## Lecture 5

Today’s lecture finished up on message authentication, and began talking about the public-key setting. All public-key crypto requires some basic algebra/number theory, so we started covering the needed prerequisites.

Slides are posted on the course syllabus as always.

This blog has been pretty quiet! Are there no questions/comments?

Advertisements

### 2 Responses to “Lecture 5”

1. akindred Says:

I have a question, could you clarify between the different types of plaintext attacks? I see there are three basic ones; ciphertext only, known plaintext, and chosen plaintext. What are the differences and similarities?

2. jonkatz Says:

The similarity in all these cases is how security is defined: the scheme is secure if, for all possible equal-length messages m’0, m’1, the adversary can’t tell whether a given ciphertext C = Enc_k(m’) (for m’ \in {m’0,m’1}) is an encryption of m’0 or m’1.

The difference is in the adversary’s power:
1) For a ciphertext-only attack, the adversary just gets C and that is it.

2) A known-plaintext attack isn’t formally defined, but roughly this means that in addition to C the adversary is given a bunch of plaintext/ciphertext pairs (m1, Enc_k(m1)), …, all encrypted using the same key that was used to encrypt C itself.

3) In a chosen-plaintext attack the adversary is given C and also has the ability to *request* encryptions of messages of its choice, using the same key k that was used to encrypt C itself. So the adversary is given (m1, Enc_k(m1)), (m_2, Enc_k(m2)), … for m_1, … of the adversary’s choice. Note in particular that it is allowed for mi \in {m’0, m’1}. This is why security against chosen-plaintext attacks required encryption to be randomized.