Cryptography Reference
In-Depth Information
explicitly included oracle access to encryption for $\mathcal{A}$ in Definitions 8.3 and 8.5 because this access is automatically granted by the knowledge of the public key $pk$. Thus Definition 8.5 also serves to define the concept of indistinguishability in the presence of an eavesdropper in the public-key setting which is, in this case, equivalent to being indistinguishable under a chosen plaintext attack.
2. We have seen in Remarks 3.8 that in the private-key setting an encryption scheme may have indistinguishable encryptions in the presence of an eavesdropper without having multiple indistinguishable encryptions in the presence of an eavesdropper. This is essentially due to the fact that a deterministic private-key encryption scheme may have the former property but cannot have the latter one. However, an IND-CPA secure private-key encryption scheme also has multiple encryptions indistinguishable to an eavesdropper. We did not give a formal proof of this fact but we remarked that multiple indistinguishability comes from the fact that IND-CPA secure schemes must have a probabilistic encryption algorithm (in other words, no deterministic encryption scheme can be IND-CPA secure). In the public-key setting, being indistinguishable to eavesdroppers is the same as being IND-CPA secure and, similarly to the private-key case, it can be proved that the concept of IND-CPA secure for a single encryption is equivalent to the concept of IND-CPA secure for multiple encryptions (see, for example, [109, Theorem 10.10] for a proof). Therefore, in the public-key setting there is no difference between security for a single encryption and security for multiple encryptions.
3. The just-observed fact that security for a single encryption implies security for multiple encryptions entails that if we have a public-key encryption scheme for fixed-length messages that is CPA secure, then a public-key encryption scheme for arbitrary-length messages can be constructed from it which is also CPA secure. This is because a longer message can be regarded as the concatenation of shorter messages and the resulting ciphertext will be the result of concatenating the ciphertexts corresponding to the shorter messages.
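The remarks above say that an adversary holding pk can encrypt by itself and that no deterministic scheme can be IND-CPA secure; the following Python sketch plays the eavesdropping game to show both. It is an added example, not code from the book: the toy RSA key, the ad hoc 16-bit random prefix and all function names are assumptions made for illustration, and the randomized variant is only meant to defeat this one re-encryption test, not to be a secure padding.

```python
import random

# Toy RSA key from two Mersenne primes: constructed for illustration only,
# far too small (and too naively padded) for real data.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
MSG_BITS, PAD_BITS = 64, 16

def enc_det(m):
    """Deterministic 'textbook' RSA: the same pk and m always give the same c."""
    return pow(m, E, N)

def enc_rand(m, rng):
    """Probabilistic variant: fresh random bits are prepended before encrypting."""
    r = rng.getrandbits(PAD_BITS)
    return pow((r << MSG_BITS) | m, E, N)

def dec(c, padded):
    """Decrypt with sk; for the padded variant, strip the random prefix."""
    m = pow(c, D, N)
    return m & (2**MSG_BITS - 1) if padded else m

def adversary_guess(encrypt_with_pk, m0, c):
    """The adversary needs no oracle: it holds pk, so it encrypts m0 itself
    and compares the result with the challenge ciphertext."""
    return 0 if encrypt_with_pk(m0) == c else 1

def run_game(encrypt, trials=2000, seed=1):
    """Play the eavesdropping experiment `trials` times; return the win rate."""
    rng = random.Random(seed)        # challenger's coins (seeded for repeatability)
    wins = 0
    for _ in range(trials):
        m0, m1 = rng.getrandbits(MSG_BITS), rng.getrandbits(MSG_BITS)
        b = rng.getrandbits(1)
        c = encrypt((m0, m1)[b])     # challenge ciphertext for m_b
        wins += adversary_guess(encrypt, m0, c) == b
    return wins / trials

def demo():
    pad_rng = random.Random(2)       # encryption coins of the randomized scheme
    return run_game(enc_det), run_game(lambda m: enc_rand(m, pad_rng))

if __name__ == "__main__":
    det, rnd = demo()
    print(f"deterministic: adversary wins {det:.2%}")
    print(f"randomized:    adversary wins {rnd:.2%}")
```

Against the deterministic scheme the comparison identifies the encrypted message in every run, while against the randomized one the same adversary does no better than guessing.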
Another important notion of security is obtained by considering, as in the private-key setting, chosen ciphertext attacks. These attacks are, if anything, even more dangerous in public-key cryptography because receivers may get ciphertexts from many senders, who are possibly unknown to them. For example, we mention in Sect. 8.3.5 an attack against an implementation of RSA called PKCS #1 v1.5, based on sending to a server many variants of a ciphertext and looking at the server responses. The server returned an error message if the ciphertext was not well formatted and by observing these messages it was possible to recover the plaintext.
The definition of CCA security is very similar to the corresponding one in the private-key setting, except that in this case no explicit mention is made of an encryption oracle, which is always available in the public-key setting:
Definition 8.7 The public-key CCA indistinguishability experiment $\mathrm{PubK}^{\mathrm{ind\text{-}cca}}_{\mathcal{A},\mathcal{E}}(n)$, where $\mathcal{E} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is a public-key encryption scheme, $\mathcal{A}$ a PPT adversary, and $n$ any value of the security parameter, is the following:
1. Keys $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$ are generated.
 