Security definitions in computational cryptography
This presentation is the property of its rightful owner.
Sponsored Links
1 / 13

Security Definitions in Computational Cryptography PowerPoint PPT Presentation


  • 99 Views
  • Uploaded on
  • Presentation posted in: General

18739A: Foundations of Security and Privacy. Security Definitions in Computational Cryptography. Anupam Datta CMU Fall 2009. Cryptographic Concepts. Signature scheme Symmetric encryption scheme. Signature Scheme. Key generation algorithm Input: security parameter n

Download Presentation

Security Definitions in Computational Cryptography

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security definitions in computational cryptography

18739A: Foundations of Security and Privacy

Security Definitions in Computational Cryptography

Anupam Datta

CMU

Fall 2009


Cryptographic concepts

Cryptographic Concepts

  • Signature scheme

  • Symmetric encryption scheme


Signature scheme

Signature Scheme

  • Key generation algorithm

    • Input: security parameter n

    • Output: a private signing & public verification key pair

  • Algorithm to sign data

  • Algorithm to verify signature

  • Correctness:

    • Message signed with a signing key verifies with the corresponding verification key

      verify(m,sign(m,sk(A)), pk(A)) = ok

  • Symbolic Security:

    • A signature cannot be produced without access to the private signing key


Uf cma security

UF-CMA Security

mi

sign(mi, sk(C))

C

A

sign(m, sk(C))

UF-CMA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [m ≠mi| A plays by the rules] <= f(n)


Symmetric encryption scheme

Symmetric Encryption Scheme

  • Key generation algorithm

    • Input: security parameter n

    • Output: a key that is used for encryption and decryption

  • Algorithm to encrypt a message

  • Algorithm to decrypt a ciphertext

  • Correctness:

    • Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m

      dec(enc(m,k),k) = m


What is a secure encryption scheme

What is a secure encryption scheme?

  • List of possible properties

    • Given a list of message, ciphertext pairs, it should not be possible to recover the key

    • Given ciphertext, it should not be possible recover plaintext

    • Given ciphertext, it should not be possible to recover 1st bit of plaintext

    • All of the above, but what else?

  • Given ciphertext, adversary should have no information about underlying plaintext (not true because of apriori information)


Ind eav security definition eavesdropping attacks

IND-EAV security definition(eavesdropping attacks)

k, b

m0, m1

enc(k, mb)

C

A

d

IND-EAV security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example

Example

  • General sends an encrypted message where the plaintext is either “attack” or “don’t attack”.

  • Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.


Ind cpa security definition chosen plaintext attacks

IND-CPA security definition (chosen-plaintext attacks)

mi

k, b

enc(k, mi)

m0, m1

enc(k, mb)

C

A

mi

enc(k, mi)

d

IND-CPA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example1

Example

  • US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942)

  • Concluded that Japan was planning to attack Midway island, but could not convince top brass

  • Sent out a message saying Midway island was low on water supply

  • Japanese intercepted this message and sent out a message saying “AF” was running low on water supply


Ind cca secure encryption chosen ciphertext attacks

IND-CCA secure encryption(chosen-ciphertext attacks)

mi or ci

k, b

enc(k, mi) or dec(k,ci)

m0, m1

enc(k, mb)

C

A cannot submit enc(k,mb) to the decryption oracle

A

mi or ci

enc(k, mi) or dec(k,ci)

d

IND-CCA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)


Example public key version

Example (public-key version)

  • Network protocols Q1 and Q2

  • QI

    C B: enc(pk(B), secret, Q1)

  • Q2

    A B: enc(pk(B),nonce, Q2)

    B A: nonce

  • Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)


Security definitions in computational cryptography

Questions?


  • Login