Lecture 10 Asymmetric Encryption

Recall that in the last lecture we discussed cryptographic security in the symmetric setting. The typical arrangement is that Alice and Bob share a common key that they use for encryption and decryption. This shared secret creates an distinction between the communicating parties (Alice and Bob) and the adversarial eavesdropper (Eve). The goal in this setting is to ensure that without the shared secret key, Eve will not be able to learn anything about the messages being sent between Alice and Bob (except, of course, the fact that Alice and Bob are communicating via messages from a known space). Perfect secrecy (equivalently, Shannon secrecy) is typically impractical in the symmetric setting because it requires that the shared key be at least as large as any message sent, and each key may only be used once. For practicality, we relaxed our notion of perfect secrecy to allow for a computationally bounded adversary, and we arrived at the notion of indistinguishability under (adaptive) chosen plaintext attack (IND-CPA). In this security notion, we allow a computationally bounded adversary access to an encryption oracle Enck(·) and a challenge oracle Ck(·, ·). The adversary may make (a polynomially bounded number of) calls to the encryption oracle, adapting its queries to the answers it has already received. The adversary may make a single call to the challenge oracle, passing two messages of his choice. The challenge oracle encrypts one of the two messages (determined by the bit b) and returns the ciphertext to the adversary. The adversary examines the returned ciphertext and attempts to determine which of the two messages was encrypted. If there does not exist any efficient adversary that can tell which message was encrypted (with better than negligible advantage), then the scheme is considered IND-CPA secure. Formally, the pairs of oracle