Probabilistic encryption is the use of
randomness
In common usage, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no order and does not follow an intelligible pattern or combination. Individual rand ...
in an
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
algorithm, so that when encrypting the same message several times it will, in general, yield different
ciphertext
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
s. The term "probabilistic encryption" is typically used in reference to
public key
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
encryption algorithms; however various
symmetric key encryption
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
algorithms achieve a similar property (e.g.,
block ciphers when used in a chaining mode such as
CBC), and stream ciphers such as Freestyle
which are inherently random. To be
semantically secure In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the cip ...
, that is, to hide even partial information about the
plaintext
In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.
Overview
With the advent of comp ...
, an encryption algorithm must be
probabilistic.
History
The first provably-secure probabilistic public-key encryption scheme was proposed by
Shafi Goldwasser
en, Shafrira Goldwasser
, name = Shafi Goldwasser
, image = Shafi Goldwasser.JPG
, caption = Shafi Goldwasser in 2010
, birth_place = New York City, New York, U.S.
, birth_date =
, death_date ...
and
Silvio Micali
Silvio Micali (born October 13, 1954) is an Italian computer scientist, professor at the Massachusetts Institute of Technology and the founder of Algorand. Micali's research centers on cryptography and information security.
In 2012, he received ...
, based on the hardness of the
quadratic residuosity problem The quadratic residuosity problem (QRP) in computational number theory is to decide, given integers a and N, whether a is a quadratic residue modulo N or not.
Here N = p_1 p_2 for two unknown primes p_1 and p_2, and a is among the numbers which are ...
and had a message expansion factor equal to the public key size. More efficient probabilistic encryption algorithms include
Elgamal
In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in th ...
,
Paillier, and various constructions under the
random oracle model
In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
, including OAEP.
Security
Probabilistic encryption is particularly important when using
public key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
. Suppose that the
adversary
An adversary is generally considered to be a person, group, or force that opposes and/or attacks.
Adversary may also refer to:
* Satan ("adversary" in Hebrew), in Judeo-Christian religion
Entertainment Fiction
* Adversary (comics), villain fro ...
observes a ciphertext, and suspects that the plaintext is either "YES" or "NO", or has a hunch that the plaintext might be "ATTACK AT CALAIS". When a
deterministic encryption
A deterministic encryption scheme (as opposed to a probabilistic encryption scheme) is a cryptosystem which always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm. Examples o ...
algorithm is used, the adversary can simply try encrypting each of his guesses under the recipient's public key, and compare each result to the target ciphertext. To combat this attack, public key encryption schemes must incorporate an element of randomness, ensuring that each plaintext maps into one of a large number of possible ciphertexts.
An intuitive approach to converting a deterministic encryption scheme into a probabilistic one is to simply pad the plaintext with a random string before encrypting with the
deterministic algorithm
In computer science, a deterministic algorithm is an algorithm that, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states. Deterministic algorithms are by far ...
. Conversely, decryption involves applying a deterministic algorithm and ignoring the random padding. However, early schemes which applied this naive approach were broken due to limitations in some deterministic encryption schemes. Techniques such as
Optimal Asymmetric Encryption Padding (OAEP) integrate random padding in a manner that is secure using any
trapdoor permutation
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "tra ...
.
Examples
Example of probabilistic encryption using any trapdoor permutation:
* ''x'' - ''single bit'' plaintext
* ''f'' -
trapdoor permutation
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "tra ...
(deterministic encryption algorithm)
* ''b'' -
hard core predicate of ''f''
* ''r'' - random string
This is inefficient because only a single bit is encrypted. In other words, the message expansion factor is equal to the public key size.
Example of probabilistic encryption in the random oracle model:
* ''x'' - plaintext
* ''f'' -
trapdoor permutation
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "tra ...
(deterministic encryption algorithm)
* ''h'' -
random oracle (typically implemented using a publicly specified
hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
)
* ''r'' - random string
See also
*
Deterministic encryption
A deterministic encryption scheme (as opposed to a probabilistic encryption scheme) is a cryptosystem which always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm. Examples o ...
*
Efficient Probabilistic Public-Key Encryption Scheme
*
Strong secrecy
References
{{Reflist
External links
* Shafi Goldwasser and Silvio Micali
Probabilistic Encryption Special issue of Journal of Computer and Systems Sciences, Vol. 28, No. 2, pages 270-299, April 1984
*Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionary attack
Theory of cryptography