Leo Reyzin. Notes for BU CAS CS 538.

8 Encryption: Semantic Security and Practical Issues

8.1 Semantic Security

Recall that for information-theoretic encryption, we had two definitions of security. Shannon secrecy focused on just two messages (much like the indistinguishability we defined for public-key encryption), and perfect secrecy focused on obtaining information from the encryption of a single message drawn at random from some distribution. This section defines the analogue of perfect secrecy for public-key encryption.

First of all, because we are interested in computational security, which is usually formulated in terms of asymptotics, we will have multiple distributions on the message space, one for each value of the security parameter k (Shannon didn't have to do this and could consider a single fixed message space, because he had no computational hardness requirements; we can do the same if we formulate everything in terms of concrete security for a particular k, as explained in the lecture on defining next-bit unpredictability for pseudorandom generators). We will restrict messages to be of length polynomial in k, and, because encryption cannot hide length, we will provide the adversary with information on the length of the message chosen.

Secondly, we can't require that there be no information about the plaintext in the ciphertext (of course there will be; in fact, the ciphertext, combined with the public key, uniquely determines the plaintext). Rather, we will say that this information is not usable in polynomial time: whatever function of the plaintext you can compute with the ciphertext, you can also compute without it.

And finally, we will give the adversary any auxiliary information it wants about the plaintext (this models information the adversary could obtain by other means, such as observing the behavior of various parties, etc.).
More precisely, let S be a randomized function that generates messages given the security parameter k; we require that there exist some polynomial p such that $|S(k)| < p(k)$. Note that we do not require S to be efficiently computable, or even computable at all. This is meant to model the distribution of messages that the encryptor wants to send. Let $f, h : \mathbb{N} \times \{0,1\}^* \to \{0,1\}^*$ be functions (not necessarily computable) that take the security parameter k and the message as inputs, and output some string whose length is polynomial in k (i.e., there must exist q such that $|f(k,m)| \le q(k)$ and $|h(k,m)| \le q(k)$). These are meant to model the information that the adversary is interested in, and the information that the adversary already has, ...
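The experiment the definition is building (a message sampler S, a target function f, side information h, and the message length handed to the adversary) can be run exactly on a toy-sized message space. The Python harness below is an added example, not part of Reyzin's notes: for a given scheme it computes the best possible success probability of a guesser that sees (pk, ciphertext, h(k,m), |m|) and of one that sees only (h(k,m), |m|), by enumerating every message of S(k) and every coin of the scheme and outputting, for each view, the value of f with the most probability mass. Everything concrete here is constructed for the example: the 5-bit message space, the uniform S, f = first bit, h = parity, a deterministic "textbook RSA" with deliberately tiny parameters (n = 61·53, e = 17), and a one-time pad standing in for the information-theoretic baseline the section recalls.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

# Toy security parameter (constructed for this example): messages are K-bit strings.
K = 5


def messages(k):
    """The toy message space: every k-bit string, as a tuple of bits."""
    return list(product((0, 1), repeat=k))


def S(k):
    """Message sampler S(k) as a distribution {m: Pr[m]}; uniform here (constructed)."""
    ms = messages(k)
    return {m: Fraction(1, len(ms)) for m in ms}


def f(k, m):
    """Information the adversary wants about m: its first bit (constructed choice)."""
    return m[0]


def h(k, m):
    """Information the adversary already has about m: its parity (constructed choice)."""
    return sum(m) % 2


def bits_to_int(m):
    return int("".join(map(str, m)), 2)


class ToyRSA:
    """Textbook RSA with tiny constructed parameters; deterministic, so it has no coins."""
    pk = (61 * 53, 17)  # (n, e); n = 3233 > 2**K, so every message is a valid residue

    @staticmethod
    def coins(k):
        return [None]

    @staticmethod
    def enc(pk, m, r):
        n, e = pk
        return pow(bits_to_int(m), e, n)


class OneTimePad:
    """Information-theoretic baseline: a fresh uniform k-bit key for every message."""
    pk = None  # nothing is public; the key plays the role of the encryption's randomness

    @staticmethod
    def coins(k):
        return messages(k)

    @staticmethod
    def enc(pk, m, key):
        return tuple(a ^ b for a, b in zip(m, key))


def best_guess_mass(weight):
    """Given probability mass on (view, f-value) pairs, return the success probability
    of the Bayes-optimal guesser that sees only the view and outputs its heaviest f-value."""
    by_view = defaultdict(lambda: defaultdict(Fraction))
    for (view, fv), w in weight.items():
        by_view[view][fv] += w
    return sum(max(fvs.values()) for fvs in by_view.values())


def success_with_ciphertext(scheme, k):
    """Pr[A(pk, Enc_pk(m), h(k,m), |m|) = f(k,m)] for the best possible A, computed
    exactly by enumerating every message of S(k) and every coin of the scheme."""
    rs = scheme.coins(k)
    pr = Fraction(1, len(rs))
    weight = defaultdict(Fraction)
    for m, pm in S(k).items():
        for r in rs:
            view = (scheme.enc(scheme.pk, m, r), h(k, m), len(m))
            weight[(view, f(k, m))] += pm * pr
    return best_guess_mass(weight)


def success_without_ciphertext(k):
    """Pr[A'(h(k,m), |m|) = f(k,m)] for the best possible A' that never sees a ciphertext."""
    weight = defaultdict(Fraction)
    for m, pm in S(k).items():
        view = (h(k, m), len(m))
        weight[(view, f(k, m))] += pm
    return best_guess_mass(weight)


def semantic_gap(scheme, k):
    """How much more of f(k,m) the ciphertext lets the adversary compute; 0 is the ideal."""
    return success_with_ciphertext(scheme, k) - success_without_ciphertext(k)


if __name__ == "__main__":
    print("without ciphertext:", success_without_ciphertext(K))
    for scheme in (ToyRSA, OneTimePad):
        print(scheme.__name__, "with ciphertext:", success_with_ciphertext(scheme, K),
              "gap:", semantic_gap(scheme, K))
```

The brute-force guesser is the unconditional optimum, which the computational definition does not grant the adversary; the harness is only feasible because the message space is tiny. For the deterministic scheme the gap of 1/2 is nonetheless reached by an efficient adversary too, since pk is public and each candidate plaintext can be encrypted and compared against the ciphertext, which is why a semantically secure public-key scheme must be randomized. For the pad the gap is exactly 0: the first bit of m is no easier to compute with the ciphertext than without it, which is the property the definition asks for.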
 Spring '09
