[Cryptography] We need a new encryption algorithm competition.

Jerry Leichter leichter at lrw.com
Wed Mar 19 22:11:48 EDT 2014


On Mar 19, 2014, at 5:02 PM, Nico Williams <nico at cryptonector.com> wrote:
> Eh, this is if you know the one bit of the plaintext encrypted with
> RSA, but that plaintext is generally a randomly chosen key for a
> symmetric cryptosystem used to protect the real plaintext of the
> message....
Hmm.  A day or so back, I sent one message explaining why MITM was a meaningless concept in one usage of DH, and got the response "but DH is vulnerable to MITM".  Here, I described an attack explaining why you want to use asymmetric crypto such as RSA to establish a key for a symmetric crypto system, rather than directly encrypting semantically meaningful information ... and the response is that the attack isn't relevant because we use RSA to encrypt keys for symmetric cryptosystems.

Either my writing has become very unclear, or some of my correspondents aren't bothering to read what I wrote before responding with canned repetitions of well-known cryptographic principles, whether they are relevant to the situation at hand or not.

So for this one, let me repeat myself:  The Goldwasser/Micali/Tong paper shows why you should not encrypt semantically meaningful messages using an asymmetric key system.  The fact that anyone can send a message using the same public key means it's possible to turn the recipient into an oracle for information about the message, which may leak enough information to allow the message to be decrypted.  That's why, *independent of performance considerations*, it's best to use an asymmetric key system to establish keying information for a symmetric key system.  When used this way, the data sent is random and not directly meaningful to the recipient, so it's harder (probably not impossible, but much harder) to turn the recipient into an oracle.
                                                        -- Jerry
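
The oracle Jerry describes, worked through as an added example: this code is not part of the original message or of the Goldwasser/Micali/Tong paper. It models a recipient that decrypts textbook (unpadded) RSA and whose observable behaviour depends on one bit of the result, and shows that anyone holding the public key can recover a semantically meaningful message from the ciphertext alone. The moduli, the message and the recipient model are constructed for illustration.

```python
"""Added example (not from the original message): a textbook-RSA recipient
that leaks one bit about each decryption becomes a decryption oracle.

Toy parameters chosen for speed, not a recommendation.  Two Mersenne
primes are used so the modulus is certainly a product of two primes.
"""
import math
from fractions import Fraction

P = 2**61 - 1          # Mersenne prime
Q = 2**31 - 1          # Mersenne prime
N = P * Q              # 92-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)


def rsa_encrypt(m: int) -> int:
    """Textbook RSA, no padding: anyone holding (N, E) can call this."""
    assert 0 <= m < N
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """The recipient's private operation."""
    return pow(c, D, N)


def recipient_oracle(c: int) -> bool:
    """Models a recipient whose observable behaviour (an error message, a
    timing difference, a reply) depends on one bit of the decrypted message.
    Here the leak is the low bit; any single consistent bit would do."""
    return rsa_decrypt(c) & 1 == 1


def recover_plaintext(c: int, oracle) -> int:
    """Recover m from c using only the public key and the one-bit oracle.

    Textbook RSA is malleable: c * (2**E) mod N decrypts to 2*m mod N.
    Because N is odd and m < N, 2*m mod N is odd exactly when 2*m >= N,
    i.e. when m lies in the upper half of [0, N).  Multiplying by 2**i
    halves the candidate interval on each query; after N.bit_length()
    queries the interval is narrower than 1 and holds a single integer."""
    lo, hi = Fraction(0), Fraction(N)
    two_e = pow(2, E, N)
    for _ in range(N.bit_length()):
        c = (c * two_e) % N          # now decrypts to 2**i * m mod N
        mid = (lo + hi) / 2
        if oracle(c):
            lo = mid                 # odd  -> wrapped past N -> upper half
        else:
            hi = mid                 # even -> no wrap        -> lower half
    return math.ceil(lo)             # the unique integer in [lo, hi)


def demo() -> bytes:
    """Encrypt a constructed, meaningful message and recover it via the oracle."""
    plaintext = b"ATTACK 0600"        # 88 bits, fits below the 92-bit N
    m = int.from_bytes(plaintext, "big")
    c = rsa_encrypt(m)
    recovered = recover_plaintext(c, recipient_oracle)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The attack needs one oracle query per bit of the modulus and never touches the private key; what it exploits is that the recipient does something observable with a plaintext the attacker could shape by multiplying the ciphertext. When the RSA-encrypted value is instead a fresh random symmetric key, the recipient only feeds it to the symmetric layer, so the attacker must extract a bit of an unknown random key through that layer rather than read it off the recipient's reaction to a meaningful message, which is the "much harder" in the message above. Padding schemes such as RSA-OAEP separately remove the multiplicative malleability this example relies on.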


