I'm taking a Coursera cryptography course. The definition of semantic security is hard to understand. I tried to restate it with some slight changes (the word "efficient" was in the original definition). Have I gotten it right?

The adversary chooses two messages: $m_0, m_1$. We encrypt one of these messages: $c \leftarrow E(k, m_b)$. The adversary has to guess which message was ciphered.

There are two events: $M_b = \{ \ \text{adversary $A$ decides that $m_b$ is ciphered} \ \}$.

$E$ is semantically secure if for all "efficient" adversaries $A$ the advantage $\operatorname{Adv}[A, E] = \big| \ \Pr(M_0) \ - \ \Pr(M_1) \ \big|$ is negligible.

This means the adversary can't tell which of the two messages is ciphered.

What if it could? What does this definition mean in practice?

Update: in the original definition (which is given on a diagram and wasn't stated clearly) there is a concept of two experiments, $exp(b)=1$ when the adversary decides $m_b$ is ciphered. And the events are: $M_b = \{\, exp(b) = 1 \,\}$. I don't get this part of the definition.

Patriot
koddo
  • Is the whole portion in the blockquote your modified definition? If so, what did the original definition say? – mikeazo Jul 03 '13 at 19:24
  • mikeazo: I threw out the idea of experiment, $exp(b)=1$ when the adversary decides that $m_b$ is ciphered. So $M_b = \{\, exp(b)=1 \,\}$. That was written on a diagram and I don't understand why this thing is needed here. – koddo Jul 03 '13 at 22:02
  • That thing is needed to make semantic security possible. Consider an adversary that always decides that $m_0$ is ciphered. Another thing that's needed is for $m_0$ and $m_1$ to have equal length. – Jul 03 '13 at 23:28
  • Only the ciphertexts must have equal length, correct? – mikeazo Jul 03 '13 at 23:44
  • That would penalize ciphers for being somewhat length-hiding. – Jul 03 '13 at 23:52
  • Ricky Demer: I'm sorry for a poorly stated question. I still don't get the concept of two experiments. – koddo Jul 05 '13 at 10:41
  • If that's actually how the course defined those experiments (which I doubt), then it's getting the definition of semantic security very wrong. $\operatorname{exp}(b)$ is defined to equal the bit that the adversary outputs when the challenge ciphertext is an encryption of $m_b$. – Jul 06 '13 at 19:35
  • We discussed this in lecture. The lecturer's response was the following: A real valued function $f(x)$ is negligible (with respect to $x$) if $\lim \limits_{x \to \infty} f(x)p(x)=0$ for any polynomial $p(x)$. Furthermore, the security of a cryptosystem can usually be described by a security parameter $\lambda$ (say $\lambda=256$ for 256-bit keys). Then most properties of the system are expressible in terms of $\lambda$, such as the size of the key space, etc. The point is that $\text{Adv}[A,E]$ will be a function of $\lambda$, and we require this function to be negligible wrt. $\lambda$. – AfterMath Sep 16 '21 at 12:04
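The following simulation is an added example and is not part of the question, the comments, or the course. It plays the two experiments $exp(0)$ and $exp(1)$ against a challenger, where $exp(b)$ is the bit the adversary outputs when $m_b$ was encrypted (as the comment above defines it), and estimates $\operatorname{Adv}[A,E] = |\Pr[exp(0)=1] - \Pr[exp(1)=1]|$ by sampling. It also computes the quantity under the question's reading ("adversary decides $m_b$ when $m_b$ was sent") so the two can be compared on the same adversaries. The ciphers, messages, adversaries and the seeded key generator are all constructed for this illustration; it goes slightly beyond the comment's always-$m_0$ adversary by also running a perfect distinguisher against a deliberately leaky cipher.

```python
import random

# Seeded only so the simulation is reproducible; real keys must come from os.urandom.
rng = random.Random(2013)


def keygen(n):
    """Fresh uniformly random n-byte key for each experiment run."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def otp(key, m):
    """One-time pad: the ciphertext reveals nothing about m beyond its length."""
    return bytes(k ^ x for k, x in zip(key, m))


def parity(m):
    """XOR of all plaintext bits, reduced to a single bit."""
    p = 0
    for x in m:
        p ^= x
    return p & 1


def leaky(key, m):
    """Constructed broken scheme: an OTP that also appends the plaintext's parity bit."""
    return otp(key, m) + bytes([parity(m)])


# Constructed challenge messages: equal length, differing parity.
M0 = bytes(8)
M1 = b"\x01" + bytes(7)


def exp_run(encrypt, adversary, b):
    """exp(b): the adversary picks (m_0, m_1), the challenger encrypts m_b under a
    fresh key, and the result is the bit the adversary outputs (1 = 'it was m_1')."""
    m0, m1 = adversary.choose()
    assert len(m0) == len(m1), "messages must have equal length"
    c = encrypt(keygen(len(m0)), m1 if b == 1 else m0)
    return adversary.guess(c)


def advantage(encrypt, adversary, trials=2000):
    """Adv[A,E] = |Pr[exp(0)=1] - Pr[exp(1)=1]|, estimated by sampling."""
    p0 = sum(exp_run(encrypt, adversary, 0) for _ in range(trials)) / trials
    p1 = sum(exp_run(encrypt, adversary, 1) for _ in range(trials)) / trials
    return abs(p0 - p1)


def naive_gap(encrypt, adversary, trials=2000):
    """The question's reading: |Pr(A says m_0 | m_0 sent) - Pr(A says m_1 | m_1 sent)|."""
    q0 = sum(exp_run(encrypt, adversary, 0) == 0 for _ in range(trials)) / trials
    q1 = sum(exp_run(encrypt, adversary, 1) == 1 for _ in range(trials)) / trials
    return abs(q0 - q1)


class AlwaysZero:
    """The adversary from the comment: always decides m_0 was encrypted."""
    def choose(self):
        return M0, M1

    def guess(self, c):
        return 0


class ParityReader:
    """Perfect distinguisher against the leaky scheme: reads the appended parity bit."""
    def choose(self):
        return M0, M1

    def guess(self, c):
        return c[-1]


class LowBitGuesser:
    """Guesses from the low bit of the first ciphertext byte; useless against an OTP."""
    def choose(self):
        return M0, M1

    def guess(self, c):
        return c[0] & 1


if __name__ == "__main__":
    print("always-m0 vs OTP:     Adv =", advantage(otp, AlwaysZero()),
          " naive =", naive_gap(otp, AlwaysZero()))
    print("parity reader vs leaky: Adv =", advantage(leaky, ParityReader()),
          " naive =", naive_gap(leaky, ParityReader()))
    print("low-bit guesser vs OTP: Adv =", round(advantage(otp, LowBitGuesser()), 3))
```

The always-$m_0$ adversary has advantage exactly 0 under the experiment definition, while the question's reading assigns it the maximal value 1; conversely the parity reader, which wins every time against the leaky scheme, has advantage 1 under the experiment definition but 0 under the question's reading. Only the experiment-based quantity is small for useless adversaries and large for real distinguishers, which is why the two experiments are needed. Against the one-time pad the low-bit guesser's advantage is a sampling fluctuation around 0.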

2 Answers

What if it could? What does this definition mean in practice?

Consider $M_0=$ attack and $M_1=$ don't attack. If the adversary can distinguish which message you are sending to your troops, they can optimize their strategy to defeat you.

Another example. Say you are casting a yes ($1$) no ($0$) vote for a proposed piece of legislation. If the adversary can distinguish between yes and no votes, they might be able to throw the election (by discarding votes that don't go their way) or persecute you according to your vote.

mikeazo

That basically means 'an adversary running in a reasonable amount of time can (or cannot) distinguish one message from another once encrypted'. If we didn't care about that, there would be no point in using cryptography altogether. mikeazo gives a few good examples why this is important.

Furthermore here's the definition for the security of an encryption scheme as given in Introduction to Modern Cryptography p. 21:

an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext.

Not as good as HAC for a reference but good enough.

I know the question is about distinguishing two messages and my quote focuses on a single message but since the adversary compares $m_0$ to $m_1$ to reach some conclusion, I would argue that this is a function of at least one plaintext.

rath