[doc/ips] / enc-intro.tex

\xcalways\section{Introduction to Encryption}\x

\xcalways\subsection{Security notions and attacks}\x

\begin{slide}
  \head{Security notions for encryption}

  What does it mean to say that an encryption scheme is secure?
\end{slide}

\begin{slide}
  \topic{adversarial goals}
  \resetseq
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Indistinguishability (find-then-guess)] The adversary chooses two
    plaintexts.  One is selected at random, and the ciphertext is returned.
    The adversary cannot guess which plaintext was chosen with probability
    significantly better than $\frac{1}{2}$.
  \item [Semantic security] An adversary given a ciphertext cannot compute
    anything about the plaintext that it couldn't compute given only its
    length.
  \end{description}
\end{slide}

\begin{slide}
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Indistinguishability (left-or-right)] The adversary is given an
    oracle which accepts two plaintexts.  Before the game begins, a decision
    is taken as to whether the oracle returns the result of encrypting the
    `left' plaintext, or the `right' one.  The adversary cannot guess which
    with probability significantly better than $\frac{1}{2}$.
  \item [Indistinguishability (real-or-random)] The adversary is given an
    oracle.  Before the game begins, a decision is taken as to whether the
    oracle correctly encrypts the plaintexts it is given (`real') or whether
    it returns a ciphertext for a randomly chosen plaintext of the same
    length (`random').  The adversary cannot guess which with probability
    significantly better than $\frac{1}{2}$.
  \end{description}
\end{slide}

\begin{slide}
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Non-malleability] An adversary cannot transform a ciphertext such
    that the plaintexts of the two ciphertexts are related, with better than
    negligible probability.
  \item [Plaintext awareness] An adversary cannot create a ciphertext without
    `knowing' (or easily being able to find out) the corresponding plaintext
    (or knowing that the ciphertext is invalid), except with negligible
    probability.
  \end{description}
\end{slide}

\begin{slide}
  \topic{types of attacks}
  \head{Encryption: types of attacks}

  \begin{description}
  \item [Chosen plaintext] The adversary may encrypt plaintexts of its
    choice.  In the asymmetric setting, it is given a public key; in the
    symmetric setting, it is provided with an encryption oracle.
  \item [Chosen ciphertext (lunchtime)] (Find-then-guess, semantic security
    and non-malleability) As with chosen plaintext, but the adversary is
    given an oracle which can decrypt ciphertexts during its first stage.
  \item [Adaptive chosen ciphertexts] As with standard chosen ciphertexts,
    except that the adversary is given the decryption oracle for its entire
    run.  The adversary is forbidden from using the oracle to decrypt
    ciphertexts which it is required to distinguish.
  \end{description}
\end{slide}

\begin{slide}
  \topic{funny abbreviations}
  \head{Funny abbreviations}

  The attack goals are given abbreviations: IND, NM, PA for
  indistinguishability, non-malleability and plaintext awareness.

  The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen
  plaintext, chosen ciphertext and adaptive chosen ciphertext.

  Hence, IND-CPA means `indistinguishable under chosen plaintext attack',
  NM-CCA2 means `non-malleable under chosen ciphertext attack'.
  
  PA stands on its own (but there are two different meanings).
\end{slide}

\endinput

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: "ips"
%%% End:
Commit	Line	Data
41761fdc	1	\xcalways\section{Introduction to Encryption}\x
	2
	3	\xcalways\subsection{Security notions and attacks}\x
	4
41761fdc	5	\begin{slide}
	6	\head{Security notions for encryption}
	7
	8	What does it mean to say that an encryption scheme is secure?
	9	\end{slide}
	10
	11	\begin{slide}
	12	\topic{adversarial goals}
53aa10b5	13	\resetseq
53aa10b5	14	\head{Encryption: adversarial goals \seq}
41761fdc	15
	16	\begin{description}
	17	\item [Indistinguishability (find-then-guess)] The adversary chooses two
	18	plaintexts. One is selected at random, and the ciphertext is returned.
	19	The adversary cannot guess which plaintext was chosen with probability
	20	significantly better than $\frac{1}{2}$.
	21	\item [Semantic security] An adversary given a ciphertext cannot compute
	22	anything about the plaintext that it couldn't compute given only its
	23	length.
	24	\end{description}
	25	\end{slide}
	26
	27	\begin{slide}
53aa10b5	28	\head{Encryption: adversarial goals \seq}
41761fdc	29
	30	\begin{description}
	31	\item [Indistinguishability (left-or-right)] The adversary is given an
	32	oracle which accepts two plaintexts. Before the game begins, a decision
	33	is taken as to whether the oracle returns the result of encrypting the
	34	`left' plaintext, or the `right' one. The adversary cannot guess which
	35	with probability significantly better than $\frac{1}{2}$.
	36	\item [Indistinguishability (real-or-random)] The adversary is given an
	37	oracle. Before the game begins, a decision is taken as to whether the
	38	oracle correctly encrypts the plaintexts it is given (`real') or whether
	39	it returns a ciphertext for a randomly chosen plaintext of the same
	40	length (`random'). The adversary cannot guess which with probability
	41	significantly better than $\frac{1}{2}$.
	42	\end{description}
	43	\end{slide}
	44
	45	\begin{slide}
53aa10b5	46	\head{Encryption: adversarial goals \seq}
41761fdc	47
	48	\begin{description}
	49	\item [Non-malleability] An adversary cannot transform a ciphertext such
	50	that the plaintexts of the two ciphertexts are related, with better than
	51	negligible probability.
	52	\item [Plaintext awareness] An adversary cannot create a ciphertext without
	53	`knowing' (or easily being able to find out) the corresponding plaintext
	54	(or knowing that the ciphertext is invalid), except with negligible
	55	probability.
	56	\end{description}
	57	\end{slide}
	58
	59	\begin{slide}
	60	\topic{types of attacks}
	61	\head{Encryption: types of attacks}
	62
	63	\begin{description}
	64	\item [Chosen plaintext] The adversary may encrypt plaintexts of its
	65	choice. In the asymmetric setting, it is given a public key; in the
	66	symmetric setting, it is provided with an encryption oracle.
	67	\item [Chosen ciphertext (lunchtime)] (Find-then-guess, semantic security
	68	and non-malleability) As with chosen plaintext, but the adversary is
	69	given an oracle which can decrypt ciphertexts during its first stage.
	70	\item [Adaptive chosen ciphertexts] As with standard chosen ciphertexts,
	71	except that the adversary is given the decryption oracle for its entire
	72	run. The adversary is forbidden from using the oracle to decrypt
	73	ciphertexts which it is required to distinguish.
	74	\end{description}
	75	\end{slide}
	76
	77	\begin{slide}
	78	\topic{funny abbreviations}
	79	\head{Funny abbreviations}
	80
	81	The attack goals are given abbreviations: IND, NM, PA for
	82	indistinguishability, non-malleability and plaintext awareness.
	83
	84	The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen
	85	plaintext, chosen ciphertext and adaptive chosen ciphertext.
	86
	87	Hence, IND-CPA means `indistinguishable under chosen plaintext attack',
	88	NM-CCA2 means `non-malleable under chosen ciphertext attack'.
	89
	90	PA stands on its own (but there are two different meanings).
	91	\end{slide}
	92
	93	\endinput
	94
	95	%%% Local Variables:
	96	%%% mode: latex
	97	%%% TeX-master: "ips"
	98	%%% End: