol such that encoded messages look random. Together with the equivalence between adaptively secure MPC and pseudorandom encodings, this gives a connection between two seemingly unrelated notions of secure computation.

Corollary

(informal). Assuming adaptively secure MPC for all functionalities, there exists a round-preserving compiler that transforms a large class of “natural” MPC protocols into covert MPC protocols (in the static, semi-honest setting).

Other Results. Due to our infeasibility results of \(\mathsf{PREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{rand}}}\), distribution transforming encoders (DTEs) for all efficiently samplable distributions are infeasible. Even the computational relaxation of DTEs is infeasible assuming extractable one-way functions. Since all currently known constructions of honey encryption rely on DTEs, we conditionally refute the existence of honey encryption based on the DTE-then-encrypt framework from [30]. On the positive side, due to our feasibility result of \(\mathsf{acPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\), computational honey encryption is feasible in the CRS model.

Theorem

(informal). Assuming \(\mathsf{acPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) and a suitable symmetric-key encryption scheme (modeled as a random cipher), computational honey encryption for all efficiently samplable distributions exists in the CRS model.

1.3 Negative Results for Stronger Notions of Pseudorandom Encodings

Below we describe how we gradually relax optimal compression via different notions of pseudorandom encodings and derive infeasibility results for all variants of pseudorandom encodings which restrict the encoding algorithm to be deterministic or require an information-theoretic pseudorandomness guarantee. This leaves computational randomized pseudorandom encodings as the best possible achievable notion.

Deterministic, Statistical Pseudorandom Encodings. The notion of pseudorandom encodings with a deterministic encoding algorithm and information-theoretic indistinguishability is perhaps the simplest notion one can consider. As we will prove in this paper, this notion recovers the notion of optimal compression: since the encoding algorithm for some source \(X\) is deterministic, it can be seen with an entropy argument that the output size of \(\mathsf {E}_{X}\) must be at most \(\mathrm {H}_{\infty }(X)\), the min-entropy of \(X\); otherwise, the distribution \(\{\mathsf {E}_{X}(X)\}\) can necessarily be distinguished from random with some statistically non-negligible advantage. Therefore, \(\mathsf {E}_{X}\) is an optimal and efficient compression algorithm for \(X\), with decompression algorithm \(\mathsf {D}_{X}\); this is true even for the relaxation in the CRS model. The existence of efficient compression algorithms for various categories of samplers was thoroughly studied [40]. In particular, the existence of compression algorithms for all efficiently samplable sources implies the inexistence of one-way functions (this is an observation attributed to Levin in [23]) since compressing the output of a pseudorandom generator to its entropy would distinguish it from a random string, and the existence of one-way functions implies the existence of pseudorandom generators [24]).

Theorem

(informal). Assuming the existence of one-way functions, neither \(\mathsf{PREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{det}}}\) nor \(\mathsf{cPREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{det}}}\) hold.

This is a strong impossibility result, as one-way functions dwell among the weakest assumptions in cryptography, [28]. One can circumvent this impossibility by studying whether compression can be achieved for more restricted classes of distributions, as was done e.g. in [40]. Our work can be seen as pursuing an orthogonal direction. We seek to determine whether a relaxed notion of compression can be achieved for all efficiently samplable distributions. The relaxations we consider comprise the possibility to use randomness in the encoding algorithm, and weakening the requirement on the encoded distribution to being only computationally indistinguishable from random. Clearly, these relaxations remove one of the most important features of compression algorithms, which is that their outputs are smaller than their inputs (i.e., they compress). Nevertheless, the indistinguishability of the encoded distribution from the uniform distribution is another crucial feature of optimal compression algorithms, which has independent applications.

Deterministic, Computational Pseudorandom Encodings. We now turn towards a relaxation where the encoded distribution is only required to be computationally indistinguishable from random, but the encoding algorithm is still required to be deterministic. This flavor is strongly connected to an important problem in cryptography: the problem of separating HILL entropy [24] from Yao entropy [44]. HILL and Yao entropy are different approaches of formalizing computational entropy, i.e., the amount of entropy a distribution appears to have from the viewpoint of a computationally bounded entity. Informally, a distribution has high HILL entropy if it is computationally close to a distribution with high min-entropy; a distribution has high Yao entropy if it cannot be compressed efficiently. Finding a distribution which, under standard cryptographic assumptions, has high Yao entropy, but low HILL entropy constitutes a long standing open problem in cryptography. Currently, only an oracle separation [42] and a separation for conditional distributions [27] are known. To establish the connection between \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) and this problem, we proceed as follows: informally, a deterministic pseudorandom encoding must necessarily compress its input to the HILL entropy of the distribution. That is, the output size of the encoding cannot be much larger than the HILL entropy of the distribution. This, in turn, implies that a distribution which admits such a pseudorandom encoding cannot have high Yao entropy.

In this work, we formalize the above argument, and show that the conditional separation of HILL and Yao entropy from [27] suffices to refute \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\). This separation holds under the assumption that non-interactive zero-knowledge proofs with some appropriate structural properties exist (which in turn can be based on standard assumptions such as the quadratic residuosity assumption). Thus, we obtain the following infeasibility result:

Theorem

(informal). If the quadratic residuosity assumption holds, then \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) does not hold.

Hence, we may conclude that towards a feasible variant of pseudorandom encodings for all efficiently samplable distributions, requiring the encoding algorithm to be deterministic poses a strong restriction.

Randomized, Statistical Pseudorandom Encodings. We now consider the relaxation of perfect compression by allowing the encoding algorithm to be randomized while still requiring information-theoretic indistinguishability from randomness. This flavor of pseudorandom encoding was used in the context of honey encryption [30]. Honey encryption is a cryptographic primitive which has been introduced to mitigate attacks on encryption schemes resulting from the use of low-entropy passwords. Honey encryption has the property that decrypting a ciphertext with an incorrect key always yields a valid-looking plaintext which seems to come from the expected distribution, thereby mitigating brute-force attacks. This is the same property that was useful in the previous PAKE example.

The study of honey encryption was initiated in [30], where it was shown that honey encryption can naturally be constructed by composing a block cipher (modeled as a random cipher) with a distribution transforming encoder (DTE), a notion which is equivalent to our notion of pseudorandom encoding with randomized encoding and statistical pseudorandomness. The focus of [30] was on obtaining such DTEs for simple and useful distributions. In contrast, we seek to understand the feasibility of this notion for arbitrary distributions. Intuitively, it is not straightforward to encode any efficient distribution into the uniform distribution; consider for example the distribution over RSA moduli, i.e., products of two random n-bit primes. Since no efficient algorithm is known to test membership in the support of this distribution, natural approaches seem to break down. In fact, we show in this work that this difficulty is inherent: building on techniques from [5, 29], we demonstrate the impossibility of (randomized, statistical) pseudorandom encodings for all efficiently samplable distributions, under a relatively standard cryptographic assumption.

Theorem

(informal). Assuming the sub-exponential hardness of the learning with errors (LWE) problem, \(\mathsf{PREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{rand}}}\) does not hold.

This result directly implies that under the same assumption, there exist efficiently samplable distributions (with input) for which no distribution transforming encoder exists. We view it as an interesting open problem whether this result can be extended to rule out the existence of honey encryption for arbitrary distributions under the same assumption.

1.4 Open Questions and Subsequent Work

The most intriguing question left open by our work is whether the weakest variant of the pseudorandom encoding hypothesis \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\), which is implied by \(\mathsf{iO}\), also implies \(\mathsf{iO}\). Very recently, this question was settled in the affirmative by Wee and Wichs [43] under the LWE assumption. More concretely, by modifying a heuristic \(\mathsf{iO}\) construction of Brakerski et al. [7], they show that \(\mathsf{iO}\) is implied by LWE if one is additionally given an oblivious LWE-sampler in the CRS model. Such a sampler, given a matrix \(\mathbf {A}\in \mathbb {Z}_q^{m\times n}\), generates outputs that are indistinguishable from LWE samples \(\mathbf {A}\cdot \mathbf {s}+\mathbf {e}\) without knowing the secrets \(\mathbf {s}\) or the noise \(\mathbf {e}\). The existence of an oblivious LWE sampler is nontrivial even under the LWE assumption, because \(\mathbf {A}\) can be such that \(\mathbf {A}\cdot \mathbf {s}+\mathbf {e}\) is not pseudorandom; however, such a sampler still follows from the invertible sampling hypothesis [29], which we show to be equivalent to the pseudorandom encoding hypothesis. By proposing an explicit heuristic construction of (a relaxed flavor of) an oblivious LWE sampler, the end result of [43] is a construction of \(\mathsf{iO}\) from a new “falsifiable” assumption.

Whether \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) implies \(\mathsf{iO}\) under weaker or different assumptions than LWE remains open. A potentially easier goal is using \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) to construct public-key encryption from one-way functions. This is related to the possibility of constructing oblivious transfer from any public-key encryption in which public keys and ciphertexts are obliviously samplable [19, 22], which is implied by public-key encryption and \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\). Here \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is used to bypass the black-box separation between public-key encryption and oblivious transfer [22].

Finally, there is a lot of room for relaxing the intractability assumptions we use to rule out the statistical (\(\mathsf{cPREH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{rand}}}\)) and deterministic (\(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\)) flavors of pseudorandom encodings.

Organization. In Sect. 2, we provide a technical overview of a selection of our results. In Sect. 3, we provide condensed definitions of pseudorandom encodings and invertible sampling and a formal proof of their equivalence and in Sect. 4 we describe the static-to-adaptive transformation. We refer the reader to the full version [1] for more details and for the other results we described.

2 Overview of Techniques

In this section, we elaborate on some of our technical results in more detail. In the following, we identify a PPT sampler \(S\) with the distribution (family) ensemble it induces.

The Relation to Invertible Sampling. A PPT sampler \(S\) is inverse samplable [17, 29], if there exists an alternative sampler \(\overline{S}\) inducing a distribution which is computationally indistinguishable to the distribution induced by \(S\) such that the computations of \(\overline{S}\) can be efficiently inverted. Efficiently inverting the computation of \(\overline{S}\) means that there exists an efficient inverse sampler \(\overline{S}^{-1}\) which, given an output of \(\overline{S}\), recovers a well-distributed random tape for \(\overline{S}\) to compute the given output in the following sense. The inverse sampled random tape is required to be computationally indistinguishable from the actually used random tape. More formally, a PPT sampler \(S\) is inverse samplable if there exists an efficient alternative sampler \(\overline{S}\) and an efficient inverse sampler \(\overline{S}^{-1}\) such that

$$\begin{aligned} \big \{y\leftarrow S(1^{\lambda }):y\big \}&\mathrel {\approx _{\mathsf{c}}}\big \{y\leftarrow \overline{S}(1^{\lambda }):y\big \}\text {,} \end{aligned}$$
(3)
$$\begin{aligned} \big \{y\leftarrow \overline{S}(1^{\lambda }; r):(r, y)\big \}&\mathrel {\approx _{\mathsf{c}}}\big \{y\leftarrow \overline{S}(1^{\lambda }):(\overline{S}^{-1}(1^{\lambda }, y), y)\big \}\text {.} \end{aligned}$$
(4)

We refer to Eq. (3) as closeness and to Eq. (4) as invertibility. If the sampler \(S\) admits an input m, the above is required to hold for all inputs m in the input space \(L\), where \(\overline{S}\) and \(\overline{S}^{-1}\) both additionally receive m as input. In accordance with [29], we refer to the hypothesis that all PPT algorithms with input are inverse samplable as the invertible sampling hypothesis. Restricting the invertible sampling hypothesis to algorithms which do not admit inputs is denoted the weak invertible sampling hypothesis.

The concepts of inverse samplability and pseudorandom encodings are tightly connected. Suppose a PPT algorithm \(S\) is inverse samplable. Then, there exists an alternative and an inverse sampler \((\overline{S}, \overline{S}^{-1})\) satisfying closeness and invertibility. Invertibility guarantees that the inverse sampler \(\overline{S}^{-1}\) on input of a sample y from \(\overline{S}(1^{\lambda })\), outputs a computationally well-distributed random tape r. Hence, with overwhelming probability over the choice of \(y\leftarrow \overline{S}(1^{\lambda })\) and \(r\leftarrow \overline{S}^{-1}(y)\), the alternative sampler on input of r, recovers y. In other words, the inverse sampler \(\overline{S}^{-1}\) can be seen as encoding a given sample y, whereas the de-randomized alternative sampler \(\overline{S}\) given this encoding as random tape, is able to recover y. Looking through the lens of pseudorandom encoding, this almost proves correctness except that y is sampled according to \(\overline{S}(1^{\lambda })\) instead of \(S(1^{\lambda })\). This difference can be bridged due to closeness. We now turn towards showing pseudorandomness of the encoded distribution. Due to closeness, the distributions \(\{y\leftarrow \overline{S}(1^{\lambda }):(\overline{S}^{-1}(1^{\lambda }, y), y)\}\) and \(\{y\leftarrow S(1^{\lambda }):(\overline{S}^{-1}(1^{\lambda }, y), y)\}\) are computationally indistinguishable. Invertibility guarantees that, given a sample y from \(\overline{S}(1^{\lambda })\), an encoding of y is indistinguishable to uniformly chosen randomness conditioned on the fact that decoding yields y. Removing y from this distribution, almost corresponds to pseudorandomness, except that y is sampled according to \(\overline{S}(1^{\lambda })\) instead of \(S(1^{\lambda })\). Again, we are able to bridge this gap due to closeness. Note that we crucially use the fact that the initial randomness used by \(\overline{S}\) resides outside of the view of an adversary. Summing up, if a PPT sampler \(S\) is inverse samplable, then it can be pseudorandomly encoded.

Interestingly, this connection turns out to be bidirectional. Suppose a PPT algorithm \(S\) can be pseudorandomly encoded. Then, there exists an efficient encoding algorithm \(\mathsf {E}_{S}\) and an efficient deterministic decoding algorithm \(\mathsf {D}_{S}\) satisfying correctness and pseudorandomness. Looking through the lens of invertible sampling, we identify the decoding algorithm to correspond to the alternative sampler (viewing the random tape of the alternative sampler as explicit input to \(\mathsf {D}_{S}\)) and the encoding algorithm to correspond to the inverse sampler. Pseudorandomness guarantees that \(\mathsf {E}_{S}(S(1^{\lambda }))\) is indistinguishable from uniform randomness. Hence, applying the decode algorithm \(\mathsf {D}_{S}\) on uniform randomness is indistinguishable from applying \(\mathsf {D}_{S}\) to outputs of \(\mathsf {E}_{S}(S(1^{\lambda }))\). Correctness guarantees that \(\mathsf {D}_{S}(\mathsf {E}_{S}(y))\) for y sampled according to \(S(1^{\lambda })\) recovers y with overwhelming probability. Thus, the distribution induced by applying \(\mathsf {D}_{S}\) on uniform randomness is computationally close to the distribution induced by \(S(1^{\lambda })\). This shows closeness. For the purpose of arguing about invertibility, consider the distribution \(A:=\{y\leftarrow \mathsf {D}_{S}(r):(r, y)\}\). Due to pseudorandomness r can be considered an encoded sample from \(S(1^{\lambda })\). Hence, A is indistinguishable to the distribution, where r is produced by \(\mathsf {E}_{S}(y')\) for some independent \(y'\leftarrow S(1^{\lambda })\), i.e.

$$\begin{aligned} \big \{y\leftarrow \mathsf {D}_{S}(r):(r, y)\big \}\mathrel {\approx _{\mathsf{c}}}\big \{y'\leftarrow S(1^{\lambda }), r\leftarrow \mathsf {E}_{S}(y'), y\leftarrow \mathsf {D}_{S}(r):(r, y)\big \}\text {.} \end{aligned}$$

Note that by correctness, y and \(y'\) are identical with overwhelming probability. Therefore, A is indistinguishable to \(\big \{y'\leftarrow S(1^{\lambda }), r\leftarrow \mathsf {E}_{S}(y'):(r, y')\big \}\text {.}\) Since sampling \(y'\) via \(\mathsf {D}_{S}\) applied on uniform randomness is computationally close to the above distribution due to closeness, invertibility follows. Summing up, a sampler \(S\) can be pseudorandomly encoded if and only if it is inverse samplable.

Likewise to the variations and relaxations described for pseudorandom encodings, we vary and relax the notion of invertible sampling. The inverse sampler can be required to be deterministic or allowed to be randomized. Further, closeness and invertibility can be required to hold information theoretically or computationally. We denote these variants as \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}, \mathsf{ISH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{rand}}}, \mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) and \(\mathsf{ISH}_{{\equiv _{\mathsf{s}}}}^{{\mathsf{det}}}\). To circumvent impossibilities in the plain model, we also define the relaxations in the common reference string model in static and adaptive flavors, denoted the prefix “\(\mathsf {c}\)” and “\(\mathsf {ac}\)”, respectively. The above equivalence extends to all introduced variations of the pseudorandom encoding and invertible sampling hypotheses.

The Static-to-Adaptive Transformation. The static variant of pseudorandom encodings in the CRS model only guarantees correctness and pseudorandomness as long as the input m for the sampler \(S\) is chosen independently of the CRS. The adaptive variant, on the other hand, provides correctness and pseudorandomness even for adaptive choices of inputs. Adaptive notions always imply their static analogues. Interestingly, for pseudorandom encodings, the opposite direction is true as well. The core idea is to use an indirection argument (similar to [11, 12, 25]) to delay CRS generation until during the actual encoding process. Thus, the advantage stemming from adaptively choosing the input is eliminated.

Suppose that the static variant of the pseudorandom encoding hypothesis in the CRS model is true and let \(S\) be some PPT sampler. Since \(S\) can be pseudorandomly encoded in the CRS model with static choice of inputs, there exist algorithms \((\mathsf{Setup}', \mathsf {E}_{}', \mathsf {D}_{}')\) such that static correctness and pseudorandomness hold. Further, the algorithm \(\mathsf{Setup}'\) can also be pseudorandomly encoded as above. Let \((\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}'')\) be the corresponding algorithms such that static correctness and pseudorandomness hold. Note that since the sampler \(\mathsf{Setup}'\) does not expect an input, static and adaptive guarantees are equivalent.

Then, the sampler \(S\) can be pseudorandomly encoded in the CRS model with adaptive choice of inputs as follows. Initially, we sample a common reference string \( crs ''\) via \(\mathsf{Setup}''(1^{\lambda })\) and make it available to the parties. Given \( crs ''\) and a sample y from \(S(m)\), adaptive encoding works in two phases. First, a fresh CRS \( crs '\) is sampled via \(\mathsf{Setup}'(1^{\lambda })\) and pseudorandomly encoded via \(r_1\leftarrow \mathsf {E}_{}''( crs '', crs ')\). Second, the given sample y is pseudorandomly encoded via \(r_2\leftarrow \mathsf {E}_{}'( crs ', m, y)\). The encoding of y then consists of \((r_1, r_2)\). To decode, the CRS \( crs '\) is restored via \(\mathsf {D}_{}''( crs '', r_1)\). Then, using \( crs '\), the original sample y is recovered via \(\mathsf {D}_{}'( crs ', m, r_2)\).

Since \( crs '\) is chosen freshly during the encoding process, the input m which may depend on \( crs ''\), cannot depend on \( crs '\). Further, the distribution \(\mathsf{Setup}''\) does not expect an input. Hence, static guarantees suffice.

To realize that adaptive pseudorandomness holds, consider the encoding of \(S(m)\) for some adaptively chosen message m. Since the view of \(\mathcal {A}\) when choosing the message m is independent of \( crs '\), static pseudorandomness can be applied to replace the distribution \(\mathsf {E}_{}'( crs ', m, S(m))\) with uniform randomness. Further, since the sampler \(\mathsf{Setup}'\) does not expect any input, static pseudorandomness suffices to replace the distribution \(\mathsf {E}_{}''( crs '', \mathsf{Setup}'(1^{\lambda }))\) with uniform randomness. This proves adaptive pseudorandomness.

The adaptive variant of correctness follows similarly from the static variant of correctness. Consider the distribution of decoding an encoded sample of \(S(m)\), where m is adaptively chosen. Since the sampler \(\mathsf{Setup}'\) does not expect an input, static correctness can be applied to replace decoding \(\mathsf {D}_{}''( crs '', r_1)\) with the \( crs '\) sampled during encoding. Again, since \( crs '\) does not lie in the view of the adversary when choosing the message m, static correctness guarantees that decoding succeeds with overwhelming probability. This proves adaptive correctness.

On Deterministic Pseudorandom Encoding and Compression. The notion of pseudorandom encoding is inspired by the notion of compression. A tuple of deterministic functions \((\mathsf {E}_{X}, \mathsf {D}_{X})\) is said to compress a source \(X_\lambda \) to length \(m(\lambda )\) with decoding error \(\epsilon (\lambda )\), if (i) \(\Pr [\mathsf {D}_{X}(\mathsf {E}_{X}(X_\lambda ))\ne X_\lambda ]\le \epsilon (\lambda )\) and (ii) \(\mathbb {E}[|\mathsf {E}_{X}(X_\lambda )|]\le m(\lambda )\), see [40, 42]. Pseudorandom encoding partially recovers the notion of compression if we require the encoding algorithm to be deterministic. If a source \(X_\lambda \) can be pseudorandomly encoded with a deterministic encoding algorithm having output length \(n(\lambda )\), then \(X_\lambda \) is compressible to length \(n(\lambda )\). Note, however, that the converse direction is not true. Compression and decompression algorithms for a compressible source do not necessarily encode that source pseudorandomly. The output of a compression algorithm is not required to look pseudorandom and, in some cases, admits a specific structure which makes it easily distinguishable from uniform randomness, e.g. instances using Levin search, [40].

Clearly, the requirement for correctness, poses a lower bound on the encoding length \(n(\lambda )\), [36]. Conversely, requiring the encoding algorithm \(\mathsf {E}_{X}\) to be deterministic means that the only source of entropy in the distribution \(\mathsf {E}_{X}(X_\lambda )\) originates from the source \(X_\lambda \) itself. Hence, for the distributions \(\mathsf {E}_{X}(X_\lambda )\) and the uniform distribution over \(\{0, 1\}^{n(\lambda )}\) to be indistinguishable, the encoding length \(n(\lambda )\) must be “sufficiently small”. We observe that correctness together with the fact that \(\mathsf {E}_{X}\) is deterministic implies that the event \(\mathsf {E}_{X}(\mathsf {D}_{X}(\mathsf {E}_{X}(X_\lambda )))=\mathsf {E}_{X}(X_\lambda )\) occurs with overwhelming probability. Applying pseudorandomness yields that \( \mathsf {E}_{X}(\mathsf {D}_{X}(U_{n(\lambda )}))=U_{n(\lambda )} \) holds with overwhelming probability, wherefore we can conclude that \(\mathsf {D}_{X}\) operates almost injectively on the set \(\{0, 1\}^{n(\lambda )}\). Hence, the (smooth) min-entropy of \(\mathsf {D}_{X}(U_{n(\lambda )})\) is at least \(n(\lambda )\).

Considering information theoretical pseudorandomness, the distributions \(\mathsf {D}_{X}(U_{n(\lambda )})\) and \(X_\lambda \) are statistically close. Hence, by the reasoning above, the encoding length \(n(\lambda )\) is upper bounded by the (smooth) min-entropy of the source \(X_\lambda \). In conclusion, if a distribution can be pseudorandomly encoded such that the encoding algorithm is deterministic satisfying statistical pseudorandomness, then this distribution is compressible to its (smooth) min-entropy. Using a technical “Splitting Lemma”, this extends to the relaxed variant of the pseudorandom encoding hypothesis in the CRS model.

Considering computational pseudorandomness, by a similar argument as above, we obtain that \(X_\lambda \) is computationally close to a distribution with min-entropy \(n(\lambda )\). This does not yield a relation between the encoding length and the min-entropy of the source. However, we do obtain relations to computational analogues of entropy. Computational entropy is the amount of entropy a distribution appears to have from the perspective of a computationally bounded entity. The notion of HILL entropy [24] is defined via the computational indistinguishability from a truly random distribution. More formally, a distribution \(X_\lambda \) has HILL entropy at least k, if there exists a distribution with min-entropy k which is computationally indistinguishable from \(X_\lambda \). Hence, the encoding length \(n(\lambda )\) is upper bounded by the HILL entropy of the source \(X_\lambda \). Another important notion of computational entropy is the notion of Yao entropy [44]. Yao entropy is defined via the incompressibility of a distribution. More precisely, a distribution \(X_\lambda \) has Yao entropy at least k if \(X_\lambda \) cannot be efficiently compressed to length less than k (and successfully decompressed). If a distribution can be pseudorandomly encoded with deterministic encoding, then it can be compressed to the encoding length \(n(\lambda )\). This poses an upper bound on the Yao entropy of the source. In summary, this yields

$$\begin{aligned} n(\lambda )\le \mathrm {H}^{\mathsf{HILL}}(X_\lambda )\quad \text {and}\quad \mathrm {H}^{\mathsf{Yao}}(X_\lambda )\le n(\lambda )\text {.} \end{aligned}$$
(5)

However, due to [27, 31], if the Quadratic Residuosity Assumption (QRA) is true, then there exist distributions which have low conditional HILL entropy while being conditionally incompressible, i.e. have high conditional Yao entropy.Footnote 7 The above observations, particularly Eq. (5), can be extended to conditional HILL and conditional Yao entropy, by considering \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) for PPT algorithms with input. Therefore, if the Quadratic Residuosity Assumption is true, \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{det}}}\) cannot be true for those distributions.

Unfortunately, we do not know whether this extends to the relaxed variants of the pseudorandom encoding hypothesis admitting access to a CRS. On a high level, the problem is that the HILL entropy, in contrast to the min-entropy, does not remain untouched when additionally conditioning on some common reference string distribution, even though the initial distribution is independent of the CRS. Hence, the splitting technique can not be applied here.

3 Pseudorandom Encodings and Invertible Sampling

In this section, we formally define pseudorandom encodings and invertible sampling. We will work with the hypothesis that every efficiently samplable distribution can be pseudorandomly encoded and invertible sampled and we refer to these hypotheses as the pseudorandom encoding hypothesis and the invertible sampling hypothesis, respectively. This section is a condensed and much less detailed version of [1].

Definition 1

(Pseudorandom encoding hypothesis, \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\)). For every PPT algorithm \(S\), there exist efficient algorithms \(\mathsf {E}_{S}\) (the encoding algorithm) with output length \(n(\lambda )\) and \(\mathsf {D}_{S}\) (the decoding algorithm), where \(\mathsf {D}_{S}\) is deterministic and \(\mathsf {E}_{S}\) is randomized satisfying the following two properties.

Correctness.:

For all inputs \(m\in L\), \(\epsilon _{\mathsf{dec-error}}(\lambda ):=\Pr \big [y\leftarrow S(m):\mathsf {D}_{S}(m, \mathsf {E}_{S}(m,y))\ne y\big ]\) is negligible.

Pseudorandomness.:

For all PPT adversaries \(\mathcal {A}\) and all inputs \(m\in L\),

where \( Exp ^{\mathsf{pre}}_{\mathcal {A}, m, 0}\) and \( Exp ^{\mathsf{pre}}_{\mathcal {A}, m, 1}\) are defined below.

figure a

Definition 2

(Invertible sampling hypothesis, \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\), [29]). For every PPT algorithm \(S\), there exists a PPT algorithm \(\overline{S}\) (the alternate sampler) with randomness space \(\{0, 1\}^{n(\lambda )}\) and an efficient randomized algorithm \(\overline{S}^{-1}\) (the inverse sampler), satisfying the following two properties.

Closeness.:

For all PPT adversaries \(\mathcal {A}\) and all inputs \(m\in L\),

where \( Exp ^{\mathsf{close}}_{\mathcal {A}, m, 0}\) and \( Exp ^{\mathsf{close}}_{\mathcal {A}, m, 1}\) are defined below.

Invertibility.:

For all PPT adversaries \(\mathcal {A}\) and all inputs \(m\in L\),

where \( Exp ^{\mathsf{inv}}_{\mathcal {A}, m, 0}\) and \( Exp ^{\mathsf{inv}}_{\mathcal {A}, m, 1}\) are defined below.

figure b

Theorem 1

\(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is true if and only if \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is true.

Lemma 1

If \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds, then \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds.

Proof

Assume \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds. Let \(S\) be a PPT algorithm. \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) implies that there exists an alternative sampler \(\overline{S}\) (with randomness space \(\{0, 1\}^{n(\lambda )}\)) and a corresponding inverse sampler \(\overline{S}^{-1}\) satisfying closeness and invertibility.

For \(m\in L, y\in \{0, 1\}^*, r\in \{0, 1\}^{n(\lambda )}\), we define the algorithms \(\mathsf {E}_{S}(m, y):=\overline{S}^{-1}(m, y)\) (potentially randomized) and \(\mathsf {D}_{S}(m, r):=\overline{S}(m; r)\) (deterministic).

Correctness. We consider a series of hybrids, see Fig. 2.

Fig. 2.
figure 2

Hybrids used in the proof of correctness.

Full size image

Game \(\mathbf{G}_0\) is identical to \( Exp ^{\mathsf{inv}}_{\mathcal {A}, m, 0}\) and game \(\mathbf{G}_1\) is identical to \( Exp ^{\mathsf{inv}}_{\mathcal {A}, m, 1}\). Hence, \(|\Pr [out_{1}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{inv}}_{\mathcal {A}, m}(\lambda )\).

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{2}=1]-\Pr [out_{1}=1]|\le Adv ^{\mathsf{close}}_{\overline{\mathcal {A}}, m}(\lambda )\).

Proof

Construct an adversary \(\overline{\mathcal {A}}\) on closeness. On input of (my), \(\overline{\mathcal {A}}\) computes \(\overline{r}\leftarrow \overline{S}^{-1}(m, y)\), calls \(\mathcal {A}\) on input of \((m, \overline{r}, y)\) and outputs the resulting output. If y is sampled using \(\overline{S}(m; r)\) (for \(r\leftarrow \{0, 1\}^{n(\lambda )}\)), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_1\) for \(\mathcal {A}\). If y is sampled using \(S(m; r)\) (for \(f\leftarrow \{0, 1\}^{p(\lambda )}\)), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_2\) for \(\mathcal {A}\). Therefore, \(\Pr [out_{1}=1]=\Pr [ Exp ^{\mathsf{close}}_{\overline{\mathcal {A}}, m, 1}(\lambda )=1]\) and \(\Pr [out_{2}=1]=\Pr [ Exp ^{\mathsf{close}}_{\overline{\mathcal {A}}, m, 0}(\lambda )=1]\). \(\square \)

Thus, we have that \(|\Pr [out_{2}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{close}}_{\overline{\mathcal {A}}, m}(\lambda )+ Adv ^{\mathsf{inv}}_{\overline{\mathcal {A}}', m}(\lambda )\) for some PPT adversaries \(\overline{\mathcal {A}}, \overline{\mathcal {A}}'\).

Consider the adversary \(\mathcal {A}\) distinguishing between game \(\mathbf{G}_0\) and game \(\mathbf{G}_2\) that on input of (mry), outputs 0 if \(\overline{S}(m; r)=y\) and outputs 1 otherwise. By definition, \(\mathcal {A}\) always outputs 0 in \(\mathbf{G}_0\). Hence, \(\epsilon _{\mathsf{dec-error}}(\lambda )=\Pr [y\leftarrow S(m):\overline{S}(m, \overline{S}^{-1}(m,y))\ne y]=\Pr [out_{2, \mathcal {A}}=1]=|\Pr [out_{2, \mathcal {A}}=1]-\Pr [out_{0, \mathcal {A}}=1]|\).

Pseudorandomness. We consider a sequence of hybrids starting from \( Exp ^{\mathsf{pre}}_{\mathcal {A}, m, 0}\) and concluding in \( Exp ^{\mathsf{pre}}_{\mathcal {A}, m, 1}\), see Fig. 3.

Fig. 3.
figure 3

Hybrids used in the proof of pseudorandomness.

Full size image

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{1}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{close}}_{\overline{\mathcal {A}}, m}(\lambda )\).

Proof

Construct a PPT adversary \(\overline{\mathcal {A}}\) on the closeness property as follows. On input of (my), \(\overline{\mathcal {A}}\) calls \({\mathcal {A}}\) on input of \((m, \overline{S}^{-1}(m, y))\) and outputs the resulting output.

If \(y\leftarrow S(m)\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_0\) for \(\mathcal {A}\), and if \(y\leftarrow \overline{S}(m)\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_1\) for \(\mathcal {A}\). Hence, \(\Pr [out_{0}=1]=\Pr [ Exp ^{\mathsf{close}}_{\overline{\mathcal {A}}, m, 0}(\lambda )=1]\) and \(\Pr [out_{1}=1]=\Pr [ Exp ^{\mathsf{close}}_{\overline{\mathcal {A}}, m, 1}(\lambda )=1]\). \(\square \)

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{2}=1]-\Pr [out_{1}=1]|\le Adv ^{\mathsf{inv}}_{\overline{\mathcal {A}}, m}(\lambda )\).

Proof

We construct a PPT adversary \(\overline{\mathcal {A}}\) on the invertibility property. On input of (mry), \(\overline{\mathcal {A}}\) calls \(\mathcal {A}\) on input of (mr) and outputs its output.

If \(r\leftarrow \overline{S}^{-1}(m, y)\) for \(y\leftarrow \overline{S}(m)\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_1\) for \(\mathcal {A}\). If \(r\leftarrow \{0, 1\}^{n(\lambda )}\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_2\) for \(\mathcal {A}\). Therefore, \(\Pr [out_{1}=1]=\Pr [ Exp ^{\mathsf{inv}}_{\overline{\mathcal {A}}, m, 0}(\lambda )=1]\) and \(\Pr [out_{2}=1]=\Pr [ Exp ^{\mathsf{inv}}_{\overline{\mathcal {A}}, m, 1}(\lambda )=1]\). \(\square \)

Hence, \( Adv ^{\mathsf{pre}}_{\mathcal {A}, m}(\lambda )=|\Pr [out_{2}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{close}}_{\overline{\mathcal {A}}, m}(\lambda ) + Adv ^{\mathsf{inv}}_{\overline{\mathcal {A}}', m}(\lambda )\) for some PPT adversaries \(\overline{\mathcal {A}}\) and \(\overline{\mathcal {A}}'\). \(\square \)

Lemma 2

If \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds, then \(\mathsf{ISH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds.

Proof

We prove the statement for the computational randomized case. The remaining cases are similar.

Assume \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) holds. Let \(S\) be a PPT algorithm. \(\mathsf{PREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\)implies that for \(S\) there exist efficient algorithms \(\mathsf {E}_{S}\) (potentially randomized) with output length \(n(\lambda )\) and \(\mathsf {D}_{S}\) (deterministic) satisfying correctness and pseudorandomness.

For \(m\in L, r\in \{0, 1\}^{n(\lambda )}, y\in \{0, 1\}^*\), we define the alternative sampler as \(\overline{S}(m; r):=\mathsf {D}_{S}(m, r)\) (randomized) and the corresponding inverse sampler \(\overline{S}^{-1}(m, y):=\mathsf {E}_{S}(m, y)\) (potentially randomized).

Fig. 4.
figure 4

Hybrids used in the proof of closeness.

Full size image

Closeness. Let \(\mathcal {A}\) be an adversary on closeness. We consider a sequence of games starting from \( Exp ^{\mathsf{close}}_{\mathcal {A}, m, 0}\) and concluding in \( Exp ^{\mathsf{close}}_{\mathcal {A}, m, 1}\), see Fig. 4.

The difference between game \(\mathbf{G}_0\) and game \(\mathbf{G}_1\) is only conceptional, hence, \(\Pr [out_{0}=1]=\Pr [out_{1}=1]\).

\(\mathbf{G}_1\) and \(\mathbf{G}_2\) proceed exactly identical if \(y_{S}=y_{D}\). More formally, let F be the event that \(y_{S}\ne y_{D}\). We have that \(out_{1}=1\wedge \lnot F\Leftrightarrow out_{2}\wedge \lnot F\). Hence, the Difference Lemma (due to Shoup, [37]) bounds \(|\Pr [out_{2}=1]-\Pr [out_{1}=1]|\le \Pr [F]\). Correctness guarantees that for all \(m\in L\), \(\Pr [F]=\Pr [y_{S}\leftarrow S(m):\mathsf {D}_{S}(m, \mathsf {E}_{S}(m, y_{S}))\ne y_{S}]=\epsilon _{\mathsf{dec-error}}(\lambda )\) is negligible.

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{3}=1]-\Pr [out_{2}=1]|\le Adv ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m}(\lambda )\).

Proof

Construct an adversary \(\overline{\mathcal {A}}\) on pseudorandomness as follows. On input of \((m, u=:r_{D})\), \(\overline{\mathcal {A}}\) calls \(\mathcal {A}\) on input \((m, \mathsf {D}_{S}(m, r_{D}))\) and outputs the resulting output. If \(u\leftarrow \mathsf {E}_{S}(m, y)\) for \(y\leftarrow S(m)\), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_2\) for \(\mathcal {A}\). Otherwise, if u is uniformly random over \(\{0, 1\}^{n(\lambda )}\), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_3\) for \(\mathcal {A}\). Hence, \(\Pr [out_{3}=1]=\Pr [ Exp ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m, 1}(\lambda )=1]\) and \(\Pr [out_{2}=1]=\Pr [ Exp ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m, 0}(\lambda )=1]\). \(\square \)

Hence, \( Adv ^{\mathsf{close}}_{\mathcal {A}, m}(\lambda )=|\Pr [out_{3}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m}(\lambda ) + \epsilon _{\mathsf{dec-error}}(\lambda )\) for some PPT adversary \(\overline{\mathcal {A}}\).

Invertibility. We consider a sequence of hybrids, see Fig. 5.

Fig. 5.
figure 5

Hybrids used in the proof of invertibility.

Full size image

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{1}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m}(\lambda ) + \epsilon _{\mathsf{dec-error}}(\lambda )\).

Proof

Let \(\mathcal {A}\) be an adversary distinguishing \(\mathbf{G}_0\) and \(\mathbf{G}_1\). Construct an adversary \(\overline{\mathcal {A}}\) on the closeness property. On input of (my), \(\overline{\mathcal {A}}\) computes \(\overline{r}\leftarrow \mathsf {E}_{S}(m, y)\) and calls \(\mathcal {A}\) on input \((m, \overline{r}, y)\). If \(y\leftarrow \overline{S}(m)\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_0\) for \(\mathcal {A}\). Else, if \(y\leftarrow S(m)\), \(\overline{\mathcal {A}}\) simulates game \(\mathbf{G}_1\) for \(\mathcal {A}\). Hence, \(|\Pr [out_{1}=1]-\Pr [out_{0}=1]|= Adv ^{\mathsf{close}}_{\overline{\mathcal {A}}, m}(\lambda )\). \(\square \)

The difference between \(\mathbf{G}_1\) and \(\mathbf{G}_2\) is purely conceptional. Hence, \(\Pr [out_{1}=1]=\Pr [out_{2}=1]\). \(\mathbf{G}_2\) and \(\mathbf{G}_3\) behave identical if \(y_D = y_S\). Let F denote the failure event \(y_D\ne y_S\). We have that \(out_{2}=1\wedge \lnot \Leftrightarrow out_{3}\wedge \lnot F\). The Difference Lemma (due to Shoup, [37]) bounds \(|\Pr [out_{3}=1]-\Pr [out_{2}=1]|\le \Pr [F]\). Due to correctness, for all \(m\in L\), \(\Pr [F]=\Pr [y_S\leftarrow S(m):\mathsf {D}_{S}(m, \mathsf {E}_{S}(m, y_S))\ne y_S]=\epsilon _{\mathsf{dec-error}}(\lambda )\) is negligible.

Claim

For all PPT adversaries \(\mathcal {A}\), for all \(m\in L\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{4}=1]-\Pr [out_{3}=1]|\le Adv ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m}(\lambda )\).

Proof

Construct a PPT adversary \(\overline{\mathcal {A}}\) on the pseudorandomness property. On input of (mu), \(\overline{\mathcal {A}}\) calls \(\mathcal {A}\) on input \((m, u=:r_D, \mathsf {D}_{S}(m, u)=:y_D)\) and outputs the resulting output. If \(u\leftarrow \mathsf {E}_{S}(m, y)\) for \(y\leftarrow S(m)\), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_3\) for \(\mathcal {A}\). Otherwise, if u is uniformly random over \(\{0, 1\}^{n(\lambda )}\), \(\overline{\mathcal {A}}\) perfectly simulates game \(\mathbf{G}_4\) for \(\mathcal {A}\). Hence, \(\Pr [out_{3}=1]=\Pr [ Exp ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m, 0}(\lambda )=1]\) and \(\Pr [out_{4}=1]=\Pr [ Exp ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m, 1}(\lambda )=1]\). \(\square \)

The difference between \(\mathbf{G}_4\) and \(\mathbf{G}_5\) is again only conceptional and \(\Pr [out_{4}=1]=\Pr [out_{5}=1]\). Hence, \(|\Pr [out_{5}=1]-\Pr [out_{0}=1]|\le 2\cdot Adv ^{\mathsf{pre}}_{\overline{\mathcal {A}}, m}(\lambda ) + 2\cdot \epsilon _{\mathsf{dec-error}}(\lambda )\) for some PPT adversary \(\overline{\mathcal {A}}\). \(\square \)

4 Static-to-Adaptive Transformation

We obtain a natural relaxation of the pseudorandom encoding hypothesis by introducing public parameters. That is, a distribution defined via \(S\) can be pseudorandomly encoded in this relaxed sense, if there exists a probabilistic setup algorithm \(\mathsf{Setup}_{S}\) and encode and decode algorithms as before such that for all \(m\in L\), the event \(\mathsf {D}_{S}( crs , \mathsf {E}_{S}( crs , S(m)))=S(m)\) occurs with overwhelming probability, where the probability is also over the choice of \( crs \), and the distribution \((\mathsf{Setup}_{S}(1^{\lambda }), \mathsf {E}_{S}(\mathsf{Setup}_S(1^{\lambda }), S(m)))\) is indistinguishable from the distribution \((\mathsf{Setup}_{S}(1^{\lambda }), U_{n(\lambda )})\). See the full version [1] for more details.

There are two variants of this definition. The input m can be required to be chosen independently of \( crs \) or allowed to be chosen depending on \( crs \). Clearly, the adaptive variant implies the non-adaptive (or static) variant. Interestingly, the opposite direction is true as well by an “indirection” argument similar to the one from the work on universal samplers [25]. A similar technique was used in the context of non-committing encryption [11] and adaptively secure MPC [12].

Theorem 2

Let \(\alpha \in \{\approx _{\mathsf{c}}, \equiv _{\mathsf{s}}\}\) and \(\beta \in \{\mathsf{rand}, \mathsf{det}\}\). If \(\mathsf{cPREH}_{{\alpha }}^{{\beta }}\) is true, then \(\mathsf{acPREH}_{{\alpha }}^{{\beta }}\) is true.

Proof

We prove the statement for the computational randomized case. A very similar proof applies to the remaining cases.

Let \(S\) be a PPT sampler with input space \(L\). Since \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is true, for the PPT sampler \(S\), there exist \((\mathsf{Setup}_{S}', \mathsf {E}_{S}', \mathsf {D}_{S}')\) with output length \(n'(\lambda )\) such that correctness and pseudorandomness hold (statically). Again, since \(\mathsf{cPREH}_{{\approx _{\mathsf{c}}}}^{{\mathsf{rand}}}\) is true, for the PPT sampler \(\mathsf{Setup}_{S}'\), there exist \((\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}'')\) with output length \(n''(\lambda )\) such that correctness and pseudorandomness hold (statically).Footnote 8 Note that \(\mathsf{Setup}_{S}'\) does not expect an input.

In Fig. 6, we define algorithms \((\mathsf{Setup}_S, \mathsf {E}_{S}, \mathsf {D}_{S})\) satisfying adaptive correctness and pseudorandomness.

Fig. 6.
figure 6

Adaptive pseudorandom encodings.

Full size image

On a high level, since \( crs '\) is chosen freshly and independently after the adversary fixes the message m, selective security suffices. Furthermore, since the distribution of \( crs '\) has no input, selective security is sufficient.

Fig. 7.
figure 7

Hybrid games for the proof of adaptive correctness.

Full size image

Adaptive correctness. We define a series of hybrid games to prove correctness, see Fig. 7. Game \(\mathbf{G}_0\) corresponds to encoding and subsequently decoding a sample y (for adaptively chosen input m) and game \(\mathbf{G}_1\) is simply a reordering of the commands of \(\mathbf{G}_0\). The game hop from \(\mathbf{G}_0\) to \(\mathbf{G}_1\) only conceptional and \(\Pr [out_{0}=1]=\Pr [out_{1}=1]\).

Claim

For all PPT adversaries \(\mathcal {A}\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{2}=1]-\Pr [out_{1}=1]|\le \epsilon ^{\mathsf{c-dec-error}}_{(\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}''), \overline{\mathcal {A}}}(\lambda )\).

Proof

The games \(\mathbf{G}_1\) and \(\mathbf{G}_2\) proceed exactly identically if \( crs '_D= crs '\). Let E be the event that \( crs '\ne crs '_D\). We have that \(out_{1}=1\wedge \lnot E\Leftrightarrow out_{2}\wedge \lnot E\). Due to correctness of \((\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}'')\),

$$\begin{aligned} \Pr \left[ \begin{array}{ccl} crs ''&{}\leftarrow &{}\mathsf{Setup}(1^{\lambda })\\ crs '&{}\leftarrow &{}\mathsf{Setup}_{S}'(1^{\lambda })\\ r_1&{}\leftarrow &{}\mathsf {E}_{}''( crs '', crs ')\\ crs '_D&{}:=&{}\mathsf {D}_{}''( crs '', r_1) \end{array} : crs '_D\ne crs ' \right] \end{aligned}$$

is negligible. Hence, the Difference Lemma (due to Shoup, [37]) upper bounds

$$\begin{aligned} |*|{\Pr [out_{2}=1]-\Pr [out_{1}=1]}\le \Pr [E]\text {.} \end{aligned}$$

   \(\square \)

The game hop from \(\mathbf{G}_2\) to \(\mathbf{G}_3\) only conceptional and \(\Pr [out_{2}=1]=\Pr [out_{3}=1]\).

Claim

For all PPT adversaries \(\mathcal {A}\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(\Pr [out_{3}=1]\ge 1-\epsilon ^{\mathsf{c-dec-error}}_{(\mathsf{Setup}_S', \mathsf {E}_{S}', \mathsf {D}_{S}'), \overline{\mathcal {A}}}(\lambda )\).

Proof

Due to correctness of \((\mathsf{Setup}_S', \mathsf {E}_{S}',\mathsf {D}_{S}')\), we have that for all PPT adversaries \(\overline{\mathcal {A}}\),

$$\begin{aligned} \Pr \left[ \begin{array}{ccl} m&{}\leftarrow &{}\overline{\mathcal {A}}(1^{\lambda })\\ crs '&{}\leftarrow &{}\mathsf{Setup}_S'(1^{\lambda })\\ y&{}\leftarrow &{}S(m)\\ r&{}\leftarrow &{}\mathsf {E}_{S}'( crs ', m, y)\\ y_D&{}:=&{}\mathsf {D}_{S}'( crs ', m, r) \end{array} :y=y_D\right] \end{aligned}$$

is overwhelming. Therefore, for all PPT adversaries \(\mathcal {A}\), \(\Pr [out_{3}=1]\) is overwhelming. \(\square \)

Adaptive Pseudorandomness. We define a series of hybrid games to prove pseudorandomness, see Fig. 8.

Fig. 8.
figure 8

Hybrid games for the proof of adaptive pseudorandomness.

Full size image

Game \(\mathbf{G}_0\) corresponds to the adaptive pseudorandomness game. That is, \(\mathbf{G}_0\) first samples \( crs ''\), the adversary \(\mathcal {A}\) chooses the message m adaptively depending on \( crs ''\), and \(\mathbf{G}_0\) then samples y using \(S(m)\), encodes that sample and gives the encoding to \(\mathcal {A}\).

Claim

For all PPT adversaries \(\mathcal {A}\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{1}=1]-\Pr [out_{0}=1]|\le Adv ^{\mathsf{crs-pre}}_{(\mathsf{Setup}_{S}', \mathsf {E}_{S}', \mathsf {D}_{S}'), \overline{\mathcal {A}}}(\lambda )\).

Proof

Construct an adversary \(\overline{\mathcal {A}}\) on static pseudorandomness relative to \((\mathsf{Setup}_{S}',\mathsf {E}_{S}',\mathsf {D}_{S}')\) as follows. On input of \(1^{\lambda }\), \(\overline{\mathcal {A}}\) samples \( crs ''\leftarrow \mathsf{Setup}''(1^{\lambda })\) calls \(\mathcal {A}\) on input of \( crs ''\), and outputs the message m produced by \(\mathcal {A}\). In return, \(\overline{\mathcal {A}}\) receives \( crs '\leftarrow \mathsf{Setup}_S'(1^{\lambda })\) and either \(u:=\mathsf {E}_{S}'( crs ', m, S(m))\) or a uniform random string \(u\leftarrow \{0, 1\}^{n'(\lambda )}\) from \( Exp ^{\mathsf{crs-pre}}_{(\mathsf{Setup}_{S}', \mathsf {E}_{S}', \mathsf {D}_{S}'), \mathcal {A},b}(\lambda )\). \(\overline{A}\) computes \(r_1\leftarrow \mathsf {E}_{}''( crs '', crs ')\), calls \(\mathcal {A}\) on input of \(( crs '', m, r_1\mathbin {\Vert }u)\) and returns \(\mathcal {A}\)’s output.

If \(\overline{\mathcal {A}}\) plays \( Exp ^{\mathsf{crs-pre}}_{(\mathsf{Setup}_{S}', \mathsf {E}_{S}', \mathsf {D}_{S}'),\overline{\mathcal {A}},0}(\lambda )\), then it perfectly simulates \(\mathbf{G}_0\). On the other hand, if \(\overline{\mathcal {A}}\) plays \( Exp ^{\mathsf{crs-pre}}_{(\mathsf{Setup}_{S}', \mathsf {E}_{S}', \mathsf {D}_{S}'), \overline{\mathcal {A}},1}(\lambda )\), then it perfectly simulates \(\mathbf{G}_1\).\(\square \)

The game hop from \(\mathbf{G}_1\) to \(\mathbf{G}_2\) is only conceptional and \(\Pr [out_{2}=1]=\Pr [out_{1}=1]\).

Claim

For all PPT adversaries \(\mathcal {A}\), there exists a PPT adversary \(\overline{\mathcal {A}}\), such that \(|\Pr [out_{3}=1]-\Pr [out_{2}=1]|\le Adv ^{\mathsf{crs-pre}}_{(\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}''), \overline{\mathcal {A}}}(\lambda )\).

Proof

Construct an adversary \(\overline{\mathcal {A}}\) on static pseudorandomness relative to \((\mathsf{Setup}'',\mathsf {E}_{}'',\mathsf {D}_{}'')\) as follows. On input of \(1^{\lambda }\), \(\overline{\mathcal {A}}\) returns \(\bot \) since the input space \(L\) of the sampler \(\mathsf{Setup}_{S}'(1^{\lambda })\) is empty. In return, \(\overline{\mathcal {A}}\) receives \( crs ''\) sampled via \(\mathsf{Setup}''(1^{\lambda })\) and u which is either produced via \(\mathsf {E}_{}''( crs '', \mathsf{Setup}'(1^{\lambda }))\) or via uniform sampling from \(\{0, 1\}^{n''(\lambda )}\). \(\overline{\mathcal {A}}\) calls \(\mathcal {A}\) on input of \( crs ''\) and receives a message m from \(\mathcal {A}\). Finally, \(\overline{\mathcal {A}}\) samples \(r_2\leftarrow \{0, 1\}^{n'(\lambda )}\), calls \(\mathcal {A}\) on input of \(( crs '', m, u\mathbin {\Vert }r_2)\) and outputs his output.

If \(\overline{\mathcal {A}}\) plays \( Exp ^{\mathsf{crs-pre}}_{(\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}''),\overline{\mathcal {A}},0}(\lambda )\), then it perfectly simulates \(\mathbf{G}_2\). On the other hand, if \(\overline{\mathcal {A}}\) plays \( Exp ^{\mathsf{crs-pre}}_{(\mathsf{Setup}'', \mathsf {E}_{}'', \mathsf {D}_{}''),\overline{\mathcal {A}},1}(\lambda )\), then it perfectly simulates \(\mathbf{G}_3\). \(\square \)

\(\square \)