- Public key crypto question by Michael Rogers
- Re: [remailer] Public key crypto question by Yuri Nahum
- Re: [remailer] Public key crypto question by danimoth

- From:
- Michael Rogers
- Date:
- 2012-03-14 @ 18:18

Dear list, I'm looking for a way to use a public key cryptosystem (preferably ECC) that has the following property: If a random bitstring is encrypted with the public key, nobody should be able to distinguish the ciphertext from a random bitstring. In particular, even the holder of the private key shouldn't be able to tell, after decrypting the ciphertext with the private key, whether the ciphertext was encrypted with the public key or whether it was just a random bitstring. It seems likely that this property has a name - can anyone tell me what it is so I can find out more? Thanks, Michael

- From:
- Yuri Nahum
- Date:
- 2012-03-14 @ 19:32

I don't know this special security property, but it reminds me of "indistinguishability" or "semantic security". That means we have an attacker with several known plaintexts and now he gets a ciphertext of one of those plaintexts. Then he should not be able to associate the ciphertext to any of those plaintexts. Note that the cryptosystem should then be able to encrypt the same plaintext to more ciphertexts. We need this if the adversary is able to do multiple queries. I don't know if that is what you thought of, but to me it seems closely connected at first glance. All The Best Yuri > Dear list, > > I'm looking for a way to use a public key cryptosystem (preferably ECC) > that has the following property: > > If a random bitstring is encrypted with the public key, nobody should be > able to distinguish the ciphertext from a random bitstring. In > particular, even the holder of the private key shouldn't be able to > tell, after decrypting the ciphertext with the private key, whether the > ciphertext was encrypted with the public key or whether it was just a > random bitstring. > > It seems likely that this property has a name - can anyone tell me what > it is so I can find out more? > > Thanks, > Michael >

- From:
- danimoth
- Date:
- 2012-03-14 @ 19:46

Il giorno mer, 14/03/2012 alle 18.18 +0000, Michael Rogers ha scritto: > even the holder of the private key shouldn't be able to > tell, after decrypting the ciphertext with the private key, whether the > ciphertext was encrypted with the public key or whether it was just a > random bitstring. If that happen with probability > negl(n), such scheme would be incorrect. You want this happen all the time, or time to time with negligible probability? Anyway, (incorrect) is the only definition that's up in my mind right now...