Community hub
0 subscribers7 pages, 0 posts
Recent from talks
All channels
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to Semantic security.
Nothing was collected or created yet.
Semantic security
View on Wikipediafrom Wikipedia
In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message (taken from any distribution of messages), and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length (and not the ciphertext).[1] This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.[2][3]: 378–381
History
[edit]The notion of semantic security was first put forward by Goldwasser and Micali in 1982.[1][4] However, the definition they initially proposed offered no straightforward means to prove the security of practical cryptosystems. Goldwasser/Micali subsequently demonstrated that semantic security is equivalent to another definition of security called ciphertext indistinguishability under chosen-plaintext attack.[5] This latter definition is more common than the original definition of semantic security because it better facilitates proving the security of practical cryptosystems.
Symmetric-key cryptography
[edit]In the case of symmetric-key algorithm cryptosystems, an adversary must not be able to compute any information about a plaintext from its ciphertext. This may be posited as an adversary, given two plaintexts of equal length and their two respective ciphertexts, cannot determine which ciphertext belongs to which plaintext.
Public-key cryptography
[edit] | This section needs additional citations for verification. (September 2012) |
For an asymmetric key encryption algorithm cryptosystem to be semantically secure, it must be infeasible for a computationally bounded adversary to derive significant information about a message (plaintext) when given only its ciphertext and the corresponding public encryption key. Semantic security considers only the case of a "passive" attacker, i.e., one who generates and observes ciphertexts using the public key and plaintexts of their choice. Unlike other security definitions, semantic security does not consider the case of chosen ciphertext attack (CCA), where an attacker is able to request the decryption of chosen ciphertexts, and many semantically secure encryption schemes are demonstrably insecure against chosen ciphertext attack. Consequently, semantic security is now considered an insufficient condition for securing a general-purpose encryption scheme.
Indistinguishability under Chosen Plaintext Attack (IND-CPA) is commonly defined by the following experiment:[6]
- A random pair is generated by running .
- A probabilistic polynomial time-bounded adversary is given the public key , which it may use to generate any number of ciphertexts (within polynomial bounds).
- The adversary generates two equal-length messages and , and transmits them to a challenge oracle along with the public key.
- The challenge oracle selects one of the messages by flipping a fair coin (selecting a random bit ), encrypts the message under the public key, and returns the resulting challenging ciphertext to the adversary.
The underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle, with probability significantly greater than (the success rate of random guessing). Variants of this definition define indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack (IND-CCA, IND-CCA2).
Because the adversary possesses the public encryption key in the above game, a semantically secure encryption scheme must by definition be probabilistic, possessing a component of randomness; if this were not the case, the adversary could simply compute the deterministic encryption of and and compare these encryptions with the returned ciphertext to successfully guess the oracle's choice.
The role of randomness in semantic security
[edit]Randomness plays a key role in cryptography by preventing attackers from detecting patterns in ciphertexts. In a semantically secure cryptosystem, encrypting the same plaintext multiple times should produce different ciphertexts.[7]
If encryption relies on predictable or weak randomness, it becomes easier to break.[8] Poor randomness can lead to patterns that attackers can analyze, potentially allowing them to recover secret keys or decrypt messages. Because of this, cryptographic systems must use strong and unpredictable random values to maintain security.[9]
Why randomness is important
[edit]Strong randomness is critical in:
- Key generation – Ensures cryptographic keys are unpredictable.[10]
- Nonce selection – Reusing a nonce in AES-GCM or ElGamal can break security.[11]
- Probabilistic encryption – Some schemes, like Goldwasser–Micali, rely on randomness to ensure ciphertexts are indistinguishable.[11]
Failures of randomness in the past
[edit]Several cryptographic failures have resulted from weak randomness, allowing attackers to break encryption.
Debian OpenSSL vulnerability (2008)
[edit]An error in Debian’s OpenSSL removed entropy collection, producing a small set of predictable keys. Attackers could guess SSH and TLS keys, allowing unauthorized access.[12]
Sony PlayStation 3 ECDSA failure (2011)
[edit]Sony’s PlayStation 3 misused the Elliptic Curve Digital Signature Algorithm (ECDSA) by reusing the same nonce - a random number used once in cryptographic signing - in multiple signatures. Since ECDSA relies on unique nonces for security, attackers recovered Sony’s private signing key, allowing them to sign unauthorized software.[13]
ROCA vulnerability (2017)
[edit]A flaw in Infineon's RSA key generation created weak keys that attackers could efficiently factor. This vulnerability affected smart cards and Trusted Platform Modules (TPMs), requiring widespread key replacements.[14]
How to ensure strong randomness
[edit]To prevent such failures, cryptographic systems must generate unpredictable and high-quality random values.[15]
Use of cryptographically secure pseudorandom number generators (CSPRNGs)
[edit]CSPRNGs provide secure random numbers resistant to attacks. Common examples include:
- /dev/random and /dev/urandom (Unix)
- Windows CryptGenRandom
- NIST-approved DRBGs (Deterministic Random Bit Generators)[15]
Entropy collection
[edit]Secure randomness requires high entropy sources, such as:
- Hardware-based generators (e.g., Intel RDRAND)[16]
- Physical sources, like keystroke timing[16]
- Dedicated security hardware, including HSMs and TPMs[16]
Avoiding deterministic encryption without randomness
[edit]Some encryption schemes require added randomness to maintain security:
- RSA with OAEP padding introduces randomness to prevent deterministic encryption.[17]
- Unique nonces in AES-GCM and ElGamal ensure encrypting the same message multiple times produces different ciphertexts.[17]
Testing and auditing randomness
[edit]To verify randomness quality, cryptographic implementations should undergo:
- NIST SP 800-90B randomness tests[16]
- Diehard tests[18]
- FIPS 140-2 compliance checks[19]
Semantically secure encryption algorithms include Goldwasser-Micali, ElGamal and Paillier. These schemes are considered provably secure, as their semantic security can be reduced to solving some hard mathematical problem (e.g., Decisional Diffie-Hellman or the Quadratic Residuosity Problem). Other, semantically insecure algorithms such as RSA, can be made semantically secure (under stronger assumptions) through the use of random encryption padding schemes such as Optimal Asymmetric Encryption Padding (OAEP).
References
[edit]- ^ a b S. Goldwasser and S. Micali, Probabilistic encryption & how to play mental poker keeping secret all partial information, Annual ACM Symposium on Theory of Computing, 1982.
- ^ Shannon, Claude (1949). "Communication Theory of Secrecy Systems". Bell System Technical Journal. 28 (4): 656–715. doi:10.1002/j.1538-7305.1949.tb00928.x. hdl:10338.dmlcz/119717.
- ^ Goldreich, Oded. Foundations of Cryptography: Volume 2, Basic Applications. Vol. 2. Cambridge university press, 2004.
- ^ Goldwasser, Shafi; Micali, Silvio (1984-04-01). "Probabilistic encryption". Journal of Computer and System Sciences. 28 (2): 270–299. doi:10.1016/0022-0000(84)90070-9. ISSN 0022-0000.
- ^ S. Goldwasser and S. Micali, Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.
- ^ Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC. ISBN 978-1584885511.
- ^ Menezes, Alfred; Van Oorschot, Paul C.; Vanstone, Scott (1996). Handbook of Applied Cryptography. CRC Press.
- ^ Menezes, Alfred; Van Oorschot, Paul C.; Vanstone, Scott (1996). Handbook of Applied Cryptography. CRC Press.
- ^ Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC. ISBN 978-1584885511.
- ^ Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC. ISBN 978-1584885511.
- ^ a b Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC. ISBN 978-1584885511.
- ^ Bello, Luciano (2008-05-13). "Debian OpenSSL Predictable Random Number Generator". Debian Security Advisory.
- ^ Schneier, Bruce (2011-01-06). "Sony PS3 Security Broken". Schneier on Security.
- ^ "ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance". National Cyber Security Centre. 2017-10-17.
- ^ a b "Recommendation for Random Number Generation Using Deterministic Random Bit Generators". National Institute of Standards and Technology (NIST). 2012-06-11.
- ^ a b c d "Recommendation for the Entropy Sources Used for Random Bit Generation". National Institute of Standards and Technology (NIST). 2018-01-10.
- ^ a b "Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography". National Institute of Standards and Technology (NIST). 2019-05-23.
- ^ "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications". National Institute of Standards and Technology (NIST). 2010-04-01.
- ^ "Security Requirements for Cryptographic Modules". National Institute of Standards and Technology (NIST). 2002-05-25.
Semantic security
View on Grokipediafrom Grokipedia
Semantic security is a cryptographic notion that defines the security of an encryption scheme against passive adversaries who can eavesdrop on ciphertexts but cannot actively influence the encryption process.[1] Introduced by Shafi Goldwasser and Silvio Micali in their seminal 1984 paper on probabilistic encryption, it requires that no computationally bounded adversary can learn any partial information about the plaintext from the ciphertext beyond what is already known from the message distribution or auxiliary information.[2] Formally, for a symmetric-key encryption scheme, semantic security holds if, for every efficient adversary A and every message distribution, there exists an efficient simulator that produces outputs indistinguishable from those of A given the ciphertext, ensuring the adversary gains negligible advantage in computing any function of the plaintext.[1]
In the context of public-key encryption, semantic security is equivalently defined through the indistinguishability under chosen-plaintext attack (IND-CPA) game, where an adversary given the public key and a challenge ciphertext for one of two chosen plaintexts cannot distinguish which plaintext was encrypted with more than negligible probability.[3] This equivalence, established in the original paper, simplifies proofs of security by allowing cryptographers to use either notion interchangeably.[2] The concept originated to address limitations of deterministic encryption, promoting probabilistic schemes like the Goldwasser-Micali cryptosystem based on quadratic residuosity, which hides all partial information about the message.[2]
Semantic security serves as a foundational primitive in modern cryptography, underpinning secure protocols such as secure multi-party computation, zero-knowledge proofs, and hybrid encryption systems.[4] It models realistic threats from eavesdroppers in scenarios like secure communication over public channels, but does not protect against active attacks like chosen-ciphertext scenarios, for which stronger notions like IND-CCA are required.[3] Ongoing research extends semantic security to quantum settings and post-quantum cryptography to ensure robustness against advanced adversaries.[5]
These modes assume a secure PRP like AES; real-world implementations must ensure IV/nonce unpredictability to maintain semantic security.[12]
Fundamentals
Definition
Semantic security, also known as probabilistic polynomial-time indistinguishability, is a fundamental security notion for encryption schemes in cryptography. It ensures that an encryption algorithm conceals all information about the plaintext from an adversary who observes the ciphertext, beyond what can be inferred from auxiliary information already known to the attacker. Introduced by Shafi Goldwasser and Silvio Micali, this concept requires that the encryption be probabilistic to prevent deterministic mappings that could leak partial details about the message. Semantically secure encryption protects against passive adversaries who can only eavesdrop on ciphertexts, making it a cornerstone for secure communication protocols.[2] Formally, an encryption scheme is semantically secure if, for any probabilistic polynomial-time (PPT) adversary , there exists a PPT simulator such that, for any efficient distribution over messages , any polynomial-time computable functions and (where represents auxiliary information), the difference in probabilities is negligible: where is a negligible function in the security parameter , and denotes the encryption algorithm. This simulation paradigm captures the intuition that no efficient computation on the plaintext can be meaningfully advanced by access to the ciphertext.[2] Goldwasser and Micali proved that semantic security is equivalent to the indistinguishability of encryptions under chosen-plaintext attack (IND-CPA), where an adversary cannot distinguish with non-negligible advantage between encryptions of two chosen plaintexts of equal length. This equivalence, later refined in subsequent works, allows for more tractable security proofs using the indistinguishability game, while preserving the semantic intuition of information-theoretic hiding. Seminal constructions achieving this security include the Goldwasser-Micali cryptosystem based on quadratic residuosity and ElGamal encryption under the decisional Diffie-Hellman assumption.[2][1]Formal Security Model
The formal security model for semantic security, introduced by Goldwasser and Micali, captures the intuition that a ciphertext should reveal no partial information about the underlying plaintext to any computationally bounded adversary, beyond what is inherent in the plaintext's length or structure. This model applies to probabilistic encryption schemes and is defined for public-key cryptosystems, where an encryption algorithm uses a public key to produce ciphertexts that are computationally indistinguishable for different plaintexts.[2] The security is formalized via the indistinguishability under chosen-plaintext attack (IND-CPA) experiment, which is equivalent to the original semantic security definition and has become the standard game-based formalism. In this two-stage game, a probabilistic polynomial-time adversary interacts with a challenger as follows:- Setup: The challenger generates a key pair for security parameter and provides to . The adversary may query the encryption oracle adaptively on chosen plaintexts of its choice.
- Challenge: At some point, submits two equal-length plaintexts . The challenger selects a random bit , computes the challenge ciphertext , and sends to . The adversary continues querying the encryption oracle but cannot query on or .
- Guess: Finally, outputs a guess for .
Historical Development
Origins
The concept of semantic security emerged in the early 1980s as a foundational notion in modern cryptography, specifically aimed at addressing the limitations of deterministic encryption schemes in revealing partial information about plaintexts. It was first introduced by Shafi Goldwasser and Silvio Micali in their seminal 1982 paper titled "Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information," presented at the Symposium on Theory of Computing (STOC).[6] A full journal version appeared in 1984. In this work, the authors sought to formalize a security model for public-key cryptosystems that ensures an adversary gains no useful information from a ciphertext, even when equipped with computational power polynomial in the security parameter. This marked a shift from earlier perfect secrecy definitions, such as Claude Shannon's 1949 model, which required information-theoretic indistinguishability but were impractical for computational settings. Goldwasser and Micali defined semantic security intuitively as a property where, for any probabilistic polynomial-time adversary, the view of the ciphertext conveys negligible information about the underlying plaintext message, beyond its length. Formally, they described it through a game where an adversary attempts to compute any function of the plaintext after observing the encryption, succeeding only with negligible probability over random choices. This definition was motivated by the need to protect against passive eavesdroppers in public-key settings, where encryption keys are publicly known, contrasting with symmetric schemes. Their paper also proposed the first probabilistic encryption scheme achieving semantic security: the Goldwasser-Micali cryptosystem, based on the hardness of distinguishing quadratic residues modulo a composite number. This construction demonstrated the feasibility of semantic security under standard computational assumptions, influencing subsequent developments in provable security. The introduction of semantic security catalyzed broader advancements in cryptographic definitions, including its equivalence to the indistinguishability (IND) model established by Micali, Rackoff, and others in the mid-1980s. Initially tailored for public-key encryption, the notion quickly extended to symmetric primitives, underscoring its versatility. Goldwasser and Micali's work, which earned them the 2012 Turing Award partly for this contribution, laid the groundwork for modern standards like IND-CPA security in schemes such as ElGamal and RSA-OAEP.Formalization and Evolution
The concept of semantic security was introduced by Shafi Goldwasser and Silvio Micali in their 1982 STOC paper, with a formal journal version in 1984 on probabilistic encryption, marking a pivotal shift in cryptographic security modeling from perfect secrecy to computational notions suitable for public-key systems.[7] In this work, they defined semantic security as a criterion ensuring that, for any efficient adversary, the view of the ciphertext provides no additional information about the plaintext beyond what the adversary already knows from the message distribution.[8] Formally, this means that no polynomial-time algorithm can compute any polynomially verifiable function of the plaintext with advantage beyond a negligible probability, given only the ciphertext and auxiliary information.[8] Goldwasser and Micali motivated this definition to capture the intuition that encryption should preserve the semantic content of messages against passive adversaries, contrasting with earlier deterministic schemes like textbook RSA, which leak partial information such as the least significant bit.[7] Alongside semantic security, Goldwasser and Micali proposed an alternative notion called "polynomial security," which requires that encryptions of two distinct messages are computationally indistinguishable by any efficient distinguisher.[8] They proved that polynomial security implies semantic security, establishing the former as a sufficient condition for the latter.[7] Subsequently, in the same paper, they demonstrated the equivalence between semantic security and indistinguishability under chosen-plaintext attack (IND-CPA), showing that the two notions are interchangeable for public-key encryption schemes.[8] This equivalence, later revisited and streamlined in a 1999 analysis by Dodis and Ruhl, simplified proofs by reducing the security loss from to in the asymptotic setting, where is the security parameter and is a constant.[8] The evolution of semantic security in the following decades refined its foundational role within the broader paradigm of provable security. In the late 1990s, researchers extended the model to symmetric-key settings and incorporated concrete security bounds, moving beyond asymptotic analysis to quantify adversary resources explicitly.[9] A landmark contribution came in 1998 from Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway, who systematically compared semantic security with related notions like non-malleability and indistinguishability under chosen-ciphertext attack (CCA), confirming its position as the minimal standard for basic confidentiality while highlighting separations from stronger guarantees.[10] This work solidified IND-CPA (equivalent to semantic security) as the de facto benchmark for evaluating encryption schemes, influencing standards like those in TLS and paving the way for hybrid constructions that achieve higher security levels under standard assumptions.[10] By the 2000s, semantic security had become integral to game-based frameworks, enabling modular proofs for complex protocols while emphasizing the need for randomness to prevent deterministic leakages.[11]Symmetric-Key Applications
Encryption Modes
In symmetric-key encryption, modes of operation define how a block cipher processes messages longer than the block size to achieve desired security properties, including semantic security. Semantic security in this context, equivalent to indistinguishability under chosen-plaintext attack (IND-CPA), requires that ciphertexts reveal no partial information about the plaintext, even when the adversary can obtain encryptions of chosen messages. Deterministic modes fail this due to their predictability, while probabilistic modes using random initialization vectors (IVs) or unique nonces can achieve it, assuming the underlying block cipher is a secure pseudorandom permutation (PRP).[12][13] The Electronic Codebook (ECB) mode encrypts each plaintext block independently and deterministically, producing identical ciphertexts for identical blocks. This leaks structural information about the plaintext, such as patterns in images, violating IND-CPA security; an adversary can distinguish encryptions of two messages differing in only one block with advantage 1. ECB is thus unsuitable for semantic security.[13][14] In contrast, Cipher Block Chaining (CBC) mode achieves IND-CPA security when prefixed with a random IV, where each block's ciphertext depends on the previous one via XOR. The security proof reduces to the PRP security of the block cipher, with adversary advantage bounded by approximately , where is the total number of blocks encrypted and is the block size (up to the birthday bound). CBC requires padding for non-multiples of the block size and is malleable, but provides semantic security against chosen-plaintext attacks with proper IV randomness.[12][13][14] Counter (CTR) mode turns a block cipher into a stream cipher by encrypting a counter (initialized with a unique nonce or random IV) and XORing the keystream with the plaintext. It achieves IND-CPA security if nonces are unique across messages, with advantage bounded similarly by , reducible to the PRP assumption. CTR supports parallel encryption/decryption and random access, making it efficient for large data, though nonce reuse catastrophically leaks information.[12][13][14] Output Feedback (OFB) and Cipher Feedback (CFB) modes also provide IND-CPA security with random IVs. OFB generates a keystream by repeatedly encrypting the IV and previous output, akin to a stream cipher, with security proven via PRP reduction and advantage . CFB operates similarly but feeds ciphertext back, offering self-synchronization after errors; its security follows analogous proofs. Both modes avoid padding but propagate errors in CFB, and they are less parallelizable than CTR.[13][14]| Mode | IND-CPA Secure? | IV/Nonce Requirement | Key Security Bound (Advantage) | Notes |
|---|---|---|---|---|
| ECB | No | None | N/A (advantage = 1 for pattern detection) | Deterministic; leaks block structure.[14] |
| CBC | Yes | Random IV per message | Chaining provides diffusion; padding needed.[13] | |
| CTR | Yes | Unique nonce | Stream-like; parallelizable.[14] | |
| OFB | Yes | Random IV | Keystream generation; no error propagation.[14] | |
| CFB | Yes | Random IV | Feedback from ciphertext; error propagation.[14] |