Questions tagged [security-definition]

Questions about formal definitions of "security" for various cryptographic schemes (e.g. perfect secrecy, semantic security, ciphertext indistinguishability, etc.)

This tag is intended for questions about the various definitions formalizing the concept of "security" for different cryptographic schemes. Examples of such definitions include:

  • Perfect secrecy, wherein the ciphertext is required to provide no information about the plaintext even to a computationally unlimited adversary. Provided by the one-time pad, and basically nothing else.

  • Semantic security, essentially a relaxed form of perfect secrecy, wherein the computational power allowed to the adversary may not increase faster than any polynomial function of the length of the key. Provably equivalent to ciphertext indistinguishability under a chosen-plaintext attack (see below).

  • Ciphertext indistinguishability under various attack models, requiring that a polynomial-time adversary, given certain kinds of access to the encryption and/or decryption function, should not be able to distinguish the encryptions of two messages from each other significantly more often than just by guessing at random. Common subtypes include indistinguishability under a chosen-plaintext attack (IND-CPA), under a chosen-ciphertext attack (IND-CCA) or even under an adaptive chosen-ciphertext attack (IND-CCA2).

  • Non-malleability under various attack models, essentially requiring that the adversary be unable to change the ciphertext so that it decrypts to a message of their choosing. Closely related to ciphertext indistinguishability.

  • Resistance to various types of forgery (e.g. universal, selective or existential), a property required of secure digital signatures or message authentication codes and related to non-malleability of encryption systems.

  • Collision and preimage resistance, properties of cryptographic hash functions.

  • Forward secrecy, a property of key-agreement protocols guaranteeing that a future compromise of the long-term keys will not compromise any previously agreed temporary keys.

  • Pseudorandomness, a strong security definition requiring that a given function or permutation (such as a block cipher) be indistinguishable from a randomly chosen function or permutation with the same domain and range.

  • etc.

322 questions
42 votes, 8 answers

Simply put, what does “perfect secrecy” mean?

I would like to ask for a clear (but maybe not so deep) explanation of what the term "perfect secrecy" means. As far as I have researched and understood, it has to do with probabilities of assuming that a certain variable will be the key for a…
Emyr
42 votes, 3 answers

What are preimage resistance and collision resistance, and how can the lack thereof be exploited?

What is "preimage resistance", and how can the lack thereof be exploited? How is this different from collision resistance, and are there any known preimage attacks that would be considered feasible?
34 votes, 1 answer

What do the signature security abbreviations like EUF-CMA mean?

From time to time, one stumbles across formal security definitions. This includes security definitions for signature schemes. The most common ones are the *UF-* ones, advertising security against specific classes of attackers. Now these notions may…
31 votes, 1 answer

Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RLWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply uniformly selecting the coefficients from the set…
22 votes, 2 answers

Why is AES considered to be secure?

The security of RSA is based on the integer factorization problem, which is a very well defined and understood mathematical problem. This problem must be solved in order to fundamentally break RSA. What about AES (and others based on the same…
Eiver
21 votes, 2 answers

What stops the Multiply-With-Carry RNG from being a Cryptographically Secure PRNG?

Despite the fact that Marsaglia's MWC PRNG (multiply-with-carry random number generator) is considered to be "the mother of all RNGs", it does not seem to be considered to be a CSPRNG (cryptographically secure pseudo-random number generator) even…
Mike Edward Moras
19 votes, 3 answers

What is the difference between uniformly and at random in crypto definitions?

Very often in the description and analysis of a cryptographic protocol there is a need for an element $k$ that is sampled uniformly AND at random. Is there a redundancy in the definition with uniformity and randomness? If no what is the…
curious
16 votes, 6 answers

How exactly is "true randomness" defined in the realms of cryptography?

Especially in relation to stream ciphers, I frequently read about (sometimes theoretical, sometimes practical) attacks that are able to "distinguish a ciphertext from a truly random stream". What's logical to me is that - just because a ciphertext…
15 votes, 2 answers

Does GCM (or GHASH) only provide 64-bit security against forgeries?

In a recent comment a doubt was voiced about my answer, which claims GCM to require $2^{128}$ for a successful forgery. The doubt was that the square root needs to be taken meaning the security would be $2^{64}$. So of course I immediately checked…
SEJPM
14 votes, 1 answer

Meaning of "Security can be reduced to a problem"

I'm studying reductions in cryptography and confused about the way people use the word "reduction". My question is almost the same as a past question, but what I want to ask is slightly different. A lot of papers or articles (e.g. Wikipedia…
13 votes, 2 answers

Example of a PRP that is not a strong PRP

The exact definition of security for a pseudorandom permutation is straightforward - for some encryption scheme $E\,\colon\,\mathcal{K}\times\mathcal{D}\rightarrow\mathcal{D}$, it must be the case that no efficient adversary can distinguish…
pg1989
13 votes, 1 answer

Proofs by reduction and times of adversaries

I have some difficulties understanding, when we construct a reduction, how we determine the time for the constructed adversary to break a target security property. In general these details are not explained in books. Do you have some examples in…
Dingo13
12 votes, 3 answers

How small is negligible?

When proving theorems in crypto we often make use of the concept of negligible functions or, more simply, negligible parameters. As a rule of thumb, given today (2018) computational power, what is the smallest inverse power of 2 that we can consider…
Rexcirus
12 votes, 2 answers

Definitions of secrecy

I found terms like "forward secrecy", "future secrecy", "backwards secrecy" and "perfect forward secrecy" and I would like to know their definitions and to understand the differences among them. I found several confusing definitions online,…
M-elman
12 votes, 4 answers

Is the one-time-pad a secure system according to modern definitions?

Occasionally I hear people say that one-time pads are "useless" or even "broken". "modern cryptography knows more security definitions, under some of which the one-time pad is completely broken." -- How do we know a cryptographic primitive…
David Cary