Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Probabilistic encryption
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{Short description|Use of randomness in key code generation}} '''Probabilistic encryption''' is the use of [[randomness]] in an [[encryption]] algorithm, so that when encrypting the same message several times it will, in general, yield different [[ciphertext]]s. The term "probabilistic encryption" is typically used in reference to [[public key cryptography|public key]] encryption algorithms; however various [[symmetric key encryption]] algorithms achieve a similar property (e.g., [[block ciphers]] when used in a chaining mode such as [[Cipher block chaining|CBC]]), and stream ciphers such as Freestyle<ref>{{Cite journal|last=Puthuparambil|first=Arun Babu|last2=Thomas|first2=Jithin Jose|date=2019-12-01|title=Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionary attacks|journal=Journal of Information Security and Applications|language=en|volume=49|pages=102396|doi=10.1016/j.jisa.2019.102396|arxiv=1802.03201|issn=2214-2126}}</ref> which are inherently random. To be [[semantic security|semantically secure]], that is, to hide even partial information about the [[plaintext]], an encryption algorithm must be [[randomized algorithm|probabilistic]]. == History == The first provably-secure probabilistic public-key encryption scheme was proposed by [[Shafi Goldwasser]] and [[Silvio Micali]], based on the hardness of the [[quadratic residuosity problem]] and had a message expansion factor equal to the public key size. More efficient probabilistic encryption algorithms include [[ElGamal encryption|Elgamal]], [[Paillier]], and various constructions under the [[random oracle model]], including OAEP. == Security == Probabilistic encryption is particularly important when using [[public key cryptography]]. Suppose that the [[Adversary (cryptography)|adversary]] observes a ciphertext, and suspects that the plaintext is either "YES" or "NO", or has a hunch that the plaintext might be "ATTACK AT CALAIS". When a [[deterministic encryption]] algorithm is used, the adversary can simply try encrypting each of their guesses under the recipient's public key, and compare each result to the target ciphertext. To combat this attack, public key encryption schemes must incorporate an element of randomness, ensuring that each plaintext maps into one of a large number of possible ciphertexts. An intuitive approach to converting a deterministic encryption scheme into a probabilistic one is to simply pad the plaintext with a random string before encrypting with the [[deterministic algorithm]]. Conversely, decryption involves applying a deterministic algorithm and ignoring the random padding. However, early schemes which applied this naive approach were broken due to limitations in some deterministic encryption schemes. Techniques such as [[Optimal Asymmetric Encryption Padding]] (OAEP) integrate random padding in a manner that is secure using any [[trapdoor permutation]]. == Examples == Example of probabilistic encryption using any trapdoor permutation: * ''x'' - ''single bit'' plaintext * ''f'' - [[trapdoor permutation]] (deterministic encryption algorithm) * ''b'' - [[hard core predicate]] of ''f'' * ''r'' - random string <math> {\rm Enc}(x) = (f(r), x \oplus b(r)) </math> <math> {\rm Dec}(y, z) = b(f^{-1}(y)) \oplus z </math> This is inefficient because only a single bit is encrypted. In other words, the message expansion factor is equal to the public key size. Example of probabilistic encryption in the random oracle model: * ''x'' - plaintext * ''f'' - [[trapdoor permutation]] (deterministic encryption algorithm) * ''h'' - [[random oracle]] (typically implemented using a publicly specified [[cryptographic hash function|hash function]]) * ''r'' - random string <math> {\rm Enc}(x) = (f(r), x \oplus h(r)) </math> <math> {\rm Dec}(y, z) = h(f^{-1}(y)) \oplus z </math> ==See also== * [[Deterministic encryption]] * [[Efficient Probabilistic Public-Key Encryption Scheme]] * [[Strong secrecy]] ==References== {{Reflist}} ==External links== * Shafi Goldwasser and Silvio Micali, [https://web.archive.org/web/20090319000035/http://groups.csail.mit.edu/cis/pubs/shafi/1984-jcss.pdf Probabilistic Encryption], Special issue of Journal of Computer and Systems Sciences, Vol. 28, No. 2, pages 270-299, April 1984 *Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionary attacks [https://github.com/arun-babu/freestyle]. [[Category:Theory of cryptography]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Cite journal
(
edit
)
Template:Reflist
(
edit
)
Template:Short description
(
edit
)