ICS 180: Introduction to Cryptography
April 15, 2004
Lecture 4: One-Way Encryption vs. Indistinguishability
Lecturer: Stanislaw Jarecki

1 Lecture Summary

Last time we saw an example of an encryption scheme, the “textbook RSA” scheme, which can be one-way secure (that’s exactly the belief expressed in the “RSA assumption”) but is not secure in the sense of indistinguishability. Now we’ll see that any one-way encryption might have some bad characteristics that make it not indistinguishably secure. With these arguments we’ll try to convince you that the one-way security requirement on encryption is in fact not enough in practice.

2 One-Way Secure Encryption Can Leak Some Messages

We’ll first show that an encryption scheme can be one-way secure and yet it can totally leak some messages. In fact, if an encryption scheme is one-way secure on some reasonable message space, for example $M_\tau = \{0,1\}^\tau$ where $\tau$ is the security parameter, then it can very well be that there is a polynomially-sized subset $M'_\tau \subset \{0,1\}^\tau$ of messages (i.e. $|M'_\tau| \le p(\tau)$ for some polynomial $p(\cdot)$)$^1$, s.t. when the encryption scheme is applied to any message $m \in M'_\tau$, the adversary can immediately recover $m$ from the ciphertext.

You might be tempted to think that since the size of this bad-message space $M'_\tau$ is negligible compared to $M_\tau$, because $|M'_\tau| / |M_\tau| = p(\tau)/2^\tau < \mathrm{negl}(\tau)$, maybe it follows that one is unlikely to encounter any $m$ in this subset $M'_\tau$? But that’s not the right argument, because this encryption scheme can be bad for any set $M'_\tau \subset \{0,1\}^\tau$, including the set of messages which are in fact the most likely ones that will get encrypted in a given application. For example, $M'_\tau$ can contain “yes”, “no”, “nothing new”, etc., and these might be what someone often wants to send....
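The claim above as a runnable sketch, added here and not taken from the lecture notes: textbook RSA (assumed one-way, per the RSA assumption) is wrapped so that a small set $M'_\tau$ of likely messages is sent in the clear behind a flag bit. The toy key, the flag-bit construction and all function names are assumptions made for illustration.

```python
import secrets

# Toy textbook-RSA key (constructed; both primes are Mersenne primes, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
TAU = 88  # message space M_tau = {0,1}^tau, encoded as integers below 2**TAU < N

def to_int(text):
    return int.from_bytes(text.encode(), "big")

# M'_tau: a polynomially-sized set of bad messages, here the likely ones named in the notes.
BAD = {to_int(s) for s in ("yes", "no", "nothing new")}

def enc(m):
    """Modified scheme: a flag bit plus either m itself (m in M') or textbook RSA of m."""
    return (1, m) if m in BAD else (0, pow(m, E, N))

def dec(c):
    """Decryption with the private exponent; shows the modified scheme is still correct."""
    flag, body = c
    return body if flag == 1 else pow(body, D, N)

def adversary(c):
    """Key-less adversary: reads m off the ciphertext whenever the flag is set."""
    flag, body = c
    return body if flag == 1 else None

def one_way_wins(trials):
    """One-way game: m is uniform in M_tau, so this adversary wins only if m lands in M'."""
    wins = 0
    for _ in range(trials):
        m = secrets.randbits(TAU)
        wins += adversary(enc(m)) == m
    return wins

def leaked_bad_messages():
    """Count the messages in M' that are recovered from their ciphertext."""
    return sum(adversary(enc(m)) == m for m in BAD)
```

With a uniform message the flag path is hit with probability $3/2^{88}$ per trial, so the one-way game is unaffected, yet the three messages an application is most likely to send are recovered every time.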
This note was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.