\xcalways\section{Introduction to Encryption}\x

\xcalways\subsection{Security notions and attacks}\x

\begin{slide}
  \head{Security notions for encryption}

  What does it mean to say that an encryption scheme is secure?
\end{slide}

\begin{slide}
  \topic{adversarial goals}
  \resetseq
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Indistinguishability (find-then-guess)] The adversary chooses two
    plaintexts.  One is selected at random, and the ciphertext is returned.
    The adversary cannot guess which plaintext was chosen with probability
    significantly better than $\frac{1}{2}$.
  \item [Semantic security] An adversary given a ciphertext cannot compute
    anything about the plaintext that it couldn't compute given only its
    length.
  \end{description}
\end{slide}

\begin{slide}
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Indistinguishability (left-or-right)] The adversary is given an
    oracle which accepts two plaintexts.  Before the game begins, a decision
    is taken as to whether the oracle returns the result of encrypting the
    `left' plaintext, or the `right' one.  The adversary cannot guess which
    with probability significantly better than $\frac{1}{2}$.
  \item [Indistinguishability (real-or-random)] The adversary is given an
    oracle.  Before the game begins, a decision is taken as to whether the
    oracle correctly encrypts the plaintexts it is given (`real') or whether
    it returns a ciphertext for a randomly chosen plaintext of the same
    length (`random').  The adversary cannot guess which with probability
    significantly better than $\frac{1}{2}$.
  \end{description}
\end{slide}

\begin{slide}
  \head{Encryption: adversarial goals \seq}

  \begin{description}
  \item [Non-malleability] An adversary cannot transform a ciphertext such
    that the plaintexts of the two ciphertexts are related, with better than
    negligible probability.
  \item [Plaintext awareness] An adversary cannot create a ciphertext without
    `knowing' (or easily being able to find out) the corresponding plaintext
    (or knowing that the ciphertext is invalid), except with negligible
    probability.
  \end{description}
\end{slide}

\begin{slide}
  \topic{types of attacks}
  \head{Encryption: types of attacks}

  \begin{description}
  \item [Chosen plaintext] The adversary may encrypt plaintexts of its
    choice.  In the asymmetric setting, it is given a public key; in the
    symmetric setting, it is provided with an encryption oracle.
  \item [Chosen ciphertext (lunchtime)] (Find-then-guess, semantic security
    and non-malleability) As with chosen plaintext, but the adversary is
    given an oracle which can decrypt ciphertexts during its first stage.
  \item [Adaptive chosen ciphertexts] As with standard chosen ciphertexts,
    except that the adversary is given the decryption oracle for its entire
    run.  The adversary is forbidden from using the oracle to decrypt
    ciphertexts which it is required to distinguish.
  \end{description}
\end{slide}
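
The left-or-right game in the symmetric chosen-plaintext setting, as an added example that is not part of the original slides: it runs the game against a deterministic toy cipher and a randomized one, with an adversary that repeats a plaintext to detect which side the oracle encrypts. The cipher construction, function names and sample messages are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

def keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc_deterministic(key, m):
    # Fixed nonce: the same plaintext always yields the same ciphertext.
    ks = keystream(key, b"\x00" * 16, len(m))
    return bytes(a ^ b for a, b in zip(m, ks))

def enc_randomized(key, m):
    # Fresh random nonce per call, sent alongside the ciphertext.
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(m))
    return nonce + bytes(a ^ b for a, b in zip(m, ks))

def lor_game(encrypt, adversary):
    """Play one left-or-right game; True if the adversary guesses the side."""
    key = os.urandom(32)
    side = secrets.randbits(1)        # decided before the game begins
    def oracle(left, right):
        if len(left) != len(right):
            raise ValueError("plaintexts must have equal length")
        return encrypt(key, right if side else left)
    return adversary(oracle) == side

def repeat_adversary(oracle):
    # Constructed sample plaintexts of equal length.
    m0, m1 = b"attack at dawn!!", b"retreat at dusk!"
    c_ref = oracle(m0, m0)            # encrypts m0 whichever side was chosen
    c = oracle(m0, m1)                # encrypts m0 only if the side is 'left'
    return 0 if c == c_ref else 1

def win_rate(encrypt, adversary, trials=2000):
    return sum(lor_game(encrypt, adversary) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic:", win_rate(enc_deterministic, repeat_adversary))
    print("randomized:   ", win_rate(enc_randomized, repeat_adversary))
```

Against the deterministic cipher the adversary always wins, so that scheme is not IND-CPA; against the randomized one this particular adversary does no better than guessing, which shows that this attack fails, not that the toy scheme is secure.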

\begin{slide}
  \topic{funny abbreviations}
  \head{Funny abbreviations}

  The attack goals are given abbreviations: IND, NM, PA for
  indistinguishability, non-malleability and plaintext awareness.

  The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen
  plaintext, chosen ciphertext and adaptive chosen ciphertext.

  Hence, IND-CPA means `indistinguishable under chosen plaintext attack',
  NM-CCA2 means `non-malleable under adaptive chosen ciphertext attack'.

  PA stands on its own (but there are two different meanings).
\end{slide}

\endinput

%%% Local Variables:
%%% mode: latex
%%% TeX-master: "ips"
%%% End: