
As discussed in Chapter 1, provable security evaluates the security of a given cryptographic scheme by presenting a reduction between the properly defined security notion for the scheme and the underlying primitive.

was not known at the time, Rabin [67], nevertheless, has given a scheme where an eavesdropper's ability to extract the complete plaintext when given a ciphertext is computationally equivalent to factoring. This was the first scheme in which a security property was reduced to a complexity assumption. It presented a methodology of reducing the security property to a well-defined complexity assumption which, in the absence of lower bound proofs, has become the major one in cryptography.

Previously, what we had to face was a passive attacker who could break a cryptosystem only in the all-or-nothing (one-wayness) sense. However, this security notion, which only deals with passive attackers, is not strong enough. The attacker may be active rather than passive; that is, she has more powerful capabilities, such as modifying a ciphertext or computing a plaintext in some unspecified way. In many applications, plaintexts contain information which can be guessed easily, such as a BUY/SELL instruction to a stock broker. The attacker only needs to learn a single character (bit) of the BUY/SELL instruction, without decrypting the whole plaintext, to determine which instruction was sent by the victim.

For example, recall the RSA cryptosystem described in Section 2.1.1. Assume that one encrypts his instruction x to a stock broker using the broker's public key pk = (N, e) as follows.

$$y = x^e \bmod N.$$

It seems a safe bet that if an eavesdropper sees a ciphertext y corresponding to a random plaintext x, then it will be impossible for that eavesdropper to figure out what x is. But when the plaintext is not random, such as the BUY/SELL instruction in this example, the eavesdropper can easily check what the corresponding plaintext is as follows.

$$(\mathrm{BUY})^e \bmod N \stackrel{?}{=} y, \qquad (\mathrm{SELL})^e \bmod N \stackrel{?}{=} y.$$

Since RSA encryption is deterministic, the eavesdropper simply encrypts the guessed plaintexts BUY and SELL and checks which ciphertext equals the one he intercepted.

For the same situation, what happens in the ElGamal cryptosystem of Section 2.1.2? Note that there is a random integer r in the encryption phase, so the ciphertext differs each time the same plaintext is encrypted. Obviously, the ElGamal cryptosystem can withstand the above attack. In many applications of cryptosystems, however, a user is required, upon receipt of a challenge message, to perform a decryption operation using her private key and send the decryption result back. If we give the adversary the power to generate ciphertexts arbitrarily and obtain the corresponding plaintexts, we can see that the ElGamal cryptosystem cannot withstand an adversary with this power. For example, the adversary intercepts the ciphertext $y = (y_1, y_2) = (g^r \bmod p,\ (\mathrm{BUY}) \cdot Y^r \bmod p)$, which encrypts the message BUY. How can the adversary learn that the plaintext is BUY? He can generate a ciphertext as follows:

$$y' = (y_1,\ y_2/2) = (g^r \bmod p,\ ((\mathrm{BUY}) \cdot Y^r \bmod p)/2)$$

Then, he obtains the plaintext BUY/2 and multiplies it by 2. Obviously, the

To capture such powerful attackers, stronger security notions are necessary and have been proposed. Bellare et al. [8] use pairs of a goal (GOAL) and an adversary model (ATK) to define the security notions of public key cryptosystems and describe the relations among them.

The goals GOAL = {OW, IND, NM} are defined as follows.

One-wayness (OW): given the challenge ciphertext y, the adversary has no ability to decrypt y to obtain the whole plaintext x.

Indistinguishability (IND): given the challenge ciphertext y, the adversary has no ability to obtain any information about the plaintext x.

Non-malleability (NM): given the challenge ciphertext y, the adversary has no ability to produce a different ciphertext y' together with a meaningful relation between the corresponding plaintexts x and x'.

The adversary models ATK = {CPA, CCA1, CCA2} are defined as follows.

Chosen-Plaintext Attack (CPA) [35]: the adversary is only given the public key, so she can obtain the ciphertext of any plaintext she chooses. In public key cryptosystems this attack cannot be avoided, and resistance to it is considered a basic requirement for most provably secure public key cryptosystems.

Chosen-Ciphertext Attack (CCA1) [59]: the adversary is not only given the public key but also has access to a decryption oracle before being given the challenge ciphertext. It has also been called a lunch-time or midnight attack.

Adaptive Chosen-Ciphertext Attack (CCA2) [68]: the adversary queries the decryption oracle both before and after being challenged; her only restriction is that she may not feed the decryption oracle the challenge ciphertext itself. It has also been called a small-hours attack.

The following relations among the GOAL-ATK notions [8, 31] are shown in Figure 2.2.

NM-CPA  ←  NM-CCA1  ←  NM-CCA2
   ↓          ↓           ↕
IND-CPA ←  IND-CCA1 ←  IND-CCA2
   ↓          ↓           ↓
OW-CPA  ←  OW-CCA1  ←  OW-CCA2

Figure 2.2: Relations among GOAL-ATK

For A, B ∈ GOAL-ATK, "A → B" denotes that A implies B, which means that if a cryptosystem is secure in the sense of A, it is also secure in the sense of B. "A ↛ B" denotes that A does not imply B, which means that a cryptosystem secure in the sense of A is not always secure in the sense of B.

Bellare [7] explains precisely how to achieve provable security, which is summarized in the following steps.

Step 1. Set up a GOAL, e.g. confidentiality via encryption;

Step 2. Construct an ATK and define what it means for a cryptographic scheme to be secure;

Step 3. Show by a reduction that the only way to break the security notion GOAL-ATK of the cryptographic scheme is to solve a computationally hard problem or break another primitive.

primitive cryptographic assumptions ⇒ the proposed cryptosystem is secure in the GOAL-ATK sense

Actually, setting up security goals and constructing relevant attack models, in other words, formulating the right definitions for the security of

crypto-important notions widely used in public key cryptography. We begin by describing the IND-ATK scenario, which is usually described in terms of the following game.

Stage 1. The public key pk and secret key sk are generated by the key generation algorithm on input a security parameter κ. The adversary obtains pk but not sk.

Stage 2. The adversary makes a number of arbitrary queries to a decryption oracle. Each query is a ciphertext that is decrypted by the decryption oracle using the sk of the cryptosystem, and the corresponding plaintext is given to the adversary. The adversary is free to construct the ciphertexts in an arbitrary way, without using the encryption algorithm.

Stage 3. The adversary arbitrarily chooses two plaintexts x0 and x1 of the same length |x0| = |x1| and gives them to an encryption oracle. Upon receiving x0, x1, the encryption oracle chooses a coin b ∈ {0, 1} at random, encrypts xb and gives the resulting "challenge" ciphertext y to the adversary.

Stage 4. The adversary continues to submit ciphertexts to the decryption oracle, subject to the restriction that the submitted ciphertexts are not the same as the challenge ciphertext y.

Stage 5. The adversary outputs b' ∈ {0, 1}, representing its "guess" of b.

- If Stage 2 and Stage 4 are omitted from the above, then ATK = CPA;

- If Stage 4 is omitted from the above (decryption queries only before the challenge), then ATK = CCA1;

- If no stage is omitted from the above, then ATK = CCA2.

The adversary's advantage in this attack scenario is defined to be

$$\left|\Pr[b' = b] - \tfrac{1}{2}\right|.$$

A cryptosystem is defined to be secure in the IND-ATK sense if, for any adversary, its advantage is negligible. The concept of IND-CCA2 is presented in Figure 2.3 and an exact definition is given in Section 2.7.
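The RSA re-encryption guess and the ElGamal "divide by 2" oracle query described earlier, run inside the IND game of Stages 1 to 5, as an added example that is not part of the thesis: the toy keys (N = 61·53, p = 467), the integer encodings of BUY/SELL and the `win_rate` harness are constructed assumptions, and the schemes are textbook versions with no padding or hashing.

```python
import random

# Constructed toy messages (ASCII 'B' and 'S'); real encodings would differ.
BUY, SELL = 66, 83

class TextbookRSA:
    """Deterministic RSA with a constructed toy key N = 61*53, e = 17."""
    def __init__(self):
        p, q, self.e = 61, 53, 17
        self.N, self.d = p * q, pow(17, -1, (p - 1) * (q - 1))
    def enc(self, x):
        return pow(x, self.e, self.N)
    def dec(self, y):
        return pow(y, self.d, self.N)

class TextbookElGamal:
    """Randomised ElGamal in Z_p^* with a constructed toy prime p = 467."""
    def __init__(self, p=467, g=2):
        self.p, self.g, self.sk = p, g, random.randrange(2, p - 1)
        self.Y = pow(g, self.sk, p)          # public key Y = g^sk mod p
    def enc(self, x):
        r = random.randrange(2, self.p - 1)  # fresh randomness per encryption
        return (pow(self.g, r, self.p), x * pow(self.Y, r, self.p) % self.p)
    def dec(self, y):
        y1, y2 = y
        return y2 * pow(y1, -self.sk, self.p) % self.p  # y2 / y1^sk

def ind_game(scheme, adversary, cca2):
    """Stages 3-5: flip b, encrypt x_b, return True if the adversary guesses b.
    The Stage 4 decryption oracle exists only for CCA2 and refuses y itself."""
    b = random.randrange(2)
    y = scheme.enc((BUY, SELL)[b])
    def dec_oracle(c):
        if not cca2 or c == y:
            raise PermissionError("no oracle under CPA, or challenge submitted")
        return scheme.dec(c)
    return adversary(scheme, BUY, SELL, y, dec_oracle) == b

def reencrypt_adversary(scheme, x0, x1, y, dec):
    """CPA attacker from the RSA example: re-encrypt the guess and compare."""
    return 0 if scheme.enc(x0) == y else 1

def malleability_adversary(scheme, x0, x1, y, dec):
    """CCA2 attacker from the ElGamal example: query (y1, y2/2), double the answer."""
    y1, y2 = y
    x = 2 * dec((y1, y2 * pow(2, -1, scheme.p) % scheme.p)) % scheme.p
    return 0 if x == x0 else 1

def win_rate(make_scheme, adversary, cca2, trials=100):
    # 1.0 means the adversary always wins, i.e. advantage 1/2, far from negligible
    return sum(ind_game(make_scheme(), adversary, cca2) for _ in range(trials)) / trials
```

`win_rate(TextbookRSA, reencrypt_adversary, False)` returns 1.0 even without any oracle (RSA fails IND-CPA), while the same adversary against ElGamal is reduced to guessing; `win_rate(TextbookElGamal, malleability_adversary, True)` returns 1.0 because the oracle accepts the modified ciphertext (ElGamal fails IND-CCA2).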

Figure 2.3: The concept of IND-CCA2. C: cryptosystem, K: key generation algorithm, Epk: encryption algorithm, Dsk: decryption algorithm, A: adversary, B: flips a coin

Recently, Phan and Pointcheval [65] defined different levels of indistinguishability and non-malleability, which leads to a stricter and more complex hierarchy of security notions for public key cryptosystems. That is, an adversary can ask at most i queries before receiving the challenge and at
