IND-onetime security

From CRYPTUTOR

Revision as of 07:31, 18 August 2007; view current revision
←Older revision | Newer revision→

IND-onetime security is a security definition for one-time private-key encryption schemes, equivalent to perfect secrecy. The "IND" part of the name IND-onetime comes from the fact that it is an indistinguishability-based security definition (the adversary tries to distinguish between encryptions of two different messages).

[edit]

Definition

Let $A$ be an adversary, which we model as an arbitrary (unbounded) computation. We define the following experiment/game played against A

IND-onetime Distinguishability Experiment:

We (privately) choose a key $k$ according to the key generation algorithm: $k \gets \mathsf{KeyGen}$ .
We (privately) choose a random bit $b \gets \{0,1\}$ .
Challenge: $A$ outputs two messages, $m_0\,$ and $m_1\,$ .
Response: We give $A$ the ciphertext $\mathsf{Enc}_k(m_b)$ .
$A$ outputs $b'\,$ (i.e, a guess for our $b$ ).
We say that the advantage of $A$ in this experiment is $\Pr[ b = b' ] - 1/2$ .

A one-time encryption scheme is $\epsilon\,$ -IND-onetime secure if:

For all adversaries

A

, the advantage of

A

in the IND-onetime experiment is at most $\epsilon\,$ .

When $\epsilon=0\,$ , we omit it and simply call the scheme IND-onetime secure.

[edit]

Equivalence to perfect secrecy

It is not hard to see that IND-onetime security is equivalent to perfect secrecy. An IND-onetime adversary sees only a sample from the distribution $\{\mathsf{Enc}_k(m_b)\}_{k \gets \mathsf{KeyGen}}$ . If the encryption scheme has perfect secrecy, then this distribution is independent of $b$ and thus the adversary has no advantage in guessing $b$ . Otherwise, the distributions $\{\mathsf{Enc}_k(m_0)\}_{k \gets \mathsf{KeyGen}}$ and $\{\mathsf{Enc}_k(m_1)\}_{k \gets \mathsf{KeyGen}}$ differ for some some $m_0\,$ and $m_1\,$ . Then an IND-onetime adversary can choose those as his challenge and then run any statistical test which has an advantage in distinguishing the two distributions (such a test must exist if the distributions differ).

[edit]

IND-onetime security

From CRYPTUTOR

Definition

Equivalence to perfect secrecy

See also

Views

Personal tools

Navigation

Search

Toolbox