\xcalways\section{Introduction to Encryption}\x

\xcalways\subsection{Security notions and attacks}\x

%%% * Security notions and attacks: semantic security and find-then-
%%% guess indistinguishability; left-or-right and real-or-random
%%% indistinguishability; chosen plaintext and chosen ciphertext
%%% (lunchtime and adaptive) attacks; non-malleability; plaintext
%%% awareness; funny abbreviations (e.g., IND-CPA, NM-CCA2).

\begin{slide}
\head{Security notions for encryption}

What does it mean to say that an encryption scheme is secure?
\end{slide}

\begin{slide}
\topic{adversarial goals}
\head{Encryption: adversarial goals 1}

\begin{description}
\item [Indistinguishability (find-then-guess)] The adversary chooses two
plaintexts. One is selected at random, and the ciphertext is returned.
The adversary cannot guess which plaintext was chosen with probability
significantly better than $\frac{1}{2}$.
\item [Semantic security] An adversary given a ciphertext cannot compute
anything about the plaintext that it couldn't compute given only its
length.
\end{description}
\end{slide}

\begin{slide}
\head{Encryption: adversarial goals 2}

\begin{description}
\item [Indistinguishability (left-or-right)] The adversary is given an
oracle which accepts two plaintexts. Before the game begins, a decision
is taken as to whether the oracle returns the result of encrypting the
`left' plaintext, or the `right' one. The adversary cannot guess which
with probability significantly better than $\frac{1}{2}$.
\item [Indistinguishability (real-or-random)] The adversary is given an
oracle. Before the game begins, a decision is taken as to whether the
oracle correctly encrypts the plaintexts it is given (`real') or whether
it returns a ciphertext for a randomly chosen plaintext of the same
length (`random'). The adversary cannot guess which with probability
significantly better than $\frac{1}{2}$.
\end{description}
\end{slide}

\begin{slide}
\head{Encryption: adversarial goals 3}

\begin{description}
\item [Non-malleability] An adversary cannot transform a ciphertext such
that the plaintexts of the two ciphertexts are related, with better than
negligible probability.
\item [Plaintext awareness] An adversary cannot create a ciphertext without
`knowing' (or easily being able to find out) the corresponding plaintext
(or knowing that the ciphertext is invalid), except with negligible
probability.
\end{description}
\end{slide}

\begin{slide}
\topic{types of attacks}
\head{Encryption: types of attacks}

\begin{description}
\item [Chosen plaintext] The adversary may encrypt plaintexts of its
choice. In the asymmetric setting, it is given a public key; in the
symmetric setting, it is provided with an encryption oracle.
\item [Chosen ciphertext (lunchtime)] (Find-then-guess, semantic security
and non-malleability) As with chosen plaintext, but the adversary is
given an oracle which can decrypt ciphertexts during its first stage.
\item [Adaptive chosen ciphertexts] As with standard chosen ciphertexts,
except that the adversary is given the decryption oracle for its entire
run. The adversary is forbidden from using the oracle to decrypt
ciphertexts which it is required to distinguish.
\end{description}
\end{slide}
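
The left-or-right game under a chosen plaintext attack in the symmetric setting, as an added example that is not part of the original notes: a deterministic scheme loses the game with certainty, while a randomized one leaves the same adversary at probability $\frac{1}{2}$. Both toy schemes, the HMAC-SHA256 keystream and all function names are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

def keystream(key, nonce, n):
    # PRF-based keystream: HMAC-SHA256(key, nonce || counter), truncated to n bytes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key, m):
    # Constructed weak scheme: no nonce, so equal plaintexts give equal ciphertexts.
    return xor(m, keystream(key, b"", len(m)))

def enc_randomized(key, m):
    # Constructed scheme: a fresh random nonce per message is sent with the ciphertext.
    nonce = secrets.token_bytes(16)
    return nonce + xor(m, keystream(key, nonce, len(m)))

def make_lr_oracle(enc):
    # The key and the left/right decision b are fixed before the game begins.
    key, b = secrets.token_bytes(32), secrets.randbelow(2)
    def oracle(left, right):
        if len(left) != len(right):
            raise ValueError("plaintexts must have equal length")
        return enc(key, right if b else left)
    return oracle, b

def adversary(oracle):
    # Query (m0, m0) to learn an encryption of m0, then (m0, m1) to test the side.
    m0, m1 = b"A" * 16, b"B" * 16
    reference = oracle(m0, m0)
    probe = oracle(m0, m1)
    return 0 if probe == reference else 1   # guess: 0 = left, 1 = right

def success_rate(enc, trials=2000):
    # Fraction of independent games in which the adversary's guess equals b.
    wins = 0
    for _ in range(trials):
        oracle, b = make_lr_oracle(enc)
        wins += adversary(oracle) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", success_rate(enc_deterministic))
    print("randomized:   ", success_rate(enc_randomized))
```

Against the randomized scheme the two ciphertexts differ whichever side is in use, so the adversary's fixed guess is right only when the hidden decision happens to be `right'.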

\begin{slide}
\topic{funny abbreviations}
\head{Funny abbreviations}

The attack goals are given abbreviations: IND, NM, PA for
indistinguishability, non-malleability and plaintext awareness.

The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen
plaintext, chosen ciphertext and adaptive chosen ciphertext.

Hence, IND-CPA means `indistinguishable under chosen plaintext attack', and
NM-CCA2 means `non-malleable under adaptive chosen ciphertext attack'.

PA stands on its own (but there are two different meanings).
\end{slide}

\endinput

%%% Local Variables:
%%% mode: latex
%%% TeX-master: "ips"
%%% End: