Extracted from a working draft of Goldreich's FOUNDATIONS OF . See copyright notice.

Fragments of a chapter on Schemes

Extracts from Foundations of Cryptography in preparation

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

December

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

I

to Dana

c

Copyright by Oded Goldreich

Permission to make copies of part or all of this work for p ersonal or classro om use

is granted without fee provided that copies are not made or distributed for prot or

commercial advantage and that new copies b ear this notice and the full citation on the

rst page Abstracting with credit is p ermitted

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. II

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Preface

It is p ossible to build a cabin with no foundations

but not a lasting building

Eng Isidor Goldreich

Cryptography is concerned with the construction of schemes that withstand

any abuse Such schemes are constructed so to maintain a desired functional

ity even under malicious attempts aimed at making them deviate from their

prescrib ed functionality

The design of cryptography schemes is a very dicult task One cannot rely

on intuitions regarding the typical state of the environment in which the system

op erates For sure the adversary attacking the system will try to manipulate

the environment into untypical states Nor can one b e content with counter

measures designed to withstand sp ecic attacks since the adversary which acts

after the design of the system is completed will try to attack the schemes in

ways that are typically dierent from the ones the designer had envisioned The

validity of the ab ove assertions seems selfevident still some p eople hop e that in

practice ignoring these tautologies will not result in actual damage Exp erience

shows that these hop es rarely come true cryptographic schemes based on make

b elieve are broken typically so oner than later

In view of the ab ove we b elieve that it makes little sense to make assumptions

regarding the sp ecic strategy that the adversary may use The only assump

tions that can b e justied refer to the computational abilities of the adversary

Furthermore it is our opinion that the design of cryptographic systems has to

b e based on rm foundations whereas adho c approaches and heuristics are a

very dangerous way to go A heuristic may make sense when the designer has

a very go o d idea ab out the environment in which a scheme is to op erate yet

a cryptographic scheme has to op erate in a maliciously selected environment

which typically transcends the designers view

This b o ok is aimed at presenting rm foundations for cryptography The

foundations of cryptography are the paradigms approaches and techniques used

to conceptualize dene and provide solutions to natural security concerns

We will present some of these paradigms approaches and techniques as well

as some of the fundamental results obtained using them Our emphasis is on III

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

IV

the clarication of fundamental concepts and on demonstrating the feasibility of

solving several central cryptographic problems

Solving a cryptographic problem or addressing a security concern is a two

stage pro cess consisting of a denitional stage and a constructive stage First in

the denitional stage the functionality underlying the natural concern is to b e

identied and an adequate cryptographic problem has to b e dened Trying to

list all undesired situations is infeasible and prone to error Instead one should

dene the functionality in terms of op eration in an imaginary ideal mo del and

require a candidate solution to emulate this op eration in the real clearly dened

mo del which sp ecies the adversarys abilities Once the denitional stage is

completed one pro ceeds to construct a system that satises the denition Such

a construction may use some simpler to ols and its security is proven relying on

the features of these to ols In practice of course such a scheme may need to

satisfy also some sp ecic eciency requirements

This b o ok fo cuses on several archetypical cryptographic problems eg en

cryption and signature schemes and on several central to ols eg computa

tional diculty pseudorandomness and zeroknowledge pro ofs For each of

these problems resp to ols we start by presenting the natural concern un

derlying it resp its intuitive ob jective then dene the problem resp to ol

and nally demonstrate that the problem may b e solved resp the to ol can b e

constructed In the latter step our fo cus is on demonstrating the feasibility

of solving the problem not on providing a practical solution As a secondary

concern we typically discuss the level of practicality or impracticality of the

given or known solution

Computational Diculty

The sp ecic constructs mentioned ab ove as well as most constructs in this area

can exist only if some sort of computational hardness exists Sp ecically all these

problems and to ols require either explicitly or implicitly the ability to generate

instances of hard problems Such ability is captured in the denition of oneway

functions see further discussion in Section Thus oneway functions is the

very minimum needed for doing most sorts of cryptography As we shall see

they actually suce for doing much of cryptography and the rest can b e done by

augmentations and extensions of the assumption that oneway functions exist

Our current state of understanding of ecient computation do es not allow

us to prove that oneway functions exist In particular the existence of one

way functions implies that NP is not contained in BPP P not even on

the average which would resolve the most famous op en problem of computer

science Thus we have no choice at this stage of history but to assume that

oneway functions exist As justication to this assumption we may only oer

the combined b elieves of hundreds or thousands of researchers Furthermore

these b elieves concern a simply stated assumption and their validity follows

from several widely b elieved conjectures which are central to some elds eg

the conjecture that factoring integers is hard is central to computational number theory

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

V

As we need assumptions anyhow why not just assume what we want ie the

existence of a solution to some natural cryptographic problem Well rst we

need to know what we want as stated ab ove we must rst clarify what exactly

we want that is go through the typically complex denitional stage But once

this stage is completed can we just assume that the denition derived can b e

met Not really once a denition is derived how can we know that it can at all

b e met The way to demonstrate that a denition is viable and so the intuitive

security concern can b e satised at all is to construct a solution based on a better

understood assumption ie one that is more common and widely b elieved For

example lo oking at the denition of zeroknowledge pro ofs it is not apriori clear

that such pro ofs exist at all in a nontrivial sense The nontriviality of the

notion was rst demonstrated by presenting a zeroknowledge pro of system for

statements regarding Quadratic Residuosity which are b elieved to b e hard to

verify without extra information Furthermore in contrary to prior b eliefs it

was later shown in that the existence of oneway functions implies that any NP

statement can b e proven in zeroknowledge Thus facts which were not known

at all to hold and even b elieved to b e false where shown to hold by reduction

to widely b elieved assumptions without which most of mo dern cryptography

collapses anyhow To summarize not all assumptions are equal and so reducing

a complex new and doubtful assumption to a widelyb elieved simple or even

merely simpler assumption is of great value Furthermore reducing the solution

of a new task to the assumed security of a wellknown primitive typically means

providing a construction that using the known primitive solves the new task

This means that we do not only know or assume that the new task is solvable

but rather have a solution based on a primitive that b eing wellknown typically

has several candidate implementations

Structure and Prerequisites

Our aim is to present the basic concepts techniques and results in cryptography

As stated ab ove our emphasis is on the clarication of fundamental concepts

and the relationship among them This is done in a way indep endent of the

particularities of some p opular number theoretic examples These particular

examples played a central role in the development of the eld and still oer the

most practical implementations of all cryptographic primitives but this do es

not mean that the presentation has to b e linked to them On the contrary

we b elieve that concepts are b est claried when presented at an abstract level

decoupled from sp ecic implementations Thus the most relevant background

for this b o ok is provided by basic knowledge of algorithms including random

ized ones computability and elementary probability theory Background on

computational number theory which is required for sp ecic implementations

of certain constructs is not really required here yet a short app endix presenting

the most relevant facts is included in this volume so to supp ort the few examples

of implementations presented here

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

VI

Volume Introduction and Basic Tools

Chapter Introduction

Chapter Computational Diculty OneWay Functions

Chapter Pseudorandom Generators

Chapter ZeroKnowledge Pro ofs

Volume Basic Applications

Chapter Encryption Schemes

Chapter Signature Schemes

Chapter General Cryptographic Proto cols

Volume Beyond the Basics

Figure Organization of this b o ok

Organization of the b o ok The b o ok is organized in three parts see Fig

ure Basic Tools Basic Applications and Beyond the Basics The rst vol

ume contains an introductory chapter as well as the rst part Basic Tools This

part contains chapters on computational diculty oneway functions pseudo

randomness and zeroknowledge pro ofs These basic to ols will b e used for the

Basic Applications of the second part which consist of Encryption Signatures

and General Cryptographic Proto cols

The partition of the b o ok into three parts is a logical one Furthermore it

oers the advantage of publishing the rst part without waiting for the comple

tion of the other parts Similarly we hop e to complete the second part within a

couple years and publish it without waiting for the third part

The current manuscript The current manuscript consists of fragments of a

chapter on encryption schemes These fragments provide a draft of the rst three

sections of this chapter covering the basic setting denitions and constructions

Also included is a plan of the fourth section ie beyond eavesdropping security

fragments for the Miscellaneous section of this chapter the ab ove extracts from

the preface of Volume and a table of contents that includes Volume

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Contents

Preface III

Introduction

Cryptography Main Topics

Encryption Schemes

Pseudorandom Generators

Digital Signatures

FaultTolerant Proto cols and ZeroKnowledge Pro ofs

Some Background from Probability Theory

Notational Conventions

Three Inequalities

The Computational Mo del

P NP and NPcompleteness

Probabilistic PolynomialTime

Randomized algorithms an example

Randomized algorithms two p oints of view

Asso ciating ecient computations with BPP

Negligible function

NonUniform PolynomialTime

Intractability Assumptions

Oracle Machines

Motivation to the Rigorous Treatment

The Need for a Rigorous Treatment

Practical Consequences of the Rigorous Treatment

The Tendency to b e Conservative

Miscellaneous

Historical Notes

Suggestion for Further Reading

Op en Problems

Exercises VI I

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

VI I I CONTENTS

I Basic Tools

Computational Diculty

OneWay Functions Motivation

OneWay Functions Denitions

Strong OneWay Functions

Negligible probability

Weak OneWay Functions

Two Useful Length Conventions

Functions dened only for some lengths

Lengthregular and lengthpreserving functions

Candidates for OneWay Functions

Integer factorization

Deco ding of random linear co des

The subset sum problem

NonUniformly OneWay Functions

Weak OneWay Functions Imply Strong Ones

The Construction and its Analysis

Illustration by a toy example

Discussion

Reducibility arguments a digest

The information theoretic analogue

OWF weak versus strong a summary

OneWay Functions Variations

Universal OneWay Function

OneWay Functions as Collections

Examples of Oneway Collections RSA Factoring DLP

The RSA function

The Rabin function

The Factoring Permutations

Discrete Logarithms

Trapdo or oneway p ermutations

The Denition

The RSA or factoring Trapdo or

Clawfree Functions

The Denition

The DLP Clawfree Collection

The Factoring Clawfree Collection

On Prop osing Candidates

HardCore Predicates

Denition

HardCore Predicates for any OneWay Function

HardCore Functions

Ecient Amplication of Oneway Functions

Miscellaneous

Historical Notes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONTENTS IX

Suggestion for Further Reading

Op en Problems

Exercises

Pseudorandom Generators

Motivating Discussion

Computational Approaches to Randomness

A Rigorous Approach to Pseudorandom Generators

Computational Indistinguishability

Denition

Relation to Statistical Closeness

Indistinguishability by Rep eated Exp eriments

The hybrid technique a digest

Indistinguishability by Circuits

Pseudorandom Ensembles

Denitions of Pseudorandom Generators

Standard Denition of Pseudorandom Generators

Increasing the Expansion Factor

The Applicability of Pseudorandom Generators

Pseudorandomness and unpredictability

Pseudorandom Generators imply OneWay Functions

Constructions based on OneWay Permutations

Construction based on a Single Permutation

The preferred presentation

An alternative presentation

Construction based on Collections of Permutations

An abstract presentation

Concrete instantiations

Using HardCore Functions rather than Predicates

Constructions based on OneWay Functions

Using OneWay Functions

Using Regular OneWay Functions

Going b eyond Regular OneWay Functions

Pseudorandom Functions

Denitions

Construction

Applications A general metho dology

Pseudorandom Permutations

Denitions

Construction

Miscellaneous

Historical Notes

Suggestion for Further Reading

Op en Problems

Exercises

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

X CONTENTS

ZeroKnowledge Pro of Systems

ZeroKnowledge Pro ofs Motivation

The Notion of a Pro of

A static ob ject versus an interactive pro cess

Prover and Verier

Completeness and Soundness

Gaining Knowledge

Knowledge versus information

Interactive Pro of Systems

Denition

Interaction

Conventions regarding interactive machines

Pro of systems

An Example Graph NonIsomorphism in IP

The Structure of the Class IP

Augmentation to the Mo del

ZeroKnowledge Pro ofs Denitions

Perfect and Computational ZeroKnowledge

The simulation paradigm

Perfect ZeroKnowledge

Computational ZeroKnowledge

An alternative formulation of zeroknowledge

AlmostPerfect Statistical ZeroKnowledge

Complexity classes based on ZeroKnowledge

Exp ected p olynomialtime simulators

Honestverier zeroknowledge

An Example Graph Isomorphism in PZK

ZeroKnowledge wrt Auxiliary Inputs

Sequential Comp osition of ZeroKnowledge Pro ofs

What ab out parallel comp osition

ZeroKnowledge Pro ofs for NP

Commitment Schemes

Denition

Construction based on any oneway p ermutation

Construction based on any oneway function

Extensions

ZeroKnowledge Pro of of Graph Coloring

Motivating discussion

The interactive pro of

The simulator

Concluding remarks

The General Result and Some Applications

Second Level Considerations

Standard eciency measures

Knowledge Tightness

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONTENTS XI

Negative Results

On the imp ortance of interaction and randomness

Limitations of unconditional results

Limitations of Statistical ZK pro ofs

ZeroKnowledge and Parallel Comp osition

Failure of the Parallel Comp osition Conjecture

Problems with natural candidates

Witness Indistinguishability and Hiding

Denitions

Witness indistinguishability

Witness hiding

Parallel Comp osition

Constructions

Constructions of witness indistinguishable pro ofs

Constructions of witness hiding pro ofs

Applications

Pro ofs of Knowledge

Denition

A motivating discussion

Technical preliminaries

Knowledge veriers

Discussion

Reducing the knowledge error

ZeroKnowledge Pro ofs of Knowledge for NP

Applications

Nonoblivious commitment schemes

Protecting against chosen message attacks

A zeroknowledge pro of system for GNI

Pro ofs of Identity Identication schemes

Denition

Identication schemes and pro ofs of knowledge

Identication schemes and pro ofs of ability

Strong Pro ofs of Knowledge

Strong ZK pro ofs of knowledge for NP

ComputationallySound Pro ofs Arguments

Denition

PerfectlyHiding Commitment Schemes

Denition

Construction based on oneway p ermutations

Construction based on clawfree collections

Nonuniform computational unambiguity

Commitment Schemes with a p osteriori secrecy

Perfect ZeroKnowledge Arguments for NP

ZK Pro ofs vs PerfectZK Arguments which to prefer

ZK Arguments of Polylogarithmic Eciency

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

XI I CONTENTS

ConstantRound ZeroKnowledge Pro ofs

Using commitment schemes with p erfect secrecy

Bounding the p ower of cheating provers

Nonoblivious commitment schemes

Mo difying Construction

An alternative construction

Commitment schemes with trap do or

NonInteractive ZeroKnowledge Pro ofs

Basic Denitions

Constructions

The Hidden Bits Mo del

Emulating the Hidden Bits Mo del

Hidden Bits pro ofs for NP

Extensions

Proving many assertions of varying length

Adaptive zeroknowledge

MultiProver ZeroKnowledge Pro ofs

Denitions

The twopartner mo del

Twoprover interactive pro ofs

TwoSenders Commitment Schemes

A Denition

A Construction

Perfect ZeroKnowledge for NP

Applications

Miscellaneous

Historical Notes

Suggestion for Further Reading

Op en Problems

Exercises

II Basic Applications

Encryption Schemes

The Basic Setting

Overview

A Formulation of Encryption Schemes

Denitions of Security

Discussion of some denitional choices

Indistinguishability of

Equivalence of the Security Denitions

Multiple Messages

Denitions

In the public mo del

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONTENTS XI I I

In the privatekey mo del

A uniformcomplexity treatment

The denitions

Equivalence of the multiplemessage denitions

Singlemessage versus multiplemessage

The gain of a uniform treatment

Constructions of Secure Encryption Schemes

Probabilistic Encryption

StreamCiphers

Preliminaries Blo ckCiphers

Privatekey encryption schemes

Publickey encryption schemes

Simple schemes

An alternative scheme

Beyond eavesdropping security

Adaptive but passive attacks

Chosen plaintext attack

Chosen attack

Nonmalleable encryption schemes

Miscellaneous

Historical Notes

Suggestion for Further Reading

Op en Problems

Exercises

A Background in Computational Number Theory

A Prime Numbers

A Quadratic residues mo dulo a prime

A Extracting square ro ots mo dulo a prime

A Primality testers

A On uniform selection of primes

A Comp osite Numbers

A Quadratic residues mo dulo a comp osite

A Extracting square ro ots mo dulo a comp osite

A The Legendre and Jacobi Symbols

A Blum Integers and their quadratic residue structure

B Brief Outline of Volume

B Encryption Brief Summary

B Denitions

B Constructions

B Privatekey schemes

B Publickey schemes

B Beyond eavesdropping security

B Some Suggestions

B Suggestions for Further Reading

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

XIV CONTENTS

B Suggestions for Teaching

B Signatures Brief Summary

B Denitions

B Constructions

B Message authentication

B Signature schemes

B Some Suggestions

B Suggestions for Further Reading

B Suggestions for Teaching

B Cryptographic Proto cols Brief Summary

B Denitions

B Computations with honest ma jority

B Twoparty computations allowing ab ort

B Constructions

B Some Suggestions

B Suggestions for Further Reading

B Suggestions for Teaching

Bibliography

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

List of Figures

Organization of this b o ok VI

Cryptography p oints of view

The naive view versus the actual pro of of Prop osition

The essence of Construction

n

Construction as op erating on seed s f g

n

Construction as op erating on seed s f g

Construction for n

The highlevel structure of the DES

The advanced sections of this chapter

The dep endency structure of this chapter

B The BlumGoldwasser PublicKey Encryption Scheme

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

LIST OF FIGURES

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Part II

Basic Applications Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Chapter

Encryption Schemes

Upto the s Cryptography was understo o d as the art of building encryption

schemes Since then other tasks have b een recorgnized as at least as central to

Cryptography Yet the construction of encryption schemes remains and is likely

to remain a central enterprise of Cryptography

In this chapter we review the wellknown notions of privatekey and public

key encryption schemes More imp ortantly we dene what is meant by saying

that such schemes are secure It turns out that using randomness throughout the

encryption pro cess ie not only during keygeneration is essential to security

We present some basic constructions of secure encryption schemes Finally we

discuss dynamic notions of security culminating in robustness against chosen

ciphertext attacks and nonmalleability

Authors Note Currently the writeup contains only a rough draft for

the rst sections of this chapter

The Basic Setting

Lo osely sp eaking encryption schemes are supp osed to enable private communi

cation b etween parties that communicate over an insecure channel Thus the

basic setting consists of a sender a receiver and an insecure channel that may

b e tapp ed by an adversary The goal is to allow the sender to transfer infor

mation to the receiver over the insecure channel without letting the adversary

gure out this information Thus we distinguish b etween the actual secret

information that the receiver wishes to transmit and the messages sent over the

insecure communication channel The former is called the plaintext whereas

the latter is called the ciphertext Clearly the ciphertext must dier from the

plaintext or else the adversary can easily obtain the plaintext by tapping the

channel Thus the sender must transform the plaintext into a ciphertext so

that the receiver can retreive the plaintext from the ciphertext but the adver

sary cannot do so Clearly something must distinguish the receiver who is able

to retreive the plaintext from the corresp onding ciphertext from the adversary

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

who cannot do so Sp ecically the receiver know something that the adversary

do es not know This thing is called a key

An encryption scheme consists of a metho d of transforming plaintexts to ci

phertexts and vice versa using adequate keys These keys are essential to the

ability to eect these transformations We stress that the encryption scheme it

self ie the encryptiondecryption algorithms may b e known to the adversary

and its security relies on the hypothesis that the adversary do es not know the

keys Formally we need to consider a third algorithm namely a probabilistic

algorithm used to generate keys This algorithm must b e probabilistic or else

by invoking it the adversary obtains the very same key used by the receiver

Overview

In accordance with the ab ove an encryption scheme consists of three algorithms

These algorithms are public ie known to all parties The obvious algorithms

are the encryption algorithm which transforms plaintexts to and

the decryption algorithm which transforms ciphertexts to plaintexts By the

discussion ab ove it is clear that the decription algorithm must employ a key

that is known to the receiver but is not known to the adversary This key is

generated using a third algorithm called the key generator Furthermore it is

not hard to see that the encryption pro cess must also dep end on the key or

else messages sent to one party can b e read by a dierent party who is also

a p otential receiver Thus the keygeneration algorithm is used to pro duce a

pair of related keys one for encryption and one for decryption The encryption

algorithm given an encryption key and a plaintext pro duces a plaintext which

when fed to the decryption algorithm with the corresp onding decryption key

returns the original plaintext We stress that knowledge of the decryption key

is essential for the latter transformation

A fundamental distiction b etween encryption schemes refers to the relation

b etween the two keys mentioned ab ove The simpler and older notion as

sumes that the encryption key equals the decryption key Such schemes are

called privatekey or symmetric To use a privatekey scheme the legitimate

parties must rst agree on the secret key This can b e done by having one

party generate the key at random and send it to the other party using a channel

that is assumed to b e secure A crucial p oint is that the key is generated inde

p endently of the plaintext and so it can b e generated and exchanged prior to

the plaintext even b eing determined Thus privatekey encryption is a way of

extending a private channel over time If the parties can use a private channel

to day eg they are currently in the same physical lo cation but not tommorow

then they can use the private channel to day to exchange a secret key that they

may use tomorrow for secret communication A simple example of a privatekey

encryption scheme is the onetime pad The secret key is merely a uniformly

chosen sequence of n bits and an nbit long ciphertext is pro duced by XORing

the plaintext bitbybit with the key The plaintext is recovered from the ci

phertext in the same way Clearly the onetime pad provides absolute security

However its usage of the key is inecient or put in other words it requires

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

THE BASIC SETTING

keys of length comparable to the total length of data communicated In the rest

of this chapter we will only discuss encryption schemes where nbit long keys

allow to communicated data of length greater than n but still p olynomial in n

A new type of encryption schemes has emerged in the s In these

schemes called publickey or asymmetric the decryption key diers from the

encryption key Furthermore it is infeasible to nd the decryption key given the

encryption key These schemes enable secure communication without ever using

a Instead each party applies the keygeneration algorithm to

pro duce a pair of keys The party called P keeps the decryption key denoted

d secret and publishes the encryption key denoted e Now any party can

P P

send P private messages by encrypting them using the encryption key e Party

P

P can decrypt these messages by using the decryption key d but nob o dy else

P

can do so

A Formulation of Encryption Schemes

We start by dening the basic mechanism of encryption schemes This denition

says nothing ab out the security of the scheme which is the sub ject of the next

section

Denition encryption scheme An encryption scheme is a triple G E D

of probabilistic polynomialtime algorithms satisfying the fol lowing two condi

tions

n

On input algorithm G called the key generator outputs a pair of bit

strings

n

For every pair e d in the range of G and for every f g

algorithms E encryption and D decryption satisfy

Pr D d E e

where the probability is over the internal coin tosses of algorithms E and

D

The integer n serves as the security parameter of the scheme Each e d in

n

the range of G consitutes a pair of corresponding encryptiondecryption

keys The string E e is the encryption of the plaintext f g using the

encryption key e whereas D d is the decryption of the ciphertext using

the decryption key d

Observe that Denition do es not distinguish privatekey encryption schemes

from publickey ones The dierence b etween the two types is introduced in the

security denitions In a publickey scheme the breaking algorithm gets the

encryption key ie e as an additional input and thus e d follows while

in privatekey schemes e is not given to the breaking algorithm and thus one

may assume without loss of generality that e d

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

We stress that the ab ove denition requires the scheme to op erate for every

plaintext and sp ecically for plaintext of length exceeding the length of the en

cryption key This rules out the information theoretic secure scheme mentioned

ab ove

Notation In the rest of this b o ok we write E instead of E e and

e

D instead of D d Whenever there is little risk of confusion we drop

d

n n

these subscripts Also we let G resp G denote the rst resp

n n n n

second element in the pair G That is G G G

Comments The ab ove denition may b e relaxed in several ways without

signicantly harming its usefulness For example we may relax Condition

n

and allow a negligible decryption error eg Pr D E Al

d e

ternatively one may p ostulate that Condition holds for all but a negligible

n

measure of the keypairs generated by G At least one of these relaxations

is essential for all p opular suggestions of encryption schemes

Another relaxation consists of restricting the domain of p ossible plaintexts

and ciphertexts For example one may restrict Condition to s of length

n where N N is some xed function Given a scheme of the latter type

with plaintext length we may construct a scheme as in Denition by

breaking plaintexts into blo cks of length n and applying the restricted scheme

separetly to each blo ck For more details see Section

Denitions of Security

In this section we present two fundamental denitions of security and prove

their equivalence The rst denition called semantic security is the most

natural one Semantic security is a computational complexity analogue of Shan

nons denition of p erfect privacy Lo osely sp eaking an encryption scheme is

semantically secure if the encryption of a message do es not yield any informa

tion on the message to an adversary that is computationally restricted eg to

p olynomialtime The second denition has a more technical avour It in

terprets security as the infeasibility of distinguishing b etween encryptions of a

given pair of messages This denition is useful in demonstrating the security

of a prop osed encryption scheme and for arguments concerning prop erties of

cryptographic proto cols that utilize an encryption scheme

We stress that the denitions presented b elow go way b eyond saying that it

is infeasible to recover the plaintext from the ciphertext The latter statement

is indeed a minimal requirement from a secure encryption scheme but we claim

that it is way to o weak a requirement An encryption scheme is typically used in

applications where obtaining sp ecic partial information on the plaintext endan

gers the security of the application When designing an applicationindep endent

encryption scheme we do not know which partial information endangers the

application and which do es not Furthermore even if one wants to design an

encryption scheme tailored to ones own sp ecic applications it is rare to say

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

the least that one has a precise characterization of all p ossible partial informa

tion that endanger these applications Thus we require that it is infeasible to

obtain any information ab out the plaintext from the ciphertext Furthermore

in most applications the plaintext may not b e uniformly distributed and some

apriori information regarding it is available to the adversary We require that

the secrecy of all partial information is preserved also in such a case That is

even in presence of apriori information on the plaintext it is infeasible to obtain

any new information ab out the plaintext from the ciphertext b eyond what is

feasible to obtain from the apriori information on the plaintext The denition

of semantic security p ostulates all of this

To simplify the exp osition we adopt a nonuniform formulation Namely in

the security denitions we expand the domain of ecient adversariesalgorithms

to include p olynomialsize circuits rather than only probabilistic p olynomial

time machines Likewise we make no computation restriction regarding the

probability distribution from which messages are taken nor regarding the a

priori information available on these messages We note that employing such a

nonuniform formulation rather than a uniform one may only strengthen the

denitions yet it do es weaken the implications proven b etween the denitions

since these simpler pro ofs make free usage of nonuniformity

Semantic Security

Lo osely sp eaking semantic security means that whatever can b e eciently com

puted from the ciphertext can b e eciently computed also without the cipher

text Thus an adversary gains nothing by intercepting ciphertexts sent b etween

communicating parties who use a semantically secure encryption scheme since

it could have obtained the same without intercepting these ciphertexts Indeed

this formulation follows the simulation paradigm lack of gain is captured by

asserting that whatever is learnt from the ciphertext can b e learnt within related

complextity also without the ciphertext

To b e somewhat more accurate semantic security means that whatever can

b e eciently computed from the ciphertext can b e eciently computed given

only the length of the plaintext Note that this formulation do es not role out the

p ossibility that the length of the plaintext can b e inferred from the ciphertext

Indeed some information ab out the length of the plaintext must b e revealed by

the ciphertext see Exercise We stress that other than information ab out

the length of the plaintext the ciphertext is required to yield nothing ab out the

plaintext

We augment this formulation by requiring that the ab ove remains valid even

in presence of auxiliary partial information ab out the plaintext Namely what

ever can b e eciently computed from the ciphertext and additional partial in

formation ab out the plaintext can b e eciently computed given only the length

of the plaintext and the same partial information In the actual denition the

information regarding the plaintext that the adversary tries to obtain is captured

by the function f whereas the apriori partial information ab out the plaintext

is captured by the function h The ab ove is required to hold for any distribution

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

of plaintexts captured by the probability ensemble fX g

n

nN

Secrurity holds only for plaintexts of length p olynomial in the security pa

rameter This is captured b elow by the restriction jX j p oly n Note that

n

we cannot hop e to provide computational security for plaintexts of unbounded

length in the security parameter see Exercise Likewise we restrict the func

tions f and h to b e polynomiallybounded that is jf xj jhxj p oly jxj

The dierence b etween privatekey and publickey encryption schemes is

manisfested in the denition of security In the latter the adversary trying

to obtain information on the plaintext is given the encryption key whereas in

the former it is not Thus the dierence b etween these schemes amounts to a

dierence in the adversary mo del considered in the denition of security We

start by presenting the denition for privatekey encryption schemes

Denition semantic security privatekey An encryption scheme

G E D is semantically secure in the privatekey mo del if for every polynomial

size circuit family fC g there exists a polynomialsize circuit family fC g so

n

nN

N

that for every ensemble fX g with jX j p oly n every pair of polynomially

n n

nN

bounded functions f h f g f g every polynomial p and al l su

ciently large n

h i

jX j

n

n

Pr C E X hX f X

n n n n

G

1

h i

jX j

n

Pr C hX f X

n n

n

pn

The probability in the above terms is taken over X as wel l as over the internal

n

coin tosses of algorithms G and E

Furthermore we require that the latter circuit family is eciently constructable

from the former one That is we require the existence of a probabilistic polynomial

time transformation T that for every n given the description of C returns a

n

is a T C for every n In case C as above ie C description of C

n

n n n

random variable the probability in Eq is also taken over its distribution

The function h provides b oth algorithms with partial information on the plain

text X In addition b oth algorithms get the length of X These algorithms

n n

then try to guess the value f X namely they try to infer information ab out

n

the plaintext X Lo osely sp eaking in semantically secure encryption scheme

n

the ciphertext do es not help in this inference task That is the success proba

bility of any ecient algorithm ie the circuit family fC g that is given the

n

ciphertext can b e matched upto a negligible fraction by the success probabil

ity of an ecient algorithm ie the circuit family fC g that is not given the

n

ciphertext at all The extra requirement that C can b e eciently transformed

n

into C makes the denition stronger and is done out of philosophical reasons

n

see discussion b elow

Denition refers to privatekey encryption schemes To derive a def

inition of security for publickey encryption schemes the encryptionkey ie

n

G should b e given to the adversaries as an additional input That is

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Denition semantic security publickey An encryption scheme G E D

is semantically secure in the publickey mo del if there exists a polynomialtime

transformation T so that for every polynomialsize circuit family fC g and

n

for every fX g f h p and n as in Denition

n

nN

h i

n jX j

n

n

Pr C G E X hX f X

n n n n

G

1

h i

n jX j

n

Pr C G hX f X

n n

n

pn

def

T C where C

n

n

We comment that the encryptionkey can b e omitted from the input to C since

n

may generate it by itself C

n

Terminology For sake of simplicity we refer to an encryption scheme that is

semantically secure in the privatekey resp publickey mo del as to a semantically

secure privatekey resp publickey encryption scheme

The reader may note that a semanticallysecure publickey encryption scheme

cannot employ a deterministic encryption algorithm that is E x must b e a

e

random variable rather than a xed string This is more evident with resp ect to

the equivalent Denition b elow See further discussion following Deni

tion

Discussion of some denitional choices

We discuss some subtle issues regarding Denitions and The rst

comment is imp ortant the others can b e skipp ed with little loss The interested

reader is also referred to Exercises and that discuss additional variants of

the denition of semantic security

Eecient transformation of adversaries Our denitions require that ad

versaries capturing what can b e inferred from the ciphertext b e eectively trans

formed into equivalent adversaries that op erate without b eing given the cipher

text This is stronger than only requiring that corresp onding equivalent ad

versaries exist The strenthening seems esp ecially appropriate since we are using

a nonuniform mo del of adversary strategies Merely saying that p olynomialsize

circuits that op erate without b eing given the ciphertext do exist is not reassuring

enough since they may b e hard to nd whereas circuits that op erate while b eing

given the ciphertext may b e easy to nd The extra requirement guarantess that

this cannot b e the case if circuits that op erates on the ciphertext are easy to

nd then so are the equivalent circuits that op erate without the ciphertext

Deterministic versus randomized adversaries Our denitions refer im

plicitly to deterministic adversaries mo delled by nonuniform families of circuits

which are typically assumed to b e deterministic This is in accordance with the

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

general thesis by which the harm of nonuniform adversaries may b e maximized

by deterministic ones ie by xing the worst coinsequence However we

need to verify that a transformation of adversaries as discussed ab ove referring

to deterministic adversaries can b e extended to randomized ones This is indeed

the case see Exercise

We comment that the ab ove nonuniform formulation is equivalent to a uni

form formulation in which the adversaries are given identical auxiliary input

See Exercise

Lack of restrictions on the functions f and g We do not require that

these functions are even computable This seems strange at rst glance How

ever as we shall see in the sequel see also Exercise the meaning of semantic

jX j

n

security is essentially that the distribution ensembles E X hX and

n n

jX j jX j

n n

E hX are computationally indistinguishable and so whatever

n

C can compute can b e computed by C

n

n

Other mo dications of no impact Actually inclusion of apriori infor

mation captured by the function h do es not aect the denition of semantic

security Denition remains intact if we omit h from the formulation or

consider a constant function This can b e shown in various ways eg see

Exercise Also the function f can b e restricted to b e a Bo olean function

having p olynomialsize circuits and the random variable X may b e restricted

n

to b e very dull eg have only two strings in its supp ort See pro of of The

orem

Indistinguishability of Encryptions

The following technical interpratation of security states that it is infeasible to

distinguish the encryptions of two plaintexts of the same length That is such

ciphertexts are computationally indistinguishable as dened in Denition

Again we start with the privatekey variant

Denition indistinguishability of encryptions privatekey An en

cryption scheme G E D has indistinguishable encryptions in the privatekey

mo del if for every polynomialsize circuit family fC g every polynomial p al l

n

p olyn

suciently large n and every x y f g ie jxj jy j

n n

jPr C E x Pr C E y j

n n

G G

1 1

pn

The probability in the above terms is taken over the internal coin tosses of algo

rithms G and E

Note that the p otential plaintexts to b e distinguished can b e incorp orated into

the circuit C Thus the circuit mo dels b oth the adversarys strategy and its

n

apriori information See Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Again the security denition for publickey encryption schemes can b e de

n

rived by adding the encryptionkey ie G as an additional input to the

algorithm That is

Denition indistinguishability of encryptions publickey An encryp

tion scheme G E D has indistinguishable encryptions in the publickey mo del

if for every polynomialsize circuit family fC g and every p n x and y as

n

in Denition

n n

n n

jPr C G E x Pr C G E y j

n n

G G

1 1

pn

Terminology For sake of simplicity we refer to an encryption scheme that has

indistinguishable encryptions in the privatekey resp publickey mo del as to

a ciphertextindistinguishable privatekey resp publickey encryption scheme

The reader may note that a semanticallysecure publickey encryption scheme

cannot employ a deterministic encryption algorithm that is E x must b e a

e

random variable rather than a xed string

A ciphertextindistinguishable publickey encryption scheme cannot employ

a deterministic encryption algorithm ie E x cannot b e a xed string For

e

a publickey encryption scheme with a deterministic encryption algorithm E

given an encryptionkey e and a pair of candidate plaintexts x y one can

easily distinguish E x from E y by merely applying E to x and comparing

e e e

the result to the given ciphertext In contrast in case the encryption algorithm

itself is randomized the same plaintext can b e encrypted in exp onentially many

dierent ways under the same encryption key Furthermore the probability that

applying E twice to the same message while using indep endent randomization

e

in E results in the same ciphertext may b e exp onentially vanishing Indeed as

e

shown b elow publickey encryption scheme having indistinguishable encryptions

can b e constructed based on any trap do or p ermutations and these schemes

employ randomized encryption algorithms

Equivalence of the Security Denitions

The following theorem is stated and proven for privatekey encryption schemes

Similar results hold for publickey encryption schemes see Exercise

Theorem equivalence of denitions privatekey A privatekey en

cryption scheme is semantically secure if and only if it has indistinguishable

encryptions

Let G E D b e an encryption scheme We formulate a prop osition for each of

the two directions of the ab ove theorem Both prop ositions are in fact stronger

than the corresp onding direction stated in Theorem The more useful di

rection is stated rst it asserts that the technical interpration of security in

terms of ciphertextindistinguishability implies the natural notion of sematic

security Thus the following prop osition yields a metho dology for designing

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

sematically secure encryption schemes design and prove your scheme to b e

ciphertextindistinguishable and conclude by the following that it is semati

cally secure The opp osite direction of Theorem establish the complete

ness of the latter metho dology and more generally assert that requiring an

encryption scheme to b e ciphertextindistinguishable do es not rule out schemes

that are sematically secure

Prop osition useful direction indistinguishability implies security

Suppose that G E D is a ciphertextindistinguishable privatekey encryption

scheme Then G E D is semanticallysecure Furthermore the circuit C

n

produced by the transformation T captures the computation of a probabilistic

polynomialtime oracle machine that is given oracle access to C

n

Prop osition opp osite direction security implies indistinguishabil

ity Suppose that G E D is a semantically secure privatekey encryption

scheme Then G E D has indistinguishable encryptions Furthermore the

conclusion holds even if the denition of semantic security is restricted to the

special case where h is a constant function X is uniformly distributed over a

n

set containing two strings the function f is Boolean and the transformation T

is not even required to be computable

Pro of of Prop osition Supp ose that G E D has indistinguishable

encryptions We show that G E D is semantically secure by constructing

for every p olynomialsize circuit family fC g a p olynomialsize circuit family

n

fC g so that for every fX g f and h the circuit C guesses f X from

n n

nN

n n

jX j jX j

n n

hX essentially as go o d as C guesses f X from E X hX

n n n n n

Let C b e a circuit that tries to infer partial information ie the value

n

jX j

n

f X from the encryption of the message X when also given and a

n n

jj

priori information hX Namely on input E and h the circuit

n

C tries to guess f We construct a new circuit C that p erforms as well

n

n

without getting the input E The new circuit consists of invoking C on input

n

jj jj

n

in E and h and outputs whatever C do es That is C

n

G

n

1

n n

vokes the keygenerator G on input obtains an encryptionkey e G

jj

invokes the encryption algorithm with key e and dummy plaintext ob

jj

taining a ciphertext that it feeds to C together with the inputs h

n

Observe that C can b e eciently computed from C ie by augmenting C

n n

n

with the uniform circuit for computing algorithms G and E

Indistinguishability of encryptions will b e used to prove that C p erforms

n

essentially as well as C Note that the construction of C do es not dep end

n

n

on the functions h and f or on the distribution of messages to b e encrypted

Furthermore C consists of a probabilistic p olynomialtime machine that uses

n

C as a blackbox

n

Claim Let fC g b e as ab ove Then for any p olynomial p and all

n

suciently large ns

h i

jX j

n

n

Pr C E X hX f X

n n n n

G 1

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

h i

jX j

n

Pr C hX f X

n n

n

pn

jj

Pro of To simplify the notations let us incorp orate into h Using the

denition of C we can rewritten the claim as asserting

n

n

Pr C E X hX f X

n n n n

G

1

h i

jX j

n

n

Pr C E hX f X

n n n

G

1

pn

Assume to the contradiction that for some p olynomial p and innitely many

ns the ab ove inequality is violated Then for each such n we have EX

n

pn where

h i

def

jxj

n n

x Pr C E x hx f x Pr C E hx f x

n n

G G

1 1

p olyn

We now use an averaging argument Let x f g b e a string for which

n

x is maximum and so x pn Using this x we introduce a new

n n

circuit D which incorp orates f x and hx and op erates as follows On

n n n

input E the circuit D invokes C hx and outputs if and only

n n n

if C outputs the value f x Otherwise D outputs Clearly

n n n

n n

Pr D E Pr C E hx f x

n n n n

G G

1 1

Combining Eq with the denition of x we get

n

h i

jx j

n

n n

Pr D E x Pr D E x

n n n n

G G

1 1

pn

in contradiction to our hypothesis that E has indistinguisahble encryptions

Thus the claim follows 2

Prop osition follows

Discussion The fact that we deal with a nonuniform mo del of computation

allows the ab ove pro of to pro ceed regardless of the complexity of f and h All

that our pro of requires is the values of f and h on a single string and such

values can b e incorp orated in the description of the circuit D

n

Pro of of Prop osition We now show that if G E D has distinguish

able encryptions then it is not semantically secure not even in the restricted

sense mentioned in the furthermoreclause of the prop osition Towards this

end we assume that there exists a p olynomial p a p olynomialsize circuit fam

p olyn

ily fD g such that for innitely many ns there exists x y f g so

n n n

that

n n

Pr D E x Pr D E y

n n n n

G G

1 1

pn

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

We dene a random variable X which is uniformly distributed over fx y g

n n n

and f f g f g so that f x and f y Note that f X

n n n

with probability and is otherwise The function h is dened as a constant

function

We will show that D can b e transformed into a p olynomialsize circuit

n

C that guesses the value of f X from the encryption of X and do es so

n n n

signicantly b etter that with probability This violates even the restricted

form of semantic security since no circuit regardless of its size can guess

jX j

n

f X b etter than with probability when only given since given the

n

jX j

n

constant value the value of f X is uniformly distributed over f g

n

Let us assume without loss of generality that for innitely many ns

n n

Pr D E x Pr D E y

n n n n

G G

1 1

pn

Claim There exists a p olynomialsize circuit family fC g so that for

n

innitely many ns

n

Pr C E X f X

n n n

G

1

pn

Pro of The circuit C uses D in a straightforward manner On input

n n

E the new circuit C feeds D with input and outputs if D outputs

n n n

otherwise C outputs

n

It is left to analyze the success probability of C

n

n

Pr C E X f X

n n n

G

1

n

Pr C E X f X j X x

n n n n n

G

1

n

Pr C E X f X j X y

n n n n n

G

1

n n

Pr C E x Pr C E y

n n n n

G G

1 1

n n

Pr C E x Pr C E y

n n n n

G G

1 1

pn

where the inequality is due to Eq 2

In contrast as observed ab ove no circuit regardless of its size can guess

jX j

n

f X with success probability ab ove when given only and hX

n n

We comment that the output by D is an indication that is more likely to b e x

n n

whereas the output of C is a guess of f This p oint may b e b etter stressed by redening

n

def

f so that f x x and f x y if x x and having C output x if C outputs

n n n n n n n

and output y otherwise n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

which are b oth xed strings that can b e incorp orated in the circuit Thus we

have

Fact For every n and every circuit C

n

h i

jX j

n

Pr C hX f X

n n

n

Combining Claim and Fact we reach a contradiction to the hy

p othesis that the scheme is semantically secure even in the restricted sense

mentioned in the furthermoreclause of the prop osition Thus the prop osition

follows

Comment When proving the publickey analogue of Prop osition the

circuit C just passes the encryptionkey given as part of its input to the circuit

n

D The rest of the pro of remains intact

n

Multiple Messages

The ab ove denitions only refer to the security of a scheme that is used to encrypt

a single plaintext p er key generated Since the plaintext may b e longer than

the key these denitions are already nontrivial and a scheme satisfying them

even in the privatekey mo del implies the existence of oneway functions see

Exercise Still in reality we want to use encryption schemes to encrypt many

messages with the same key We show that in the publickey mo del security

in the singlemessage setting discussed ab ove implies security in the multiple

message setting dened b elow This is not necessarily true for the privatekey

mo del

Denitions

t

x x x we let E x denote the concatanation of the results of ap For

e

t t

E x E x E x plying the randomized pro cess E to x x That is

e e e e

We stress that in each of the t invocations E utilizes indep endently chosen ran

e

dom coins

Denition semantic security mulitple messages

For privatekey An encryption scheme G E D is semantically secure for

multiple messages in the privatekey mo del if there exists a polynomialtime

transformation T so that for every polynomial t and every polynomial

tn

size circuit family fC g for every ensemble f g X X X

n n

n n

nN

i

with jX j p oly n every pair of functions f h f g f g every

n

polynomial p and al l suciently large n

i h

jX j

n

n

E X hX f X Pr C

n n n n

G

1

h i

j X j

n

Pr C hX f X

n n

n

pn

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

def

where C T C

n

n

For publickey An encryption scheme G E D is semantically secure for

multiple messages in the publickey mo del if for t fC g fC g fX g

n n

nN

n

f h p and n as above

h i

n j X j

n

n

Pr C G E X X f X h

n n n n

G

1

i h

X j n j

n

X f X h Pr C G

n n

n

pn

X are not necessarily indep endent they may We stress that the elements of

n

dep end on one another Note that the ab ove denition also cover the case where

the adversary obtains some of the plaintexts themselves In this case it is still

infeasible for himher to obtain infromation ab out the missing plaintexts see

Exercise

Denition indistinguishability of encryptions mulitple messages

For privatekey An encryption scheme G E D has indistinguishable en

cryptions for multiple messages in the privatekey mo del if for every poly

nomial t every polynomialsize circuit family fC g every polynomial p

n

p olyn

al l suciently large n and every x x y y f g

tn tn

n n

E x Pr C E y j jPr C

n n

G G

1 1

pn

where x x x and y y y

tn tn

For publickey An encryption scheme G E D has indistinguishable encryp

tions for multiple messages in the publickey mo del if for t fC g p n

n

and x x y y as above

tn tn

n n

n n

E x Pr C G E y j C G jPr

n n

G G

1 1

pn

The equivalence of Denitions and can b e established analogously to

the pro of of Theorem

Theorem equivalence of denitions multiple messages A private

key resp publickey encryption scheme is semantically secure for multiple mes

sages if and only if it has indistinguishable encryptions for multiple messages

Thus proving that singlemessage security implies multiplemessage security for

one denition of security yields the same for the other We may thus concentrate

on the ciphertextindistinguishability denitions

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

In the publickey mo del

We rst consider publickey encryption schemes

Theorem singlemessage security implies multiplemessage security

A publickey encryption scheme has indistinguishable encryptions for multiple

messages ie satises Denition in the publickey model if and only if

it has indistinguishable encryptions for a single message ie satises Deni

tion

Pro of Clearly multiplemessage security implies singlemessage security as a

sp ecial case The other direction follows by adapting the pro of of Theorem

to the current setting

Supp ose towards the contradiction that there exist a p olynomial t a

p olynomialsize circuit family fC g and a p olynomial p such that for innitely

n

p olyn

many ns there exists x x y y f g so that

tn tn

n n

n n

E x Pr C G E y Pr C G

n n

G G

1 1

pn

where x x x and y y y Let us consider such a generic n

tn tn

and the corresp onding sequences x x and y y We use a hybrid

tn tn

argument dene

def

i

x x y y h

i i

tn

def

i i n

n

E h and H G

G

n

1

tn

n n

n n

Since H G E y and H G E x it follows

n n

G G

1 1

that there exists an i f tn g so that

h i h i

i i

Pr C H Pr C H

n n

n n

tn pn

We now construct a circuit D that on input e and op erates as follows

n

For every j i the circuit D generates an encryption of x using the en

n j

cryption key e Similarly for every j i the circuit D generates an

n

encryption of y using the encryption key e Let us denote the resulting ci

j

phertexts by Finally D invokes C on input e and

i i n n

tn

and outputs whatever C do es

i i n

tn

Now supp ose that is a random encryption of x with key e that is

i

i

i

where X Y means E x Then D e C e h C H

n

e i n n n

that the random variables X and Y are identically distributed Similarly for

i

i

E y we have D e C e h C H Thus by Eq

n

e i n n n

The construction relies on D s knowledge of the encryptionkey and hence the publickey

n

mo del is essential for it

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

we have

n

n

Pr D G E y

n i

G

1

n

n

Pr D G E x

n i

G

1

tn pn

in contradiction to our hypothesis that G E D is a ciphertextindistinguishable

publickey encryption scheme in the single message sense The theorem follows

Discussion The fact that we are in the publickey mo del is essential to the

ab ove pro of It allows the circuit D to form encryptions relative to the same

n

encryptionkey used in the ciphertext given to it In fact as stated ab ove the

analogous result do es not hold in the privatekey mo del

In the privatekey mo del

In contrary to Theorem in the privatekey model ciphertextindistinguishability

for a single message do es not necessarily imply ciphertextindistinguishability

for multiple messages

Prop osition Suppose that there exist pseudorandom generators robust

against p olynomialsize circuits Then there exists a privatekey encryption

scheme that satises Denition but does not satisfy Denition

Pro of We start with the construction of the privatekey encryption scheme

The encryptiondecryption key for security parameter n is a uniformly dis

tributed nbit long string denoted s To encrypt a ciphertext x the encryption

algorithm uses the key s as a seed for a pseudorandom generator denoted g

that stretches seeds of length n into sequences of length jxj The ciphertext is

obtained by a bitbybit exclusiveor of x and g s Decryption is done in an

analogous manner

We rst show that this encryption scheme satises Denition Intu

itively this follow from the hypothesis that g is a pseudorandom generator and

jxj

the fact that x U is uniformly distributed over f g Sp ecically supp ose

jxj

towards the contradiction that for some p olynomialsize circuit family fC g a

n

p olynomial p and innitely many ns

jPr C x g U Pr C y g U j

n n n n

pn

n

where U is uniformly distributed over f g and jxj jy j m p oly n On

n

the other hand

Pr C x U Pr C y U

n m n m

Thus without loss of generality

jPr C x g U Pr C x U j

n n n m

pn

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Incorp orating x into the circuit C we obtain a circuit that distinguishes U

n m

from g U in contradiction to our hypothesis regarding the pseudorandomness

n

of g

Next we observe that the ab ove encryption scheme do es not satisfy Deni

tion Sp ecically given the ciphertexts of two plaintexts one may easily

retreive the exclusiveor of the corresp onding plaintexts That is

E x E x x g s x g s x x

s s

This clearly violates Denition eg consider f x x x x as well

as Denition eg consider any x x x and y y y such that

x x y y Viewed in a dierent way note that any plaintextciphertext

pair yields a corresp onding prex of the pseudorandom sequence and knowledge

of this prex violates the security of additional plaintexts That is given the

encryption of a known plaintext x along with the encryption of an unknown

plaintext x we can retreive x On input the ciphertexts knowing that

the rst plaintext is x rst retreives the pseudorandom sequence ie it is just

def

r x and next retreives the second plaintext ie by computing r

Discussion The singlemessage security of the ab ove scheme was proven by

considering an ideal version of the scheme in which the pseudorandom sequence

is replaced by a truely random sequence The latter scheme is secure in an

information theoretic sense and the security of the actual scheme followed by

the indistinguishability of the two sequences As we show b elow the ab ove

construction can b e mo died to yield a privatekey streamcipher that is secure

for multiple message encryptions All that is needed is to make sure that the

same part of the pseudorandom sequence is never used twice

A uniformcomplexity treatment

As stated at the b eginning of this section the nonuniform formulation was

adopted here for sake of simplicity In this subsection we sketch a uniform

complexity denitional treatment of security We stress that by uniform or non

uniform complexity treatment of cryptographic primitives we merely refer to the

mo delling of the adversary The honest legitimate parties are always mo delled

by uniform complexity classes most commonly probabilistic p olynomialtime

The notion of eciently constructible ensembles dened in Section is

centeral to the uniformcomplexity treatment Recall that an ensemble X

fX g is said to b e p olynomialtime constructible if there exists a probabilistic

n

nN

n

p olynomial time algorithm S so that for every n the random variables S

and X are identically distributed n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

The denitions

We present only the denitions of security for multiple messages the single

message variant can b e easily obtained by setting the p olynomial t b elow to b e

identically Likewise we present the publickey version and the privatekey

n

analogous can b e obtained by omitting G from the inputs to the various

algorithms

Denition semantic security uniformcomplexity version An en

cryption scheme G E D is uniformly semantically secure in the publickey

mo del if for every probabilistic polynomialtime algorithm A there exists a prob

abilistic polynomialtime algorithm A so that for every polynomial t every

tn i

polynomialtime constructible ensemble f X X X g with jX j

n n n

n

nN

p oly n every polynomialtime computable h f g f g every f

f g f g every positive polynomial p and al l suciently large ns

i h

j n X j

n

n

E X X f X Pr AG h

n n n

G

1

i h

X j j

n

X f X h Pr A

n n

pn

def

tn

where E x E x E x is as in Denition

n n

e n e e

X is a sequence of random variables which may dep end Again we stress that

n

n

on one another Also the encryptionkey G was omitted from the input of

A since the latter may generate it by itself We stress that even here ie in

the uniform complexity setting no computational limitation are placed on the

function f

Denition indistinguishability of encryptions uniformcomplexity ver

sion An encryption scheme G E D has uniformly indistinguishable encryp

tions in the publickey mo del if for every polynomial t every probabilistic polynomial

def

T fT time algorithm D every polynomialtime constructible ensemble

n

tn tn i

X Y Z g with X X Y Y X Y and jX j

n n n n n

n n n n n

nN

i

jY j p oly n

n

n

n

E X jPr D Z G

n n

G

1

n

n

Pr D Z G E Y j

n n

G

1

pn

for every positive polynomial p and al l suciently large ns

The random variable Z captures apriori information ab out the plaintexts for

n

which encryptions should b e distinguished A sp ecial case of interest is when

Z X Y

n n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Equivalence of the multiplemessage denitions

We prove the equivalence of the uniformcomplexity denitions presented ab ove

for multiplemessage security

Theorem equivalence of denitions uniform treatment A public

key encryption scheme satises Denition if and only if it satises Def

inition Furthermore this holds also if Denition is restricted to

X Y and Denition is restricted to the the special case where Z

n n n

special case where f is polynomialtime computable

An analogous result holds for the privatekey mo del The imp ortant direction of

the theorem holds also for the singlemessage version this is quite obvious from

the pro of b elow In the other direction we seem to use the multiplemessage

version conventions of semantic security in order to account for auxiliary in

formation required in ciphertextindistinguishability

Pro of Sketch Again we start with the more imp ortant direction that is

assuming that G E D has uniformly indistinguishable encryptions in the

sp ecial case where Z X Y we show that it is uniformly semantically

n n n

secure Our construction of algorithm A is analogous to the construction used

j j

n

in the nonuniform treatment Sp ecically on input h algorithm

n

j j

n

A generates a random encryption of a dummy sequence of message ie

feeds it to A and outputs whatever A do es That is

j j j j j n j

n n n

n

h h A AG E

n n

G

As in the nonuniform case the analysis of algorithm A reduces to the following

claim

X g Claim For every p olynomialtime constructible ensemble f

n

nN

tn i

X X X and jX j p oly n every p olynomialtime com with

n n n

n

putable h every p ositive p olynomial p and all suciently large ns

n

n

AG Pr E X hX f X

n n n

G

1

h i

n j X j

n

n

Pr AG E X f X h

n n

G

1

pn

Pro of sketch Again assuming towards the contradiction that the claim do es

not hold yields an algorithm that distinguishes encryptions of X from encryp

n

j X j

n

tions of This algorithm will use auxiliary information hX which is

n

jX j

n

eciently computable from Z X Thus we derive contradiction to

n n

Denition even under the sp ecial case p ostulated in the theorem

The actual pro of is quite simple in case the function f is also p olynomial

time computable which is not the case in general In this sp ecial case on

xj j

the new algorithm computes u h E where z x x input e z

e

xj j

u v and v f x invokes A and outputs if and only if Ae E e

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

The pro of b ecomes more involved in case f is not p olynomialtime computable

Again the solution is in realizing that indistinguishability of encryption p ostu

lates a similar output prole in b oth cases and in particular no value can o ccur

nonnegligiblly more in one case than in the other To clarify the p oint we de

n

n

ne x to b e the dierence b etween Pr AG E x hx v

v n n n

G

1

jx j n

n

n

E hx v We know that E X and Pr AG

n n

G

1

f X

n

pn but given x we cannot evaluate x since we do not have f x

n n n

f x

n

def

x max f x g Again EX pn yet given Instead we let

n v v n n

x we can approximate x in p olynomialtime Furthermore we may nd a

n n

n

value v so that x x pn with probability at least

v n n

jxj

Thus on input e z E where z x the new algorithm denoted D

e

x estimates x and nds a v as ab ove This is done rst computes u h

obliviously of the ciphertext E which is only used next Next algorithm

e

jxj

E u v D invokes A and outputs if and only if Ae

e

Let V x b e the value found in the rst stage of algorithm A ie obliviously

E The reader can easily verify that of the ciphertext

e

h i

n X n

n

n n

E X Pr D G Z E Pr D G Z

n n n

G G

1 1

i h

X E

n

X V

n

n n

E X

n

pn

E X

n

pn

and the claim follows 2

Having established the imp ortant direction we now turn to the opp osite

one That is we assume that G E D is uniformly semantically secure and

prove that it has uniformly indistinguishable encryptions Again the pro of is

by contradiction Supp ose without loss of generality that there exists a proba

bilistic p olynomialtime algorithm D a p olynomialtime constructible ensemble

def

f T T X Y Z g as in Denition a p ositive p olynomial p and

n n n n

nN

innitely many ns so that

n

n

E X Pr D Z G

n n

G

1

n

n

Pr D Z G E Y j

n n

G

1

pn

def

X j We dene an Assume without loss of generality that m jZ j j

n n

def

auxiliary p olynomialtime constructible ensemble Q fQ g so that

nN

n

m

X Y with probability Z

n n n

Q

n

m

Y X with probability Z

n n n

Unlike in the nonuniform treatment here we cannot hardwire values such as the values

0

of h and f on go o d sequences into the algorithm D which is required to b e uniform

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Q contains Z X Y in addition to a bit provided in the mbit long That is

n n n

n

prex indicating whether the order of X and Y is switched or not We dene

n n

the function f so that to equal this switch indicator bit and the function h

to provide all information in Q except this switch bit Sp ecically dene f

n

m

f g f g so that f returns the rst bit of its input that it f abc

m

for a b c f g Dene h f g f g so that h provides the information

m

in the sux without yielding information on the prex that is h abc abc

m

Q Z X Y We stress if and h abc acb otherwise Thus h

n n n

n

that b oth h and f are p olynomialtime computable

We will show that D can b e transformed into a p olynomialsize algorithm

Q from the encryption of Q and hQ A that guesses the value of f

n n n

and do es so signicantly b etter that with probability This violates semantic

Q security since no algorithm regardless of its runningtime can guess f

n

jQ j

n

b etter than with probability when only given h Q and since given

n

j Q j

n

Q and Q is uniformly distributed over f g h the value of f

n n

jj m m

On input e E z x y where abc equals either z x y or

e

m

y x algorithm A rst extracts x y and z out of h z x y and approxi z

mates

def

n n

n n

x y Pr D z G E x Pr D z G E y z

G G

1 1

e

Let z x y denote this approximation and assume the parameters are such

n

e

that jz x y z x y j pn with probability at least Algo

e e

rithm A sets if z x y pn sets if z x y pn

and sets otherwise ie the estimate is in b etween In case al

gorithm A halts with an arbitrary reasonable guess say a randomly selected

E which is only used next bit This is done obliviously of the ciphertext

e

Next algorithm A extracts the last blo ck of ciphertexts ie E c out of

e

m

E E abc and invokes D on input z e E c In case algo

e e e

rithm A outputs if and only if the output of D is In case algorithm

A outputs if and only if the output of D is

Claim Let p Q h f and A b e as ab ove

n

n

n

E Q hQ f Q Pr AG

G

n n n

1

pn

Pro of sketch We fo cus on the case in which the approximation of Z X X

n n n

provided by A is within pn of the correct value Thus in case the

X X It follows that for every sign of concurs with the sign of Z

n n n

p ossible z x y so that it holds that z y x and

n

n

E Q hQ f Q j Z X X z x y Pr AG

n n n

G

n n n

1

m m n

n

z z E x y h x y AG Pr

G

1

n m m

n

Pr AG E z y x h z y x

G

1

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

n

n

E y Pr D z G

G

1

n

n

E x Pr D z G

G

1

y x z

Similarly for every p ossible z x y so that it holds that z y x

and

n

n

E Q hQ f Q j Z X X z x y Pr AG

n n n

G

n n n

1

n

n

Pr D z G E y

G

1

n

n

E x Pr D z G

G

1

y x z

Thus in b oth cases where algorithm A succeeds with probability

y x j and in case it succeeds with probability Also if jz

Z X X X X then Recalling that EZ

n n n n n n

pn pn

by Thus the overall success X X we lower b ound Pr Z

n n n

pn pn

probability of algorithm A is at least

pn

pn pn

and the claim follows 2

This completes the pro of of the opp osite direction

Singlemessage versus multiplemessage denitions

As in the nonuniform case for the publickey mo del singlemessage security

implies multiplemessage security Again this implication do es not hold in the

privatekey mo del The pro ofs of b oth statements are analogous to the pro ofs

provided in the nonuniform case Sp ecically

For the publickey mo del singlemessage uniformindistinguishability of

encryptions imply multiplemessage uniformindistinguishability of encryp

tions which in turn implies multiplemessage uniformsemantic security

In the pro of of this result we use the fact that all hybrids are p olynomial

time constructible and that we may select a random pair of neighboring

hybrids cf the pro of of Theorem We also use the fact that an

tn

ensemble of triplets f T X Y Z g with X X X

n n

n n n n

nN

n

tn

Y Y Y as in Denition induces an ensemble of

n n

n

triplets fT X Y Z g for the case t Sp ecically we shall

n n n n

nN

i i

X Y Z i where i is uniformly and Z Y Y use X X

n n

n n n n n

n

distributed in f tng

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

For the privatekey mo del singlemessage uniformindistinguishability of

encryptions do es not imply multiplemessage uniformindistinguishability

of encryptions The pro of is exactly as in the nonunform case

The gain of a uniform treatment

Supp ose that one is content with the uniformcomplexity level of security which

is what we advocate b elow Then the gain in using the uniformcomplexity

treatment is that a uniformcomplexity level of security can b e obtained using

only uniform complexity assumptions rather than nonuniform complexity as

sumptions Sp ecically the results presented in the next section are based on

nonuniform assumptions such as the existence of functions that cannot b e in

verted by p olynomialsize circuits rather than by probabilistic p olynomialtime

algorithms These nonuniform assumption are used in order to satisfy the

nonuniform denitions presented in the main text ab ove Using any of these

constructions while making the analogous uniform assumptions yields encryp

tion schemes with the analogous uniformcomplexity security We stress that

this is no coincidence but is rather an artifact of these results b eing proven by

a uniform reducibility argument

However something is lost when relying on these seemingly weaker uniform

complexity assumptions Namely the security we obtain is only against the

seemingly weaker uniform adversaries We b elieve that this loss in security

is immaterial Our b elief is based on the thesis that uniform complexity is the

right mo del of real world cryptography We b elieve that it is reasonable to

consider only ob jects ie inputs generated by uniform and ecient pro cedures

and the eect that these ob jects have on uniformly and ecient observers ie

adversaries In particular schemes secure against probabilistic p olynomialtime

adversaries can b e used in any setting consisting of probabilistic p olynomialtime

machines with inputs generated by probabilistic p olynomialtime pro cedures

We b elieve that the cryptographic setting is such a case

Constructions of Secure Encryption Schemes

In this subsection we present constructions of secure privatekey and public

key encryption schemes Here and throughout this section security means se

mantic security in the multiplemessage setting Recall that this is equivalent

to ciphertextindistinguishability in the multiplemessage setting Also recall

that for publickey schemes it suces to prove ciphertextindistinguishability in

the singlemessage setting The main results of this section are

Using any nonuniformly robust pseudorandom function one can con

struct secure privatekey encryption schemes Recall that the former can

b e constructed using any nonuniformly strong oneway function

Using any nonuniform strong trap do or oneway p ermutation one can

construct secure publickey encryption schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

In addition we review some p opular suggestions for privatekey and publickey

encryption schemes

Probabilistic Encryption Before starting we recall that a secure publickey

encryption scheme must employ a probabilistic ie randomized encryption al

gorithm Otherwise given the encryptionkey as additional input it is easy

to distinguish the encryption of the allzero message from the encryption of the

allones message The same holds for privatekey encryption schemes when con

sidering the multimessage setting For example using a deterministic private

key encryption algorithm allows the adversary to distinguish two encryptions

of the same message from the encryptions of a pair of dierent messages Thus

the common practice of using pseudorandom p ermutations as blo ckciphers

see denition b elow is not secure again one can distinguish two encryptions

of the same message from encryptions of two dierent messages This explains

the linkage b etween the ab ove robust security denitions and randomized aka

probabilistic encryption schemes Indeed all our encryption schemes will em

ploy randomized encryption algorithms

StreamCiphers

It is common practice to use pseudorandom generators as a basis for private

key stream ciphers We stress that this is a very dangerous practice when the

pseudorandom generator is easy to predict such as the linear congruential

generator or some mo dications of it which output a constant fraction of the

bits of each resulting number However this common practice b ecomes sound

provided one uses pseudorandom generators as dened in Section Thus

we obtain a privatekey that allows to encrypt a stream of plain

text bits Note that such a stream cipher do es not conform with our formulation

of an encryption scheme since for encrypting several messages one is required

to maintain a counter In other words we obtain a encryption scheme with a

variable state that is mo died after the encryption of each message To obtain

a stateless encryption scheme as in our denitions ab ove we may use a pseu

dorandom function see b elow But b efore doing so let us formalize the ab ove

discussion

Authors Note DO IT ie formalize the ab ove discussion

We note that the ab ove do es not hold with resp ect to privatekey schemes in the single

message setting Hint the privatekey can b e augmented to include a seed for a pseudorandom

generator the output of which can b e used to eliminate randomness from the encryption

algorithm Question why do es the argument fail in the multimessage privatekey setting

Same for the publickey setting

The privatekey streamciphers discussed b elow are an execption but as we p oint out

they do not adherse to our formulation of encryption schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Preliminaries Blo ckCiphers

Many encryption schemes are more conveniently presented by rst presenting a

restricted type of encryption scheme that we call a blockcipher In contrast

to encryption schemes as dened in Denition blo ckciphers dened

b elow are only required to op erate on plaintext of a sp ecic length which is a

function of the security parameter As we shall see given a secure blo ckcipher

we can easily construct a general secure encryption scheme

Denition blo ckcipher A blo ckcipher is a triple G E D of prob

abilistic polynomialtime algorithms satisfying the fol lowing two conditions

n

On input algorithm G outputs a pair of bit strings

There exists a polynomiallybounded function N N called the blo ck

n

length so that for every pair e d in the range of G and for each

n

f g algorithms E and D satisfy

Pr D E

d e

Al l conventions are as in Denition

Typically we use either n n or n Analogously to Deni

tion the ab ove denition do es not distinguish privatekey encryption schemes

from publickey ones The dierence b etween the two types is captured in the

security denitions which remain as they were ab ove with the mo dication that

we only consider plaintexts of length n For example the analogue of Deni

tion reads

Denition semantic security privatekey blo ckciphers A blockcipher

G E D with block length is semantically secure in the privatekey mo del if

there exists a polynomailtime transformation T so that for every polynomial

size circuit family fC g for every ensemble fX g with jX j n and

n n n

nN

f h p and n as in Denition

h i

jX j

n

n

Pr C E X hX f X

n n n n

G

1

h i

jX j

n

Pr C hX f X

n n

n

pn

def

where C T C is the circuit produced by T on input C

n n

n

There are several obvious ways of transforming a blo ckcipher into a general

encryption scheme The basic idea is to break the plaintexts for the resulting

scheme into blo cks and enco de each blo ck separately by using the blo ckcipher

Doing so we abuse standard terminology by which a blo ckcipher must in addition to

op erating on plaintext of sp ecic length pro duce ciphertexts equal in length to the length of

the corresp onding plaintexts

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Thus the security of the blo ckcipher in the multiplemessage settings implies

the security of the resulting encryption scheme The only technicality we need

to deal with is how to encrypt plaintexts of length that is not an integer multiple

of the blo cklength ie n This is easily resolved by padding the last blo ck

Construction from blo ckciphers to general encryption schemes Let

G E D be a blockcipher with block length function We construct an en

cryption scheme G E D as fol lows The keygeneration algorithm G is

identical to G To encrypt a message with encryption key e generated under

security parameter n we break it into consequetive blocks of length n while

possibly augmenting the last block Let be the resulting blocks Then

t

def

jj

E E E

e e t

e

m

To decrypt the ciphertext with decryption key d we let

t i

D for i t and let the plaintext be the mbit long prex of the con

d i

catanated string

t

The ab ove construction yields ciphertexts which reveal the exact length of the

plaintext Recall that this is not prohibited by the denitions of security and

that we cannot hop e to entirely hide the length However we can easily construct

encryption schemes that hide some information ab out the length of the plaintext

see examples in Exercise Also note that the ab ove construction applies even

to the sp ecial case where is identically

Theorem Let G E D and G E D be as in Contruction Sup

pose that the former a secure privatekey resp publickey blockcipher Then

the latter is a secure privatekey resp publickey encryption scheme

Pro of Assuming towards the contradiction that the encryption scheme G E D

is not secure we obtain conclude that neither is G E D contradicting our hy

p othesis Note that in case the security of G E D is violated via tn mes

sages of length Ln the security of G E D is violated by tn dLnne

Also the argument may utilize any of the two notions of security ie semantic

security or ciphertextindistinguishability

Privatekey encryption schemes

Secure privatekey encryption schemes can b e easily constructed using any e

ciently computable pseudorandom function ensemble see Section Sp eci

cally we present a blo ck cipher with blo ck length n n The key generation

algorithm consists of selecting a seed denoted s for such a function denoted

n

f To encrypt a message x f g using key s the encryption algorithm

s

n

uniformly selects a string r f g and pro duces the ciphertext r x f r

s

To decrypt the ciphertext r y using key s the decryption algorithm just

computes y f r Formally we have s

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Construction a privatekey blo ckcipher based on pseudorandom func

tions Let F fF g be an eciently computable function ensemble and let I

n

n

and V be the algorithms associated with it That is I selects a function with

distribution F and V i x returns f x where f is the function associated with

n i i

the string i We dene a privatekey G E D with block length

n n as fol lows

n n

keygeneration G i i where i I

n

encrypting plaintext x f g E x r V i r x where r is uniformly

i

n

chosen in f g

decrypting ciphertext r y D r y V i r y

i

Below we assume that F is pseudorandom with respect to polynomailsize cir

cuits meaning that no p olynomialsize circuit having oracle gates can distin

guish the case the answers are provided by a random function from the case in

which the answers are provided by a function in F Alternatively one may con

sider probabilistic p olynomialtime orcale machines that obtain a nonuniform

p oly nlong auxiliary input That is

for every probabilistic polynomialtime oracle machine M for every

pair of positive polynomial p and q for al l suciently large ns and

pn

al l z f g

n

f f

I (1 )

Pr M z Pr M z

q n

n n

where f is a uniformly selected function mapping f g to f g

Recall that such nonuniformly strong pseudorandom functions can b e con

structed using any nonuniformly strong oneway function

Theorem Let F and G E D be as in Contruction and suppose

that F is pseudorandom with respect to polynomailsize circuits Then G E D

is secure

Pro of The pro of consists of two steps suggested as a general metho dology in

Section

Prove that an idealized version of the scheme in which one uses a uniformly

n n

selected function f f g f g rather than the pseudorandom func

tion f is secure in the sense of ciphertextindistinguishability

s

Conclude that the real scheme as presented ab ove is secure since other

wise one could distinguish a pseudorandom function from a truly random one

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Sp ecically in the ideal version the messages x x are encrypted by r f r

t

x r f r x where the r s are indep endently and uniformly selected

t t i

n

and f is a random function Thus with probability greater than t

the r s are all distinct and so the f r x s are indep endently and uniformly

i i i

distributed regardless of the x s Now if the actual scheme is not ciphertext

i

indistinguishable then for some sequence of distinct r s a p olynomialsize circuit

i

can distinguish the f r x s from the f r x s where f is random and

i i s i i

f is pseudorandom But this contradicts the hypothesis that p olynomialsize

s

circuits cannot distinguish b etween the two

Comments Note that we could have gotten rid of the randomization if we

had allowed the encryption algorithm to b e history dep endent as discussed

ab ove Sp ecically in such a case we could have used a counter in the role

of r Furthermore if the encryption scheme is used for fifo communication

b etween the parties and b oth can maintain the counter value then there is no

need for the sender to send the counter value

On the other hand recall that the common practice of using pseudoran

dom p ermutations as blo ckciphers is not secure eg one can distinguish two

encryptions of the same message from encryptions of two dierent messages

Publickey encryption schemes

As mentioned ab ove randomization during the encryption pro cess can b e avoided

in privatekey encryption schemes that employ a varying state not allowed in our

basic Denition In case of publickey encryption schemes randomization

during the encryption pro cess is essential even if the encryption scheme employs

a varying state Thus in a sense the randomized encryption paradigm plays

an even more pivotal role in the construction of publickey encryption scheme

To demonstrate this paradigm we start with a very simple and quite wasteful

construction

All our constructions employ a collection of trap do or p ermutations as in

Denition Recall that such a collection fp g comes with four proba

bilistic p olynomialtime algorithms denoted here by I S F and B for index

sample forward and backward so that

n

I selects a random nbit long index of a p ermutation p along with

a corresp onding trap do or

S randomly samples the domain of p returning a random element in

it

For x in the domain of p given and x algorithm F returns p x ie

F x p x

n

For y in the range of p if is a p ossible output of I then given

and y algorithm B returns p y ie B y p y

That is letting E x p x where p is the p erumtation asso ciated with the string i

i i i

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

n n

Let I denote the rst element in the output of I ie the index It is

guaranteed that for every p olynomialsize circuit family fC g every p olynomial

n

p and all suciently large ns

n n n

n

Pr C I p S I S I

n

I

1

pn

That is C fails to invert p on p x wheren and x are selected by I and

n

S as ab ove Recall the ab ove collection can b e easily mo died to have a hard

core predicate cf Theorem For simplicity we continue to refer to the

collection as fp g and let b denote the corresp onding hardcore predicate

Simple schemes

We are now ready to present a very simple alas quite wasteful construction of

a secure publickey encryption scheme It is a blo ckcipher with

Construction a simple publickey blo ckcipher scheme Let fp g I S F B

and b be as above

keygeneration The key generation algorithm consists of selecting at random

a permutation p together with a trapdoor for it The permutation or

rather its description serves as the publickey whereas the trapdoor serves

n n

as the privatekey That is G I which means that the index

trapdoor pair generated by I is associated with the keypair of G

encryption To encrypt a bit using the encryptionkey the encryption

algorithm randomly selects an element r in the domain of p and produces

the ciphertext p r br That is E F r br where

r S

decryption To decrypt the ciphertext y using the decryptionkey the de

cryption algorithm just computes bp y where the inverse is com

puted using the trapdoor of p That is D y bB y

Clearly for every p ossible output of G it holds that

D E bB F S bS

bS bS

The security of the ab ove publickey encryption scheme follows from the non

uniform oneway feature of the collection fp g We comment that the pro of

of Theorem implies that the corresp onding hardcore predicate is non

uniformly strong that is for randomly chosen and r no p olynomialsize

circuit can predict br given p r and nonnegligiblly b etter than with

success probability

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Prop osition Suppose that b is a nonuniformly strong hardcore of the

collection fp g Then Construction constitute a secure publickey block

cipher with blocklength

Pro of Recall that by the equivalence theorems ie Theorems and

it suces to show singlemessage ciphertextindistinguishability Furthermore

by Prop osition and the fact that here there are only two plaintexts it

suces to show that one cannot predict which of the two plaintexts is b e

ing encrypted signicantly b etter than by a random guess We conclude by

noting that a guess for the plaintext given the ciphertext E

f r br yields a guess br for br given f r The

latter guess is correct with probability equal the probability that and so

the prop osition follows

As admitted ab ove Construction is quite wasteful Sp ecically it is waste

ful in bandwidth that is the relation b etween the length of the plaintext and the

length of the ciphertext In Construction the relation b etween these lengths

equals the security parameter ie n However the idea underlying Construc

tion can yield ecient publickey schemes provided we use trap do or p er

mutations having hardcore functions with large range see Section To

demonstrate the p oint we use the following assumption relating to the RSA

collection of trap do or p ermutations cf Subsections and

Large hardcore conjecture for RSA The rst n least signicant bits

of the argument constitute a nonuniformly strong hardcore function of RSA

with nbit long moduli

We stress that the conjecture is not know to follow from the assumption that

the RSA collection is nonuniformly hard to invert What can b e proved under

the latter assumption is only that the rst O log n least signicant bits of the

argument constitute a nonuniformly strong hardcore function of RSA with

nbit long mo duli Still the ab ove conjecture implies that the common practice

of randomly padding messages using padding equal in length to the message

b efore encrypting them using RSA results in a secure publickey encryption

scheme That is we consider the following

Construction Randomized RSA a publickey blo ckcipher scheme

This scheme employs the RSA collection of trapdoor permutations cf Subsec

tions and The fol lowing description is however selfcontained

keygeneration The key generation algorithm consists of selecting at random two

nbit primes P and Q setting N P Q and selecting at random a pair

e d so that e d mo d P Q That is N e N d

n

G where N e and d are as specied above

Note that N is nbit long

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

encryption To encrypt an nbit string using the encryptionkey N e the

encryption algorithm randomly selects an element r f N g and

e

produces the ciphertext r mo d N lsbr where lsbr denotes the

e

n least signicant bits of r That is E r mo d N lsbr

N e

decryption To decrypt the ciphertext y using the decryptionkey N d

d

the decryption algorithm just computes lsby mo d N where lsb

d

is as above That is D y lsby mo d N

N d

The bandwidth of the ab ove scheme is much b etter than in Construction

a plaintext of length n is encrypted via a ciphertext of length n Clearly for

every p ossible N e N d output of G it holds that

e d

D E lsbr lsbr mo d N mo d N

N d N e

ed

lsbr lsbr mo d N

The security of the ab ove publickey encryption scheme follows from the large

hardcore conjecture for RSA analogously to the pro of of Prop osition

Prop osition Suppose that the large hardcore conjecture for RSA does

hold Then Construction constitute a secure publickey blockcipher with

blocklength n n

Pro of Recall that by the equivalence theorems ie Theorems and

it suces to show singlemessage ciphertextindistinguishability Considering

e

any two strings x and y we need to show that r mo d N x lsbr and

e

r mo d N y lsbr are indistinguishable where N e and r are selected at

random as in the construction It suces to show that for every x the distribu

e e

tions r mo d N x lsbr and r mo d N x s are indistinguishable where

n

s f g is uniformly distributed indep endently of anything else The latter

claim follows from the hypothesis that the n least signicant bits are a hardcore

function for RSA with mo duli of length n

Discussion We wish to stress that encrypting messages by merely applying

the RSA function to them without randomization yields an insecure encryption

scheme This is a sp ecial case of the fact that no publickey encryption scheme

that employs a deterministic encryption algorithm may b e secure We warn

that the fact that in such deterministic encryption schemes one can distinguish

encryptions of two sp ecic messages eg the allzero message and the allone

message is not merely of theoretical concern it may seriously endanger some

applications

An alternative scheme

An alternative construction of a publickey encryption scheme is presented b e

low Rather than encrypting each plaintext bit by an indep endently selected ele

ment in the domain of the trap do or p ermutation as done in Construction

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

we select only one such element p er a plaintext string and provide an additional

bit p er each bit of the plaintext These bits are determine by successive ap

plications of the trap do or p ermutation and only the last result is included in

the ciphertext In a sense the construction of the encryption scheme b elow

augments the construction of a pseudorandom generator based on oneway p er

mutations ie Construction

Construction a publickey encryption scheme Let fp g I S F B

i i

and b be as in Construction We use the notation p x p p x

i

i

x p p x and p

keygeneration The keygeneration algorithm consists of selecting at random a

permutation p together with a trapdoor exactly as in Construction

n n

That is G I which means that the indextrapdoor pair generated

by I is associated with the keypair of G

encryption To encrypt a string using the encryptionkey the encryption

algorithm randomly selects an element r in the domain of p and produces

j j

r G r where the ciphertext p

def

j j

G r br bp r bp r

j j

That is E p S G S

decryption To decrypt the ciphertext y using the decryptionkey the

j j

decryption algorithm just computes G p y where the inverse is

j j

computed using the trapdoor of p That is D y G p y

We stress that the ab ove encryption scheme is a fulledged one rather than a

blo ckcipher Its bandwidth tends to with the length of the plaintext that is

a plaintext of length p oly n is encrypted via a ciphertext of length n

Clearly for every p ossible output of G it holds that D E

The security of the ab ove publickey encryption scheme follows from the non

uniform oneway feature of the collection fp g but here we restrict the sampling

algorithm S to pro duce almost uniform distribution over the domain

Prop osition Suppose that b is a nonuniformly strong hardcore of

the trapdoor collection fp g Furthermore suppose that this trapdoor collection

utilizes a domain samplying algorithm S so that the statistical dierence between

S and the uniform distribution over the domain of p is negligible in terms of

jj Then Construction constitute a secure publickey encryption scheme

Pro of Again we prove singlemessage ciphertextindistinguishability As in the

pro of of Prop osition it suces to show that for every the distributions

j j j j

S s are indistinguishable where S G S and p p

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

j j

s f g is uniformly distributed indep endently of anything else The latter

claim holds by a minor extention to Prop osition the latter refers to the

case S is uniform over the domain of p but can b e extended to the case in

which there is a negligible statistical dierence b etween the distributions The

prop osition follows

An instantiation Assuming that factoring Blum Integers ie pro ducts of

two primes each congruent to mo d is hard one may use the mo dular

squaring function in role of the trap do or p ermutation ab ove see Section

This yields a secure publickey encryption scheme presented b elow with ef

ciency comparable to that of RSA Recall that RSA itself is not secure as

it employs a deterministic encryption algorithm whereas Randomized RSA

dened ab ove is not known to b e secure under standard assumption such as

intractability of factoring or of inverting the RSA function

Construction The BlumGoldwasser PublicKey Encryption Scheme

For simplicity we present a blockcipher with arbitrary blocklength n

p oly n

keygeneration The key generation algorithm consists of selecting at random

two nbit primes P and Q each congruent to mod and outputing the

pair N P Q where N P Q

Actually for sake of eciency the keygenerator also computes d

P

n n

P mo d P d Q mo d Q c Q

Q P

Q mo d P and c P P mo d Q It outputs the pair N T

Q

where N serves as the encryptionkey and T P Q N c d c d

P P Q Q

serves as decryptionkey

n

encryption To encrypt the message f g using encryptionkey N

Uniformly select s f N g

For i n compute s s mo d N and b lsbs

i i i

i

where lsbs is the least signicant bit of s

The ciphertext is s where b b b

n n

decryption To decrypt of the ciphertext r using decryptionkey T P Q N c d c d

P P Q Q

one rst retreives s and then computes the b s as above Instead of ex

i

n

tracting modular square roots successively n times we extract the

th root which can be done as eciently as extracting a single square root

d d

Q P

mo d Q mo d P and s r Let s r

Let s c s c s mo d N

P Q

Recall that Randomized RSA is secure assuming that the n least signicant bits con

stitute a hardcore function for nbit RSA mo duli We only know that the O log n least

signicant bits constitute a hardcore function for nbit mo duli

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

mo d N For i n compute b lsbs and s s

i i i

i

The plaintext is b b b

n

Again one can easily verify that the ab ove construction constitutes an encryp

tion scheme the main fact to verify is that the value of s as reconstructed in

the decryption stage equals the value used in the encryption stage This fol

lows by combining the Chinese Reminder Theorem with the fact that for every

d

P

mo d P and quadratic residue s mo d N it holds that s s mo d N

d

Q

mo d Q Encryption amounts to n mo dular similarly s s mo d N

multiplications whereas decryption amounts to n such multiplications

and mo dular exp onentiations relative to halfsized mo duli For comparison

to Randomized RSA consider the setting n n The security of the ab ove

scheme follows immediately from Prop osition and the fact that lsb is a

hardcore for the mo dular squaring function and that inverting the latter is

computationally equivalent to factoring Thus we get

Corollary Suppose that factoring is infeasible in the sense that for every

polynomialsize circuit fC g every positive polynomial p and al l succiently large

n

ns

Pr C P Q P

n n n n

pn

where P and Q are uniformly distributed nbit long primes Then Construc

n n

tion consititutes a secure publickey encryption scheme

Beyond eavesdropping security

Authors Note The following text includes an introduction that is

repro duced with little change from App endix B and a plan

The ab ove denitions refer only to a passive attack in which the adversary

merely eavesdrops on the line over which ciphertexts are b eing sent Stronger

types of attacks culminating in the socalled Chosen Ciphertext Attack may b e

p ossible in various applications Sp ecically in some settings it is feasible for the

adversary to make the sender encrypt a message of the adversarys choice and

in some settings the adversary may even make the receiver decrypt a ciphertext

of the adversarys choice This gives rise to chosen message attacks and to cho

sen ciphertext attacks resp ectively which are not covered by the ab ove security

denitions Thus our main goal in this section is to provide a treatment to such

types of attacks Furthermore the ab ove denitions refer to an adversary that

tries to extract explicit information ab out the plaintext A less explicit attempt

captured by the socalled notion of mal leability is to generate an encryption of

a related plaintext p ossibly without learning anything ab out the original plain

text Thus we have a matrix of adversaries with one dimention parameter

b eing the type of attack and the second b eing its purpose

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BEYOND EAVESDROPPING SECURITY

Types of attacks The following minitaxonomy of attacks is certainly not

exhaustive

Passive attacks as captured in the denitions ab ove In case of publickey

schemes we distinguish two subcases

a A keyoblivious passive attack as captured in the denitions ab ove

By keyobliviousness we refer to the fact that the choice of plaintext

do es not dep end on the publickey

b A keydependent passive attack in which the choice of plaintext may

dep end on the publickey

In Denition the choice of plaintext means the random variable X

n

whereas in Denition it means the pair of sequences x y

n

n

Chosen Plaintext Attacks Here the attacker may obtain the encryption of

any plaintext of its choice under the key b eing attacked Such an attack

do es not add p ower in case of publickey schemes

Chosen Ciphertext Attacks Here the attacker may obtain the decryption

of any ciphertext of its choice under the key b eing attacked That is the

attacker is given oracle access to the decryption function corresp onding to

the decryptionkey in use We distinguish two types of such attacks

a In an apriori chosen ciphertext attack the attacker is given this

oracle access prior to b eing presented the ciphertext that it should

attack ie the ciphertext for which it has to learn partial information

or form a related ciphertext That is the attack consists of two

stages in the rst stage the attacker is given the ab ove oracle access

and in the second stage the oracle is removed and the attacker is given

a test ciphertext ie a target to b e learned or mo died in violation

of nonmalleablity

b In an aposteriori chosen ciphertext attack the attacker is given the

target ciphertext rst but its access to the oracle is restricted in that

it is not allowed to make a query equal to the target ciphertext

In b oth cases the adversary may make queries that do not corresp ond to

a legitimate ciphertext and the answer will b e accordingly ie a sp ecial

failure symbol

Formal denitions of all types of attacks listed ab ove as well as the purp oses

listed b elow will follow

Purp ose of attacks Again the following is not claimed to b e exhaustive

Standard security the infeasibility of obtaining information regarding the

plaintext As dened ab ove such information must b e a function or a

randomized pro cess applied to the bare plaintext and may not dep end

on the encryption or decryption key

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

In contrast the notion of nonmal leability refers to generating a string de

p ending on b oth the plaintext and the current encryptionkey Sp ecically

one requires that it should b e infeasible for an adversary given a cipher

text to pro duce a valid ciphertext for a related plaintext For example

given a ciphertext of a plaintext of the form x it should b e infeasible to

pro duce a ciphertext to the plaintext x

We shall show b elow that with the exception of passive attacks on privatekey

schemes nonmalleability always implies security against attempts to obtain in

formation on the plaintext We shall also show that security and nonmalleability

are equivalent under ap osteriori chosen ciphertext attack

Some known constructions Before presenting the actual denitions let us

provide an overview on the known results As in the basic case the strongly

secure privatekey encryption schemes can b e constructed based on the exis

tence of oneway functions whereas the strongly secure publickey encryption

schemes are based on the existence of trap do or p ermutations

Privatekey schemes The privatekey encryption scheme based on pseudo

random functions ie Construction is secure also against apriori

chosen ciphertext attacks

It is easy to turn any passively secure privatekey encryption scheme into

a scheme secure under ap osteriori chosen ciphertext attacks by using a

message authentication scheme on top of the basic encryption

Publickey schemes Publickey encryption schemes secure against apriori

chosen ciphertext attacks can b e constructed assuming the existence of

trap do or p ermutations and utilizing noninteractive zeroknowledge pro ofs

Recall that the latter pro of systems can b e constructed under the former

assumption

Publickey encryption schemes secure against ap osteriori chosen cipher

text attacks can also b e constructed under the same assumption but this

construction is even more complex

Keydep endent passive attacks

Authors Note Applicable only to publickey schemes

Authors Note Plan dene and show that ab ove constructions sat

isfy the denition

Note that this scheme is not secure under an ap osteriori chosen ciphertext attack on

0 0

input a ciphertext r x f r we obtain f r by making the query r y where y

s s

0 0 0

x f r This query is answered with x so that y x f r

s s

See denition in Section B

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Chosen plaintext attack

Authors Note No aect in case of publickey schemes

Authors Note Plan dene and show that ab ove constructions sat

isfy the denition

Chosen ciphertext attack

Authors Note For privatekey refer also to a combined plaintextciphertext

attack

Authors Note Plan

Dene the two types

Prove that the PRFbased privatekey scheme remains secure

under apriori CMA

Discuss the NIZK construction for apriori CMA

Postpone construction of ap osteriori CMA to next subsection

Nonmalleable encryption schemes

Authors Note Plan

discuss and dene

prove that

a with the exception of passive attacks on privatekey schemes

nonmalleability always implies security against attempts to

obtain information on the plaintext

b security and nonmalleability are equivalent under ap osteriori

chosen ciphertext attack

Present and analyze the construction for privatekey secure un

der ap osteriori CMA

Sketch the solution for publickey following DDNAmit

Miscellaneous

Authors Note The entire section is fragmented and tentative

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Historical Notes

The notion of privatekey encryption scheme seems almost as ancient as the al

phab et itself Furthermore it seems that the development of encryption metho ds

went along with the development of communication media As the amounts of

communication grow more ecient and sophisticated encryption metho ds were

required Computational complexity considerations were explicitly introduced

into the arena by Shannon In his work Shannon considered the classi

cal setting where no computational considerations are present He showed that

in this information theoretic setting secure communication of information was

p ossible only as long as its entropy is lower than the entropy of the key He thus

concluded that if one wishes to have an encryption scheme which is capable of

handling messages with total entropy exceeding the length of the key then one

must settle for a computational relaxion of the secrecy condition That is rather

than requiring that the ciphertext yields no information on the plaintext one

has to require that such information cannot b e eciently computed from the

ciphertext The latter requirement indeed coincides with the ab ove denition of

semantic security

The notion of publickey encryption scheme was introduced by Die and

Hellman First concrete candidates were suggested by Rivest Shamir and

Adleman and by Merkle and Hellman However satisfactory de

nitions of security were presented only a few years afterwards by Goldwasser

and Micali The two denitions presented in Section originate in

where it was shown that ciphertextindistinguishability implies semantic secu

rity The converse direction is due to

Regarding the seminal pap er of Goldwasser and Micali a few additional

comments are due Arguably this pap er is the basis of the entire rigorous

approach to cryptography presented in the current b o ok It introduced general

notions such as computational indistinguishability denitioanl approaches such

as the simulation paradigm and techniques such as the hybrid argument The

pap ers title Probabilistic Encryption is due to the authors realization that

publickey encryption schemes in which the encryption algorithm is deterministic

cannot b e secure in the sense dened in their pap er Indeed this led the authors

to explicitly introduce and justify the paradigm of randomizing the plaintext

as part of the encryption pro cess Technically sp eaking the pap er only presents

security denitions for publickey encryption schemes and furthermore some

of these denitions are syntactically dierent from the ones we have presented

ab ove yet all these denitions are equivalent Finaly the term ciphertext

indistinguishability used here replaces the generic term p olynomialsecurity

used in Some of our mo dications have already app eared in which is

also the main source of our uniformcomplexity treatment

The rst construction of a secure publickey encryption scheme based on a

simple complexity assumption was given by Goldwasser and Micali Sp ecif

ically they constructed a publickey encryption scheme assuming that deciding

Quadratic Residiousity mo dulo comp osite numbers is intractable The condition

was weaken by Yao who prove that any trap do or p ermutation will do The

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

ecient publickey encryption scheme of Construction is due to Blum and

Goldwasser The security is based on the fact that the least signicant bit of

the mo dular squaring function is a hardcore predicate provided that factoring

is intractable a result mostly due to

For decades it has b een common practice to use pseudorandom generators

in the design of stream ciphers As p ointed out by Blum and Micali this

practice is sound provided that one uses pseudorandom generators as dened

in Chapter The construction of privatekey encryption schemes based on

pseudorandom functions is due to

Authors Note The rest of this subsection is yet to b e written The

following paragraphs are merely placeholders

Publickey encryption schemes secure against apriori Chosen Ciphertext

Attacks can b e constructed assuming the existence of trap do or p ermutations

and utilizing noninteractive zeroknowledge pro ofs which can b e con

structed under this assumption

The study of nonmal leability of the encryption schemes was initiated

in Nonmalleable publickey encryption schemes are known to exist assum

ing the existence of trap do or p ermutation Security and nonmalleability

are equivalent under ap osteriori chosen ciphertext attack cf

Suggestion for Further Reading

Authors Note This subsection is yet to b e written The following

paragraphs are merely placeholders

For discussion of NonMalleable Cryptography which actually transcends

the domain of encryption see

For a detailed discussion of the relationship among the various notions

of secure publickey encryption the reader is referred to

Op en Problems

Authors Note Incorp orate the following text

Both constructions of publickey encryption schemes secure against chosen

ciphertext attacks mentioned ab ove are to b e considered as plausibility results

which also oer some useful construction paradigms Presenting reasonablly

ecient publickey encryption schemes that are secure against ap osteriori

chosen ciphertext attacks under widely b elieved assumptions is an imp ortant

op en problem We comment that the reasonabllyecient scheme of

is based on a very strong assumption regarding the DieHel lman Key Ex

change Sp ecically it is assumed that for a prime P and primitive element

x y z

g given P g g mo d P g mo d P g mo d P it is infeasible to decide

whether z xy mo d P

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Exercises

Authors Note The following are but a tentative collection of exercises

that o ccurred to me while writing the main text

Exercise Encryption schemes imply oneway function Show that the

existence of a secure privatekey encryption scheme ie as in Deni

tion implies the existence of oneway functions

Guideline Recall that by Exercise of Chapter it suces to prove

that the former implies the existence of a pair of p olynomialtime con

structible probability ensembles that are statistically far apart and still

are computationally indistinguishable To prove the existence of such en

sembles consider the encryption of n bit plaintexts relative to a ran

dom nbit long key denoted K Sp ecically let the rst ensemble b e

n

x and the second ensem fU E U g where E x E

n n

K

n

n2N

ble b e fU E U g where U and U are indep endently

n n n n

n2N

distributed It is easy to show that these ensembles are computationally

indistinguishable and are b oth p olynomialtime constructible The more

interesting part is to show that these ensembles are statistically far apart

To prove this fact assume towards the contradiction that for all but a negli

n

gible fraction of the p ossible xs the distribution of E x is statistically

close to a single distribution Y and show that this do es not allow correct

n

decryption since there are only p ossible keys

Exercise Encryption schemes with unboundedlength plaintext Supp ose that

the denition of semantic security is mo died so that no b ound is placed

on the length of plaintexts Prove that in such a case there exists no

sematically secure publickey encryption scheme Hint A plaintext of length

exp onential in the security parameter allows the adversary to nd the decryption key

by exhuastive search

Exercise Encryption schemes must leak information about the length of the

plaintext Supp ose that the denition of semantic security is mo died so

that the algorithms are not given the length of the plaintext Prove that

in such a case there exists no sematically secure encryption scheme

n

Guideline First show that for some p olynomial p jE j pn

pn

whereas for some x f g it holds that Pr jE xj pn

Exercise Deterministic encryption schemes Prove that in order to b e se

matically secure a publickey encryption scheme must have a probabilistic

encryption algorithm Hint Otherwise one can distinguish the encryptions of

two candidate plaintexts by computing the unique ciphertext for each of them

Exercise Prove that the following denition in which we use probabilistic

p olynomialtime algorithms with auxiliary inputs rather than p olynomial

size nonuniform circuits is equivalent to Denition

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

For every probabilistic p olynomialtime algorithm A there ex

ists a probabilistic p olynomialtime algorithm B so that for

every ensemble fX g with jX j p oly n every pair of

n n

nN

p olynomiallyb ounded functions f h f g f g every

pn

p olynomial p all suciently large n and every z f g

h i

jX j

n

n

Pr Az E X hX f X

n n n

G

1

h i

jX j

n

Pr B z hX f X

n n

pn

Same for publickey encryption

Guideline The alternative view of nonuniformity discussed in Sec

tion is useful here That is we can view a circuit family as a sequence

of advices given to a universal machine Thus the original denition states

that advices for a machine that gets the ciphertext can b e eciently trans

formed into advices for a machine that do es not get the ciphertext However

we can incorp orate the transformation program into the second universal

algorithm and so the advices are identical for b oth machines and can b e

viewed as the auxiliary string z in the new formulation Thus the original

denition is implied by the new denition To close the gap b etween the two

denitions one only needs to observe that it suces to consider one xed

universal machine A in the new denition as any adversarial strategy can

b e co ded in the auxiliary input to this universal machine

Exercise Prove that a sematicallysecure privatekey encryption scheme

satises the same requirements with resp ect to randomized circuits That

is there exists a p olynomailtime transformation T so that for every

p olynomialsize randomized circuit family fC g for every ensemble fX g

n n

nN

with jX j p oly n every pair of p olynomiallyb ounded functions f h

n

f g f g every p olynomial p and all suciently large n

h i

jX j

n

n

Pr C E X hX f X

n n n n

G

1

h i

jX j

n

Pr C hX f X

n n

n

pn

def

where C T C is the circuit pro duced by T on input C Same for

n n

n

publickey encryption

Guideline Given a randomized family fC g as ab ove consider all p ossi

n

ble families of deterministic circuits derived by xing a sequence of coins for

each C Note that you should provide one family of randomized circuits

n

0

fC g to match the randomized family fC g The alternative formulation

n

n

of Exercise is useful here as one may incorp orate and extract the coin

sequence in the auxiliary input

Exercise Prove that Denition remains unchanged when supplying the

circuit with auxiliaryinput That is an encryption scheme satises De

nition if and only if

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

for every p olynomialsize circuit family fC g every p olynomial

n

p olyn

p all suciently large n and every x y f g ie jxj

p olyn

jy j and z f g

n n

jPr C z E x Pr C z E y j

n n

G G

1 1

pn

Hint incorp orate z in the circuit C

n

Exercise Equivalence of the security denitions in the publickey model

Prove that a publickey encryption scheme is semantically secure if and

only if it has indistinguishable encryptions

Exercise The technical contents of semantic security The following explains

the lack of computational requirements regarding the function f in De

nition Prove that an encryption scheme G E D is semantically

secure in the privatekey mo del if and only if the following holds

There exists a p olynomailtime transformation T so that for

every p olynomialsize circuit family fC g for every ensemble

n

fX g with jX j p olyn and every p olynomiallyb ounded

n n

nN

function h f g f g the following two ensembles are

computationally indistinguishable

jX j

n

n

fC E X hX g

n n n

G

nN

1

jX j

n

fC hX g where C T C

n n

nN

n n

Formulate and prove an analogous claim for the publickey mo del

Guideline We care mainly ab out the easy to establish fact by which

the ab ove implies semantic security The other direction can b e proven

analogously to the pro of of Prop osition

Exercise A variant on Exercise The current exercise shows that we

may drop the auxiliary information provided by the function h without

weakeening the denition Prove that an encryption scheme G E D is

semantically secure in the privatekey mo del if and only if the following

holds

There exists a p olynomailtime transformation T so that for

every p olynomialsize circuit family fC g for every ensemble

n

fX g with jX j p oly n the following two ensembles are

n n

nN

computationally indistinguishable

jX j

n

n

fC E X g

n n

G

nN

1

jX j

n

fC g where C T C

n

nN

n n

Formulate and prove an analogous claim for the publickey mo del

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Guideline Again we care mainly ab out the easier to establish fact by

which the ab ove implies semantic security The easiest pro of of this direc

tion is by applying Prop ositions and A more interesting pro of is

obtained by combining Exercises and Starting from the ab ove formula

tion and using the alternative presentation of Exercise we establish the

formulation of Exercise for the sp ecial case in which h is constant on X

n

The general case follows since otherwise using an averaging argument

we derive a contradiction in one of the residual probability spaces dened

by conditioning on hX ie X jhX v for some v

n n n

Exercise Another equivalent denition of security The following exercise

is interesting mainly for historical reasons In the denition of semantic

security app earing in the term max fPr f X v jhX ug

uv n n

jX j

n

app ears instead of the term Pr C hX f X That is it is

n n

n

required that

for every p olynomialsize circuit family fC g every ensem

n

nN

ble fX g with jX j p oly n every pair of p olynomially

n n

nN

b ounded functions f h f g f g every p olynomial p

and all suciently large n

h i

jX j

n

n

Pr C E X hX f X

n n n n

G

1

max fPr f X v jhX ug

n n

uv

pn

Prove that the ab ove formulation is in fact equivalent to Denition

Guideline First note that the ab ove denition implies Denition

0 n

since max fPr f X v jhX ug Pr C hX jX j f X

uv n n n n n

n

0

for every circuit C Next note that in the special case in which X sat

n

n

ises Pr f X jhX u Pr f X jhX u for all us

n n n n

0

the ab ove terms are equal since C can easily achieve success probability

n

by simply always outputting Finally combining Prop ositions

and infer that it suces to consider only the latter sp ecial case

Exercise Yet another equivalent denition of security The following syn

tactic strengthening of semantic security is imp ortant in some applications

Its essence is in considering information related to the plaintext in the

form of a related random variable rather than partial information ab out

the plaintext in the form of a function of it Prove that an encryption

scheme G E D is semantically secure in the privatekey mo del if

and only if the following holds

There exists a p olynomialtime transformation T so that for ev

ery p olynomialsize circuit family fC g for every fX Z g

n n n

nN

where Z may dep endent arbitrarily on X and f p and n

n n

as in Denition

h i

jX j

n

n

Pr C E X Z f X

n n n n

G 1

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

h i

jX j

n

Pr C Z f X

n n

n

pn

def

where C T C

n

n

That is the auxiliary input hX of Denition is replaced by the

n

random variable Z Formulate and prove an analogous claim for the

n

publickey mo del

Guideline Denition is clearly a sp ecial case of the ab ove On

the other hand the pro of of Prop osition extends easily to the ab ove

seemingly stronger formulation of semantic security

Exercise Hiding partial information about the length of the plaintext Using

an arbitrary blo ck cipher construct an encryption scheme that

Hides the length of the plaintext upto a factor of

Hides the length of the plaintext upto an additive term of n

Prove that the resulting encryption scheme inherents the security of the

original blo ckcipher

Hint Just use an adequate padding convention making sure that it always yields

correct deco ding

Exercise Known plaintext attacks Lo osely sp eaking in a known palintext

attack on a privatekey resp publickey encryption scheme the adver

sary is given some plaintextciphertext pairs in addition to some extra

ciphertexts without corresp onding plaintexts Semantic security in this

setting means that whatever can b e eciently computed ab out the missing

plaintexts can b e also eciently computed given only the length of these

plaintexts

Provide formal denitions of security for privatekeypublickey in

b oth the singlemessage and multiplemessage settings

Prove that any secure publickey encryption scheme is also secure in

the presence of known plaintext attack

Prove that any privatekey encryption scheme that is secure in the

multiplemessage setting is also secure in the presence of known plain

text attack

Exercise Length parameters Assuming the existence of a secure public

key resp privatekey encryption scheme prove the existence of such

scheme in which the length of keys equal the security parameter Show

that the length of ciphertexts may b e a xed p olynomial in the length of

the plaintext

Authors Note First draft written mainly in Ma jor revision

completed in Dec