140 likes | 293 Views
18739A: Foundations of Security and Privacy. Security Definitions in Computational Cryptography. Anupam Datta CMU Fall 2009. Cryptographic Concepts. Signature scheme Symmetric encryption scheme. Signature Scheme. Key generation algorithm Input: security parameter n
E N D
18739A: Foundations of Security and Privacy Security Definitions in Computational Cryptography Anupam Datta CMU Fall 2009
Cryptographic Concepts • Signature scheme • Symmetric encryption scheme
Signature Scheme • Key generation algorithm • Input: security parameter n • Output: a private signing & public verification key pair • Algorithm to sign data • Algorithm to verify signature • Correctness: • Message signed with a signing key verifies with the corresponding verification key verify(m,sign(m,sk(A)), pk(A)) = ok • Symbolic Security: • A signature cannot be produced without access to the private signing key
UF-CMA Security mi sign(mi, sk(C)) C A sign(m, sk(C)) UF-CMA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [m ≠mi| A plays by the rules] <= f(n)
Symmetric Encryption Scheme • Key generation algorithm • Input: security parameter n • Output: a key that is used for encryption and decryption • Algorithm to encrypt a message • Algorithm to decrypt a ciphertext • Correctness: • Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m dec(enc(m,k),k) = m
What is a secure encryption scheme? • List of possible properties • Given a list of message, ciphertext pairs, it should not be possible to recover the key • Given ciphertext, it should not be possible recover plaintext • Given ciphertext, it should not be possible to recover 1st bit of plaintext • All of the above, but what else? • Given ciphertext, adversary should have no information about underlying plaintext (not true because of apriori information)
IND-EAV security definition(eavesdropping attacks) k, b m0, m1 enc(k, mb) C A d IND-EAV security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)
Example • General sends an encrypted message where the plaintext is either “attack” or “don’t attack”. • Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.
IND-CPA security definition (chosen-plaintext attacks) mi k, b enc(k, mi) m0, m1 enc(k, mb) C A mi enc(k, mi) d IND-CPA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)
Example • US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942) • Concluded that Japan was planning to attack Midway island, but could not convince top brass • Sent out a message saying Midway island was low on water supply • Japanese intercepted this message and sent out a message saying “AF” was running low on water supply
IND-CCA secure encryption(chosen-ciphertext attacks) mi or ci k, b enc(k, mi) or dec(k,ci) m0, m1 enc(k, mb) C A cannot submit enc(k,mb) to the decryption oracle A mi or ci enc(k, mi) or dec(k,ci) d IND-CCA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b| A plays by the rules] <= ½ + f(n)
Example (public-key version) • Network protocols Q1 and Q2 • QI C B: enc(pk(B), secret, Q1) • Q2 A B: enc(pk(B),nonce, Q2) B A: nonce • Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)