Security Definitions in Computational Cryptography

1
Security Definitions in Computational Cryptography
18739A Foundations of Security and Privacy

• Anupam Datta
• CMU
• Fall 2009

2
Cryptographic Concepts

• Signature scheme
• Symmetric encryption scheme

3
Signature Scheme

• Key generation algorithm
• Input security parameter n
• Output a private signing public verification
  key pair
• Algorithm to sign data
• Algorithm to verify signature
• Correctness
• Message signed with a signing key verifies with
  the corresponding verification key
• verify(m,sign(m,sk(A)), pk(A)) ok
• Symbolic Security
• A signature cannot be produced without access to
  the private signing key

4
UF-CMA Security
mi
sign(mi, sk(C))
C
A
sign(m, sk(C))
UF-CMA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob m ?mi A plays by the rules lt f(n)
5
Symmetric Encryption Scheme

• Key generation algorithm
• Input security parameter n
• Output a key that is used for encryption and
  decryption
• Algorithm to encrypt a message
• Algorithm to decrypt a ciphertext
• Correctness
• Decrypting a ciphertext obtained by encrypting
  message m with the corresponding key k returns m
• dec(enc(m,k),k) m

6
What is a secure encryption scheme?

• List of possible properties
• Given a list of message, ciphertext pairs, it
  should not be possible to recover the key
• Given ciphertext, it should not be possible
  recover plaintext
• Given ciphertext, it should not be possible to
  recover 1st bit of plaintext
• All of the above, but what else?
• Given ciphertext, adversary should have no
  information about underlying plaintext (not true
  because of apriori information)

7
IND-EAV security definition(eavesdropping
attacks)
k, b
m0, m1
enc(k, mb)
C
A
d
IND-EAV security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
8
Example

• General sends an encrypted message where the
  plaintext is either attack or dont attack.
• Adversary should not be able to figure out what
  the plaintext is although she knows that it is
  one of these two values.

9
IND-CPA security definition (chosen-plaintext
attacks)
mi
k, b
enc(k, mi)
m0, m1
enc(k, mb)
C
A
mi
enc(k, mi)
d
IND-CPA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
10
Example

• US Navy cryptanalysts received a ciphertext
  containing the word AF that they believed
  corresponded to Midway island (May, 1942)
• Concluded that Japan was planning to attack
  Midway island, but could not convince top brass
• Sent out a message saying Midway island was low
  on water supply
• Japanese intercepted this message and sent out a
  message saying AF was running low on water
  supply

11
IND-CCA secure encryption (chosen-ciphertext
attacks)
mi or ci
k, b
enc(k, mi) or dec(k,ci)
m0, m1
enc(k, mb)
C
A cannot submit enc(k,mb) to the decryption oracle
A
mi or ci
enc(k, mi) or dec(k,ci)
d
IND-CCA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
12
Example (public-key version)

• Network protocols Q1 and Q2
• QI
• C B enc(pk(B), secret, Q1)
• Q2
• A B enc(pk(B),nonce, Q2)
• B A nonce
• Adversary A has access to Bs decryption oracle,
  but should still not be able to learn additional
  information about Cs secret (e.g., cannot tell
  whether it is attack or dont attack)

13

• Questions?