Cryptography Reference
In-Depth Information
=
Gen
Gen 1 .
(
,
)
E 1 and m a message in the
Enc acts on pairs
pk
m
where pk is a public key of
plaintext space of
E 2 . Thus, on input
(
pk
,
m
)
, a random key k for
E 2 is chosen and
c
Enc
(
pk
,
m
)
is defined as the pair c
= (
Enc 1 (
pk
,
k
),
Enc 2 (
k
,
m
))
.
Dec acts on pairs
(
sk
,
c
)
where c
= (
c 1 ,
c 2 )
, with c 1 a ciphertext corresponding to
E 1 and c 2 a ciphertext corresponding to
E 2 , by computing first k
:=
Dec 1 (
sk
,
c 1 )
and then outputting m
:=
Dec 2 (
k
,
c 2 )
.
Remarks 8.4
1. A hybrid encryption scheme as defined above is actually a special kind of
public-key encryption scheme because no previous secret information needs
to be exchanged between the parties.
2. The plaintext space for the hybrid scheme
E 2 ,sowe
may assume that arbitrary length messages can be encrypted as we saw when
discussing private-key cryptography.
3. The combination of
E
is the same as the one of
E 2 to produce a hybrid encryption scheme is often
referred to as a KEM/DEM scheme in which
E 1 and
E 1 provides the Key Encapsulation
E 2 provides the Data Encapsulation Mechanism (DEM).
There are also more involved KEM/DEM constructions, with these mechanisms
usually subject to specific security requirements.
Regarding the security of hybrid encryption schemes, we have the following
important result:
Mechanism (KEM) and
Theorem 8.1
E 2 is a private-
key encryption scheme indistinguishable to eavesdroppers, then the hybrid encryption
scheme
If
E 1 is a CPA secure public-key encryption scheme and
constructed from them as in Definition 8.9 is a CPA secure public-key
encryption scheme.
E
Sketch of proof. We give an informal description of the proof, and we refer to [109,
Theorem 10.13] for a detailed proof. Assuming that m 0 and m 1 are two messages, we
argue that a PPT adversary that knows the public key pk cannot distinguish between
(
Enc 1 (
pk
,
k
),
Enc 2 (
k
,
m 0 ))
and
(
Enc 1 (
pk
,
k
),
Enc 2 (
k
,
m 1 ))
. Afirst intuition is that
this should be true because Enc 1 (
pk
,
k
)
does not reveal information about k (because
E 1 is CPA secure) and hence Enc 2 (
k
,
m 0 )
is indistinguishable from Enc 2 (
k
,
m 1 )
E 2 is indistinguishable to eavesdroppers. But the rigorous
taking into account that
version of ' Enc 1 (
,
)
does not reveal information about k ' that we have is in
terms of indistinguishability of two encryptions and hence we have to formalize the
argument in these terms. Since indistinguishability is transitive (due essentially to
the fact that the sum of two negligible functions is negligible) we can go from the
first ciphertext pair to the second in three 'indistinguishability steps' as follows:
pk
k
0 n
(
Enc 1 (
pk
,
k
),
Enc 2 (
k
,
m 0 ))
is
indistinguishable from
(
Enc 1 (
pk
,
),
Enc 2
(
k
,
m 0 ))
. This follows from the fact that
E 1 is CPA secure (we are assuming here
1 n
n ).
that pk
Gen
(
)
and k
←{
0
,
1
}
 
Search WWH ::




Custom Search