
Game-Based Security Definitions

C. de Saint Guilhem

COSIC,
KU Leuven, ESAT,
Kasteelpark Arenberg 10, bus 2452,
B-3001 Leuven-Heverlee,
Belgium.

March 17, 2023

C. de Saint Guilhem
Game-Based Security Definitions Slide 1
Outline
Introduction

Games and Advantages

Security Proofs

What is a Block Cipher/PRF/PRP?

Encryption Security Definitions

Relations and Equivalence Between Notions

Digital Signatures and Message Authentication Codes

Security of MACs and Digital Signatures

What Questions Will We Answer?
How do we think about game-based security definitions?

How do we measure the ability of an adversary to win such games?

How do we present simple security proofs?

How do we define security for a block cipher?

What does it mean for a symmetric or public key encryption algorithm to be secure?

How do we prove a scheme is secure?

What does it mean for a signature or MAC to be secure?

Security Definitions

In much of cryptography security is defined by a game.

The game is between a Challenger and an Adversary.

The Adversary is given


▶ A goal to achieve (see OW/IND/UF later)
▶ Powers it can use (see CPA/CCA/CMA later)
▶ Restrictions on its operations (see ROM later)

The FACTOR Security Game

We define the problem FACTOR by:

▶ Given N = p · q: Find p and q.

Graphically we can present this by

Challenger:  p, q ← {v/2-bit primes};  N ← p · q;  send N to A.
Adversary A: returns (p′, q′).
Win if p′ · q′ = N and p′, q′ ≠ N (i.e. the factorisation returned is non-trivial).
Figure: Security game to define the FACTOR problem
The Advantage
We write

$$\mathrm{Adv}^{X}_{v}(A, t) = \Pr[A \text{ wins the game } X \text{ for } v = \log_2 N \text{ in time less than } t].$$

Note the advantage is always between zero and one.

▶ Zero means the adversary never wins, i.e. it does no better than guessing at random (for a search problem such as FACTOR a random guess succeeds with negligible probability).
▶ One means the adversary is always correct.

There is an algorithm (trial division up to $\sqrt{N}$) which always factors a number in time about $\sqrt{N} = 2^{v/2}$.

So there is an adversary A such that

$$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A, 2^{v/2}) = 1,$$

where $v = \log_2 N$.
The Hardness of FACTOR
But if t is any polynomial function $p_1$ of $v = \log_2 N$ then we expect that there is no efficient adversary A, and hence for such t we will have

$$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A, p_1(v)) < \frac{1}{p_2(v)}$$

for all adversaries A, for every polynomial $p_2$, once v is large enough.

A problem is said to be hard if, for every polynomial $p_2$, the advantage of every polynomial-time adversary A is bounded by $1/p_2(v)$ for all sufficiently large v.
▶ The value v is called the security parameter

So a problem is hard if the advantage is always negligible.

▶ Note this is an asymptotic notion.
▶ Depends on a parameter v getting big.
▶ After all it is easy to factor small numbers!
RSA Problem
The most important problem in early public key cryptography was the RSA problem...

Challenger:  p, q ← {v/2-bit primes};  N ← p · q;  e, d ← Z s.t. e · d = 1 (mod ϕ(N));  y ← (Z/NZ)*;  send (N, e, y) to A.
Adversary A: returns x.
Win if $x^e = y \pmod N$
Figure: Security game to define the RSA problem

$$\mathrm{Adv}^{\mathrm{RSA}}_{v}(A, t) = \Pr[A \text{ wins the RSA game for } v = \log_2 N \text{ in time} \le t].$$
The QUADRES Security Game
Many games are about distinguishing two different situations.
▶ $Q_N = \{a \in (\mathbb{Z}/N\mathbb{Z})^* : a = b^2 \text{ for some } b\}$, the quadratic residues modulo N.
▶ $J_N = \{a \in (\mathbb{Z}/N\mathbb{Z})^* : a \text{ has Jacobi symbol } (a/N) = 1\}$

Facts:
▶ $Q_N \subset J_N$
▶ If N = p · q for distinct odd primes p, q then $|Q_N| = |J_N|/2$.
▶ Detecting if $x \in (\mathbb{Z}/N\mathbb{Z})^*$ is such that $x \in J_N$ is easy: the Jacobi symbol can be computed without knowing the factorisation of N.
▶ Detecting if $x \in J_N$ is such that $x \in Q_N$ is believed to be hard without the factorisation of N.
This creates a problem called QUADRES
▶ Was once a very important cryptographic hard problem.
▶ Less so now, but useful for expository purposes
The QUADRES Security Game

Challenger:  b ← {0, 1};  p, q ← {v/2-bit primes};  N ← p · q;
             if b = 0 then a ← Q_N, if b = 1 then a ← J_N \ Q_N;  send (N, a) to A.
Adversary A: returns b′.
Win if b′ = b
Figure: Security game to define the QUADRES problem
The QUADRES Security Game
We define the advantage as...

$$\mathrm{Adv}^{\mathrm{QUADRES}}_{v}(A) = 2\cdot\left|\Pr[A \text{ wins the QUADRES game for } v = \log_2 N] - \frac{1}{2}\right|.$$

Note, sometimes we drop the time parameter from the advantage for ease of writing.

If the adversary just guesses the bit with probability 1/2 then its advantage is zero.

If however the adversary is always right, or indeed always wrong, then the advantage is one.

Thus the advantage is normalized to lie between zero and one, as earlier.
Distinguishing Games and Advantages
The following is an important equality, whose proof comes up again and again.

Let A be an adversary in the QUADRES game.

Then, if b′ is the bit chosen by A and b is the bit chosen by the challenger in the game, we have

$$\mathrm{Adv}^{\mathrm{QUADRES}}_{v}(A) = \left|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\right|.$$

Proof

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{QUADRES}}_{v}(A)
&= 2\cdot\left|\Pr[A \text{ wins}] - \tfrac{1}{2}\right| \\
&= 2\cdot\left|\Pr[b' = 1 \text{ and } b = 1] + \Pr[b' = 0 \text{ and } b = 0] - \tfrac{1}{2}\right| \\
&= 2\cdot\left|\Pr[b' = 1 \mid b = 1]\cdot\Pr[b = 1] + \Pr[b' = 0 \mid b = 0]\cdot\Pr[b = 0] - \tfrac{1}{2}\right| \\
&= 2\cdot\left|\Pr[b' = 1 \mid b = 1]\cdot\tfrac{1}{2} + \Pr[b' = 0 \mid b = 0]\cdot\tfrac{1}{2} - \tfrac{1}{2}\right| \\
&= \left|\Pr[b' = 1 \mid b = 1] + \Pr[b' = 0 \mid b = 0] - 1\right| \\
&= \left|\Pr[b' = 1 \mid b = 1] + \bigl(1 - \Pr[b' = 1 \mid b = 0]\bigr) - 1\right| \\
&= \left|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\right|.
\end{aligned}$$

The writing of a distinguishing advantage as

$$\left|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\right|$$

is so common, that often the distinguishing advantage is written in this way to start with.
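The two expressions for the advantage can be checked by actually playing the QUADRES game. The Python below is an added example and is not part of the slides: it implements the challenger (which samples from Q_N and J_N \ Q_N using Euler's criterion, something it can do because it knows p), the Jacobi symbol, and four adversaries (a coin flip, one that only computes the Jacobi symbol, one that knows p, and one that knows p but always answers wrongly), and then estimates 2·|Pr[A wins] − 1/2| and |Pr[b′ = 1 | b = 1] − Pr[b′ = 1 | b = 0]| side by side. The primes 103 and 107, the adversary names and the trial count are constructed for illustration and have nothing to do with real security levels.

```python
import random
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity.
    Needs no factorisation of n: this is the 'easy' membership test for J_N."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_square_mod_prime(a, p):
    """Euler's criterion: a (coprime to p) is a square mod the odd prime p iff a^((p-1)/2) = 1."""
    return pow(a, (p - 1) // 2, p) == 1


def sample_challenge(p, q, b, rng):
    """Challenger's sampling step: b = 0 gives a <- Q_N, b = 1 gives a <- J_N \\ Q_N."""
    N = p * q
    while True:
        a = rng.randrange(1, N)
        if gcd(a, N) != 1 or jacobi(a, N) != 1:
            continue  # both worlds only ever hand out elements of J_N
        # For a in J_N the Legendre symbols mod p and mod q agree, so a is in Q_N iff it is a square mod p.
        if is_square_mod_prime(a, p) == (b == 0):
            return a


# Adversaries: each receives (N, a) and returns a guess b'.
def adv_guess(N, a, rng):
    return rng.randrange(2)  # coin flip


def adv_jacobi_only(N, a, rng):
    # Every challenge has Jacobi symbol 1, so an attacker that only computes (a/N) learns nothing.
    return 0 if jacobi(a, N) == 1 else 1


def make_adv_with_factors(p, correct=True):
    """Knowing a factor p breaks QUADRES outright; correct=False models an always-wrong adversary."""
    def adv(N, a, rng):
        b_guess = 0 if is_square_mod_prime(a, p) else 1
        return b_guess if correct else 1 - b_guess
    return adv


def estimate_advantage(adversary, p, q, trials=2000, seed=1):
    """Play the game 'trials' times with b alternating, so Pr[b = 0] = Pr[b = 1] = 1/2 exactly.
    Returns (2|Pr[A wins] - 1/2|, |Pr[b' = 1 | b = 1] - Pr[b' = 1 | b = 0]|)."""
    rng = random.Random(seed)
    N = p * q
    wins = 0
    ones_given = [0, 0]  # ones_given[b] counts runs with b' = 1 in world b
    for i in range(trials):
        b = i % 2
        a = sample_challenge(p, q, b, rng)
        b_prime = adversary(N, a, rng)
        wins += (b_prime == b)
        ones_given[b] += (b_prime == 1)
    half = trials / 2
    adv_from_wins = 2 * abs(wins / trials - 0.5)
    adv_from_conditionals = abs(ones_given[1] / half - ones_given[0] / half)
    return adv_from_wins, adv_from_conditionals


if __name__ == "__main__":
    p, q = 103, 107  # constructed toy primes; far too small for any real security
    for name, A in [("random guess", adv_guess),
                    ("Jacobi symbol only", adv_jacobi_only),
                    ("knows p", make_adv_with_factors(p)),
                    ("knows p, always wrong", make_adv_with_factors(p, correct=False))]:
        print(f"{name:24s} advantage = {estimate_advantage(A, p, q)}")
```

Because b alternates, Pr[b = 1] is exactly 1/2 and the two estimates agree up to floating-point rounding, exactly as the proof above requires. The always-wrong adversary has advantage one, which is why the absolute value is needed, and the Jacobi-only adversary has advantage exactly zero, since every challenge lies in J_N.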
Discrete Logarithms
Given an abelian (multiplicative) group $\mathbb{G}$ of order q the DLP is: given $g, h \in \mathbb{G}$, find an integer $x \in [0, q)$ (if it exists) such that

$$g^x = h.$$

We write $x = \mathrm{dlog}_g(h)$.

Given an abelian (additive) group $\mathbb{G}$ of order q the DLP is: given $G, H \in \mathbb{G}$, find an integer $x \in [0, q)$ (if it exists) such that

$$[x]G = H.$$

We write $x = \mathrm{dlog}_G(H)$.

As almost all groups in cryptography are abelian, we usually drop the term abelian.
Discrete Logarithms

Challenger:  g ← G;  x ← Z/qZ;  h ← g^x;  send (g, h) to A.
Adversary A: returns x′.
Win if x′ = x
Figure: Security game to define the discrete logarithm problem

$$\mathrm{Adv}^{\mathrm{DLP}}_{\mathbb{G}}(A) = \Pr[A \text{ wins the DLP game in the group } \mathbb{G}].$$

Computational Diffie-Hellman Problem

Challenger:  g ← G;  x, y ← Z/qZ;  X ← g^x, Y ← g^y;  send (g, X, Y) to A.
Adversary A: returns h.
Win if h = g^{x·y}
Figure: Security game to define the Computational Diffie–Hellman problem

$$\mathrm{Adv}^{\mathrm{DHP}}_{\mathbb{G}}(A) = \Pr[A \text{ wins the DHP game in the group } \mathbb{G}].$$

Decision Diffie-Hellman Problem

Challenger:  b ← {0, 1};  g ← G;  x, y ← Z/qZ;
             if b = 0 then z ← Z/qZ, if b = 1 then z ← x · y;
             X ← g^x, Y ← g^y, Z ← g^z;  send (g, X, Y, Z) to A.
Adversary A: returns b′.
Win if b′ = b
Figure: Security game to define the Decision Diffie–Hellman problem

$$\mathrm{Adv}^{\mathrm{DDH}}_{\mathbb{G}}(A) = 2\cdot\left|\Pr[A \text{ wins the DDH game in } \mathbb{G}] - \frac{1}{2}\right| = \left|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\right|.$$
Security Proof

A security proof is a mathematical proof that an adversary which can win the game with high probability can be turned into something which does something impossible (or believed to be infeasible).

e.g. If A breaks game G then we can construct an algorithm B which factors RSA moduli.

A proof is essentially the algorithm B.

▶ B usually plays the role of the challenger in the security game.
▶ B has to simulate a real environment to A, so A does not think it is just being "used".
A Simple Security Proof
Lemma
The RSA problem is no harder than the FACTOR problem.

In particular, if A is an algorithm which can solve FACTOR for integers of size v, then there is an algorithm B, running in the time of A plus a polynomial amount of extra work, which can solve the RSA problem for integers of size v.

In particular for N a product of two primes we have

$$\mathrm{Adv}^{\mathrm{FACTOR}}_{v}(A) = \mathrm{Adv}^{\mathrm{RSA}}_{v}(B),$$

since B succeeds exactly when A does.

If the RSA problem is hard, then so is FACTOR.

▶ What about the other way around?
A Simple Security Proof

To prove this lemma we use the factoring algorithm A to construct the algorithm B.

Given an RSA instance (N, e, y), B first runs A on N to find the factorization N = p · q.

Algorithm B can now compute $\Phi = \phi(N) = (p - 1)(q - 1)$ and then compute

$$d \leftarrow 1/e \pmod{\Phi}.$$

Once d has been computed it is easy to recover x via $x \leftarrow y^d \pmod N$, since for some integer t

$$x^e = y^{e\cdot d} = y^{1 + t\cdot\Phi} = y \pmod N,$$

with the last equality following by Lagrange's Theorem, because $y \in (\mathbb{Z}/N\mathbb{Z})^*$ has order dividing $\Phi$.
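The reduction B can be run as code. The Python below is an added worked example, not material from the slides: trial division stands in for the FACTOR adversary A (it always succeeds, in time about 2^(v/2), matching the earlier slide), and B follows the proof step by step: factor N, compute ϕ(N) and d = e^(-1) mod ϕ(N), output y^d mod N, which the RSA game's winning condition then checks. The parameters p = 1009, q = 1013, e = 65537 are toy values chosen so trial division finishes instantly, and the function names are this example's own.

```python
import random
from math import gcd, isqrt


def trial_division(N):
    """A FACTOR adversary A that always succeeds, in time about sqrt(N) = 2^(v/2).
    Toy only: it makes the reduction concrete, it is not a realistic factoring algorithm."""
    for p in range(2, isqrt(N) + 1):
        if N % p == 0:
            return p, N // p
    return None


def rsa_challenge(p, q, e, rng):
    """The RSA-game challenger: N = p*q and e are fixed, y is drawn uniformly from (Z/NZ)^*."""
    N = p * q
    assert gcd(e, (p - 1) * (q - 1)) == 1, "e must be invertible mod phi(N)"
    while True:
        y = rng.randrange(1, N)
        if gcd(y, N) == 1:
            return N, e, y


def rsa_adversary_B(factor, N, e, y):
    """Algorithm B from the lemma: solve the RSA instance (N, e, y) given a FACTOR adversary."""
    pq = factor(N)
    if pq is None:
        return None                 # B fails exactly when A fails
    p, q = pq
    phi = (p - 1) * (q - 1)         # phi(N) for N = p*q with p != q
    d = pow(e, -1, phi)             # d = 1/e mod phi(N)
    return pow(y, d, N)             # x = y^d, so x^e = y^(ed) = y^(1 + t*phi) = y (mod N)


def rsa_wins(N, e, y, x):
    """The RSA game's winning condition."""
    return x is not None and pow(x, e, N) == y


def empirical_rsa_advantage(p, q, e, trials=50, seed=0):
    """Adv^RSA(B) estimated by playing the game repeatedly against B built from trial_division."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        N, e_, y = rsa_challenge(p, q, e, rng)
        wins += rsa_wins(N, e_, y, rsa_adversary_B(trial_division, N, e_, y))
    return wins / trials


if __name__ == "__main__":
    p, q, e = 1009, 1013, 65537  # constructed toy parameters: a ~20-bit N, nothing like a real modulus
    print("Adv^RSA(B) =", empirical_rsa_advantage(p, q, e))
```

Swapping `trial_division` for any other factoring routine leaves B unchanged, which is the point of the lemma: B's advantage is exactly the advantage of whatever FACTOR adversary it is given.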
Simple Security Proofs

In the exercises you will show that

1. DHP is no harder than DLP.
2. DDH is no harder than DHP.
3. FACTOR and a problem called SQRROOT are equivalent; i.e. if you have an algorithm to solve one then you can solve the other.
Defining Security for a Block Cipher
Defining how hard the problems RSA, DLP etc. are is relatively easy.
▶ They are linked to well defined mathematical problems.
How do we do the same for a block cipher?

In some sense a block cipher is a family $\{F_k\}_{k \in K}$ of functions.

▶ Each function in the family is indexed by a key k.
▶ The key comes from a fixed set K.
▶ Each function maps elements in a domain D to the same domain D.
▶ If you don't know k this mapping should look like a random permutation (i.e. a random bijection)
In other words a block cipher should be a Pseudo-Random Permutation on D, i.e. a PRP.
Defining Security for a Block Cipher
First let's simplify to looking at security for Pseudo-Random Functions, i.e. PRFs.

A PRF is a function family $\{F_k\}_{k \in K}$ such that

▶ Each function in the family is indexed by a key k.
▶ The key comes from a fixed set K.
▶ Each function maps elements in a domain D to a codomain C.
▶ If you don't know k this mapping should look like a random function from D to C.

Why do we talk about PRFs being function families?

▶ Why cannot we just talk about a single pseudo-random function?
Why a Function Family?
Suppose we have a function F : D → C, let's define a security game for this to 'look' random...

Challenger:  b ← {0, 1};  x ← D;  if b = 0 then y ← C, if b = 1 then y ← F(x);  send (x, y) to A, who also knows F.
Adversary A: returns b′.
Win if b′ = b
Figure: First attempt at a security game for a PRF

i.e. can the adversary distinguish this specific function F from a random function?
Why a Function Family?

The reason this fails is that almost always we want to give the adversary the function.

But if A has the function F it can evaluate F on x itself, and so work out whether y = F(x) or whether y is random.

So somehow we need to give the adversary F, but not quite give them F; hence the need for a key.

If we are not giving the adversary F then (in some sense) we are thinking of F as a 'random oracle' (see later).
Second PRF Security Definition
Challenger:  b ← {0, 1};  k ← K;  x ← D;  if b = 0 then y ← C, if b = 1 then y ← F_k(x);  send (x, y) to A, who knows the family {F_k} but not k.
Adversary A: returns b′.
Win if b′ = b
Figure: Second attempt at a security game for a PRF

But now the adversary has too little power: it sees a single pair (x, y) and cannot evaluate F_k itself.

▶ Unless the function family is very simple the adversary has almost no chance of winning.
▶ e.g. the adversary cannot win the above game for the "PRF" given by the one-time pad, F_k(x) = x ⊕ k: for a uniform k the single pair (x, x ⊕ k) is itself uniform, even though two pairs would reveal k immediately.
Giving the Adversary More Power

To give the adversary more power we allow it to ask questions.

▶ We give the adversary an oracle to which it can ask questions.
▶ The oracle answers are provided by the challenger.

In particular instead of giving the adversary a single query, we allow it multiple queries of its own choosing.

The challenger needs to keep track of what answers have been given, in the case when b = 0, i.e. the function is truly random, to ensure the output is consistent with F_k being a function (the same x must always receive the same y).
Final PRF Security Definition
Challenger:  b ← {0, 1};  k ← K;  L ← {}.  A knows the family {F_k}.
Oracle O_{F_k}, on query x ∈ D from A:
    if ∃(x, y′) ∈ L then y ← y′
    else if b = 0 then y ← C
    else y ← F_k(x)
    L ← L ∪ {(x, y)};  return y to A.
Adversary A: after its queries, returns b′.
Win if b′ = b
Figure: The final security game for a PRF

We write

$$\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) = 2\cdot\left|\Pr[A^{O_{F_k}} \text{ wins}] - \frac{1}{2}\right|.$$

Note the superscript to show that A has access to an oracle, which can be called at most q times.
PRP Security Definition
To make a PRP security definition is now easy, we just need to ensure (when b = 0) that the challenger is creating a permutation.

Challenger:  b ← {0, 1};  k ← K;  L ← {}.  A knows the family {F_k}.
Oracle O_{F_k}, on query x ∈ D from A:
    if ∃(x, y′) ∈ L then y ← y′
    else if b = 1 then y ← F_k(x)
    else repeat y ← D until there is no (x′, y) ∈ L    (fresh outputs never collide)
    L ← L ∪ {(x, y)};  return y to A.
Adversary A: after its queries, returns b′.
Win if b′ =
 b
Figure: The security game for a PRP

$$\mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q) = 2\cdot\left|\Pr[A^{O_{F_k}} \text{ wins}] - \frac{1}{2}\right|.$$
PRP Security Definition

We could extend the above game to allow the adversary to query the function backwards.
▶ How would you modify the oracle?
Then the advantage would be

$$\mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q_0, q_1) = 2\cdot\left|\Pr[A^{O_{F_k},\,O_{F_k^{-1}}} \text{ wins}] - \frac{1}{2}\right|,$$

with at most $q_0$ calls to $O_{F_k}$ and $q_1$ calls to $O_{F_k^{-1}}$.

Why would such a definition not necessarily make sense in the case of the PRF definition?
PRF-PRP Switching Lemma
Suppose we have a pseudo-random permutation family $\{F_k\}_K$ and an adversary A.

The API for the PRP and the PRF game is the same.

So we can place A in either game, along with the function family $\{F_k\}_K$.

The question then is whether the adversary can tell the difference.

If there is some difference she will act differently.

▶ Thus her output will be different
So we will see a non-zero value in

$$\left|\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) - \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q)\right|$$

The question is how large can such a difference of Advantages be?
PRF-PRP Switching Lemma
Lemma (PRP-PRF Switching Lemma)

$$\left|\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) - \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q)\right| \le \frac{q^2}{|D|}.$$

Proof
Run A in the PRF game, and let E denote the event that the oracle called by A returns the same value in the codomain for two distinct input values.

The probability of E occurring is, from the birthday bound, at most $q^2/(2\cdot|D|)$.

Thus

$$\begin{aligned}
\Pr[A \text{ wins the PRF game}]
&= \Pr[A \text{ wins the PRF game} \mid E]\cdot\Pr[E] + \Pr[A \text{ wins the PRF game} \mid \neg E]\cdot\Pr[\neg E] \\
&\le \Pr[E] + \Pr[A \text{ wins the PRF game} \mid \neg E] \\
&= \Pr[E] + \Pr[A \text{ wins the PRP game} \mid \neg E] \\
&\le \frac{q^2}{2\cdot|D|} + \Pr[A \text{ wins the PRP game}].
\end{aligned}$$

The third line holds because a random function conditioned on having no collision is distributed exactly as a random permutation, so A sees identically distributed oracle answers in the two games; the last line uses that E never occurs in the PRP game, so conditioning on ¬E changes nothing there.

Proof (cont'd)
W.l.o.g. we can assume
1. $\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) \ge \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q)$,
2. $\Pr[A \text{ wins the PRF game}] \ge 1/2$,
3. $\Pr[A \text{ wins the PRP game}] \ge 1/2$,
so

$$\begin{aligned}
&\mathrm{Adv}^{\mathrm{PRF}}_{\{F_k\}_K}(A; q) - \mathrm{Adv}^{\mathrm{PRP}}_{\{F_k\}_K}(A; q) \\
&\quad= 2\cdot\Bigl(\Pr[A \text{ wins the PRF game}] - \tfrac{1}{2}\Bigr) - 2\cdot\Bigl(\Pr[A \text{ wins the PRP game}] - \tfrac{1}{2}\Bigr) \\
&\quad= 2\cdot\Pr[A \text{ wins the PRF game}] - 1 - 2\cdot\Pr[A \text{ wins the PRP game}] + 1 \\
&\quad= 2\cdot\Pr[A \text{ wins the PRF game}] - 2\cdot\Pr[A \text{ wins the PRP game}] \\
&\quad\le 2\cdot\Bigl(\frac{q^2}{2\cdot|D|} + \Pr[A \text{ wins the PRP game}]\Bigr) - 2\cdot\Pr[A \text{ wins the PRP game}] \qquad\text{(by the bound above)} \\
&\quad= \frac{q^2}{|D|}.
\end{aligned}$$
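The final PRF and PRP games (Slides 28 and 29) and the switching lemma can be exercised concretely. The Python below is an added example and is not part of the slides: it implements the challenger's lazily sampled table L for both the random-function world and the random-permutation world, a harness that measures 2·|Pr[A wins] − 1/2|, and two adversaries. The first shows why a single query was not enough (Slide 26): with two chosen queries it breaks F_k(x) = x ⊕ k with advantage close to one. The second only looks for output collisions; run against a permutation family it has PRP-advantage exactly zero but a PRF-advantage of roughly the birthday probability, and the gap stays below q²/|D| as the lemma requires. The one-byte domain, the family (x + k) mod 256 and all names are constructed for illustration.

```python
import random


class RandomFunctionOracle:
    """The b = 0 world of the PRF game: a lazily sampled random function D -> C.
    The table L records past answers so repeated queries stay consistent."""
    def __init__(self, size, rng):
        self.L, self.size, self.rng = {}, size, rng

    def query(self, x):
        if x not in self.L:
            self.L[x] = self.rng.randrange(self.size)
        return self.L[x]


class RandomPermutationOracle:
    """The b = 0 world of the PRP game: a lazily sampled random permutation of D.
    A fresh output is resampled until it is unused, so distinct inputs never collide."""
    def __init__(self, size, rng):
        self.L, self.used, self.size, self.rng = {}, set(), size, rng

    def query(self, x):
        if x not in self.L:
            y = self.rng.randrange(self.size)
            while y in self.used:
                y = self.rng.randrange(self.size)
            self.L[x] = y
            self.used.add(y)
        return self.L[x]


def advantage(family, keyspace, adversary, ideal_oracle, size, trials=2000, seed=0):
    """2|Pr[A wins] - 1/2| over 'trials' runs of the game whose b = 0 world is ideal_oracle.
    b alternates so both worlds are played equally often. The adversary is a function that
    takes the oracle (a callable) and returns its guess b'."""
    rng = random.Random(seed)
    wins = 0
    for i in range(trials):
        b = i % 2
        if b == 1:
            k = rng.choice(keyspace)
            oracle = lambda x, k=k: family(k, x)    # the real F_k
        else:
            oracle = ideal_oracle(size, rng).query  # truly random function / permutation
        wins += (adversary(oracle) == b)
    return abs(2 * wins / trials - 1)


D = 256  # D = C = {0, ..., 255}: one-byte blocks, deliberately tiny so birthday effects are visible


def xor_family(k, x):
    return x ^ k            # the 'one-time pad' function family F_k(x) = x XOR k


def add_family(k, x):
    return (x + k) % D      # a (very structured) permutation family; only its injectivity matters below


def two_query_xor_distinguisher(oracle):
    # One (x, y) pair is uniform whatever k is, so one query cannot distinguish x XOR k from random.
    # Two chosen queries can: F_k(0) XOR F_k(1) = 1 for every k, but only with probability 1/|C| for a random function.
    return 1 if oracle(0) ^ oracle(1) == 1 else 0


def make_collision_adversary(q):
    # Queries q distinct points and answers 'real F_k' (b' = 1) iff no two outputs collide.
    def adversary(oracle):
        outputs = [oracle(x) for x in range(q)]
        return 1 if len(set(outputs)) == q else 0
    return adversary


if __name__ == "__main__":
    keys = range(D)
    print("PRF advantage, 2-query attack on x XOR k:",
          advantage(xor_family, keys, two_query_xor_distinguisher, RandomFunctionOracle, D))
    coll = make_collision_adversary(16)
    print("PRP advantage, collision adversary      :",
          advantage(add_family, keys, coll, RandomPermutationOracle, D))
    print("PRF advantage, collision adversary      :",
          advantage(add_family, keys, coll, RandomFunctionOracle, D), " (q^2/|D| =", 16 * 16 / D, ")")
```

The collision adversary is exactly the event E of the proof turned into an attacker: it can only win in the PRF game, and only when E happens, so the gap between its two advantages is Pr[E], which the birthday bound caps at q²/(2·|D|).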
Symmetric Key Encryption

The basic idea of symmetric key encryption is:

Message + Shared Secret Key = Ciphertext

Ciphertext + Shared Secret Key = Message

Anyone with the shared secret key can decrypt.

Public Key Encryption

The basic idea of public key encryption is:

Message + Alice’s Public Key = Ciphertext

Ciphertext + Alice’s Private Key = Message

Anyone with Alice’s public key can send Alice a secret message.

But only Alice can decrypt the message, since only Alice has the
private key.

Notation
Symmetric Key Encryption:
We denote the symmetric key by sk.

A message is denoted m, an encryption algorithm is denoted by Enc, a decryption algorithm by Dec, and a ciphertext by c.
▶ $\mathrm{Enc}_{sk}(m) = c$ and $\mathrm{Dec}_{sk}(c) = m$.

Public Key Encryption:

We denote a public/secret key pair (pk, sk).

A message is denoted m, an encryption algorithm is denoted by Enc, a decryption algorithm by Dec, and a ciphertext by c.
▶ $\mathrm{Enc}_{pk}(m) = c$ and $\mathrm{Dec}_{sk}(c) = m$.

In the game pictures that follow the shorthand $e_k$, $d_k$ (symmetric case) and $e_{pk}$, $d_{sk}$ (public key case) is used for Enc and Dec.
Security Goals for Encryption

There are two main security goals

▶ OW: One way security. Can you decrypt a message?
▶ IND: Indistinguishability. Can you learn any information about a message?

The latter is the one we aim for.

The former is what primitives sometimes achieve.
One Time Pad
A famous result of Shannon says that the one-time pad is perfectly secure
▶ An infinitely powerful adversary can learn nothing about the message.
▶ What you can learn with the ciphertext is the same as what you can learn without the ciphertext.
Problem is the One Time Pad is unusable in practice (the key must be as long as the message and must never be reused).

We restrict adversaries to be PPTs

▶ Probabilistic Polynomial Time Turing machines
▶ i.e. A computer program running in a reasonable amount of time.

We can no longer achieve perfect security though.
OW Security: Symmetric Key Case

Perhaps the most basic notion of security could be defined by the following game

Challenger:  k ← KeyGen();  m ← P (the message space);  send c* = e_k(m) to A.
Adversary A: returns m′.
Win if m′ = m

What would be the equivalent picture in the public key case?
Semantic Security
Recall perfect security for One Time Pads..
▶ An infinitely powerful adversary can learn nothing about the message.
▶ What you can learn with the ciphertext is the same as what you can learn without the ciphertext.
Want a similar notion for an adversary with polynomially bounded computing power.

Formally: For all probability distributions on the message space, whatever a passive PPT can compute in polynomial time about the plaintext given the ciphertext, they could also compute without the ciphertext.

i.e. Having the ciphertext does not help one to learn anything about an encrypted message.
IND-Security
Semantic security is hard to get one's head around; luckily it is equivalent to a nice definition called polynomial security or IND.

Suppose that the challenger is given an encryption function f

▶ Defined by some key, i.e. f(m) = e_k(m).
The attacker chooses two messages m_0 and m_1 of equal length.

The challenger gives the attacker a ciphertext c such that

c = f(m_0) or c = f(m_1).

A scheme is polynomially secure if a PPT cannot decide which message c is the encryption of, with probability significantly greater than 0.5.

A scheme that is polynomially secure is often said to have indistinguishability of encryptions (IND).
IND-Security: Symmetric Key Case
It is simpler to present this in terms of pictures representing a game played with the adversary A

Challenger:  b ← {0, 1};  k ← KeyGen().
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_k(m_b) to A.
Adversary A: returns b′.
Win if b′ = b

The ciphertext c* is called the target ciphertext.

Remember we must have |m_0| = |m_1|.

IND-Security (Public Key Case)

For the public key case there is one main difference in the picture: the adversary is given pk at the start.

Challenger:  b ← {0, 1};  (pk, sk) ← KeyGen();  send pk to A.
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_pk(m_b) to A.
Adversary A: returns b′.
Win if b′ = b
Adversarial Powers
IND and OW are definitions of adversarial goals.
▶ They say nothing about what powers we give the adversary
We define powers by giving the adversary access to various oracles.

Passive Attack (PASS)

The adversary is given no oracles (the pictures are as above)

Chosen Plaintext Attack (CPA)

The adversary can obtain the encryption of any message of its choosing.

Chosen Ciphertext Attack (CCA)

The adversary can obtain the decryption of any ciphertext of its choosing, except that it is not allowed to ask for the decryption of the target ciphertext c*.

We say a scheme is IND-PASS, IND-CPA, IND-CCA, OW-PASS, OW-CPA or OW-CCA secure according to the goal and the powers.
Adversarial Powers

Symmetric Case:
Usually we assume that if an adversary has access to the CCA
oracle, then it also has access to a CPA oracle.
▶ Although this is not true in one important case we will see later

Public Key Case:


There is no notion of PASS security in the public key case as the
adversary always has access to a CPA oracle
▶ Why?

IND-CPA Symmetric Case

Challenger:  b ← {0, 1};  k ← KeyGen().
Oracle O_E:  on query m from A, return c = e_k(m).   (available throughout the game)
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_k(m_b) to A.
Adversary A: returns b′.
Win if b′ = b

IND-CCA Symmetric Case

Challenger:  b ← {0, 1};  k ← KeyGen().
Oracle O_E:  on query m from A, return c = e_k(m).
Oracle O_D:  on query c ≠ c* from A, return m = d_k(c).   (both oracles available throughout the game)
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_k(m_b) to A.
Adversary A: returns b′.
Win if b′ = b

IND-CPA Public Key Case

Challenger:  b ← {0, 1};  (pk, sk) ← KeyGen();  send pk to A.   (A can encrypt for itself with pk, so no O_E is needed)
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_pk(m_b) to A.
Adversary A: returns b′.
Win if b′ = b

IND-CCA Public Key Case

Challenger:  b ← {0, 1};  (pk, sk) ← KeyGen();  send pk to A.
Oracle O_D:  on query c ≠ c* from A, return m = d_sk(c).   (available throughout the game)
Adversary A: sends m_0, m_1 to the challenger.
Challenger:  sends c* = e_pk(m_b) to A.
Adversary A: returns b′.
Win if b′ = b
Advantage
We define the advantage of an adversary as (essentially) the difference in the probability that it wins the game over random chance.

$$\mathrm{Adv}^{\mathrm{OW\text{-}XXX}}_{\Pi}(A) = \Pr[A \text{ wins}].$$

There should probably be a 1/|P| subtracted here (the probability of guessing the message outright), but as |P| is usually huge this can be safely ignored.

$$\mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(A) = 2\cdot\left|\Pr[A \text{ wins}] - \frac{1}{2}\right|.$$

A scheme is said to be secure if the respective advantage is small for all PPT adversaries A.
▶ Small here means negligible in the security parameter, i.e. smaller than any inverse polynomial once the parameter is large enough.
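To make the four game pictures and the oracle rules concrete, here is an added Python example (not code from the slides) of the symmetric IND-PASS / IND-CPA / IND-CCA games, with the |m_0| = |m_1| check and a decryption oracle that refuses c*, together with two constructed toy schemes and two adversaries. Both schemes XOR the message with an HMAC-SHA256 keystream (HMAC is assumed to be a PRF here, purely as a convenient stand-in); the first reuses one fixed keystream, so its encryption is deterministic, while the second draws a fresh nonce per message but adds no integrity check. The replay adversary wins IND-CPA against the deterministic scheme with advantage one and has advantage zero against the nonce-based scheme; the bit-flip adversary wins IND-CCA against both. The scheme and adversary names and the two challenge messages are this example's own.

```python
import hashlib
import hmac
import random

NONCE_LEN = 16


def keystream(k, nonce, n):
    """n bytes of keystream from HMAC-SHA256(k, nonce || counter); HMAC-SHA256 is assumed to be a PRF."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class FixedStream:
    """Toy scheme 1 (constructed, insecure): the keystream never changes, so Enc is deterministic."""
    def __init__(self, rng):
        self.k = rng.randbytes(16)

    def enc(self, m):
        return xor(m, keystream(self.k, bytes(NONCE_LEN), len(m)))

    def dec(self, c):
        return xor(c, keystream(self.k, bytes(NONCE_LEN), len(c)))


class NonceStream:
    """Toy scheme 2 (constructed): fresh random nonce per encryption, so Enc is probabilistic,
    but the ciphertext carries no integrity check and can be altered bit by bit."""
    def __init__(self, rng):
        self.k, self.rng = rng.randbytes(16), rng

    def enc(self, m):
        nonce = self.rng.randbytes(NONCE_LEN)
        return nonce + xor(m, keystream(self.k, nonce, len(m)))

    def dec(self, c):
        nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
        return xor(body, keystream(self.k, nonce, len(body)))


def ind_game(scheme_cls, adversary, power, b, rng):
    """One run of the symmetric IND-PASS / IND-CPA / IND-CCA game; returns True iff A wins.
    O_E exists for CPA and CCA, O_D only for CCA, and O_D refuses the target ciphertext c*."""
    scheme = scheme_cls(rng)
    target = {"c": None}
    oracles = {}
    if power in ("CPA", "CCA"):
        oracles["enc"] = scheme.enc
    if power == "CCA":
        def dec(c):
            if c == target["c"]:
                raise ValueError("O_D may not be asked to decrypt c*")
            return scheme.dec(c)
        oracles["dec"] = dec
    m0, m1 = adversary.choose(oracles)
    assert len(m0) == len(m1), "|m0| = |m1| is required"
    target["c"] = scheme.enc((m0, m1)[b])
    return adversary.guess(target["c"], oracles) == b


def ind_advantage(scheme_cls, adversary, power, trials=200, seed=0):
    """2|Pr[A wins] - 1/2|, with b alternating so both worlds are played equally often."""
    rng = random.Random(seed)
    wins = sum(ind_game(scheme_cls, adversary, power, i % 2, rng) for i in range(trials))
    return abs(2 * wins / trials - 1)


M0, M1 = b"attack at dawn!!", b"attack at dusk!!"  # constructed challenge messages of equal length


class ReplayAdversary:
    """IND-CPA attack on every deterministic scheme: re-encrypt m0 through O_E and compare with c*."""
    def choose(self, oracles):
        return M0, M1

    def guess(self, c_star, oracles):
        return 0 if oracles["enc"](M0) == c_star else 1


class BitFlipAdversary:
    """IND-CCA attack on any unauthenticated XOR-stream scheme: flip the last bit of c* (a legal
    query, since c != c*), decrypt it, and check whether m0 with its last bit flipped comes back."""
    def choose(self, oracles):
        return M0, M1

    def guess(self, c_star, oracles):
        c = c_star[:-1] + bytes([c_star[-1] ^ 1])
        m = oracles["dec"](c)
        return 0 if m == M0[:-1] + bytes([M0[-1] ^ 1]) else 1


if __name__ == "__main__":
    print("FixedStream  IND-CPA vs replay  :", ind_advantage(FixedStream, ReplayAdversary(), "CPA"))
    print("NonceStream  IND-CPA vs replay  :", ind_advantage(NonceStream, ReplayAdversary(), "CPA"))
    print("NonceStream  IND-CCA vs bit flip:", ind_advantage(NonceStream, BitFlipAdversary(), "CCA"))
```

The nonce-based scheme survives the replay attack only because it is probabilistic, which is the lesson of the "encryption must be probabilistic" slide; it still loses the CCA game because a single decryption query on a related ciphertext leaks m_b, which is why practice demands authenticated encryption rather than a bare stream cipher.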
LR Oracle
We can capture multi-message attacks by treating the challenge as a set of challenges, via a LR (left-or-right) oracle

Challenger:  b ← {0, 1};  k ← KeyGen().
Oracle O_E:   on query m from A, return c = e_k(m).
Oracle O_LR:  on the i-th query (m_0^(i), m_1^(i)) from A, with |m_0^(i)| = |m_1^(i)|, return c*(i) = e_k(m_b^(i)).
Oracle O_D:   on query c from A with c ≠ c*(i) for every i, return m = d_k(c).
Adversary A: returns b′.
Win if b′ = b

If you only allow one call to the LR oracle then this is the normal IND-CCA game.

LR Oracle
If you allow multiple calls to the LR oracle you can replace the O_E oracle with calls to O_LR(m, m), even for symmetric encryption.

Challenger:  b ← {0, 1};  k ← KeyGen().
Oracle O_LR:  on the i-th query (m_0^(i), m_1^(i)) from A, return c*(i) = e_k(m_b^(i)).
Oracle O_D:   on query c from A with c ≠ c*(i) for every i, return m = d_k(c).
Adversary A: returns b′.
Win if b′ = b

The advantage is denoted by

$$\mathrm{Adv}^{\mathrm{m\text{-}IND\text{-}XXX}}_{\Pi}(A; q_{LR}).$$
Real-or-Random Security
Another (equivalent) method of defining security is RoR security.

The adversary needs to distinguish between seeing an encryption of a message of its choosing, or an encryption of a random message of the same length.

Challenger:  k ← KeyGen();  b ← {0, 1}.
Oracle O_RoR:   on query m ∈ P from A: if b = 0 then m′ ← {0, 1}^{|m|} else m′ ← m;  return c* ← e_k(m′) (and record c*).
Oracle O_{e_k}: on query m ∈ P from A, return c ← e_k(m).
Oracle O_{d_k}: on query c ∈ C from A: if c is a recorded c* then refuse the query; else return m ← d_k(c).
Adversary A: returns b′.
Win if b′ = b
Figure: Security game for symmetric key RoR-CCA

The advantage is denoted by $\mathrm{Adv}^{\mathrm{RoR\text{-}XXX}}_{\Pi}(A; q_{RoR})$.
IND vs LR vs RoR
Theorem
Let A be a poly-time adversary against the IND-XXX security of the symmetric encryption scheme Π, then there is a poly-time adversary B against the m-IND-XXX security of Π, with

$$\mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(A) = \mathrm{Adv}^{\mathrm{m\text{-}IND\text{-}XXX}}_{\Pi}(B; 1).$$

Theorem
Let A be a poly-time adversary against the m-IND-XXX security of the symmetric encryption scheme Π. Then there is a poly-time adversary B against the IND-XXX security of Π, with

$$\mathrm{Adv}^{\mathrm{m\text{-}IND\text{-}XXX}}_{\Pi}(A; q_{LR}) \le q_{LR}\cdot\mathrm{Adv}^{\mathrm{IND\text{-}XXX}}_{\Pi}(B).$$

IND vs LR vs RoR
Theorem
If A is an adversary against RoR-CCA security for a symmetric encryption scheme Π, then we can build an adversary B against m-IND-CCA security of Π with

$$\mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(A; q_{RoR}) = \mathrm{Adv}^{\mathrm{m\text{-}IND\text{-}CCA}}_{\Pi}(B; q_{RoR}).$$

Theorem
If A is an adversary against m-IND-CCA security for a symmetric encryption scheme Π, then we can build an adversary B against RoR-CCA security of Π with

$$\mathrm{Adv}^{\mathrm{m\text{-}IND\text{-}CCA}}_{\Pi}(A; q_{LR}) = 2\cdot\mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(B; q_{LR}).$$
Relations Among Notions
For our other constructions one security notion implies another, or one can find explicit separations:

Symmetric Case:

IND-CCA  ⇒  IND-CPA  ⇒  IND-PASS
   ⇓            ⇓            ⇓
OW-CCA   ⇒  OW-CPA   ⇒  OW-PASS

(each arrow is an implication; none of the reverse implications holds in general)

Hence the strongest notion is IND-CCA.

▶ All modern encryption schemes must provably meet this definition of security.

Relations Among Notions
One security notion implies another:

Public Key Case:

IND-CCA  ⇒  IND-CPA
   ⇓            ⇓
OW-CCA   ⇒  OW-CPA

Hence, again, the strongest notion is IND-CCA.

▶ All modern encryption schemes must provably meet this definition of security.
Showing IND-CCA ⇒ OW-CCA
To see how security proofs work look at the following diagram, in which B plays the IND-CCA game against its own challenger and runs a OW-CCA adversary A as a subroutine:

IND-CCA challenger:  k ← KeyGen();  b ← {0, 1}.
B:  chooses m_0, m_1 ← P uniformly at random and sends them to O_LR, receiving c* = e_k(m_b).
B:  hands c* to A as the OW-CCA target ciphertext.
B:  answers A's O_{e_k} queries by forwarding them to its own O_{e_k}, and A's O_{d_k} queries (on c ≠ c*) by forwarding them to its own O_{d_k}.
A:  outputs its guess m′ for the plaintext of c*.
B:  outputs b′ = 0 if m′ = m_0, and b′ = 1 otherwise.
Figure: Constructing an IND-CCA adversary B from a OW-CCA adversary A
Most Important Lesson

IND-CCA is the de facto security definition we should accept.

Hence encryption must be probabilistic.

▶ Why?

Therefore any IND-CCA algorithm must expand the message space into the ciphertext space.
▶ i.e. Encryption is a one-to-many "function"
Digital Signatures
Another very important public key primitive is the digital signature.

The idea is

Message + Alice’s Private Key = Signature

Message + Signature + Alice’s Public Key = YES/NO

Alice can sign a message using her private key.

Anyone can verify Alice’s signature, since everyone can obtain her
public key.

After verification the verifier is convinced that only Alice could have
produced the signature because
▶ Only Alice knows her private key!

Digital Signatures

On the last slide we described a signature scheme with appendix: the message is an explicit input of the verification algorithm.

Some signature schemes have the property of message recovery: the message is recovered from the signature.

The basic idea is

Message + Alice's Private Key = Signature

Signature + Alice's Public Key = Message or INVALID
Message Authentication Code

A MAC is the symmetric key equivalent of a digital signature.

The idea is

Message + Shared Secret Key = Tag

Message + Tag + Shared Secret Key = YES/NO

Alice can authenticate a message using the shared secret key.

Only someone with the same key can verify this authentication (so, unlike a signature, a tag convinces nobody who does not hold the key).
Notation

Henceforth we denote a public/secret key pair (pk, sk), and a symmetric key by k.

A message is denoted m, the signing algorithm is denoted Sig, the verification algorithm is denoted Verify, the signature is denoted s, the MAC algorithm is denoted Mac and the resulting tag is denoted t.

$\mathrm{Sig}_{sk}(m) = s$
$\mathrm{Verify}_{pk}(s, m) = \mathrm{YES}/\mathrm{NO}$. (For the with-appendix case.)

$\mathrm{Mac}_{k}(m) = t$
$\mathrm{Verify}_{k}(t, m) = \mathrm{YES}/\mathrm{NO}$.
Security of MACs and Digital Signatures
Again we define security via games by giving goals and powers.

There are two types of forgery:

Selective Forgery:
▶ Clearly we require that an attacker should not be able to produce a valid signature on a message of the challenger's choice.
▶ Resisting only this is considered to be a weak notion of security.

Existential Forgery:
▶ A scheme is existentially unforgeable if the adversary cannot produce a valid signature on any new message, even one of its own choice.
Attack Powers
We have just seen some adversarial goals; to form a complete definition we also need attack models.

Passive Attack:
▶ Attacker obtains a public key and some message, signature pairs produced under the corresponding private key.

Adaptive Chosen Message Attack:

▶ Attacker can obtain signatures on messages of its choosing.
▶ It can choose the messages based on what it has already seen - hence adaptive.
▶ Its job is to produce a signature on a new message.

Accepted definition of security:

▶ A signature scheme is deemed secure if it resists existential forgery under an adaptive chosen message attack (EUF-CMA).
MAC Security Game

Challenger:  k ← KeyGen();  L ← ∅.
Oracle O_{Mac_k}:     on query m ∈ P from A: L ← L ∪ {m};  return t ← Mac_k(m).
Oracle O_{Verify_k}:  on query (t, m) ∈ T × P from A: return v ← Verify_k(t, m).
Adversary A: returns (m*, t*).
Win if Verify_k(t*, m*) = valid and m* ∉ L
Figure: Security game for MAC security EUF-CMA

Signature Security Game

Challenger:  (pk, sk) ← KeyGen();  L ← ∅;  send pk to A.
Oracle O_{Sig_sk}:  on query m ∈ P from A: L ← L ∪ {m};  return s ← Sig_sk(m).
Adversary A: returns (m*, s*).
Win if Verify_pk(s*, m*) = valid and m* ∉ L
Figure: Security game for signature security EUF-CMA
(No verification oracle is needed here, since A can verify for itself using pk.)

Strong Existential Unforgeability

This notion applies to both signature and MAC schemes

Winning condition is changed from A winning if she

▶ Outputs a MAC/signature on a new message
to
▶ Outputs a new message/signature pair (so a fresh tag or signature on an already-queried message now also counts).

Strong Existential Unforgeability

Challenger:  k ← KeyGen();  L ← ∅.
Oracle O_{Mac_k}:     on query m ∈ P from A: t ← Mac_k(m);  L ← L ∪ {(t, m)};  return t.
Oracle O_{Verify_k}:  on query (t, m) ∈ T × P from A: return v ← Verify_k(t, m).
Adversary A: returns (m*, t*).
Win if Verify_k(t*, m*) = valid and (t*, m*) ∉ L
Figure: Security game for MAC security sEUF-CMA
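The EUF-CMA and sEUF-CMA MAC games can be run as code. The Python below is an added example and not material from the slides: a game harness that keeps the list L (of messages for EUF-CMA, of (tag, message) pairs for sEUF-CMA) and exposes O_Mac and O_Verify, together with two constructed toy MACs and one adversary for each. The first MAC, Mac_k(m) = m ⊕ k on 16-byte messages, is linear, so three queries yield a valid tag on a fourth, never-queried message (an existential forgery). The second appends a byte that Verify ignores to an HMAC-SHA256 tag; every forgery this admits is on an already-queried message, so it remains EUF-CMA if HMAC is, but it is not sEUF-CMA. The scheme and adversary names and the messages are constructed for illustration.

```python
import hashlib
import hmac
import random


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class LinearMac:
    """Toy MAC (constructed, insecure): Mac_k(m) = m XOR k on 16-byte messages.
    Tags are linear in the message, which the EUF-CMA adversary below exploits."""
    def __init__(self, rng):
        self.k = rng.randbytes(16)

    def mac(self, m):
        assert len(m) == 16
        return xor(m, self.k)

    def verify(self, t, m):
        return hmac.compare_digest(t, self.mac(m))


class SloppyHmac:
    """Toy MAC (constructed): HMAC-SHA256 plus one trailing byte that Verify ignores.
    EUF-CMA holds if HMAC is a good MAC, but sEUF-CMA fails: tags are not unique."""
    def __init__(self, rng):
        self.k = rng.randbytes(16)

    def mac(self, m):
        return hmac.new(self.k, m, hashlib.sha256).digest() + b"\x00"

    def verify(self, t, m):
        return len(t) == 33 and hmac.compare_digest(t[:32], hmac.new(self.k, m, hashlib.sha256).digest())


def forgery_game(scheme_cls, adversary, strong, rng):
    """EUF-CMA (strong=False) or sEUF-CMA (strong=True) game with O_Mac and O_Verify; True iff A wins."""
    scheme = scheme_cls(rng)
    L = set()

    def o_mac(m):
        t = scheme.mac(m)
        L.add((t, m) if strong else m)
        return t

    def o_verify(t, m):
        return scheme.verify(t, m)

    m_star, t_star = adversary(o_mac, o_verify)
    fresh = ((t_star, m_star) not in L) if strong else (m_star not in L)
    return fresh and scheme.verify(t_star, m_star)


def win_rate(scheme_cls, adversary, strong, trials=50, seed=0):
    """Fraction of games won over fresh keys; 1.0 means the forgery works for every key."""
    rng = random.Random(seed)
    return sum(forgery_game(scheme_cls, adversary, strong, rng) for _ in range(trials)) / trials


def linear_forger(o_mac, o_verify):
    """Three queries, then a tag on a fourth, never-queried message: Mac(m1^m2^m3) = t1^t2^t3."""
    ms = [b"\x01" * 16, b"\x02" * 16, b"\x04" * 16]   # constructed messages
    ts = [o_mac(m) for m in ms]
    m_star = xor(xor(ms[0], ms[1]), ms[2])            # = b"\x07" * 16, never sent to O_Mac
    t_star = xor(xor(ts[0], ts[1]), ts[2])
    return m_star, t_star


def tag_mangler(o_mac, o_verify):
    """Asks for a tag on m, then changes the ignored byte: a new (t, m) pair for an old message."""
    m = b"pay 10 EUR to Bob"                           # constructed message
    t = o_mac(m)
    t_star = t[:-1] + b"\xff"
    assert o_verify(t_star, m)                        # the verify oracle accepts the mangled tag
    return m, t_star


if __name__ == "__main__":
    print("LinearMac   EUF-CMA  forged:", win_rate(LinearMac, linear_forger, strong=False))
    print("SloppyHmac  EUF-CMA  forged:", win_rate(SloppyHmac, tag_mangler, strong=False))
    print("SloppyHmac  sEUF-CMA forged:", win_rate(SloppyHmac, tag_mangler, strong=True))
```

The tag mangler loses the EUF-CMA game only because its message is already in L; under the strong definition the same output wins, which is exactly the gap between the two winning conditions. Non-unique tags of this kind matter in practice wherever a tag or signature is itself used as an identifier or a replay-protection token.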
