Security models1st Semester 2011/2012

P.Lafourcade Clementine GrittiFloriane Janon

Victor-Manuel Ribeiro

Lecture Note 02Date : 26.09.2010

Contents

1 Introduction 2

2 Preliminaries 2

3 Hard Problems 23.1 Factorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33.2 Discrete Logarithm (DL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33.3 Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3.3.1 Computational Diffie-Hellman (CDH) . . . . . . . . . . . . . . . . . . . 43.3.2 Decisional Diffie-Hellman (DDH) . . . . . . . . . . . . . . . . . . . . . . 4

3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4 Notion of Indistinguishability 5

5 Adversaries 65.1 Chosen-Plaintext Attacks (CPA) . . . . . . . . . . . . . . . . . . . . . . . . . . 65.2 Non adaptive Chosen-Ciphertext Attacks (CCA1) . . . . . . . . . . . . . . . . 75.3 Adaptive Chosen-Ciphertext Attacks (CCA2) . . . . . . . . . . . . . . . . . . . 75.4 Summary of Adversaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

6 Three security notions for the public key encryption 86.1 One-Wayness (OW) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86.2 Indistinguishability (IND) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86.3 Non-Malleability (NM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

7 Computational security 107.1 The IND-XXX Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107.2 The NM-XXX Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117.3 Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1

1 Introduction

The goal of this lecture is to present some hard problems and to highlight the relationsbetween “Indistinguishability” and “Security Notions”.

First we recall some essential notions for this course in Section 2. With these notionswe can explain some hard problems and classify them by reduction. This is done in Section3.

In the second part of this lecture we recall the notion of indistinguishability in Section4. After that we show how to classify the adversaries in Section 5, what kinds of securitynotions exist and how to classify them by reduction in Section 6.

For the last part we conclude with games analyses about Indistinguishability and Non-Malleability for each adversary. These analyses are done in Section 7.

2 Preliminaries

To deal with hard problems we need to define what a one-way function is. It depends onthe difficulty to compute it, so we have to introduce the notions of adversary, experimentand advantage.

1. A one-way function is a bijective function that is easy to compute and such that theinverse function is supposed to be difficult to compute. In the next section we seetwo examples of one-way functions: the factorization of n = pq (p, q primes) and thediscrete logarithm.

2. An adversary is a probabilistic polynomial time Turing machine. Probabilistic meansto be able to generate random numbers. We use the notation A for an adversary.

3. An experiment is a game which returns 0 or 1. It is composed of polynomial compu-tations and an occurrence of the adversary A.

4. An advantage is a probabilistic measure of the difficulty of a given experiment. Agiven problem is hard if the advantage of the experiment is negligible. We note itAdv.

3 Hard Problems

Now we can explain some hard problems. Firstly we recall briefly the factorizationproblem and then we focus on problems using logarithms in a cyclic group. The secondpart includes the Discrete Logarithm problem and the Diffie-Hellman problem which canbe computational or decisional. These three last problems can be classified by reduction.

2

3.1 Factorization

Factorization uses the following function:

p, q ↦ n = p × q.This is a one-way function because one can compute it easily (quadratic complexity)whereas its inverse

n = p × q ↦ p, q

is considered difficult to compute.

Example 1. The most famous cryptosystem using this one-way function is probably RSA.In this case, the encryption

x↦ xe mod n

is easy (cubic complexity) but the decryption

y ↦ yd mod n

is difficult without knowing the private key d = e−1 mod ϕ(n).

3.2 Discrete Logarithm (DL)

Let g be a generator of a cyclic group of prime order q. This problem is based on thedifficulty for any adversary to produce x if he only knows gx:

1. Run G(1n) to get a cyclic group G of order q (∣∣q∣∣ = n) and g a generator.

2. Choose x in Zq and compute h = gx3. x′ ← A(h, g, q)4. If gx

′ = h return 1 else 0.

For any adversary A, the probability to find the correct exponent is negligible:

∀x ∈ ⟦1, q⟧, AdvDL(A) = Pr[A(gx)→ x] is negligible.

3.3 Diffie-Hellman

We begin with presenting the Diffie-Hellman problem. After that we can consider twosituations. The first one - Computational Diffie-Hellman - aims at producing the rightresult and the second one - Decisional Diffie-Hellman - is used to determine if a given valueis correct.

Let g be a generator of a cyclic group of prime order q.

A→ B ∶ gaB → A ∶ gbA→ B ∶ {N}gab

3

3.3.1 Computational Diffie-Hellman (CDH)

For any adversary the goal of this problem is to produce gxy if he only knows gx andgy:

1. Run G(1n) to get a cyclic group G of order q (∣∣q∣∣ = n) and g a generator.

2. Choose x, y in Zq and compute gx and gy

3. gz ← A(q, g, gx, gy)4. If gz = gxy return 1 else 0

For any adversary A, the probability to find the correct value is negligible:

∀x, y ∈ ⟦1, q⟧, AdvCDH(A) = Pr[A(gx, gy)→ gxy] is negligible.

3.3.2 Decisional Diffie-Hellman (DDH)

In this case we require the difficulty for any adversary to distinguish gxy and gr (rrandom) knowing gx and gy:

1. Run G(1n) to get a cyclic group G of order q (∣∣q∣∣ = n) and g a generator.

2. Choose x, y, r in Zq and compute gx, gy and gr

3. If gr = gxy return 1 else 0

For any adversary A,

∀x, y, r ∈ ⟦1, q⟧, AdvDDH(A) = Pr[A(gx, gy, gxy)→ 1] − Pr[A(gx, gy, gr)→ 1] is negligible.

It means that an adversary cannot extract a single bit of information on gxy from gx

and gy.

3.4 Summary

Most cryptographic constructions are based on hard problems. Their security isproved by reduction to the three previous problems (DL, CDH, DDH).

DDH ≤ CDH ≤DL or DL⇒ CDH ⇒DDH

Proof. 1. DDH ≤ CDH: since Oracle CDH returns gxy we just have to compare it withthe input value z to know whether z = gxy or z = gr.DDH(gx, gy, z){if (z == OracleCDH(gx, gy)) then

return true;else

return false;

4

end if}2. CDH ≤DL:

CDH(gx, gy){x = OracleDL(gx);y = OracleDL(gy);return gxy; }

Usage of DH assumption

The Diffie-Hellman problems are widely used in cryptography.– Some asymmetric cryptosystems use these problems; for example: ElGamal, Cramer

& Shoup.– There exist pseudorandom functions if we assume the difficulty of these problems;

for instance Noar & Reingold or Canetti.– Another use can be a cryptographically secure pseudorandom number generator

which gets its security from the difficulty of computing discrete logarithms. Thisis for example used by Blum & Micali.

– To end, there are also many key exchange protocols based on discrete logarithmproblems.

4 Notion of Indistinguishability

We saw the definition of Indistinguishability in the first lecture. As a recall two objectsare considered to be computationally equivalent if they cannot be differentiated by anyefficient procedure. Hence two distributions are said to be computationally indistinguish-able if no efficient procedure can tell them apart.

To illustrate this notion consider the following example of a medical issue.

Example 2 (Medical Issue). Consider two sets of patients following two distinguishabledistributions of probability. We give in similar conditions to the first set a new medicineand only water to the second set. If the results are significant then the treatment is efficient,i.e., the probability of distribution for the results with medicine is distinguishable from thefictive one.

For a medical test we would like to have a distinguishable difference between the re-sults, then it is exactly the opposite goal than ours because in our case we hope to find anindistinguishable difference between procedures.

Example 3. Considering an adversary A, we say that A does not distinguish the twodistributions D1 and D2 if and only if

∀x ∈ U, ∣Pr(A(x1) = 1) − Pr(A(x0) = 1)∣

5

is negligible, where Pr(A(xb) = 1), b ∈ {0,1}, is the probability for A to guess correctlythat the element x is taken from Db.

5 Adversaries

An adversary has to be considered with some qualities: it has to be clever (i.e. it canperform all operations he wants), but it has to be considered in a limited time. Thus wedo not consider attacks in more than 260 operations, otherwise a Brute Force enumerationis always possible.

To model what an adversary is, we consider it as a Probabilistic Polynomial Time Tur-ing Machine which represents all possible algorithms and which can generate keys, randomnumbers, etc. The adversary is given access to oracles (encryption and decryption of allmessages of his choice). A hierarchy of adversaries can be constructed depending on whenthey can access to the oracles. Obviously an adversary cannot call an oracle on the cipher-text he wants to decrypt!

Thus we consider three classical adversaries (corresponding to three security levels):– Chosen-Plaintext Attacks (CPA)– Non adaptive Chosen-Ciphertext Attacks (CCA1)– Adaptive Chosen-Ciphertext Attacks (CCA2)

5.1 Chosen-Plaintext Attacks (CPA)

Using this attack, the adversary has access to an encryption oracle, so he can obtain allciphertexts from any plaintexts. With a Public Encryption scheme, this attack is alwayspossible.

6

5.2 Non adaptive Chosen-Ciphertext Attacks (CCA1)

For such an attack, the adversary knows the public key and has access to a decryption oraclemultiple times before getting the challenge (ciphertext). This is also called “LunchtimeAttack” because we can consider that someone having access to an unlocked machineduring lunch for example, is in this situation. It has been introduced by M. Naor and M.Yung [NY90]).

5.3 Adaptive Chosen-Ciphertext Attacks (CCA2)

For this last powerful attack, the adversary knows the public key, and has access to adecryption oracle multiple times before and after getting the challenge. However, theadversary of course cannot decrypt the challenge (ciphertext). This attack was introducedby C. Rackoff and D. Simon [RS92]).

5.4 Summary of Adversaries

For CPA, O1 = O2 = ∅, the adversary has no access to the oracles.For CCA1, O1 = {D},O2 = ∅, the adversary can use the decryption oracle before the chal-lenge.For CCA2, O1 = O2 = {D}, the adversary can use the decryption oracle before and after

7

the challenge.

The more the attacker has access to different oracles, the more powerful it is. This obviousassertion can be mathematically translated has :

CCA2⇒ CCA1⇒ CPA

6 Three security notions for the public key encryption

After the adversaries, we now focus on the notions of security. We insist more preciselyon three of them which represent three levels of security. For each one we first give anintuition of the notion, then a classical definition of what this notion implies and then amathematical definition of it to be used in proofs. We detail these notions from the weakestone to the strongest.

6.1 One-Wayness (OW)

One-Wayness is equivalent to putting the message in a translucent box: you cannotrecover it completely but some parts may be accessible, especially if the adversary haspartial information about the message:FROM : XXXXTO : XXXXIn a more formal way, One-Wayness means that it is computationally impossible to recoverthe plain-text without the private key.

Mathematical definition 4. Let A be an adversary. One-Wayness is equivalent to sayingthat the following probability is negligible :

Prm,r[A(c) =m∣c = E(m,r)]The problem of this notion is that some parts of the message can be read by an attacker,

or can be guessed by him. Thus we introduce a more secure notion : Indistinguishibility.

6.2 Indistinguishability (IND)

Indistinguishibility can be seen as the insertion of the message in a black bag just tocompletely hide it from the attacker.

This means that an adversary is not able to guess in polynomial-time even a bit of theplain-text knowing the ciphertext. The mathematical definition of Indistinghuishibility ismore complicated than the One-Wayness one, we have to define some adversaries to for-malize it.

8

Mathematical definition 5. Let A = (A1,A2) be a game adversary and consider thefollowing scenario :

1. A1 is given the public key

2. A1 chooses two messages m0 and m1

3. b = 0,1 is chosen at random and c = E(mb) is given to A2

4. A2 answers b′.

Indistinguishability means that the following quantity is negligible :

Pr[b′ = b] − 1

2

Even if IND implies more security than OW (it seems obvious if we consider the in-tuitions given at the begining of each part), there is still some lacks of security becauseit is still possible to scramble the ciphertext. It can allow the attacker to produce a newciphertext which he decrypts to a related plaintext.

6.3 Non-Malleability (NM)

Non-Malleability is the strongest notion of security we see in this lecture. It correspondsto putting the message into a black box with no possibility to touch the message. Theattacker has now no possibility to make any computation on it.More formally, the adversary should not be able to produce a new ciphertext such thatthe plaintexts are meaningfully related. As for IND, we have to highlight a scenario tomathematically define what Non-Malleability is.

Mathematical definition 6. Let A = (A1,A2) be a game adversary and consider thefollowing scenario :

1. A1 is given the public key pk

2. A1 chooses a message space M

3. Two messages m and m∗ are chosen at random in M and c = E(m,r) is given to A2

4. A2 answers b′.

Non-Malleability means that the following measure is negligible :

Pr[R(m,m′)] −Pr[R(m,m∗)]where m′ = D(c).

NM is the strongest level of security demands. Obviouly it implies IND which impliesOW :

NM ⇒ IND⇒ OW

9

7 Computational security

Computational security is the link between the adversaries and the security notions.Let call XXX the adversaries (meaning XXX is CPA, CCA1 or CCA2). We recall that:

– for CPA, O1 = O2 = ∅– for CCA1, O1 = {D},O2 = ∅– for CCA2, O1 = O2 = {D}.

For IND and NM notions, we can define “games” that involve one kind of adversary. Agame corresponds to an attack scenario, for which we can compute the advantage of theattacker. This provides some kind of security level measure. The last graph shows theimplications between one situation and another and also what kind of security can bededuced from one situation.

7.1 The IND-XXX Games

Given an encryption scheme S = (K,E ,D). An adversary is a pair A = (A1,A2) ofpolynomial-time probabilistic algorithms. Let b ∈ {0,1} and INDb

XXX(A) be the followingalgorithm :

– Generate (pk, sk) R← K(η)– (s,m0,m1) R← AO1

1 (η, pk)– b′

R← AO22 (η, pk, s,E(pk,mb))

– return b′.We define the function

AdvINDXXX

S,A (η) = Pr[b′ R← IND1XXX(A) ∶ b′ = 1] −Pr[b′ R← IND0

XXX(A) ∶ b′ = 1]An encryption scheme is IND-XXX secure, if for any adversary A the function AdvINDXXX

S,Ais negligible.

This advantage may also be expressed as follows:

AdvINDXXX

S,A (η) = Pr[b′ R← IND1(A) ∶ b′ = 1]−Pr[b′ R← IND0(A) ∶ b′ = 1] = 2Pr[b′ R← INDb(A) ∶ b′ = b]−1

Proof.

AdvINDXXX

S,A (η) = Pr[b′ R← IND1(A) ∶ b′ = 1] −Pr[b′ R← IND0(A) ∶ b′ = 1]= Pr[b′ R← IND1(A) ∶ b′ = 1] − (1 −Pr[b′ R← IND0(A) ∶ b′ = 0])= Pr[b′ R← IND1(A) ∶ b′ = 1] +Pr[b′ R← IND0(A) ∶ b′ = 0] − 1

= Pr[b′ R← INDb(A) ∶ b′ = b ∣ b = 1] +Pr[b′ R← INDb(A) ∶ b′ = b ∣ b = 0] − 1

= 2(Pr[b′ R← INDb(A) ∶ b′ = b ∣ b = 1] × 12 +Pr[b′ R← INDb(A) ∶ b′ = b ∣ b = 0] × 1

2) − 1

We know that Pr[b = 0] = Pr[b = 1] = 12 and that Pr[A∣B] ×Pr[B] = Pr[A ∧B] so we get:

AdvINDXXX

S,A (η) = 2(Pr[b′ R← INDb(A) ∶ b′ = b ∧ b = 1] +Pr[b′ R← INDb(A) ∶ b′ = b ∧ b = 0]) − 1

10

And thus:AdvINDXXX

S,A (η) = 2Pr[b′ R← INDb(A) ∶ b′ = b] − 1

7.2 The NM-XXX Games

Given an encryption scheme S = (K,E ,D). An adversary is a pair A = (A1,A2) ofpolynomial-time probabilistic algorithms. For b ∈ {0,1}, let Expatk−b

S,A be the following ex-periment:

– (pk, sk)← K(η)– (M,s)← AO1

1 (pk) ; m0, m1R←M

– y ← E(mb); (R, y)← AO22 (M,s, y) ; x← D(y)

– return 1 if (y ∉ y) ∧ (� ∉ x) ∧R(mb, x) else return 0.

AdvNMXXX

S,A (η) = Pr[Expatk−1S,A (η) = 1] −Pr[Expatk−0

S,A (η) = 1]An encryption scheme is NM-XXX secure, if for any adversary A the function AdvNMXXX

S,Ais negligible.

7.3 Relations

To summarize all the different kinds of games, the following graph represents the impli-cations and non-implications between them along with their corresponding level of security.

Figure 1: Relations Among Notions of Security for Public-Key Encryption Scheme,Crypto’98, by Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway[BDPR’98]

To be considered as secure, a system should be at least IND-CPA secure. It has to be

11

noted that IND-CCA2 is equivalent to NM-CCA2, thus it is sufficient to prove IND-CCA2security to be sure to have NM-CCA2 security. These types of security both correspondto a very strong security.

References

[1] Pierre Barthelemy, Robert Rolland, and Pascal Veron. Cryptographie, principes et miseen oeuvre. Hermes Science, 2005.

[2] Oded Goldreich. Foundations of cryptography, volume 2. Cambridge University Press,2004.

[3] Alain Poli and Philippe Guillot. Algebre et protection de l’information. Hermes Science,2005.

12