User:Kosniaz/Cryptography Attacks

Cryptosystems formally represented
A cryptosystem is a tuple {M, K, C, KeyGen, Encrypt, Decrypt}:

 * M, K, C: the sets of all possible messages, keys and ciphertexts.
 * $$ KeyGen(1^{\lambda}) = (key_{enc},key_{dec}) \in K^2 $$
 * $$ Encrypt(k_{enc},m) = c \in C $$
 * $$ Decrypt(k_{dec},c) = m \in M $$

Types of attacks

 * COA: Ciphertext-only attack
 * KPA: Known-plaintext attack
 * CPA: Chosen-plaintext attack
 * CCA: Chosen-ciphertext attack

Computational safety
A cryptosystem must be (at least practically) safe. That means that breaking it must either take too much time or require a lot of luck. We sometimes call this condition computational safety (Kerckhoffs's first principle).

Computational safety means that a PPT (probabilistic polynomial-time) adversary cannot break our cryptosystem, or can do so only with very small probability. Also, this kind of safety rests on assumptions that are not yet proved (P ≠ NP, hardness of DISCRETELOG, FACTORIZATION and more).

Perfect Secrecy (Shannon)
"The biased possibility of a message being m is equal to the unbiased." (see lecture 2 page 14) In other words, seeing the ciphertext does not change the probability of any message: $$ Pr[M=m \mid C=c] = Pr[M=m] $$ for all m and c.

Semantic Safety
There are several definitions of semantic safety. One of the most formal follows.

Given an adversary A that wants to decide whether q(m) holds (where q is a predicate on messages), we define the advantage of A as $$ Adv(A) = | Pr[A(c)=q(m)] - \frac{1}{2}| $$. A cryptosystem is semantically safe when for each PPT adversary: $$ Adv(A) = negl(\lambda) $$

where λ is our safety parameter (it usually controls the length of our key).

Indistinguishability games

 * IND-EAV
 * IND-CPA
 * IND-CCA
 * IND-CCA2

IND-EAV
The adversary sends two messages $$ m_0,m_1 $$ for encryption and then gets back one ciphertext. The adversary then has to decide which of the two messages was encrypted.

IND-CPA
Adversary can encrypt a polynomially large number of messages before sending $$ m_0,m_1 $$ for encryption.

No cryptosystem with deterministic encryption is IND-CPA secure: the adversary can simply ask the oracle to encrypt $$ m_0 $$ and compare the answer with the challenge ciphertext.
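The IND-CPA game played against a deterministic and a randomized scheme, as an added Python example (not part of these notes): both schemes are toy constructions assumed here, built from HMAC-SHA256 used as a PRF, and the adversary queries the oracle on $$ m_0 $$ and compares the answer with the challenge.

```python
import hashlib
import hmac
import os

def prf(key: bytes, x: bytes) -> bytes:
    """Keyed pseudorandom function; instantiated here with HMAC-SHA256 (this example's assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy scheme 1: 32-byte messages XORed with a pad derived from a FIXED nonce -> deterministic.
def enc_deterministic(key: bytes, m: bytes) -> bytes:
    return xor(m, prf(key, b"\x00" * 16))

def dec_deterministic(key: bytes, c: bytes) -> bytes:
    return xor(c, prf(key, b"\x00" * 16))

# Toy scheme 2: fresh random nonce r per call; ciphertext is r || (m XOR PRF(key, r)).
def enc_randomized(key: bytes, m: bytes) -> bytes:
    r = os.urandom(16)
    return r + xor(m, prf(key, r))

def dec_randomized(key: bytes, c: bytes) -> bytes:
    return xor(c[16:], prf(key, c[:16]))

class CompareAdversary:
    """Asks the oracle for Enc(m0) and checks whether the challenge equals that answer."""
    m0, m1 = b"A" * 32, b"B" * 32
    def choose(self, oracle):
        return self.m0, self.m1
    def guess(self, oracle, challenge):
        return 0 if oracle(self.m0) == challenge else 1

def ind_cpa_game(enc, adversary, b: int) -> bool:
    """One run of the IND-CPA game with challenge bit b; True if the adversary guesses b."""
    key = os.urandom(32)
    oracle = lambda m: enc(key, m)  # usable before and after the challenge, polynomially many times
    m0, m1 = adversary.choose(oracle)
    challenge = enc(key, (m0, m1)[b])
    return adversary.guess(oracle, challenge) == b

def advantage(enc, adversary_factory, trials: int = 100) -> float:
    """Empirical |Pr[win] - 1/2|; the challenge bit alternates so both values occur equally often."""
    wins = sum(ind_cpa_game(enc, adversary_factory(), i % 2) for i in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic:", advantage(enc_deterministic, CompareAdversary))  # 0.5
    print("randomized:   ", advantage(enc_randomized, CompareAdversary))     # 0.0
```

Against the deterministic scheme the adversary wins every run (advantage 1/2, the maximum), while against the randomized scheme the oracle answer never matches the challenge and its guess is no better than a coin flip.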

IND-CCA
Stronger than IND-CPA. Now the adversary ...

Malleability
Definition: A cryptosystem is called malleable when an adversary A who knows a ciphertext c = Enc(m) is able to create another ciphertext c' = Enc(h(m)), where h is a polynomially invertible function.

We know that Non-malleability $$ \Leftrightarrow $$ IND-CCA2. Malleable systems are sometimes very useful (e.g. voting).

Malleable cryptosystems:
 * Partially homomorphic
 * Fully homomorphic (any circuit can be evaluated on the ciphertexts)

Reductions
Reductions are very common in proving that a cryptosystem is safe: one shows that any adversary breaking the cryptosystem could be turned into an algorithm solving the underlying hard problem (DISCRETELOG, FACTORIZATION, etc.), which we assume to be infeasible.