Negative applications of the ASM thesis


Negative applications of the ASM thesis
Dean Rosenzweig and Davor Runje, University of Zagreb
Berlin, February 26-27, 2007

Outline
1 Negative applications of the ASM thesis: motivation; non-interactive algorithms; ordinary interactive algorithms
2 Background classes: motivation; definition; background for abstract cryptography
3 Abstract model of cryptography: experiments as structures; soundness; relation with Abadi-Rogaway languages; cyclic messages

Church-Turing vs ASM
Church-Turing thesis: defines an envelope for practically computable functions; negative intended use: noncomputability.
ASM thesis: captures the notion of algorithm; positive intended use: specification; abstract algorithms can be uncomputable.
Can the ASM thesis be used for negative results?

Negative applications of the thesis
Negative results. Given states $X$, $Y$ and $x \in X$:
  no small-step algorithm $A$ can output $x$;
  no small-step algorithm $A$ can make a transition from $X$ to $Y$;
  no small-step algorithm $A$ can distinguish $X$ from $Y$.
Are there meaningful interpretations for negative results? Can we effectively use the postulates to establish negative results?
Example: abstract model of cryptography
  1 PPT cryptographic algorithms → abstract algorithms
  2 no abstract algorithm can break security
  3 conclude that no PPT algorithm can break security?

Basic definitions
Definition. Let $X$, $Y$ be structures and $x \in X$. Then:
  $x$ is accessible in $X$ if there is a term $t$ s.t. $\mathrm{Val}(t, X) = x$.
  $Y$ is reachable from $X$ if there is a small-step algorithm $A$ s.t. $\tau_A(X) = Y$.
  $X$, $Y$ are distinguishable by a small-step algorithm $A$ if there is a term $t$ s.t. $\mathrm{Val}(t, \tau_A(X)) \neq \mathrm{Val}(t, \tau_A(Y))$.
An algorithm must complete its step to conclude anything!!!

Basic definitions
Definition. Let $X$, $Y$ be structures and $T$ a set of (ground) terms. Then:
  $X$ and $Y$ coincide over $T$, written $X =_T Y$, if for every $t \in T$: $\mathrm{Val}(t, X) = \mathrm{Val}(t, Y)$.
  $X$ and $Y$ are $T$-similar, written $X \sim_T Y$, if for every $t_1, t_2 \in T$: $\mathrm{Val}(t_1, X) = \mathrm{Val}(t_2, X)$ iff $\mathrm{Val}(t_1, Y) = \mathrm{Val}(t_2, Y)$.
Theorem (Factorization). If $X \sim_T Y$, then there exists $Z$ s.t. $X \cong Z$ and $Z =_T Y$.

Next value
What is the value of a term $t$ in the next state?
$T_{f(t_1,\dots,t_n)} = T \cup \{\, f(t_1,\dots,t_n) : t_i \in T_{t_i} \,\} \cup \bigcup \{\, T_{t_i} : i = 1,\dots,n \,\}$.
Theorem (Next value). There exists a term $A\,X\,t \in T_t$ s.t.
  $\mathrm{Val}(A\,X\,t, X) = \mathrm{Val}(t, \tau_A(X))$;
  if $X$, $Y$ coincide over $T_t$, then $\mathrm{Val}(t, \tau_A(X)) = \mathrm{Val}(t, \tau_A(Y))$;
  if $X$, $Y$ are $T_t$-similar, then $\mathrm{Val}(A\,X\,t, Y) = \mathrm{Val}(t, \tau_A(Y))$.

Consequences of the Next value
Corollary (Preservation of coincidence and similarity).
  If $X$, $Y$ coincide, then $\tau_A(X)$, $\tau_A(Y)$ coincide.
  If $X \sim Y$, then $\tau_A(X) \sim \tau_A(Y)$.
Theorem (Linear speedup). For every algorithm $A$ there is an algorithm $B$ s.t. $\tau_B(X) = \tau_A(\tau_A(X))$, with $T_T$ as a bounded-exploration witness (b.e.w.).

Consequences of the Next value
Next value relates dynamic and static notions!
Theorem. $X$ and $Y$ are indistinguishable iff $X$ and $Y$ are similar.

Example
Problem: $\{0, 1\}_K$ is indistinguishable from $\{n\}_K$ without $K$.
States $X$ and $Y$ with vocabulary $\{decrypt, fst, snd, op, c, k\}$ and base set $\{Pri, Pub, C, P, N, true, false, undef\}$:

              X                    Y
  decrypt     (Pri, C) ↦ P         (Pri, C) ↦ N
  fst         P ↦ true             P ↦ T
  snd         P ↦ false            P ↦ F
  op          Pri ↦ Pub            Pri ↦ Pub
  c           C                    C
  k           Pub                  Pub

States $X$ and $Y$ are indistinguishable by algorithms.
$\exists x.\ fst(decrypt(x, c)) = true$ distinguishes $X$, $Y$.

Ordinary interaction
In addition to the state $X$, there is an answer function $\alpha$ mapping queries into answers: the extended state is $(X, \alpha)$.
In addition to the vocabulary $\Upsilon$, there is a disjoint vocabulary of query templates $E$. Extended terms are terms of vocabulary $\Upsilon \cup E$.
The value of a (possibly undefined) extended term is
  $\mathrm{Val}(f(t_1,\dots,t_n), X, \alpha) = f_X(\mathrm{Val}(t_1, X, \alpha), \dots, \mathrm{Val}(t_n, X, \alpha))$ if $f \in \Upsilon$,
  $\mathrm{Val}(\hat f(t_1,\dots,t_n), X, \alpha) = \alpha(\hat f[\mathrm{Val}(t_1, X, \alpha), \dots, \mathrm{Val}(t_n, X, \alpha)])$ if $\hat f \in E$.

Definitions carry over to extended states
Definition. Let $X$, $Y$ be structures, $\alpha$, $\beta$ answer functions, $T$ a set of extended terms, and $x \in X$. Then:
  $(X, \alpha)$ and $(Y, \beta)$ coincide over $T$, written $(X, \alpha) =_T (Y, \beta)$, if for every $t \in T$: $\mathrm{Val}(t, X, \alpha) = \mathrm{Val}(t, Y, \beta)$.
  $(X, \alpha)$ and $(Y, \beta)$ are $T$-similar, written $(X, \alpha) \sim_T (Y, \beta)$, if for every $t_1, t_2 \in T$: $\mathrm{Val}(t_1, X, \alpha) = \mathrm{Val}(t_2, X, \alpha)$ iff $\mathrm{Val}(t_1, Y, \beta) = \mathrm{Val}(t_2, Y, \beta)$.

Definitions carry over to extended states
Definition. Let $X$, $Y$ be structures, $\alpha$, $\beta$ answer functions, $T$ a set of extended terms, and $x \in X$. Then:
  $x$ is accessible in $(X, \alpha)$ if there is an extended term $t$ s.t. $\mathrm{Val}(t, X, \alpha) = x$.
  $Y$ is reachable from $X$ if there is a small-step algorithm $A$ s.t. $\tau_A(X, \alpha) = Y$.
  $X$, $Y$ are distinguishable by a small-step algorithm $A$ if there is a ground term $t$ s.t. $\mathrm{Val}(t, \tau_A(X, \alpha)) \neq \mathrm{Val}(t, \tau_A(Y, \beta))$.

Distinguishability and similarity under contract
Definition. Let $\mathcal{A}$, $\mathcal{B}$ be sets of answer functions. Then $(X, \mathcal{A})$ and $(Y, \mathcal{B})$ are indistinguishable ($T$-similar) if
  for every $\alpha \in \mathcal{A}$ there exists $\beta \in \mathcal{B}$ such that $(X, \alpha)$ and $(Y, \beta)$ are indistinguishable ($T$-similar), and
  for every $\beta \in \mathcal{B}$ there exists $\alpha \in \mathcal{A}$ such that $(X, \alpha)$ and $(Y, \beta)$ are indistinguishable ($T$-similar).
$\mathcal{A}$, $\mathcal{B}$ represent the degree of freedom an environment has in providing answers.

The main result carries over
Theorem. Similarity = Indistinguishability.
Remark. Algorithms can learn by interaction: $X \sim Y$ does not imply $(X, \alpha) \sim (Y, \beta)$.

Import and reserve
Algorithms need to enlarge their working space between steps. Options:
  add new elements to the base set;
  discover unused elements, don't change the base set.
Lipari guide: every state $X$ is equipped with an infinite reserve, the elements of $X$ not in the domain or codomain of any function.
  The import rule denotes a reserve element.
  The exact choice of the reserve element imported in a state $X$ is irrelevant: every permutation of reserve elements is an automorphism of $X$.

External structure on the reserve
Non-trivial applications often need some kind of structure on the reserve, like pairs, lists, sets, ...
Problems
  How to create fresh objects without having to create the pairs, lists, ... related to them?
  What sort of structures can exist above the set of atoms without putting any structure except equality on the atoms themselves?

Intuition for backgrounds
The basic idea:
  split the vocabulary into foreground and background parts;
  make all background functions static;
  import denotes atoms, special elements of the structure;
  a foreground function exposes an element;
  the active part of a state includes the atoms necessary to denote the exposed elements;
  the reserve of a state consists of all non-active atoms.

Examples: pairs
Background functions are the binary pair and the unary fst and snd. The structure $X$ is freely generated by $pair_X$ from atoms $\{a, b, c, d, \dots\}$, while $fst_X$ and $snd_X$ are projections.
The foreground function is a nullary function $f$ denoting $\langle a, b, c \rangle$. The only exposed element is $\langle a, b, c \rangle$. Active atoms are $\{a, b, c\}$. The reserve contains all atoms but $\{a, b, c\}$.

Examples: hereditary finite sets
The background vocabulary contains the unary singleton and binary union function symbols, and the binary in relation symbol. The base set of $X$ consists of all hereditary finite sets built from atoms $\{a, b, c, d, \dots\}$.
The foreground function is a nullary function $f$ denoting $\{\{a, b\}, c\}$. The only exposed element is $\{\{a, b\}, c\}$. Active atoms are $\{a, b, c\}$. The reserve contains all atoms but $\{a, b, c\}$.

Examples: one-way function
  class OneWay
      private subject as object
      public OneWay(me as object)
          subject := me
      public Accept(me as object) as boolean
          return subject = me
The background vocabulary contains the binary function OneWay and the binary relation Accept. The base set of $X$ is freely generated by $OneWay_X$ from atoms. Given elements $x$, $y$, you can determine whether $x = OneWay(a, y)$ for some atom $a$.
Model of a one-way function: from new OneWay(x) you cannot obtain the value of x.

Background classes
Definition (Blass, Gurevich 2000). A class of structures $K$ of a fixed vocabulary is a background class if
  $K$ is closed under isomorphisms;
  for every set $U$ there is $X \in K$ such that $\mathrm{Atoms}(X) = U$;
  for $X, Y \in K$, any embedding (of sets) $\xi : \mathrm{Atoms}(X) \to \mathrm{Atoms}(Y)$ uniquely extends to an embedding (of structures) $\zeta : X \to Y$;
  for $X \in K$, every $x \in X$ has an envelope: the smallest $K$-substructure of $X$ containing $x$.

Background of an algorithm
Definition (Background). Fix $K$ of vocabulary $\Upsilon_0$. $K$ is the background of an algorithm over $\Upsilon \supseteq \Upsilon_0$ if
  no background function $f \in \Upsilon_0$ is ever updated, and
  the reduct of every state to $\Upsilon_0$ is in $K$.
Definition (Reserve).
  exposed elements: elements in the domain or codomain of a foreground function;
  active part of a state: the envelope of the set of exposed elements;
  reserve ("heap") of a state: the atoms not in the active part.

Background of an algorithm
Theorem (Blass, Gurevich 2000). Every permutation of the reserve of a state $X$ extends uniquely to an automorphism of $X$ that is the identity on the active part of $X$.

Background for abstract cryptography
So far, having a background with sets, pairs, ... was a matter of convenience: when extending the working space of an algorithm we were too lazy to do all of the bookkeeping; we could have easily imported as many elements as we really need and defined the necessary functions on them.
The model of a one-way function with a background indicates that we have something far more powerful in our hands.
We will show how a natural ASM model of public-key cryptography would not be possible without a background.

Abstract public-key cryptography
Creation
  denote constants 0, 1, ...;
  given two messages, denote their pair;
  create random values (nonces) and private keys;
  given a private key, denote the matching public key;
  given a message and a public key, create an encryption.
Analysis
  given a pair, make projections;
  given an encryption and the matching private key, obtain the encrypted message.

Abstract public-key cryptography
Attempt to model without background!
Strategy: only the analysis part is in the vocabulary: decrypt, fst, snd; created objects are imported from the reserve and the analysis functions are set.
Problem: creation of an encryption.
  The subject $m$ and the public key $k$ are accessible in $X$; the private key $K$ is not accessible in $X$.
  In order to create an encryption of $m$ with $k$, we need the update $(decrypt, e, K, m)$ in the update set of $A$ at $X$ for some fresh $e$.
  So $K$ must be critical, hence $K$ must be accessible!!!

Background solves the problem!!!
Constructors are the obvious ones.
  class PriKey { }
  struct PubKey {
      private PriKey key;
      public bool Accept(PriKey K) { return key == K; }
  }
  class Enc {
      private object subject;
      private PubKey key;
      public object Decrypt(PriKey K) { return (key.Accept(K) ? subject : null); }
  }
Any undergraduate student will understand!

What have we done?!
We have defined the following background class:
  The background vocabulary contains the unary functions PriKey, PubKey, Fst, Snd, the binary functions Pair, Decrypt and the ternary function Encrypt.
  PriKey and Encrypt are defined only if the first argument is an atom. PubKey, Fst, Snd and Pair are undefined only if any argument is an atom.
  The base set is freely generated by PriKey, Pair, PubKey, Encrypt from atoms.
  The functions Fst, Snd and Decrypt are projections: $Fst(Pair(x, y)) = x$, $Snd(Pair(x, y)) = y$, $Decrypt(Encrypt(a_1, PriKey(a_2), m)) = m$.

Abstract cryptography
Motivation: simple reasoning; automation; insight.
Challenge: relate the computational and the abstract model: abstract security ⇒ computational security.

Syntax of encryption scheme
Definition (Syntax of encryption scheme). A symmetric encryption scheme is a triple of PPT algorithms $\Pi = (K, E, D)$:
  $K : \mathrm{Parameter} \times \mathrm{Coins} \to \mathrm{Key}$
  $E : \mathrm{Key} \times \mathrm{String} \times \mathrm{Coins} \to \mathrm{Ciphertext} \cup \{\bot\}$
  $D : \mathrm{Key} \times \mathrm{String} \to \mathrm{Plaintext} \cup \{\bot\}$
  $\Pr[D(k, E(k, m, c)) = m] = 1$ for every $k \xleftarrow{\$} K(1^\eta)$, $c \in \mathrm{Coins}$ and $m \in \mathrm{Plaintext}$.
A pairing scheme is a triple of PPT algorithms $\Sigma = (P, F, S)$. All messages are tagged.

Protocol example
Notation: $A_k \to B_k : \{k_s\}_k$
Interpretation: experiment $R$ producing a concrete run $[m]$:
  $R = [\, k \xleftarrow{\$} K(\eta);\ m \xleftarrow{\$} A_k;\ B_k(m) : m \,]$
  $A_k = [\, k_s \xleftarrow{\$} K(\eta);\ e \xleftarrow{\$} E_k(k_s) : e \,]$
  $B_k(m) = [\, k_s \leftarrow D_k(m) \,]$

Experiments as terms
Experiment-representing vocabulary: each function symbol can additionally be marked as probabilistic or parameterized.
Vocabulary for symmetric encryption $\Upsilon_{\mathrm{TYPE}\text{-}0}$:
  nullary symbol undef and nullary constants;
  unary symbols $K, F, S$;
  binary symbols $P, D$;
  ternary symbol $E$.
$K$ and $E$ are marked as probabilistic; $K$ is marked as parameterized.

Experiments as terms
Experiment-representing terms of vocabulary $\Upsilon_{\mathrm{TYPE}\text{-}0}$ over a set Coins, assuming $t_1, \dots, t_n$ are terms and $c \in \mathrm{Coins}$, are:
  if $G$ is an $n$-ary symbol not marked as probabilistic, then $G(t_1, \dots, t_n)$ is a term;
  if $G$ is an $n$-ary probabilistic symbol, then $G(t_1, \dots, t_{n-1}, c)$ is a term.
What is the computational interpretation of terms?

Computational interpretation of terms
Let $\sigma$ be an assignment of infinite strings to Coins. Fix $\eta$.
  undef is interpreted as a failure: $[\![ \mathit{undef} ]\!]^{\Pi,\Sigma}_{\eta,\sigma} = \bot$.
  If $G$ is an $n$-ary symbol not marked as probabilistic, then $[\![ G(t_1,\dots,t_n) ]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G([\![ t_1 ]\!]^{\Pi,\Sigma}_{\eta,\sigma}, \dots, [\![ t_n ]\!]^{\Pi,\Sigma}_{\eta,\sigma})$.
  If $G$ is an $n$-ary probabilistic but not parameterized symbol, then $[\![ G(t_1,\dots,t_n,c) ]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G([\![ t_1 ]\!]^{\Pi,\Sigma}_{\eta,\sigma}, \dots, [\![ t_n ]\!]^{\Pi,\Sigma}_{\eta,\sigma}, \sigma(c))$.
  If $G$ is an $n$-ary probabilistic and parameterized symbol, then $[\![ G(t_1,\dots,t_n,c) ]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G(1^\eta, [\![ t_1 ]\!]^{\Pi,\Sigma}_{\eta,\sigma}, \dots, [\![ t_n ]\!]^{\Pi,\Sigma}_{\eta,\sigma}, \sigma(c))$.

Experiments as structures
Represent experiments as structures, induced by the equivalence relations on terms:
  $D(K(c_1), E(m, K(c_1), c_2)) = m$
  $F(P(m_1, m_2)) = m_1$
  $S(P(m_1, m_2)) = m_2$
Definition (Interpretation of elements). Let $t_x$ be the unique term not containing the symbols $D, F, S$ such that $\mathrm{Val}(t_x) = x$. Then $[\![ x ]\!]^{\Pi,\Sigma}_{\eta,\sigma} = [\![ t_x ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$.

Definition of the background
Definition. $BC_{\mathrm{TYPE}\text{-}0}$ is the isomorphism-closed class of structures of vocabulary $\Upsilon_{\mathrm{TYPE}\text{-}0}$ freely generated by the functions $K, P, E$ from atoms.
Lemma. $BC_{\mathrm{TYPE}\text{-}0}$ is a background class, with $\mathrm{Coins}_X = \mathrm{Atoms}(X)$ for every $X \in BC_{\mathrm{TYPE}\text{-}0}$.

Abstract algorithms for cryptography
Ordinary small-step algorithms with import operate over the $BC_{\mathrm{TYPE}\text{-}0}$ background.
Definition. Let $A$ be a small-step algorithm with ASM program $R$ and let $X$ be a state with background $BC_{\mathrm{TYPE}\text{-}0}$. Then
  $[\![ X ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ is a concatenation of $[\![ x ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ for every exposed $x$;
  $[\![ R ]\!]^{\Pi,\Sigma}_{\eta}$ is a calculation of $[\![ t ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ for every $t$ in $R$; and
  $[\![ A ]\!]^{\Pi,\Sigma}_{\eta}$ is a PPT algorithm executing $[\![ R ]\!]^{\Pi,\Sigma}_{\eta}$ on $[\![ X ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$.

Completeness
Equality and inequality of terms in $X \in BC_{\mathrm{TYPE}\text{-}0}$ is preserved with overwhelming probability.
Theorem (Completeness). If an ordinary small-step algorithm with import $A$ distinguishes states $X$ and $Y$, then the PPT algorithm $[\![ A ]\!]^{\Pi,\Sigma}_{\eta}$ distinguishes $[\![ X ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ and $[\![ Y ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ with overwhelming probability:
  $X \not\sim Y \Rightarrow [\![ X ]\!]^{\Pi,\Sigma}_{\eta,\sigma} \not\approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$.
The algorithm $[\![ A ]\!]^{\Pi,\Sigma}_{\eta}$ does not reconstruct the pattern.

Notions of security
Computational notions of security: indistinguishability as the goal; a variable attack model, completely characterized by two oracles.
Definition (Notion of security). Let $\Pi$ be an encryption scheme and IND-ATT a notion of security characterized by oracles $O_0$ and $O_1$. If
  $\mathrm{Adv}^{\mathrm{ind\text{-}att}}(A) = \Pr[A^{O_1} = 1] - \Pr[A^{O_0} = 1]$
is negligible for every PPT algorithm $A$, then $\Pi$ is IND-ATT secure.

Abadi-Rogaway variants of IND-CPA
Definition (Abadi, Rogaway).
  $\mathrm{Adv}^{\mathrm{type\text{-}0}}(A) = \Pr[k_1, k_2 \xleftarrow{\$} K(1^\eta) : A^{E_{k_1}(\cdot), E_{k_2}(\cdot)} = 1] - \Pr[k \xleftarrow{\$} K(1^\eta) : A^{E_k(0), E_k(0)} = 1]$
Type-0 oracles:
  $O_1$ is associated with two freshly sampled keys $k_1, k_2$; $O_0$ is associated with a freshly sampled key $k$;
  on a binary query $(m_1, m_2)$, $O_1$ returns the fresh encryptions $E_{k_1}(m_1), E_{k_2}(m_2)$, while $O_0$ returns the fresh encryptions $E_k(0), E_k(0)$.

Abstract notions of security
Abstract block: such an interaction can be represented abstractly with two sets of answer functions $\mathcal{A}$, $\mathcal{B}$ over the $BC_{\mathrm{TYPE}\text{-}0}$ background:
  $\alpha \in \mathcal{A}$ iff $[\![ \alpha ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ behaves as $O_0$;
  $\beta \in \mathcal{B}$ iff $[\![ \beta ]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ behaves as $O_1$.
Are $\mathcal{A}$ and $\mathcal{B}$ distinguishable by abstract algorithms? They're not: $(X, \mathcal{A}) \sim (X, \mathcal{B})$ for every state $X$ with background $BC_{\mathrm{TYPE}\text{-}0}$.

Reducibility induced by a security notion
Reducibility relation. Let $\mathcal{A}$ and $\mathcal{B}$ be the sets of answer functions characterizing IND-ATT, and $X$ and $Y$ states with $BC_{\mathrm{TYPE}\text{-}0}$ background. If there is an algorithm $A$, $\alpha \in \mathcal{A}$ and $\beta \in \mathcal{B}$ such that
  $X = A(0_X, \alpha)$ and $Y = A(0_Y, \beta)$,
then $X$ reduces to $Y$ under IND-ATT. The equivalence closure of this relation is written $=_{\mathrm{IND\text{-}ATT}}$.
Computational security is implied by the oracles:
Corollary. If $X =_{\mathrm{IND\text{-}ATT}} Y$, then $[\![ X ]\!]^{\Pi,\Sigma}_{\eta} \approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta}$.

Properties of Type-0 reduction
Elimination of subjects. If an inaccessible key $k$ is not used as a subject, we can reduce to a state where all subjects encrypted with that key are 0:
  $\{K(c_1)\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)} \quad\to\quad \{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)}$
Elimination of keys. If two inaccessible keys $k_1, k_2$ are not used as subjects and they encrypt only zeros, we can reduce to a state where all such encryptions are now with the key $k_1$ only:
  $\{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)} \quad\to\quad \{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_3)}$

Recap
What do we have? $X \not\sim Y \Rightarrow [\![ X ]\!]^{\Pi,\Sigma}_{\eta} \not\approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta}$.
What is missing? If we could show that
  $X =_{\mathrm{IND\text{-}ATT}} Y \Rightarrow [\![ X ]\!]^{\Pi,\Sigma}_{\eta} \approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta}$ and
  $X \sim Y \Rightarrow X =_{\mathrm{IND\text{-}ATT}} Y$,
then $X \sim Y \iff X =_{\mathrm{IND\text{-}ATT}} Y \iff [\![ X ]\!]^{\Pi,\Sigma}_{\eta} \approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta}$.
The soundness proof doesn't need to involve probability!!!

Type-0 reduction
Theorem (Abadi, Rogaway). If $X$ is an acyclic state, then $X$ reduces to a state with a single inaccessible key used for encryptions of zeros only.
Corollary. Let $X$ and $Y$ be acyclic states with background $BC_{\mathrm{TYPE}\text{-}0}$. Then $X \sim Y \Rightarrow [\![ X ]\!]^{\Pi,\Sigma}_{\eta} \approx [\![ Y ]\!]^{\Pi,\Sigma}_{\eta}$.
The argument is completely abstract: it does not reason about probability and Turing machines.

Abadi-Rogaway languages
Language of messages over Coins: $m ::= K(c) \mid \mathrm{Block} \mid \langle m_1, m_2 \rangle \mid \{m\}^{c_1}_{K(c_2)}$
Accessibility relation (premises $\vdash$ conclusion):
  $\langle m_1, m_2 \rangle \vdash m_1$;  $\langle m_1, m_2 \rangle \vdash m_2$;  $m_1, m_2 \vdash \langle m_1, m_2 \rangle$;
  $c_1$ is fresh $\vdash K(c_1)$;  $b \in \mathrm{Block} \vdash b$;
  $K(c_1), \{m\}^{c_2}_{K(c_1)} \vdash m$;  $K(c_1), m \vdash \{m\}^{c_2}_{K(c_1)}$.

Abadi-Rogaway languages
A pattern $p ::= K(c) \mid \mathrm{Block} \mid \langle p_1, p_2 \rangle \mid \{p\}^{c_1}_{K(c_2)} \mid f_i$ is assigned to each message by substituting undecryptable encryptions with $f_i$.
Messages are equivalent iff their patterns are equal up to renaming of coins.

Relation
$X_m$ is the first-order structure with AR messages as the non-logical part of the base set and a single foreground constant denoting $m$.
Theorem. $X_m \in BC_{\mathrm{TYPE}\text{-}i}$ (for the usual indexing functions).
  $m_1 \vdash m_2$ iff $m_2$ is accessible (by small-step algorithms) in $X_{m_1}$;
  $m_1 \equiv m_2$ iff $X_{m_1} \sim X_{m_2}$.

Acyclicity
What if the states are not acyclic?
Sometimes it doesn't matter: $\{\{k_1\}_{k_2}\}_{k_1} \equiv \{\{0\}_{k_2}\}_{k_1} \equiv \{0\}_{k_1}$
Sometimes it does!
  $\{k_1\}_{k_2}, \{k_1\}_{k_1}$    $\{k_1\}_{k_2}, \{0\}_{k_1}$
  $\{0\}_{k_2}, \{k_1\}_{k_1}$    $\{0\}_{k_2}, \{0\}_{k_1}$
Both have the same cycle ($k_1 \to k_1$, $k_2 \to k_1$)!
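As an added worked example (not part of the slides), the accessibility relation and the pattern equivalence of the two Abadi-Rogaway slides above, together with an acyclicity check of the "encrypts" graph, since the Type-0 soundness corollary only covers acyclic states. The tuple encoding of messages, the BOX placeholder (playing the role of the slide's $f_i$) and all sample messages are constructed here; the sample $\langle \{k_1\}_{k_2}, \{k_1\}_{k_1} \rangle$ is the slide's, the others are made up to show the acyclic case.

```python
# Messages are tuples: ("K", c) is the key K(c); ("B", bits) a block; ("P", m1, m2) a pair;
# ("E", c2, c1, m) is {m}^{c1}_{K(c2)}; BOX stands for an undecryptable encryption.
def K(c): return ("K", c)
def B(bits): return ("B", bits)
def P(m1, m2): return ("P", m1, m2)
def E(key_coin, coin, m): return ("E", key_coin, coin, m)
BOX = ("BOX",)

def keys_in(m, known=None):
    """Key coins occurring in m; with `known` given, enter an encryption only if its key is known."""
    if m[0] == "K":
        return {m[1]}
    if m[0] == "P":
        return keys_in(m[1], known) | keys_in(m[2], known)
    if m[0] == "E" and (known is None or m[1] in known):
        return keys_in(m[3], known)
    return set()

def accessible_keys(m):
    """Least fixpoint of the accessibility rules, starting from no keys."""
    known = set()
    while not keys_in(m, known) <= known:
        known |= keys_in(m, known)
    return frozenset(known)

def pattern(m, keys):
    """Replace every encryption under an inaccessible key by BOX."""
    if m[0] == "P":
        return P(pattern(m[1], keys), pattern(m[2], keys))
    if m[0] == "E":
        return E(m[1], m[2], pattern(m[3], keys)) if m[1] in keys else BOX
    return m

def canonical(p, names):
    """Rename coins in order of first appearance, so equal results mean equal up to renaming."""
    rn = lambda c: names.setdefault(c, "c%d" % len(names))
    if p[0] == "K":
        return K(rn(p[1]))
    if p[0] == "P":
        return P(canonical(p[1], names), canonical(p[2], names))
    if p[0] == "E":
        return E(rn(p[1]), rn(p[2]), canonical(p[3], names))
    return p

def equivalent(m1, m2):
    """m1 and m2 are equivalent iff their patterns agree up to renaming of coins."""
    return canonical(pattern(m1, accessible_keys(m1)), {}) == canonical(pattern(m2, accessible_keys(m2)), {})

def encrypts(m):
    """Edges k -> k' of the 'encrypts' graph: k' occurs inside a subject encrypted under k."""
    if m[0] == "P":
        return encrypts(m[1]) | encrypts(m[2])
    if m[0] == "E":
        return {(m[1], k) for k in keys_in(m[3])} | encrypts(m[3])
    return set()

def is_acyclic(m):
    """True iff the 'encrypts' graph has no cycle (the precondition of the soundness theorem)."""
    edges = encrypts(m)
    nodes = {k for e in edges for k in e}
    while nodes:  # repeatedly peel off keys that no remaining encryption wraps
        sources = {n for n in nodes if all(t != n for _, t in edges)}
        if not sources:
            return False
        nodes -= sources
        edges = {(s, t) for s, t in edges if s not in sources}
    return True

# Constructed sample messages (coins are just labels; no real keys are generated).
k1, k2, k3, zero = K("c1"), K("c2"), K("c3"), B("0")
cyclic_a = P(E("c2", "r1", k1), E("c1", "r2", k1))     # <{k1}k2, {k1}k1>: k1 encrypts k1
cyclic_b = P(E("c2", "r3", zero), E("c1", "r4", k1))   # <{0}k2, {k1}k1>: same pattern <BOX, BOX>
acyclic_a = P(E("c2", "r5", k1), k2)                   # <{k1}k2, k2>: k2, hence k1, is accessible
acyclic_b = P(E("c2", "r6", k3), k2)                   # <{k3}k2, k2>: equal pattern up to renaming
```

`equivalent(cyclic_a, cyclic_b)` is true while `is_acyclic` fails for both, which is exactly the situation where the abstract argument alone does not license a computational conclusion.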

What should we do?
1 Ignore the problem: protocols do not use cyclic encryption.
  Honest participants do not, but an intruder might.
2 Use the equivalence induced by a security notion.
  Declare the equivalence by patterns wrong; provable soundness for all messages with just CPA; does it really solve the problem?
3 Find new (stronger) security notions.
  Computational notions are just proof devices; when they diverge from our intentions, look for new ones.

Key dependent messages
Definition (Black, Rogaway, Shrimpton 2002). The IND-KDM notion of security is characterized by the following two oracles:
  the oracles independently sample keys $k_1, \dots, k_n$;
  the input to the oracles is a PPT function $f$ on $n$-tuples and an index $i$;
  both oracles compute $f(k_1, \dots, k_n)$;
  oracle $O_1$ outputs a fresh encryption of $f(k_1, \dots, k_n)$ with the key $k_i$;
  oracle $O_0$ outputs a fresh encryption of $0^{|f(k_1, \dots, k_n)|}$ with the key $k_i$.

Abstract IND-KDM security
Definition (IND-KDM answer functions).
  Answer functions are associated with $n$ freshly sampled keys.
  Abstract queries encode arbitrary background terms and an index.
  The oracles return a fresh encryption of the value of the term with the key $k_i$.
Theorem. Every state reduces to a state where inaccessible keys encrypt zeros only.
Soundness for all messages follows.