3

I'm currently reading this classic paper "How To Simulate It", and in most of the definitions it uses the term probability ensemble to represent the message space. From my understanding a probability ensemble is like a stochastic process and a probability distribution is an instance of a stochastic process. For example, if we have $\{X_n\}_{n \in \mathbb{N}}$ then we can consider it equivalent to $X(n)$ where $n \in \mathbb{N}$, and $X(5)$ for example is an instance of the probability ensemble, a probability distribution.

I'm kind of confused about why we need to consider this structure for the plaintext space. Actually, it would make more sense to me since we consider a non-uniform $PPT$ to consider this structure as the ciphertext space, but probably this isn't the case. Can you help me clarify this?

mentallurg
tur11ng

3 Answers

2

I don't understand your plaintext space/ciphertext space distinction here. Could you try to clarify that part of your question?

As for $\{X_n\}_n$ vs $X(n)$, I would just say one reason to not consider probability ensembles as stochastic processes is that there is no reason to expect $X(n)$ and $X(n-1)$ to be connected in some way (say be a martingale, or have any other property a stochastic process might typically have). The main property you want from whatever way you formalize things is a mapping from integers to probability distributions, so you can coherently use the notion of "negligible" functions (where $f(n)\in\mathsf{negl}(n)$ if $f(n) = n^{-\omega(1)}$), which are very useful for analysis. This is really only relevant for asymptotic security though; for concrete security you'll typically set $n = 128$, and not work with arbitrary negligible functions (such as $f_0(n) = 2^{-(\log n)^2}$), and instead work with explicit inverse exponential functions ($f_1(n) = 2^{-n}$).

Mark Schultz-Wu
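Worked check of the two example functions named in this answer, added here and not part of the answer itself (writing $\log$ for $\log_2$):

$$f_0(n) = 2^{-(\log n)^2} = \left(2^{\log n}\right)^{-\log n} = n^{-\log n},$$

and since $\log n \to \infty$ the exponent is $-\omega(1)$, so $f_0(n) = n^{-\omega(1)}$ and $f_0 \in \mathsf{negl}(n)$. Likewise

$$f_1(n) = 2^{-n} = \left(2^{\log n}\right)^{-n/\log n} = n^{-n/\log n},$$

with $n/\log n = \omega(1)$, so $f_1$ is negligible as well. By contrast, for any fixed constant $c$ the function $n^{-c}$ has exponent $-O(1)$, so it is not in $\mathsf{negl}(n)$; a distinguishing advantage of $1/n^c$ is exactly what the asymptotic definitions call non-negligible.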
0

It was explained by Rafael Pass and Abhi Shelat in "A Course in Cryptography" [PS2010, Section 3.1: Computational Indistinguishability].


user1035648
0

Your understanding of an ensemble in this context is incorrect. An ensemble in this context is a sequence of probability distributions.

Given two probability distributions $X, Y$, you can consider the best-possible distinguishing probability (for distinguishers running in some bounded time) between a random sample from $X$ and a random sample from $Y$. You will get a number, and that is fine for concrete security. But if you want to consider asymptotic security, then you need to consider two infinite sequences of probability distributions $\{X_i\}_{i =1, \ldots}, \{Y_i\}_{i =1, \ldots}$ where the distributions are indexed by the security parameter.

I suggest looking at Katz-Lindell, "Introduction to Modern Cryptography (3rd edition)." They discuss this issue in Section 3.1 and more formally in Chapter 8 (especially Section 8.8).

user432944
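To make the "sequence of distributions indexed by the security parameter" point concrete, here is an added example that is not part of any answer above. An ensemble is modelled as a Python function from $n$ to a distribution (a dict of outcome to probability); the two ensembles are constructed for illustration: $X_n$ is uniform over $n$-bit strings and $Y_n$ is uniform over the $n$-bit strings other than the all-zero string. Comparing $X_n$ with $Y_n$ for one fixed $n$ gives a single number (the concrete-security view); comparing the ensembles gives a function of $n$, which is the object the asymptotic definitions bound by a negligible function.

```python
from fractions import Fraction
from itertools import product

# Constructed example ensembles: each is a function n -> distribution,
# where a distribution is a dict mapping an outcome to its probability.


def uniform_bits(n):
    """X_n: the uniform distribution over all n-bit strings."""
    return {bits: Fraction(1, 2 ** n) for bits in product((0, 1), repeat=n)}


def uniform_nonzero_bits(n):
    """Y_n: uniform over the n-bit strings other than the all-zero string."""
    outcomes = [bits for bits in product((0, 1), repeat=n) if any(bits)]
    return {bits: Fraction(1, len(outcomes)) for bits in outcomes}


def statistical_distance(p, q):
    """Total variation distance SD(p, q) = 1/2 * sum_s |p(s) - q(s)|."""
    support = set(p) | set(q)
    return sum(abs(p.get(s, 0) - q.get(s, 0)) for s in support) / 2


def best_distinguisher_advantage(p, q):
    """Advantage of the optimal, computationally unbounded distinguisher:
    it outputs 1 exactly on the outcomes that are more likely under p than
    under q. This advantage equals statistical_distance(p, q), so for a
    single pair of distributions 'indistinguishability' is just one number."""
    return sum(p[s] - q.get(s, 0) for s in p if p[s] > q.get(s, 0))


def ensemble_distance(x, y, ns):
    """Distance between two ensembles is not a number but a function of n."""
    return {n: statistical_distance(x(n), y(n)) for n in ns}


def bounded_by_inverse_exponential(distances):
    """Concrete-style check: SD(X_n, Y_n) <= 2^{-n} on every sampled n.
    (Negligibility itself is an asymptotic statement over all n and cannot
    be decided by sampling; this only confirms the explicit bound 2^{-n}.)"""
    return all(d <= Fraction(1, 2 ** n) for n, d in distances.items())


if __name__ == "__main__":
    dist = ensemble_distance(uniform_bits, uniform_nonzero_bits, range(1, 9))
    for n, d in dist.items():
        print(f"n={n}: SD(X_n, Y_n) = {d}")
    print("bounded by 2^-n:", bounded_by_inverse_exponential(dist))
```

For this pair, the only outcome favoured by $X_n$ is the all-zero string, so the best distinguisher's advantage is exactly $2^{-n}$, an explicit inverse exponential of the kind the first answer mentions for concrete security; the asymptotic statement "the ensembles are statistically indistinguishable" is the claim that this function of $n$ is negligible.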