U.C. Berkeley — CS276: Cryptography
Lecture Date: 5 March 2002
Professors Luca Trevisan and David Wagner
Scribe: Samantha Riesenfeld
Lecture 13: Left or Right Security
The focus of this lecture is Left-or-Right (LOR) security, which was defined at the end
of the last lecture. We will discuss some of the implications of LOR security in terms of
other concepts of security, as well as some systems that are provably LOR secure. First we
review the definition of LOR security:
Definition 1 (Left or Right Security)
Let $§_i(x_0, x_1) = x_i$. Then an encryption system $E$ is $(t, q, \mu, )$ secure in the LOR sense against CPA if for all adversaries $A$ running in time $t$ and making $q$ queries of total length at most $\mu$,

$$\Pr_{i,k}[A^{E_k \circ §_0} = 1] - \Pr_{i,k}[A^{E_k \circ §_1} = 1] \le .$$

Note that we require that $|x| = |y|$ for oracle call $(x, y)$.
Informally, this definition means that $A$ cannot tell, except with low probability, whether
on input $(x, y)$, the oracle returns the encryption of $x$ or the encryption of $y$. LOR security is
a very strong notion of security. We will show that it implies security against key recovery
attacks and security against CPA.
Theorem 1 LOR security implies security against key recovery attacks.
Proof: If $A^{E_k}$ is a key-recovery attack, we create $B^{E_k \circ §_i}$ to be an LOR attack.
Let $O = E_k \circ §_i$. Define $B^O$ as follows:
1. Let $k \leftarrow A^f$ where $f(m) = O(m, m)$, so $k$ is the decryption key.
2. Let $c \leftarrow O(R, R)$ where $R, R \in_R M$, i.e. $R$ and $R$ are messages drawn at random from the same message space $M$.
3. If $D_k(c) = R$, output 1; else output 0.
When $A$ succeeds in recovering the correct key, then $B$ almost always succeeds in distinguishing
whether the left or right message is being encrypted by $O$. The only case when $B$ may fail
though $A$ is successful is when $R = R$. A big enough message space eliminates
this problem.
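The reduction in this proof, run against a toy cipher, as an added example that is not part of the original notes. The XOR scheme, the one-query key-recovery adversary, the names `r_left` and `r_right`, and the choice to output 1 when `c` decrypts to the left message are all assumptions made for illustration.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy scheme (constructed, deliberately weak): E_k(m) = m XOR k = D_k(m).
def encrypt(k, m):
    return xor(k, m)

def decrypt(k, c):
    return xor(k, c)

def make_lor_oracle(k, i):
    """O = E_k composed with the selector: O(x0, x1) returns E_k(x_i)."""
    def oracle(x0, x1):
        if len(x0) != len(x1):
            raise ValueError("LOR queries must have equal length")
        return encrypt(k, (x0, x1)[i])
    return oracle

def key_recovery_adversary(f, nbytes):
    """A^f: one chosen-plaintext query on the all-zero message reveals k."""
    return f(bytes(nbytes))

def lor_adversary(oracle, nbytes):
    """B^O, following the three steps of the proof."""
    # Step 1: f(m) = O(m, m) equals E_k(m) whichever side the oracle picks.
    k_guess = key_recovery_adversary(lambda m: oracle(m, m), nbytes)
    # Step 2: query the oracle on two independent random messages.
    r_left, r_right = secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)
    c = oracle(r_left, r_right)
    # Step 3 (assumed convention): output 1 if c decrypts to the left message.
    return 1 if decrypt(k_guess, c) == r_left else 0

def estimate_advantage(nbytes, trials=2000):
    """Empirical |Pr[B = 1 | left world] - Pr[B = 1 | right world]|."""
    ones = [0, 0]
    for i in (0, 1):
        for _ in range(trials):
            oracle = make_lor_oracle(secrets.token_bytes(nbytes), i)
            ones[i] += lor_adversary(oracle, nbytes)
    return abs(ones[0] - ones[1]) / trials

if __name__ == "__main__":
    print("16-byte messages:", estimate_advantage(16))  # collisions negligible
    print(" 1-byte messages:", estimate_advantage(1))   # B errs when the two collide
```

With 1-byte messages the two random messages coincide about once in 256 trials, which is the failure case the proof mentions; at 16 bytes it does not occur in practice.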