Fragments of a Chapter on Encryption Schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Fragments of a chapter on Encryption Schemes

Extracts from Foundations of Cryptography in preparation

revised second p osted version

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

June

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

to Dana

Permission to make copies of part or all of this work for p ersonal or classro om use

is granted without fee provided that copies are not made or distributed for prot or

commercial advantage and that new copies b ear this notice and the full citation on the

rst page Abstracting with credit is p ermitted

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. II

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Preface

The current manuscript consists of fragments of a chapter on encryption schemes

which is supp ose to b e Chapter of the threevolume work Foundations of Cryp

tography These fragments provide a draft of the rst three sections of this chap

ter covering the basic setting denitions and constructions Also included is a

plan of the fourth section ie beyond eavesdropping security and fragments for

the Miscellaneous section of this chapter This manuscript subsumes a previous

version p osted in Dec

The bigger picture The current manuscript consists of fragments of a chap

ter on encryption schemes which is supp ose to constitute Chapter of the

threepart work Foundations of Cryptography see Figure The three parts

of this work are Basic Tools Basic Applications and Beyond the Basics The

rst part containing Chapters has b een published by Cambridge University

Press in June The second part consists of Chapters regarding En

cryptioni Schemes Signatures Schemes and General Cryptographic Proto cols

resp ectively We hop e to publish the second part with Cambridge University

Press within a few years

Part Introduction and Basic Tools

Chapter Introduction

Chapter Computational Diculty OneWay Functions

Chapter Pseudorandom Generators

Chapter ZeroKnowledge Pro ofs

Part Basic Applications

Chapter Encryption Schemes

Chapter Signature Schemes

Chapter General Cryptographic Proto cols

Part Beyond the Basics

Figure Organization of this work III

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

The partition of the work into three parts is a logical one Furthermore it

oers the advantage of publishing the rst part without waiting for the comple

tion of the other parts Similarly we hop e to complete the second part within a

couple of years and publish it without waiting for the third part

Prerequisites The most relevant background for this text is provided by

basic knowledge of algorithms including randomized ones computability and

elementary probability theory Background on computational number theory

which is required for sp ecic implementations of certain constructs is not really

required here

Using this text The text is intended as part of a work that is aimed to serve

b oth as a textb o ok and a reference text That is it is aimed at serving b oth the

b eginner and the exp ert In order to achieve this aim the presentation of the

basic material is very detailed so to allow a typical CSundergraduate to follow

it An advanced student and certainly an exp ert will nd the pace in these

parts way to o slow However an attempt was made to allow the latter reader

to easily skip details obvious to himher In particular pro ofs are typically

presented in a mo dular way We start with a highlevel sketch of the main ideas

and only later pass to the technical details Passage from highlevel descriptions

to lower level details is typically marked by phrases such as details fol low

In a few places we provide straightforward but tedious details in in

dented paragraphs as this one In some other even fewer places such

paragraphs provide technical pro ofs of claims that are of marginal rele

vance to the topic of the b o ok

More advanced material is typically presented at a faster pace and with less

details Thus we hop e that the attempt to satisfy a wide range of readers will

not harm any of them

Teaching The material presented in the full threevolume work is on one

hand way b eyond what one may want to cover in a course and on the other

hand falls very short of what one may want to know ab out Cryptography in

general To assist these conicting needs we make a distinction b etween basic

and advanced material and provide suggestions for further reading in the last

section of each chapter In particular sections subsections and subsubsections

marked by an asterisk are intended for advanced reading

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Table of Contets

Preface III

Encryption Schemes

The Basic Setting

PrivateKey versus PublicKey Schemes

The Syntax of Encryption Schemes

Denitions of Security

Semantic Security

The actual denitions

Further discussion of some denitional choices

Indistinguishability of Encryptions

Equivalence of the Security Denitions

Pro of of Prop osition

Multiple Messages

Denitions

The eect on the publickey mo del

The eect on the privatekey mo del

A uniformcomplexity treatment

The denitions

Equivalence of the multiplemessage denitions

Singlemessage versus multiplemessage

The gain of a uniform treatment

Constructions of Secure Encryption Schemes

Probabilistic Encryption

StreamCiphers

Preliminaries Blo ckCiphers

Privatekey encryption schemes

Publickey encryption schemes

Simple schemes

An alternative scheme

Beyond eavesdropping security

Keydep endent passive attacks

Chosen plaintext attack V

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Chosen ciphertext attack

Nonmalleable encryption schemes

Miscellaneous

Historical Notes

Suggestion for Further Reading

Op en Problems

Exercises

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Part II

Basic Applications Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Chapter

Encryption Schemes

Upto the s Cryptography was understo o d as the art of building encryption

schemes that is the art of constructing schemes allowing secret data exchange

over insecure channels Since the s other tasks eg signature schemes

have b een recognized as falling within the domain of Cryptography and even as

b eing at least as central to Cryptography Yet the construction of encryption

schemes remains and is likely to remain a central enterprise of Cryptography

In this chapter we review the wellknown notions of privatekey and public

key encryption schemes More imp ortantly we dene what is meant by saying

that such schemes are secure It turns out that using randomness throughout

the encryption pro cess ie not only at the keygeneration phase is essential to

security We present some basic constructions of secure privatekey and public

key encryption schemes Finally we discuss dynamic notions of security

culminating in robustness against chosen ciphertext attacks

Authors Note Currently the writeup contains only a rough draft for

the rst sections of this chapter Furthermore this writeup was

NOT carefully pro ofread and may contain various hop efully minor

errors

Teaching Tip We assume that the reader is familiar with the material in

previous chapters and sp ecically with Sections and

This familiarity is imp ortant not only b ecause we use some of the notions and

results presented in these sections but rather b ecause we use similar pro of tech

niques and do it while assuming that this is not the readers rst encounter

with these techniques

The Basic Setting

Lo osely sp eaking encryption schemes are supp osed to enable private communi

cation b etween parties that communicate over an insecure channel Thus the

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

basic setting consists of a sender a receiver and an insecure channel that may

b e tapp ed by an adversary The goal is to allow the sender to transfer infor

mation to the receiver over the insecure channel without letting the adversary

gure out this information Thus we distinguish b etween the actual secret

information that the receiver wishes to transmit and the messages sent over the

insecure communication channel The former is called the plaintext whereas

the latter is called the ciphertext Clearly the ciphertext must dier from the

plaintext or else the adversary can easily obtain the plaintext by tapping the

channel Thus the sender must transform the plaintext into a ciphertext so

that the receiver can retrieve the plaintext from the ciphertext but the adver

sary cannot do so Clearly something must distinguish the receiver who is able

to retrieve the plaintext from the corresp onding ciphertext from the adversary

who cannot do so Sp ecically the receiver know something that the adversary

do es not know This thing is called a key

An encryption scheme consists of a metho d of transforming plaintexts to ci

phertexts and vice versa using adequate keys These keys are essential to the

ability to eect these transformations We stress that the encryption scheme it

self ie the encryptiondecryption algorithms may b e known to the adversary

and its security relies on the hypothesis that the adversary do es not know the

keys Formally we need to consider a third algorithm namely a probabilistic

algorithm used to generate keys This algorithm must b e probabilistic or else

by invoking it the adversary obtains the very same key used by the receiver

In accordance with the ab ove an encryption scheme consists of three algo

rithms These algorithms are public ie known to all parties The obvious

algorithms are the encryption algorithm which transforms plaintexts to cipher

texts and the decryption algorithm which transforms ciphertexts to plaintexts

By the discussion ab ove it is clear that the description algorithm must employ

a key that is known to the receiver but is not known to the adversary This

key is generated using a third algorithm called the key generator Furthermore

it is not hard to see that the encryption pro cess must also dep end on the key

or else messages sent to one party can b e read by a dierent party who is also

a p otential receiver Thus the keygeneration algorithm is used to pro duce a

pair of related keys one for encryption and one for decryption The encryption

algorithm given an encryption key and a plaintext pro duces a plaintext that

when fed to the decryption algorithm with the corresp onding decryption key

returns the original plaintext We stress that knowledge of the decryption key

is essential for the latter transformation

PrivateKey versus PublicKey Schemes

A fundamental distinction b etween encryption schemes refers to the relation b e

tween the two keys mentioned ab ove The simpler and older notion assumes

that the encryption key equals the decryption key Such schemes are called

In fact in many cases the legitimate interest may b e served b est by publicizing the

scheme itself In our opinion this is the b est way to obtain an unbiased exp ert evaluation

of the security of the scheme

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

THE BASIC SETTING

privatekey or symmetric To use a privatekey scheme the legitimate parties

must rst agree on the secret key This can b e done by having one party generate

the key at random and send it to the other party using a channel that is assumed

to b e secure A crucial p oint is that the key is generated indep endently of the

plaintext and so it can b e generated and exchanged prior to the plaintext even

b eing determined Thus privatekey encryption is a way of extending a private

channel over time If the parties can use a private channel to day eg they are

currently in the same physical lo cation but not tomorrow then they can use

the private channel to day to exchange a secret key that they may use tomorrow

for secret communication A simple example of a privatekey encryption scheme

is the onetime pad The secret key is merely a uniformly chosen sequence of

n bits and an nbit long ciphertext is pro duced by XORing the plaintext bit

bybit with the key The plaintext is recovered from the ciphertext in the same

way Clearly the onetime pad provides absolute security However its usage

of the key is inecient or put in other words it requires keys of length com

parable to the total length of data communicated In the rest of this chapter

we will only discuss encryption schemes where nbit long keys allow to securely

communicated data of length greater than n but still p olynomial in n

A new type of encryption schemes has emerged in the s In these

schemes called publickey or asymmetric the decryption key diers from the

encryption key Furthermore it is infeasible to nd the decryption key given the

encryption key These schemes enable secure communication without ever using

a secure channel Instead each party applies the keygeneration algorithm to

pro duce a pair of keys The party called P keeps the decryption key denoted

d secret and publishes the encryption key denoted e Now any party can

P P

send P private messages by encrypting them using the encryption key e Party

P can decrypt these messages by using the decryption key d but nob o dy else

can do so

The Syntax of Encryption Schemes

We start by dening the basic mechanism of encryption schemes This denition

says nothing ab out the security of the scheme which is the sub ject of the next

section

Denition encryption scheme An encryption scheme is a triple G E D

of probabilistic polynomialtime algorithms satisfying the fol lowing two condi

tions

On input algorithm G called the key generator outputs a pair of bit

strings

For every pair e d in the range of G and for every f g

algorithms E encryption and D decryption satisfy

Pr D d E e

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

where the probability is taken over the internal coin tosses of algorithms E

and D

The integer n serves as the security parameter of the scheme Each e d in

the range of G constitutes a pair of corresponding encryptiondecryption

keys The string E e is the encryption of the plaintext f g using the

encryption key e whereas D d is the decryption of the ciphertext using

the decryption key d

We stress that Denition says nothing ab out security and so trivial in

def def

and D d Fur secure algorithms may satisfy it eg E e

thermore Denition do es not distinguish privatekey encryption schemes

from publickey ones The dierence b etween the two types is introduced in the

security denitions In a publickey scheme the breaking algorithm gets the

encryption key ie e as an additional input and thus e d follows while

in privatekey schemes e is not given to the breaking algorithm and thus one

may assume without loss of generality that e d

We stress that the ab ove denition requires the scheme to op erate for every

plaintext and sp ecically for plaintext of length exceeding the length of the

encryption key This rules out the information theoretic secure onetime pad

scheme mentioned ab ove

Notation In the rest of this text we write E instead of E e and D

e d

instead of D d Sometimes when there is little risk of confusion we drop

n n

these subscripts Also we let G resp G denote the rst resp

n n n n

second element in the pair G That is G G G Without

n n

loss of generality we may assume that jG j and jG j are p olynomially

related to n and that each of these integers can b e eciently computed from

n n

the other In fact we may even assume that jG j jG j n see

Exercise

Comments Denition may b e relaxed in several ways without signif

icantly harming its usefulness For example we may relax Condition and

allow a negligible decryption error eg Pr D E Alterna

d e

tively one may p ostulate that Condition holds for all but a negligible measure

of the keypairs generated by G At least one of these relaxations is essential

for each of the p opular suggestions of encryption schemes

Another relaxation consists of restricting the domain of p ossible plaintexts

and ciphertexts For example one may restrict Condition to s of length

n where N N is some xed function Given a scheme of the latter type

with plaintext length we may construct a scheme as in Denition by

breaking plaintexts into blo cks of length n and applying the restricted scheme

separately to each blo ck For more details see Sections and

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Denitions of Security

In this section we present two fundamental denitions of security and prove their

equivalence The rst denition called semantic security is the most natural

one Semantic security is a computational complexity analogue of Shannons

denition of p erfect privacy which requires that the ciphertext yields no in

formation regarding the plaintext Lo osely sp eaking an encryption scheme is

semantically secure if it is infeasible to learn anything ab out the plaintext from

the ciphertext ie imp ossibility is replaced by infeasibility The second def

inition has a more technical avor It interprets security as the infeasibility of

distinguishing b etween encryptions of a given pair of messages This denition

is useful in demonstrating the security of a prop osed encryption scheme and for

the analysis of cryptographic proto cols that utilize an encryption scheme

We stress that the denitions presented b elow go way b eyond saying that it

is infeasible to recover the plaintext from the ciphertext The latter statement

is indeed a minimal requirement from a secure encryption scheme but we claim

that it is way to o weak a requirement An encryption scheme is typically used in

applications where obtaining sp ecic partial information on the plaintext endan

gers the security of the application When designing an applicationindep endent

encryption scheme we do not know which partial information endangers the

application and which do es not Furthermore even if one wants to design an

encryption scheme tailored to ones own sp ecic applications it is rare to say

the least that one has a precise characterization of all p ossible partial informa

tion that endanger these applications Thus we require that it is infeasible to

obtain any information ab out the plaintext from the ciphertext Furthermore

in most applications the plaintext may not b e uniformly distributed and some

apriori information regarding it is available to the adversary We require that

the secrecy of all partial information is preserved also in such a case That is

even in presence of apriori information on the plaintext it is infeasible to obtain

any new information ab out the plaintext from the ciphertext b eyond what is

feasible to obtain from the apriori information on the plaintext The denition

of semantic security p ostulates all of this

To simplify the exp osition we adopt a nonuniform formulation Namely in

the security denitions we expand the domain of ecient adversariesalgorithms

to include p olynomialsize circuits rather than only probabilistic p olynomial

time machines Likewise we make no computation restriction regarding the

probability distribution from which messages are taken nor regarding the a

priori information available on these messages We note that employing such a

nonuniform formulation rather than a uniform one may only strengthen the

denitions yet it do es weaken the implications proven b etween the denitions

since these simpler pro ofs make free usage of nonuniformity

Semantic Security

Lo osely sp eaking semantic security means that whatever can b e eciently com

puted from the ciphertext can b e eciently computed also without the cipher

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

text Thus an adversary gains nothing by intercepting ciphertexts sent b etween

communicating parties who use a semantically secure encryption scheme since

it could have obtained the same without intercepting these ciphertexts Indeed

this formulation follows the simulation paradigm lack of gain is captured by

asserting that whatever is learned from the ciphertext can b e learned within

related complexity also without the ciphertext

The actual denitions

To b e somewhat more accurate semantic security means that whatever can b e

eciently computed from the ciphertext can b e eciently computed when given

only the length of the plaintext Note that this formulation do es not rule out the

p ossibility that the length of the plaintext can b e inferred from the ciphertext

Indeed some information ab out the length of the plaintext must b e revealed by

the ciphertext see Exercise We stress that other than information ab out

the length of the plaintext the ciphertext is required to yield nothing ab out the

plaintext

In the actual denitions we consider only information regarding the plaintext

rather than anything which can b e obtained from the ciphertext Furthermore

we restrict our attention to functions applied to the plaintext We do so b ecause

of the intuitive app eal of this sp ecial case and are comfortable doing so b e

cause this sp ecial case implies the general one cf Exercise We augment

this formulation by requiring that the ab ove remains valid even in presence of

auxiliary partial information ab out the plaintext Namely whatever can b e e

ciently computed from the ciphertext and additional partial information ab out

the plaintext can b e eciently computed given only the length of the plain

text and the same partial information In the actual denition the information

regarding the plaintext that the adversary tries to obtain is captured by the

function f whereas the apriori partial information ab out the plaintext is cap

tured by the function h The ab ove is required to hold for any distribution of

plaintexts captured by the probability ensemble fX g

Security holds only for plaintexts of length p olynomial in the security pa

rameter This is captured b elow by the restriction jX j p oly n Note that

we cannot hop e to provide computational security for plaintexts of unbounded

length in the security parameter see Exercise Likewise we restrict the func

tions f and h to b e polynomiallybounded that is jf xj jhxj p oly jxj

The dierence b etween privatekey and publickey encryption schemes is

manifested in the denition of security In the latter the adversary which

is trying to obtain information on the plaintext is given the encryption key

whereas in the former it is not Thus the dierence b etween these schemes

amounts to a dierence in the adversary mo del considered in the denition

of security We start by presenting the denition for privatekey encryption

schemes

Denition semantic security privatekey An encryption scheme

G E D is semantically secure in the privatekey mo del if for every proba

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

bilistic polynomialtime algorithm A there exists a probabilistic polynomialtime

algorithm A so that for every ensemble fX g with jX j p oly n every

n n

pair of polynomiallybounded functions f h f g f g every polynomial

p and al l suciently large n

h i

jX j

Pr AE X hX f X

n n n

h i

jX j

Pr A hX f X

n n

The probability in the above terms is taken over X as wel l as over the internal

coin tosses of algorithms G E and either A or A

The function h provides b oth algorithms with partial information regarding the

plaintext X Furthermore h also makes the denition implicitly nonuniform

see further discussion b elow In addition b oth algorithms get the length of X

These algorithms then try to guess the value f X namely they try to infer

information ab out the plaintext X Lo osely sp eaking in semantically secure

encryption scheme the ciphertext do es not help in this inference task That

is the success probability of any ecient algorithm ie algorithm A that is

given the ciphertext can b e matched upto a negligible fraction by the success

probability of an ecient algorithm ie algorithm A that is not given the

ciphertext at all

Denition refers to privatekey encryption schemes To derive a def

inition of security for publickey encryption schemes the encryptionkey ie

G should b e given to the adversaries as an additional input That is

Denition semantic security publickey An encryption scheme G E D

is semantically secure in the publickey mo del if for every probabilistic polynomial

time algorithm A there exists a probabilistic polynomialtime algorithm A such

that for every fX g f h p and n as in Denition

h i

n jX j

Pr AG E X hX f X

n n n

h i

n jX j

Pr A G hX f X

n n

We comment that the encryptionkey can b e omitted from the input to A since

A may generate it by itself

Terminology For sake of simplicity we refer to an encryption scheme that is

semantically secure in the privatekey resp publickey mo del as to a semantically

secure privatekey resp publickey encryption scheme

The reader may note that a semanticallysecure publickey encryption scheme

cannot employ a deterministic encryption algorithm that is E x must b e a

random variable rather than a xed string This is more evident with resp ect to

the equivalent Denition b elow See further discussion following Deni

tion

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Further discussion of some denitional choices

We discuss several secondary issues regarding Denitions and The

interested reader is also referred to Exercises and that present additional

variants of the denition of semantic security

Implicit nonuniformity of the denitions The fact that h is not required

to b e computable makes the ab ove denitions nonuniform This is the case b e

cause b oth algorithms are given hX as auxiliary input and this may account

for arbitrary p olynomiallyb ounded advise For example letting hx a

jxj

means that b oth algorithms are supplied with nonuniform advice as in one of

the p ossible formulations of nonuniform p olynomialtime see Section In

general the function h can co de b oth information regarding its input and non

uniform advice dep ending on its input length ie hx h x a Thus

jxj

the ab ove denitions are equivalent to allowing A and A b e related families of

nonuniform circuits where by related we mean that the circuits in the family

g can b e eciently computed from the corresp onding circuits in A fA

the family A fA g For further discussion see Exercise

Lack of computational restrictions regarding the function f We do

not require that the function f is even computable This seems strange at

rst glance b ecause unlike the situation wrt h which co des apriori infor

mation given to the algorithms the algorithms are asked to guess the value

of f on a plaintext implicit in the ciphertext given only to A However as

we shall see in the sequel see also Exercise the meaning of semantic se

jX j

curity is essentially that the distribution ensembles E X hX and

n n

jX j jX j

n n

E hX are computationally indistinguishable and so whatever

A can compute can b e computed by A

Other mo dications of no impact Actually inclusion of apriori informa

tion regarding the plaintext captured by the function h do es not aect the

denition of semantic security Denition remains intact if we restrict h

to only dep end on the length of the plaintext and so only provide nonuniform

advice This can b e shown in various ways eg see Exercise Also the

function f can b e restricted to b e a Bo olean function having p olynomialsize cir

cuits and the random variable X may b e restricted to b e very dull eg have

only two strings in its supp ort See pro of of Theorem On the other hand

Denition implies stronger forms discussed in Exercises and

Indistinguishability of Encryptions

The following technical interpretation of security states that it is infeasible to

distinguish the encryptions of two plaintexts of the same length That is such

ciphertexts are computationally indistinguishable as dened in Denition

Again we start with the privatekey variant

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Denition indistinguishability of encryptions privatekey An en

cryption scheme G E D has indistinguishable encryptions in the privatekey

mo del if for every polynomialsize circuit family fC g every polynomial p al l

p olyn

suciently large n and every x y f g ie jxj jy j

n n

jPr C E x Pr C E y j

n n

G G

1 1

The probability in the above terms is taken over the internal coin tosses of algo

rithms G and E

Note that the p otential plaintexts to b e distinguished can b e incorp orated into

the circuit C Thus the circuit mo dels b oth the adversarys strategy and its

apriori information See Exercise

Again the security denition for publickey encryption schemes can b e de

rived by adding the encryptionkey ie G as an additional input to the

algorithm That is

Denition indistinguishability of encryptions publickey An encryp

tion scheme G E D has indistinguishable encryptions in the publickey mo del

if for every polynomialsize circuit family fC g and every p n x and y as

in Denition

n n

jPr C G E x Pr C G E y j

n n

G G

1 1

Terminology For sake of simplicity we refer to an encryption scheme that has

indistinguishable encryptions in the privatekey resp publickey mo del as to

a ciphertextindistinguishable privatekey resp publickey encryption scheme

Failure of deterministic encryption algorithms A ciphertextindistinguishable

publickey encryption scheme cannot employ a deterministic encryption algo

rithm ie E x cannot b e a xed string For a publickey encryption scheme

with a deterministic encryption algorithm E given an encryptionkey e and a

pair of candidate plaintexts x y one can easily distinguish E x from E y

e e

by merely applying E to x and comparing the result to the given cipher

text In contrast in case the encryption algorithm itself is randomized the

same plaintext can b e encrypted in exp onentially many dierent ways under

the same encryption key Furthermore the probability that applying E twice

to the same message while using indep endent randomization in E results in

the same ciphertext may b e exp onentially vanishing Indeed as shown b e

low publickey encryption scheme having indistinguishable encryptions can b e

constructed based on any trap do or p ermutations and these schemes employ

randomized encryption algorithms

Equivalence of the Security Denitions

The following theorem is stated and proven for privatekey encryption schemes

A similar result holds for publickey encryption schemes see Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Theorem equivalence of denitions privatekey A privatekey en

cryption scheme is semantically secure if and only if it has indistinguishable

encryptions

Let G E D b e an encryption scheme We formulate a prop osition for each of

the two directions of the ab ove theorem Each prop osition is in fact stronger

than the corresp onding direction stated in Theorem The more useful

direction is stated rst it asserts that the technical interpretation of security in

terms of ciphertextindistinguishability implies the natural notion of semantic

security Thus the following prop osition yields a metho dology for designing

semantically secure encryption schemes design and prove your scheme to b e

ciphertextindistinguishable and conclude by applying the prop osition that

it is semantically secure The opp osite direction of Theorem establish

the completeness of the latter metho dology and more generally assert that

requiring an encryption scheme to b e ciphertextindistinguishable do es not rule

out schemes that are semantically secure

Prop osition useful direction indistinguishability implies security

Suppose that G E D is a ciphertextindistinguishable privatekey encryption

scheme Then G E D is semanticallysecure Furthermore the simulating

algorithm A which is used to establish semanticsecurity captures the com

putation of a probabilistic polynomialtime oracle machine that is given oracle

access to original adversary algorithm A

Prop osition opp osite direction security implies indistinguishabil

ity Suppose that G E D is a semantically secure privatekey encryption

scheme Then G E D has indistinguishable encryptions Furthermore the

conclusion holds even if the denition of semantic security is restricted to the

special case satisfying the fol lowing four conditions

the random variable X is uniformly distributed over a set containing two

strings

the value of h depends only on the length of its input ie hx h jxj

the function f is Boolean and is computable by a polynomialsize circuit

the algorithm A is deterministic

In addition no computational restrictions are placed on algorithm A and it can

be replaced by any function which may depend on fX g h f and A

Observe that the ab ove four itemized conditions limit the scop e of the four

universal quantiers in Denition whereas the last sentence removes a

restriction on the existential quantier ie removes the complexity b ound on

A and allows the latter to dep end on all universal quantiers Each of these

mo dications makes the resulting denition p otentially weaker Still combining

Prop ositions and it follows that a weak version of Denition

implies an even stronger version than the one stated in Denition

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Pro of of Prop osition

Supp ose that G E D has indistinguishable encryptions We show that G E D

is semantically secure by constructing for every probabilistic p olynomialtime

algorithm A a probabilistic p olynomialtime algorithm A such that the fol

lowing holds for every fX g f and h algorithm A guesses f X from

n n

jX j jX j

n n

hX essential ly as good as A guesses f X from E X hX

n n n n

jX j jX j

n n

Algorithm A merely invokes A on input E hX and returns

whatever A do es Intuitively the indistinguishability of encryptions implies that

A b ehaves as well when invoked by A and given a dummy encryption as when

given the encryption of X Details follow

Let A b e an algorithm that tries to infer partial information ie the value

jX j

f X from the encryption of the message X when also given and a

n n

priori information hX Namely on input E and h algorithm

A tries to guess f We construct a new algorithm A that p erforms as well

without getting the input E The new algorithm consists of invoking A on

jj jj

input E and h and outputting whatever A do es That is

on input h algorithm A pro ceeds as follows

A invokes the keygenerator G on input and obtains an encryption

key e G

A invokes the encryption algorithm with key e and dummy plaintext

jj jj

obtaining a ciphertext E

A invokes A on input h and outputs whatever A do es

Observe that A is describ ed in terms of an oracle machine that makes a single

oracle call to any given A in addition to invoking the xed algorithms G

and E Furthermore the construction of A do es not dep end on the functions

h and f or on the distribution of messages to b e encrypted represented by

the probability ensembles fX g Thus A is probabilistic p olynomialtime

whenever A is probabilistic p olynomialtime and regardless of the complexity

of h f and fX g

Indistinguishability of encryptions will b e used to prove that A p erforms

essentially as well as A Sp ecically the pro of will use a reducibility argument

Claim Let A b e as ab ove Then for every fX g f h and p as in

Denition and all suciently large ns

h i

jX j

Pr AE X hX f X

n n n

h i

jX j

Pr A hX f X

n n

Pro of To simplify the notations let us incorp orate into h Using the

denition of A we can rewritten the claim as asserting

Pr AE X hX f X

n n n

h i

jX j

Pr AE hX f X

n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Intuitively this follows by the indistinguishability of encryptions by xing a

violating value of X and incorp orating the corresp onding values of hX and

n n

f X in a description of a circuit which will distinguish an encryption of this

jX j

value of X from an encryption of Details follow

Assume towards the contradiction that for some p olynomial p and innitely

many ns the ab ove inequality is violated Then for each such n we have

EX pn where

h i

def

jxj

n n

x Pr AE x hx f x Pr AE hx f x

G G

1 1

We use an averaging argument to single out a string x in the supp ort of X

n n

p olyn

such that x X That is let x f g b e a string for which

n n n

the value of is maximum and so x pn Using this x we

n n

introduce a circuit C which incorp orates the xed values f x and hx

n n n

jx j

and distinguishes the encryption of x from the encryption of The circuit

C op erates as follows On input E the circuit C invokes A hx

n n n

and outputs if and only if A outputs the value f x Otherwise C outputs

n n

The ab ove circuit is indeed of p olynomialsize b ecause it merely incorp orates

strings of p olynomial length ie f x and hx and emulates a p olynomial

n n

time computation ie of A Note that the circuit family fC g is indeed

nonuniform since its denition is based on a nonuniform selection of x s as

well as on a hardwiring of p ossibly uncomputable corresp onding strings hx

and f x Clearly

n n

Pr C E Pr AE hx f x

n n n

G G

1 1

Combining Eq with the denition of x we get

h i

jx j

n n

x Pr C E x Pr C E

n n n n

G G

1 1

This contradicts our hypothesis that E has indistinguishable encryptions and

the claim follows 2

We have just shown that A p erforms essentially as well as A and so Prop osition

follows

Comments The fact that we deal with a nonuniform mo del of computation

allows the ab ove pro of to pro ceed regardless of the complexity of f and h All

that our denition of C requires is the hardwiring of the values of f and h on

a single string and this can b e done regardless of the complexity of f and h

provided that they are b oth p olynomiallyb ounded

When proving the publickey analogue of Prop osition algorithm A is

dened so that it generates an encryption of relative to the encryptionkey

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

given to it as input rather than relative to an encryptionkey that it generates

by itself as done ab ove In addition the distinguishing circuit considered in

the analysis of the p erformance of A obtains the encryptionkey as part of its

input and passes it to algorithm A up on invoking it

Pro of of Prop osition

Here the entire pro of is by a reducibility argument We show that if G E D

has distinguishable encryptions then it is not semantically secure not even in

the restricted sense mentioned in the furthermoreclause of the prop osition

Towards this end we assume that there exists a p olynomial p a p olynomial

size circuit family fC g such that for innitely many ns there exists x y

n n n

p olyn

f g so that

n n

Pr C E x Pr C E y

n n n n

G G

1 1

Using this sequence of C s x s and y s we dene fX g f and h referred

n n n n

to in Denition as follows

The probability ensembles fX g is dened such that X is uniformly

n n

distributed over fx y g

n n

The function f f g f g is dened such that f x and f y

n n

for every n Note that f X with probability and is otherwise

The function h is dened such that hX equals the description of the

circuit C Note that hX C with probability and thus reveals no

n n n

information on the value of X In the sequel we write hX h n

n n

Note that X f and h satisfy the restrictions stated in the furthermoreclause

of the prop osition

We will present a deterministic p olynomialtime algorithm A that given

C hX guesses the value of f X from the encryption of X and do es

n n n n

so signicantly b etter that with probability This violates even the restricted

form of semantic security since no algorithm regardless of its complexity can

jX j

guess f X b etter than with probability when only given b ecause

jX j

given the constant values and hX the value of f X is uniformly

n n

distributed over f g Details follow

Let us assume without loss of generality that for innitely many ns

n n

Pr C E x Pr C E y

n n n n

G G

1 1

Claim There exists a deterministic p olynomialtime algorithm A such

that for innitely many ns

h i

jX j

Pr AE X hX f X

n n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Pro of Algorithm A uses C hX in a straightforward manner On input

n n

E where is in the supp ort of X and h algorithm A

recovers C h n h invokes C on input and outputs if C outputs

n n n

otherwise C outputs

It is left to analyze the success probability of A Letting m jx j jy j we

n n

have

h i

jX j

Pr AE X hX f X

n n n

i h

jX j

Pr AE X hX f X j X x

n n n n n

i h

jX j

Pr AE X hX f X j X y

n n n n n

m m

n n

Pr AE x C Pr AE y C

n n n n

G G

1 1

n n

Pr C E x Pr C E y

n n n n

G G

1 1

where the inequality is due to Eq 2

In contrast as observed ab ove no algorithm regardless of its complexity

jX j

can guess f X with success probability ab ove when given only and

hX That is we have

Fact For every n and every algorithm A

h i

jX j

Pr A hX f X

n n

jX j

Pro of Just observe that the output of A on its constant input values

and hX is sto chastically indep endent of the random variable f X which

n n

in turn is uniformly distributed in f g Eq follows and equality holds

in case A always outputs a value in f g 2

Combining Claim and Fact we reach a contradiction to the

hypothesis that the scheme is semantically secure even in the restricted sense

mentioned in the furthermoreclause of the prop osition Thus the prop osition

follows

Comment When proving the publickey analogue of Prop osition algo

rithm A is dened as ab ove except that it passes the encryptionkey given to it

as part of its input to the circuit C The rest of the pro of remains intact

We comment that the output by C is an indication that is more likely to b e x

n n

whereas the output of A is a guess of f This p oint may b e b etter stressed by redening f

def

so that f x x and f x y if x x and having A output x if C outputs and

n n n n n n

output y otherwise n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Multiple Messages

The ab ove denitions only refer to the security of an encryption scheme that

is used to encrypt a single plaintext p er a generated key Since the plain

text may b e longer than the key these denitions are already nontrivial and

an encryption scheme satisfying them even in the privatekey mo del implies

the existence of oneway functions see Exercise Still in many cases it is

desirable to encrypt many plaintexts using the same encryption key Lo osely

sp eaking an encryption scheme is secure in the multiplemessage setting if anal

ogous denitions to the ab ove hold also when p olynomiallymany plaintexts

are encrypted using the same encryption key

We show that in the publickey model security in the singlemessage set

ting discussed ab ove implies security in the multiplemessage setting dened

b elow We stress that this is not necessarily true for the privatekey model

Denitions

For a sequence of strings x x x we let E x denote the sequence

of the t results that are obtained by applying the randomized pro cess E to the

t t

E x E x E x We t strings x x resp ectively That is

e e e

stress that in each of these t invocations the randomized pro cess E utilizes

indep endently chosen random coins For sake of simplicity we consider the en

cryption of p olynomially many strings of the same p olynomial length rather

than the encryption of strings of various lengths as discussed in Exercise

Denition semantic security multiple messages

For privatekey An encryption scheme G E D is semantically secure for

multiple messages in the privatekey mo del if for every polynomial t

and every probabilistic polynomialtime algorithm A there exists a proba

bilistic polynomialtime algorithm A such that for every ensemble f X

tn i

X X g with jX j p oly n every pair of functions f h

n n n

f g f g every polynomial p and al l suciently large n

h i

j X j

Pr A E X X f X h

n n n

h i

X j j

h Pr A X f X

n n

For publickey An encryption scheme G E D is semantically secure for

multiple messages in the publickey mo del if for t A A fX g

f h p and n as above

h i

n j X j

Pr AG E X X f X h

n n n

h i

n j X j

Pr A G X f X h

n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

X are not necessarily indep endent they may We stress that the elements of

dep end on one another Note that the ab ove denition also cover the case where

the adversary obtains some of the plaintexts themselves In this case it is still

infeasible for himher to obtain information ab out the missing plaintexts see

Exercise

Denition indistinguishability of encryptions multiple messages

For privatekey An encryption scheme G E D has indistinguishable en

cryptions for multiple messages in the privatekey mo del if for every poly

nomial t every polynomialsize circuit family fC g every polynomial p

p olyn

al l suciently large n and every x x y y f g

tn tn

n n

jPr C E x Pr C E y j

n n

G G

1 1

where x x x and y y y

tn tn

For publickey An encryption scheme G E D has indistinguishable encryp

tions for multiple messages in the publickey mo del if for t fC g p n

and x x y y as above

tn tn

n n

E x Pr C G E y j jPr C G

n n

G G

1 1

The equivalence of Denitions and can b e established analogously to

the pro of of Theorem

Theorem equivalence of denitions multiple messages A private

key resp publickey encryption scheme is semantically secure for multiple mes

sages if and only if it has indistinguishable encryptions for multiple messages

Thus proving that singlemessage security implies multiplemessage security for

one denition of security yields the same for the other We may thus concentrate

on the ciphertextindistinguishability denitions

The eect on the publickey mo del

We rst consider publickey encryption schemes

Theorem singlemessage security implies multiplemessage security

A publickey encryption scheme has indistinguishable encryptions for multiple

messages ie satises Denition in the publickey model if and only if

it has indistinguishable encryptions for a single message ie satises Deni

tion

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Pro of Clearly multiplemessage security implies singlemessage security as a

sp ecial case The other direction follows by adapting the pro of of Theorem

to the current setting

Supp ose towards the contradiction that there exist a p olynomial t a

p olynomialsize circuit family fC g and a p olynomial p such that for innitely

p olyn

many ns there exists x x y y f g so that

tn tn

n n

Pr C G E x Pr C G E y

n n

G G

1 1

where x x x and y y y Let us consider such a generic n

tn tn

and the corresp onding sequences x x and y y We use a hybrid

tn tn

argument dene

def

h x x y y

i i

def

n i i

G and H E h

n n

E y and H G E x it follows Since H G

n n

G G

1 1

that there exists an i f tn g so that

h i h i

i i

Pr C H Pr C H

n n

tn pn

We show that Eq yields a p olynomialsize circuit that distinguishes the

encryption of x from the encryption of y and thus derive a contradic

i i

tion to security in the singlemessage setting Sp ecically we construct a cir

cuit D that incorp orates the circuit C as well as the index i and the strings

n n

x x y y On input an encryptionkey e and corresp onding

i i

ciphertext the circuit D op erates as follows

For every j i the circuit D generates an encryption of x using the

n j

encryption key e Similarly for every j i the circuit D generates

an encryption of y using the encryption key e

Let us denote the resulting ciphertexts by That is

i i

E x for j i and E y for j i

j e j j e j

Finally D invokes C on input the encryption key e and the sequence of

n n

ciphertexts and outputs whatever C do es

i i n

We stress that the construction of D relies in an essential way on the fact that

the encryptionkey is given to it as input

We now turn to the analysis of the circuit D Supp ose that is a ran

dom encryption of x with key e that is E x Then D e

i e i n

C e E h C H where X Y means that the random vari

n e n

ables X and Y are identically distributed Similarly for E y we have

e i

Thus by Eq we have D e C e E h C H

n n e n

D G E y Pr

n i

Pr D G E x

n i

tn pn

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

in contradiction to our hypothesis that G E D is a ciphertextindistinguishable

publickey encryption scheme in the single message sense The theorem follows

Discussion The fact that we are in the publickey mo del is essential to the

ab ove pro of It allows the circuit D to form encryptions relative to the same

encryptionkey used in the ciphertext given to it In fact as stated ab ove and

proven next the analogous result do es not hold in the privatekey mo del

The eect on the privatekey mo del

In contrary to Theorem in the privatekey model ciphertextindistinguishability

for a single message do es not necessarily imply ciphertextindistinguishability

for multiple messages

Prop osition Suppose that there exist pseudorandom generators robust

against p olynomialsize circuits Then there exists a privatekey encryption

scheme that satises Denition but does not satisfy Denition

Pro of We start with the construction of the privatekey encryption scheme

The encryptiondecryption key for security parameter n is a uniformly dis

tributed nbit long string denoted s To encrypt a ciphertext x the encryption

algorithm uses the key s as a seed for a pseudorandom generator denoted g

that stretches seeds of length n into sequences of length jxj The ciphertext is

obtained by a bitbybit exclusiveor of x and g s Decryption is done in an

analogous manner

We rst show that this encryption scheme satises Denition Intu

itively this follow from the hypothesis that g is a pseudorandom generator and

jxj

the fact that x U is uniformly distributed over f g Sp ecically supp ose

jxj

towards the contradiction that for some p olynomialsize circuit family fC g a

p olynomial p and innitely many ns

jPr C x g U Pr C y g U j

n n n n

where U is uniformly distributed over f g and jxj jy j m p oly n On

the other hand

Pr C x U Pr C y U

n m n m

Thus without loss of generality

jPr C x g U Pr C x U j

n n n m

Incorp orating x into the circuit C we obtain a circuit that distinguishes U

n m

from g U in contradiction to our hypothesis regarding the pseudorandomness

of g

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

Next we observe that the ab ove encryption scheme do es not satisfy Deni

tion Sp ecically given the ciphertexts of two plaintexts one may easily

retrieve the exclusiveor of the corresp onding plaintexts That is

E x E x x g s x g s x x

s s

This clearly violates Denition eg consider f x x x x as well

as Denition eg consider any x x x and y y y such that

x x y y Viewed in a dierent way note that any plaintextciphertext

pair yields a corresp onding prex of the pseudorandom sequence and knowledge

of this prex violates the security of additional plaintexts That is given the

encryption of a known plaintext x along with the encryption of an unknown

plaintext x we can retrieve x On input the ciphertexts knowing that

the rst plaintext is x rst retrieves the pseudorandom sequence ie it is just

def

r x and next retrieves the second plaintext ie by computing r

Discussion The singlemessage security of the ab ove scheme was proven by

considering an ideal version of the scheme in which the pseudorandom sequence

is replaced by a truly random sequence The latter scheme is secure in an in

formation theoretic sense and the security of the actual scheme followed by the

indistinguishability of the two sequences As we show in Section b elow

the ab ove construction can b e mo died to yield a privatekey streamcipher

that is secure for multiple message encryptions All that is needed is to make

sure that as opp osed to the construction ab ove the same p ortion of the pseu

dorandom sequence is never used twice

A uniformcomplexity treatment

As stated at the b eginning of this section the nonuniform formulation was

adopted here for sake of simplicity In this subsection we sketch a uniform

complexity denitional treatment of security We stress that by uniform or non

uniform complexity treatment of cryptographic primitives we merely refer to the

mo deling of the adversary The honest legitimate parties are always mo deled

by uniform complexity classes most commonly probabilistic p olynomialtime

The notion of eciently constructible ensembles dened in Section

is central to the uniformcomplexity treatment Recall that an ensemble X

fX g is said to b e p olynomialtime constructible if there exists a probabilistic

p olynomial time algorithm S so that for every n the random variables S

and X are identically distributed

The denitions

We present only the denitions of security for multiple messages the single

message variant can b e easily obtained by setting the p olynomial t b elow to b e

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

identically Likewise we present the publickey version and the privatekey

analogous can b e obtained by omitting G from the inputs to the various

algorithms

The uniformity of the following denitions is reected in the complexity of

the inputs given to the algorithms Sp ecically the plaintexts are taken from

p olynomialtime constructible ensembles and so are the auxiliary inputs given to

the algorithms For example in the following denition we require the ensemble

X g to b e p olynomialtime constructible and the function h to b e p olynomial f

time computable

Denition semantic security uniformcomplexity version An en

cryption scheme G E D is uniformly semantically secure in the publickey

mo del if for every polynomial t and every probabilistic polynomialtime algo

rithm A there exists a probabilistic polynomialtime algorithm A such that for ev

ery polynomialtime constructible ensemble f X X X g with

n n

jX j p oly n every polynomialtime computable h f g f g every

f f g f g every positive polynomial p and al l suciently large ns

h i

X j n j

h Pr AG E X X f X

n n n

i h

X j j

X f X h Pr A

n n

def

tn tn

for is as in Def E x x E x E x x x where

n n n n

e e n e

inition

Again we stress that X is a sequence of random variables which may dep end

on one another Also the encryptionkey G was omitted from the input of

A since the latter may generate it by itself We stress that even here ie in

the uniform complexity setting no computational limitation are placed on the

function f

Denition indistinguishability of encryptions uniformcomplexity ver

sion An encryption scheme G E D has uniformly indistinguishable encryp

tions in the publickey mo del if for every polynomial t every probabilistic polynomial

def

T fT time algorithm D every polynomialtime constructible ensemble

tn tn i

X Y Z g with X X X Y Y Y and jX j

n n n n n

j p oly n jY

E X jPr D Z G

n n

Pr D Z G E Y j

n n

for every positive polynomial p and al l suciently large ns

The random variable Z captures apriori information ab out the plaintexts for

which encryptions should b e distinguished A sp ecial case of interest is when

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

X Y Uniformity is captured in the requirement that D is a probabilistic Z

n n n

p olynomialtime algorithm rather than a family of p olynomialsize circuits and

that the ensemble f T X Y Z g b e p olynomialtime constructible

n n n n

Equivalence of the multiplemessage denitions

We prove the equivalence of the uniformcomplexity denitions presented ab ove

for multiplemessage security

Theorem equivalence of denitions uniform treatment A public

key encryption scheme satises Denition if and only if it satises Def

inition Furthermore this holds even if Denition is restricted to

X Y and even if Denition is restricted to the special case where Z

n n n

the special case where f is polynomialtime computable

An analogous result holds for the privatekey mo del The imp ortant direction of

the theorem holds also for the singlemessage version this is quite obvious from

the pro of b elow In the other direction we seem to use the multiplemessage

version of semantic security in an essential way

Pro of Sketch Again we start with the more imp ortant direction that is

assuming that G E D has uniformly indistinguishable encryptions in the

X Y we show that it is uniformly semantically sp ecial case where Z

n n n

secure Our construction of algorithm A is analogous to the construction used

j j

in the nonuniform treatment Sp ecically on input algorithm h

j j

A generates a random encryption of a dummy sequence of message ie

feeds it to A and outputs whatever A do es That is

n j j j j j j

n n n

AG E h h A

n n

As in the nonuniform case the analysis of algorithm A reduces to the following

claim

Claim For every p olynomialtime constructible ensemble f X g

tn i

X X X and jX j p oly n every p olynomialtime com with

n n n

putable h every p ositive p olynomial p and all suciently large ns

Pr AG E X hX f X

n n n

i h

X j j n

h E X f X Pr AG

n n

Pro of sketch Analogously to the nonuniform case assuming towards the con

tradiction that the claim do es not hold yields an algorithm that distinguishes

jX j

X from encryptions of Y when getting auxiliary in encryptions of

n n

jX j

formation Z X Y X Thus we derive contradiction to Deni

n n n n

tion even under the sp ecial case p ostulated in the theorem

We note that the auxiliary information that is given to the distinguishing

algorithm replaces the hardwiring of auxiliary information that was used in

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

the nonuniform case and is not p ossible in the uniform complexity mo del

Sp ecically rather than using a hardwired value of h at some nonuniformly

xed sequence the distinguishing algorithm will use the auxiliary information

jX j

X in order to compute hX which it will pass to A Indeed we Z

n n n

rely on the hypothesis that h is eciently computable

The actual pro of is quite simple in case the function f is also p olynomial

time computable which is not the case in general In this sp ecial case on input

jxj jxj

e z E where z x and fx g the distinguishing algorithm

computes u hx and v f x invokes A and outputs if and only if

jxj

E u v Ae

xj j

We comment that in case we actually mean that is a

sequence of tn strings of the form where t and are as in x

tn n tn

x x f g

The pro of b ecomes more involved in case f is not p olynomialtime computable

Again the solution is in realizing that indistinguishability of encryption p ostu

lates a similar output prole in b oth cases and in particular no value can o ccur

nonnegligibly more in one case than in the other To clarify the p oint we de

x to b e the dierence b etween Pr AG E x hx v ne

n n n v

jx j n

E hx v We know that E X and Pr AG

n n

f X

pn but given x we cannot evaluate x since we do not have

n n

f x

def

x Instead we let x max f x g and observe that EX f

n n v v n n

E X pn Furthermore given x we can approximate x

n n n

X f

in p olynomialtime and can nd in p olynomialtime a value v such that

x x pn with probability at least

v n n

x etc By invoking algorithm A on O n pn sam On approximating

n n j x j

n n

ples of the distributions G E x hx and G E x h

n n n

G G

1 1

we obtain implicitly an approximation of all x s upto an additive

v n

deviation of pn with error probability at most The approxima

x denoted x is merely the dierence b etween the frac tion to

n v n v

tion of samples from b oth distributions on which algorithm A returned

Indeed most x s are approximated by but some x s

v n v n

may approximated by nonzero values We just output v for which the

x is largest Thus if for some v it holds that approximated value

n v

x x then with probability at least we output v such

v n n

that

x x pn

n v n v

x pn

v n

x pn pn

v n

x x pn Thus

n n v

Unlike in the nonuniform treatment here we cannot hardwire values such as the values

of h and f on go o d sequences into the algorithm D which is required to b e uniform

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

jxj

E where z x the new algorithm denoted D Thus on input e z

op erates in two stages

In the rst stage D ignores the ciphertext E Using z algorithm D

recovers x and computes u hx Using x and u algorithm D estimates

x and nds a v as ab ove

In the second stage using u and v found in the rst stage algorithm D

jxj

invokes A and outputs if and only if Ae E u v

x b e the value found in the rst stage of algorithm A ie obliviously of Let V

the ciphertext E The reader can easily verify that

h i

n n X

n n

E X Pr D G Z E Pr D G Z

n n n

G G

1 1

h i

E X

X V

n n

X E

E X

pn pn

Thus we have derived a probabilistic p olynomialtime algorithm ie D that

jX j

distinguishes encryptions of X from encryptions of Y when getting

n n

j X j

X X g is p olynomialtime By hypothesis f auxiliary information Z

n n n

constructible and it follows that so is fX Y Z g Thus we derive contradiction

n n n

to Denition even under the sp ecial case p ostulated in the theorem and

the claim follows 2

Having established the imp ortant direction we now turn to the opp osite

one That is we assume that G E D is uniformly semantically secure and

prove that it has uniformly indistinguishable encryptions Again the pro of is

by contradiction Supp ose without loss of generality that there exists a proba

bilistic p olynomialtime algorithm D a p olynomialtime constructible ensemble

def

T fT X Y Z g as in Denition a p ositive p olynomial p and

n n n n

innitely many ns so that

Pr D Z G E X

n n

Pr D Z G E Y j

n n

X resp Y consists of tn strings each Let tn and n b e such that

n n

of length n Supp ose without loss of generality that jZ j mn n

n mn

and parse Z into Z Z Z f g such that Z

n n

n n n

Z Z We dene an auxiliary p olynomialtime constructible ensemble

n n

def

Q fQ g so that

Z X Y with probability

n n n

Z Y X with probability

n n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Q is a sequence of mn tn strings each of length n that That is

contains Z X Y in addition to a bit provided in the nbit long prex

n n n

indicating whether the order of X and Y is switched or not We dene the

n n

function f so that to equal this switch indicator bit and the function h to

provide all information in Q except this switch bit That is we dene f and h

as follows

The function f f g f g is dened so that f returns the rst bit of

n ln mntn

its input that is f abc for a b c f g

The function h f g f g is dened so that h provides the in

formation in the sux without yielding information on the prex that

n n

is h abc abc if and h abc acb otherwise Thus

Q Z X Y that is it returns T to its original order undoing the h

n n n n

p ossible switch employed in Q

We stress that b oth h and f are p olynomialtime computable

We will show that the distinguishing algorithm D which distinguishes E X

from E Y when also given Z Z can b e transformed into a p olynomial

n n n

size algorithm A that guesses the value of f Q from the encryption of Q

n n

Q and do es so signicantly b etter than with proba and the value of h

This violates semantic security since no algorithm regardless of its bility

runningtime can guess f Q b etter than with probability when only given

Q j Q j j j

n n

h since given h the value of f Q and Q and Q is uniformly

n n n

distributed over f g

j n ln mntn j

On input e E where abc f g h

n n

equals either z x y or z y x algorithm A pro ceeds in two stages

E It rst extracts In the rst stage algorithm A ignores the ciphertext

x y and z ov z out of h z x y and approximates z x y which

is dened to equal

n n

Pr D z G E x Pr D z G E y

G G

1 1

Sp ecically using O n pn samples algorithm A obtains an approx

e e

x y such that j z x y z x y j pn imation denoted z

with probability at least

e e

Algorithm A sets if z x y pn sets if z x y

pn and sets otherwise ie jz x y j pn

In case algorithm A halts with an arbitrary reasonable guess say a

randomly selected bit We stress that all this is done obliviously of the

E which is only used next ciphertext

In the second stage algorithm A extracts the last blo ck of ciphertexts ie

E c out of E E abc and invokes D on input z e E c

e e e e

where z is as extracted in the rst stage Using the value of as determined

in the rst stage algorithm A decides as follows

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

DEFINITIONS OF SECURITY

In case algorithm A outputs if and only if the output of D

Q h f and A b e as ab ove Claim Let p

E Q hQ f Q Pr AG

n n n

x y Pro of sketch We fo cus on the case in which the approximation of z

computed by the rst stage of A is within pn of the correct value Thus

in case the sign of concurs with the sign of z x y It follows that

x y such that it holds that z x y and the for every p ossible z

following holds

Pr AG E Q hQ f Q j Z X X z x y

n n n

i h

n n n

E z x y h z x y Pr AG

i h

n n n

E z y x h z y x Pr AG

E y Pr D z G

E x Pr D z G

x y z

Similarly for every p ossible z x y such that it holds that z x y

and the following holds

Pr AG E Q hQ f Q j Z X X z x y

n n n

i h

n n n

E z x y h z x y AG Pr

i h

n n n

E z y x h z y x Pr AG

E y Pr D z G

E x Pr D z G

x y z

Thus in b oth cases where algorithm A succeeds with probability

z x y x y j jz

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

x y and in case it succeeds with probability Recall that if z

X Y then Using the contradiction hypothesis that asserts that EZ

n n n

we lower b ound Pr Z by Thus the overall suc X X

n n n

pn pn pn

cess probability of algorithm A is at least

pn pn pn

and the claim follows 2

This completes the pro of of the opp osite direction

Discussion The pro of of the rst ie imp ortant direction holds also in the

singlemessage setting In general for any function t in order to prove that

semantic security holds with resp ect to tlong sequences of ciphertexts we just

use the hypothesis that tlong messagesequences have indistinguishable encryp

tions In contrast the pro of of the second ie opp osite direction makes an

essential use of the multiplemessage setting In particular in order to prove

that tlong messagesequences have indistinguishable encryptions we use the

hypothesis that semantic security holds with resp ect to m tlong se

quences of ciphertexts where m dep ends on the length of the auxiliary input in

the claim of ciphertextindistinguishability Thus even if we only want to es

tablish ciphertextindistinguishability in the singlemessage setting we do so by

using semantic security in the multiplemessage setting Furthermore we use the

fact that given a sequence of ciphertexts we can extract a certain subsequence

of ciphertexts

Singlemessage versus multiplemessage denitions

As in the nonuniform case for the publickey mo del singlemessage security

implies multiplemessage security Again this implication do es not hold in the

privatekey mo del The pro ofs of b oth statements are analogous to the pro ofs

provided in the nonuniform case Sp ecically

For the publickey mo del singlemessage uniformindistinguishability of

encryptions imply multiplemessage uniformindistinguishability of encryp

tions which in turn implies multiplemessage uniformsemantic security

In the pro of of this result we use the fact that all hybrids are p olynomial

time constructible and that we may select a random pair of neighboring

hybrids cf the pro of of Theorem We also use the fact that an

ensemble of triplets f T X Y Z g with X X X

n n

n n n n

Y Y Y as in Denition induces an ensemble of

n n

triplets fT X Y Z g for the case t Sp ecically we shall use

n n n n

i i

X Y Z i where i is uniformly and Z Y Y X X

n n

n n n n n

distributed in f tng

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

For the privatekey mo del singlemessage uniformindistinguishability of

encryptions do es not imply multiplemessage uniformindistinguishability

of encryptions The pro of is exactly as in the nonuniform case

The gain of a uniform treatment

Supp ose that one is content with the uniformcomplexity level of security which

is what we advocate b elow Then the gain in using the uniformcomplexity

treatment is that a uniformcomplexity level of security can b e obtained using

only uniform complexity assumptions rather than nonuniform complexity as

sumptions Sp ecically the results presented in the next section are based on

nonuniform assumptions such as the existence of functions that cannot b e in

verted by p olynomialsize circuits rather than by probabilistic p olynomialtime

algorithms These nonuniform assumption are used in order to satisfy the

nonuniform denitions presented in the main text ab ove Using any of these

constructions while making the analogous uniform assumptions yields encryp

tion schemes with the analogous uniformcomplexity security We stress that

this is no coincidence but is rather an artifact of these results b eing proven by

a uniform reducibility argument

However something is lost when relying on these seemingly weaker uniform

complexity assumptions Namely the security we obtain is only against the

seemingly weaker uniform adversaries We b elieve that this loss in security

is immaterial Our b elief is based on the thesis that uniform complexity is the

right mo del of real world cryptography We b elieve that it is reasonable to

consider only ob jects ie inputs generated by uniform and ecient pro cedures

and the eect that these ob jects have on uniformly and ecient observers ie

adversaries In particular schemes secure against probabilistic p olynomialtime

adversaries can b e used in any setting consisting of probabilistic p olynomialtime

machines with inputs generated by probabilistic p olynomialtime pro cedures

We b elieve that the cryptographic setting is such a case

Constructions of Secure Encryption Schemes

In this subsection we present constructions of secure privatekey and public

key encryption schemes Here and throughout this section security means se

mantic security in the multiplemessage setting Recall that this is equivalent

to ciphertextindistinguishability in the multiplemessage setting Also recall

that for publickey schemes it suces to prove ciphertextindistinguishability in

the singlemessage setting The main results of this section are

Using any nonuniformly robust pseudorandom function one can con

struct secure privatekey encryption schemes Recall that the former can

b e constructed using any nonuniformly strong oneway function

Using any nonuniform strong trap do or oneway p ermutation one can

construct secure publickey encryption schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

In addition we review some p opular suggestions for privatekey and publickey

encryption schemes

Probabilistic Encryption Before starting we recall that a secure publickey

encryption scheme must employ a probabilistic ie randomized encryption al

gorithm Otherwise given the encryptionkey as additional input it is easy

to distinguish the encryption of the allzero message from the encryption of the

allones message The same holds for privatekey encryption schemes when con

sidering the multimessage setting For example using a deterministic private

key encryption algorithm allows the adversary to distinguish two encryptions

of the same message from the encryptions of a pair of dierent messages Thus

the common practice of using pseudorandom p ermutations as blo ckciphers

see denition b elow is not secure again one can distinguish two encryptions

of the same message from encryptions of two dierent messages This explains

the linkage b etween the ab ove robust security denitions and randomized aka

probabilistic encryption schemes Indeed all our encryption schemes will em

ploy randomized encryption algorithms

StreamCiphers

It is common practice to use pseudorandom generators as a basis for private

key stream ciphers We stress that this is a very dangerous practice when the

pseudorandom generator is easy to predict such as the linear congruential

generator or some mo dications of it that output a constant fraction of the

bits of each resulting number However this common practice b ecomes sound

provided one uses pseudorandom generators as dened in Section Thus we

obtain a privatekey stream cipher that allows to encrypt a stream of plaintext

bits Note that such a stream cipher do es not conform with our formulation of

an encryption scheme ie as in Denition since for encrypting several

messages one is required to maintain a counter In other words we obtain a

encryption scheme with a variable state that is mo died after the encryption of

each message

We comment that constructions of secure and stateless encryption schemes

ie conforming with Denition are known and presented in Sections

and The traditional interest in stream ciphers is due to eciency consid

erations We discuss this issue at the end of Section But b efore doing so

let us formalize the ab ove discussion

We note that the ab ove do es not hold with resp ect to privatekey schemes in the single

message setting Hint the privatekey can b e augmented to include a seed for a pseudorandom

generator the output of which can b e used to eliminate randomness from the encryption

algorithm Question why do es the argument fail in the publickey setting and in the multi

message privatekey setting

The privatekey streamciphers discussed in Section are an exception but as

we p oint out they do not adhere to our basic formulation of encryption schemes as in

Denition

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Denitions The following formalization extends Denition The key

generation algorithm remains unchanged but b oth the encryption and decryp

tion algorithm take an additional input and emit an additional output corre

sp onding to their state b efore and after the op eration The length of the state

is not allowed to grow by to o much during each application of the encryption

algorithm see Item b elow or else eciency of the entire rep eated encryp

tion pro cess can not b e guaranteed The initial state of b oth algorithms is

the empty string For clarity the reader may consider of the sp ecial case in

which the state counts the number of times the scheme was invoked or the total

number of plaintext bits in such invocations

Denition statebased cipher the mechanism A statebased encryp

tion scheme is a triple G E D of probabilistic polynomialtime algorithms

satisfying the fol lowing two conditions

On input algorithm G outputs a pair of bit strings

For every pair e d in the range of G every string s representing

a possible state every f g and every pair s in the range of

E e s it holds that D d s

That is given ciphertext and the decryptionkey along with the state of

the encryption pro cess b efore encrypting the current plaintext the decryp

tion algorithm retrieves the plaintext

There exists a polynomial p so that for every pair e d in the range of

G every string s representing a possible state every f g and

every pair s in the range of E e s it holds that js j jsj jj pn

That is as in Denition the encryptiondecryption pro cess op erates prop

erly ie the decrypted message equals the plaintext provided that the corre

sp onding algorithm get the corresp onding keys along with the same start state

However since the ab ove holds also for the empty string s it is not clear in

what sense the ab ove yields something novel Indeed the novelty is in the se

curity denition that refers to the encryption of multiple messages and holds

only in case the state is prop erly maintained throughout the multiplemessage

encryption pro cess Below we present only the semantic security denition for

privatekey schemes

Denition semantic security statebased cipher For a statebased

x x x we let E x encryption scheme G E D and any

t t

S C S C be the result of the fol lowing tstep random pro

i i

cess where S is the empty string For i t we let S C

i i

E S x where each of the t invocations E utilizes independently cho

e e

sen random coins The scheme G E D is semantically secure in the statebased

A stronger requirement which is achieved by the construction b elow is that D d s

s That is that the decryption algorithm can gure out the up dated state of the encryp

tion pro cess This extra prop erty is useful in applications where decryption is p erformed in

the same order as encryption eg in fifo communication

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

privatekey mo del if for every polynomial t and every probabilistic polynomial

time algorithm A there exists a probabilistic polynomialtime algorithm A such

i tn

j p oly n g with jX X X X that for every ensemble f

n n n

every pair of functions f h f g f g every polynomial p and al l

suciently large n

h i

j X j

Pr A E X X f X h

n n n

h i

j X j

Pr A X f X h

n n

Note that Denition diers from Denition only in the pream

E x Furthermore Denition guaran ble dening the random variable

tees nothing regarding an encryption pro cess in which the plaintext sequence

t t

x x is encrypted by E S x E S x E S x ie

e e e

the state is reset to S after each encryption Finally note that the secu

rity is preserved also when the adversary knows all intermediate values of the

encryption state This is required in applications since we need to pass these

intermediate states to the receiver in order to allow prop er decryption

A sound version of a common practice Lo osely sp eaking using any pseu

dorandom generator one can easily construct a secure statebased privatekey

encryption scheme The state will hold the total number of bits encrypted so

th th

far and the i bit to b e encrypted is encrypted by xoring it with the i bit of

the pseudorandom generator A minor technicality arises since pseudorandom

generators were dened to have an apriori xed number of output bits as a

function of the seed length whereas here we need an apriori unbounded p oly

nomial number of bits This technicality is resolved by using variableoutput

pseudorandom generators as dened and studied in Section

Construction how to construct statebased privatekey encryption schemes

N t

Let G f g f g so that jGr j t for every r f g and t N

keygeneration and initial state Uniformly select r f g and output the

keypair r r The initial state is viewed as t

encrypting plaintext x with key r and state t Let jxj and p be the bit suf

x of Gr Then the ciphertext is x p and the new state is set to

decrypting ciphertext y with key r and state t Let jy j and p be the bit

sux of Gr Then the ciphertext is y p

The reader may easily verify the following

The decryption algorithm can infer the state of the encryption algorithm ie t For

motivation see Footnote

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Prop osition Suppose that G is a variableoutput pseudorandom genera

tor with respect to polynomialsize circuits Then Construction constitutes

a secure statebased privatekey encryption scheme

Preliminaries Blo ckCiphers

Many encryption schemes are more conveniently presented by rst presenting a

restricted type of encryption scheme that we call a blockcipher In contrast

to encryption schemes as dened in Denition blo ckciphers dened

b elow are only required to op erate on plaintext of a sp ecic length which is a

function of the security parameter As we shall see given a secure blo ckcipher

we can easily construct a general secure encryption scheme

Denition blo ckcipher A blo ckcipher is a triple G E D of prob

abilistic polynomialtime algorithms satisfying the fol lowing two conditions

On input algorithm G outputs a pair of bit strings

There exists a polynomiallybounded function N N called the blo ck

length so that for every pair e d in the range of G and for each

f g algorithms E and D satisfy

Pr D E

d e

Typically we use either n n or n Analogously to Deni

tion the ab ove denition do es not distinguish privatekey encryption schemes

from publickey ones The dierence b etween the two types is captured in the

security denitions which are essentially as b efore with the mo dication that

we only consider plaintexts of length n For example the analogue of Deni

tion reads

Denition semantic security privatekey blo ckciphers A blockcipher

G E D with block length is semantically secure in the privatekey mo del

if for every probabilistic polynomialtime algorithm A there exists a probabilis

tic polynomialtime algorithm A such that for every ensemble fX g with

jX j n and f h p and n as in Denition

h i

jX j

Pr AE X hX f X

n n n

h i

jX j

Pr A hX f X

n n

In using the term blockcipher we abuse standard terminology by which a blo ckcipher

must in addition to op erating on plaintext of sp ecic length pro duce ciphertexts equal in

length to the length of the corresp onding plaintexts We comment that the latter cannot b e

semantically secure see Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Transforming blo ckciphers into a general encryption schemes There

are obvious ways of transforming a blo ckcipher into a general encryption scheme

The basic idea is to break the plaintexts for the resulting scheme into blo cks

and enco de each blo ck separately by using the blo ckcipher Thus the security

of the blo ckcipher in the multiplemessage settings implies the security of the

resulting encryption scheme The only technicality we need to deal with is how

to encrypt plaintexts of length that is not an integer multiple of the blo cklength

ie n This is easily resolved by padding the last blo ck while indicating

the end of the actual plaintext

Construction from blo ckciphers to general encryption schemes Let

G E D be a blockcipher with block length function We construct an en

cryption scheme G E D as fol lows The keygeneration algorithm G is

identical to G To encrypt a message with encryption key e generated under

security parameter n we break it into consecutive blocks of length n while

possibly augmenting the last block Let be the resulting blocks Then

def

E jj E E

e e t

To decrypt the ciphertext m with decryption key d we let

t i

D for i t and let the plaintext be the mbit long prex of the con

d i

catenated string

The ab ove construction yields ciphertexts which reveal the exact length of the

plaintext Recall that this is not prohibited by the denitions of security and

that we cannot hop e to entirely hide the length However we can easily construct

encryption schemes that hide some information ab out the length of the plaintext

see examples in Exercise Also note that the ab ove construction applies even

to the sp ecial case where is identically

Prop osition Let G E D and G E D be as in Construction

Suppose that the former a secure privatekey resp publickey blockcipher

Then the latter is a secure privatekey resp publickey encryption scheme

Pro of Sketch The pro of is by a reducibility argument Assuming towards the

contradiction that the encryption scheme G E D is not secure we conclude

that neither is G E D contradicting our hypothesis Note that in case the

security of G E D is violated via tn messages of length Ln p oly n

the security of G E D is violated via tn dLnne messages of length

n Also the argument may utilize any of the two notions of security ie

semantic security or ciphertextindistinguishability

We choose to use a very simple indication of the end of the actual plaintext ie include

its length in the ciphertext In fact it suces to include the length of the plaintext mo dulo

njj mo d n

n Another natural alternative is to use a padding of the form while

observing that no padding is ever required in case n

Recall that throughout this section security means security in the multiplemessage setting

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Privatekey encryption schemes

Secure privatekey encryption schemes can b e easily constructed using any e

ciently computable pseudorandom function ensemble see Section Sp eci

cally we present a blo ck cipher with blo ck length n n The key generation

algorithm consists of selecting a seed denoted s for such a function denoted

f To encrypt a message x f g using key s the encryption algorithm

uniformly selects a string r f g and pro duces the ciphertext r x f r

To decrypt the ciphertext r y using key s the decryption algorithm just

computes y f r Formally we have

Construction a privatekey blo ckcipher based on pseudorandom func

tions Let F fF g be an eciently computable function ensemble and let I

and V be the algorithms associated with it That is I selects a function with

distribution F and V i x returns f x where f is the function associated with

n i i

the string i We dene a privatekey block cipher G E D with block length

n n as fol lows

n n

keygeneration G i i where i I

encrypting plaintext x f g E x r V i r x where r is uniformly

chosen in f g

decrypting ciphertext r y D r y V i r y

Below we assume that F is pseudorandom with respect to polynomialsize cir

cuits meaning that no p olynomialsize circuit having oracle gates can distin

guish the case the answers are provided by a random function from the case in

which the answers are provided by a function in F Alternatively one may con

sider probabilistic p olynomialtime oracle machines that obtain a nonuniform

p olynomiallylong auxiliary input That is

for every probabilistic polynomialtime oracle machine M for every

pair of positive polynomial p and q for al l suciently large ns and

al l z f g

f f

I (1 )

Pr M z Pr M z

q n

n n

where f is a uniformly selected function mapping f g to f g

Recall that such nonuniformly strong pseudorandom functions can b e con

structed using any nonuniformly strong oneway function

Prop osition Let F and G E D be as in Construction and sup

pose that F is pseudorandom with respect to polynomialsize circuits Then

G E D is secure

Combining Prop ositions and with the ab ove we obtain

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Theorem If there exist nonuniformly strong oneway functions then

there exist secure privatekey encryption schemes

The converse holds to o see Exercise

Pro of of Prop osition The pro of consists of two steps suggested as

a general metho dology in Section

Prove that an idealized version of the scheme in which one uses a uniformly

n n

selected function f f g f g rather than the pseudorandom func

tion f is secure in the sense of ciphertextindistinguishability

Conclude that the real scheme as presented ab ove is secure since other

wise one could distinguish a pseudorandom function from a truly random

one

Sp ecically in the ideal version the messages x x are encrypted by

t t t i

r f r x r f r x where the r s are indep endently and

uniformly selected and f is a random function Thus with probability greater

n i i i

than t the r s are all distinct and so the values f r x are

indep endently and uniformly distributed regardless of the x s It follows that

the ideal version is ciphertextindistinguishable Now if the actual scheme is

not ciphertextindistinguishable then for some sequence of r s a p olynomial

i i i i

size circuit can distinguish the f r x s from the f r x s where

f is random and f is pseudorandom But this contradicts the hypothesis that

p olynomialsize circuits cannot distinguish b etween the two

Discussion Note that we could have gotten rid of the randomization if we

had allowed the encryption algorithm to b e history dep endent as discussed in

Section ab ove Sp ecically in such a case we could have used a counter in

the role of r Furthermore if the encryption scheme is used for fifo communica

tion b etween the parties and b oth can maintain the counter value then there is

no need for the sender to send the counter value However in the later case Con

struction is preferable b ecause the adequate pseudorandom generator may

b e more ecient than a pseudorandom function as used in Construction

We note that in case the encryption scheme is not used for fifo communication

and one may need to decrypt messages with arbitrary varying counter values it

is typically b etter to use Construction Furthermore in many cases it may

b e preferable to select a value ie r at random rather than rely on a counter

that must stored in a reliable manner b etween applications of the encryption

algorithm

The ciphertexts pro duced by Construction are longer than the corre

sp onding plaintexts This is unavoidable in case of secure historyindep endent

encryption schemes see Exercise In particular the common practice of

using pseudorandom p ermutations as blo ckciphers is not secure eg one

That is letting E x p x where p is the p ermutation asso ciated with the string i

i i i

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

can distinguish two encryptions of the same message from encryptions of two

dierent messages

Publickey encryption schemes

As mentioned ab ove randomization during the encryption pro cess can b e avoided

in privatekey encryption schemes that employ a varying state not allowed in

our basic Denition In case of publickey encryption schemes random

ization during the encryption pro cess is essential even if the encryption scheme

employs a varying state Thus the randomized encryption paradigm plays an

even more pivotal role in the construction of publickey encryption scheme To

demonstrate this paradigm we start with a very simple and quite wasteful con

struction But b efore doing so we recall the notion of trap do or p ermutations

Trapdo or p ermutations All our constructions employ a collection of trap

do or p ermutations as in Denition Recall that such a collection fp g

comes with four probabilistic p olynomialtime algorithms denoted here by I S F

and B for index sample forward and backward such that the following syn

tactic conditions hold

On input algorithm I selects a random nbit long index of a p ermu

tation p along with a corresp onding trap do or

On input algorithm S samples the domain of p returning a random

element in it

For x in the domain of p given and x algorithm F returns p x ie

F x p x

For y in the range of p if is a p ossible output of I then given

y y ie B y p and y algorithm B returns p

The hardness condition refers to the diculty of inverting p on a random

element of its range when given only the rangeelement and That is let

n n

I denote the rst element in the output of I ie the index then for

every p olynomialsize circuit family fC g every p olynomial p and all suciently

large ns

n n n

Pr C I p S I S I

Namely C fails to invert p on p x where and x are selected by I and

S as ab ove Recall the ab ove collection can b e easily mo died to have a hard

core predicate cf Theorem For simplicity we continue to refer to the

collection as fp g and let b denote the corresponding hardcore predicate

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Simple schemes

We are now ready to present a very simple alas quite wasteful construction of

a secure publickey encryption scheme It is a blo ckcipher with

Construction a simple publickey blo ckcipher scheme Let fp g

I S F B and b be as above

keygeneration The key generation algorithm consists of selecting at random

a permutation p together with a trapdoor for it The permutation or

rather its description serves as the publickey whereas the trapdoor serves

n n

as the privatekey That is G I which means that the index

trapdoor pair generated by I is associated with the keypair of G

encryption To encrypt a bit using the encryptionkey the encryption

algorithm randomly selects an element r in the domain of p and produces

the ciphertext p r br That is E F r br where

r S

decryption To decrypt the ciphertext y using the decryptionkey the de

cryption algorithm just computes bp y where the inverse is com

puted using the trapdoor of p That is D y bB y

Clearly for every p ossible output of G and for every f g it holds

that

D E bB F S bS

bp p S bS

bS bS

The security of the ab ove publickey encryption scheme follows from the non

uniform oneway feature of the collection fp g or rather from the hypothesis

that b is a corresp onding hardcore predicate

Prop osition Suppose that b is a nonuniformly strong hardcore of

the collection fp g Then Construction constitute a secure publickey

blockcipher with blocklength

Pro of Recall that by the equivalence theorems ie Theorems and

it suces to show singlemessage ciphertextindistinguishability Furthermore

by Prop osition and the fact that here there are only two plaintexts ie

and it suces to show that one cannot predict which of the two plaintexts

selected at random is b eing encrypted signicantly b etter than with success

probability We conclude by noting that a guess for the plaintext

given the encryptionkey and the ciphertext E f r br where

r S yields a guess br for br given f r The latter guess

is correct with probability equal to the probability that and contradicts

the hypothesis that b is a hardcore of fp g Details follow

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

Recall that by saying that b is a hardcore of fp g we mean that for every

p olynomialsize circuit family fC g every p olynomial p and all suciently large

n n n

Pr C I p S I bS I

By Prop osition it suces to show that for randomly chosen ie

I and uniformly distributed f g no p olynomialsize circuit given the

encryptionkey and the ciphertext E can predict nonnegligibly b etter

than with success probability Supp ose towards the contradiction that there

exists a p olynomialsize circuit family fC g a p olynomial p and innitely many

ns such that

Pr C I E

p n

where is uniformly distributed in f g Recall that E p r br

where r S is a random sample in p s domain and consider the following

probabilistic circuit C On input and y in the range of p the circuit

C uniformly selects f g invokes C on input y and outputs

n n

C y In the following analysis of the b ehavior of C we let

n n

I r S and consider uniformly distributed f g

Pr C p r br Pr C p r br

n n

Pr C p r br

Pr C p r br br br

Pr C E

p n

where the inequality is due to Eq Removing the randomization from C

ie by xing the b est p ossible choice we derive a contradiction to Eq

The prop osition follows

Using Prop ositions and and recalling that Theorem applies also

to collections of oneway functions and to the nonuniform setting we obtain

Theorem If there exist collections of nonuniformly hard trapdoor per

mutations then there exist secure publickey encryption schemes

A generalization As admitted ab ove Construction is quite wasteful

Sp ecically it is wasteful in bandwidth that is the relation b etween the length of

the plaintext and the length of the ciphertext In Construction the relation

b etween these lengths equals the security parameter ie the length of descrip

tion of individual elements in the domain of the p ermutation However the

idea underlying Construction can yield ecient publickey schemes pro

vided we use trap do or p ermutations having hardcore functions with large range

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

see Section To demonstrate the p oint we use the following assumption

relating to the RSA collection of trap do or p ermutations cf Subsections

and

Large hardcore conjecture for RSA The rst n least signicant bits of

the argument constitute a nonuniformly strong hardcore function of the RSA

function when applied with nbit long moduli

We stress that the conjecture is not know to follow from the assumption that

the RSA collection is nonuniformly hard to invert What can b e proved

under the latter assumption is only that the rst O log n least signicant bits

of the argument constitute a nonuniformly strong hardcore function of RSA

with nbit long mo duli Still if the ab ove conjecture holds then one obtains

a secure publickey encryption scheme with eciency comparable to that of

plain RSA see discussion b elow Furthermore this scheme coincides with

the common practice of randomly padding messages using padding equal in

length to the message b efore encrypting them applying the RSA function That

is we consider the following scheme

Construction Randomized RSA a publickey blo ckcipher scheme

This scheme employs the RSA collection of trapdoor permutations cf Subsec

tions and The fol lowing description is however selfcontained

keygeneration The key generation algorithm consists of selecting at random

two nbit primes P and Q setting N P Q selecting at random a

pair e d so that e d mo d P Q and outputting the

tuple N e N d where N e is the encryptionkey and N d is the

decryptionkey That is N e N d G where N e and d are

as specied above

Note that N is nbit long

encryption To encrypt an nbit string using the encryptionkey N e the

encryption algorithm randomly selects an element r f N g and

produces the ciphertext r mo d N lsbr where lsbr denotes the

n least signicant bits of r That is E r mo d N lsbr

N e

decryption To decrypt the ciphertext y f N g f g using

the decryptionkey N d the decryption algorithm just computes

lsby mo d N where lsb is as above That is D y

N d

lsby mo d N

The bandwidth of the ab ove scheme is much b etter than in Construction

a plaintext of length n is encrypted via a ciphertext of length n On the

other hand Randomized RSA is almost as ecient as plain RSA or the RSA

function itself

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

To see that Randomized RSA satises the syntactic requirements of an en

cryption scheme consider any p ossible output of G denoted N e N d

and any f g Then it holds that

D E D r mo d N lsbr

N d N e N d

e d

lsbr lsbr mo d N mo d N

lsbr lsbr mo d N

where the last equality is due to r r mo d N The security of Random

ized RSA as a publickey encryption scheme follows from the large hardcore

conjecture for RSA analogously to the pro of of Prop osition

Prop osition Suppose that the large hardcore conjecture for RSA does

hold Then Construction constitute a secure publickey blockcipher with

blocklength n n

Pro of Recall that by the equivalence theorems ie Theorems and

it suces to show singlemessage ciphertextindistinguishability Considering

any two strings x and y we need to show that r mo d N x lsbr and

r mo d N y lsbr are indistinguishable where N e and r are selected at

random as in the construction It suces to show that for every x the distribu

e e

tions r mo d N x lsbr and r mo d N x s are indistinguishable where

s f g is uniformly distributed indep endently of anything else The latter

claim follows from the hypothesis that the n least signicant bits are a hardcore

function for RSA with mo duli of length n

Discussion We wish to stress that encrypting messages by merely applying

the RSA function to them without randomization yields an insecure encryption

scheme Unfortunately this pro cedure referred to ab out as plain RSA is

quite common in practice The fact that plain RSA is denitely insecure is a

sp ecial case of the fact that any publickey encryption scheme that employs a

deterministic encryption algorithm is insecure We warn that the fact that in

such deterministic encryption schemes one can distinguish encryptions of two

sp ecic messages eg the allzero message and the allone message is not

merely of theoretical concern it may seriously endanger some applications

In contrast Randomized RSA as dened in Construction may be secure

provided a quite reasonable conjecture ie the large hardcore conjecture for

RSA holds Thus the common practice of applying the RSA function to a

randomlypadded version of the plaintext is way sup erior to using the RSA

function directly ie without randomization the randomized version is likely

to be secure whereas the nonrandomized or plain version is denitely insecure

Recall that Construction or alternatively Construction gener

alizes to any collection of trap do or p ermutations having a corresp onding large

hardcore function Supp ose that fp g is such a collection and h or rather

fh g is a corresp onding hardcore function resp a corresp onding collection of

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

hardcore functions such that any element in the domain of p is mapp ed to

an jjbit long string Then we can encrypt an jjbit long plaintext x

by p r hr x resp p r h r x where r S as in Construc

tion This yields a secure publickey encryption scheme with bandwidth

that relates to the relation b etween jj and the length of a description of

individual elements in the domain of p

An alternative scheme

An alternative construction of a publickey encryption scheme is presented b e

low Rather than encrypting each plaintext bit or blo ck of bits by an indep en

dently selected element in the domain of the trap do or p ermutation as done in

Construction we select only one such element for the entire plaintext

and generate an additional bit p er each bit of the plaintext These additional

bits are determine by successive applications of the trap do or p ermutation and

only the last result is included in the ciphertext In a sense the construction

of the encryption scheme b elow augments the construction of a pseudorandom

generator based on oneway p ermutations ie Construction

Construction a publickey encryption scheme Let fp g I S F B

i i

and b be as in Construction We use the notation p x p p x

x p and p x p

keygeneration The keygeneration algorithm consists of selecting at random a

permutation p together with a trapdoor exactly as in Construction

n n

That is G I which means that the indextrapdoor pair generated

by I is associated with the keypair of G

encryption To encrypt a string using the encryptionkey the encryption

algorithm randomly selects an element r in the domain of p and produces

j j

the ciphertext p r G r where

def

j j

G r br bp r bp r

j j

S G S That is E p

decryption To decrypt the ciphertext y using the decryptionkey the

j j

decryption algorithm just computes G p y where the inverse is

j j

computed using the trapdoor of p That is D y G p y

We stress that the ab ove encryption scheme is a fulledged one rather than a

blo ckcipher Its bandwidth tends to with the length of the plaintext that

is a plaintext of length p oly n is encrypted via a ciphertext of length

m where m denotes the length of the description of individual elements

in the domain of p Clearly for every p ossible output of G it holds

that D E The security of the ab ove publickey encryption scheme

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES

follows from the nonuniform oneway feature of the collection fp g but here

we restrict the sampling algorithm S to pro duce almost uniform distribution over

the domain so that this distribution is preserved under successive applications

of p

Prop osition Suppose that b is a nonuniformly strong hardcore of

the trapdoor collection fp g Furthermore suppose that this trapdoor collection

utilizes a domain sampling algorithm S so that the statistical dierence between

S and the uniform distribution over the domain of p is negligible in terms of

jj Then Construction constitute a secure publickey encryption scheme

Pro of Again we prove singlemessage ciphertextindistinguishability As in the

pro of of Prop osition it suces to show that for every the distributions

j j j j

p S G S and p S s are indistinguishable where

j j

s f g is uniformly distributed indep endently of anything else The latter

claim holds by a minor extension to Prop osition the latter refers to the

case S is uniform over the domain of p but can b e extended to the case in

which there is a negligible statistical dierence b etween the distributions The

prop osition follows

An instantiation Assuming that factoring Blum Integers ie pro ducts of

two primes each congruent to mo d is hard one may use the mo dular

squaring function in role of the trap do or p ermutation ab ove see Section

This yields a secure publickey encryption scheme presented b elow with e

ciency comparable to that of plain RSA Recall that plain RSA itself is not secure

as it employs a deterministic encryption algorithm whereas Randomized RSA

ie Construction is not known to b e secure under standard assumption

such as intractability of factoring or of inverting the RSA function

Construction The BlumGoldwasser PublicKey Encryption Scheme

For simplicity we present a blockcipher with arbitrary blocklength n

p oly n

keygeneration The key generation algorithm consists of selecting at random

two nbit primes P and Q each congruent to mod and outputting the

pair N P Q where N P Q

Actually for sake of eciency the keygenerator also computes

d P mo d P in f P g

d Q mo d Q in f Q g

c Q Q mo d P in f N Qg

c P P mo d Q in f N P g

Recall that Randomized RSA is secure assuming that the n least signicant bits con

stitute a hardcore function for nbit RSA mo duli Even when assuming the intractability of

factoring we only know that the O log n least signicant bits constitute a hardcore function

for nbit mo duli

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

It outputs the pair N T where N serves as the encryptionkey and T

P Q N c d c d serves as decryptionkey

P P Q Q

encryption To encrypt the message f g using the encryptionkey N

Uniformly select s f N g

mo d N and b lsbs For i n compute s s

i i i

where lsbs is the least signicant bit of s

The ciphertext is s where b b b

n n

decryption To decrypt of the ciphertext r using the decryptionkey T

P Q N c d c d one rst retrieves s and then computes the b s

P P Q Q i

as above Instead of extracting modular square roots successively n

times we extract the th root which can be done as eciently as

extracting a single square root

d d

Q P

mo d Q mo d P and s r Let s r

Let s c s c s mo d N

P Q

For i n compute b lsbs and s s mo d N

i i i

The plaintext is b b b

Again one can easily verify that the ab ove construction constitutes an encryp

tion scheme the main fact to verify is that the value of s as reconstructed in

the decryption stage equals the value used in the encryption stage This fol

lows by combining the Chinese Reminder Theorem with the fact that for every

mo d P and quadratic residue s mo d N it holds that s s mo d N

mo d Q similarly s s mo d N

Details Recall that for a prime P mo d and every integer i we

have i i mo d P Thus for every integer j we have

j mo d N j mo d N mo d P

j mo d P

Similarly j j mo d N mo d Q Observing that c and c are as

P Q

in the Chinese Reminder Theorem ie i c i mo d P c i mo d Q

P Q

mo d N for every integer i we conclude that s as recovered in Step

of the decryption equals s as rst computed in Step of the encryption

Encryption amounts to n mo dular multiplications whereas decryption

amounts to n such multiplications and mo dular exp onentiations relative

to halfsized mo duli Counting mo dular exp onentiations with resp ect to n

bit mo duli as O n ie at least n and at most n mo dular multiplications

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BEYOND EAVESDROPPING SECURITY

with resp ect to nbit mo duli we conclude that the entire encryptiondecryption

pro cess requires work comparable to n n mo dular multiplications For

comparison to Randomized RSA note that encryptingdecrypting nbit

messages amounts to dnne mo dular exp onentiations and so the total work

is comparable to nn n n for general exp onent e or half that

much in case e

The security of the BlumGoldwasser scheme ie Construction fol

lows immediately from Prop osition and the fact that lsb is a hardcore

for the mo dular squaring function Recalling that inverting the latter is compu

tationally equivalent to factoring we get

Corollary Suppose that factoring is infeasible in the sense that for every

polynomialsize circuit fC g every positive polynomial p and al l suciently large

Pr C P Q P

n n n n

where P and Q are uniformly distributed nbit long primes Then Construc

n n

tion constitutes a secure publickey encryption scheme

Beyond eavesdropping security

Our treatment so far refers only to a passive attack in which the adversary

merely eavesdrops on the line over which ciphertexts are b eing sent Stronger

types of attacks culminating in the socalled Chosen Ciphertext Attack may b e

p ossible in various applications Sp ecically in some settings it is feasible for the

adversary to make the sender encrypt a message of the adversarys choice and in

some settings the adversary may even make the receiver decrypt a ciphertext of

the adversarys choice This gives rise to chosen message attacks and to chosen

ciphertext attacks resp ectively which are not covered by the ab ove security

denitions Thus our main goal in this section is to provide a treatment to such

types of attacks In addition we also discuss the related notion of nonmalleable

encryption schemes We start with an overview of the type of attacks considered

in this section

Types of attacks The following minitaxonomy of attacks is certainly not

exhaustive

Passive attacks as captured in the denitions ab ove In case of publickey

schemes we distinguish two subcases

a A keyoblivious passive attack as captured in the denitions ab ove

By keyobliviousness we refer to the fact that the choice of plaintext

do es not dep end on the publickey

b A keydependent passive attack in which the choice of plaintext may

dep end on the publickey

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

X In Denition the choice of plaintext means the random variable

whereas in Denition it means the pair of sequences x y In b oth

these denitions the choice of the plaintext is keyoblivious

Chosen Plaintext Attacks Here the attacker may obtain the encryption of

any plaintext of its choice under the key b eing attacked

Indeed such an attack do es not add p ower in case of publickey schemes

Chosen Ciphertext Attacks Here the attacker may obtain the decryption

of any ciphertext of its choice under the key b eing attacked That is the

attacker is given oracle access to the decryption function corresp onding to

the decryptionkey in use We distinguish two types of such attacks

a In an apriori chosen ciphertext attack the attacker is given this

oracle access prior to b eing presented the ciphertext that it should

attack ie the ciphertext for which it has to learn partial informa

tion That is the attack consists of two stages in the rst stage the

attacker is given the ab ove oracle access and in the second stage the

oracle is removed and the attacker is given a test ciphertext ie a

target to b e learned

b In an aposteriori chosen ciphertext attack after b eing given the

target ciphertext the oracle is not removed but the adversarys access

to it is restricted in that it is not allowed to make a query equal to

the target ciphertext

In b oth cases the adversary may make queries that do not corresp ond to

a legitimate ciphertext and the answer will b e accordingly ie a sp ecial

failure symbol Furthermore in b oth cases the adversary may eect the

selection of the target ciphertext

Formal denitions of all types of attacks listed ab ove are given in the following

corresp onding subsections Before presenting the actual denitions we provide

an overview of the known results

Some known constructions As in the basic case the strongly secure

privatekey encryption schemes can b e constructed based on the existence of

oneway functions whereas the strongly secure publickey encryption schemes

are based on the existence of trap do or p ermutations In b oth cases withstand

ing ap osteriori chosen ciphertext attacks is harder than withstanding apriori

chosen ciphertext attacks We will present the following schemes

Privatekey schemes The privatekey encryption scheme based on pseudo

random functions ie Construction is secure also against apriori

chosen ciphertext attacks

Note that this scheme is not secure under an ap osteriori chosen ciphertext attack on

input a ciphertext r x f r we obtain f r by making the query r y where y

s s

x f r This query is answered with x so that y x f r

s s

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BEYOND EAVESDROPPING SECURITY

It is easy to turn any passively secure privatekey encryption scheme into

a scheme secure under aposteriori chosen ciphertext attacks by using a

message authentication scheme on top of the basic encryption

Publickey schemes Publickey encryption schemes secure against apriori

chosen ciphertext attacks can b e constructed assuming the existence of

trap do or p ermutations and utilizing noninteractive zeroknowledge pro ofs

Recall that the latter pro of systems can b e constructed under the former

assumption

Publickey encryption schemes secure against ap osteriori chosen cipher

text attacks can also b e constructed under the same assumption but this

construction is even more complex

Keydep endent passive attacks

Authors Note Applicable only to publickey schemes

Authors Note Plan dene and show that ab ove constructions sat

isfy the denition

Chosen plaintext attack

Authors Note No aect in case of publickey schemes

Authors Note Plan dene and show that ab ove constructions sat

isfy the denition

Chosen ciphertext attack

Authors Note For privatekey refer also to a combined plaintextciphertext

attack

Authors Note Plan

Dene the two types ie apriori and ap osteriori CCA

Prove that the PRFbased privatekey scheme remains secure

under apriori CCA

Using MAC transform any passivelysecure privatekey scheme

into an a scheme secure under ap osteriori CCA

The NYframework for constructing CCAsecure publickey schemes

doubleencryption use of NIZK

a Apply the framework to obtain security under apriori CCA

See denition in Section

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

b Apply the framework to obtain security under ap osteriori

CCA DDN Amit

Authors Note Indeed my plans were mo died due to a recent result

of Amit Sahai further simplied by Yehuda Lindell This result

makes it feasible to present in the context of the current b o ok a

publickey encryption scheme that is secure under ap osteriori CCA

Nonmalleable encryption schemes

Authors Note Tentative introductory test follows

So far our treatment has referred to an adversary that tries to extract explicit

information ab out the plaintext A less explicit attempt captured by the so

called notion of mal leability is to generate an encryption of a related plaintext

p ossibly without learning anything ab out the original plaintext

Thus we have a matrix of adversaries with one dimension parameter

b eing the type of attack and the second b eing its purpose So far we have

discussed the rst dimension ie the type of the attack We now turn to the

second ie the purp ose of the attack We make a distinction b etween the

following two notions or purp oses of attack

Standard security the infeasibility of obtaining information regarding the

plaintext As dened ab ove such information must b e a function or a

randomized pro cess applied to the bare plaintext and may not dep end

on the encryption or decryption key

In contrast the notion of nonmal leability refers to generating a string de

p ending on b oth the plaintext and the current encryptionkey Sp ecically

one requires that it should b e infeasible for an adversary given a cipher

text to pro duce a valid ciphertext for a related plaintext For example

given a ciphertext of a plaintext of the form x it should b e infeasible to

pro duce a ciphertext to the plaintext x

We shall show b elow that with the exception of passive attacks on privatekey

schemes nonmalleability always implies security against attempts to obtain in

formation on the plaintext We shall also show that security and nonmalleability

are equivalent under ap osteriori chosen ciphertext attack

Authors Note Plan

discuss and dene the notion of nonmalleable encryption

prove the following relations b etween denitions

a With the exception of passive attacks on privatekey schemes

nonmalleability always implies security against attempts to

obtain information on the plaintext

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

b Under ap osteriori chosen ciphertext attacks security and

nonmalleability are equivalent This is very intuitive and

the intuition can b e presented already in the denitional

discussion ab ove

Derive the existence of nonmalleable encryption schemes as a

corollary to the ab ove

Miscellaneous

Authors Note The entire section is fragmented and tentative

Historical Notes

The notion of privatekey encryption scheme seems almost as ancient as the al

phab et itself Furthermore it seems that the development of encryption metho ds

went along with the development of communication media As the amounts of

communication grow more ecient and sophisticated encryption metho ds were

required Computational complexity considerations were explicitly introduced

into the arena by Shannon In his work Shannon considered the classi

cal setting where no computational considerations are present He showed that

in this information theoretic setting secure communication of information was

p ossible only as long as its entropy is lower than the entropy of the key He thus

concluded that if one wishes to have an encryption scheme which is capable of

handling messages with total entropy exceeding the length of the key then one

must settle for a computational relaxation of the secrecy condition That is

rather than requiring that the ciphertext yields no information on the plaintext

one has to require that such information cannot b e eciently computed from the

ciphertext The latter requirement indeed coincides with the ab ove denition of

semantic security

The notion of publickey encryption scheme was introduced by Die and

Hellman First concrete candidates were suggested by Rivest Shamir and

Adleman and by Merkle and Hellman However satisfactory de

nitions of security were presented only a few years afterwards by Goldwasser

and Micali The two denitions presented in Section originate in

where it was shown that ciphertextindistinguishability implies semantic secu

rity The converse direction is due to

Regarding the seminal pap er of Goldwasser and Micali a few additional

comments are due Arguably this pap er is the basis of the entire rigorous

approach to cryptography presented in the current b o ok It introduced general

notions such as computational indistinguishability denitional approaches such

as the simulation paradigm and techniques such as the hybrid argument The

pap ers title Probabilistic Encryption is due to the authors realization that

publickey encryption schemes in which the encryption algorithm is deterministic

cannot b e secure in the sense dened in their pap er Indeed this led the authors

to explicitly introduce and justify the paradigm of randomizing the plaintext

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

as part of the encryption pro cess Technically sp eaking the pap er only presents

security denitions for publickey encryption schemes and furthermore some

of these denitions are syntactically dierent from the ones we have presented

ab ove yet all these denitions are equivalent Finally the term ciphertext

indistinguishability used here replaces the generic term p olynomialsecurity

used in Some of our mo dications have already app eared in which is

also the main source of our uniformcomplexity treatment

The rst construction of a secure publickey encryption scheme based on

a simple complexity assumption was given by Goldwasser and Micali

Sp ecically they constructed a publickey encryption scheme assuming that de

ciding Quadratic Residiousity mo dulo comp osite numbers is intractable The

condition was weaken by Yao who prove that any trap do or p ermutation

will do The ecient publickey encryption scheme of Construction is

due to Blum and Goldwasser The security is based on the fact that the

least signicant bit of the mo dular squaring function is a hardcore predicate

provided that factoring is intractable a result mostly due to

For decades it has b een common practice to use pseudorandom generators

in the design of stream ciphers As p ointed out by Blum and Micali this

practice is sound provided that one uses pseudorandom generators as dened

in Chapter The construction of privatekey encryption schemes based on

pseudorandom functions is due to

We comment that it is indeed p eculiar that the rigorous study of the security

of privatekey encryption schemes has legged b ehind the corresp onding study

of publickey encryption schemes This historical fact may b e explained by the

very thing that makes it p eculiar that is privatekey encryption schemes are

less complex that publickey ones and hence the problematics of their security

when applied to p opular candidates is less obvious In particular the need

for a rigorous study of the security of publickey encryption schemes arose

from observations regarding their concrete applications eg doubts raised by

Lipton concerning the security of the mental p oker proto col of which

used plain RSA as an encryption scheme In contrast the need for a rigorous

study of the security of privatekey encryption schemes arose later and by

analogy to the publickey case

Authors Note The rest of this subsection is yet to b e written The

following notes are merely placeholders

Authors Note The NYframework for constructing publickey en

cryption schemes secure under Chosen Ciphertext Attacks double

encryption NIZK Naor and Yung Its original application

to the case of apriori Chosen Ciphertext Attacks Its appli

cation to the case of apriori Chosen Ciphertext Attacks Sahai

following Dolev Dwork and Noar Refer to NIZK works such

Recall that plain RSA is not secure whereas Randomized RSA is based on the Large

HardCore Conjecture for RSA which is less app ealing that the standard conjecture referring

to the intractability of inverting RSA

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Authors Note The study of nonmalleability of the encryption schemes

was initiated by Dolev Dwork and Noar Security and non

malleability are equivalent under ap osteriori chosen ciphertext at

tack cf

Suggestion for Further Reading

Authors Note This subsection is yet to b e written The following

notes are merely placeholders

Authors Note On the gap b etween privatekey and publickey en

cryption the former is p ossible under OWF whereas Impagliazzo and

Rudich indicate the this is unlikely for the latter

Authors Note For discussion of NonMalleable Cryptography which

actually transcends the domain of encryption see

Authors Note For a detailed discussion of the relationship among

the various notions of secure privatekey and publickey encryption

the reader is referred to and resp ectively

Op en Problems

Secure publickey encryption schemes exist if there exist collections of non

uniformly hard trap do or p ermutations cf Theorem It is not known

whether the converse holds although secure publickey encryption schemes eas

ily imply oneway function The fewto feature of the function collection is

imp ortant see

Randomized RSA ie Construction is commonly b elieved to b e a

secure publickey encryption scheme It would b e of great practical imp ortance

to gain additional supp ort for this b elief As shown in Prop osition the

security of Randomized RSA follows from the Large HardCore Conjecture for

RSA but the latter is not known to follow from a more standard assumption

such as that RSA is hard to invert This is indeed the third place in this b o ok

where we suggest the establishment of the latter implication as an imp ortant

op en problem

Both constructions of publickey encryption schemes secure against chosen

ciphertext attacks presented in Section are to b e considered as plausibil

ity results which also oer some useful construction paradigms Presenting

reasonablyecient publickey encryption schemes that are secure against a

p osteriori chosen ciphertext attacks under widely b elieved assumptions is an

imp ortant op en problem We comment that the reasonablyecient scheme

of is based on a very strong assumption regarding the DieHel lman Key

Exchange Sp ecically it is assumed that for a prime P and primitive element

x y z

g given P g g mo d P g mo d P g mo d P it is infeasible to decide

whether z xy mo d P

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Exercises

Authors Note The following are but a tentative collection of exercises

that o ccurred to me while writing the main text

Exercise Encryption schemes imply oneway function Show that the

existence of a secure privatekey encryption scheme ie as in Deni

tion implies the existence of oneway functions

Guideline Recall that by Exercise of Chapter it suces to prove

that the former implies the existence of a pair of p olynomialtime con

structible probability ensembles that are statistically far apart and still

are computationally indistinguishable To prove the existence of such en

sembles consider the encryption of n bit plaintexts relative to a ran

dom nbit long key denoted K Sp ecically let the rst ensemble b e

x and the second ensem fU E U g where E x E

n n

ble b e fU E U g where U and U are indep endently

n n n n

distributed It is easy to show that these ensembles are computationally

indistinguishable and are b oth p olynomialtime constructible The more

interesting part is to show that these ensembles are statistically far apart

To prove this fact assume towards the contradiction that for all but a negli

gible fraction of the p ossible xs the distribution of E x is statistically

close to a single distribution Y and show that this do es not allow correct

decryption since there are only p ossible keys

Exercise Encryption schemes with unboundedlength plaintext Supp ose that

the denition of semantic security is mo died so that no b ound is placed

on the length of plaintexts Prove that in such a case there exists no

semantically secure publickey encryption scheme Hint A plaintext of length

exp onential in the security parameter allows the adversary to nd the decryption key

by exhaustive search

Exercise Encryption schemes must leak information about the length of the

plaintext Supp ose that the denition of semantic security is mo died so

that the algorithms are not given the length of the plaintext Prove that

in such a case there exists no semantically secure encryption scheme

Guideline First show that for some p olynomial p jE j pn

whereas for some x f g it holds that Pr jE xj pn

Exercise Hiding partial information about the length of the plaintext Using

an arbitrary encryption scheme construct an encryption scheme that hides

the exact length of the plaintext In particular construct an encryption

scheme that reveals only the following function h of the length of the

plaintext

h m dmne n where n is the security parameter

dlog me

h m

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Hint Just use an adequate padding convention making sure that it always allows

correct deco ding

Exercise Length parameters Assuming the existence of a secure publickey

resp privatekey encryption scheme prove the existence of such scheme

in which the length of keys equal the security parameter Furthermore

show that without loss of generality the length of ciphertexts may b e a

xed p olynomial in the length of the plaintext

Exercise Deterministic encryption schemes Prove that in order to b e se

mantically secure a publickey encryption scheme must have a probabilistic

encryption algorithm Hint Otherwise one can distinguish the encryptions of two

candidate plaintexts by computing the unique ciphertext for each of them

Exercise Prove that the following denition in which we use nonuniform

families of p olynomialsize circuits rather than probabilistic p olynomial

time algorithms is equivalent to Denition

There exists a probabilistic p olynomialtime transformation T

such that for every p olynomialsize circuit family fC g and

for every fX g f h f g f g p and n as in

Denition

h i

jX j

Pr C E X hX f X

n n n n

h i

jX j

Pr C hX f X

n n

T C and the probability is also taken over the where C

internal coin tosses of T

Same for publickey encryption

Guideline The alternative view of nonuniformity discussed in Sec

tion is useful here That is we can view a circuit family as a sequence of

advices given to a universal machine Thus the ab ove denition states that

advices for a machine that gets the ciphertext can b e eciently transformed

into advices for a machine that do es not get the ciphertext However we

can incorp orate the probabilistic transformation program into the second

universal algorithm which then b ecome probabilistic Consequently the

advices are identical for b oth machines and can b e incorp orated in the

auxiliary input hX used in Denition Viewed this way the ab ove

denition is equivalent to asserting that for some universal deterministic

p olynomialtime algorithm U there exists a probabilistic p olynomialtime

algorithm U and for every fX g f h f g f g p and n

as in Denition

jX j

Pr U E n X hX f X

n n n

jX j

Pr U hX f X

n n

Still a gap remains b etween the ab ove denition and Denition

the ab ove condition refers only to one p ossible deterministic algorithm

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

U whereas Denition refers to all probabilistic p olynomialtime al

gorithms To close the gap we rst observe that by Prop ositions

and Denition is equivalent to a form in which one only quan

ties over deterministic p olynomialtime algorithms A We conclude by

observing that one can co de any algorithm A and p olynomial timeb ound

referred to by Denition in the auxiliary input ie hX given to

Exercise In continuation to Exercise consider a denition in which the

transformation T of the circuit family fC g to the circuit family

fC g is not required to even b e computable Clearly the new

denition is not stronger than the one in Exercise Show that the two

denitions are in fact equivalent

Guideline Use the furthermoreclause of Prop osition to show that

the new denition implies indistinguishability of encryptions and conclude

by applying Prop osition and invoking Exercise

Exercise Prove that Denition remains unchanged when supplying the

circuit with auxiliaryinput That is an encryption scheme satises De

nition if and only if

for every p olynomialsize circuit family fC g every p olynomial

p olyn

p all suciently large n and every x y f g ie jxj

p olyn

jy j and z f g

n n

jPr C z E x Pr C z E y j

n n

G G

1 1

Hint incorp orate z in the circuit C

Exercise Equivalence of the security denitions in the publickey model

Prove that a publickey encryption scheme is semantically secure if and

only if it has indistinguishable encryptions

Exercise The technical contents of semantic security The following ex

plains the lack of computational requirements regarding the function f

in Denition Prove that an encryption scheme G E D is se

mantically secure in the privatekey mo del if and only if the following

holds

There exists a probabilistic p olynomialtime algorithm A so

that for every fX g and h f g f g as in Def

inition the following two ensembles are computationally

indistinguishable

jX j

fE X hX g

n n

Equivalently one may require that for any p olynomialsize circuit family fC g there

exists a p olynomialsize circuit family fC g satisfying the ab ove inequality

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

jX j

fA hX g

Formulate and prove an analogous claim for the publickey mo del

Guideline We care mainly ab out the easy to establish fact by which

the ab ove implies semantic security The other direction can b e proven

analogously to the pro of of Prop osition

Exercise Prove that Denition remains unchanged if we may restrict

the function h to dep end only on the length of its input ie hx h jxj

for some h N f g

Guideline It suces to prove that this sp ecial case ie obtained by the

restriction on h is equivalent to the general one This follows by combining

Prop ositions and

Exercise A variant on Exercises and Prove that an encryption

scheme G E D is semantically secure in the privatekey mo del if

and only if the following holds

For every probabilistic p olynomialtime algorithm A there ex

ists a probabilistic p olynomialtime algorithm A such that for

every ensemble fX g with jX j p oly n and p olynomi

n n

ally b ounded h the following two ensembles are computationally

indistinguishable

jX j

fAE X h jX jg

n n

jX j

fA h jX jg

Indeed since jX j is constant so is h jX j So an equivalent form is

n n

obtained by replacing h jX j with a p oly nbit long string v

n n

Formulate and prove an analogous claim for the publickey mo del

Guideline Again we care mainly ab out the fact that the ab ove im

plies semantic security The easiest pro of of this direction is by applying

Prop ositions and A more interesting pro of is obtained by using

Exercise Indeed the current formulation is a sp ecial case of the formu

lation in Exercise and so we need to prove that it implies the general

case The latter is proven by observing that otherwise using an averag

ing argument we derive a contradiction in one of the residual probability

spaces dened by conditioning on hX ie X jhX v for some v

n n n

Exercise Another equivalent denition of security The following exercise

is interesting mainly for historical reasons In the denition of semantic

security app earing in the term max fPr f X v jhX ug

uv n n

jX j

app ears instead of the term Pr A hX f X That is it is

n n

required that

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

for every probabilistic p olynomialtime algorithm A every en

semble fX g with jX j p oly n every pair of p olynomially

n n

b ounded functions f h f g f g every p olynomial p

and all suciently large n

h i

jX j

Pr AE X hX f X

n n n

max fPr f X v jhX ug

n n

Prove that the ab ove formulation is in fact equivalent to Denition

Guideline First note that the ab ove denition implies Denition

since max fPr f X v jhX ug Pr A hX jX j f X

uv n n n n n

for every algorithm A Next note that in the special case in which X sat

ises Pr f X jhX u Pr f X jhX u for all us

n n n n

the ab ove terms are equal since A can easily achieve success probability

by simply always outputting Finally combining Prop ositions

and infer that it suces to consider only the latter sp ecial case

Exercise Yet another equivalent denition of security The following syn

tactic strengthening of semantic security is imp ortant in some applications

Its essence is in considering information related to the plaintext in the

form of a related random variable rather than partial information ab out

the plaintext in the form of a function of it Prove that an encryption

scheme G E D is semantically secure in the privatekey mo del if

and only if the following holds

For every probabilistic p olynomialtime algorithm A there ex

ists a probabilistic p olynomialtime algorithm A such that for

every fX Z g with jX Z j p oly n where Z may

n n n n n

dep endent arbitrarily on X and f p and n as in Deni

tion

h i

jX j

Pr AE X Z f X

n n n

h i

jX j

Pr A Z f X

n n

That is the auxiliary input hX of Denition is replaced by the

random variable Z Formulate and prove an analogous claim for the

publickey mo del

Guideline Denition is clearly a sp ecial case of the ab ove On

the other hand the pro of of Prop osition extends easily to the ab ove

seemingly stronger formulation of semantic security

Exercise Extended Semantic Security suggested by Boaz Barak Con

sider an extended denition of semantic security in which in addition

to the regular inputs the algorithms have oracle access to a function

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

H f g f g instead of b eing given the value hx The func

tion H s have to b e restricted to have p olynomial in jxj size circuit

That is an encryption scheme G E D is extendedsemantically secure

in the privatekey mo del For every probabilistic polynomialtime algo

rithm A there exists a probabilistic polynomialtime algorithm A such that

for every ensemble fX g with jX j p oly n every polynomially

n n

bounded function f f g f g every family of polynomialsized

circuits fH g every polynomial p and al l suciently large n

xfg

h i

H jX j

X n

Pr A E X f X

n n

h i

jX j

Pr A f X

The denition of publickey security is analogous

Show that if G E D has indistinguishable encryptions then it is

extendedsemantically secure

Show that if no restriction are placed on the H s then no scheme can

b e extendedsemantically secure in this unrestricted sense

Guideline for Part The pro of is almost identical to the pro of

jX j

of Prop osition The algorithm A forms an encryption of and

invokes A on it Indistinguishability of encryptions is used in order to es

jX j

n X

p erforms essentially as well as A E X tablish that A

jx j

Otherwise we obtain a distinguisher of E x from E for some in

nite sequence of x s In particular the oracle H b eing implementable

n x

by a small circuit can b e incorp orated into a distinguisher

Guideline for Part In such a case H may b e dened so that

when queried ab out a ciphertext it reveals the decryptionkey in use par

tial information ab out the corresp onding plaintext This is obvious in case

of publickey schemes but is also doable in some privatekey schemes eg

supp ose that the ciphertext always contains a commitment to the private

key Such an oracle allows A which is given a ciphertext to recover the

jX j

corresp onding plaintext but do es not help A which is given nd

any information ab out the value of X

Exercise Multiple messages of varying lengths In continuation to Sec

tion generalize the treatment to encryption of multiple messages

of varying lengths Provide adequate denitions and analogous results

Guideline For example a generalization of the rst item of Deni

tion p ostulates that for every pair of p olynomials t and and

every probabilistic p olynomialtime algorithm A there exists a probabilis

tic p olynomialtime algorithm A such that for every ensemble f X

tn i

X X g with jX j n every pair of functions f h

n n n

f g f g every p olynomial p and all suciently large n

i h

(t(n)) (1)

j j jX jX

n n

h E n X X f X Pr A

n n n

h i

(1) (t(n))

jX j jX j

n n

Pr A h X f X

n n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER ENCRYPTION SCHEMES

Exercise Known plaintext attacks Lo osely sp eaking in a known plaintext

attack on a privatekey resp publickey encryption scheme the adver

sary is given some plaintextciphertext pairs in addition to some extra

ciphertexts without corresp onding plaintexts Semantic security in this

setting means that whatever can b e eciently computed ab out the missing

plaintexts can b e also eciently computed given only the length of these

plaintexts

Provide formal denitions of security for privatekeypublickey in

b oth the singlemessage and multiplemessage settings

Prove that any secure publickey encryption scheme is also secure in

the presence of known plaintext attack

Prove that any privatekey encryption scheme that is secure in the

multiplemessage setting is also secure in the presence of known plain

text attack

Guideline for Part Consider a function h in the multiplemessage

setting that reveals some of the plaintexts

Exercise The standard term of blockcipher A standard blo ckcipher is a

triple G E D of probabilistic p olynomialtime algorithms that satises

Denition as well as jE j n for every pair e d in the range

n n

of G and every f g

Prove that a standard blo ckcipher cannot b e semantically secure in

the multiplemessage mo del Furthermore show that any seman

tically secure encryption scheme must employ ciphertexts that are

longer than the corresp onding plaintexts

Present a statebased version of a standard blo ckcipher and note that

Construction satises it

Guideline for Part Consider the encryption of a pair of two iden

tical messages versus the encryption of a pair of two dierent messages

and use the fact that E must b e a p ermutation of f g Extend the

argument to any encryption scheme in which plaintexts of length n are

encrypted by ciphertexts of length n O log n observing that otherwise

most plaintexts have only p oly nmany ciphertexts under E

Exercise The BlumGoldwasser publickey encryption scheme was presented

in Construction as a blo ckcipher with arbitrary blo ck length Pro

vide an alternative presentation of this scheme as a fulledged encryption

scheme rather than a blo ckcipher and prove its security under the

factoring assumption

Authors Note First draft written mainly in Ma jor revision

completed in Dec Further signicant revisions were conducted

in MayJune

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Index

nonuniform see nonuniform com Author Index

plexity

Adleman L

oracle machines see oracle ma

Blum M

chines

Die W

probabilistic machines see prob

Goldwasser S

abilistic machines

Hellman ME

Lipton R

Discrete Logarithm Problem see DLP

Merkle RC

function

Micali S

DLP see DLP function

Rivest RL

Shamir A

Encryption Schemes

Shannon CE

asymmetric

Yao AC

Basic Setting

Blo ckCiphers

Arguments see Interactive Pro ofs

Denitions

Averaging Argument see Techniques

indistinguishability of encryptions

Chinese Reminder Theorem

p erfect privacy

Clawfree Pairs see OneWay Func

PrivateKey

tions

CollisionFree Hashing see Hashing

PublicKey

Complexity classes

Randomized RSA

PCP see Probabilistically Check

Semantic Security

able Pro ofs

StreamCiphers

Comp osite numbers

symmetric

Blum integers see Blum inte

the mechanism

gers

Computational Diculty see One

Factoring integers

Way Functions

FiatShamir Identication Scheme

Computational Indistinguishability

see Identication Schemes

by circuits

HardCore Predicates see OneWay

Computational mo dels

Functions

Hashing interactive machines see inter

active machines

Universal see Hashing functions

Hybrid Argument see Techniques nondeterminism see nondeterminism

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

INDEX

Random Oracle Mo del see Random Interactive Pro ofs

Oracle Metho dology ZeroKnowledge see ZeroKnowledge

Reducibility Argument see Techniques

RSA function

as a class see Complexity classes

hardcore function

the notion see Interactive Pro ofs

Signatures see Signature Schemes

Message authentication

Simulation paradigm see Techniques

NIZK see ZeroKnowledge

Techniques

NonInteractive ZeroKnowledge see

Averaging Argument

ZeroKnowledge

Hybrid Argument

nonuniform complexity

Reducibility Argument

as a class see Complexity classes

the simulation paradigm

as a pro of system see Interac

tive Pro ofs

Trapdo or Permutations see OneWay

versus P see P vs NP Question

Permutations

OneWay Functions

ZeroKnowledge

nonuniform hardness

Pro ofs of Knowledge see Pro ofs

OneWay Permutations

of Knowledge

hardcore

Witness Hiding see Witness Hid

mo dular squaring

ing

RSA

Witness Indistinguishability see

with trap do or

Witness Indistinguishabil

ity

PCP see Probabilistically Checkable

Pro ofs

as a class see Complexity classes

Probability ensembles

the notion see ZeroKnowledge

eciently constructible

ZKIP see ZeroKnowledge

Pro ofs of Identity see Identication

Schemes

Pro ofs of Knowledge

Ability see Pro ofs of Ability

Proto cols see Cryptographic Proto

cols

Pseudorandom Functions

nonuniform hardness

Pseudorandom Generators

Computational Indistinguishabil

ity see Computational In

distinguishability

nonuniform hardness

Rabin function

hardcore