SIM-onetime security

From CRYPTUTOR

Revision as of 07:31, 18 August 2007

SIM-onetime security is a security definition for one-time private-key encryption schemes, equivalent to perfect secrecy. The "SIM" part of the name SIM-onetime comes from the fact that it is a simulation-based security definition.

Definition

Consider the following two experiments among two honest parties Alice and Bob, an adversary Eve, and an environment. The behaviors of Alice and Bob are fixed, but Eve and the environment may be any arbitrary (unbounded) computations.

The environment models an arbitrary influence Eve might have over the messages that Alice sends to Bob, as well as arbitrary criteria for whether Eve has succeeded in doing something "malicious."

Real world experiment:
SIM-onetime-real
  1. The adversary Eve arbitrarily interacts with the environment (i.e., to influence its choice of message in the next step).
  2. The environment sends a message m to Alice.
  3. Alice sends an encryption of m to Bob according to the encryption scheme. In particular, they must already share a key, chosen randomly as prescribed in the definition of the encryption scheme.
  4. Eve receives a copy of the ciphertext, and then arbitrarily interacts with the environment (to influence the behavior of the environment).
  5. The environment outputs a bit (whether Eve caused a particular observable effect on the environment).

The adversary is said to "succeed" in the experiment if the environment outputs 1.

Ideal world experiment:
SIM-onetime-ideal
  1. The adversary Eve arbitrarily interacts with the environment.
  2. The environment sends a message m to Alice.
  3. Alice sends the message m to Bob through a secure channel.
  4. Eve does not receive a copy of the ciphertext, but continues to arbitrarily interact with the environment.
  5. The environment outputs a bit (whether Eve caused a particular observable effect -- same as above -- on the environment).

The adversary is said to "succeed" in the experiment if the environment outputs 1.

The encryption scheme is SIM-onetime secure if:

For all real-world adversaries A, there exists an ideal-world adversary A' such that, for all environments, the success probabilities in these two experiments are the same.

It is convenient to interpret this definition in the following way: for every way to "do something malicious" in the presence of the encryption scheme (i.e., an adversary A), there is another way to do the same malicious thing (i.e., the corresponding A') without looking at the ciphertext at all!
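
The definition can be checked exhaustively on a toy scheme. The following Python is an added example, not part of the original page: it computes Eve's exact view under a one-time pad on 4-bit messages and under a constructed broken variant that reuses a 2-bit key. All names, the particular Eve (`eve_report`) and the particular environment (`judge`, which picks m uniformly in the broken case) are assumptions chosen for illustration.

```python
from collections import Counter
from fractions import Fraction

N = 2                                   # half-message size in bits (toy value)
MASK = (1 << N) - 1
MESSAGES = range(1 << (2 * N))          # all 2N-bit messages / ciphertexts

def otp_enc(k, m):                      # one-time pad with a 2N-bit key
    return k ^ m

def reuse_enc(k, m):                    # broken: N-bit key reused on both halves
    return m ^ (k | (k << N))

def eve_view(enc, key_bits, m):
    """Distribution of the ciphertext Eve sees in the real world for message m."""
    counts = Counter(enc(k, m) for k in range(1 << key_bits))
    return {c: Fraction(n, 1 << key_bits) for c, n in counts.items()}

# Simulator used by the ideal-world A': a uniform fake ciphertext, chosen without m.
SIMULATED_VIEW = {c: Fraction(1, len(MESSAGES)) for c in MESSAGES}

def eve_report(c):                      # Eve's step-4 message to the environment
    return (c >> N) ^ (c & MASK)

def judge(m, report):                   # environment's step-5 output bit
    return int(report == (m >> N) ^ (m & MASK))

def success(view, m):
    """Pr[environment outputs 1] when Eve is run on a ciphertext drawn from view."""
    return sum(p * judge(m, eve_report(c)) for c, p in view.items())

def best_ideal_success():
    """Upper bound for any A' when the environment picks m uniformly:
    A' never sees m, so it can do no better than the best fixed report."""
    return max(Fraction(sum(judge(m, r) for m in MESSAGES), len(MESSAGES))
               for r in range(1 << N))

if __name__ == "__main__":
    # One-time pad: Eve's real view equals the simulated view for every m,
    # so the two experiments agree for every Eve and every environment.
    print(all(eve_view(otp_enc, 2 * N, m) == SIMULATED_VIEW for m in MESSAGES))
    # Key reuse: real success is 1 for every m, but no A' exceeds 1/4.
    print({success(eve_view(reuse_enc, N, m), m) for m in MESSAGES},
          best_ideal_success())
```

For the one-time pad the ideal-world A' simply runs A on the simulated ciphertext and forwards its messages. For the key-reuse variant the gap between 1 and 1/4 shows that no A' exists for this A and environment.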
