This preview shows pages 1–2. Sign up to view the full content.
U.C. Berkeley — CS276: Cryptography
Lecture Date: 5 March 2002
Professors Luca Trevisan and David Wagner
Scribe: Samantha Riesenfeld
Lecture 13: Left or Right Security
The focus of this lecture is LeftorRight (LOR) security, which was deFned at the end
of the last lecture. We will discuss some of the implications of LOR security in terms of
other concepts of security, as well as some systems that are provably LOR secure. ±irst we
review the deFnition of LOR security:
Defnition 1 (LeFt or Right Security)
Let
§
i
(
x
0
,x
1
)=
x
i
. Thenane
c
ryp
t
ionsy
s
tem
E
is
(
t, q, μ, ±
)
secure in the LOR sense against CPA if for all adversaries
A
running in
time
t
and making
q
queries of total length at most
μ
,
±
±
±
Pr
i,k
[
A
E
k
◦§
0
=1
]
−
Pr
i,k
[
A
E
k
◦§
1
=1
]
±
±
±
≤
±.
Note that we require that

x

=

y

for oracle call
(
x, y
)
.
Informally, this deFnition means that
A
cannot tell, except with low probability, whether
on input (
x, y
), the oracle returns the ecryption of
x
or the encryption of
y
. LOR security is
a very strong notion of security. We will show that it implies security against key recovery
attacks and security against CPA.
Theorem 1
LOR security implies security against key recovery attacks.
Proof:
If
A
E
k
is a keyrecovery attack, we create
B
E
k
◦§
i
to be an LOR attack.
Let
O
=
E
k
◦§
i
. DeFne
B
O
as follows:
1. Let
k
0
←
A
f
where
f
(
m
)=
O
(
m, m
), so
k
0
is the decryption key.
2.Let
c
←O
(
R, R
0
)where
R, R
0
∈
R
M
, i.e.
R
and
R
0
are messages drawn at random
from the same message space
M
.
3. If
D
k
0
(
c
)=
R
, output 1; else output 0.
When
A
succeeds in recovering the correct key, then
B
almost always succeds in distin
guishing whether the left or right message is being encrypted by
O
. The only case when
B
may fail though
A
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
This is the end of the preview. Sign up
to
access the rest of the document.
This note was uploaded on 02/04/2008 for the course CS 276 taught by Professor Trevisan during the Spring '02 term at University of California, Berkeley.
 Spring '02
 Trevisan

Click to edit the document details