6

I just started on encryption schemes and have some trouble in understanding the following definition of IND-CPA security:

$E$ is polynomially CPA (IND-CPA) secure, if for all adversaries $A$ and all polynomials $p$, we have: $Adv_a <= \frac{1}{p(\lambda)}$ for sufficiently large $\lambda$, i.e.: For all $A$ and all $p$, there exists an $N_p>0$ such that $Adv_a \leq \frac{1}{p(\lambda)}$ for all $\lambda > N_p$.

As far as I understand, in a simple IND-CPA game, an oracle sends a ciphertext to an adversary that is the encryption of one of two possible messages chosen by the adversary. An adversary now needs reply with what the actual message is.

What I don't understand is how I should interprate the polynomials $p$ and parameters $\lambda$. What do they consist of?

rzdzc2WUQKJeB6GS
  • 267
  • 1
  • 2
  • 8
  • 2
    " one of two possible messages known by the adversary" This should be chosen by the adversary. – tylo May 23 '17 at 12:34

3 Answers3

5

As explained on Wikipedia:

The reciprocal-of-polynomial formulation is used for the same reason that computational boundedness is defined as polynomial running time: it has mathematical closure properties that make it tractable in the asymptotic setting. For example, if an attack succeeds in violating a security condition only with negligible probability, and the attack is repeated a polynomial number of times, the success probability of the overall attack still remains negligible.

Which is why you want it to work for all polynomial $p$ in your definition.

It is also important to notice that in this definition, it is implied that the adversary has a polynomially bounded computational power.

Which means basically that in the IND-CPA game, the adversary has the right to perform a polynomially bounded number of encryptions or other operations, before sending the two plaintexts to the challenger, which will choose one and return its encryption to the adversary, who must now guess to which plaintexts it corresponds.

Let me develop this with an example: in the RSA-OAEP case, this forbids for instance the adversary to factor the public key using the GNFS since it has a complexity of : $$\exp\left( \left(\sqrt[3]{\frac{64}{9}} + o(1)\right)(\ln n)^{\frac{1}{3}}(\ln \ln n)^{\frac{2}{3}}\right) =L_n\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]$$ for factoring the number $n$, but we're usually interested by the security parameter, which, in RSA-OAEP case, is the $\lambda=\log_2(n)$ , but this is not a problem, since its running time is super-polynomial but sub-exponential in the size $\lambda$ of the input $n$: $$O\left(\exp\sqrt[3]{\frac{64}{9} \lambda (\log \lambda)^2}\right)$$ so it is still not a polynomial algorithm and thus cannot be considered when studying the IND-CPA security of RSA-OAEP.

However, if factorization were to be proven polynomial, then the adversary would win the IND-CPA game in the RSA-OAEP case thanks to it.

PS: As mentioned below, plain RSA is not IND-CPA since it is deterministic.

Lery
  • 7,679
  • 1
  • 26
  • 46
  • Referencing RSA with regards to IND-CPA is unsuitable, because textbook-RSA is not IND-CPA. I do get why you chose this example, but I suggest using an algorithm for DLOG (e.g. index calculus) and ElGamal encryption instead. – tylo May 23 '17 at 12:36
  • Yay, I'll add the mention of OAEP, so it's clear... I wanted to avoid mentioning quasi-polynomial algorithms like Joux's. – Lery May 23 '17 at 12:55
4

$\lambda$ is the security parameter. ​ $p$ and $N_p$ are from the definition of negligible.

With the definition of negligible, the definition of security can be condensed to
"for all adversaries $A$, $Adv_a$ is negligible." .

4

You have to understand what the advantage of the adversary is.

In this specific game, it measures the probability of the adversary $\mathcal{A}$ to distinguish between the two challenge messages $m_0$ and $m_1$.

Let's say that the adversary can distinguish the encryption of two given messages with probability $\frac{1}{\lambda^2}$. It means that at each independent attack, $\mathcal{A}$ has probability $\frac{1}{\lambda^2}$ of breaking the IND-CPA security of the scheme. Therefore, we can expect that in (about) $\lambda^2$ tentatives, $\mathcal{A}$ will break the IND-CPA security.

Now, replace $\lambda^2$ by any polynomial and repeat the argument: if the advantage is $\frac{1}{p(\lambda)}$, then $\mathcal{A}$ can "break" the scheme with roughly $p(\lambda)$ tentatives, or, in other words, executing only a polynomial number of operations (since each attack is also polynomial bounded...).

And this is what we don't want! We want any attacker to take super polynomial time to attack the scheme (usually, exponential time).

Therefore, the advantage of $\mathcal{A}$ has to be smaller than $\frac{1}{p(\lambda)}$, for any polynomial $p(\lambda)$, so that any attack takes time bigger than any polynomial $p(\lambda)$.

But for each given polynomial, we just do that requirement about the advantage asymptotically, this is why we talk about $\lambda > N_p$.

For instance, if the advantage of $\mathcal{A}$ is $\frac{1}{2^\lambda}$, then, this scheme is IND-CPA secure, but this advantage is still bigger than inverse polynomial functions for some values of $\lambda$. For instance, $\frac{1}{2^\lambda} > \frac{1}{\lambda^{10}}$ for some values of $\lambda$, but that is ok, because if we choose, for example, $N_p = 64$, then, for all $\lambda > N_p$, we will have $\frac{1}{2^\lambda} < \frac{1}{\lambda^{10}}$.

Hilder Vitor Lima Pereira
  • 6,484
  • 21
  • 40