Public Key Encryption (PKE): Difference between revisions
No edit summary |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 12: | Line 12: | ||
* <math>\mathsf{Enc}_{pk}(m) \to c</math>, is a randomized function that takes a public key <math>pk\in \mathcal{K}_{\text{pub}}</math> and plaintext message <math>m\in \mathcal{M}</math>, and outputs a ciphertext <math>c\in \mathcal{C}</math>, | * <math>\mathsf{Enc}_{pk}(m) \to c</math>, is a randomized function that takes a public key <math>pk\in \mathcal{K}_{\text{pub}}</math> and plaintext message <math>m\in \mathcal{M}</math>, and outputs a ciphertext <math>c\in \mathcal{C}</math>, | ||
* <math>\mathsf{Dec}_{sk}(c) \to m</math>, is a deterministic function that takes a secret key <math>sk\in \mathcal{K}_{\text{sec}}</math> and ciphertext <math>c\in \mathcal{C}</math>, and outputs a plaintext message <math>m\in \mathcal{M}</math>. | * <math>\mathsf{Dec}_{sk}(c) \to m</math>, is a deterministic function that takes a secret key <math>sk\in \mathcal{K}_{\text{sec}}</math> and ciphertext <math>c\in \mathcal{C}</math>, and outputs a plaintext message <math>m\in \mathcal{M}</math>. | ||
=== Correctness === | |||
A PKE scheme is ''correct'' if for all <math>m\in \mathcal{M}</math>, there exists a negligible function <math>\nu</math>, such that | |||
<center><math> | |||
\Pr[\mathsf{Dec}_{sk}(\mathsf{Enc}_{pk}(m)) = m] \ge 1 - \nu(\lambda), | |||
</math></center> | |||
where <math>(pk,sk)\gets \mathsf{Gen}(1^{\lambda})</math>. | |||
=== Chosen Plaintext Attack (CPA) Security === | === Chosen Plaintext Attack (CPA) Security === | ||
Line 17: | Line 24: | ||
A PKE scheme is ''CPA-secure'' if for all efficient adversaries <math>A</math>, there exists a negligible function <math>\nu</math>, such that | A PKE scheme is ''CPA-secure'' if for all efficient adversaries <math>A</math>, there exists a negligible function <math>\nu</math>, such that | ||
<center><math> | <center><math> | ||
\big| \Pr [A( | \big| \Pr [A(\sigma, \mathsf{Enc}_{pk}(m_b)) = b : (m_0,m_1,\sigma) \gets A(pk)] - 1/2\big| \le \nu(\lambda), | ||
</math></center> | </math></center> | ||
where <math>(pk,sk)\gets \mathsf{Gen}(1^{\lambda})</math> | where <math>(pk,sk)\gets \mathsf{Gen}(1^{\lambda})</math>, <math>b</math> is a uniformly random bit, and <math>\sigma</math> represents the state of the adversary after the first phase. | ||
=== Chosen Ciphertext Attack (CCA) Security === | === Chosen Ciphertext Attack (CCA) Security === | ||
Line 25: | Line 32: | ||
A SE scheme is ''CCA-secure'' if for all admissible efficient adversaries <math>A</math>, there exists a negligible function <math>\nu</math>, such that | A SE scheme is ''CCA-secure'' if for all admissible efficient adversaries <math>A</math>, there exists a negligible function <math>\nu</math>, such that | ||
<center><math> | <center><math> | ||
\big| \Pr [A^{\mathsf{Dec}_{sk}}( | \big| \Pr [A^{\mathsf{Dec}_{sk}}(\sigma,\mathsf{Enc}_{pk}(m_b)) = b : (m_0,m_1,\sigma) \gets A^{\mathsf{Dec}_{sk}}(pk)] - 1/2\big| \le \nu(\lambda), | ||
</math></center> | </math></center> | ||
where <math>(pk,sk)\gets \mathsf{Gen}(1^{\lambda})</math> | where <math>(pk,sk)\gets \mathsf{Gen}(1^{\lambda})</math>, <math>b</math> is a uniformly random bit, and <math>\sigma</math> represents the state of the adversary after the first phase. Further, we say an adversary is admissible if it never queries <math>\mathsf{Dec}_{sk}</math> on the ciphertext given to <math>A</math> in the second phase of the game. | ||
Further, we say an adversary is admissible if it never queries <math>\mathsf{Dec}_{sk}</math> on the ciphertext given to <math>A</math> in the second phase of the game. | |||
The difference in this definition is that we additionally give the adversary access to a decryption oracle. This is a strictly stronger definition than [[PKE#CPA-security]]. | The difference in this definition is that we additionally give the adversary access to a decryption oracle. This is a strictly stronger definition than [[PKE#CPA-security]]. |
Latest revision as of 02:37, 5 July 2024
A Public Key Encryption (PKE) scheme is a primitive that allows someone to publish a public key that can be used to encrypt plaintext. Then, the generator of the key can use a secret key to decrypt the ciphertext. It is a critical notion for the modern public-key infrastructure and was famously made possible by [RSA78] and [Elg85].
Formal Definition
Syntax
A Public Key Encryption (PKE) scheme is a tuple of efficient functions , with respect to a keyspace , plaintext space , and ciphertext space , such that:
- , is a randomized function that takes a security parameter, and outputs a public key and secret key
- , is a randomized function that takes a public key and plaintext message , and outputs a ciphertext ,
- , is a deterministic function that takes a secret key and ciphertext , and outputs a plaintext message .
Correctness
A PKE scheme is correct if for all , there exists a negligible function , such that
where .
Chosen Plaintext Attack (CPA) Security
A PKE scheme is CPA-secure if for all efficient adversaries , there exists a negligible function , such that
where , is a uniformly random bit, and represents the state of the adversary after the first phase.
Chosen Ciphertext Attack (CCA) Security
A SE scheme is CCA-secure if for all admissible efficient adversaries , there exists a negligible function , such that
where , is a uniformly random bit, and represents the state of the adversary after the first phase. Further, we say an adversary is admissible if it never queries on the ciphertext given to in the second phase of the game.
The difference in this definition is that we additionally give the adversary access to a decryption oracle. This is a strictly stronger definition than PKE#CPA-security.
Relationship to other primitives
Sufficient assumptions
See the sufficient assumptions for TDPs.
Variations
Other Notes
- Other security definitions, named CCA1 and CCA2, exist and have historically been confused with the CCA notion outlined above