Lecture 4: One-Way Encryption vs. Indistinguishability


ICS 180: Introduction to Cryptography
April 15, 2004
Lecture 4: One-Way Encryption vs. Indistinguishability
Lecturer: Stanislaw Jarecki

1 Lecture Summary

Last time we saw an example of an encryption scheme, the “textbook RSA” scheme, which can be one-way secure (that’s exactly the belief expressed in the “RSA assumption”) but is not secure in the sense of indistinguishability. Now we’ll see that any one-way encryption might have some bad characteristics that make it not indistinguishably secure. With these arguments we’ll try to convince you that the one-way security requirement on encryption is in fact not enough in practice.

2 One-Way Secure Encryption Can Leak Some Messages

We’ll first show that an encryption scheme can be one-way secure and yet it can totally leak some messages. In fact, if an encryption scheme is one-way secure on some reasonable message space, for example $M_\tau = \{0,1\}^\tau$ where $\tau$ is the security parameter, then it can very well be that there is a polynomially-sized subset $M'_\tau \subset \{0,1\}^\tau$ of messages (i.e. $|M'_\tau| \le p(\tau)$ for some polynomial $p(\cdot)$), s.t. when the encryption scheme is applied to any message $m \in M'_\tau$, the adversary can immediately recover $m$ from the ciphertext.

You might be tempted to think that since the size of this bad-message space $M'_\tau$ is negligible compared to $M_\tau$, because $|M'_\tau| / |M_\tau| = p(\tau) / 2^\tau < \mathrm{negl}(\tau)$, maybe it follows that one is unlikely to encounter any $m$ in this subset $M'_\tau$? But that’s not the right argument, because this encryption scheme can be bad for any set $M'_\tau \subset \{0,1\}^\tau$, including the set of messages which are in fact the most likely ones that will get encrypted in a given application. For example, $M'_\tau$ can contain “yes”, “no”, “nothing new”, etc., and these might be what someone often wants to send....
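As an added illustration (not taken from the lecture notes): one standard way to obtain such a scheme is to wrap a base scheme E so that messages in the bad set are published in the clear. The toy textbook-RSA parameters, the set `BAD_SET` and all function names below are assumptions made for this sketch.

```python
import secrets

# Toy textbook-RSA base scheme E (constructed parameters: two Mersenne primes,
# far too small for real use). Messages are integers in {0,1}^TAU.
P, Q, E_EXP, TAU = 2**31 - 1, 2**61 - 1, 65537, 88
N = P * Q
D = pow(E_EXP, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def to_int(text):
    return int.from_bytes(text.encode(), "big")

# Hypothetical bad set M': the messages an application sends most often.
BAD_SET = {to_int(s) for s in ("yes", "no", "nothing new")}

def leaky_encrypt(m):
    """E'(m): publish m itself if m is in M', otherwise fall back to E(m)."""
    if m in BAD_SET:
        return ("leak", m)
    return ("enc", pow(m, E_EXP, N))

def leaky_decrypt(c):
    tag, body = c
    return body if tag == "leak" else pow(body, D, N)

def adversary(c):
    """Sees only the ciphertext; succeeds exactly when the message was in M'."""
    tag, body = c
    return body if tag == "leak" else None

def one_way_experiment(trials=2000):
    """One-wayness game: m is uniform in {0,1}^TAU. Count adversary wins.
    A uniform m lands in M' with probability |M'| / 2^TAU, so E' is
    as one-way as E up to that negligible term."""
    wins = 0
    for _ in range(trials):
        m = secrets.randbits(TAU)
        wins += adversary(leaky_encrypt(m)) == m
    return wins

def likely_message_experiment():
    """Same adversary, but messages are the ones users actually send."""
    return sum(adversary(leaky_encrypt(m)) == m for m in BAD_SET)

if __name__ == "__main__":
    print("wins on uniform messages:", one_way_experiment(), "of 2000")
    print("wins on likely messages:", likely_message_experiment(), "of", len(BAD_SET))
```
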

This note was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
