In this section we give examples of designing game models for security proofs; there are many such examples in the literature. A game model consists of an adversary and a challenger. The adversary, referred to as Adam throughout this thesis, is the bad entity in the game model that is trying to break the security condition. The challenger is the good entity in the model who runs certain queries and challenges the adversary to break the condition. We refer to the challenger as Charles.
Provable Security in Encryption Schemes: An example of a game model for proving encryption schemes secure is IND-CPA [94] security. IND-CPA stands for INDistinguishable Chosen Plaintext Attack. Adam and Charles agree on the encryption scheme, the plaintext message space M and the ciphertext space C they want to challenge. We say that an encryption scheme is IND-CPA secure if and only if there exists no polynomial time adversary that can win the IND-CPA game. By polynomial time adversary we mean that Adam must complete the game and output a guess within a polynomial number of time steps. Assume the encryption algorithm is E. The IND-CPA game is described as follows:
• Charles sets up the system by creating a public key pk and a secret key sk. Charles gives pk to Adam and retains sk.
• Adam chooses two messages $M_0$ and $M_1$. They should be the same size, or the shorter message should be padded to equalize the sizes. Adam sends the two messages to Charles.
• Charles randomly chooses $b \in \{0, 1\}$ and encrypts one message, $C_b = E(M_b)$. In other words, one of the two messages is chosen at random and encrypted. $C_b$ is sent to Adam as the challenge.
• Adam uses the ciphertext $C_b$ and all his computational ability to choose a $\bar{b} \in \{0, 1\}$ that matches b. If $\bar{b} = b$ then Adam wins the game, else Adam loses the game.
The advantage of winning the game is defined by how much better Adam can do than a simple random guess (which has probability 1/2 of being right). In other words, $\mathrm{Adv}^{\mathrm{CPA}}(k) = \left|\Pr[b = \bar{b}] - 1/2\right|$ where k is the security parameter used in setting up
Definition 3.2.1. (Indistinguishable Chosen Plaintext Attack) An encryption scheme is IND-CPA secure if and only if $\mathrm{Adv}^{\mathrm{CPA}}(k) < \varepsilon$ where $\varepsilon$ is negligible and k is the security parameter used in setting up the system.
In the literature there are more powerful security notions for encryption schemes than IND-CPA. For example, we can give the adversary access to a decryption oracle that he queries a number of times before and after the challenge, as long as he does not submit the challenge ciphertext itself as a query. If Adam is given access to such an oracle then the encryption scheme is said to be IND-CCA secure. However, we have chosen to explain the CPA notion instead, since it will be used as a building block for our provable security proofs in later chapters of this thesis. We have not used CCA since it was hard to integrate the oracles of the IND-CCA model with the oracles required in our game models.
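As an added illustration (not part of the thesis), the IND-CPA game above run as a small Python harness: Charles's side is ind_cpa_game, the scheme is a constructed toy textbook RSA with tiny fixed primes, and two adversaries are played against it. Because the toy scheme is deterministic, Adam can re-encrypt $M_0$ under pk and compare the result with the challenge, winning every game (advantage 1/2), whereas a random guesser's advantage stays near 0; all names, messages and the scheme itself are assumptions made for this example.

```python
import random
from math import gcd

# Constructed toy scheme: textbook RSA with tiny fixed primes (illustration only).
def keygen():
    p, q = 61, 53
    n, phi = p * q, (p - 1) * (q - 1)      # n = 3233, phi = 3120
    e = 17
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                      # d = 2753
    return (n, e), (n, d)                    # (pk, sk)

def encrypt(pk, m):
    return pow(m, pk[1], pk[0])              # E(m) under pk; deterministic, no randomness

def decrypt(sk, c):
    return pow(c, sk[1], sk[0])

def ind_cpa_game(adam, rng):
    """Charles's side of the IND-CPA game. Returns True if Adam wins."""
    pk, sk = keygen()                        # Charles keeps sk and hands pk to Adam
    m0, m1 = adam.choose(pk)                 # Adam submits two same-size messages
    b = rng.randrange(2)                     # Charles picks b in {0, 1} uniformly
    cb = encrypt(pk, m1 if b else m0)        # challenge ciphertext C_b
    return adam.guess(pk, cb) == b           # Adam wins iff bar-b equals b

class RandomGuesser:
    """Adam ignores the challenge and flips a coin: advantage near 0."""
    def __init__(self, rng): self.rng = rng
    def choose(self, pk): return 42, 99      # two 7-bit messages (constructed)
    def guess(self, pk, cb): return self.rng.randrange(2)

class ReEncryptAdversary:
    """Adam re-encrypts M0 with pk; deterministic encryption lets him match C_b."""
    def __init__(self, rng): self.m0, self.m1 = 42, 99
    def choose(self, pk): return self.m0, self.m1
    def guess(self, pk, cb): return 0 if encrypt(pk, self.m0) == cb else 1

def advantage(adversary_cls, trials=2000, seed=1):
    """Empirical Adv^CPA = |Pr[b = bar-b] - 1/2| over repeated games."""
    rng = random.Random(seed)
    adam = adversary_cls(rng)
    wins = sum(ind_cpa_game(adam, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("random guesser advantage   :", advantage(RandomGuesser))
    print("re-encrypt adversary adv   :", advantage(ReEncryptAdversary))
```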
Provable Security in Digital Signature Schemes: We give an example of a security proof for the unforgeability of signature schemes [94]. As with encryption, many models exist; in this section we have chosen one example of such security models. We say a digital signature scheme is secure under an adaptive chosen message attack if there exists no polynomial time adversary Adam capable of winning the following game:
• Charles sets up the system by creating a public key pk and a secret key sk. Charles gives pk to Adam and retains sk.
• Adam can query a signature oracle that Charles controls. To query the oracle Adam sends a message M and Charles replies with a signature σ.
• Adam outputs a pair $(M, \bar{\sigma})$ of message and signature as his forgery, provided the message has not been queried before.
• Charles verifies the signature $\bar{\sigma}$. If it is valid, Adam wins and the experiment outputs 1 to indicate success. Otherwise the experiment outputs 0, indicating that Adam has failed.
If we refer to the game model as experiment Exp then the advantage of winning the game is represented as $\mathrm{Adv}^{\mathrm{CMA}}(k) = \Pr[\mathrm{Exp} = 1]$ where k is the security parameter used in setting up the system.
Definition 3.2.2. (Chosen Message Attack) A digital signature is secure against the chosen message attack if and only if $\mathrm{Adv}^{\mathrm{CMA}}(k) < \varepsilon$ where $\varepsilon$ is negligible and k is the security parameter used in setting up the system.
A large amount of research has been done on game models for the various cryptosystems. In this thesis we use similar provable security techniques to prove our schemes secure; the two examples given in this section are sufficient to demonstrate the use of such techniques in our proposed proofs.