Beefing up public-key encryption

By By Larry Hardesty, MIT News Office | 19 Feb 2013

Most financial transactions on the Internet are safeguarded by a cryptographic technique called public-key encryption. Where traditional encryption relies on a single secret key, shared by both sender and recipient, public-key encryption uses two keys that are mathematically related. One, the public key, is published on the internet, and any sender can use it to encrypt a message; the second, the private key, is known only to the recipient and is required for decryption.

Standard public-key encryption is secure as long as an attacker knows nothing other than the public key. But financial institutions and other large organisations seek security against more sophisticated attacks, called chosen-ciphertext attacks (CCAs), in which the attacker also has examples of successful decryption.

Unfortunately, public-key encryption schemes that are resilient against CCAs are hard to devise. Their complexity means that software implementations are prone to small errors that can introduce both vulnerabilities and inaccuracies during decryption.

At the International Conference on the Theory and Applications of Cryptographic Techniques this spring, a pair of postdocs at MIT's Computer Science and Artificial Intelligence Laboratory describe a new technique for taking one of these vulnerable, error-prone CCA schemes and turning it into a secure CCA scheme.

The result could be of practical use, in the development of more-secure encryption protocols, but it could also provide theoretical insight into the very nature of cryptographic security.

Playing the odds
In cryptography circles, a message to be encoded is called a plaintext; the encrypted version of it is called a ciphertext. An encryption scheme is considered secure if even someone who knows two plaintexts in advance would find it virtually impossible to deduce which of two ciphertexts encodes which.