Einführung in die Kryptographie

Security Games

1
Key Aspects in Modern Cryptography

• Definitions
– What means that a particular cryptographic mechanism is
secure?
– Modern cryptography is more than just encryption!
• Schemes
– Designing schemes to meet security definitions
– For instance, encryption scheme built on factorization
• Proofs
– Does the design meet the security definitions
– Provable security (reductionist security)
• Ideas from game theory
– From design to elementary building blocks (e.g., factoring large
numbers, secure block cipher)

2
Computational Models of Security

• Perfect security (Shannon)

– information theoretic secure against attacks with infinite
computer power (cf. previous lecture)

• Semantic security
– Secure against attacks with polynomial bounded computer
power, i.e., such an attacker cannot gain any advantage of
guessing the plaintext by knowing the ciphertext

• Indistinguishability security
– Attacker with polynomial bounded computer power cannot relate
ciphertext to one of two alternative plaintexts

3
Security Game (Challenger vs. Adversary)

• Modelling the interaction between challenger and adversary as a game

• Security game between a challenger (“the good”) and an adversary (“the

bad”) whether the adversary can solve a challenge Π
– e.g., decryption of a ciphertext

• Question: what is the probability that the adversary wins 𝑋 given Π

– Advantage of adversary: 𝐴𝑑𝑣Π𝑋 𝐴 = 𝑝 𝐴 𝑤𝑖𝑛𝑠 𝑋

• Goal: for all polytime adversaries A, 𝐴𝑑𝑣Π𝑋 𝐴 is negligible

• Various games or variants of a game represent different levels of security

4
General Design of a Security Game

• Challenger sends a challenge Π to the adversary

• Adversary replies his solution to the challenge
• Oracles provide additional help to the adversary
– Adversary can ask the challenger specific form of questions
– Oracles allows one to scale the difficulty of a challenge

Q
Challenge Π
Oracle
Challenger C Adversary A A

Secrets ProposedSolution

A wins if challenge Π is solved

5
How to Model a Security Game
Consider a pseudo-random function 𝐹,
i.e., sequence 𝐹 0 , 𝐹 1 , 𝐹 2 , … seems to be randomly generated

𝑏 ← 0, 1
F
𝑥 ←𝐷
if 𝑏 = 0 then 𝑦 ← 𝐶
if 𝑏 = 1 then 𝑦 ← 𝐹(𝑥)
𝑥, 𝑦

𝐶 𝑏‘ 𝐴
𝐴 wins if 𝑏‘ = 𝑏 red: secret, not given to 𝐴
blue: public, provided to 𝐴

Does this game appropriately model the situation ?

No, advantage attacker !!!
Attacker receives too much information as he can compute 𝐹(𝑥) and 𝑦

6
Second Try

Consider pseudo-random functions 𝐹𝑘 for 𝑘 ∈ 𝐾

𝑏 ← 0, 1 , 𝑘 ∈ 𝐾
{𝐹𝑘 }𝐾
𝑥 ←𝐷
if 𝑏 = 0 then 𝑦 ← 𝑁
if 𝑏 = 1 then 𝑦 ← 𝐹𝑘(𝑥)
𝑥, 𝑦

𝐶 𝑏‘ 𝐴
𝐴 wins if 𝑏‘ = 𝑏

Does this game now appropriately model the situation ?

No, disadvantage attacker !!!
Attacker receives too less information as he only receives 𝑥, 𝑦 but not 𝑘

7
Last Try

Consider a pseudo-random function F

𝑏 ← 0, 1 , 𝑘 ∈ 𝐾 if ∃ 𝑥, 𝑦 ′ ∈ 𝐿: 𝑦 ← 𝑦 ′
𝑥∈𝐷
{𝐹𝑘 }𝐾 elif 𝑏 = 0: y ← 𝐶
else: 𝑦 ← 𝐹𝑘 𝑥
𝑏‘ 𝐿 ← 𝐿 ∪ {𝑥, 𝑦}
𝑦

𝐶 𝐴 Oracle 𝑶𝐹𝑘
A wins if 𝑏‘ = 𝑏

Does this game now appropriately model the situation ?

YES !!!

8
Negligible Functions

Definition
A function 𝑓 is negligible iff for any polynomial 𝑓′ there is
1
an 𝑁 ∈ 𝑁𝑎𝑡 such that for 𝑛 ≥ 𝑁. 𝑓(𝑛) ≤ holds
𝑓′(𝑛)
1
(i.e., there is a point N from which 𝑓(𝑛) is smaller as for all arguments n
𝑓′(𝑛)
greater or equal than N)

Example: 𝑓(𝑛) = 1 / 2𝑛 ,
Counterexample: 𝑓(𝑛) = 1 / 𝑛2 and 𝑓′ = 𝑛3

Remember:
Probability 𝑝 𝐶 = 𝑐 that a specific ciphertext c occurs is

𝑝 𝐶 = 𝑐 = σ𝑘∈𝐾,𝑐∈𝐶𝑡 𝑘 𝑝 𝐾 = 𝑘 ∙ 𝑝 𝑃 = 𝑑𝑒𝑐𝑘 𝑐
with 𝐶𝑡(𝑘) = { 𝑒𝑛𝑐𝑘 ( 𝑚 ) | 𝑚 ∈ 𝑃 }

9
Semantic Security

Secure against attacks with polynomial bounded computer power, i.e.,

such an attacker cannot gain any advantage of guessing the plaintext
by knowing the ciphertext

• Let 𝑔 ∶ 𝑃 → {0, 1} with 𝑝(𝑔 𝑚 = 1) = 𝑝(𝑔(𝑚) = 0) = ½

and all plaintexts and ciphertexts have same length

Given 𝑐 = 𝑒𝑛𝑐(𝑚) an adversary 𝐴 has to guess 𝑔(𝑚) from 𝑐

Advantage: 𝐴𝑑𝑣ΠSEM (𝐴) = 2 ∙ | 𝑝 ( 𝑔𝑢𝑒𝑠𝑠 𝑐 = 𝑔 𝑑𝑒𝑐𝑘 𝑐 ) − ½ |

A scheme is semantically secure iff 𝐴𝑑𝑣ΠSEM (𝐴) is negligible for all

polynomial-time adversaries A

10
Ciphertext-Only Attack

One-Way-Passive (OW-PASS)

Adversary sees only the ciphertext of a message and has to guess the
corresponding plaintext

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛()
𝑚∗ ← 𝑃
𝑐 ∗ ← 𝑒𝑘 (𝑚∗ ) 𝑐∗
𝑚‘

𝐶 𝐴
𝐴 wins if 𝑚‘ = 𝑚∗

Advantage: 𝐴𝑑𝑣ΠOW−PASS 𝐴 = 𝑝 𝐴 𝑤𝑖𝑛𝑠

Model disadvantages adversary (why?)

11
Chosen-Plaintext Attack Attack

One-Way Chosen Plaintext (OW-CPA)

Attacker sees the ciphertext and must guess the plaintext but additionally
he can ask an oracle 𝑂𝑒𝑘 to encrypt any chosen plaintext

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚∈𝑃 𝑐 ← 𝑒𝑘 (𝑚)

𝑚∗ ← 𝑃 𝑐
𝑐 ∗ ← 𝑒𝑘 (𝑚∗ ) 𝑐 ∗
𝑶𝑒 𝑘
𝑚‘

𝐶 𝐴
𝐴 wins if 𝑚‘ = 𝑚∗

Advantage: 𝐴𝑑𝑣ΠOW−CPA 𝐴 = 𝑝 𝐴 𝑤𝑖𝑛𝑠

Adversary can use oracle as some sort of memory for (other) examples

12
Chosen-Ciphertext Attack

One-Way Chosen Ciphertext (OW-CCA)

Attacker sees the ciphertext 𝑐 ∗ and must guess the plaintext.
He can ask an oracle 𝑶𝑒𝑘 to encrypt any chosen plaintext 𝑚 and
he can ask an oracle 𝑶𝑑𝑘 to decrypt any ciphertext 𝑐 except 𝑐 ∗

𝑚∈𝑃
𝑐 ← 𝑒𝑘 (𝑚)
𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛()
𝑐 𝑶𝑒 𝑘
𝑚∗ ← 𝑃
𝑐 ∗ ← 𝑒𝑘 (𝑚∗ ) 𝑐∗
𝑚‘ if 𝑐 = 𝑐 ∗ : abort
𝑐∈𝐶
𝑚 ← 𝑑𝑘 (𝑐)
𝑐∈𝐶 𝑚
𝐴 wins if 𝑚‘ = 𝑚∗
𝑶𝑑𝑘

Advantage: 𝐴𝑑𝑣Π𝑂𝑊−𝐶𝐶𝐴 𝐴 = 𝑝(𝐴 𝑤𝑖𝑛𝑠)

13
Indistinguishability Security

One-way games distort chances of the adversary when considering

large sets of plaintexts or ciphertexts. Abilities of adversary are
potentially underestimated

Indistinguishability security reduces problem to a binary choice. An

adversary cannot relate ciphertext to one of two alternative plaintexts
• Let 𝑚1 , 𝑚2 ∈ 𝑃 selected by the adversary and 𝑐 the ciphertext of 𝑚𝑖 with 𝑖 ∈
{1,2} chosen in secret by the challenger
Provided with 𝑐 an adversary 𝐴 has to guess 𝑖

Advantage: 𝐴𝑑𝑣ΠIND (𝐴) = 2 ∙ | 𝑝( 𝐴 guesses correct 𝑖) − ½ |

A scheme is indistinguishable secure iff 𝐴𝑑𝑣ΠIND (𝐴) is negligible for all

polynomial-time adversaries A

14
Ciphertext-Only Attack
Indistinguishable Security Game (IND-PASS)

Find stage: the adversary chooses two messages 𝑚0, 𝑚1 of equal length
Guess stage: the adversary receives the ciphertext of one message and
must guess which message was chosen

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚0 , 𝑚1 ∈ 𝑃
𝑐 ← 𝑒𝑘 (𝑚𝑏 )
𝑏 ← {0, 1} 𝑐
𝑶𝐿𝑅
𝑏‘

𝐶 𝐴
𝐴 wins if 𝑏‘ = 𝑏

1
Advantage: 𝐴𝑑𝑣Π𝐼𝑁𝐷−𝑃𝐴𝑆𝑆 𝐴 = 2 ∙ 𝑝 𝐴 𝑤𝑖𝑛𝑠 − 2

15
Chosen-Plaintext Attack
Indistinguishable Security Chosen Plaintext (IND-CPA)

Find stage: the adversary chooses two messages 𝑚0, 𝑚1 of equal length
Guess stage: the adversary receives the ciphertext of one message and
must guess which message was chosen with the help of an encoding oracle

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚0 , 𝑚1 ∈ 𝑃 𝑐 ← 𝑒𝑘 (𝑚𝑏 )
𝑏 ← {0, 1} 𝑐
𝑶𝐿𝑅
𝑏‘ 𝑚∈𝑃 𝑐 ← 𝑒𝑘 (𝑚)
𝑐
𝐶 𝐴 𝑶𝑒 𝑘
𝐴 wins if 𝑏‘ = 𝑏

1
Advantage: 𝐴𝑑𝑣Π𝐼𝑁𝐷−𝐶𝑃𝐴 𝐴 = 2 ∙ 𝑝 𝐴 𝑤𝑖𝑛𝑠 − 2
Notice: need for probabilistic behavior of encryption !

16
Chosen-Ciphertext Attack
Indistinguishable Security Chosen Ciphertext (IND-CCA)

Find stage: the adversary chooses two messages 𝑚0, 𝑚1 of equal length
Guess stage: the adversary receives the ciphertext of one message and
must guess which message was chosen with the help of an en-/decoding
oracle

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚0 , 𝑚1 ∈ 𝑃 𝑐 ← 𝑒𝑘 (𝑚𝑏 ) 𝑶
𝑏 ← {0, 1}
𝑐 𝐿𝑅

𝑚∈𝑃 𝑐 ← 𝑒𝑘 (𝑚) 𝑶𝑒
𝑏‘ 𝑐 𝑘

𝑐∈𝐶 if 𝑐 = 𝑐 ∗ : abort
𝑚
𝑶𝑑𝑘
𝑚 ← 𝑑𝑘 (𝑐)
𝐶 𝐴
𝐴 wins if 𝑏‘ = 𝑏

1
Advantage: 𝐴𝑑𝑣Π𝐼𝑁𝐷−𝐶𝑃𝐴 𝐴 = 2 ∙ 𝑝 𝐴 𝑤𝑖𝑛𝑠 − 2

17
Nonce-Based Encryption

With exception for IND-PASS, IND games can only be won by the
challenger when encryption is „randomized“

Therefore, a plaintext 𝑚 is always enlarged by a fresh nonce 𝑛

(possibly visible to the adversary) before being encrypted
if 𝑛 ∈ 𝑁: abort
𝑁 ← 𝑁 ∪ {𝑛} 𝑶𝐿𝑅
𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚0 , 𝑚1 ∈ 𝑃 𝑐∗ 𝑐 ∗ ← 𝑒𝑘 (𝑚𝑏 ; 𝑛)
𝑏 ← {0, 1}
𝑁← ∅ 𝑚∈𝑃 if 𝑛 ∈ 𝑁: abort
𝑁 ← 𝑁 ∪ {𝑛} 𝑶𝑒 𝑘
𝑏‘ 𝑐 𝑐 ← 𝑒𝑘 (𝑚; 𝑛)
𝑐∈𝐶
if 𝑐 = 𝑐 ∗ : abort
𝐶 𝐴 wins if 𝑏‘ = 𝑏 𝐴 𝑚 𝑚 ← 𝑑𝑘 (𝑐) 𝑶𝑑𝑘

1
Advantage: 𝐴𝑑𝑣Π𝐼𝑁𝐷−𝐶𝑃𝐴 𝐴 = 2 ∙ 𝑝 𝐴 𝑤𝑖𝑛𝑠 − 2

18
RELATIONSHIPS BETWEEN
ALL THE SECURITY GAMES

19
Semantic Security vs. IND Security

Theorem

A system which is IND-PASS secure must be

necessarily OW-PASS secure, i.e., secure against
passive adversaries

20
Relation between OW and IND

• Obviously, it holds (due to the availability of oracles)

IND-CCA ⊆ IND-CPA ⊆ IND-PASS

• Also, IND-XXX ⊆ OW-XXX (with XXX being CCA, CPA, PASS)

𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() B (IND-CCA) 𝑚0 , 𝑚1 ∈ 𝑃
𝑶𝐿𝑅
𝑏 ← {0, 1}
𝑐∗

𝑏′ = 1 𝐴
if 𝑚0 = 𝑚′ (𝑂𝑊−𝐶𝐶𝐴)
then 𝑏 ′ = 0 𝑚‘
𝑏′

𝐵 wins if 𝑏‘ = 𝑏 Break of A results in a break of B !

Hence, we have 𝐴𝑑𝑣ΠOW−CCA 𝐴 ≤ 𝐴𝑑𝑣ΠIND−CCA 𝐴

21
General Technique: Reduction Proofs

How to prove relationships between different games?

Proofs are typically done by reduction
S’

Transformation
Instance of Instance of
problem Π‘ scheme Π

Solution to Π‘
S
Solution to Π

Pattern of such a proof:

• Given an efficient polytime adversary 𝑆 attacking Π with probability (𝑛)
• Define an algorithm 𝑆’ to solve Π‘ using 𝑆 such that
– problem transformation 𝑇 from Π‘ to Π and transformation of the solution
of Π to a solution of Π‘ must be efficient, same distributions of inputs
• If (𝑛) is not negligible and 𝑇 is efficient, then also 𝑆’ breaks Π‘ with non-
negligible probability

22
Real or Random Security Game

Can the adversary distinguish between a random string and the real
ciphertext?
Depending on the secret 𝑏, 𝑶𝑅𝑜𝑅 returns either the encrypted message
(𝑏 = 1) or a random string of same length (𝑏 = 0)

if 𝑏 = 0:
𝑚′ ← {0,1} |𝑚| 𝑶𝑅𝑜𝑅
𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() 𝑚∈𝑃 else 𝑚′ ← 𝑚
𝑏 ← {0, 1}
𝑐∗ 𝑐 ∗ ← 𝑒𝑘 (𝑚′)

𝑚∈𝑃 𝑐 ← 𝑒𝑘 (𝑚) 𝑶𝑒 𝑘
𝑏‘ 𝑐
𝑐∈𝐶 if 𝑐 = 𝑐 ∗ : abort
𝑚
𝑶𝑑𝑘
𝑚 ← 𝑑𝑘 (𝑐)
𝐶 𝐴 wins if 𝑏‘ = 𝑏 𝐴

23
Relation between IND and RoR
Proof by reduction
Break for RoR-XXX will allow for a break of IND-XXX, XXX∈ {PASS, CPA, CCA}
Oracle 𝑂𝑅𝑜𝑅 is simulated by the 𝑂𝐿𝑅 using the original message 𝑚 and a randomly
generated second message 𝑚′

𝑚′, 𝑚
𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛() B (IND-CCA) 𝑚′ ∈ 𝑃 𝑶𝐿𝑅
𝑏 ← {0, 1}
ORoR
𝑚∈𝑃
𝐴
(RoR−𝐶𝐶𝐴)
𝑏′ 𝑏′

𝐵 wins if 𝑏‘ = 𝑏

24
Relation between IND and RoR

• If A is an adversary against RoR-CCA security of Π for a

symmetric encryption scheme, then we can build an adversary B
against IND-CCA security of Π with

𝐴𝑑𝑣ΠRoR−CCA 𝐴 = 𝐴𝑑𝑣ΠIND−CCA 𝐵

• If A is an adversary against IND-CCA security of Π for a

symmetric encryption scheme, then we can build an adversary B
against RoR-CCA security of Π with

𝐴𝑑𝑣ΠIND−CCA 𝐴 = 2 ∙ 𝐴𝑑𝑣ΠRoR−CCA 𝐵

𝑂𝑅𝑜𝑅 returns encryption of 𝑚𝑡 if 𝑏 = 1 and else a random value

𝐴 returns 𝑏‘ as its best guess of 𝑡

25
Relations Among Security Notions

1
IND
RoR CCA 1
CCA 2 OW
1 CCA

1 1
IND 1
Remarks:
CPA
RoR 1
CPA 2 OW
1 CPA • IND-CCA is top-most
1 1 and implies all other
IND 1 notions
RoR
PASS 1 • Labels at the links relate
PASS 2 OW to the loss of security in
XXX
PASS terms of 𝐴𝑑𝑣Π

26