Questions tagged [indistinguishability]

Ciphertext indistinguishability is a property of randomised encryption schemes where it is computationally infeasible to tell whether two ciphertexts are encryptions of the same plaintext.

Ciphertext indistinguishability is a property of randomised encryption schemes where each possible plaintext has a large number of possible encryptions. For indistinguishability, it should be computationally infeasible to tell if two encryptions were created from the same plaintext. More specifically, given a plaintext and a choice of two ciphertexts (one of which is an encryption of the plaintext and the other of which is not), it should be computationally infeasible to guess the correct ciphertext with probability significantly greater than 1/2.

73 questions
14 votes, 5 answers

Does Grover's algorithm really threaten symmetric security proofs?

By Shannon's theorem of perfect security, if I give you a ciphertext 'LOUPL', you can do a brute-force attack and then you would find plaintexts like 'HELLO', 'APPLE', 'SPOON', but you can't distinguish the true plaintext from the fake one, unless…
5 votes, 1 answer

What is the definition of function index

I'm reading through Indistinguishability Obfuscation from Well-Founded Assumptions and in Definition 3.1 describing sPRG, it mentions "samples a function index I." Can someone explain what a function index is in this context?
Kamaroyl
4 votes, 1 answer

Distinguishers and next bit predictors without the uniform distribution

Consider a probability distribution $D$ over $n$ bit strings. Denote $U$ to be the uniform distribution over $n$ bit strings and $U_{n}$ to be the uniform distribution over integers $\{1, 2, \ldots, n\}$. Consider the following two equivalent…
4 votes, 1 answer

Are there different definitions of secure two-party computation?

While reading tutorials on two-party computation I encountered two (at least formally) different definitions of security (with semi-honest adversaries). What I want to know is whether these definitions are actually different or can be shown to be…
4 votes, 1 answer

Hybrid argument without efficient samplability

Let's say I have $k$ distributions, where $k$ is polynomially large, $D_1, D_2, \ldots, D_k$ such that each $D_i$ is computationally indistinguishable from the uniform distribution. Is it true that the distribution $D_1 D_2 \ldots D_k$ is also…
BlackHat18
4 votes, 1 answer

How to explain indistinguishability obfuscation (iO) to my grandmother?

At the risk of oversimplification, how do I explain indistinguishability obfuscation (iO) to my grandmother?
Nathan Aw
3 votes, 0 answers

Is it necessary for a round function $F$ in a Feistel cipher to be pseudorandom?

I stumbled across this question where the questioner asked for specific requirements for the round function $F$ in a Feistel network so that the construction is secure. The answer explained that a pseudorandom function in a four round Feistel cipher…
3 votes, 0 answers

Should I normalize adversary's advantage in IND-XXX Game?

Cryptography Made Simple (Nigel Smart, page 207, under Fig 11.12) says that the adversary's advantage in the IND-PASS game is $Adv1 = 2\times|Pr[b=b']-\frac{1}{2}|$. The reason for multiplying by 2 is to normalize the advantage from $[0,\frac{1}{2}]$ to…
3 votes, 1 answer

Hint-LWE and decisional LWE

In the decisional LWE problem, we distinguish between the LWE sample $(a \cdot s + e = b, a)$ (where $s$ and $e$ are drawn from a Gaussian distribution) and $(u, a)$ for a uniformly random $u$. Can you distinguish between $(b, a, h)$ and $(u, a, h)$…
oracle
3 votes, 1 answer

Is the first bit preserving version of a PRG also a PRG?

Given that $G$ is a pseudorandom generator from $\{0,1\}^n$ to $\{0,1\}^{l(n)}$, $G'$ defined as follows: $G'(s) = \begin{cases} G(s) \space \text{if the first bit of s and G(s) are the same} \\ G(s)\oplus 100\cdots0 \space \text{if the first…
3 votes, 1 answer

Hybrid argument for repeated but alternating sequence

In the usual hybrid argument, it is shown that if two efficiently samplable distributions, $X$ and $Y$, are indistinguishable given a single sample, then they remain indistinguishable with any polynomial number of samples (say $N$). This is proved…
manta
3 votes, 1 answer

Hybrid argument for quantum states

The usual hybrid argument tells us that if two efficiently sampled ensembles are computationally indistinguishable based on a single sample, then computational indistinguishability holds even for polynomially many independent samples. My question…
manta
3 votes, 2 answers

Privacy intuition vs formal definition

Suppose we define privacy as a game where a machine $M$ has a coin $b$, and on input $M_0, M_1$ always replies with encrypted $M_0$ if $b=0$ and encrypted $M_1$ if $b=1$. The adversary can send as many pairs $M_0, M_1$ as he wants. The goal is to…
pintor
2 votes, 1 answer

How small is the negligible advantage for DDH?

The well-known Decisional Diffie-Hellman assumption (DDH) asserts that for any $n = \log q$ and generator $g$ of $\mathbb{Z}_q$, for uniformly i.i.d. $A, B, C \sim U(\mathbb{Z}_q)$, the following are indistinguishable for any PPT $M$: $g^A, g^B, g^C$…
2 votes, 2 answers

Ideal cipher vs Ideal encryption scheme

An ideal cipher is a random permutation for every key in its key space, and an ideal encryption scheme is one which has perfect secrecy/indistinguishability. For an encryption scheme, a random permutation from plaintext space to ciphertext space…