Symmetric key encryption

A symmetric key encryption (SKE) scheme allows a sender and receiver sharing a secret key to encrypt and decrypt messages, such that an adversary who does not know the key cannot learn anything about the plaintext from the ciphertext.

Syntax

A SKE scheme is a tuple of efficient algorithms $SKE = (KeyGen, Enc, Dec)$ with respect to keyspace $K,$ message space $M,$ and ciphertext space $C$ :

$KeyGen (1^{λ}) \to k,$ is a randomized algorithm which samples a key $k \in K$ ,
$Enc (k, m) \to c,$ is a randomized algorithm which takes a key $k \in K$ and message $m \in M$ , outputting a ciphertext $c \in C$ ,
$Dec (k, c) \to m,$ is a deterministic algorith which takes a key $k \in K$ and ciphertext $c \in C$ , outputting a message $m \in M$ or $⊥$ to indicate an invalid ciphertext.

Properties

Correctness

A SKE scheme $SKE = (KeyGen, Enc, Dec)$ is $(1 - ε)$ -correct if for all $λ \in N$ and $m \in M$ ,

Pr [Dec (k, Enc (k, m)) = m] \geq 1 - ε,

over the choice of $k \leftarrow KeyGen (1^{λ})$ and randomness of $Enc .$ When $ε = 0$ , we say $SKE$ is perfectly correct.

CPA Security

In the chosen-plaintext attack (CPA) game, the adversary adaptively queries a left-right encryption oracle: it submits message pairs $(m_{0}, m_{1})$ and receives an encryption of $m_{b}$ , where $b$ is a hidden bit. The adversary wins by guessing $b$ .

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{cpa}}_{\SKE,\calA}(\secpar)$}
\begin{algorithmic}
\State $k \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calO_0(m_0, m_1) := \Enc(k, m_0)$
\State $\calO_1(m_0, m_1) := \Enc(k, m_1)$
\State $b' \gets \calA^{\calO_b}(1^\secpar)$
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

A SKE scheme $SKE$ is CPA-secure if for all efficient $A$ ,

Adv_{SKE, A}^{cpa} (λ) := 2 Pr [G_{SKE, A}^{cpa} (λ) = 1] - 1

is negligible.

IND$-CPA Security

Indistinguishability from random (IND$-CPA) is a stronger notion where the adversary must distinguish real encryptions from uniformly random ciphertexts, rather than encryptions of two chosen messages. The oracle in world 0 encrypts the query; in world 1 it returns a fresh uniform random ciphertext regardless of the input.

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{ind\$\text{-}cpa}}_{\SKE,\calA}(\secpar)$}
\begin{algorithmic}
\State $k \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calO_0(m) := \Enc(k, m)$
\State $\calO_1(m) \getsr \calC$
\Comment{Each $m$ is a uniform random ciphertext}
\State $b' \gets \calA^{\calO_b}(1^\secpar)$
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

A SKE scheme $SKE$ is IND$-CPA-secure if for all efficient $A$ ,

Adv_{SKE, A}^{ind$ - cpa} (λ) := 2 Pr [G_{SKE, A}^{ind$cpa} (λ) = 1] - 1

is negligible. IND$-CPA implies CPA security, but not vice versa.

CCA Security

In the chosen-ciphertext attack (CCA) game, the adversary additionally has access to a decryption oracle. To avoid a trivial win, $A$ is admissible: it may not query $D$ on any ciphertext output by the encryption oracle $O_{b}$ .

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\mathrm{cca}}_{\SKE,\calA}(\secpar)$}
\begin{algorithmic}
\State $k \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calO_b(m_0, m_1) := \Enc(k, m_b)$
\State $\calD(c) := \Dec(k, c)$
\Comment{$\calA$ may not query $\calD$ on outputs of $\calO_b$}
\State $b' \gets \calA^{\calO_b, \calD}(1^\secpar)$
\Return $[b' = b]$
\end{algorithmic}
\end{algorithm}

A SKE scheme $SKE$ is CCA-secure if for all admissible efficient $A$ ,

Adv_{SKE, A}^{cca} (λ) := 2 Pr [G_{SKE, A}^{cca} (λ) = 1] - 1

is negligible. The admissibility restriction is necessary: without it, $A$ could query $O_{b} (0, 1)$ and then decrypt the result to trivially learn $b$ .

Other results

(Both CPA and CCA) SKE can be built in a black-box way from a OWF — Folklore?
CPA-secure SKE can be boosted to CCA-secure SKE using a MAC

Cryptology City

Explorer