A Concrete Introduction to Higher Algebra, 2nd Edition

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
U.C. Berkeley — CS276: Cryptography Lecture Date: 5 March 2002 Professors Luca Trevisan and David Wagner Scribe: Samantha Riesenfeld Lecture 13: Left or Right Security The focus of this lecture is Left-or-Right (LOR) security, which was deFned at the end of the last lecture. We will discuss some of the implications of LOR security in terms of other concepts of security, as well as some systems that are provably LOR secure. ±irst we review the deFnition of LOR security: Defnition 1 (LeFt or Right Security) Let § i ( x 0 ,x 1 )= x i . Thenane c ryp t ionsy s tem E is ( t, q, μ, ± ) -secure in the LOR sense against CPA if for all adversaries A running in time t and making q queries of total length at most μ , ± ± ± Pr i,k [ A E k ◦§ 0 =1 ] Pr i,k [ A E k ◦§ 1 =1 ] ± ± ± ±. Note that we require that | x | = | y | for oracle call ( x, y ) . Informally, this deFnition means that A cannot tell, except with low probability, whether on input ( x, y ), the oracle returns the ecryption of x or the encryption of y . LOR security is a very strong notion of security. We will show that it implies security against key recovery attacks and security against CPA. Theorem 1 LOR security implies security against key recovery attacks. Proof: If A E k is a key-recovery attack, we create B E k ◦§ i to be an LOR attack. Let O = E k ◦§ i . DeFne B O as follows: 1. Let k 0 A f where f ( m )= O ( m, m ), so k 0 is the decryption key. 2.Let c ←O ( R, R 0 )where R, R 0 R M , i.e. R and R 0 are messages drawn at random from the same message space M . 3. If D k 0 ( c )= R , output 1; else output 0. When A succeeds in recovering the correct key, then B almost always succeds in distin- guishing whether the left or right message is being encrypted by O . The only case when B may fail though A
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 02/04/2008 for the course CS 276 taught by Professor Trevisan during the Spring '02 term at University of California, Berkeley.

Page1 / 4

Mar 05 notes - U.C Berkeley CS276 Cryptography Professors Luca Trevisan and David Wagner Lecture Date 5 March 2002 Scribe Samantha Riesenfeld

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online