Unit 44, April 27, 2011: Semantic Security
Can we apply the ideas from the previous unit to public-key crypto?
Suppose we are using RSA to encrypt messages. Let us assume(!) that computing m from c = E(m) = m^e % n is intractable.
There are still problems using RSA:
1. Small message space: an attacker can perform a dictionary attack (encrypt every candidate plaintext under the public key and match the ciphertext).
© 2011 Clifford Bergman, Unit 44, April 27, 2011
2. Hybrid encryption using RSA+AES. For Alice to encrypt a message M and send it to Bob: choose a random AES key K ∈ B^128 and send ⟨RSA_Bob(K), AES_K(M)⟩. M can be obtained with 2^65 encryptions with probability .18.
What should we demand from a public-key cryptosystem to be assured of some level of security?
A public-key system is semantically secure if there is no algorithm A with advantage ≥ 2^{-128} in the following game:
A: picks two plaintexts x1 ≠ x2.
You: pick i ∈ {1, 2} and compute y = E(x_i); give y to A.
A: guesses the value of i.
Such an algorithm A is called a ciphertext distinguisher.
Obviously no deterministic system can possibly be semantically secure: A can simply encrypt x1 and x2 itself with the public key and compare the results with y.
Obvious solution: add randomness to messages before encryption.
Recall El Gamal. Suppose p is prime and g is primitive mod p. The secret key is a, and the public key is b = g^a % p.
E(m) = ⟨g^k % p, m·b^k % p⟩ = ⟨y, z⟩ for k random.
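The following is an added example, not code from the slides: it plays the ciphertext-distinguisher game above against toy textbook RSA (deterministic) and toy El Gamal (randomized), and also runs the small-message-space dictionary attack from the first slide against RSA. All parameters (the primes 1009, 1013, 1019, the exponent 17, the secret key 345, the sample plaintexts) are constructed toy values, far too small for real use. The El Gamal decryption z·y^{-a} % p is the standard one and is included only to check that the randomized scheme still decrypts correctly.

```python
import random

# ---- Toy textbook RSA: deterministic, c = m^e % n ------------------------
# Constructed toy primes; e must be coprime to (p-1)(q-1).
RSA_P, RSA_Q, RSA_E = 1009, 1013, 17
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_encrypt(m, n=RSA_N, e=RSA_E):
    return pow(m, e, n)


def rsa_decrypt(c, n=RSA_N, d=RSA_D):
    return pow(c, d, n)


# ---- Toy El Gamal: randomized, E(m) = <g^k, m*b^k> mod p -----------------
def is_primitive_root(g, p, prime_factors_of_p_minus_1):
    """g is primitive mod p iff g^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)


EG_P, EG_G = 1019, 2            # 1019 is prime, 1018 = 2 * 509, 2 is primitive
EG_A = 345                      # secret key a (constructed)
EG_B = pow(EG_G, EG_A, EG_P)    # public key b = g^a % p


def elgamal_encrypt(m, rng=random, p=EG_P, g=EG_G, b=EG_B):
    k = rng.randrange(1, p - 1)             # fresh randomness for every message
    return (pow(g, k, p), m * pow(b, k, p) % p)


def elgamal_decrypt(ct, a=EG_A, p=EG_P):
    y, z = ct
    # z * y^(-a) = m * b^k * g^(-ak) = m; y^(-a) = y^(p-1-a) by Fermat
    return z * pow(y, p - 1 - a, p) % p


# ---- The ciphertext-distinguisher game from the slide --------------------
def distinguisher_game(encrypt, adversary, rng):
    """One round: adversary names x1 != x2, we encrypt x_i for a random i,
    the adversary guesses i.  Returns True when the guess is right."""
    x1, x2 = adversary.choose()
    assert x1 != x2
    i = rng.choice((1, 2))
    y = encrypt(x1 if i == 1 else x2)
    return adversary.guess(x1, x2, y) == i


class EncryptAndCompare:
    """Adversary that re-encrypts both candidates under the public key and
    compares.  Against a deterministic scheme the match is exact; against a
    randomized one nothing matches and it is reduced to a coin flip."""

    def __init__(self, encrypt, rng):
        self.encrypt, self.rng = encrypt, rng

    def choose(self):
        return 42, 424          # constructed plaintexts, both below p and n

    def guess(self, x1, x2, y):
        if self.encrypt(x1) == y:
            return 1
        if self.encrypt(x2) == y:
            return 2
        return self.rng.choice((1, 2))


def rsa_scheme(rng):
    return rsa_encrypt


def elgamal_scheme(rng):
    return lambda m: elgamal_encrypt(m, rng)


def success_rate(scheme, rounds=200, seed=1):
    """Fraction of rounds the encrypt-and-compare adversary wins."""
    rng = random.Random(seed)
    encrypt = scheme(rng)
    adv = EncryptAndCompare(encrypt, rng)
    wins = sum(distinguisher_game(encrypt, adv, rng) for _ in range(rounds))
    return wins / rounds


def dictionary_attack(ciphertext, message_space, encrypt):
    """Small message space against a deterministic scheme: tabulate E(m) for
    every m under the public key and look the observed ciphertext up."""
    table = {encrypt(m): m for m in message_space}
    return table.get(ciphertext)


if __name__ == "__main__":
    print("RSA distinguisher win rate      :", success_rate(rsa_scheme))
    print("El Gamal distinguisher win rate :", success_rate(elgamal_scheme))
    print("dictionary attack on RSA E(777) :",
          dictionary_attack(rsa_encrypt(777), range(1, 1024), rsa_encrypt))
```

Against textbook RSA the adversary's advantage is 1 (it wins every round), and a 10-bit message space falls to a 1023-entry table; against El Gamal the same adversary wins about half the rounds because the fresh k makes E(x1) and E(x2) unrelated to y. Note that El Gamal's randomness only helps if k is fresh and unpredictable per message; reusing k would make the scheme deterministic again for that k.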