librelist archives

« back to archive

Public key crypto question

Public key crypto question

From:
Michael Rogers
Date:
2012-03-14 @ 18:18
Dear list,

I'm looking for a way to use a public key cryptosystem (preferably ECC)
that has the following property:

If a random bitstring is encrypted with the public key, nobody should be
able to distinguish the ciphertext from a random bitstring. In
particular, even the holder of the private key shouldn't be able to
tell, after decrypting the ciphertext with the private key, whether the
ciphertext was encrypted with the public key or whether it was just a
random bitstring.

It seems likely that this property has a name - can anyone tell me what
it is so I can find out more?

Thanks,
Michael

Re: [remailer] Public key crypto question

From:
Yuri Nahum
Date:
2012-03-14 @ 19:32
I don't know this special security property, but it reminds me of
"indistinguishability" or "semantic security".
That means we have an attacker with several known plaintexts and now he
gets a ciphertext of one of those plaintexts. Then he should not be able
to associate the ciphertext to any of those plaintexts.

Note that the cryptosystem should then be able to encrypt the same
plaintext to more ciphertexts. We need this if the adversary is able to
do multiple queries.

I don't know if that is what you thought of, but to me it seems closely
connected at first glance.

All The Best
Yuri



> Dear list,
>
> I'm looking for a way to use a public key cryptosystem (preferably ECC)
> that has the following property:
>
> If a random bitstring is encrypted with the public key, nobody should be
> able to distinguish the ciphertext from a random bitstring. In
> particular, even the holder of the private key shouldn't be able to
> tell, after decrypting the ciphertext with the private key, whether the
> ciphertext was encrypted with the public key or whether it was just a
> random bitstring.
>
> It seems likely that this property has a name - can anyone tell me what
> it is so I can find out more?
>
> Thanks,
> Michael
>

Re: [remailer] Public key crypto question

From:
danimoth
Date:
2012-03-14 @ 19:46
Il giorno mer, 14/03/2012 alle 18.18 +0000, Michael Rogers ha scritto:
> even the holder of the private key shouldn't be able to
> tell, after decrypting the ciphertext with the private key, whether the
> ciphertext was encrypted with the public key or whether it was just a
> random bitstring.

If that happen with probability > negl(n), such scheme would be
incorrect.
You want this happen all the time, or time to time with negligible
probability?

Anyway, (incorrect) is the only definition that's up in my mind right
now...