Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Definitions in Computational Cryptography

Published byRowan Buff Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Definitions in Computational Cryptography"— Presentation transcript:

1 Security Definitions in Computational Cryptography
18739A: Foundations of Security and Privacy Security Definitions in Computational Cryptography Anupam Datta CMU Fall 2009

2 Cryptographic Concepts
Signature scheme Symmetric encryption scheme

3 verify(m,sign(m,sk(A)), pk(A)) = ok
Signature Scheme Key generation algorithm Input: security parameter n Output: a private signing & public verification key pair Algorithm to sign data Algorithm to verify signature Correctness: Message signed with a signing key verifies with the corresponding verification key verify(m,sign(m,sk(A)), pk(A)) = ok Symbolic Security: A signature cannot be produced without access to the private signing key

4 UF-CMA Security C A mi sign(mi, sk(C)) sign(m, sk(C))
UF-CMA: Unforgeability of signatures under chosen message attacks. Attacker makes polynomial number of queries in the first stage. The security parameter determines the length of keys, messages and running times of honest parties and the attacker; everything is typically polynomially bounded in the security paramter. UF-CMA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [m ≠mi | A plays by the rules] <= f(n)

5 Symmetric Encryption Scheme
Key generation algorithm Input: security parameter n Output: a key that is used for encryption and decryption Algorithm to encrypt a message Algorithm to decrypt a ciphertext Correctness: Decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m dec(enc(m,k),k) = m Computational Security: Ciphertext reveals no information about underlying plaintext

6 What is a secure encryption scheme?
List of possible properties Given a list of message, ciphertext pairs, it should not be possible to recover the key Given ciphertext, it should not be possible recover plaintext Given ciphertext, it should not be possible to recover 1st bit of plaintext All of the above, but what else? Given ciphertext, adversary should have no information about underlying plaintext (not true because of apriori information)

7 IND-EAV security definition (eavesdropping attacks)
k, b m0, m1 enc(k, mb) C A IND-CCA1: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage. d IND-EAV security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

8 Example General sends an encrypted message where the plaintext is either “attack” or “don’t attack”. Adversary should not be able to figure out what the plaintext is although she knows that it is one of these two values.

9 IND-CPA security definition (chosen-plaintext attacks)
mi k, b enc(k, mi) m0, m1 enc(k, mb) C A mi enc(k, mi) IND-CCA1: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage. d IND-CPA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

10 Example US Navy cryptanalysts received a ciphertext containing the word “AF” that they believed corresponded to “Midway island” (May, 1942) Concluded that Japan was planning to attack Midway island, but could not convince top brass Sent out a message saying Midway island was low on water supply Japanese intercepted this message and sent out a message saying “AF” was running low on water supply

11 IND-CCA secure encryption (chosen-ciphertext attacks)
mi or ci k, b enc(k, mi) or dec(k,ci) m0, m1 enc(k, mb) C A cannot submit enc(k,mb) to the decryption oracle mi or ci A enc(k, mi) or dec(k,ci) IND-CCA: Indistinguishability under chosen ciphertext attacks. Attacker makes polynomial number of queries in the first stage and third stages. d IND-CCA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n)

12 Example (public-key version)
Network protocols Q1 and Q2 QI C B: enc(pk(B), secret, Q1) Q2 A B: enc(pk(B),nonce, Q2) B A: nonce Adversary A has access to B’s decryption oracle, but should still not be able to learn additional information about C’s secret (e.g., cannot tell whether it is “attack” or “don’t attack”)

13 Questions?

Download ppt "Security Definitions in Computational Cryptography"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.

Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.
CS 395T Formal Models of Cryptography: Symmetric Encryption.

CS 395T Formal Models of Cryptography: Symmetric Encryption.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
7. Asymmetric encryption-

7. Asymmetric encryption-
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

Similar presentations

Ads by Google