On Sun, May 07, 2000 at 01:27:31PM -0400, dmolnar wrote:
> 1) is the term "indeterministic cryptosystem" formally
> defined anywhere?
It sounds kind of like "probabilistic encryption" which is a standard
term. Maybe they're the same thing?
> 2) has anyone followed up on "How to Break..." with a
> characterization of what properties of a cryptosystem
> are desirable for a mix-net? Off the top of my head,
> the notion of "non-malleability" seems sufficient to
> prevent the attacks mentioned in that paper.
I don't think so, but it's not hard to make up a suitable definition of
security. We could call it "mixability": an attacker, given a list of
ciphertexts, a randomized list of their decryptions, and access to a
decryption oracle that would decrypt any ciphertext except the ones in
the list, can't do substantially better than chance at matching up the
ciphertexts with the plaintexts. This is obviously no stronger than
indistinguishability under adaptive chosen-ciphertext attack, which in
turn is equivalent to non-malleability under adaptive chosen-ciphertext
attack. See
http://www.cs.ucdavis.edu/~rogaway/papers/relations-abstract.html for the
proof.
> You might also want a cryptosystem to be
> what I call "recipient-hiding" -- a ciphertext gives
> up no information about to whom it has been encrypted.
Can you elaborate on how "recipient-hiding" might help?
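The "mixability" game described above, worked through as an added example that is not part of this thread: a toy malleable stream-style cipher beside its encrypt-then-MAC variant, an oracle that refuses the listed ciphertexts, and an attacker that mauls each ciphertext and asks the oracle. The key, the one-byte messages and the scheme itself are constructed for the demo and stand in for no real system.

```python
import hashlib
import hmac
import os
import random

KEY = b"constructed-demo-key"            # constructed for the demo, not a real key
MSGS = [10, 20, 30, 40, 50, 60, 70, 80]  # constructed distinct one-byte plaintexts

def _prf(key, r):
    return hashlib.sha256(key + r).digest()[0]   # one keystream byte per nonce

def enc_malleable(key, m):
    # Random 8-byte nonce, then m XOR keystream. Flipping a ciphertext bit
    # flips the same plaintext bit, i.e. the scheme is malleable.
    r = os.urandom(8)
    return r + bytes([m ^ _prf(key, r)])

def dec_malleable(key, c):
    return c[8] ^ _prf(key, c[:8])

def enc_authenticated(key, m):
    # Encrypt-then-MAC: the tag binds nonce and payload, so mauled ciphertexts are rejected.
    body = enc_malleable(key, m)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def dec_authenticated(key, c):
    body, tag = c[:9], c[9:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None                      # reject: ciphertext was modified
    return dec_malleable(key, body)

def mauling_attacker(cts, shuffled, oracle):
    # Flip the low bit of each payload byte (index 8) and ask the oracle. If it
    # answers, m' = m XOR 1 reveals m; if it refuses, fall back to a random guess.
    guesses = []
    for c in cts:
        mauled = c[:8] + bytes([c[8] ^ 1]) + c[9:]
        m_prime = oracle(mauled)
        guesses.append(m_prime ^ 1 if m_prime is not None else random.choice(shuffled))
    return guesses

def mixability_game(enc, dec, attacker, msgs=MSGS):
    # Returns how many ciphertext/plaintext pairs the attacker matched correctly.
    cts = [enc(KEY, m) for m in msgs]
    shuffled = random.sample(msgs, len(msgs))
    def oracle(c):
        if c in cts:
            raise ValueError("oracle refuses to decrypt a challenge ciphertext")
        return dec(KEY, c)
    return sum(g == m for g, m in zip(attacker(cts, shuffled, oracle), msgs))
```

With the malleable scheme the attacker matches every pair; with the authenticated one the oracle rejects each mauled query and the score falls to chance.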