IND-onetime security

From CRYPTUTOR

Jump to: navigation, search

IND-onetime security is a security definition for one-time private-key encryption schemes, equivalent to perfect secrecy. The "IND" part of the name IND-onetime comes from the fact that it is an indistinguishability-based security definition (the adversary tries to distinguish between encryptions of two different messages).

[edit]

Definition

Let A be an adversary, which we model as an arbitrary (unbounded) computation. We define the following experiment/game played against A

IND-onetime Distinguishability Experiment:
  1. We (privately) choose a key k according to the key generation algorithm: k \gets \mathsf{KeyGen}.
  2. We (privately) choose a random bit b \gets \{0,1\}.
  3. Challenge: A outputs two messages, m_0\, and m_1\,.
  4. Response: We give A the ciphertext \mathsf{Enc}_k(m_b).
  5. A outputs b'\, (i.e, a guess for our b).
We say that the advantage of A in this experiment is \Pr[ b = b' ] - 1/2.

A one-time encryption scheme is \epsilon\,-IND-onetime secure if:

For all adversaries A, the advantage of A in the IND-onetime experiment is at most \epsilon\,.

When \epsilon=0\,, we omit it and simply call the scheme IND-onetime secure.

[edit]

Equivalence to perfect secrecy

It is not hard to see that IND-onetime security is equivalent to perfect secrecy. An IND-onetime adversary sees only a sample from the distribution \{\mathsf{Enc}_k(m_b)\}_{k \gets \mathsf{KeyGen}}. If the encryption scheme has perfect secrecy, then this distribution is independent of b and thus the adversary has no advantage in guessing b. Otherwise, the distributions \{\mathsf{Enc}_k(m_0)\}_{k \gets \mathsf{KeyGen}} and \{\mathsf{Enc}_k(m_1)\}_{k \gets \mathsf{KeyGen}} differ for some some m_0\, and m_1\,. Then an IND-onetime adversary can choose those as his challenge and then run any statistical test which has an advantage in distinguishing the two distributions (such a test must exist if the distributions differ).

[edit]

See also

Retrieved from "http://crypto.cs.uiuc.edu/wiki/index.php/IND-onetime_security"