Questions tagged [security-definition]

Questions about formal definitions of "security" for various cryptographic schemes (e.g. perfect secrecy, semantic security, ciphertext indistinguishability, etc.)

This tag is intended for questions about the various definitions formalizing the concept of "security" for different cryptographic schemes. Examples of such definitions include:

  • Perfect secrecy, wherein the ciphertext is required to provide no information about the plaintext even to a computationally unlimited adversary. Provided by the one-time pad, and basically nothing else.

  • Semantic security, essentially a relaxed form of perfect secrecy, wherein the computational power allowed to the adversary may not increase faster than any polynomial function of the length of the key. Provably equivalent to ciphertext indistinguishability under a chosen-plaintext attack (see below).

  • Ciphertext indistinguishability under various attack models, requiring that a polynomial-time adversary, given certain kinds of access to the encryption and/or decryption function, should not be able to distinguish the encryptions of two messages from each other significantly more often than just by guessing at random. Common subtypes include indistinguishability under a chosen-plaintext attack (IND-CPA), under a chosen-ciphertext attack (IND-CCA) or even under an adaptive chosen-ciphertext attack (IND-CCA2).

  • Non-malleability under various attack models, essentially requiring that the adversary be unable to modify a ciphertext so that it decrypts to a related message of their choosing. Closely related to ciphertext indistinguishability.

  • Resistance to various types (e.g. universal, selective or existential) of forgery, a property required of secure digital signatures or message authentication codes and related to non-malleability of encryption systems.

  • Collision and preimage resistance, properties of cryptographic hash functions.

  • Forward secrecy, a property of key-agreement protocols guaranteeing that a future compromise of the long-term keys will not compromise any previously agreed temporary keys.

  • Pseudorandomness, a strong security definition requiring that a given function or permutation (such as a block cipher) be indistinguishable from a randomly chosen function or permutation with the same domain and range.

  • etc.

298 questions
19 votes, 3 answers

What is the difference between uniformly and at random in crypto definitions?

Very often in the description and analysis of a cryptographic protocol there is a need for an element $k$ that is sampled uniformly AND at random. Is there a redundancy in the definition with uniformity and randomness? If no what is the…
curious
8 votes, 1 answer

Difference between semi-honest and malicious adversary using Ideal Real Model Paradigm

Would you please explain to me why in the security definition of ideal/real model paradigm which is described in the efficient secure two-party protocol book (Hazay, Lindell), the simulator tries to simulate inputs and outputs of a party (in the…
7 votes, 3 answers

Is there a cryptographic approach to availability

Background Cryptography can be said to provide the tools used to fulfill the goals of information security. The three pillars of information security are confidentiality, integrity, and availability. For confidentiality, we have ciphers. The…
Ella Rose
5 votes, 1 answer

Strong One-Way Function

In the book "Foundations of cryptography-Oded Goldreich-Page 33", if we use the deterministic polynomial-time algorithm instead of the probabilistic polynomial-time algorithm for case 2 (Hard to invert), what would be the situation?
4 votes, 0 answers

Differences in definitions of "Computational Special Soundness"

I am looking at Unruh's transform (ePrint 2014/587) and in particular the definition in §2.2 for computational special soundness in sigma protocols. Let $\mathcal{R} \subset \mathcal{X} \times \mathcal{Y}$ be some relation, with statements $x \in \mathcal{X}$ and…
4 votes, 1 answer

What's the difference between perfect security and unconditional security?

This paper refers to two distinct security models: perfect security and unconditional security. Until now, I knew of them as the same thing and equivalent to information-theoretic security. From the paper, it's obvious that perfect security is the…
SpiderRico
4 votes, 1 answer

Is the practice of "security through obscurity" violating Kerckhoffs's second principle?

Security through obscurity is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. Kerckhoffs's second principle: "It should not require secrecy, and it should…
AleksanderCH
4 votes, 1 answer

Security proof in the Malicious Model

According to the above protocol (Efficient Secure Two-Party Protocols, Hazay-Lindell, page 27), the authors proved the security of this protocol according to the two paragraphs below: We separately consider the case where P1 is corrupted and the case…
4 votes, 1 answer

Difference between the uniform and non-uniform probabilistic polynomial algorithms (ppt)

I am reading the book "Efficient Secure Two-Party Protocol". A question came to my mind. Why has the author used a probabilistic polynomial time algorithm for security definition of ideal/real model in the semi-honest model, but used a non-uniform…
4 votes, 1 answer

How to determine the security in bits of a scheme?

This may be a stupid question. But how would we determine the security bit of a crypto scheme? For example, SHA2-256 offers 128 bit security due to birthday paradox, so do they measure the security bit by calculating $\log_2$ of best-known…
DiamondDuck
4 votes, 1 answer

What is the relevance of "physical layer security" to cryptography?

I found that there are quite some active research activities in a field named "physical layer security", with in particular some types of codes that apparently are different from those commonly treated in the conventional textbooks on coding theory.…
Mok-Kong Shen
3 votes, 1 answer

The number of cipher texts possible for each plaintext

This is from Dan Boneh's book Theorem 2.1. Let X = (E, D) be a Shannon cipher defined over (K, M, C). The following are equivalent: (i) X is perfectly secure. (ii) For every $c \in C$, there exists $N_c$ (possibly depending on c) such that for all…
user93353
2 votes, 0 answers

Encrypting random coins used for the encryption itself

Circular security notions for PKE schemes capture the security of (PKE) schemes when encrypting the secret decryption key. Is there an analogous notion but for encrypting the randomness used for the encryption? i.e. what if one first fixes the…
guilhermemtr
2 votes, 1 answer

Why do we need multiple adversaries in a game-based definition?

Consider we have a protocol, where multiple algorithms of it are run by an adversary. When we want to define a game for that protocol (or its security properties), I have seen that an adversary is defined as $A=(A_1,A_2,...A_n)$. Then each of them…
Aydin
2 votes, 3 answers

What does trust mean in cryptography?

Terms like "trustless protocol", "trusted third party", "trusted platform", "trusted server", etc. require a notion of trust. I already wrote The term trust when used in the context of cryptography does not refer to personal confidence in whether a…
UTF-8