2.2 Cryptographic Primitives
2.2.5 Encryption
An encryption scheme consists of four efficient algorithms: Setup Setup, key generation KeyGen,encryption Enc and decryption Dec.
Definition 2.11. An encryption ENC scheme is determined by four algorithms:
• Setup: On input of a security parameter τ, this algorithm outputs a set P of public parameters that will be used by following algorithms, together with a key space K, a message space M and a ciphertext space C.
• KeyGen: On input of the public parameters P and the key space K, this algorithm outputs a pair of random keys (Ke, Kd)∈ K, where Ke is the encryption key and Kd is the corresponding decryption key.
• Enc: On input of a message m∈ Mand the encryption key Ke, this algorithm outputs a ciphertext c∈ C.
• Dec: On input of a ciphertext c∈ C and the decryption key Kd, this algorithm outputs a message m∈ M if the decryption succeeds; otherwise it outputs ⊥.
An encryption has to satisfy the following:
c=EncKe(m)⇔m=DecKd(c)
2. CRYPTOGRAPHY FUNDAMENTALS
Definition 2.12. A symmetric-key encryption schemeENCsymis an encryption scheme where Ke=Kd.
Definition 2.13. A public-key encryption scheme ENCpub is an encryption scheme where Ke 6= Kd. Ke is called public key and usually denoted pk and Kd is called secret key and usually denoted sk.
Note that public key encryption schemes enable any partyA to send encrypted messages to another party B that only B can decrypt, without any prior agreement. Contrary to symmetric key encryption schemes where the parties A and B have to agree beforehand on an encryption key.
Next, we review the definitions of secure encryption that will be referenced in the remain-der of this manuscript.
As proposed by Bellare et al. (11), we organize definitions by considering first the adver-sarial goal and then the attack model. As a result, security definitions are obtained as“a pairing of a particular adversarial goal and a particular attack model”(11).
Given an encryption scheme ENC and a challenge ciphertext c encrypted using the en-cryption keyKe, we consider two adversarial goals:
• One-wayness OW: The goal of an adversaryAis to decryptcwithout having access to the decryption keyKd.
• Indistinguishability IND: The goal of an adversary A is to tell whether a challenge ciphertextcencrypts a messagem0 or whether it encrypts a messagem1 with a proba-bility significantly larger than one half, wherem0 and m1 are two messages inMthat were chosen byA. Indistinguishability formalizes the inability of adversaryA to learn any information about the plaintextm underlying the ciphertextc.
In addition to the adversarial goals, we consider two attack models depending on the information provided to the adversary A. In order of increasing strength, these are: chosen plaintext attack andchosen ciphertext attack.
• Chosen plaintext attack CPA: An adversary A can encrypt any message of his choice.
To this effect, A has access to an encryption oracle OEnc, that when given a plaintext m and an encryption keyKe returns c=EncKe(m).
• Chosen ciphertext attack CCA: Besides being able to query the encryption oracleOEnc
with messages of his choice, adversaryA has access to a decryption oracle ODec, that when given a ciphertextcand a decryption keyKdreturnsm=DecKd(c). AdversaryA is allowed to queryODec with ciphertexts of his choice except for the challenge ciphertext c.
14
2.2 Cryptographic Primitives If adversary A uses the decryption oracle only before obtaining the challenge cipher-textc, then the attack model is called non-adaptive chosen ciphertext attack (CCA1).
Otherwise, the attack model is called adaptive chosen ciphertext attack (CCA2).
Consequently, we obtain six security models: OW-CPA, OW-CCA1, OW-CCA2, IND-CPA, IND-CCA1 and IND-CCA2. These security models are defined using interactive games in accordance with the work of Bellare et al. (11):
Definition 2.14. Let ENC = (Setup,KeyGen,Enc,Dec) be an encryption scheme, and let A(re, rd, se, sd, ǫ) be an adversary against the one wayness ofENC.
The OW-ATK∈ {OW-CPA, OW-CCA1, OW-CCA2}game consists of four phases:
• Learning-1: Adversary A makes a polynomial number of queries re to the encryption oracle OEnc and rd queries to the decryption oracle ODec.
• Challenge: ChallengerCpicks at random a messagem∈ Mand returns the challenge ciphertext c=EncKe(m) to adversary A.
• Learning-2: Adversary A makes a polynomial number of queries se to the encryption oracle OEnc and sd queries to the decryption oracle ODec, with the restriction that he cannot query the decryption oracle ODec with the challenge ciphertext c.
• Guess: Adversary A outputs a guess m′.
Adversary A is said to win the OW-ATK game if m=m′, where OW-ATK= OW-CPA, ifrd=sd= 0.
OW-ATK= OW-CCA1, if rd6= 0 and sd= 0.
OW-ATK= OW-CCA2, if sd6= 0.
The advantage ǫof adversary A in winning the OW-ATK game is defined as:
ǫ=Pr(A wins)
Definition 2.15. An encryption ENC = (Setup,KeyGen,Enc,Dec) is said to be OW-ATK secure, iff for any adversary A(re, se, rd, sd, ǫ), the advantage ǫ in winning the OW-ATK game is negligible.
Definition 2.16. Let ENC= (Setup,KeyGen,Enc,Dec) be an encryption scheme, and let A (re, rd, se, sd, ǫ) be an adversary against the indistinguishability of ENC.
The IND-ATK∈ {IND-CPA, IND-CCA1, IND-CCA2} game consists of four phases:
• Learning-1: Adversary A makes a polynomial number of queries re to the encryption oracle OEnc and rd queries to the decryption oracle ODec.
• Challenge: Adversary A provides challenger C with two messages m0 and m1 in M. Challenger C flips a fair coin b ∈ {0,1}, then returns the challenge ciphertext cb = EncKe(mb) to adversary A.
2. CRYPTOGRAPHY FUNDAMENTALS
• Learning-2: Adversary A makes a polynomial number of queries se to the encryption oracle OEnc and sd queries to the decryption oracle ODec, with the restriction that he cannot query the decryption oracle ODec with the challenge ciphertext cb.
• Guess: Adversary A outputs a guessb′.
Adversary A is said to win the IND-ATK game if b=b′, where IND-ATK = IND-CPA, if rd=sd= 0.
IND-ATK = IND-CCA1, ifrd6= 0 and sd= 0.
IND-ATK = IND-CCA2, ifsd6= 0.
The advantage ǫ of adversaryA in winning the IND-ATK game is defined as:
ǫ=Pr(A wins)−1