Fragments of a Chapter on Encryption Schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracts from Foundations of Cryptography (in preparation)
(revised, second posted version)

Oded Goldreich
Department of Computer Science and Applied Mathematics
Weizmann Institute of Science, Rehovot, Israel
June

to Dana

Copyright by Oded Goldreich. Permission to make copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

Preface

The current manuscript consists of fragments of a chapter on encryption schemes, which is supposed to be Chapter of the three-volume work Foundations of Cryptography. These fragments provide a draft of the first three sections of this chapter, covering the basic setting, definitions and constructions. Also included is a plan of the fourth section (i.e., beyond eavesdropping security), and fragments for the Miscellaneous section of this chapter. This manuscript subsumes a previous version posted in Dec.

The bigger picture. The current manuscript consists of fragments of a chapter on encryption schemes, which is supposed to constitute Chapter of the three-part work Foundations of Cryptography (see Figure). The three parts of this work are Basic Tools, Basic Applications, and Beyond the Basics. The first part (containing Chapters) has been published by Cambridge University Press (in June). The second part consists of Chapters, regarding Encryption Schemes, Signature Schemes, and General Cryptographic Protocols, respectively. We hope to publish the second part with Cambridge University Press within a few years.

    Part: Introduction and Basic Tools
        Chapter: Introduction
        Chapter: Computational Difficulty (One-Way Functions)
        Chapter: Pseudorandom Generators
        Chapter: Zero-Knowledge Proofs
    Part: Basic Applications
        Chapter: Encryption Schemes
        Chapter: Signature Schemes
        Chapter: General Cryptographic Protocols
    Part: Beyond the Basics

    Figure: Organization of this work

The partition of the work into three parts is a logical one. Furthermore, it offers the advantage of publishing the first part without waiting for the completion of the other parts. Similarly, we hope to complete the second part within a couple of years, and publish it without waiting for the third part.

Prerequisites. The most relevant background for this text is provided by basic knowledge of algorithms (including randomized ones), computability and elementary probability theory. Background on (computational) number theory, which is required for specific implementations of certain constructs, is not really required here.

Using this text. The text is intended as part of a work that is aimed to serve both as a textbook and a reference text. That is, it is aimed at serving both the beginner and the expert. In order to achieve this aim, the presentation of the basic material is very detailed so to allow a typical CS undergraduate to follow it. An advanced student (and certainly an expert) will find the pace (in these parts) way too slow. However, an attempt was made to allow the latter reader to easily skip details obvious to him/her. In particular, proofs are typically presented in a modular way. We start with a high-level sketch of the main ideas, and only later pass to the technical details. Passage from high-level descriptions to lower level details is typically marked by phrases such as "details follow".

    In a few places, we provide straightforward but tedious details in indented paragraphs as this one. In some other (even fewer) places such paragraphs provide technical proofs of claims that are of marginal relevance to the topic of the book.

More advanced material is typically presented at a faster pace and with less details. Thus, we hope that the attempt to satisfy a wide range of readers will not harm any of them.

Teaching. The material presented in the full (three-volume) work is, on one hand, way beyond what one may want to cover in a course, and on the other hand falls very short of what one may want to know about Cryptography in general. To assist these conflicting needs we make a distinction between basic and advanced material, and provide suggestions for further reading (in the last section of each chapter). In particular, sections, subsections, and subsubsections marked by an asterisk are intended for advanced reading.

Table of Contents

    Preface
    Encryption Schemes
    The Basic Setting
    Private-Key versus Public-Key Schemes
    The Syntax of Encryption Schemes
    Definitions of Security
    Semantic Security
    The actual definitions
    Further discussion of some definitional choices
    Indistinguishability of Encryptions
    Equivalence of the Security Definitions
    Proof of Proposition
    Proof of Proposition
    Multiple Messages
    Definitions
    The effect on the public-key model
    The effect on the private-key model
    A uniform-complexity treatment
    The definitions
    Equivalence of the multiple-message definitions
    Single-message versus multiple-message
    The gain of a uniform treatment
    Constructions of Secure Encryption Schemes
    Probabilistic Encryption
    Stream-Ciphers
    Preliminaries: Block-Ciphers
    Private-key encryption schemes
    Public-key encryption schemes
    Simple schemes
    An alternative scheme
    Beyond eavesdropping security
    Key-dependent passive attacks
    Chosen plaintext attack
    Chosen ciphertext attack
    Non-malleable encryption schemes
    Miscellaneous
    Historical Notes
    Suggestion for Further Reading
    Open Problems
    Exercises

Part II: Basic Applications

Chapter: Encryption Schemes

Up to the s, Cryptography was understood as the art of building encryption schemes, that is, the art of constructing schemes allowing secret data exchange over insecure channels. Since the s, other tasks (e.g., signature schemes) have been recognized as falling within the domain of Cryptography (and even as being at least as central to Cryptography). Yet, the construction of encryption schemes remains, and is likely to remain, a central enterprise of Cryptography.

In this chapter we review the well-known notions of private-key and public-key encryption schemes. More importantly, we define what is meant by saying that such schemes are secure. It turns out that using randomness throughout the encryption process (i.e., not only at the key-generation phase) is essential to security. We present some basic constructions of secure (private-key and public-key) encryption schemes. Finally, we discuss "dynamic" notions of security, culminating in robustness against chosen ciphertext attacks.

Author's Note: Currently the write-up contains only a rough draft for the first sections of this chapter. Furthermore, this write-up was NOT carefully proofread and may contain various (hopefully minor) errors.

Teaching Tip: We assume that the reader is familiar with the material in previous chapters (and specifically with Sections and). This familiarity is important not only because we use some of the notions and results presented in these sections, but rather because we use similar proof techniques (and do it while assuming that this is not the reader's first encounter with these techniques).

The Basic Setting

Loosely speaking, encryption schemes are supposed to enable private communication between parties that communicate over an insecure channel. Thus, the basic setting consists of a sender, a receiver, and an insecure channel that may be tapped by an adversary. The goal is to allow the sender to transfer information to the receiver, over the insecure channel, without letting the adversary figure out this information. Thus, we distinguish between the actual (secret) information that the receiver wishes to transmit and the messages sent over the insecure communication channel. The former is called the plaintext, whereas the latter is called the ciphertext. Clearly, the ciphertext must differ from the plaintext or else the adversary can easily obtain
