Applied Cryptography - Protocols, Algorithms, and Source Code in C

If she does Alice and Bob will end up with different


ent implementations have changed that.

The point behind probabilistic encryption is to eliminate any information leaked with public-key cryptography. Because a cryptanalyst can always encrypt random messages with a public key, he can get some information. Assuming he has ciphertext $C = E_K(M)$ and is trying to recover plaintext message $M$, he can pick a random message $M'$ and encrypt it: $C' = E_K(M')$. If $C' = C$, then he guessed the correct plaintext. If it’s wrong, he just guesses again.

Also, no partial information is leaked about the original message. With public-key cryptography, sometimes a cryptanalyst can learn things about the bits: The XOR of bits 5, 17, and 39 is 1, and so on. With probabilistic encryption, even this type of information remains hidden.

Not a whole lot of information is to be gained here, but there are potential problems with allowing a cryptanalyst to encrypt random messages with your public key. Some information is being leaked to the cryptanalyst every time he encrypts a message. No one really knows how much.

Probabilistic encryption tries to eliminate that leakage. The goal is that no computation on the ciphertext, or on any other trial plaintexts, can give the cryptanalyst any information about the corresponding plaintext.

In probabilistic encryption, the encrypting algorithm is probabilistic rather than deterministic. In other words, a large number of ciphertexts will decrypt to a given plaintext, and the particular ciphertext used in any given encryption is randomly chosen.

$C_1 = E_K(M),\ C_2 = E_K(M),\ C_3 = E_K(M),\ \ldots,\ C_i = E_K(M)$

$M = D_K(C_1) = D_K(C_2) = D_K(C_3) = \cdots = D_K(C_i)$

With probabilistic encryption, a cryptanalyst can no longer encrypt random plaintexts looking for the correct ciphertext. To illustrate, assume the cryptanalyst has ciphertext $C_i = E_K(M)$. Even if he guesses $M$ correctly, when he encrypts $E_K(M)$, the result will be a completely different $C$: $C_j$. He cannot compare $C_i$ and $C_j$, and so cannot know that he has guessed the message correctly.

This is amazingly cool stuff. Even if a cryptanalyst has the public encryption key, the plaintext, and...
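The contrast described above, as an added example that is not from the book: textbook RSA stands in for deterministic public-key encryption, and Goldwasser-Micali bit encryption is used as one concrete probabilistic scheme (the excerpt does not name a scheme). The primes, exponent, and message value are constructed toy values, far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumptions for illustration only).
P, Q = 499, 547          # both primes are 3 mod 4, so -1 is a non-residue mod each
N = P * Q
E = 5                    # textbook RSA exponent, coprime to (P-1)*(Q-1)
X = N - 1                # public non-residue for Goldwasser-Micali

def rsa_encrypt(m):
    """Deterministic: the same M always produces the same C."""
    return pow(m, E, N)

def gm_encrypt_bit(b):
    """Probabilistic: C = r^2 * X^b mod N, with a fresh random r each call."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (r * r * pow(X, b, N)) % N

def gm_encrypt(m, nbits=8):
    """Encrypt an nbits-wide integer one bit at a time, least significant first."""
    return [gm_encrypt_bit((m >> i) & 1) for i in range(nbits)]

def gm_decrypt(cs):
    """Needs the factor P: a bit is 0 iff c is a quadratic residue mod P."""
    m = 0
    for i, c in enumerate(cs):
        bit = 0 if pow(c, (P - 1) // 2, P) == 1 else 1
        m |= bit << i
    return m

def guess_by_reencryption(target, encrypt, candidates):
    """The trial-encryption check from the text: keep M' where E_K(M') == C."""
    return [m for m in candidates if encrypt(m) == target]

if __name__ == "__main__":
    secret = 77          # constructed sample plaintext
    c_det = rsa_encrypt(secret)
    c_prob = gm_encrypt(secret)
    # Deterministic scheme: the public key alone confirms the guess.
    print("RSA guesses confirmed:", guess_by_reencryption(c_det, rsa_encrypt, range(256)))
    # Probabilistic scheme: re-encrypting the right guess gives a different C_j.
    print("GM guesses confirmed: ", guess_by_reencryption(c_prob, gm_encrypt, range(256)))
    print("GM decrypts correctly:", gm_decrypt(c_prob) == secret)
```

The price of this construction is ciphertext expansion: every plaintext bit becomes a full residue modulo N.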

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
