Security Games
Key Aspects in Modern Cryptography
• Definitions
– What does it mean for a particular cryptographic mechanism to be secure?
– Modern cryptography is more than just encryption!
• Schemes
– Designing schemes to meet security definitions
– For instance, an encryption scheme built on factorization
• Proofs
– Does the design meet the security definitions?
– Provable security (reductionist security)
• Ideas from game theory
– From design to elementary building blocks (e.g., factoring large numbers, secure block cipher)
Computational Models of Security
• Semantic security
– Secure against attackers with polynomially bounded computing power, i.e., such an attacker gains no advantage in guessing the plaintext from knowing the ciphertext
• Indistinguishability security
– An attacker with polynomially bounded computing power cannot relate a ciphertext to one of two alternative plaintexts
Security Game (Challenger vs. Adversary)
General Design of a Security Game
[Diagram labels: Challenger C (secrets), challenge Π, adversary A, oracle (Q), proposed solution]
How to Model a Security Game
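Consider a pseudo-random function $F$, i.e., the sequence $F(0), F(1), F(2), \ldots$ seems to be randomly generated.
Function: $F$
Challenger $C$:
  $b \leftarrow \{0, 1\}$
  $x \leftarrow D$
  if $b = 0$ then $y \leftarrow C$
  if $b = 1$ then $y \leftarrow F(x)$
$C$ sends $x, y$ to the adversary $A$; $A$ returns $b'$.
$A$ wins if $b' = b$
Legend: red: secret, not given to $A$; blue: public, provided to $A$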
Second Try
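Function family: $\{F_k\}_K$
Challenger $C$:
  $b \leftarrow \{0, 1\}$, $k \in K$
  $x \leftarrow D$
  if $b = 0$ then $y \leftarrow N$
  if $b = 1$ then $y \leftarrow F_k(x)$
$C$ sends $x, y$ to the adversary $A$; $A$ returns $b'$.
$A$ wins if $b' = b$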
Last Try
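Function family: $\{F_k\}_K$
Challenger $C$: $b \leftarrow \{0, 1\}$, $k \in K$
Oracle $O_{F_k}$, queried by $A$ with $x \in D$:
  if $\exists (x, y') \in L$: $y \leftarrow y'$
  elif $b = 0$: $y \leftarrow C$
  else: $y \leftarrow F_k(x)$
  $L \leftarrow L \cup \{(x, y)\}$
  $A$ receives $y$
$A$ returns $b'$ to $C$.
$A$ wins if $b' = b$
YES !!!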
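Why the oracle of the final game keeps the list $L$, as an added example that is not part of the original slides: an adversary that asks for the same $x$ twice separates the two worlds immediately unless earlier answers are replayed. HMAC-SHA256 stands in for $F_k$, and all class and function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

OUT_LEN = 32  # codomain: 32-byte strings (assumption of this sketch)


class PRFOracle:
    """Oracle O_{F_k} of the final game; HMAC-SHA256 is the stand-in for F_k."""

    def __init__(self, b, use_table=True):
        self.b = b                          # secret bit of the challenger
        self.k = secrets.token_bytes(32)    # secret key k
        self.use_table = use_table          # False = oracle without the list L
        self.L = {}                         # earlier answers, x -> y

    def query(self, x):
        if self.use_table and x in self.L:  # if (x, y') in L: y <- y'
            return self.L[x]
        if self.b == 0:                     # random world: y drawn uniformly
            y = secrets.token_bytes(OUT_LEN)
        else:                               # real world: y <- F_k(x)
            y = hmac.new(self.k, x, hashlib.sha256).digest()
        self.L[x] = y                       # L <- L u {(x, y)}
        return y


def repeat_query_adversary(oracle):
    """Queries one x twice; two different answers betray the random world."""
    x = b"constructed sample input"
    return 1 if oracle.query(x) == oracle.query(x) else 0


def advantage(use_table, trials=2000):
    """2 * |p(A wins) - 1/2|, with both values of b played equally often."""
    wins = 0
    for i in range(trials):
        b = i % 2
        wins += repeat_query_adversary(PRFOracle(b, use_table)) == b
    return 2 * abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("advantage without L:", advantage(use_table=False))
    print("advantage with L:   ", advantage(use_table=True))
```
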
Negligible Functions
Definition
A function $f$ is negligible iff for any polynomial $f'$ there is an $N \in \mathit{Nat}$ such that $f(n) \le \frac{1}{f'(n)}$ holds for all $n \ge N$
(i.e., there is a point $N$ from which $f(n)$ is smaller than $\frac{1}{f'(n)}$ for all arguments $n$ greater than or equal to $N$)
Example: $f(n) = 1 / 2^n$
Counterexample: $f(n) = 1 / n^2$ and $f' = n^3$
Remember:
The probability $p(C = c)$ that a specific ciphertext $c$ occurs is
$p(C = c) = \sum_{k \in K,\, c \in Ct(k)} p(K = k) \cdot p(P = dec_k(c))$
with $Ct(k) = \{\, enc_k(m) \mid m \in P \,\}$
Semantic Security
Ciphertext-Only Attack
One-Way-Passive (OW-PASS)
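The adversary sees only the ciphertext of a message and has to guess the corresponding plaintext
Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $m^* \leftarrow P$
  $c^* \leftarrow e_k(m^*)$
$C$ sends $c^*$ to the adversary $A$; $A$ returns $m'$.
$A$ wins if $m' = m^*$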
Chosen-Plaintext Attack
The attacker sees the ciphertext and must guess the plaintext, but additionally can ask an oracle $O_{e_k}$ to encrypt any chosen plaintext
$A$ wins if $m' = m^*$
Chosen-Ciphertext Attack
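Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $m^* \leftarrow P$
  $c^* \leftarrow e_k(m^*)$
$C$ sends $c^*$ to the adversary $A$; $A$ returns $m'$.
Oracle $O_{e_k}$: $A$ submits $m \in P$ and receives $c \leftarrow e_k(m)$
Oracle $O_{d_k}$: $A$ submits $c \in C$; if $c = c^*$: abort; otherwise $A$ receives $m \leftarrow d_k(c)$
$A$ wins if $m' = m^*$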
Indistinguishability Security
Ciphertext-Only Attack
Indistinguishable Security Game (IND-PASS)
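Find stage: the adversary chooses two messages $m_0, m_1$ of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen
Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $b \leftarrow \{0, 1\}$
Oracle $O_{LR}$: $A$ submits $m_0, m_1 \in P$ and receives $c \leftarrow e_k(m_b)$
$A$ returns $b'$.
$A$ wins if $b' = b$
Advantage: $Adv_\Pi^{\text{IND-PASS}}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$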
Chosen-Plaintext Attack
Indistinguishable Security Chosen Plaintext (IND-CPA)
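Find stage: the adversary chooses two messages $m_0, m_1$ of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen with the help of an encryption oracle
Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $b \leftarrow \{0, 1\}$
Oracle $O_{LR}$: $A$ submits $m_0, m_1 \in P$ and receives $c \leftarrow e_k(m_b)$
Oracle $O_{e_k}$: $A$ submits $m \in P$ and receives $c \leftarrow e_k(m)$
$A$ returns $b'$.
$A$ wins if $b' = b$
Advantage: $Adv_\Pi^{\text{IND-CPA}}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$
Notice: need for probabilistic behavior of encryption!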
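The IND-CPA game played against a deterministic and a randomized variant of the same cipher, as an added example that is not part of the original slides: the adversary simply asks $O_{e_k}$ for the encryption of $m_0$ and compares it with the challenge. The toy cipher (an HMAC-SHA256 pad for messages of up to 32 bytes), the sample messages and all names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def encrypt(k, m, randomized):
    """Toy cipher: c = nonce || (m XOR HMAC-SHA256(k, nonce)), len(m) <= 32."""
    # The deterministic variant reuses an all-zero nonce for every message.
    nonce = secrets.token_bytes(16) if randomized else bytes(16)
    pad = hmac.new(k, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ p for a, p in zip(m, pad))


class Challenger:
    def __init__(self, b, randomized):
        self.k = secrets.token_bytes(32)   # k <- KeyGen()
        self.b = b                         # secret bit b
        self.randomized = randomized

    def lr(self, m0, m1):
        """O_LR: returns c <- e_k(m_b) for two messages of equal length."""
        assert len(m0) == len(m1)
        return encrypt(self.k, (m0, m1)[self.b], self.randomized)

    def enc(self, m):
        """O_ek: returns c <- e_k(m) for any chosen plaintext."""
        return encrypt(self.k, m, self.randomized)


def replay_adversary(ch):
    """Find stage picks m0, m1; guess stage re-encrypts m0 via O_ek."""
    m0, m1 = b"transfer 100 EUR", b"transfer 900 EUR"   # constructed samples
    c = ch.lr(m0, m1)
    return 0 if ch.enc(m0) == c else 1


def advantage(randomized, trials=2000):
    """2 * |p(A wins) - 1/2|, with both values of b played equally often."""
    wins = sum(replay_adversary(Challenger(i % 2, randomized)) == i % 2
               for i in range(trials))
    return 2 * abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("deterministic encryption:", advantage(randomized=False))
    print("randomized encryption:   ", advantage(randomized=True))
```
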
Chosen-Ciphertext Attack
Indistinguishable Security Chosen Ciphertext (IND-CCA)
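Find stage: the adversary chooses two messages $m_0, m_1$ of equal length
Guess stage: the adversary receives the ciphertext of one message and must guess which message was chosen with the help of an encryption/decryption oracle
Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $b \leftarrow \{0, 1\}$
Oracle $O_{LR}$: $A$ submits $m_0, m_1 \in P$ and receives $c \leftarrow e_k(m_b)$
Oracle $O_{e_k}$: $A$ submits $m \in P$ and receives $c \leftarrow e_k(m)$
Oracle $O_{d_k}$: $A$ submits $c \in C$; if $c = c^*$: abort; otherwise $A$ receives $m \leftarrow d_k(c)$
$A$ returns $b'$.
$A$ wins if $b' = b$
Advantage: $Adv_\Pi^{\text{IND-CPA}}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$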
Nonce-Based Encryption
With the exception of IND-PASS, IND games can only be won by the challenger when encryption is "randomized"
Advantage: $Adv_\Pi^{\text{IND-CPA}}(A) = 2 \cdot \left| p(A \text{ wins}) - \frac{1}{2} \right|$
RELATIONSHIPS BETWEEN ALL THE SECURITY GAMES
Semantic Security vs. IND Security
Theorem
Relation between OW and IND
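Challenger: $k \leftarrow \mathit{KeyGen}()$, $b \leftarrow \{0, 1\}$
$B$ (IND-CCA) runs $A$ (OW-CCA):
  $B$ submits $m_0, m_1 \in P$ to $O_{LR}$ and receives $c^*$
  $B$ passes $c^*$ to $A$; $A$ returns $m'$
  $b' = 1$; if $m_0 = m'$ then $b' = 0$
  $B$ returns $b'$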
General Technique: Reduction Proofs
[Diagram: an instance of problem Π' is transformed into an instance of scheme Π; further labels: S, solution to Π, solution to Π']
Real or Random Security Game
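Can the adversary distinguish between a random string and the real ciphertext?
Depending on the secret $b$, $O_{RoR}$ returns either the encrypted message ($b = 1$) or a random string of the same length ($b = 0$)
Challenger $C$:
  $k \leftarrow \mathit{KeyGen}()$
  $b \leftarrow \{0, 1\}$
Oracle $O_{RoR}$: $A$ submits $m \in P$; if $b = 0$: $m' \leftarrow \{0,1\}^{|m|}$, else $m' \leftarrow m$; $A$ receives $c^* \leftarrow e_k(m')$
Oracle $O_{e_k}$: $A$ submits $m \in P$ and receives $c \leftarrow e_k(m)$
Oracle $O_{d_k}$: $A$ submits $c \in C$; if $c = c^*$: abort; otherwise $A$ receives $m \leftarrow d_k(c)$
$A$ returns $b'$.
$A$ wins if $b' = b$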
Relation between IND and RoR
Proof by reduction
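A break of RoR-XXX allows a break of IND-XXX, XXX ∈ {PASS, CPA, CCA}
Oracle $O_{RoR}$ is simulated by means of $O_{LR}$, using the original message $m$ and a randomly generated second message $m'$
Challenger: $k \leftarrow \mathit{KeyGen}()$, $b \leftarrow \{0, 1\}$
$B$ (IND-CCA) runs $A$ (RoR-CCA):
  $A$ submits $m \in P$ to $O_{RoR}$
  $B$ chooses $m' \in P$ and submits $m', m$ to $O_{LR}$
  $A$ returns $b'$; $B$ returns $b'$
$B$ wins if $b' = b$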
Relation between IND and RoR
$Adv_\Pi^{\text{RoR-CCA}}(A) = Adv_\Pi^{\text{IND-CCA}}(B)$
$Adv_\Pi^{\text{IND-CCA}}(A) = 2 \cdot Adv_\Pi^{\text{RoR-CCA}}(B)$
Relations Among Security Notions
[Diagram: graph relating the notions IND-CCA, RoR-CCA, OW-CCA, IND-CPA, RoR-CPA, OW-CPA, IND-PASS, RoR-PASS and OW-PASS; the links are labelled 1 or 2]
Remarks:
• IND-CCA is top-most and implies all other notions
• Labels at the links relate to the loss of security in terms of $Adv_\Pi^{XXX}$