Security definitions in computational cryptography



18739A: Foundations of Security and Privacy

Security Definitions in Computational Cryptography

Anupam Datta

CMU

Fall 2009


Cryptographic Concepts

  • Signature scheme

  • Symmetric encryption scheme


Signature Scheme

  • Key generation algorithm

    • Input: security parameter n

    • Output: a private signing & public verification key pair

  • Algorithm to sign data

  • Algorithm to verify signature

  • Correctness:

    • Message signed with a signing key verifies with the corresponding verification key

      verify(m,sign(m,sk(A)), pk(A)) = ok

  • Symbolic Security:

    • A signature cannot be produced without access to the private signing key


UF-CMA Security

[Diagram: game between challenger C and attacker A; labels: mi, sign(mi, sk(C)), sign(m, sk(C))]

UF-CMA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [m ≠mi| A plays by the rules] <= f(n)


Symmetric Encryption Scheme

  • Key generation algorithm

    • Input: security parameter n

    • Output: a key that is used for encryption and decryption

  • Algorithm to encrypt a message

  • Algorithm to decrypt a ciphertext

  • Correctness:

    • Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m

      dec(enc(m,k),k) = m


What is a secure encryption scheme?

  • List of possible properties

    • Given a list of (message, ciphertext) pairs, it should not be possible to recover the key

    • Given ciphertext, it should not be possible to recover plaintext

    • Given ciphertext, it should not be possible to recover 1st bit of plaintext

    • All of the above, but what else?

  • Given ciphertext, adversary should have no information about underlying plaintext (not true because of a priori information)


IND-EAV security definition (eavesdropping attacks)

[Diagram: game between challenger C and attacker A; labels: k, b; m0, m1; enc(k, mb); d]

IND-EAV security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example

  • General sends an encrypted message where the plaintext is either “attack” or “don’t attack”.

  • Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.


IND-CPA security definition (chosen-plaintext attacks)

[Diagram: game between challenger C and attacker A; labels: k, b; mi, enc(k, mi); m0, m1; enc(k, mb); mi, enc(k, mi); d]

IND-CPA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example

  • US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942)

  • Concluded that Japan was planning to attack Midway island, but could not convince top brass

  • Sent out a message saying Midway island was low on water supply

  • Japanese intercepted this message and sent out a message saying “AF” was running low on water supply
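The IND-CPA game above as a runnable sketch, added here as an example and not part of the original slides: challenger C and an attacker A that makes one encryption-oracle query, run against a deterministic and a randomized scheme. Both schemes (HMAC-SHA256 as a stand-in PRF), all function names and the two equal-length sample messages are assumptions made for this example.

```python
import hashlib, hmac, secrets

def prf(k, x):
    # HMAC-SHA256 as a stand-in PRF (assumption); limits messages to 32 bytes
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(k, m):
    # Deterministic scheme: the same m always yields the same ciphertext
    return xor(m, prf(k, b"fixed-pad")[:len(m)])

def enc_rand(k, m):
    # Randomized scheme: fresh 16-byte r per call, ciphertext is r || (m XOR F_k(r))
    r = secrets.token_bytes(16)
    return r + xor(m, prf(k, r)[:len(m)])

def dec_rand(k, c):
    # Correctness: dec(enc(m, k), k) = m
    return xor(c[16:], prf(k, c[:16]))

class Challenger:
    """C in the game: picks key k and bit b, answers oracle and challenge queries."""
    def __init__(self, enc):
        self.enc, self.k, self.b = enc, secrets.token_bytes(32), secrets.randbelow(2)
    def oracle(self, m):             # A sends mi, receives enc(k, mi)
        return self.enc(self.k, m)
    def challenge(self, m0, m1):     # A sends m0, m1, receives enc(k, mb)
        if len(m0) != len(m1):
            raise ValueError("m0 and m1 must have equal length")
        return self.enc(self.k, (m0, m1)[self.b])

def adversary(C):
    """A: one oracle query on m0, then compare it with the challenge ciphertext."""
    m0, m1 = b"attack at dawn!!", b"hold position!!!"   # constructed, 16 bytes each
    c0 = C.oracle(m0)
    return 0 if C.challenge(m0, m1) == c0 else 1        # A's output d

def win_rate(enc, trials=2000):
    """Estimate Prob[d = b] over independent runs of the game."""
    wins = 0
    for _ in range(trials):
        C = Challenger(enc)
        wins += adversary(C) == C.b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", win_rate(enc_det))    # A always wins
    print("randomized:   ", win_rate(enc_rand))   # close to 1/2
```

Against the deterministic scheme the attacker's success probability is 1, so no negligible f(n) can bound it by ½ + f(n); against the randomized scheme this particular attacker does no better than guessing.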


IND-CCA secure encryption (chosen-ciphertext attacks)

[Diagram: game between challenger C and attacker A; labels: k, b; mi or ci, enc(k, mi) or dec(k,ci); m0, m1; enc(k, mb); mi or ci, enc(k, mi) or dec(k,ci); d]

A cannot submit enc(k,mb) to the decryption oracle

IND-CCA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example (public-key version)

  • Network protocols Q1 and Q2

  • Q1

    C B: enc(pk(B), secret, Q1)

  • Q2

    A B: enc(pk(B),nonce, Q2)

    B A: nonce

  • Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)


Questions?

