Semantic security

Semantic security

Semantic security is a widely-used definition for security in an asymmetric key encryption algorithm. For a cryptosystem to be semantically secure, it must be infeasible for a computationally-bounded adversary to derive significant information about a message (plaintext) when given only its ciphertext and the corresponding public encryption key. Semantic security considers only the case of a "passive" attacker, i.e., one who generates and observes ciphertexts using the public key and plaintexts of her choice. Unlike other security definitions, semantic security does not consider the case of chosen ciphertext attack (CCA), where an attacker is able to request the decryption of chosen ciphertexts, and many semantically-secure encryption schemes are demonstrably insecure against chosen ciphertext attack. Consequently, semantic security is now considered an insufficient condition for securing a general-purpose encryption scheme.

The notion of semantic security was first put forward by Goldwasser and Micali in 1982.S. Goldwasser and S. Micali, [http://portal.acm.org/citation.cfm?id=802212 Probabilistic encryption & how to play mental poker keeping secret all partial information] , Annual ACM Symposium on Theory of Computing, 1982.] However, the definition they initially proposed offered no straightforward means to prove the security of practical cryptosystems. Goldwasser/Micali subsequently demonstrated that semantic security is equivalent to the property of ciphertext indistinguishability.S. Goldwasser and S. Micali, [http://dx.doi.org/10.1016/0022-0000(84)90070-9 Probabilistic encryption] . Journal of Computer and System Sciences, 28:270-299, 1984.] This equivalence allowed for security proofs of practical cryptosystems, and consequently the indistinguishability definition is used more commonly than the original definition of semantic security.

Indistinguishability under Chosen Plaintext Attack (IND-CPA) is commonly defined by the following game:

# A probabilistic polynomial time-bounded adversary is given a public key, which it may use to generate any number of ciphertexts (within polynomial bounds).
# The adversary generates two equal-length messages m_0 and m_1, and transmits them to a challenge oracle along with the public key.
# The challenge oracle selects one of the messages by flipping a fair coin, encrypts the message under the public key, and returns the resulting ciphertext c to the adversary.

The underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle, with probability significantly greater than 1/2 (the success rate of random guessing). Variants of this definition define indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack (IND-CCA, IND-CCA2).

Because the adversary possesses the public encryption key in the above game, a semantically secure encryption scheme must by definition be probabilistic, possessing a component of randomness; if this were not the case, the adversary could simply compute the deterministic encryption of m_0 and m_1 and compare these encryptions with the returned ciphertext c to successfully guess the oracle's choice.

Semantically secure encryption algorithms include Goldwasser-Micali, El Gamal and Paillier. These schemes are considered provably secure, as their semantic security can be reduced to solving some hard mathematical problem (e.g., Decisional Diffie-Hellman or the Quadratic Residuosity Problem). Other, non-semantically-secure algorithms such as RSA, can be made semantically secure (under stronger assumptions) through the use of random encryption padding schemes such as Optimal Asymmetric Encryption Padding (OAEP).

References


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать курсовую

Look at other dictionaries:

  • Semantic interoperability — (also referred to as Computable Semantic Interoperability) is the ability of two or more computer systems to exchange information and have the meaning of that information automatically interpreted by the receiving system accurately enough to… …   Wikipedia

  • SeMantic Information Logistics Architecture — Betriebssystem unabhängig Programmier­sprache Java Kategorie Framework für Informationsmanagement Lizenz Eclipse Public License …   Deutsch Wikipedia

  • Semantic Information Logistics Architecture — Betriebssystem: unabhängig Programmiersprache: Java Kategorie: Framework für Informationsmanagement Lizenz: Eclipse Public License …   Deutsch Wikipedia

  • Semantic dispute — For semantic arguments in linguistics, see verb argument. A semantic dispute is a disagreement that arises if the parties involved disagree about whether a particular claim is true, not becausethey disagree on material facts, but rather because… …   Wikipedia

  • Semantic URL — The term semantic URL refers to a URL which is of a form that is immediately and intuitively meaningful to non experts. Such URL schemes tend to reflect the conceptual structure of a collection of information (see Information Architecture) and… …   Wikipedia

  • Semantic service oriented architecture — A Semantic Service Oriented Architecture (SSOA) is a computer architecture that allows for scalable and controlled Enterprise Application Integration solutions. [ [http://www.wsmx.org/papers/publications/SSOA.pdf Exposing Semantic Web Service… …   Wikipedia

  • Entropic security — is a security definition for encryption for specific message spaces. Standard security definitions such as semantic security permit the adversary a great deal of knowledge about the messages being encrypted for example, the adversary is often… …   Wikipedia

  • Provable security — In cryptography, a system has provable security if its security requirements can be stated formally in an adversarial model, as opposed to heuristically, with clear assumptions that the adversary has access to the system as well as enough… …   Wikipedia

  • Information theoretic security — A cryptosystem is information theoretically secure if its security derives purely from information theory. That is, it is secure even when the adversary has unbounded computing power. An example of an information theoretically secure cryptosystem …   Wikipedia

  • United Nations Security Council Resolution 242 — (S/RES/242) was adopted unanimously by the UN Security Council on November 22, 1967 in the aftermath of the Six Day War. It was adopted under Chapter VI of the United Nations Charter. [ [http://domino.un.org/unispal.nsf/db942872b9eae454852560f6005… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”