Uniform and non-uniform adversaries

From CRYPTUTOR

In cryptography, we consider the behaviors of adversaries that try to break cryptographic schemes. We classify an adversary as uniform or non-uniform depending on how it behaves when different values of the scheme's security parameter are used.

Uniform

A uniform adversary is best modeled as a Turing machine. The same code is executed to attack a cryptographic scheme, regardless of the value of the scheme's security parameter (though the security parameter can be implicitly provided as input). Such an adversary has (computationally) "uniform" behavior over all values of the security parameter. Though it may behave differently for different values of the security parameter, these behaviors are still computable as a function of the security parameter.

Non-uniform

A non-uniform adversary is best modeled as a "circuit family". More formally, a non-uniform adversary A is a sequence of programs indexed by the security parameter. To attack a cryptographic scheme whose security parameter is set to the value k, we execute the program . For simplicity of notation, though, we often omit the index k when the security parameter is understood.

Non-uniform adversaries may exhibit a vastly different behavior for every value of the security parameter. However, for polynomial-time non-uniform adversaries, we insist that there is a single polynomial p that bounds the running time of all .

Non-uniform computation is a much stronger class of computation than uniform computation. In fact, it can realize behaviors than are not computable in practice (efficiently or otherwise). Nonetheless, in order to have security against the widest range of adversaries, most cryptographic definitions of security consider non-uniform adversaries.