Review of Foundations of Cryptography II : Basic Applications ∗

This volume is the second in a series that aims at elucidating the foundations of cryptography. The first volume, Foundations of Cryptography: Basic Tools, emphasized the basic computational tools needed to study cryptography; this volume applies these tools to the design of practical schemes for encryption, digital signatures, and general cryptographic protocols. Throughout both volumes, Goldreich advocates a particular approach to reasoning about security, characterized by the following very plausible starting point: we can make no assumption as to the strategies of adversaries. In fact, the only assumption that can be justified is an assumption on the computational abilities of adversaries. (For instance, the adversary may only be able to perform probabilistic polynomial-time computations.) This leads to very natural models in terms of computational complexity. From this point of view, many cryptographic constructs can exist only if some hard problems exist. This makes the existence of cryptographic constructs dependent on complexity-theoretic assumptions, such as the existence of one-way functions. I will return to this point shortly. The main technique for reasoning about security in this setting is the simulation paradigm: a scheme is secure if whatever a feasible adversary can obtain after attacking it is also feasibly attainable in an "ideal setting". For example, an encryption scheme is secure if whatever information an adversary can obtain after eavesdropping on an encrypted message sent over an insecure channel, he could already obtain by eavesdropping on the same communication performed over a private channel; in other words, he may as well guess what the message is.
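The "real world versus ideal world" comparison behind the simulation paradigm can be made concrete as a small experiment. The following Python snippet is an added illustration, not code from Goldreich's book or from the review; the two toy ciphers, the chosen message pair and the adversary's decision rule are all assumptions made for this example. An adversary is shown one ciphertext of a message it knows to be one of two candidates (the insecure channel) and tries to tell which; in the ideal setting it sees only the message length (all that a private channel leaks) and can do no better than guess. A one-time pad leaves the real-world adversary no better off than the ideal-world one, while a pad that reuses a single key byte lets it win every time.

```python
"""Single-message distinguishing game in the spirit of the simulation
paradigm. Added example with constructed toy schemes; not from the book."""
import secrets
from typing import Callable, Optional


def otp_encrypt(m: bytes) -> bytes:
    """One-time pad: a fresh uniformly random key as long as the message."""
    k = secrets.token_bytes(len(m))
    return bytes(a ^ b for a, b in zip(m, k))


def repeating_key_encrypt(m: bytes) -> bytes:
    """Deliberately weak toy cipher (an assumption for this example): one
    random key byte is reused at every position, so c[i] ^ c[j] == m[i] ^ m[j]
    and equality of message bytes survives into the ciphertext."""
    k = secrets.token_bytes(1)[0]
    return bytes(b ^ k for b in m)


# Constructed candidate messages: same length, differ in whether the first
# two bytes are equal. The adversary is told these two are the only options.
M0 = b"AAAAAAAA"
M1 = b"ABABABAB"


def adversary_real(ct: bytes) -> int:
    """Real world: the adversary sees the ciphertext on the insecure channel.
    It guesses M1 exactly when the first two ciphertext bytes differ."""
    return 1 if ct[0] != ct[1] else 0


def adversary_ideal(length: int) -> int:
    """Ideal world: a private channel leaks only the message length, which is
    the same for M0 and M1, so the adversary can only flip a coin."""
    return secrets.randbits(1)


def success_rate(enc: Optional[Callable[[bytes], bytes]], trials: int) -> float:
    """Fraction of trials in which the adversary identifies the chosen message.
    enc=None runs the ideal-world game (no ciphertext is shown)."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbits(1)
        m = (M0, M1)[b]
        guess = adversary_ideal(len(m)) if enc is None else adversary_real(enc(m))
        wins += int(guess == b)
    return wins / trials


if __name__ == "__main__":
    n = 4000
    print("ideal world (guessing):   ", success_rate(None, n))
    print("real world, one-time pad: ", success_rate(otp_encrypt, n))
    print("real world, repeated byte:", success_rate(repeating_key_encrypt, n))
```

With the one-time pad, every ciphertext is uniformly distributed regardless of which message was sent, so the adversary's rule fires with the same probability in both cases and its success rate stays at about one half, the same as in the ideal world; with the repeating-byte pad the equality pattern of the plaintext leaks through and the rate is exactly 1. The gap between the real-world and ideal-world success rates is the quantity the simulation paradigm requires to be negligible.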