| S. Micali, C. Rackoff and B. Sloan, "The notion of security for probabilistic cryptosystems," SIAM J. of Computing, April 1988. |
....encryption of the secrets underlying her validating tag. This approach raises some technical problems: First, the approach requires that each user encrypts each of her secret keys D_i under one of her public keys E_j, thereby creating circular encryptions. However, the canonical definitions [MRS88] of secure encryption do not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. Nevertheless, we introduce in this section a new cryptographic primitive called circular encryption which is an encryption scheme that ....
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
....the definition of the experiment E can be split up into two natural phases: the setup phase, and the actual experiment phase. A classical example is public key encryption, where the setup can choose a random public private key pair, and the actual experiment just encrypts the given message (see [42] for more details on definitions of public key encryption). In this case we might want to let the adversary observe the public part of the setup, and based on that try to come up with: a) some x_0 and x_1 that he claims to distinguish for the case of indistinguishability, or b) distribution D ....
S. Micali, C. Rackoff, B. Sloan. The Notion of Security for Probabilistic Cryptosystems. In SIAM J. on Computing, 17(2):412-426, 1988.
....that help give an exact and concise description of the protocol. 2.1 The El Gamal Cryptosystem The El Gamal Cryptosystem [5] is based on arithmetic in a cyclic group G with generator g. The cryptosystem is proved by Tsiounis and Yung [30] to be semantically secure in the classical sense of [17, 8] under the Decision Diffie-Hellman Assumption in G. We assume that |G| is prime. The private key is generated by picking an element x ∈ Z_|G| randomly, and the public key (g, y) is defined by y = g . It is sometimes assumed that g is a system wide parameter. We use the following notation for ....
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
....r) where r is chosen randomly (uniformly) from Coins. We will also write x D to mean that x is drawn from the distribution D. If D is a finite set, then we mean the uniform distribution over that set. The weakest form of security for a public key encryption algorithm is known as semantic security [12], and is best described as a game. First, a key pair is generated according to the algorithm G. Then, the adversary (first represented by M) picks two messages. One of those two messages, chosen at random, is encrypted. The adversary (now represented by A) must then decide which of the two ....
.... encryption algorithm (G, E, D) is one pass semantically secure if: ∀ PPT algorithms M and A; ∀ polynomials q; ∀ sufficiently large ; c E e (m b ) e; m 0 ; m 1 ; c) b ] The definition above is slightly different from the better known form of security, the three pass version [12]. The only difference is that in the three pass version of this definition, the adversary M is not allowed to know the encryption key e when choosing the messages m_0 and m_1. The one pass version of the definition is strictly stronger than the three pass version, and we will need the additional ....
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2), April 1988.
....a group homomorphism. This is true for any of the standard signature schemes in use today (RSA, DSA, etc. see [2, 22]). 2.2 Probabilistic Encryption Schemes A triple (G, E, D) of probabilistic polynomial time algorithms is a polynomially secure public key encryption system (see for instance [24, 28]) if we have the following: 1. For every output (E, D) and all messages m # 0, we have D(E(m) m. 2. For all probabilistic algorithms T and M, all polynomials p( and all sufficiently large k we have Pr [T (1 , E, m 0 , m 1 , #) m : E, D) G(1 ) m 0 , m 1 ) M(E, ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
.... , seeing E(p) does not help in computing F(p) [18]. This definition is known to be equivalent to indistinguishability of encryptions, which says, roughly, that it is hard to find a pair of plaintexts p; p such that encryptions of p are polynomial time distinguishable from encryptions of p [25, 13]. As it turns out, the difficulty of computing the function F has no role in the proof thus, indistinguishability is equivalent to semantic security with respect to polynomial time computable functions. Indistinguishability of encryptions is also known to be equivalent to semantic security with ....
S. Micali, C. Rackoff, and R. Sloan, The notion of security for probabilistic cryptosystems, SIAM J. Computing 17(2) (1988), pp. 412-426.
....in the sense that whatever is efficiently computable about the plaintext given the ciphertext is also efficiently computable without the ciphertext. This is an informal definition of semantic security which can be thought of as a polynomially bounded version of Shannon's perfect secrecy. See [13] for other equivalent notions of security for public key cryptosystems. These encryption schemes can be thought of as the best we are seeking for, as far as passive attacks are concerned, since a polynomially bounded passive attacker can extract no information on the plaintexts from the ....
S. Micali, C. Rackoff and B. Sloan, "The notion of security for probabilistic cryptosystems," SIAM J. Computing vol.17 no.2 (1988), 412-426.
....a group homomorphism. This is true for any of the standard signature schemes in use today (RSA, DSA, etc. see [1, 19]). 2.2 Probabilistic Encryption Schemes A triple (G, E, D) of probabilistic polynomial time algorithms is a polynomial secure public key encryption system (see for instance [21, 25]) if we have the following: 1. For every output (E, D) ∈ G(1^k) and all messages m ∈ {0,1}^k we have D(E(m) m. 2. For all probabilistic algorithms T and M, all polynomials p( and all sufficiently large k we have Pr[T(1 k ; E; m 0 ; m 1 ; m : E; D) G(1 k ) m 0 ; m 1 ) ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
....Achieving it rules out all of the problems listed above. 6.3.3 Definition of Security: Polynomial Time Security Several definitions of security for probabilistic encryption schemes have been proposed and studied in [79, 163, 78]. All definitions proposed so far have been shown to be equivalent in [78, 118]. We provide one definition in detail, due to Goldwasser and Micali [78]. Definition: We say that a probabilistic encryption scheme is polynomial time secure if for all sufficiently large security parameters k, any probabilistic polynomial time procedure that takes as input k (in unary) and a public ....
S. Micali, C. Rackoff, and R. H. Sloan. The notion of security for probabilistic cryptosystems. SIAM J. Computing, 17(2):412-426, April 1988.
....encryption of the secrets underlying her validating tag. This approach raises some technical problems: First, the approach requires that each user encrypts each of her secret keys D_i under one of her public keys E_j, thereby creating circular encryptions. However, the canonical definitions [MRS88] of secure encryption do not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. Nevertheless, we introduce in this section a new cryptographic primitive called circular encryption which is an encryption scheme that ....
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412-426, April 1988.
....being taken over m 0 M(1 k ) m 1 M(1 k ) P;S) G(1 k ) i f0;1g, and selection of R. Theorem 1. An encryption scheme is semantically secure if and only if it offers indistinguishability of encryptions. The reverse implication was proven in [13]. The forward implication appears in [20, 12]. We shall require a strengthened version of the reverse implication, which we refer to as an elision lemma. This strengthened version, discussed in Section 2.4, was originally proved in [12]. We give a streamlined proof of this result, which avoids the sampling present in existing proofs. ....
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
....y) EKG(1 ) m 0 ; m 1 ) M(y; 1 ) i 2R f0; 1g; d : Enc(y; m i ) 1=2 1=p( Furthermore, as encryption and decryption should be efficient, for all messages m values v such that (m, v) ∈ R must be efficiently computable. Any semantically secure public key encryption scheme (e.g. [29, 37]) will give a shadow encryption scheme with basically the same efficiency. However, if R is a hard relation (i.e. given v it is infeasible to find an m such that (m, v) ∈ R) the converse seems to be possible only at a loss of efficiency, e.g. by shadow encrypting every bit of the message separately. ....
....of this algorithm is linear in the number of group members. We will later see that in our implementation this can be overcome and the tracing algorithm can also be made independent from the group's size. This problem could as well be solved by using semantically secure encryption (e.g. [29, 37]) instead of shadow encryption. However, finding an instance of the resulting generic group signature scheme with efficient signing and verification procedures is an open problem. We note that a (generic) identity escrow scheme can be obtained from the above scheme by replacing the SPK's in the ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412-426, April 1988.
....privacy even in the critical context where the messages are taken from a small set of plaintexts: it should be impossible for an eavesdropper to distinguish encryptions of distinct values. Such a requirement is captured by the notion of indistinguishability, also known as semantic security [13, 15]. Examples, secure against chosen plaintext attack, include El Gamal [12] (based on the decisional Diffie-Hellman assumption [10]), Naccache-Stern [16] (based on higher residues) and Okamoto-Uchiyama [18] (based on factorization). Our definition exactly follows [2] and uses the same notations. ....
S. Micali, C. Rackoff, and R. Sloan. The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
....It comprises adaptive chosen-message attacks and secrecy of any partial information about the encrypted message. This is the strongest definition considered in cryptography. Several different definitions, both concerning partial information and active attacks, have all been proven equivalent [26, 6]. Hence cryptographers are quite satisfied to have captured the concept adequately. Efficient systems provably secure in this strong sense under reasonable assumptions are known [11]. One defines an encryption system as a triple of polynomial time algorithms (gen, E, D) where gen and E are ....
S. Micali, C. Rackoff, B. Sloan, The Notion of Security for Probabilistic Cryptosystems, SIAM Journal on Computing 17/2 (1988) 412--426
....the definition of the experiment E can be split up into two natural phases: the setup phase, and the actual experiment phase. A classical example is public key encryption, where the setup can choose a random public private key pair, and the actual experiment just encrypts the given message (see [42] for more details on definitions of public key encryption). In this case we might want to let the adversary observe the public part of the setup, and based on that try to come up with: a) some x_0 and x_1 that he claims to distinguish for the case of indistinguishability, or b) distribution D and ....
S. Micali, C. Rackoff, B. Sloan. The Notion of Security for Probabilistic Cryptosystems. In SIAM J. on Computing, 17(2):412-426, 1988.
....a group homomorphism. This is true for any of the standard signature schemes in use today (RSA, DSA, etc. see [2, 24]). 2.2 Probabilistic Encryption Schemes A triple (G, E, D) of probabilistic polynomial time algorithms is a polynomially secure public key encryption system (see for instance [26, 30]) if we have the following: 1. For every output (E, D) ∈ G(1^k) and all messages m ∈ {0,1}^k we have D(E(m) m. 2. For all probabilistic algorithms T and M, all polynomials p( and all sufficiently large k we have Pr [T (1 k ; E; m 0 ; m 1 ; m : E; D) G(1 k ) m 0 ; m 1 ) ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412-426, April 1988.
....This agreement is due in large part to a body of work that has established that numerous other formalizations put forth to capture privacy are actually equivalent to indistinguishability. In particular this is true of semantic security [8] and for a notion of privacy based on computational entropy [14, 10]. These foundational results have since been refined and extended to other settings [7]. These equivalences are a cornerstone of our understanding of privacy, providing evidence that we have in fact found the right formalization. Characterizations. Semantic security captures in perhaps the most ....
S. Micali, C. Rackoff and R. Sloan, The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
....from S to R. Cryptographers are interested in allowing S and R to communicate any number of messages via C, securely. Security means an eavesdropper is unable to read messages M_i through channel C. But what it means for an intruder to read a message can be defined in several different ways [Micali et al.]. We take an information theoretic view: if the intruder is able to gain any information from message M_i we say that he has successfully read the message. In fact, the amount of information that the intruder is able to gain, with respect to the total information contained in the message, is a ....
S. Micali, C. Rackoff, and B. Sloan, "The notion of security for probabilistic cryptosystems", SIAM Journal on Computing, 1988.
.... E(p) does not help in computing F(p) [19]. This definition is known to be equivalent to indistinguishability of encryptions, which says, roughly, that it is hard to find a pair of plaintexts p, p′ such that encryptions of p are polynomial time distinguishable from encryptions of p′ [26, 14]. As it turns out, the difficulty of computing the function F has no role in the proof thus, indistinguishability is equivalent to semantic security with respect to polynomial time computable functions. Indistinguishability of encryptions is also known to be equivalent to semantic security with ....
S. Micali, C. Rackoff, and R. Sloan, The notion of security for probabilistic cryptosystems, SIAM J. Computing 17(2) (1988), pp. 412--426.
....list of coefficients m one sees that the information leaked about the coefficients of f equals the information leaked from the ciphertext of m under E about m. Recall that an encryption scheme that does not leak any information about the messages is called polynomial time indistinguishable (see [7] for further details). Theorem 3. Let E be an additively homomorphic encryption scheme. Then the program constructed in proposition 2 hides polynomials f ∈ Z/NZ[X 1 ; X s ]. Assume further that the used encryption scheme E is polynomial time indistinguishable. Then no information is ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, 1988.
....EKG(1 ) m 0 ; m 1 ) M (y; 1 ) i 2R f0; 1g; d : Enc(y; m i ) 1=2 1=p( Furthermore, as encryption and decryption should be efficient, for all messages m values v such that (m, v) ∈ R must be efficiently computable. Any semantically secure public key encryption scheme (e.g. [29, 37]) will give a shadow encryption scheme with basically the same efficiency. However, if R is a hard relation (i.e. given v it is infeasible to find an m such that (m, v) ∈ R) the converse seems to be possible only at a loss of efficiency, e.g. by shadow encrypting every bit of the message ....
....of this algorithm is linear in the number of group members. We will later see that in our implementation this can be overcome and the tracing algorithm can also be made independent from the group's size. This problem could as well be solved by using semantically secure encryption (e.g. [29, 37]) instead of shadow encryption. However, finding an instance of the resulting generic group signature scheme with efficient signing and verification procedures is an open problem. We note that a (generic) identity escrow scheme can be obtained from the above scheme by replacing the SPK's in the ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
....privacy even in the critical context where the messages are taken from a small set of plaintexts: it should be impossible for an eavesdropper to distinguish encryptions of distinct values. Such a requirement is captured by the notion of indistinguishability, also known as semantic security [11, 13]. Examples, secure against chosen plaintext attack, include El Gamal [10] (based on the decisional Diffie-Hellman assumption [8]), Naccache-Stern [14] (based on higher residues) and Okamoto-Uchiyama [16] (based on factorization). Our definition exactly follows [1] and uses the same notations. ....
S. Micali, C. Rackoff, and R. Sloan. The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
....of prime order; recall one of the goals of our scheme was to be able to work in any group for which the Diffie-Hellman problem is hard. 3.2.2 Symmetric Encryption Security of a symmetric encryption scheme is defined as in [4], in turn an adaptation of the notion of polynomial security as given in [21, 31]. We imagine an adversary A that runs in two stages. During either stage the adversary may query an encryption oracle SYM:enc(K; which, on input x, returns SYM:enc(K; x; r) for a randomly chosen r. In the adversary's find stage she endeavors to come up with a pair of equal length messages, x_0 ....
....and verification is done by simply recomputing the MAC (this is typically true) then there is no difference. Candidate algorithms were discussed in Section 1.1. 3.2.4 Asymmetric Encryption Privacy Against Chosen Plaintext Attack. Our treatment mimics the find-then-guess notion of [4] and follows [21, 31, 20]. The definition is similar to Definition 4, so we state it without further discussion. Definition 6 Let ASYM = ASYM:enc; ASYM:dec; ASYM:key) be an asymmetric encryption scheme and let A be an adversary. The advantage of A in attacking ASYM is Adv Asym A (ASYM) def = 2 Pr h (sk; pk) ASYM:key; ....
S. Micali, C. Rackoff and B. Sloan, The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
....does not leak any information about f except its skeleton is now equivalent to the fact that our encryption function does not leak any information when applied to elements of the message spaces. Encryption schemes that have this strong property are called polynomial time indistinguishable (see [8] for further details). With this background we can summarize the results as follows: Theorem 4 Let E be an additively homomorphic encryption scheme on Z/NZ. Then the protocol of proposition 2 realizes non interactive EEF for polynomials f ∈ Z/NZ[X 1 ; X s ]. Assume further that the used ....
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, 1988.
....of it [26] or RSA [38] are good examples of trapdoor permutations. Call a trapdoor permutation generator G uniform if for all k and all (f, f^-1, d) ∈ [G(1^k)] it is the case that d is the uniform distribution on {0,1}^k. 3 Encryption We have relied on definitional work in [24, 33, 19, 18, 34, 13]. For simplicity we consider adversaries who are nonuniform (polynomial time) algorithms, possibly probabilistic; extensions to the uniform case can be made following [18]. Encryption. We extend the notion of public key encryption [12] to the random oracle model. The scheme is specified by a PPT ....
S. Micali, C. Rackoff and B. Sloan, "The notion of security for probabilistic cryptosystems," SIAM J. of Computing, April 1988.
....it rules out all of the problems listed above. 6.3.3 Definition of Security: Polynomial Time Security Several definitions of security for probabilistic encryption schemes have been proposed and studied in [79, 163, 78]. All definitions proposed so far have been shown to be equivalent in [78, 118]. We provide one definition in detail, due to Goldwasser and Micali [78]. Definition: We say that a probabilistic encryption scheme is polynomial time secure if for all sufficiently large security parameters k, any probabilistic polynomial time procedure that takes as input k (in unary) and a ....
S. Micali, C. Rackoff, and R. H. Sloan. The notion of security for probabilistic cryptosystems. SIAM J. Computing, 17(2):412--426, April 1988.
No context found.
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412-426, April 1988.
No context found.
Silvio Micali, Charles Rackoff, and Robert Sloan. The notion of security for probabilistic cryptosystems. SIJC, 17(2):412--426, 1988.
No context found.
S. Micali, C. Rackoff and B. Sloan, "The notion of security for probabilistic cryptosystems," SIAM J. of Computing, April 1988.
No context found.
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, Apr. 1988. Special issue on cryptography.
No context found.
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988. Special issue on cryptography.
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff and B. Sloan, The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
No context found.
Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412--426, April 1988.
No context found.
Micali, S., Rackoff, C., and Sloan, B. The notion of security for probabilistic cryptosystems. SIAM Journal of Computing 17 (1988), 412--426.
No context found.
Micali, S., Rackoff, C., Sloan, B.: The Notion of Security for Probabilistic Cryptosystems. SIAM Journal on Computing 17 (1988) 412-426
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff, and R. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal of Computing, vol. 17, no. 2 (1988), pp. 412--426.
No context found.
S. MICALI, C. RACKOFF AND R. SLOAN, The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988.
No context found.
S. Micali, C. Rackoff and R. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal on Computing 17, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal of Computing, 17(2):412-426, 1988.
No context found.
Micali, S., Rackoff, C., and Sloan, B. The notion of security for probabilistic cryptosystems. SIAM Journal of Computing 17 (1988), 412--426.
No context found.
S. Micali, C. Rackoff, and B. Sloan, "The notion of security for probabilistic cryptosystems," SIAM Journal on Computing, vol. 17, no. 2, pp. 412--426, 1988.
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
Micali, Rackoff, & Sloan, The Notion of Security for Probabilistic Cryptosystems, SIAM Journal of Computing, 17, April 1988
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.
No context found.
S. Micali, C. Rackoff and R. Sloan, "The notion of security for probabilistic cryptosystems." SIAM J. Computing, Vol. 17, No. 2, April 1988.