Public key encryption

A public key encryption (PKE) scheme allows anyone to encrypt a message to a receiver using a public key, while only the holder of the corresponding secret key can decrypt. This enables secure communication over untrusted channels without a pre-shared secret, unlike SKE.

Syntax

A PKE scheme is a tuple of efficient algorithms $PKE = (KeyGen, Enc, Dec)$ with respect to secret keyspace $K_{sk}$ , public keyspace $K_{pk}$ , message space $M$ , and ciphertext space $C$ :

$KeyGen (1^{λ}) \to (sk, pk),$ is a randomized algorithm which samples a secret key $sk \in K_{sk}$ and public key $pk \in K_{pk}$ ,
$Enc (pk, m) \to c,$ is a randomized algorithm which takes a public key $pk \in K_{pk}$ and message $m \in M$ , outputting a ciphertext $c \in C$ ,
$Dec (sk, c) \to m,$ is a deterministic algorithm which takes a secret key $sk \in K_{sk}$ and ciphertext $c \in C$ , outputting a message $m \in M$ or $⊥$ to indicate an invalid ciphertext.

Properties

Correctness

A PKE scheme $PKE = (KeyGen, Enc, Dec)$ is $(1 - ε)$ -correct if for all $λ \in N$ and $m \in M$ ,

Pr [Dec (sk, Enc (pk, m)) = m] \geq 1 - ε,

over the choice of $(sk, pk) \leftarrow KeyGen (1^{λ})$ and randomness of $Enc .$ When $ε = 0$ , we say $PKE$ is perfectly correct.

CPA Security

The CPA game therefore takes the form of a single challenge: the adversary receives $pk$ , submits two messages, and tries to determine which was encrypted. Note that the adversary themselves can encrypt messages with $pk .$

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{cpa}}_{\PKE,\calA}(\secpar)$}
\begin{algorithmic}
\State $(\sk, \pk) \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $(m_0, m_1, \stA) \gets \calA(1^\secpar, \pk)$
\State $c^* \gets \Enc(\pk, m_b)$
\State $b' \gets \calA(c^*, \stA)$
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

A PKE scheme $PKE$ is CPA-secure if for all efficient $A$ ,

Adv_{PKE, A}^{cpa} (λ) := 2 Pr [G_{PKE, A}^{cpa} (λ) = 1] - 1

is negligible.

CCA Security

In the chosen-ciphertext attack (CCA, or IND-CCA2) game, the adversary additionally has access to a decryption oracle $D$ in two phases: before submitting $(m_{0}, m_{1})$ , and after receiving the challenge $c^{*}$ . To avoid a trivial win, $A$ is admissible: it may not query $D$ on $c^{*}$ itself.

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{cca}}_{\PKE,\calA}(\secpar)$}
\begin{algorithmic}
\State $(\sk, \pk) \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calD(c) := \Dec(\sk, c)$
\State $(m_0, m_1, \stA) \gets \calA^{\calD}(1^\secpar, \pk)$
\Comment{Phase 1: $\calA$ may query $\calD$ freely}
\State $c^* \gets \Enc(\pk, m_b)$
\State $b' \gets \calA^{\calD}(c^*, \stA)$
\Comment{Phase 2: $\calA$ may not query $\calD$ on $c^*$}
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

A PKE scheme $PKE$ is CCA-secure if for all admissible efficient $A$ ,

Adv_{PKE, A}^{cca} (λ) := 2 Pr [G_{PKE, A}^{cca} (λ) = 1] - 1

is negligible. The admissibility restriction is necessary: without it, $A$ trivially wins by querying $D (c^{*})$ to learn $m_{b}$ .

Variations

CCA1 Security

CCA1 (also called the lunchtime attack) is an intermediate notion between CPA and CCA2. The adversary has access to the decryption oracle only in Phase 1, before seeing the challenge ciphertext; no decryption queries are permitted after $c^{*}$ is revealed. CCA1 is strictly weaker than CCA2 and strictly stronger than CPA.

Key-hiding

TODO

Other results

PKE implies OWF
TDP implies PKE
PKE can be built assuming DDH is hard — DH76
PKE can be built assuming Mid-noise LPN

Cryptology City

Explorer