1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
3 Semantic Security (KL3.1, KL3.2)
----------------------------------
In order to formally study secrecy of schemes that use shorter keys
one must somehow incorporate the computational power of an
adversary. One way of doing this is to use concrete bounds:
A scheme is (t,epsilon)-secure if every adversary running for time t
succeeds in breaking the scheme (in the appropriate sense) with
probability at most epsilon.
For example, if we use keys of bit length n and the only possible
attack is by trying out all keys (this happens e.g. with Vernam's
cipher) then assuming that 10^9 keys can be tried out every second
(1GHz) trying out 2^60 operations takes 35years thus several years
even with highly parallel computers. Thus, a 60bit key takes this time
to be broken with certainty, a 64 bit key takes this time to be broken
with probability 1/16 etc. Currently, one recommends key lengths of
128bit (128 *bits of security*) to make the success probability
negligible (e.g. lower than that of a meteor crashing into the device)
and to allow for future technological advances.
Now, working with concrete runtimes and probabilities is difficult and
brittle because of its dependency on concrete hardware configuration,
programming language, implementation details, etc. As a result, one
uses instead an asymptotic approach where runtimes and probabilities
as well as sizes of keys and texts are functions of a *security
parameter* n. One then wants that the success probability of an
adversary whose runtime is polynomial in the security parameter is a
*negligible function* of the security parameter, i.e. smaller than n^k
for any k.
Definition: A private-key encryption scheme is a tuple of
probabilistic polynomial-time algorithms (Gen,Enc,Dec) such that:
1. Gen computes a key (in {0,1}^*) from the security parameter
(presented in unary, i.e. as 1...1 (n times)). We write this as k <-
Gen(n) or k <- Gen(1^n) to emphasize the unary notation.
2. Enc_k(m) and Dec_k(c) are as before, except that m, c are
bitsequences (in {0,1}^*). In particular, we must have Dec_k(Enc_k(m))=m.
A fixed-length private-key encryption scheme is defined analogously,
but there is a function l(n) fixing the length of plaintexts as a
function of the security parameter. Formally, when k is returned from
Gen(n) then Dec_k(m) is defined only for m of length exactly l(n).
For example, the one-time pad can be cast into this framework. Given
the security parameter n, Gen generates a random bit sequence of
length n. One has l(n)=n and Enc_k(m) = m+k etc.
Indistinguishability in the presence of an eavesdropper
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
We now want to adapt the notion of perfect secrecy from above to the
asymptotic framework. An adversary thus also gets the security
parameter n and its runtime must be bounded by a polynomial in n. It
is allowed to use randomization (has access to random bits).
Given a scheme Pi=(Gen,Enc,Dec) and an adversary A the experiment
PrivK^eav_{A,Pi}(n) is now defined as follows:
1. The adversary produces two messages m0, m1 of equal length
and of length l(n) in the case of fixed length.
2. Key k is generated by Gen(n) and a bit b <- {0,1} is
chosen uniformly at random (50/50). The (or rather a) ciphertext
c = Enc_k(m_b) as well as the security parameter n are then given to A.
3. A answers by outputting a bit b'.
4. The output of the experiment is defined 1 if b=b' and 0 otherwise.
Definition: A scheme Pi=(Gen,Enc,Dec) has *indistinguishable
encryptions in the presence of an eavesdropper* if there is a
negligible function negl(n) such that for all adversaries A
Pr[PrivK^eav_{A,Pi}(n) = 1] <= 1/2 + negl(n)
Remark: rather than having the adversary supply m0 and m1 they could
also be universally quantified. Randomizing over m0 and m1 would lead
to a weaker (and unreasonable) definition though.
*Semantic security* proper:
One can show (see 3.2) that this definition is equivalent to other
ones that give even more power to the adversary. The most compelling
one is "semantic security" which assumes an arbitrary probability
distribution on the plaintexts and also partial information on the
plaintexts to be given to the adversary.
We remark that in general proofs of semantic security (in the sense of
the above definition) are constructive in that the negligible function
bounding the probability can be read off as an explicit term. From
this, one can --- possibly after optimizing the constructions used in
the proof --- read off concrete bounds for fixed security parameter n.
|
