Security Games

The document discusses key aspects of modern cryptography including security definitions, schemes, proofs, computational security models, and security games. It defines semantic security, ciphertext-only attacks, chosen-plaintext attacks, chosen-ciphertext attacks, and indistinguishability security.

Uploaded by

hardisnetwork

Introduction to Cryptography

Security Games

Key Aspects in Modern Cryptography

• Definitions
– What does it mean for a particular cryptographic mechanism to be secure?
– Modern cryptography is more than just encryption!
• Schemes
– Designing schemes to meet security definitions
– For instance, an encryption scheme built on factorization
• Proofs
– Does the design meet the security definitions?
– Provable security (reductionist security)
• Ideas from game theory
– From design to elementary building blocks (e.g., factoring large numbers, secure block cipher)

Computational Models of Security

• Perfect security (Shannon)
– Information-theoretically secure against attackers with unlimited computing power (cf. previous lecture)

• Semantic security
– Secure against attackers with polynomially bounded computing power, i.e., such an attacker gains no advantage in guessing the plaintext from knowing the ciphertext

• Indistinguishability security
– An attacker with polynomially bounded computing power cannot relate a ciphertext to one of two alternative plaintexts

Security Game (Challenger vs. Adversary)

• Modelling the interaction between challenger and adversary as a game

• Security game between a challenger (“the good”) and an adversary (“the bad”) over whether the adversary can solve a challenge Π
– e.g., decryption of a ciphertext

• Question: what is the probability that the adversary wins X given Π?
– Advantage of adversary: $\mathrm{Adv}^{X}_{\Pi}(A) = p(A \text{ wins } X)$

• Goal: for all polytime adversaries A, $\mathrm{Adv}^{X}_{\Pi}(A)$ is negligible

• Various games or variants of a game represent different levels of security

General Design of a Security Game

• Challenger sends a challenge Π to the adversary
• Adversary replies with its solution to the challenge
• Oracles provide additional help to the adversary
– The adversary can ask the challenger specific forms of questions
– Oracles allow one to scale the difficulty of a challenge

[Diagram: challenger C, who holds the secrets, sends the challenge Π to adversary A; A sends queries Q to the oracle and gets answers back; A returns its proposed solution to C.]

A wins if challenge Π is solved

How to Model a Security Game

Consider a pseudo-random function F, i.e., the sequence F(0), F(1), F(2), … seems to be randomly generated

F (known to A)
Challenger C:
  b ← {0, 1}
  x ← D
  if b = 0 then y ← C
  if b = 1 then y ← F(x)
C → A: x, y
A → C: b′
A wins if b′ = b

Legend: red: secret, not given to A; blue: public, provided to A

Does this game appropriately model the situation?

No, the attacker has an advantage!
The attacker receives too much information, as he can compute F(x) himself and compare it with y

Second Try

Consider pseudo-random functions F_k for k ∈ K

{F_k}_K (known to A)
Challenger C:
  b ← {0, 1}, k ∈ K
  x ← D
  if b = 0 then y ← N
  if b = 1 then y ← F_k(x)
C → A: x, y
A → C: b′
A wins if b′ = b

Does this game now appropriately model the situation?

No, the attacker is at a disadvantage!
The attacker receives too little information, as he only receives x, y but not k

Last Try

Consider a pseudo-random function F

{F_k}_K (known to A)
Challenger C:
  b ← {0, 1}, k ∈ K
Oracle O_{F_k}, on query x ∈ D from A:
  if ∃ (x, y′) ∈ L: y ← y′
  elif b = 0: y ← C
  else: y ← F_k(x)
  L ← L ∪ {(x, y)}
  return y to A
A → C: b′
A wins if b′ = b

Does this game now appropriately model the situation?

YES!
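The "Last Try" game as runnable code, showing why the oracle keeps the table L. This is an added example, not part of the original slides; truncated HMAC-SHA256 as F_k, the 128-bit range, the `keep_table` switch and the adversary are assumptions made for illustration.

```python
import hashlib, hmac, secrets

OUT = 16  # output length in bytes; the range "C" of the slide is assumed to be {0,1}^128

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for F_k (assumption: truncated HMAC-SHA256)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:OUT]

class Challenger:
    def __init__(self, keep_table: bool = True):
        self.b = secrets.randbits(1)      # secret bit b
        self.k = secrets.token_bytes(32)  # secret key k
        self.L = {}                       # table L of answered queries
        self.keep_table = keep_table      # False = hypothetical game without L

    def oracle(self, x: bytes) -> bytes:
        """O_{F_k}: consistent answers for repeated x, as in the slide."""
        if self.keep_table and x in self.L:
            return self.L[x]
        y = secrets.token_bytes(OUT) if self.b == 0 else F(self.k, x)
        self.L[x] = y
        return y

def repeat_query_adversary(oracle) -> int:
    """Asks for the same x twice; differing answers can only come from b = 0."""
    return 0 if oracle(b"x") != oracle(b"x") else 1

def estimate_advantage(adversary, keep_table: bool, trials: int = 2000) -> float:
    """Empirical 2*|p(A wins) - 1/2|, the normalisation the page uses for IND games."""
    wins = 0
    for _ in range(trials):
        c = Challenger(keep_table)
        wins += adversary(c.oracle) == c.b
    return 2 * abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("with table L   :", estimate_advantage(repeat_query_adversary, True))
    print("without table L:", estimate_advantage(repeat_query_adversary, False))
```

Without the table, a repeated query separates the random case from F_k at once; with it, this adversary does no better than guessing.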

Negligible Functions

Definition
A function $f$ is negligible iff for any polynomial $f'$ there is an $N \in \mathrm{Nat}$ such that $f(n) \le \frac{1}{f'(n)}$ holds for all $n \ge N$
(i.e., there is a point $N$ from which $f(n)$ is smaller than $\frac{1}{f'(n)}$ for all arguments $n$ greater than or equal to $N$)

Example: $f(n) = 1/2^n$
Counterexample: $f(n) = 1/n^2$ and $f' = n^3$

Remember:
The probability $p(C = c)$ that a specific ciphertext $c$ occurs is

$p(C = c) = \sum_{k \in K,\; c \in Ct(k)} p(K = k) \cdot p(P = dec_k(c))$
with $Ct(k) = \{\, enc_k(m) \mid m \in P \,\}$

Semantic Security

Secure against attackers with polynomially bounded computing power, i.e., such an attacker gains no advantage in guessing the plaintext from knowing the ciphertext

• Let g : P → {0, 1} with p(g(m) = 1) = p(g(m) = 0) = ½, and let all plaintexts and ciphertexts have the same length

Given c = enc(m), an adversary A has to guess g(m) from c

Advantage: $\mathrm{Adv}^{\mathrm{SEM}}_{\Pi}(A) = 2 \cdot \left| p\big(guess(c) = g(dec_k(c))\big) - \frac{1}{2} \right|$

A scheme is semantically secure iff $\mathrm{Adv}^{\mathrm{SEM}}_{\Pi}(A)$ is negligible for all polynomial-time adversaries A

Ciphertext-Only Attack

One-Way-Passive (OW-PASS)

The adversary sees only the ciphertext of a message and has to guess the corresponding plaintext

Challenger C:
  k ← KeyGen()
  m* ← P
  c* ← e_k(m*)
C → A: c*
A → C: m′
A wins if m′ = m*

Advantage: $\mathrm{Adv}^{\mathrm{OW\text{-}PASS}}_{\Pi}(A) = p(A \text{ wins})$

The model disadvantages the adversary (why?)

Chosen-Plaintext Attack

One-Way Chosen Plaintext (OW-CPA)

The attacker sees the ciphertext and must guess the plaintext, but additionally he can ask an oracle O_{e_k} to encrypt any chosen plaintext

Challenger C:
  k ← KeyGen()
  m* ← P
  c* ← e_k(m*)
C → A: c*
Oracle O_{e_k}, on query m ∈ P from A:
  c ← e_k(m)
  return c to A
A → C: m′
A wins if m′ = m*

Advantage: $\mathrm{Adv}^{\mathrm{OW\text{-}CPA}}_{\Pi}(A) = p(A \text{ wins})$

The adversary can use the oracle as some sort of memory for (other) examples

Chosen-Ciphertext Attack

One-Way Chosen Ciphertext (OW-CCA)

The attacker sees the ciphertext c* and must guess the plaintext.
He can ask an oracle O_{e_k} to encrypt any chosen plaintext m, and he can ask an oracle O_{d_k} to decrypt any ciphertext c except c*

Challenger C:
  k ← KeyGen()
  m* ← P
  c* ← e_k(m*)
C → A: c*
Oracle O_{e_k}, on query m ∈ P from A:
  c ← e_k(m)
  return c to A
Oracle O_{d_k}, on query c ∈ C from A:
  if c = c*: abort
  m ← d_k(c)
  return m to A
A → C: m′
A wins if m′ = m*

Advantage: $\mathrm{Adv}^{\mathrm{OW\text{-}CCA}}_{\Pi}(A) = p(A \text{ wins})$

Indistinguishability Security

One-way games distort the chances of the adversary when considering large sets of plaintexts or ciphertexts. The abilities of the adversary are potentially underestimated

Indistinguishability security reduces the problem to a binary choice. An adversary cannot relate a ciphertext to one of two alternative plaintexts
• Let m_1, m_2 ∈ P be selected by the adversary and c the ciphertext of m_i with i ∈ {1, 2} chosen in secret by the challenger
Provided with c, an adversary A has to guess i

Advantage: $\mathrm{Adv}^{\mathrm{IND}}_{\Pi}(A) = 2 \cdot \left| p(A \text{ guesses correct } i) - \frac{1}{2} \right|$

A scheme is indistinguishability-secure iff $\mathrm{Adv}^{\mathrm{IND}}_{\Pi}(A)$ is negligible for all polynomial-time adversaries A

Ciphertext-Only Attack
Indistinguishable Security Game (IND-PASS)

Find stage: the adversary chooses two messages m_0, m_1 of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen

Challenger C:
  k ← KeyGen()
  b ← {0, 1}
Oracle O_LR, on query m_0, m_1 ∈ P from A:
  c ← e_k(m_b)
  return c to A
A → C: b′
A wins if b′ = b

Advantage: $\mathrm{Adv}^{\mathrm{IND\text{-}PASS}}_{\Pi}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$

Chosen-Plaintext Attack
Indistinguishable Security Chosen Plaintext (IND-CPA)

Find stage: the adversary chooses two messages m_0, m_1 of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen with the help of an encryption oracle

Challenger C:
  k ← KeyGen()
  b ← {0, 1}
Oracle O_LR, on query m_0, m_1 ∈ P from A:
  c ← e_k(m_b)
  return c to A
Oracle O_{e_k}, on query m ∈ P from A:
  c ← e_k(m)
  return c to A
A → C: b′
A wins if b′ = b

Advantage: $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{\Pi}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$
Notice: need for probabilistic behavior of encryption!

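Chosen-Ciphertext Attack
Indistinguishable Security Chosen Ciphertext (IND-CCA)

Find stage: the adversary chooses two messages m_0, m_1 of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen with the help of an encryption/decryption oracle

Challenger C:
  k ← KeyGen()
  b ← {0, 1}
Oracle O_LR, on query m_0, m_1 ∈ P from A:
  c ← e_k(m_b)
  return c to A (the challenge ciphertext, c* below)
Oracle O_{e_k}, on query m ∈ P from A:
  c ← e_k(m)
  return c to A
Oracle O_{d_k}, on query c ∈ C from A:
  if c = c*: abort
  m ← d_k(c)
  return m to A
A → C: b′
A wins if b′ = b

Advantage: $\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$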

Nonce-Based Encryption

With the exception of IND-PASS, IND games can only be won by the challenger when encryption is “randomized”

Therefore, a plaintext m is always enlarged by a fresh nonce n (possibly visible to the adversary) before being encrypted

Challenger C:
  k ← KeyGen()
  b ← {0, 1}
  N ← ∅
Oracle O_LR, on query m_0, m_1 ∈ P from A:
  if n ∈ N: abort
  N ← N ∪ {n}
  c* ← e_k(m_b; n)
  return c* to A
Oracle O_{e_k}, on query m ∈ P from A:
  if n ∈ N: abort
  N ← N ∪ {n}
  c ← e_k(m; n)
  return c to A
Oracle O_{d_k}, on query c ∈ C from A:
  if c = c*: abort
  m ← d_k(c)
  return m to A
A → C: b′
A wins if b′ = b

Advantage: $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{\Pi}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$
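The IND-CPA game with and without the nonce set N, run against an adversary that replays m_0 through the encryption oracle. This is an added example, not part of the original slides; the toy cipher (XOR with an HMAC-SHA256 pad), the adversary supplying the nonce, and all names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class NonceReuse(Exception):
    """Raised where the slide's oracles say 'abort'."""

def enc(k: bytes, m: bytes, n: bytes) -> bytes:
    """Toy e_k(m; n): XOR with an HMAC-SHA256 pad (assumption; m at most 32 bytes)."""
    pad = hmac.new(k, n, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(m, pad))

class INDCPAChallenger:
    def __init__(self, enforce_nonces: bool):
        self.k = secrets.token_bytes(32)
        self.b = secrets.randbits(1)
        self.N = set()                      # nonces already used
        self.enforce = enforce_nonces       # False = deterministic-style game

    def _use(self, n: bytes) -> None:
        if self.enforce:
            if n in self.N:
                raise NonceReuse(n)
            self.N.add(n)

    def lr(self, m0: bytes, m1: bytes, n: bytes) -> bytes:   # O_LR
        self._use(n)
        return enc(self.k, (m0, m1)[self.b], n)

    def encrypt(self, m: bytes, n: bytes) -> bytes:           # O_{e_k}
        self._use(n)
        return enc(self.k, m, n)

def replay_adversary(ch: INDCPAChallenger) -> int:
    """Re-encrypts m0 and compares with the challenge ciphertext."""
    m0, m1, n = b"attack at dawn!!", b"retreat at dusk!", b"\x00"
    c_star = ch.lr(m0, m1, n)
    try:
        return 0 if ch.encrypt(m0, n) == c_star else 1
    except NonceReuse:
        # Reuse refused: only a fresh nonce is left, and its pad is unrelated.
        return 0 if ch.encrypt(m0, b"\x01") == c_star else 1

def ind_cpa_advantage(enforce_nonces: bool, trials: int = 2000) -> float:
    """Empirical 2*|p(A wins) - 1/2| for the replay adversary."""
    wins = 0
    for _ in range(trials):
        ch = INDCPAChallenger(enforce_nonces)
        wins += replay_adversary(ch) == ch.b
    return 2 * abs(wins / trials - 0.5)
```

When the same pad can be requested twice the adversary wins every game; once the set N refuses repeats, the comparison carries no information about b.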

RELATIONSHIPS BETWEEN ALL THE SECURITY GAMES

Semantic Security vs. IND Security

Theorem

A system which is IND-PASS secure must necessarily be OW-PASS secure, i.e., secure against passive adversaries

Relation between OW and IND

• Obviously, it holds (due to the availability of oracles) that
IND-CCA ⊆ IND-CPA ⊆ IND-PASS

• Also, IND-XXX ⊆ OW-XXX (with XXX being CCA, CPA, PASS)

Adversary B (IND-CCA) built from adversary A (OW-CCA):
Challenger: k ← KeyGen(), b ← {0, 1}
B → O_LR: m_0, m_1 ∈ P
O_LR → B: c*
B → A: c*
A → B: m′
B: b′ = 1; if m_0 = m′ then b′ = 0
B → challenger: b′
B wins if b′ = b

Break of A results in a break of B!

Hence, we have $\mathrm{Adv}^{\mathrm{OW\text{-}CCA}}_{\Pi}(A) \le \mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(A)$

General Technique: Reduction Proofs

How to prove relationships between different games?
Proofs are typically done by reduction

[Diagram: algorithm S′ wraps S. An instance of problem Π′ is transformed into an instance of scheme Π and handed to S; the solution to Π returned by S is turned into a solution to Π′.]

Pattern of such a proof:


• Given an efficient polytime adversary 𝑆 attacking Π with probability (𝑛)
• Define an algorithm 𝑆’ to solve Π‘ using 𝑆 such that
– problem transformation 𝑇 from Π‘ to Π and transformation of the solution
of Π to a solution of Π‘ must be efficient, same distributions of inputs
• If (𝑛) is not negligible and 𝑇 is efficient, then also 𝑆’ breaks Π‘ with non-
negligible probability

Real or Random Security Game

Can the adversary distinguish between a random string and the real ciphertext?
Depending on the secret b, O_RoR returns either the encrypted message (b = 1) or a random string of the same length (b = 0)

Challenger C:
  k ← KeyGen()
  b ← {0, 1}
Oracle O_RoR, on query m ∈ P from A:
  if b = 0: m′ ← {0,1}^{|m|}
  else: m′ ← m
  c* ← e_k(m′)
  return c* to A
Oracle O_{e_k}, on query m ∈ P from A:
  c ← e_k(m)
  return c to A
Oracle O_{d_k}, on query c ∈ C from A:
  if c = c*: abort
  m ← d_k(c)
  return m to A
A → C: b′
A wins if b′ = b

Relation between IND and RoR
Proof by reduction
A break of RoR-XXX allows for a break of IND-XXX, XXX ∈ {PASS, CPA, CCA}
Oracle O_RoR is simulated by O_LR using the original message m and a randomly generated second message m′

Adversary B (IND-CCA) built from adversary A (RoR-CCA):
Challenger: k ← KeyGen(), b ← {0, 1}
A → O_RoR (simulated by B): m ∈ P
B: m′ ∈ P
B → O_LR: m′, m
A → B: b′
B → challenger: b′
B wins if b′ = b

Relation between IND and RoR

• If A is an adversary against RoR-CCA security of Π for a symmetric encryption scheme, then we can build an adversary B against IND-CCA security of Π with

$\mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(A) = \mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(B)$

• If A is an adversary against IND-CCA security of Π for a symmetric encryption scheme, then we can build an adversary B against RoR-CCA security of Π with

$\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(A) = 2 \cdot \mathrm{Adv}^{\mathrm{RoR\text{-}CCA}}_{\Pi}(B)$

O_RoR returns the encryption of m_t if b = 1 and else a random value
A returns b′ as its best guess of t

Relations Among Security Notions

[Diagram: the notions RoR, IND and OW, each in the variants CCA, CPA and PASS, connected by links labelled 1 or 2.]

Remarks:
• IND-CCA is top-most and implies all other notions
• Labels at the links relate to the loss of security in terms of $\mathrm{Adv}^{XXX}_{\Pi}$
