C. de Saint Guilhem
COSIC,
KU Leuven, ESAT,
Kasteelpark Arenberg 10, bus 2452,
B-3001 Leuven-Heverlee,
Belgium.
C. de Saint Guilhem
Game-Based Security Definitions Slide 1
Outline
Introduction
Security Proofs
What Questions Will We Answer?
How do we think about game based security definitions?
Security Definitions
The FACTOR Security Game
Challenger: p, q ← {v/2-bit primes}; N ← p · q.
Challenger → A: N
A → Challenger: p′, q′
Win if p′ · q′ = N and p′, q′ ≠ N.
Figure: Security game to define the FACTOR problem
The Advantage
We write
$\mathrm{Adv}^{X}_{v}(A, t) = \Pr[A \text{ wins the game } X \text{ for } v = \log_2 N \text{ in time less than } t].$
There is an algorithm which always factors a number in time $\sqrt{N}$, so
$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A, 2^{v/2}) = 1,$
where $v = \log_2 N$.
The Hardness of FACTOR
But if t is any polynomial function $p_1$ of $v = \log_2 N$ then we expect
that there is no efficient adversary A, and hence for such t we will
have
$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A, p_1(v)) < \frac{1}{p_2(v)},$
for all adversaries A.
A problem is said to be hard if the advantage is bounded by $\frac{1}{p_2(v)}$ for
all adversaries A.
▶ The value v is called the security parameter.
RSA Problem
The most important problem in early public key cryptography was
the RSA problem...
Challenger: p, q ← {v/2-bit primes}; N ← p · q; e, d ← Z such that e · d = 1 (mod ϕ(N)); y ← (Z/NZ)*.
Challenger → A: N, e, y
A → Challenger: x
Win if x^e = y (mod N).
Figure: Security game to define the RSA problem
$\mathrm{Adv}^{\mathrm{RSA}}_{v}(A, t) = \Pr[A \text{ wins the RSA game for } v = \log_2 N \text{ in time} \le t].$
The QUADRES Security Game
Many games are about distinguishing two different situations.
▶ Q_N = {a ∈ Z_N : a = b² for some b}
▶ J_N = {a ∈ Z_N : a has Jacobi symbol one}
Facts:
▶ QN ⊂ JN
▶ If N = p · q then |QN | = |JN |/2.
▶ Detecting if x ∈ ZN is such that x ∈ JN is easy.
▶ Detecting if x ∈ JN is such that x ∈ QN is hard.
This creates a problem called QUADRES.
▶ Was once a very important cryptographic hard problem.
▶ Less so now, but useful for expository purposes.
The QUADRES Security Game
Challenger: b ← {0, 1}; p, q ← {v/2-bit primes}; N ← p · q.
If b = 0 then a ← Q_N; if b = 1 then a ← J_N \ Q_N.
Challenger → A: N, a
A → Challenger: b′
Win if b = b′.
Figure: Security game to define the QUADRES problem
The QUADRES Security Game
We define the advantage as
$\mathrm{Adv}^{\mathrm{QUADRES}}_{v}(A) = 2 \cdot \left( \Pr[A \text{ wins the QUADRES game for } v = \log_2 N] - \frac{1}{2} \right).$
Note, sometimes we drop the time parameter from the advantage
for ease of writing.
If the adversary just guesses the bit with probability 1/2 then its
advantage is zero.
Distinguishing Games and Advantages
The following is an important equality, whose proof comes up
again and again.
cont’d...
Distinguishing Games and Advantages
Proof (cont’d)
$\mathrm{Adv}^{\mathrm{QUADRES}}_{v}(A) = \cdots$
$= \Pr[b' = 1 \mid b = 1] + \Pr[b' = 0 \mid b = 0] - 1$
$= \Pr[b' = 1 \mid b = 1] + 1 - \Pr[b' = 1 \mid b = 0] - 1$
$= \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0].$
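For a deterministic adversary both sides of the equality above are finite sums, so it can be checked exactly instead of estimated. The following Python code is an added example, not code from the slides: it builds Q_N and J_N \ Q_N for a constructed toy modulus N = 7 · 11 by brute force, plays the QUADRES game against two constructed adversaries (one that knows the factorisation and one that guesses from the size of a alone), and computes 2 · (Pr[win] − 1/2) and Pr[b′ = 1 | b = 1] − Pr[b′ = 1 | b = 0] as exact fractions. The function names, the toy modulus and the adversaries are assumptions of the example.

```python
from fractions import Fraction
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a / n) for odd n > 0, computed by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:            # pull out factors of 2 using the value of (2 / n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def quadres_sets(p, q):
    """Q_N and J_N \\ Q_N for N = p * q, built by brute force (toy sizes only)."""
    N = p * q
    units = [a for a in range(1, N) if gcd(a, N) == 1]
    J = [a for a in units if jacobi(a, N) == 1]
    squares = {(b * b) % N for b in units}
    Q = [a for a in J if a in squares]
    non_Q = [a for a in J if a not in squares]
    return Q, non_Q


def advantage_both_ways(adversary, Q, non_Q):
    """Play the QUADRES game exactly against a deterministic adversary.
    b = 0 means a <- Q_N and b = 1 means a <- J_N \\ Q_N, uniform in each set.
    Returns (2 * (Pr[win] - 1/2), Pr[b'=1 | b=1] - Pr[b'=1 | b=0])."""
    p1_given_1 = Fraction(sum(adversary(a) == 1 for a in non_Q), len(non_Q))
    p1_given_0 = Fraction(sum(adversary(a) == 1 for a in Q), len(Q))
    # b is a uniform bit, so Pr[win] = (Pr[b'=0 | b=0] + Pr[b'=1 | b=1]) / 2
    p_win = ((1 - p1_given_0) + p1_given_1) / 2
    return 2 * (p_win - Fraction(1, 2)), p1_given_1 - p1_given_0


def legendre_adversary(p):
    """Constructed adversary that knows the factor p.  For a in J_N, being a
    square mod p and being a square mod q coincide, so a single Legendre
    symbol decides membership in Q_N: this adversary always wins."""
    return lambda a: 0 if pow(a, (p - 1) // 2, p) == 1 else 1


def size_heuristic(N):
    """Constructed weak adversary that guesses from the size of a alone."""
    return lambda a: 1 if a > N // 2 else 0
```

Both adversaries give identical values for the two expressions, which is the point of the derivation; the Legendre adversary reaches advantage 1 because it effectively has the factorisation, while the size heuristic stays well below it.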
Discrete Logarithms
Given an abelian (multiplicative) group G of order q, the DLP is: given
g, h ∈ G, find an integer x ∈ [0, . . . , q) (if it exists) such that
$g^x = h$
(or, in additive notation, $[x]G = H$).
Discrete Logarithms
Challenger: g ← G; x ← Z/qZ; h ← g^x.
Challenger → A: g, h
A → Challenger: x′
Win if x′ = x.
Figure: Security game to define the discrete logarithm problem
$\mathrm{Adv}^{\mathrm{DLP}}_{G}(A) = \Pr[A \text{ wins the DLP game in the group } G].$
Computational Diffie-Hellman Problem
Challenger: g ← G; x, y ← Z/qZ; a ← g^x, b ← g^y.
Challenger → A: g, a, b
A → Challenger: h
Win if h = g^{x·y}.
Figure: Security game to define the Computational Diffie–Hellman problem
$\mathrm{Adv}^{\mathrm{DHP}}_{G}(A) = \Pr[A \text{ wins the DHP game in the group } G].$
Decision Diffie-Hellman Problem
Challenger: b ← {0, 1}; g ← G; x, y ← Z/qZ.
If b = 0 then z ← Z/qZ; if b = 1 then z ← x · y.
a ← g^x, b ← g^y, c ← g^z.
Challenger → A: g, a, b, c
A → Challenger: b′
Win if b′ = b.
Figure: Security game to define the Decision Diffie–Hellman problem
$\mathrm{Adv}^{\mathrm{DDH}}_{G}(A) = 2 \cdot \left( \Pr[A \text{ wins the DDH game in } G] - \frac{1}{2} \right)$
$= \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0].$
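The following Python code is an added example, not code from the slides. It plays the DLP, CDH and DDH games above in a constructed toy group, the order-83 subgroup of (Z/167Z)*, where a brute-force discrete-log adversary is feasible. It goes a little beyond the slides by also showing the textbook relation between the three problems: an adversary that solves DLP gives adversaries against CDH and DDH with essentially the same advantage (the DDH one loses only when a random z happens to equal x · y). The group parameters, function names and trial counts are assumptions of the example, and a group this small carries no security.

```python
import random

# Constructed toy group: p = 2q + 1 with q prime, so the squares in (Z/pZ)^*
# form the subgroup of prime order q and every non-trivial square generates it.
P, Q = 167, 83
GENERATORS = [g for g in range(2, P) if pow(g, Q, P) == 1]


def dlog_bruteforce(g, h):
    """Adversary against DLP that tries every exponent x in [0, q)."""
    for x in range(Q):
        if pow(g, x, P) == h:
            return x
    raise ValueError("h is not in the subgroup generated by g")


def dlp_game(adversary, rng):
    g = rng.choice(GENERATORS)
    x = rng.randrange(Q)
    h = pow(g, x, P)
    return adversary(g, h) == x                      # Win if x' = x


def cdh_from_dlog(g, a, b):
    """Adversary against CDH built from the DLP adversary: x = log_g(a), h = b^x."""
    return pow(b, dlog_bruteforce(g, a), P)


def cdh_game(adversary, rng):
    g = rng.choice(GENERATORS)
    x, y = rng.randrange(Q), rng.randrange(Q)
    a, b = pow(g, x, P), pow(g, y, P)
    return adversary(g, a, b) == pow(g, x * y, P)     # Win if h = g^(x*y)


def ddh_from_dlog(g, a, b, c):
    """Adversary against DDH built from the DLP adversary: b' = 1 iff c = b^x."""
    return 1 if pow(b, dlog_bruteforce(g, a), P) == c else 0


def ddh_game(adversary, rng):
    bit = rng.randrange(2)
    g = rng.choice(GENERATORS)
    x, y = rng.randrange(Q), rng.randrange(Q)
    z = x * y if bit == 1 else rng.randrange(Q)      # b = 1: z = x*y, b = 0: z random
    a, b, c = pow(g, x, P), pow(g, y, P), pow(g, z, P)
    return adversary(g, a, b, c) == bit              # Win if b' = b


def win_rate(game, adversary, trials, seed):
    """Fraction of independent games the adversary wins (seeded for repeatability)."""
    rng = random.Random(seed)
    return sum(game(adversary, rng) for _ in range(trials)) / trials


def ddh_advantage(adversary, trials, seed):
    """Estimate 2 * (Pr[A wins the DDH game] - 1/2)."""
    return 2 * (win_rate(ddh_game, adversary, trials, seed) - 0.5)
```

A constant adversary that always answers b′ = 1 has estimated DDH advantage close to zero, matching the remark that guessing the bit gives advantage zero, while the discrete-log-based adversary has advantage close to 1.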
Security Proof
A Simple Security Proof
Lemma
The RSA problem is no harder than the FACTOR problem: given an adversary A against FACTOR, we can build an adversary B against RSA with
$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A) = \mathrm{Adv}^{\mathrm{RSA}}_{v}(B).$
A Simple Security Proof
$c^d = m^{e \cdot d} = m^{1 \pmod{\phi(N)}} = m \pmod N,$
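The following Python code is an added example, not code from the slides. It implements the FACTOR challenger and the √N-time trial-division adversary from the advantage slide, then the RSA challenger and the adversary B of the lemma, which runs the FACTOR adversary on N, recovers ϕ(N), inverts e modulo ϕ(N) and computes x = y^d mod N as in the equation above. B wins exactly when A does, which is the equality of advantages the lemma states. The parameter v = 16 (8-bit primes), the seeds and the function names are assumptions of the example; sizes this small exist only to make the reduction runnable.

```python
import random
from math import gcd, isqrt


def is_prime(n):
    """Trial-division primality test; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def random_prime(bits, rng):
    """Sample a random prime with exactly `bits` bits."""
    while True:
        cand = rng.randrange(1 << (bits - 1), 1 << bits)
        if is_prime(cand):
            return cand


def two_distinct_primes(v, rng):
    """p, q <- {v/2-bit primes}, resampled until they differ."""
    p = random_prime(v // 2, rng)
    q = random_prime(v // 2, rng)
    while q == p:
        q = random_prime(v // 2, rng)
    return p, q


def factor_challenger(v, seed):
    """Challenger of the FACTOR game: publishes N = p * q."""
    p, q = two_distinct_primes(v, random.Random(seed))
    return p * q


def factor_adversary(N):
    """The sqrt(N)-time algorithm from the slides: trial division up to sqrt(N).
    Returns (p', q') with p' * q' = N and p', q' != N."""
    for d in range(2, isqrt(N) + 1):
        if N % d == 0:
            return d, N // d
    raise ValueError("N is prime: no non-trivial factorisation exists")


def factor_wins(N, answer):
    """Win condition of the FACTOR game, exactly as in the figure."""
    p_, q_ = answer
    return p_ * q_ == N and p_ != N and q_ != N


def rsa_challenger(v, seed):
    """Challenger of the RSA game: returns the instance (N, e, y) and the secret
    x, which only a test harness should look at."""
    rng = random.Random(seed)
    p, q = two_distinct_primes(v, rng)
    N, phi = p * q, (p - 1) * (q - 1)
    e = rng.randrange(3, phi)
    while gcd(e, phi) != 1:
        e = rng.randrange(3, phi)
    x = rng.randrange(2, N)
    while gcd(x, N) != 1:                # x <- (Z/NZ)^*
        x = rng.randrange(2, N)
    return (N, e, pow(x, e, N)), x


def rsa_adversary_from_factor(instance, factor_adv):
    """The adversary B of the lemma.  It runs the FACTOR adversary A on N,
    recovers phi(N) = (p-1)(q-1), inverts e modulo phi(N) and outputs
    x = y^d mod N.  B wins whenever A wins."""
    N, e, y = instance
    p_, q_ = factor_adv(N)
    phi = (p_ - 1) * (q_ - 1)
    d = pow(e, -1, phi)                  # e * d = 1 (mod phi(N))
    return pow(y, d, N)                  # (x^e)^d = x^(e*d) = x (mod N)
```

The test harness checks the returned x by re-encrypting it with the public exponent, which is what a challenger without the secret would do.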
Simple Security Proofs
Defining Security for a Block Cipher
Defining how hard problems such as RSA and DLP are is relatively easy.
▶ They are linked to well defined mathematical problems.
How do we do the same for a block cipher?
Defining Security for a Block Cipher
First let's simplify to looking at security for Pseudo-Random
Functions, i.e. PRFs.
Why a Function Family?
Suppose we have a function F : D → C; let's define a security
game for this to ‘look’ random...
Challenger: b ← {0, 1}; x ← D. If b = 0 then y ← C; if b = 1 then y ← F(x).
Challenger → A: F (the function itself), then x, y
A → Challenger: b′
Win if b′ = b.
Figure: First attempt at a security game for a PRF
Why a Function Family?
The reason this fails is that almost always we want to give the
adversary the function.
But if A has the function F, it can query F on x in this game and so
work out whether F(x) = y, or whether y is random.
If we are not giving the adversary F then (in some sense) we are
thinking of F as a ‘random oracle’ (see later).
Second PRF Security Definition
Challenger: b ← {0, 1}, k ← K; x ← D. If b = 0 then y ← C; if b = 1 then y ← F_k(x).
Challenger → A: the family {F_k}_K (but not the key k), then x, y
A → Challenger: b′
Win if b′ = b.
Figure: Second attempt at a security game for a PRF
Giving the Adversary More Power
Final PRF Security Definition
[Figure: the final PRF security game, in which A queries an oracle O_{F_k}; only its initialisation L ← {} survived extraction]
We write
$\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) = 2 \cdot \left( \Pr[A^{O_{F_k}} \text{ wins}] - \frac{1}{2} \right).$
Note the superscript to show that A has access to an oracle, which
can be called at most q times.
PRP Security Definition
To make a PRP security definition is now easy, we just need to
ensure (when b = 0) that the challenger is creating a permutation.
Challenger: L ← {}; b ← {0, 1}; k ← K. The family {F_k}_K is given to A.
Oracle O_F, on a query x ∈ D from A:
  if ∃(x, y′) ∈ L then y ← y′
  else if b = 1 then y ← F_k(x)
  else (repeat y ← D until ∄(x′, y) ∈ L)
  L ← L ∪ {(x, y)}
  return y
A → Challenger: b′
Win if b′ = b.
Figure: The security game for a PRP
$\mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q) = 2 \cdot \left( \Pr[A^{O_{F_k}} \text{ wins}] - \frac{1}{2} \right).$
PRP Security Definition
Why would such a definition not necessarily make sense in the case
of the PRF definition?
PRF-PRP Switching Lemma
Suppose we have a pseudo-random permutation family {F_k}_K and
an adversary A.
The API for the PRP and the PRF game is the same.
The question then is whether the adversary can tell the difference.
PRF-PRP Switching Lemma
Lemma (PRP-PRF Switching Lemma)
$\left| \mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) - \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q) \right| < \frac{q^2}{|D|}.$
Proof
Run A in the PRF game, and let E denote the event that the oracle called by A returns the same value in the codomain
for two distinct input values.
The probability of E occurring is, from the birthday bound, at most $q^2 / (2 \cdot |D|)$.
Thus
$\Pr[A \text{ wins the PRF game}] = \Pr[A \text{ wins the PRF game} \mid E] \cdot \Pr[E]$
$\quad + \Pr[A \text{ wins the PRF game} \mid \neg E] \cdot \Pr[\neg E]$
$\le \Pr[E] + \Pr[A \text{ wins the PRF game} \mid \neg E]$
$= \Pr[E] + \Pr[A \text{ wins the PRP game} \mid \neg E]$
$\le \frac{q^2}{2 \cdot |D|} + \Pr[A \text{ wins the PRP game}].$
cont’d...
PRF-PRP Switching Lemma
Proof (cont’d)
w.l.o.g. we can assume
1. $\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) \ge \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q).$
Then, by the previous slide,
$\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) - \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q) \le 2 \cdot \left( \frac{q^2}{2 \cdot |D|} + \Pr[A \text{ wins the PRP game}] \right) - 2 \cdot \Pr[A \text{ wins the PRP game}] \le \frac{q^2}{|D|}.$
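The following Python code is an added example, not code from the slides, serving both the PRP-game figure and the switching lemma. It implements the oracle O_F of the PRP figure with lazy sampling (the b = 0 branch draws y ← D, with or without the "repeat until unused" loop), the exact probability of the event E for q queries to a random function, the q²/(2|D|) birthday bound used in the proof, and a constructed adversary whose whole strategy is to watch for E. For that adversary the PRP advantage is zero and the PRF advantage equals Pr[E], so the gap between the two games is exactly the quantity the lemma bounds. F_k is modelled as a random permutation table standing in for a keyed permutation, with D = C = {0, …, n−1}; the class and function names, sizes and seeds are assumptions of the example.

```python
import random
from fractions import Fraction


class LazyOracle:
    """The oracle O_F of the PRP/PRF games, with the b = 0 branch sampled lazily.
    permutation=True  -> PRP game: repeat y <- D until no (x', y) is in L.
    permutation=False -> PRF game: y <- D with replacement.
    F is the b = 1 branch, i.e. F_k with the key already fixed."""

    def __init__(self, b, F, domain_size, permutation, rng):
        self.b, self.F, self.n = b, F, domain_size
        self.permutation, self.rng = permutation, rng
        self.L = {}                # the list L of (x, y) pairs, keyed by x
        self.collided = False      # the event E: same y returned for two distinct x

    def query(self, x):
        if x in self.L:            # exists (x, y') in L: answer consistently
            return self.L[x]
        if self.b == 1:
            y = self.F(x)
        else:
            y = self.rng.randrange(self.n)
            while self.permutation and y in self.L.values():
                y = self.rng.randrange(self.n)
        if y in self.L.values():
            self.collided = True
        self.L[x] = y
        return y


def collision_probability_exact(q, n):
    """Pr[E] for q distinct queries to a random function onto a set of size n."""
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction(n - i, n)
    return 1 - no_collision


def birthday_bound(q, n):
    """The bound q^2 / (2|D|) quoted in the proof."""
    return Fraction(q * q, 2 * n)


def collision_adversary(oracle, q):
    """Constructed adversary: query x = 0..q-1 and answer b' = 0 (random
    function) exactly when a collision was seen, otherwise b' = 1."""
    for x in range(q):
        oracle.query(x)
    return 0 if oracle.collided else 1


def estimate_advantage(q, n, permutation, trials, seed):
    """2 * (Pr[win] - 1/2) of collision_adversary in the PRF (permutation=False)
    or PRP (permutation=True) game, with F_k a fresh random permutation per game."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        table = list(range(n))
        rng.shuffle(table)         # constructed toy key: F_k is a random permutation
        b = rng.randrange(2)
        oracle = LazyOracle(b, table.__getitem__, n, permutation, rng)
        wins += collision_adversary(oracle, q) == b
    return 2 * (wins / trials - 0.5)
```

With q = 8 and |D| = 64 the exact Pr[E] is about 0.37, the bound q²/(2|D|) is 0.5, and the lemma's bound q²/|D| is 1; the estimated PRF advantage lands near Pr[E] while the PRP advantage stays near zero.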
Symmetric Key Encryption
Public Key Encryption
Anyone with Alice’s public key can send Alice a secret message.
But only Alice can decrypt the message, since only Alice has the
private key.
Notation
Symmetric Key Encryption:
We denote the symmetric key by sk.
Security Goals for Encryption
One Time Pad
A famous result of Shannon says that the one-time pad is perfectly
secure
▶ An infinitely powerful adversary can learn nothing about the
message.
▶ What you can learn with the ciphertext is the same as what you
can learn without the ciphertext.
The problem is that the One Time Pad is unusable.
OW Security: Symmetric Key Case
Challenger: m ← P.
Challenger → A: c* = e_k(m)
A → Challenger: m′
Win if m′ = m.
Semantic Security
Recall perfect security for One Time Pads:
▶ An infinitely powerful adversary can learn nothing about the
message.
▶ What you can learn with the ciphertext is the same as what you
can learn without the ciphertext.
Want a similar notion for an adversary with polynomially bounded
computing power.
i.e. Having the ciphertext does not help one to learn anything about
an encrypted message.
IND-Security
Semantic security is hard to get one's head around; luckily it is
equivalent to a nicer definition called polynomial security or IND.
IND-Security: Symmetric Key Case
It is simpler to present this in terms of pictures representing a game
played with the adversary A.
Challenger: b ∈ {0, 1}.
A → Challenger: m0, m1
Challenger → A: c* = e_k(m_b)
A → Challenger: b′
IND-Security (Public Key Case)
For the public key case there is one main difference in the picture:
Challenger: b ∈ {0, 1}.
Challenger → A: pk
A → Challenger: m0, m1
Challenger → A: c* = e_pk(m_b)
A → Challenger: b′
Adversarial Powers
IND and OW are definitions of adversarial goals.
▶ They say nothing about what powers we give the adversary
We define powers by giving the adversary access to various oracles.
Adversarial Powers
Symmetric Case:
Usually we assume that if an adversary has access to the CCA
oracle, then it also has access to a CPA oracle.
▶ Although this is not true in one important case we will see later
IND-CPA Symmetric Case
Challenger: b ∈ {0, 1}.
Oracle O_E: on m from A, return c = e_k(m).
A → Challenger: m0, m1
Challenger → A: c* = e_k(m_b)
A → Challenger: b′
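The following Python code is an added example, not code from the slides. It runs the symmetric IND-CPA game of the figure, with the encryption oracle O_E, against two constructed toy schemes built from the same keyed function F_k (HMAC-SHA256): one deterministic, one that prepends a fresh random nonce. A single adversary that uses nothing but O_E, encrypting m0 itself and comparing with c*, has advantage exactly 1 against the deterministic scheme and advantage close to 0 against the randomised one, which shows what the oracle adds to the game. The scheme and class names, message length and seeds are assumptions of the example.

```python
import hashlib
import hmac
import random

KEY_LEN = 16
MSG_LEN = 32   # messages are exactly one 32-byte block in this toy


def f_k(key, data):
    """Keyed function F_k shared by both toy schemes (HMAC-SHA256, 32-byte output)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key, m, rng):
    """Constructed toy scheme 1: c = m XOR F_k(0).  Equal messages give equal ciphertexts."""
    return xor(m, f_k(key, b"\x00"))


def enc_randomised(key, m, rng):
    """Constructed toy scheme 2: fresh 16-byte nonce r, c = r || (m XOR F_k(r))."""
    r = bytes(rng.getrandbits(8) for _ in range(16))
    return r + xor(m, f_k(key, r))


class ReplayAdversary:
    """Constructed adversary using only O_E: encrypts m0 itself and compares with c*."""
    m0 = b"A" * MSG_LEN
    m1 = b"B" * MSG_LEN

    def choose(self, o_e):
        return self.m0, self.m1

    def guess(self, o_e, c_star):
        return 0 if o_e(self.m0) == c_star else 1


def ind_cpa_game(enc, adversary, rng):
    """One run of the IND-CPA game of the figure; returns True if A wins."""
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    b = rng.randrange(2)
    o_e = lambda m: enc(key, m, rng)          # the encryption oracle O_E
    m0, m1 = adversary.choose(o_e)
    c_star = enc(key, m0 if b == 0 else m1, rng)
    return adversary.guess(o_e, c_star) == b


def estimate_advantage(enc, adversary, trials, seed):
    """2 * (Pr[A wins] - 1/2), estimated over `trials` independent games."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(enc, adversary, rng) for _ in range(trials))
    return 2 * (wins / trials - 0.5)
```

Against the deterministic scheme the comparison o_e(m0) == c* is true exactly when b = 0, so every game is won; against the randomised scheme the fresh nonce makes the comparison fail regardless of b, so the adversary is reduced to a constant guess.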
IND-CCA Symmetric Case
Challenger: b ∈ {0, 1}.
Oracle O_E: on m from A, return c = e_k(m).
Oracle O_D: on c ≠ c* from A, return m = d_k(c).
A → Challenger: m0, m1
Challenger → A: c* = e_k(m_b)
A → Challenger: b′
IND-CPA Public Key Case
Challenger: b ∈ {0, 1}.
Challenger → A: pk
A → Challenger: m0, m1
Challenger → A: c* = e_pk(m_b)
A → Challenger: b′
IND-CCA Public Key Case
Challenger: b ∈ {0, 1}.
Challenger → A: pk
Oracle O_D: on c ≠ c* from A, return m = d_sk(c).
A → Challenger: m0, m1
Challenger → A: c* = e_pk(m_b)
A → Challenger: b′
Advantage
We define the advantage of an adversary as (essentially) the
difference in the probability that it wins the game over random
chance.
$\mathrm{Adv}^{\mathrm{OW\text{-}XXX}}_{\Pi}(A) = \Pr[A \text{ wins}].$
There should probably be a 1/|P| subtracted here, but as |P| is
usually huge this can be safely ignored.
$\mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(A) = 2 \cdot \left( \Pr[A \text{ wins}] - \frac{1}{2} \right).$
A scheme is said to be secure if the respective advantage is small
for all PPT adversaries A.
▶ Small here means exponentially small in the run-time of A.
LR Oracle
We can capture multi-message attacks by treating the challenge as
a set of challenges, via an LR oracle.
Challenger: b ∈ {0, 1}.
Oracle O_E: on m from A, return c = e_k(m).
Oracle O_LR: on the i-th query (m_0^(i), m_1^(i)) from A, return c*(i) = e_k(m_b^(i)).
Oracle O_D: on c from A with c ≠ c*(i) for every i, return m = d_k(c).
A → Challenger: b′
If you only allow one call to the LR oracle then this is the normal
IND-CCA game.
LR Oracle
If you allow multiple calls to the LR oracle you can replace the OE
oracle with calls to OLR (m, m), even for symmetric encryption.
Challenger: b ∈ {0, 1}.
Oracle O_LR: on the i-th query (m_0^(i), m_1^(i)) from A, return c*(i) = e_k(m_b^(i)).
Oracle O_D: on c from A with c ≠ c*(i) for every i, return m = d_k(c).
A → Challenger: b′
$\mathrm{Adv}^{m\text{-}\mathrm{IND\text{-}XXX}}_{\Pi}(A; q_{LR})$
Real-or-Random Security
Another (equivalent) method of defining security is RoR security.
IND vs LR vs RoR
Theorem
Let A be a poly-time adversary against the IND-XXX security of the
symmetric encryption scheme Π, then there is a poly-time adversary
B against the m-IND-XXX security of Π, with
$\mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(A) = \mathrm{Adv}^{m\text{-}\mathrm{IND\text{-}XXX}}_{\Pi}(B; 1).$
Theorem
Let A be a poly-time adversary against the m-IND-XXX security of
the symmetric encryption scheme Π. Then there is a poly-time
adversary B against the IND-XXX security of Π, with
$\mathrm{Adv}^{m\text{-}\mathrm{IND\text{-}XXX}}_{\Pi}(A; q_{LR}) \le q_{LR} \cdot \mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(B).$
IND vs LR vs RoR
Theorem
If A is an adversary against RoR-CCA security for a symmetric
encryption scheme Π, then we can build an adversary B against
IND-CCA security of Π with
$\mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(A; q_{RoR}) = \mathrm{Adv}^{m\text{-}\mathrm{IND\text{-}CCA}}_{\Pi}(B; q_{RoR}).$
Theorem
If A is an adversary against m-IND-CCA security for a symmetric
encryption scheme Π, then we can build an adversary B against
RoR-CCA security of Π with
$\mathrm{Adv}^{m\text{-}\mathrm{IND\text{-}CCA}}_{\Pi}(A; q_{LR}) = 2 \cdot \mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(B; q_{LR}).$
Relations Among Notions
For our security notions, either one notion implies another, or
one can find explicit separations:
Symmetric Case:
IND-CCA ⇒ IND-CPA ⇒ IND-PASS
   ⇓          ⇓          ⇓
OW-CCA  ⇒ OW-CPA  ⇒ OW-PASS
Relations Among Notions
One security notion implies another:
Showing IND-CCA =⇒ OW-CCA
To see how security proofs work look at the following diagram,
reconstructed here as text. B is an adversary against IND-CCA built from an adversary A against OW-CCA:
Challenger: k ← KeyGen(); b ← {0, 1}.
B: chooses m0, m1 ← P, sends them to O_LR and receives c* = e_k(m_b).
B: runs A on c*. Whenever A queries its O_{e_k} or O_{d_k} oracle, B forwards the query to its own O_{e_k} or O_{d_k} oracle and relays the answer.
A: outputs m′ to B.
B: checks whether m0 = m′ and outputs b′ = 0 if so, and b′ = 1 otherwise.
Most Important Lesson
Digital Signatures
Another very important public key primitive is the digital signature.
The idea is
Anyone can verify Alice’s signature, since everyone can obtain her
public key.
After verification the verifier is convinced that only Alice could have
produced the signature because
▶ Only Alice knows her private key!
Digital Signatures
Message Authentication Code
The idea is
Only someone with the same private key can verify this
authentication.
Notation
Sig_sk(m) = s
Verify_pk(s, m) = YES/NO. (For the with-appendix case.)
Mac_k(m) = t
Verify_k(t, m) = YES/NO.
Security of MACs and Digital Signatures
Again we define security via games by giving goals and powers.
Existential Forgery:
▶ A scheme is existentially unforgeable if the adversary cannot
produce a signature on any other message (of his choice).
Attack Powers
We have just seen some adversarial goals; to form a complete
definition we also need attack models.
Passive Attack:
▶ Attacker obtains a public key and some message/signature
pairs valid under that public key.
Challenger: L ← ∅; k ← KeyGen().
Oracle O_{Mac_k}: on m ∈ P from A: L ← L ∪ {m}; t ← Mac_k(m); return t.
Oracle O_{Verify_k}: on (t, m) ∈ T × P from A: v ← Verify_k(t, m); return v.
A → Challenger: m*, t*
Win if Verify_k(t*, m*) = valid and m* ∉ L.
Figure: Security game for MAC security EUF-CMA
Signature Security Game
Strong Existential Unforgeability
Strong Existential Unforgeability
Challenger: L ← ∅; k ← KeyGen().
Oracle O_{Mac_k}: on m ∈ P from A: t ← Mac_k(m); L ← L ∪ {(t, m)}; return t.
Oracle O_{Verify_k}: on (t, m) ∈ T × P from A: v ← Verify_k(t, m); return v.
A → Challenger: m*, t*
Win if Verify_k(t*, m*) = valid and (t*, m*) ∉ L.
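The following Python code is an added example, not code from the slides, serving both the EUF-CMA figure and the strong variant above. It runs the MAC game with the O_{Mac_k} and O_{Verify_k} oracles and a switch for what the list L records: messages (EUF-CMA) or (tag, message) pairs (SUF-CMA). Two constructed toy MACs make the difference visible: a truncated HMAC, and the same MAC with a trailing byte that Verify ignores. A constructed adversary that asks for one tag and flips that byte produces a pair (t*, m*) that is new but whose message is not, so it wins the strong game against the loose scheme and loses the other two. The scheme and function names, tag length and seeds are assumptions of the example.

```python
import hashlib
import hmac
import random

TAG_LEN = 16


def mac_strict(key, m):
    """Constructed toy MAC: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(key, m, hashlib.sha256).digest()[:TAG_LEN]


def verify_strict(key, t, m):
    return hmac.compare_digest(t, mac_strict(key, m))


def mac_loose(key, m):
    """Constructed toy MAC with a trailing byte that Verify ignores, so every
    message has 256 valid tags: unforgeable in the EUF sense, not in the SUF sense."""
    return mac_strict(key, m) + b"\x00"


def verify_loose(key, t, m):
    return len(t) == TAG_LEN + 1 and hmac.compare_digest(t[:TAG_LEN], mac_strict(key, m))


def mac_game(mac, verify, adversary, strong, seed):
    """The MAC security game of the figures.  strong=False records messages in L
    (EUF-CMA); strong=True records (tag, message) pairs (SUF-CMA).
    Returns True if the adversary wins."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(16))    # k <- KeyGen()
    L = set()

    def o_mac(m):                                        # O_Mac_k
        t = mac(key, m)
        L.add((t, m) if strong else m)
        return t

    def o_verify(t, m):                                  # O_Verify_k
        return verify(key, t, m)

    m_star, t_star = adversary(o_mac, o_verify)
    fresh = ((t_star, m_star) not in L) if strong else (m_star not in L)
    return verify(key, t_star, m_star) and fresh


def tag_tweaker(o_mac, o_verify):
    """Constructed adversary: asks for one tag and flips the last bit of it.
    The pair (t*, m*) is new, but m* has already been queried."""
    m = b"constructed sample message"
    t = o_mac(m)
    t_star = t[:-1] + bytes([t[-1] ^ 1])
    return m, t_star
```

Against the strict MAC the flipped bit lands inside the HMAC output, so Verify rejects and the adversary loses both games; the loose MAC accepts the tweaked tag, and only the strong game counts that as a win.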