Professional Documents
Culture Documents
Introduction
Spring 2020
Outline
Introduction
Symmetric encryption
Security models
Outline
Introduction
Symmetric encryption
Security models
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 3 / 22
Introduction Symmetric encryption Security models
Computational security
1. Perfect security is impractical: keys must be as long as messages
2. We would like to securely encrypt arbitrary long messages using
short keys
3. How ? Relax the security requirements:
3.1 Consider only adversaries that use a reasonable amount of time and
memory
3.2 Consider a weaker notion of security such as concrete security or
asymptotic security
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 4 / 22
Introduction Symmetric encryption Security models
Computational security
1. We follow the asymptotic security approach
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 5 / 22
Outline
Introduction
Symmetric encryption
Security models
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 6 / 22
Introduction Symmetric encryption Security models
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 7 / 22
Introduction Symmetric encryption Security models
Symmetric encryption
Definition 1
A symmetric key encryption (SKE) scheme over (K, M, C) is a triple of
algorithms S = (G, E, D) such that:
1. G is a PPT algorithm, called the key generation algorithm, which
outputs a key K ∈ K when invoked on a security parameter λ;
2. E is a PPT algorithm, called the encryption algorithm, which outputs
a ciphertext c ∈ C when invoked on a key K and a message m ∈ M;
3. D is a deterministic PT algorithm, called the decryption algorithm,
which outputs a message m ∈ M or a special symbol ⊥ (denoting
failure) when invoked on a key K and a ciphertext c.
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 8 / 22
Introduction Symmetric encryption Security models
Symmetric encryption
1. The complexity of G is measured w.r.t. the input λ
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 9 / 22
Introduction Symmetric encryption Security models
Symmetric encryption
Terminology, notation, remarks:
1. Symmetric key encryption: the encryption key is also the decryption
key
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 10 / 22
Outline
Introduction
Symmetric encryption
Security models
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 11 / 22
Introduction Symmetric encryption Security models
Security models
Definition 2
A security model is a pair consisting of a security goal and an attack
model.
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 12 / 22
Introduction Symmetric encryption Security models
Security goals
1. Semantic security was proposed by Goldwasser and Micali in 1982,
and it was the first definition of security for encryption. It formalizes
the fact that no adversary can obtain any partial information about
the message of a given ciphertext. In other words, whatever can
efficiently be computed about a message from its ciphertext can also
be computed without the ciphertext
2. Semantic security is a “polynomially bounded” version of the
concept of perfect secrecy introduced by Shannon in 1949
3. Semantic security is complex and difficult to work with
4. Indistinquishability is an equivalent definition to semantic security
which is somewhat simpler
5. Non-malleability means that, given a ciphertext c of some message
m, no efficient adversary can construct another ciphertext c 0 of
some message m0 meaningfully related to m
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 13 / 22
Introduction Symmetric encryption Security models
Attack models
Some common attack models are:
1. Passive attacks:
1.1 Cipher-only attack (COA): A has access to the ciphertext
1.2 Known plaintext attack (KPA): A knows pairs (plaintext,ciphertext)
2. Active attacks:
2.1 Chosen plaintext attack (CPA): A has access to the encryption
oracle (this is for free for PKE)
2.2 Non-adaptive chosen ciphertext attack (CCA1): A has, in addition
to the ability of a CPA adversary, access to a decryption oracle
before the challenge phase
2.3 Adaptive chosen ciphertext attack (CCA2): A has, in addition to the
ability of a CCA1 adversary, access to a decryption oracle after the
challenge phase. However, no decryption query is allowed involving
the challenge ciphertext
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 14 / 22
Introduction Symmetric encryption Security models
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 15 / 22
Introduction Symmetric encryption Security models
Security models
The diagram below only aims to create an image on the relationships
between the security models introduced so far (an arrow means an
implication). Some of these relationships are far from trivial.
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 16 / 22
Introduction Symmetric encryption Security models
Remark 3
ind-coa-b
P(PrivKA,S (λ) = b 0 ) is the probability that PrivKA,S
ind-coa-b
(λ) returns
0 0
b , which is also the probability that A returns b in this experiment.
The probability is taken over the internal coin tosses of all algorithms !
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 17 / 22
Introduction Symmetric encryption Security models
Remark 4
ind-kpa-b ind-kpa-b
P(PrivKA,S (λ) = b 0 ) is the probability that PrivKA,S (λ) returns
0 0
b , which is also the probability that A returns b in this experiment.
The probability is taken over the internal coin tosses of all algorithms !
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 18 / 22
Introduction Symmetric encryption Security models
Remark 5
ind-cpa-b ind-cpa-b
P(PrivKA,S (λ) = b 0 ) is the probability that PrivKA,S (λ) returns
0 0
b , which is also the probability that A returns b in this experiment.
The probability is taken over the internal coin tosses of all algorithms !
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 19 / 22
Introduction Symmetric encryption Security models
IND-XXX security
Definition 6
An SKE scheme S is IND-XXX secure, where XXX ∈ {COA, KPA, CPA},
if
ind-xxx-0 ind-xxx-1
P(PrivKA,S (λ) = 1) − P(PrivKA,S (λ) = 1)
is negligible, for all PPT algorithms A.
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 20 / 22
Introduction Symmetric encryption Security models
Proposition 8
For any SKE scheme S and any PPT adversary A, the following property
holds:
ind-cpa
AdvA,S (λ) =
1
ind-cpa-0 ind-cpa-1
(λ) = 1) − P(PrivKA,S (λ) = 1)
P(PrivKA,S
2
Ferucio Laurentiu Tiplea Symmetric Key Cryptography Spring 2020 17 :25 :40 22 / 22