


A portion of lecture notes from CS 120/CSCI E-177: Introduction to Cryptography, focusing on private-key encryption and computational security. The notes discuss the concept of computational indistinguishability, which is a stronger security requirement than statistical security. The document also covers the asymptotic and concrete formalizations of indistinguishable encryptions and provides examples of insecure schemes. Additionally, it introduces the concepts of guessing-indistinguishability and semantic security.



CS 120/CSCI E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Oct. 3, 2006
Recommended Reading.
$$|\Pr[E_K(m_0) \in T] - \Pr[E_K(m_1) \in T]| \le \varepsilon.$$
That is, there is no test $T$ that distinguishes the encryptions of any pair of messages with probability better than $\varepsilon$.
Still requires $|K| \ge (1 - \varepsilon) \cdot |P|$.
Still restricted to one use and passive adversary.
$\bigcup_n P_n$. For example, $P_n$ can be $\{0,1\}$, $\{0,1\}^n$, $\{0,1\}^*$.
Definition 1 (indistinguishable encryptions (asymptotic version)) Let $(G, E, D)$ be an encryption scheme over $P = \bigcup_n P_n$ where all messages in $P_n$ have the same length. $(G, E, D)$ has (computationally) indistinguishable encryptions if for every (nonuniform) PPT $A$, there is a negligible function $\varepsilon$ such that for all $m_0, m_1 \in P_n$,
$$|\Pr[A(E_K(m_0)) = 1] - \Pr[A(E_K(m_1)) = 1]| \le \varepsilon(n),$$
where the probabilities above are taken over $K \stackrel{R}{\leftarrow} G(1^n)$, the coin tosses of $E_K$, and the coin tosses of $A$.
In other words, no feasible algorithm/adversary can distinguish the encryptions of any pair of messages with nonnegligible probability (a.k.a. advantage).
Definition 2 (indistinguishable encryptions (concrete version)) Let $(G, E, D)$ be an encryption scheme over $P$ where all messages in $P$ have the same length. $(G, E, D)$ is $(t, \varepsilon)$-secure if for every probabilistic algorithm $A$ running in time $t$ and for all $m_0, m_1 \in P$,
$$|\Pr[A(E_K(m_0)) = 1] - \Pr[A(E_K(m_1)) = 1]| \le \varepsilon,$$
where the probabilities above are taken over $K \stackrel{R}{\leftarrow} G$, the coin tosses of $E_K$, and the coin tosses of $A$.
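An added example (not from the lecture notes) that computes the advantage in Definition 2 exactly, by enumerating every key, for a one-time pad and for a toy scheme that reuses a half-length key. The scheme `repeat_encrypt`, the adversary built by `make_adversary`, and the 8-bit messages are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product

def keys(bits):
    """G: every key of the given bit length, each equally likely."""
    return list(product((0, 1), repeat=bits))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def otp_encrypt(k, m):
    """One-time pad: the key is as long as the message."""
    return xor(k, m)

def repeat_encrypt(k, m):
    """Hypothetical insecure scheme: a half-length key is used twice."""
    return xor(k + k, m)

def advantage(encrypt, key_bits, adversary, m0, m1):
    """Exact |Pr[A(E_K(m0)) = 1] - Pr[A(E_K(m1)) = 1]| over uniform K."""
    ks = keys(key_bits)
    p0 = Fraction(sum(adversary(encrypt(k, m0)) for k in ks), len(ks))
    p1 = Fraction(sum(adversary(encrypt(k, m1)) for k in ks), len(ks))
    return abs(p0 - p1)

def make_adversary(m0):
    """A outputs 1 iff the XOR of the two ciphertext halves equals m0's.
    Under a repeated key the key cancels, so this leaks the message."""
    h = len(m0) // 2
    target = xor(m0[:h], m0[h:])
    return lambda c: int(xor(c[:h], c[h:]) == target)

# Constructed sample messages of equal length (8 bits).
M0 = (0, 0, 0, 0, 0, 0, 0, 0)
M1 = (1, 0, 0, 0, 0, 0, 0, 0)
A = make_adversary(M0)

def demo():
    """Return (advantage against one-time pad, advantage against reuse)."""
    return (advantage(otp_encrypt, 8, A, M0, M1),
            advantage(repeat_encrypt, 4, A, M0, M1))

if __name__ == "__main__":
    otp_adv, rep_adv = demo()
    print("one-time pad advantage:", otp_adv)
    print("repeated-key advantage:", rep_adv)
```

The same adversary has advantage 0 against the one-time pad and advantage 1 against the repeated key, so the second scheme is not $(t, \varepsilon)$-secure for any $\varepsilon < 1$ once $t$ covers this simple test.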
Theorem 6 An encryption scheme has indistinguishable encryptions if and only if it has semantic security.
Hence if we assume (or prove) indistinguishability (i.e. distinguishing encryptions is hard), then we can deduce semantic security (i.e. computing information about the message is hard).
Proof: We'll only prove that indistinguishable encryptions implies semantic security. Let $A$ be any PPT adversary, $M$ a distribution on $P_n$ and $f : P_n \to \{0,1\}^*$ any function. Fix any message $m_0 \in P$, and let $A'(1^n)$ be the algorithm that chooses $k \stackrel{R}{\leftarrow} G(1^n)$ and runs $A(E_k(m_0))$. Then,
$$\Pr[A(E_K(M)) = f(M)] \le \Pr[A(E_K(m_0)) = f(M)] + \mathrm{neg}(n) = \Pr[A'(1^n) = f(M)]$$