# Security Definitions in Computational Cryptography

18739A: Foundations of Security and Privacy. Anupam Datta, CMU, Fall 2009.



### Cryptographic Concepts

• Signature scheme
• Symmetric encryption scheme

### Signature Scheme

• Key generation algorithm
  • Input: security parameter n
  • Output: a private signing & public verification key pair
• Algorithm to sign data
• Algorithm to verify signature
• Correctness:
  • Message signed with a signing key verifies with the corresponding verification key

    verify(m, sign(m, sk(A)), pk(A)) = ok

• Symbolic Security:
  • A signature cannot be produced without access to the private signing key
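
### UF-CMA Security

[Diagram: game between challenger C and attacker A. A sends messages mi to C and receives sign(mi, sk(C)); A finally outputs sign(m, sk(C)).]

UF-CMA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob[m ≠ mi | A plays by the rules] ≤ f(n)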

### Symmetric Encryption Scheme

• Key generation algorithm
  • Input: security parameter n
  • Output: a key that is used for encryption and decryption
• Algorithm to encrypt a message
• Algorithm to decrypt a ciphertext
• Correctness:
  • Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m

    dec(enc(m,k),k) = m

### What is a secure encryption scheme?

• List of possible properties
  • Given a list of (message, ciphertext) pairs, it should not be possible to recover the key
  • Given ciphertext, it should not be possible to recover plaintext
  • Given ciphertext, it should not be possible to recover 1st bit of plaintext
• All of the above, but what else?
  • Given ciphertext, adversary should have no information about underlying plaintext (not true because of a priori information)

### IND-EAV security definition (eavesdropping attacks)

[Diagram: game between challenger C, who holds k and b, and attacker A. A sends m0, m1; C replies with enc(k, mb); A outputs a guess d.]

IND-EAV security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob[d = b | A plays by the rules] ≤ ½ + f(n)

### Example

• General sends an encrypted message where the plaintext is either “attack” or “don’t attack”.
• Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.

### IND-CPA security definition (chosen-plaintext attacks)

[Diagram: game between challenger C, who holds k and b, and attacker A. A sends queries mi and receives enc(k, mi), both before and after the challenge; A sends m0, m1 and receives enc(k, mb); A outputs a guess d.]

IND-CPA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob[d = b | A plays by the rules] ≤ ½ + f(n)

### Example

• US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942)
• Concluded that Japan was planning to attack Midway island, but could not convince top brass
• Sent out a message saying Midway island was low on water supply
• Japanese intercepted this message and sent out a message saying “AF” was running low on water supply
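
The IND-CPA game above can be run directly. The following is an added example, not part of the original lecture: the toy HMAC-SHA256 stream cipher and all names (`Challenger`, `adversary`, `win_rate`, `enc_det`, `enc_rand`) are assumptions made for illustration. It shows that an attacker with an encryption oracle wins with probability 1 against a deterministic scheme, while against a randomized scheme the same attacker does no better than ½.

```python
import hashlib, hmac, secrets

def keystream(k, nonce, n):
    # Toy stream cipher for this demo: HMAC-SHA256 in counter mode
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(k, m):
    # Deterministic: fixed nonce, so equal plaintexts give equal ciphertexts
    return xor(m, keystream(k, b"\x00" * 16, len(m)))

def enc_rand(k, m):
    # Randomized: fresh nonce per call, prepended to the ciphertext
    nonce = secrets.token_bytes(16)
    return nonce + xor(m, keystream(k, nonce, len(m)))

class Challenger:
    """C in the game: picks k and b, answers enc(k, mi) and enc(k, mb)."""
    def __init__(self, enc):
        self.enc = enc
        self.k = secrets.token_bytes(32)
        self.b = secrets.randbelow(2)

    def oracle(self, m):
        return self.enc(self.k, m)

    def challenge(self, m0, m1):
        if len(m0) != len(m1):  # assumed rule: challenge messages have equal length
            raise ValueError("m0 and m1 must have equal length")
        return self.enc(self.k, (m0, m1)[self.b])

def adversary(c):
    # A asks the oracle for enc(k, m0), then compares it with the challenge
    m0, m1 = b"attack".ljust(12), b"don't attack"
    known = c.oracle(m0)
    return 0 if c.challenge(m0, m1) == known else 1

def win_rate(enc, trials=2000):
    # Estimate Prob[d = b] over independent runs of the game
    wins = 0
    for _ in range(trials):
        c = Challenger(enc)
        wins += adversary(c) == c.b
    return wins / trials
```
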

### IND-CCA secure encryption (chosen-ciphertext attacks)

[Diagram: game between challenger C, who holds k and b, and attacker A. A sends queries mi or ci and receives enc(k, mi) or dec(k, ci), both before and after the challenge; A sends m0, m1 and receives enc(k, mb); A outputs a guess d.]

A cannot submit enc(k, mb) to the decryption oracle

IND-CCA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob[d = b | A plays by the rules] ≤ ½ + f(n)

### Example (public-key version)

• Network protocols Q1 and Q2
  • Q1

    C → B: enc(pk(B), secret, Q1)

  • Q2

    A → B: enc(pk(B), nonce, Q2)

    B → A: nonce

• Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)