### Public Key Encryption [chapter]

Qijun Gu, Pascal Paillier, Tanja Lange, Edlyn Teske, Darrel Hankerson, Alfred Menezes, David Zhang, Feng Yue, Wangmeng Zuo, Jean-Jacques Quisquater, Gildas Avoine, Gerald Brose (+73 others)
2011 Encyclopedia of Cryptography and Security
Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion of security for this primitive, i.e. Semantic Security. We will discuss an alternative formulation of the semantic security definition that is sometimes more intuitive to work with. Finally, we will give two examples of semantically-secure public-key encryption schemes, namely the El-Gamal Encryption and the Paillier Encryption schemes. Throughout the sequel, we denote the security
more » ... rameter by λ. A public-key encryption (PKE) scheme E = (G, E, D) consists of three algorithms. • The key generation algorithm G takes as input the security parameter λ in unary form and outputs a pair (P K, SK), the public key and secret key for E. That is (P K, SK) ← G(1 λ ). • The encryption algorithm E takes as input a public key P K and a message m and outputs a ciphertext c. That is, c ← E(P K, m). • The decryption algorithm D takes as input a secret key SK and a ciphertext c and outputs a message m. That is m ← D(SK, m). Usually, the key generation and encryption algorithms are probabilistic while the decryption algorithm is deterministic 1 . The correctness property of the PKE scheme E is defined as: The most basic notion of security for a PKE encryption scheme E is Semantic Security or Indistinguishability. As usual, we define this notion in terms of a game between a challenger 1 The encryption algorithm must be probabilistic, even to satisfy the most basic notion of security for PKE schemes. The decryption algorithm may be probabilistic, but for most PKE schemes it is possible to derandomize the The task of the adversary A in this definition is to distinguish between these two games and its advantage against the encryption scheme E is defined as: A public-key encryption scheme E is said to be secure under this definition is the advantage AdvDist A is negligible for any probabilistic polynomial-time adversary A. We will now show L8-2