41761fdc |
1 | \xcalways\section{Introduction to Encryption}\x |
2 | |
3 | \xcalways\subsection{Security notions and attacks}\x |
4 | |
41761fdc |
5 | \begin{slide} |
6 | \head{Security notions for encryption} |
7 | |
8 | What does it mean to say that an encryption scheme is secure? |
9 | \end{slide} |
10 | |
11 | \begin{slide} |
12 | \topic{adversarial goals} |
53aa10b5 |
13 | \resetseq |
14 | \head{Encryption: adversarial goals \seq} |
41761fdc |
15 | |
16 | \begin{description} |
17 | \item [Indistinguishability (find-then-guess)] The adversary chooses two |
18 | plaintexts. One is selected at random, and the ciphertext is returned. |
19 | The adversary cannot guess which plaintext was chosen with probability |
20 | significantly better than $\frac{1}{2}$. |
21 | \item [Semantic security] An adversary given a ciphertext cannot compute |
22 | anything about the plaintext that it couldn't compute given only its |
23 | length. |
24 | \end{description} |
25 | \end{slide} |
26 | |
27 | \begin{slide} |
53aa10b5 |
28 | \head{Encryption: adversarial goals \seq} |
41761fdc |
29 | |
30 | \begin{description} |
31 | \item [Indistinguishability (left-or-right)] The adversary is given an |
32 | oracle which accepts two plaintexts. Before the game begins, a decision |
33 | is taken as to whether the oracle returns the result of encrypting the |
34 | `left' plaintext, or the `right' one. The adversary cannot guess which |
35 | with probability significantly better than $\frac{1}{2}$. |
36 | \item [Indistinguishability (real-or-random)] The adversary is given an |
37 | oracle. Before the game begins, a decision is taken as to whether the |
38 | oracle correctly encrypts the plaintexts it is given (`real') or whether |
39 | it returns a ciphertext for a randomly chosen plaintext of the same |
40 | length (`random'). The adversary cannot guess which with probability |
41 | significantly better than $\frac{1}{2}$. |
42 | \end{description} |
43 | \end{slide} |
44 | |
45 | \begin{slide} |
53aa10b5 |
46 | \head{Encryption: adversarial goals \seq} |
41761fdc |
47 | |
48 | \begin{description} |
49 | \item [Non-malleability] An adversary cannot transform a ciphertext such |
50 | that the plaintexts of the two ciphertexts are related, with better than |
51 | negligible probability. |
52 | \item [Plaintext awareness] An adversary cannot create a ciphertext without |
53 | `knowing' (or easily being able to find out) the corresponding plaintext |
54 | (or knowing that the ciphertext is invalid), except with negligible |
55 | probability. |
56 | \end{description} |
57 | \end{slide} |
58 | |
59 | \begin{slide} |
60 | \topic{types of attacks} |
61 | \head{Encryption: types of attacks} |
62 | |
63 | \begin{description} |
64 | \item [Chosen plaintext] The adversary may encrypt plaintexts of its |
65 | choice. In the asymmetric setting, it is given a public key; in the |
66 | symmetric setting, it is provided with an encryption oracle. |
67 | \item [Chosen ciphertext (lunchtime)] (Find-then-guess, semantic security |
68 | and non-malleability) As with chosen plaintext, but the adversary is |
69 | given an oracle which can decrypt ciphertexts during its first stage. |
70 | \item [Adaptive chosen ciphertexts] As with standard chosen ciphertexts, |
71 | except that the adversary is given the decryption oracle for its entire |
72 | run. The adversary is forbidden from using the oracle to decrypt |
73 | ciphertexts which it is required to distinguish. |
74 | \end{description} |
75 | \end{slide} |
76 | |
77 | \begin{slide} |
78 | \topic{funny abbreviations} |
79 | \head{Funny abbreviations} |
80 | |
81 | The attack goals are given abbreviations: IND, NM, PA for |
82 | indistinguishability, non-malleability and plaintext awareness. |
83 | |
84 | The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen |
85 | plaintext, chosen ciphertext and adaptive chosen ciphertext. |
86 | |
87 | Hence, IND-CPA means `indistinguishable under chosen plaintext attack', |
88 | NM-CCA2 means `non-malleable under chosen ciphertext attack'. |
89 | |
90 | PA stands on its own (but there are two different meanings). |
91 | \end{slide} |
92 | |
93 | \endinput |
94 | |
95 | %%% Local Variables: |
96 | %%% mode: latex |
97 | %%% TeX-master: "ips" |
98 | %%% End: |