notes-8 - Leo Reyzin. Notes for BU CAS CS 538. 1 8...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Leo Reyzin. Notes for BU CAS CS 538. 1 8 Encryption: Semantic Security and Practical Issues 8.1 Semantic Security Recall that for information-theoretic encryption, we had two definitions of security. Shannon secrecy focused on just two messages (much like indistinguishability we defined for public-key encryption), and perfect secrecy focused on obtaining information from encryption of a single messages drawn at random from some distribution. This section defines the analogue of perfect secrecy for public-key encryption. First of all, because we are interested in computational security, which is usually formulated in terms of asymptotics, we will have multiple distributions on the message spaceone for each value of the security parameter k (Shannon didnt have to do this and could consider a single fixed message space, because he had no computational hardness requirements; we can do the same if we formulate everything in terms of concrete security for a particular k , as explained in the lecture on defining next-bit unpredictability for pseudorandom generators). We will restrict messages to be of length polynomial in k , and, because encryption cannot hide length, we will provide the adversary with information on the length of the message chosen. Secondly, we cant require that there should be no information about the plaintext in the ciphertext (of course there will bein fact, the ciphertext, combined with the public key, uniquely determines the plaintext). Rather, we will say that this information is not usable in polynomial time: whatever function of the plaintext you can compute with the ciphertext you can also compute without it. An finally, we will give the adversary arbitrary auxiliary information it wants about the plaintext (this models information adversary could obtain by other means, such as observing the behavior of various parties, etc.). More precisely, let S be a randomized function that generates messages given the security parameter k ; we require that there exists some polynomial p such that | S ( k ) | < p ( k ). Note that we do not require S to be efficiently computable, or even computable at all. This is meant to model the distribution of message that the encryptor wants to send. Let f,h : N { , 1 } * { , 1 } * be functions (not necessarily computable) that take the security parameter k and the message as inputs, and output some string whose length is polynomial in k (i.e., there must exist q such that | f ( k,m ) | q ( k ) and | h ( k,m ) | q ( k )). These are meant to model the information that the adversary is interested in, and the information that the adversary already has,...
View Full Document

Page1 / 3

notes-8 - Leo Reyzin. Notes for BU CAS CS 538. 1 8...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online