Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography
April 13, 2004
Lecture 3: One-Way Encryption, RSA Example
Lecturer: Stanislaw Jarecki

1 Lecture Summary

We look at a different security property one might require of encryption, namely one-way security. The notion is natural and seems like a minimal requirement on an encryption scheme. It makes sense for both symmetric and public-key encryption schemes.

To make the discussion more concrete, we look at the so-called textbook variant of the RSA encryption, and see how to pick keys in relation to the security parameter so that the best algorithms that invert RSA are either inefficient or have only negligible advantage.

We will also see that while the textbook RSA can plausibly be one-way secure, it is definitely not secure in the sense of indistinguishability (this security property of encryption schemes was defined in the last class). This shows us that one-wayness is a weaker notion than indistinguishability.

2 One-Way Security for Encryption

In the last lecture we developed the computational version (relaxation) of the perfect secrecy security property for encryption schemes, which we called indistinguishability of encryption. This notion is pretty strong, and today we'll look at a weaker notion of security for encryption, namely one-way security. In essence, we say that an encryption scheme is one-way secure if it is infeasible to decrypt ciphertexts of random plaintexts (i.e. randomly chosen from a big-enough message space). Here is the formal definition, first for the case of symmetric encryption schemes:

Definition 1 (one-way secure (symmetric) encryption) We call a (symmetric) encryption scheme = ( KGen,Enc,Dec ) one-way secure for (family of) message spaces {M } =1 , 2 ,... if for all PPT algorithms A , the following holds: Adv A ( ) = Prob [ A ( c ) = m | k KGen (1 ); m M ; c Enc ( k,m )] negl ( )

And here is the corresponding definition for public-key encryption schemes. The only real difference is that here the adversary sees the public key used to encrypt messages:

Definition 2 (one-way secure (public key) encryption) We call a (public-key) encryption scheme = ( KGen,Enc,Dec ) one-way secure for (family of) message spaces {M } =1 , 2 ,... if for all PPT algorithms A , the following holds: Adv A ( ) = Prob [ A ( PK,c ) = m | ( SK,PK ) KGen (1 ); m M ; c Enc ( PK,m )] negl ( )

Discussion. The one-wayness of encryption seems to be a pretty minimal requirement needed of an encryption scheme. Suppose, on the contrary, that an encryption scheme is not one-way. This would mean that there exists an efficient algorithm A which has a non-negligible chance of success in decrypting an encryption of a random message. Notice that in any application of an encryption scheme, the encryption/decryption keys are going to be picked by a (random) run of the KGen (1 ) algorithm, which is just like in the one-wayness game the adversary plays with an encryption scheme...
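The public-key one-wayness game of Definition 2, run against textbook RSA, as an added example that is not part of the lecture notes. The toy primes, all function names, and the two-message form of the indistinguishability game (which the notes define in an earlier lecture) are assumptions made here; the example shows why the message space must be big enough and why deterministic textbook RSA fails indistinguishability.

```python
import secrets

# Constructed toy parameters: primes far too small for real use.
P, Q, E = 1009, 1013, 65537

def kgen():
    """Return (PK, SK) for textbook RSA over the toy modulus."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))

def enc(pk, m):
    n, e = pk
    return pow(m, e, n)      # deterministic: no randomness, no padding

def dec(sk, c):
    n, d = sk
    return pow(c, d, n)

def one_way_game(adversary, space_size, trials=200):
    """Fraction of trials in which A(PK, c) returns the random plaintext m."""
    wins = 0
    for _ in range(trials):
        pk, _sk = kgen()
        m = secrets.randbelow(space_size)     # m drawn uniformly from M
        wins += adversary(pk, enc(pk, m), space_size) == m
    return wins / trials

def guessing_adversary(pk, c, space_size):
    """Ignores c; succeeds with probability 1/|M|."""
    return secrets.randbelow(space_size)

def exhaustive_adversary(pk, c, space_size):
    """Re-encrypts every candidate; feasible only when M is small."""
    return next(m for m in range(space_size) if enc(pk, m) == c)

def ind_game(distinguisher, m0, m1, trials=200):
    """Two-message indistinguishability game (assumed standard form)."""
    wins = 0
    for _ in range(trials):
        pk, _sk = kgen()
        b = secrets.randbelow(2)
        wins += distinguisher(pk, m0, m1, enc(pk, (m0, m1)[b])) == b
    return wins / trials

def reencrypt_distinguisher(pk, m0, m1, c):
    """Deterministic encryption lets anyone holding PK test a guess."""
    return 0 if enc(pk, m0) == c else 1

if __name__ == "__main__":
    print("guessing, |M|=1000:  ", one_way_game(guessing_adversary, 1000))
    print("exhaustive, |M|=1000:", one_way_game(exhaustive_adversary, 1000))
    print("IND distinguisher:   ", ind_game(reencrypt_distinguisher, 42, 4242))
```

With a message space of 1000 elements the exhaustive adversary always wins the one-way game, which is why the definition quantifies over a family of message spaces that grows with the security parameter; the distinguisher wins the indistinguishability game regardless of message-space size.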

This note was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
