Welcome back to the lecture.

Last week

we had our introduction into what we are planning to do in this course and we started with the

basic definitions of public key encryption and looked at the most basic construction

of public key encryption that is based on the Diffie-Hellman key exchange which is El

Gamal public key encryption and we had our first security proof of end CPA security of

public key encryption.

So this was rather simple.

The proof had our first game based sequences of games proof and it was kind of a warm up

to catch up with the ideas that were taught in the introduction to modern cryptography

course.

Today's topic is to understand how to define security because as we will look at more complex

primitives that are used in secure messaging we will see that definitions become one of

the complex parts.

So far we are used to look at complex constructions, complex security proofs but the more interaction

our primitives have the more complicated it is to define what we expect from these constructions

particularly what type of security goals we require.

So the overall goal today is to understand how to define security systematically.

And for this we will use the example of key encapsulation mechanisms.

We will in contrast to what we saw last week see stronger adversaries.

And we will briefly look at forward security.

Okay, so this is the abstract roadmap and we will directly jump into the example that

we will use today which is key encapsulation.

Mechanisms.

And as we did also last week for public key encryption we will start with specifying the

syntax so a key encapsulation mechanism, CHEM, is a tuple of three algorithms, GEN, ENG,

and DEC.

And the basic idea is that we have two users Alice and Bob and Bob generates a decapsulation

key and an encapsulation key using algorithm GEN.

And Bob distributes the encapsulation key and Alice and this is the basic very simple

difference to public key encryption.

The encapsulation key outputs a symmetric key and a ciphertext with probabilistic algorithm

encapsulate or ENG just taking as input the public key or as I just called it here encapsulation

key.

Okay, now Alice sends the ciphertext over to Bob who can use the decapsulation algorithm

to obtain the same key using the decapsulation key as well as the ciphertext.

Okay, so this is the basic idea of key encapsulation mechanisms.

As you see here it's basically the same as public key encryption the only difference

is that public key encryption is more abstract and more powerful so public key encryption

can encrypt arbitrary messages whereas key encapsulation mechanisms always encapsulate

symmetric keys.

And instead of taking these symmetric keys that are encapsulated as inputs the encapsulation

algorithm can just produce them internally which allows for better efficiency, better

security guarantees so we don't have to trust the outside environment that produces the

keys that these keys are randomly distributed we just produce them internally by ourselves

with the encapsulation algorithm and so the primitive it knows itself knows that these

keys are good that these keys have enough entropy that these keys then can be treated

as secure symmetric keys.

And the basic purpose of considering key encapsulation mechanisms is that using symmetric keys for

encryption is super simple we know how to do that so we can basically use another primitive