This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: ICS 180: Introduction to Cryptography April 13, 2004 Lecture 3: OneWay Encryption, RSA Example Lecturer: Stanislaw Jarecki 1 L ECTURE S UMMARY We look at a different security property one might require of encryption, namely oneway security . The notion is natural and seems like a minimal requirement on an encryption scheme. It makes sense for both symmetric and publickey encryption schemes. To make the discussion more concrete, we look at the socalled textbook variant of the RSA encryption, and see how to pick keys in relation to the security parameter so that the best algorithms that invert RSA are either inefficient or have only negligible advantage. We will also see that while the textbook RSA can plausibly be one way secure, it is definitely not secure in the sense of indistinguishabibility (this security property of encryption schemes was defined in the last class). This shows us that onewayness is a weaker notion than indistinguishability. 2 OneWay Security for Encryption In the last lecture we developed the computational version (relaxation) of the perfect secrecy security property for encryption schemes, which we called indistinguishability of encryption. This notion is pretty strong, and today well look at a weaker notion of security for encryption, namely oneway security . In essence, we say that an encryption scheme is oneway secure if it is infeasible to decrypt ciphertexts of random plaintexts (i.e. randomly chosen from a bigenough message space). Here is the formal definition, first for the case of symmetric encryption schemes: Definition 1 (oneway secure (symmetric) encryption) We call a (symmetric) encryption scheme = ( KGen,Enc,Dec ) oneway secure for (family of) message spaces {M } =1 , 2 ,... if for all PPT algorithms A , the following holds: Adv A ( ) = Prob [ A ( c ) = m  k KGen (1 ); m M ; c Enc ( k,m )] negl ( ) And here is the corresponding definition for publickey encryption schemes. The only real difference is that here the adversary sees the public key used to encrypt messages: Definition 2 (oneway secure (public key) encryption) We call a (publickey) encryption scheme = ( KGen,Enc,Dec ) oneway secure for (family of) message spaces {M } =1 , 2 ,... if for all PPT algorithms A , the following holds: Adv A ( ) = Prob [ A ( PK,c ) = m  ( SK,PK ) KGen (1 ); m M ; c Enc ( PK,m )] negl ( ) L31 Discussion. The onewayness of encryption seems to be a pretty minimal requirement needed of an encryption scheme. Suppose, on the contrary, that an encryption scheme is not oneway. This would mean that there exists an efficient algorithm A which has a nonnegligible chance of success in decrypting an encryption of a random message. Notice that in any application of an encryption scheme, the encryption/decryption keys are going to be picked by a (random) run of the KGen (1 ) algorithm, which is just like in the onewayness game the adversary plays with an encryption scheme...
View
Full
Document
This note was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
 Spring '04
 Jarecki

Click to edit the document details