Security Definitions in Computational Cryptography - PowerPoint PPT Presentation

1 / 13
About This Presentation
Title:

Security Definitions in Computational Cryptography

Description:

Title: PowerPoint Presentation Last modified by: csd Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show (4:3) Other titles – PowerPoint PPT presentation

Number of Views:25
Avg rating:3.0/5.0
Slides: 14
Provided by: eceCmuEdu4
Category:

less

Transcript and Presenter's Notes

Title: Security Definitions in Computational Cryptography


1
Security Definitions in Computational Cryptography
18739A Foundations of Security and Privacy
  • Anupam Datta
  • CMU
  • Fall 2009

2
Cryptographic Concepts
  • Signature scheme
  • Symmetric encryption scheme

3
Signature Scheme
  • Key generation algorithm
  • Input security parameter n
  • Output a private signing public verification
    key pair
  • Algorithm to sign data
  • Algorithm to verify signature
  • Correctness
  • Message signed with a signing key verifies with
    the corresponding verification key
  • verify(m,sign(m,sk(A)), pk(A)) ok
  • Symbolic Security
  • A signature cannot be produced without access to
    the private signing key

4
UF-CMA Security
mi
sign(mi, sk(C))
C
A
sign(m, sk(C))
UF-CMA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob m ?mi A plays by the rules lt f(n)
5
Symmetric Encryption Scheme
  • Key generation algorithm
  • Input security parameter n
  • Output a key that is used for encryption and
    decryption
  • Algorithm to encrypt a message
  • Algorithm to decrypt a ciphertext
  • Correctness
  • Decrypting a ciphertext obtained by encrypting
    message m with the corresponding key k returns m
  • dec(enc(m,k),k) m

6
What is a secure encryption scheme?
  • List of possible properties
  • Given a list of message, ciphertext pairs, it
    should not be possible to recover the key
  • Given ciphertext, it should not be possible
    recover plaintext
  • Given ciphertext, it should not be possible to
    recover 1st bit of plaintext
  • All of the above, but what else?
  • Given ciphertext, adversary should have no
    information about underlying plaintext (not true
    because of apriori information)

7
IND-EAV security definition(eavesdropping
attacks)
k, b
m0, m1
enc(k, mb)
C
A
d
IND-EAV security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
8
Example
  • General sends an encrypted message where the
    plaintext is either attack or dont attack.
  • Adversary should not be able to figure out what
    the plaintext is although she knows that it is
    one of these two values.

9
IND-CPA security definition (chosen-plaintext
attacks)
mi
k, b
enc(k, mi)
m0, m1
enc(k, mb)
C
A
mi
enc(k, mi)
d
IND-CPA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
10
Example
  • US Navy cryptanalysts received a ciphertext
    containing the word AF that they believed
    corresponded to Midway island (May, 1942)
  • Concluded that Japan was planning to attack
    Midway island, but could not convince top brass
  • Sent out a message saying Midway island was low
    on water supply
  • Japanese intercepted this message and sent out a
    message saying AF was running low on water
    supply

11
IND-CCA secure encryption (chosen-ciphertext
attacks)
mi or ci
k, b
enc(k, mi) or dec(k,ci)
m0, m1
enc(k, mb)
C
A cannot submit enc(k,mb) to the decryption oracle
A
mi or ci
enc(k, mi) or dec(k,ci)
d
IND-CCA security ?? PPT attackers A ? negligible
function f ? n0 ? security parameters n n0
Prob d b A plays by the rules lt ½ f(n)
12
Example (public-key version)
  • Network protocols Q1 and Q2
  • QI
  • C B enc(pk(B), secret, Q1)
  • Q2
  • A B enc(pk(B),nonce, Q2)
  • B A nonce
  • Adversary A has access to Bs decryption oracle,
    but should still not be able to learn additional
    information about Cs secret (e.g., cannot tell
    whether it is attack or dont attack)

13
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com