Department of Electrical Engineering, IIT Bombay
August 4, 2023
Historically, cryptographic scheme design was based on heuristics
If any attacks were found on a scheme, it would be modified to resist the attack
Easy to say that a scheme was not secure, but no way to argue that a scheme was secure

Modern approach to cryptography
Formal definitions
Precise assumptions
Proofs of security
Ultimate goal is to prove that a given construction is secure

Formal definitions are essential for the proper design and evaluation of cryptographic primitives
If you don’t understand what you want to achieve, how can you possibly know when (or if) you have achieved it?
A security definition has two components
A security guarantee: what the scheme is intended to prevent the attacker from doing
A threat model: what power the attacker is assumed to have

What should a secure encryption scheme guarantee?
It should be impossible for an attacker to recover the key
It should be impossible for an attacker to recover the plaintext from the ciphertext
It should be impossible for an attacker to recover any character of the plaintext from the ciphertext
Regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext.
What is missing here is a precise mathematical formulation.
How should we capture an attacker’s prior knowledge about the plaintext?
And what does it mean to not leak information?
Answers in upcoming lectures

Threat model: specifies what “power” the attacker is assumed to have
Does not place any restrictions on the adversary’s strategy
Standard threat models in order of increasing power of the attacker
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Chosen-ciphertext attack

Ciphertext-only attack: models the weakest adversary
The adversary just observes one or more ciphertexts
Adversary then attempts to recover information about the underlying plaintexts
This is the threat model assumed in our discussion of classical cryptography

Known-plaintext attack: adversary is able to learn one or more plaintext/ciphertext pairs generated using some key
Adversary then attempts to recover information about the underlying plaintext of some other ciphertext produced using the same key

Chosen-plaintext attack: similar to known-plaintext attack, but now the adversary obtains plaintext/ciphertext pairs for plaintexts it chooses
For completeness, here is the threat model
Adversary is able to learn one or more plaintext/ciphertext pairs generated using some key, where it can choose the plaintext
Adversary then attempts to recover information about the underlying plaintext of some other ciphertext produced using the same key

Chosen-ciphertext attack: in addition to CPA abilities, the adversary is able to obtain the decryption of ciphertexts of its choice
Adversary then attempts to recover information about the underlying plaintext of some other ciphertext produced using the same key
Models an adversary that can tamper with the ciphertexts passing through the channel

Most modern cryptographic schemes cannot be proven secure unconditionally
Proofs of security have to rely on assumptions
These assumptions are widely believed to be true based on theoretical and empirical evidence
Formal definitions and precise assumptions allow us to give proofs of security
A proof of security guarantees that no attacker will succeed, under the security definition and threat model
In the past, unproven schemes have eventually been broken

Warning
If the security guarantee does not match what is needed, or if the threat model does not capture the adversary’s true abilities, the proof may be irrelevant.
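The four threat models listed above, and the warning that a proof is only meaningful under the threat model it was given, as an added Python illustration (this code is not part of the slides or of Katz & Lindell). It assumes a toy scheme, a one-time pad whose key is reused for every fixed-length message; the oracle names, the adversary functions and the sample messages are all assumptions made here. The same scheme is handed to each adversary with exactly the access its threat model grants: the ciphertext-only adversary can rule out nothing, while each stronger model recovers the challenge plaintext, because the deployed scheme (key reuse) is not the scheme the one-time-pad proof talks about.

```python
import os
from typing import Callable, Optional

# Added example (not from the slides). The scheme, oracle names and sample
# messages below are assumptions chosen for illustration.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class ReusedPad:
    """Toy scheme (assumed): a one-time pad whose key is reused for every
    fixed-length message. Perfectly secret when the key is used exactly once
    and the adversary only ever sees that one ciphertext; the reuse is the
    gap between the proof's threat model and what is actually deployed."""

    def __init__(self, msg_len: int, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else os.urandom(msg_len)
        if len(self.key) != msg_len:
            raise ValueError("key must be exactly msg_len bytes")

    def encrypt(self, pt: bytes) -> bytes:
        return xor_bytes(pt, self.key)

    def decrypt(self, ct: bytes) -> bytes:
        return xor_bytes(ct, self.key)


def ciphertext_only_cannot_exclude(challenge: bytes, guess: bytes) -> bool:
    """Ciphertext-only model, single use: the adversary holds nothing but
    `challenge`. Every plaintext of the right length is explained by some key
    (namely challenge XOR guess), so the ciphertext alone rules nothing out."""
    explaining_key = xor_bytes(challenge, guess)
    return ReusedPad(len(challenge), key=explaining_key).decrypt(challenge) == guess


def known_plaintext_adversary(pair: tuple, challenge: bytes) -> bytes:
    """Known-plaintext model: one (plaintext, ciphertext) pair under the same
    key, not chosen by the adversary, is enough to expose the reused pad."""
    pt, ct = pair
    recovered_key = xor_bytes(pt, ct)
    return xor_bytes(challenge, recovered_key)


def chosen_plaintext_adversary(encrypt: Callable[[bytes], bytes], challenge: bytes) -> bytes:
    """Chosen-plaintext model: the adversary picks what gets encrypted.
    An all-zero plaintext makes the encryption oracle return the pad itself."""
    pad = encrypt(bytes(len(challenge)))
    return xor_bytes(challenge, pad)


def chosen_ciphertext_adversary(decrypt: Callable[[bytes], bytes], challenge: bytes) -> bytes:
    """Chosen-ciphertext model: the adversary may decrypt anything except the
    challenge itself, which models tampering with traffic on the channel.
    Flipping every bit gives a different ciphertext whose decryption, with the
    flip undone, is the challenge plaintext: XOR encryption is malleable."""
    mask = b"\xff" * len(challenge)
    tampered = xor_bytes(challenge, mask)
    return xor_bytes(decrypt(tampered), mask)


def run_threat_models(secret: bytes = b"MEET@9PM", known: bytes = b"HELLO123") -> dict:
    """Hand the same scheme to each adversary with exactly the oracle access its
    threat model grants, and report what each one recovers of `secret`."""
    if len(known) != len(secret):
        raise ValueError("toy scheme uses fixed-length messages")
    scheme = ReusedPad(len(secret))
    challenge = scheme.encrypt(secret)

    def decryption_oracle(ct: bytes) -> bytes:
        # Rule of the CCA game: the challenge itself is never decrypted for the adversary.
        if ct == challenge:
            raise ValueError("challenge ciphertext may not be queried")
        return scheme.decrypt(ct)

    return {
        "kpa": known_plaintext_adversary((known, scheme.encrypt(known)), challenge),
        "cpa": chosen_plaintext_adversary(scheme.encrypt, challenge),
        "cca": chosen_ciphertext_adversary(decryption_oracle, challenge),
    }


if __name__ == "__main__":
    ct = ReusedPad(8).encrypt(b"MEET@9PM")
    print("ciphertext-only can exclude 'CANCELED'?", not ciphertext_only_cannot_exclude(ct, b"CANCELED"))
    for model, recovered in run_threat_models().items():
        print(model, recovered)
```

The point of the layering is that each adversary function receives only the oracles its model allows (a pair it did not choose, an encryption oracle, a decryption oracle that refuses the challenge), so the code makes the "increasing power" ordering explicit; the ciphertext-only check returns True for any guess, which is the single-use one-time-pad guarantee, and the reuse is what turns the stronger models from abstract definitions into working attacks, exactly the mismatch the warning slide describes.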
Section 1.4 from Katz & Lindell