Professional Documents
Culture Documents
)
Lecture 3
SIM & IND security
Beyond One-Time: CPA security
Computational Indistinguishability
all
ec
R Onetime Encryption
Perfect Secrecy A (2,2)-secret-sharing scheme:
K and Enc(m,K) are shares of m
Key/ Key/
Send Recv Enc Dec
SIM-Onetime
secure if:
"
# s.t.
"
IDEAL=REAL
Env Env
IDEAL REAL
Security of Encryption
Perfect secrecy is too strong for multiple messages (though, as
we shall see later, too weak in some other respects)
Encryption: Randomized
Decryption: Deterministic
Dec: C ×K ³ M
Symmetric-Key Encryption
Security DeÞnitions
IND-CPA &
Multi-msg correctness
c SIM-CPA today
IND-CCA & c
Active/multi-msg correctness
SIM-CCA
Key/ Key/
Send Recv Enc Dec
SIM-CPA
secure if:
"
# s.t.
"
IDEAL j REAL
Env Env
IDEAL To be formalised REAL
Symmetric-Key Encryption
IND-CPA Security IND-CPA +
Experiment picks a random bit b. It also ~correctness
equivalent to
runs KeyGen to get a key K Key/
Enc SIM-CPA
For as long as Adversary wants
Enc(mb,K)
Adv sends two messages m0, m1
mb
to the experiment
But what is j ?
Feasible Computation
In analyzing complexity of algorithms: Rate at which
computational complexity grows with input size
Message size?
Will denote by k
and this to be
Advantage
negligible
Admissible
advantage
Then its advantage
is no more than this
Symmetric-Key Encryption
SIM-CPA Security
Key/ Key/
Send Recv Enc Dec
SIM-CPA
secure if:
" PPT
# PPT s.t.
" PPT
IDEAL j REAL
Env Env
| Pr[IDEAL=0] - Pr[REAL=0] |
IDEAL is negligible REAL
Symmetric-Key Encryption
IND-CPA Security IND-CPA +
Experiment picks a random bit b. It also ~correctness
equivalent to
runs KeyGen to get a key K Key/
Enc SIM-CPA
For as long as Adversary wants
Enc(mb,K)
Adv sends two messages m0, m1
mb
to the experiment
In practice, Òblock-ciphersÓ