Re: ciphertext-only attacks

From: Alex (ay43_at_pantheon.yale.edu)
Date: 02/23/04 

Date: 22 Feb 2004 17:19:53 -0800

daw@taverner.cs.berkeley.edu (David Wagner) wrote in message news:<c18spj$1hcv$1@agate.berkeley.edu>...
> Alex wrote:
> >(2) Does anyone know of a paper, which gives a formal proof of
> >ciphertext-only attack security for a similar scheme --> possibly by
> >reducing adversary to algorithm for factoring integers.
>
> No. Actually, it's a little tricky to define just what you mean
> by ciphertext-only security. But I guess the latter is a moot question,
> since ciphertext-only security is pretty uninteresting; if you don't have
> security against known-plaintext attacks, the system is pretty worthless.
>
> While we're on the topic of privacy homomorphisms, you might enjoy the
> following paper. It shows how to break a different privacy homomorphism
> scheme proposed by Domingo-Ferrer. That scheme was also claimed to be
> provably secure, but it turns out that what was proven falls far short
> of what's needed for security.
> http://www.cs.berkeley.edu/~daw/papers/domingo-isc03.ps

Thanks, David.
In fact, the reason I switched to this privacy homomorphism was
because I encountered your paper that the other one was totally
insecure :-)
This one has not been broken yet, but no formal proof of security for
it exists -- only a conjecture that it's secure against plaintext
attacks.

-Aleksandr

Loading