Security Definitions in Computational Cryptography
Anupam Datta, CMU
Fall 2009
18739A: Foundations of Security and Privacy

Cryptographic Concepts
- Signature scheme
- Symmetric encryption scheme

Signature Scheme
- Key generation algorithm
  - Input: security parameter n
  - Output: a private signing & public verification key pair
- Algorithm to sign data
- Algorithm to verify signature
- Correctness: Message signed with a signing key verifies with the corresponding verification key
  verify(m, sign(m, sk(A)), pk(A)) = ok
- Symbolic Security: A signature cannot be produced without access to the private signing key
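
UF-CMA Security
[Figure: UF-CMA game between attacker A and challenger C. A sends messages mi to C and receives sign(mi, sk(C)); A finally outputs sign(m, sk(C)).]
UF-CMA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob [m ≠ mi | A plays by the rules] ≤ f(n)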
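
The UF-CMA game above as runnable code, an added example that is not part of the original slides: the challenger records every queried mi, and the attacker wins only with a valid signature on some m ≠ mi. It assumes a constructed toy RSA key and a hypothetical hash helper `h`; unhashed "textbook" RSA loses the game to a two-query forger, and the same forger fails once the message is hashed before signing.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private signing exponent, sk(C)

def sign(m):
    # Textbook RSA: the message integer is signed directly, no hash or padding.
    return pow(m, D, N)

def verify(m, s):
    return pow(s, E, N) == m % N

def h(m):
    # Hash the message into Z_N before signing (hypothetical helper).
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

def sign_hashed(m):
    return pow(h(m), D, N)

def verify_hashed(m, s):
    return pow(s, E, N) == h(m)

def forger(sign_oracle):
    # Attacker A: two chosen-message queries, then a signature on a new message.
    m1, m2 = 2, 3
    s1, s2 = sign_oracle(m1), sign_oracle(m2)
    # sign(m1) * sign(m2) = (m1 * m2)^D mod N, a valid signature on m1 * m2.
    return (m1 * m2) % N, (s1 * s2) % N

def uf_cma_game(sign_fn, verify_fn, attacker):
    # Challenger C: answers signing queries and records every mi.
    queried = []
    def sign_oracle(m):
        queried.append(m)
        return sign_fn(m)
    m, s = attacker(sign_oracle)
    # A wins only if the signature verifies and m was never queried (m != mi).
    return verify_fn(m, s) and m not in queried

if __name__ == "__main__":
    print("textbook RSA forged:", uf_cma_game(sign, verify, forger))
    print("hash-then-sign forged:", uf_cma_game(sign_hashed, verify_hashed, forger))
```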

Symmetric Encryption Scheme
- Key generation algorithm
  - Input: security parameter n
  - Output: a key that is used for encryption and decryption
- Algorithm to encrypt a message
- Algorithm to decrypt a ciphertext
- Correctness: Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m
  dec(enc(m,k),k) = m

What is a secure encryption scheme?
List of possible properties:
- Given a list of (message, ciphertext) pairs, it should not be possible to recover the key
- Given ciphertext, it should not be possible to recover plaintext
- Given ciphertext, it should not be possible to recover 1st bit of plaintext
- All of the above, but what else?
- Given ciphertext, adversary should have no information about underlying plaintext (not true because of a priori information)
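
IND-EAV security definition (eavesdropping attacks)
[Figure: IND-EAV game between challenger C and attacker A. C holds key k and bit b; A sends m0, m1; C returns enc(k, mb); A outputs a guess d.]
IND-EAV security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob [d = b | A plays by the rules] ≤ ½ + f(n)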

Example
- General sends an encrypted message where the plaintext is either “attack” or “don’t attack”.
- Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.
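
IND-CPA security definition (chosen-plaintext attacks)
[Figure: IND-CPA game between challenger C and attacker A. C holds key k and bit b; A sends m0, m1; C returns enc(k, mb); A outputs a guess d. Before and after the challenge, A may send messages mi and receive enc(k, mi).]
IND-CPA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob [d = b | A plays by the rules] ≤ ½ + f(n)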

Example
- US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942)
- Concluded that Japan was planning to attack Midway island, but could not convince top brass
- Sent out a message saying Midway island was low on water supply
- Japanese intercepted this message and sent out a message saying “AF” was running low on water supply

IND-CCA secure encryption (chosen-ciphertext attacks)
[Figure: IND-CCA game between challenger C and attacker A. C holds key k and bit b; A sends m0, m1; C returns enc(k, mb); A outputs a guess d. Before and after the challenge, A may send mi or ci and receive enc(k, mi) or dec(k, ci).]
A cannot submit enc(k, mb) to the decryption oracle
IND-CCA security: ∀ PPT attackers A ∃ negligible function f ∃ n0 ∀ security parameters n ≥ n0: Prob [d = b | A plays by the rules] ≤ ½ + f(n)

Example (public-key version)
- Network protocols Q1 and Q2
  - Q1: C → B: enc(pk(B), secret, Q1)
  - Q2: A → B: enc(pk(B), nonce, Q2); B → A: nonce
- Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)
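
The IND-CPA and IND-CCA games from the slides above, run against two toy symmetric schemes, as an added example that is not part of the original slides. It assumes SHAKE-256 as a stand-in PRF and pads "attack" to the length of "don't attack"; the deterministic scheme loses the IND-CPA game outright, while the randomized one holds up under chosen plaintexts but loses the IND-CCA game because its ciphertexts are malleable.

```python
import hashlib
import secrets

def pad(k, r, n):
    # Keystream from key and nonce; SHAKE-256 stands in for a PRF (assumption).
    return hashlib.shake_256(k + r).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(k, m):
    # Deterministic: the same (k, m) always gives the same ciphertext.
    return xor(m, pad(k, b"", len(m)))

def enc_rand(k, m):
    # Randomized: fresh 16-byte r per call, sent along with the ciphertext.
    r = secrets.token_bytes(16)
    return r + xor(m, pad(k, r, len(m)))

def dec_rand(k, c):
    return xor(c[16:], pad(k, c[:16], len(c) - 16))

# Constructed challenge messages, padded to equal length (assumption).
M0, M1 = b"attack      ", b"don't attack"

def cpa_adversary(enc_oracle, challenge):
    # Ask the encryption oracle for enc(k, m0) and compare with the challenge.
    return 0 if enc_oracle(M0) == challenge else 1

def cca_adversary(dec_oracle, challenge):
    # Flip one bit of the challenge; the result is a different ciphertext,
    # so the decryption oracle is allowed to answer it.
    flipped = dec_oracle(challenge[:-1] + bytes([challenge[-1] ^ 1]))
    return 0 if flipped == M0[:-1] + bytes([M0[-1] ^ 1]) else 1

def win_rate(enc, game, trials=400):
    wins = 0
    for _ in range(trials):
        k, b = secrets.token_bytes(16), secrets.randbelow(2)   # challenger's k, b
        challenge = enc(k, (M0, M1)[b])
        def dec_oracle(c):
            if c == challenge:            # rule: enc(k, mb) itself is off limits
                raise ValueError("challenge ciphertext submitted")
            return dec_rand(k, c)
        if game == "cpa":
            d = cpa_adversary(lambda m: enc(k, m), challenge)
        else:
            d = cca_adversary(dec_oracle, challenge)
        wins += (d == b)
    return wins / trials                   # estimate of Prob[d = b]
```

`win_rate(enc_det, "cpa")` and `win_rate(enc_rand, "cca")` both return 1.0, while `win_rate(enc_rand, "cpa")` stays near ½ for this adversary.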
Questions?