1 \xcalways\section{Introduction to Encryption
}\x
3 \xcalways\subsection{Security notions and attacks
}\x
5 %%% * Security notions and attacks: semantic security and find-then-
6 %%% guess indistinguishability; left-or-right and real-or-random
7 %%% indistinguishability; chosen plaintext and chosen ciphertext
8 %%% (lunchtime and adaptive) attacks; non-malleability; plaintext
9 %%% awareness; funny abbreviations (e.g., IND-CPA, NM-CCA2).
12 \head{Security notions for encryption
}
14 What does it mean to say that an encryption scheme is secure?
18 \topic{adversarial goals
}
19 \head{Encryption: adversarial goals
1}
22 \item [Indistinguishability (find-then-guess)
] The adversary chooses two
23 plaintexts. One is selected at random, and the ciphertext is returned.
24 The adversary cannot guess which plaintext was chosen with probability
25 significantly better than $
\frac{1}{2}$.
26 \item [Semantic security
] An adversary given a ciphertext cannot compute
27 anything about the plaintext that it couldn't compute given only its
33 \head{Encryption: adversarial goals
2}
36 \item [Indistinguishability (left-or-right)
] The adversary is given an
37 oracle which accepts two plaintexts. Before the game begins, a decision
38 is taken as to whether the oracle returns the result of encrypting the
39 `left' plaintext, or the `right' one. The adversary cannot guess which
40 with probability significantly better than $
\frac{1}{2}$.
41 \item [Indistinguishability (real-or-random)
] The adversary is given an
42 oracle. Before the game begins, a decision is taken as to whether the
43 oracle correctly encrypts the plaintexts it is given (`real') or whether
44 it returns a ciphertext for a randomly chosen plaintext of the same
45 length (`random'). The adversary cannot guess which with probability
46 significantly better than $
\frac{1}{2}$.
51 \head{Encryption: adversarial goals
3}
54 \item [Non-malleability
] An adversary cannot transform a ciphertext such
55 that the plaintexts of the two ciphertexts are related, with better than
56 negligible probability.
57 \item [Plaintext awareness
] An adversary cannot create a ciphertext without
58 `knowing' (or easily being able to find out) the corresponding plaintext
59 (or knowing that the ciphertext is invalid), except with negligible
65 \topic{types of attacks
}
66 \head{Encryption: types of attacks
}
69 \item [Chosen plaintext
] The adversary may encrypt plaintexts of its
70 choice. In the asymmetric setting, it is given a public key; in the
71 symmetric setting, it is provided with an encryption oracle.
72 \item [Chosen ciphertext (lunchtime)
] (Find-then-guess, semantic security
73 and non-malleability) As with chosen plaintext, but the adversary is
74 given an oracle which can decrypt ciphertexts during its first stage.
75 \item [Adaptive chosen ciphertexts
] As with standard chosen ciphertexts,
76 except that the adversary is given the decryption oracle for its entire
77 run. The adversary is forbidden from using the oracle to decrypt
78 ciphertexts which it is required to distinguish.
83 \topic{funny abbreviations
}
84 \head{Funny abbreviations
}
86 The attack goals are given abbreviations: IND, NM, PA for
87 indistinguishability, non-malleability and plaintext awareness.
89 The attack types are given abbreviations too: CPA, CCA1, CCA2 for chosen
90 plaintext, chosen ciphertext and adaptive chosen ciphertext.
92 Hence, IND-CPA means `indistinguishable under chosen plaintext attack',
93 NM-CCA2 means `non-malleable under chosen ciphertext attack'.
95 PA stands on its own (but there are two different meanings).
102 %%% TeX-master: "ips"
~mdw / doc / ips / blob