Download presentation

1
**Security Definitions in Computational Cryptography**

18739A: Foundations of Security and Privacy Security Definitions in Computational Cryptography Anupam Datta CMU Fall 2009

2
**Cryptographic Concepts**

Signature scheme Symmetric encryption scheme

3
**verify(m,sign(m,sk(A)), pk(A)) = ok**

Signature Scheme Key generation algorithm Input: security parameter n Output: a private signing & public verification key pair Algorithm to sign data Algorithm to verify signature Correctness: Message signed with a signing key verifies with the corresponding verification key verify(m,sign(m,sk(A)), pk(A)) = ok Symbolic Security: A signature cannot be produced without access to the private signing key

4
**UF-CMA Security C A mi sign(mi, sk(C)) sign(m, sk(C))**

UF-CMA: Unforgeability of signatures under chosen message attacks. Attacker makes polynomial number of queries in the first stage. The security parameter determines the length of keys, messages and running times of honest parties and the attacker; everything is typically polynomially bounded in the security paramter. UF-CMA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [m ≠mi | A plays by the rules] <= f(n)

5
**Symmetric Encryption Scheme**

Key generation algorithm Input: security parameter n Output: a key that is used for encryption and decryption Algorithm to encrypt a message Algorithm to decrypt a ciphertext Correctness: Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m dec(enc(m,k),k) = m Computational Security: Ciphertext reveals no information about underlying plaintext

6
**What is a secure encryption scheme?**

List of possible properties Given a list of message, ciphertext pairs, it should not be possible to recover the key Given ciphertext, it should not be possible recover plaintext Given ciphertext, it should not be possible to recover 1st bit of plaintext All of the above, but what else? Given ciphertext, adversary should have no information about underlying plaintext (not true because of apriori information)

7
**IND-EAV security definition (eavesdropping attacks)**

k, b m0, m1 enc(k, mb) C A IND-CCA1: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage. d IND-EAV security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

8
Example General sends an encrypted message where the plaintext is either “attack” or “don’t attack”. Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.

9
**IND-CPA security definition (chosen-plaintext attacks)**

mi k, b enc(k, mi) m0, m1 enc(k, mb) C A mi enc(k, mi) IND-CCA1: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage. d IND-CPA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

10
Example US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942) Concluded that Japan was planning to attack Midway island, but could not convince top brass Sent out a message saying Midway island was low on water supply Japanese intercepted this message and sent out a message saying “AF” was running low on water supply

11
**IND-CCA secure encryption (chosen-ciphertext attacks)**

mi or ci k, b enc(k, mi) or dec(k,ci) m0, m1 enc(k, mb) C A cannot submit enc(k,mb) to the decryption oracle mi or ci A enc(k, mi) or dec(k,ci) IND-CCA: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage and third stages. d IND-CCA security: PPT attackers A negligible function f n0 security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

12
**Example (public-key version)**

Network protocols Q1 and Q2 QI C B: enc(pk(B), secret, Q1) Q2 A B: enc(pk(B),nonce, Q2) B A: nonce Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)

13
Questions?

Similar presentations

OK

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To ensure the functioning of the site, we use **cookies**. We share information about your activities on the site with our partners and Google partners: social networks and companies engaged in advertising and web analytics. For more information, see the Privacy Policy and Google Privacy & Terms.
Your consent to our cookies if you continue to use this website.

Ads by Google

Ppt on law against child marriage in afghanistan Ppt on phonetic transcription online Ppt on endangered animals Ppt on review of literature in research Ppt on centring ig Ppt on global financial crisis and its impact on india Chapter 16 dilutive securities and earnings per share ppt online Ppt on regulated dc power supply Ppt on disaster management act 2005 Animated ppt on magnetism powerpoint