Ciphertext indistinguishability

Last updated May 23, 2024

Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message they encrypt. The property of indistinguishability under chosen plaintext attack is considered a basic requirement for most provably secure public key cryptosystems, though some schemes also provide indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack. Indistinguishability under chosen plaintext attack is equivalent to the property of semantic security, and many cryptographic proofs use these definitions interchangeably.

A cryptosystem is considered secure in terms of indistinguishability if no adversary, given an encryption of a message randomly chosen from a two-element message space determined by the adversary, can identify the message choice with probability significantly better than that of random guessing (1⁄2). If any adversary can succeed in distinguishing the chosen ciphertext with a probability significantly greater than 1⁄2, then this adversary is considered to have an "advantage" in distinguishing the ciphertext, and the scheme is not considered secure in terms of indistinguishability. This definition encompasses the notion that in a secure scheme, the adversary should learn no information from seeing a ciphertext. Therefore, the adversary should be able to do no better than if it guessed randomly.

Formal definitions

Security in terms of indistinguishability has many definitions, depending on assumptions made about the capabilities of the attacker. It is normally presented as a game, where the cryptosystem is considered secure if no adversary can win the game with significantly greater probability than an adversary who must guess randomly. The most common definitions used in cryptography are indistinguishability under chosen plaintext attack (abbreviated IND-CPA), indistinguishability under (non-adaptive) chosen ciphertext attack (IND-CCA1), and indistinguishability under adaptive chosen ciphertext attack (IND-CCA2). Security under either of the latter definition implies security under the previous ones: a scheme which is IND-CCA1 secure is also IND-CPA secure, and a scheme which is IND-CCA2 secure is both IND-CCA1 and IND-CPA secure. Thus, IND-CCA2 is the strongest of the three definitions of security.

Indistinguishability under chosen-plaintext attack (IND-CPA)

For a probabilistic asymmetric key encryption algorithm, indistinguishability under chosen plaintext attack (IND-CPA) is defined by the following game between an adversary and a challenger. For schemes based on computational security, the adversary is modeled by a probabilistic polynomial time Turing machine, meaning that it must complete the game and output a guess within a polynomial number of time steps. In this definition E(PK, M) represents the encryption of a message M under the key PK:

The challenger generates a key pair PK, SK based on some security parameter k (e.g., a key size in bits), and publishes PK to the adversary. The challenger retains SK.
The adversary may perform a polynomially bounded number of encryptions or other operations.
Eventually, the adversary submits two distinct chosen plaintexts $\scriptstyle M_{0},M_{1}$ to the challenger.
The challenger selects a bit b $\scriptstyle \in$ {0, 1} uniformly at random, and sends the challenge ciphertext C = E(PK, $\scriptstyle M_{b}$ ) back to the adversary.
The adversary is free to perform any number of additional computations or encryptions.
Finally, the adversary outputs a guess for the value of b.

A cryptosystem is indistinguishable under chosen plaintext attack if every probabilistic polynomial time adversary has only a negligible "advantage" over random guessing. An adversary is said to have a negligible "advantage" if it wins the above game with probability $\scriptstyle \left({\frac {1}{2}}\right)\,+\,\epsilon (k)$ , where $\scriptstyle \epsilon (k)$ is a negligible function in the security parameter k, that is for every (nonzero) polynomial function $\scriptstyle poly()$ there exists $\scriptstyle k_{0}$ such that $\scriptstyle |\epsilon (k)|\;<\;\left|{\frac {1}{poly(k)}}\right|$ for all $\scriptstyle k\;>\;k_{0}$ .

Although the adversary knows $\scriptstyle M_{0}$ , $\scriptstyle M_{1}$ and PK, the probabilistic nature of E means that the encryption of $\scriptstyle M_{b}$ will be only one of many valid ciphertexts, and therefore encrypting $\scriptstyle M_{0}$ , $\scriptstyle M_{1}$ and comparing the resulting ciphertexts with the challenge ciphertext does not afford any non-negligible advantage to the adversary.

While the above definition is specific to an asymmetric key cryptosystem, it can be adapted to the symmetric case by replacing the public key encryption function with an encryption oracle, which retains the secret encryption key and encrypts arbitrary plaintexts at the adversary's request.

Symmetric IND-CPA Game, Formalized

The adversarial process of performing a chosen-plaintext attack is usually outlined in the form of a Cryptographic Game. To test for symmetric IND-CPA, the game described above is defined.^[1] Let ${\mathcal {K}}$ be a key generation function, ${\mathcal {E}}$ be an encryption function, and ${\mathcal {D}}$ be a decryption function. Let ${\mathcal {S}}{\mathcal {E}}=({\mathcal {K}},{\mathcal {E}},{\mathcal {D}})$ be a symmetric encryption scheme. The game $Guess$ is defined as:

As many times as it would like, an adversary selects two plaintext messages of its own choosing and provides them to the LR oracle which returns a ciphertext encrypting one of the messages. An adversary's advantage is determined by its probability of guessing the value of b, a value chosen at random at the beginning of the game which determines the message that is encrypted in the LR oracle. Therefore, its advantage is defined as:^[1]

\operatorname {Adv} _{\mathcal {SE}}^{\mathrm {ind-cpa} }(A)=2\cdot \Pr \left[\mathrm {Guess} _{\mathcal {SE}}^{A}\Rightarrow \mathrm {true} \right]-1

Indistinguishability under chosen ciphertext attack/adaptive chosen ciphertext attack (IND-CCA1, IND-CCA2)

Indistinguishability under non-adaptive and adaptive Chosen Ciphertext Attack (IND-CCA1, IND-CCA2) uses a definition similar to that of IND-CPA. However, in addition to the public key (or encryption oracle, in the symmetric case), the adversary is given access to a decryption oracle which decrypts arbitrary ciphertexts at the adversary's request, returning the plaintext. In the non-adaptive definition, the adversary is allowed to query this oracle only up until it receives the challenge ciphertext. In the adaptive definition, the adversary may continue to query the decryption oracle even after it has received a challenge ciphertext, with the caveat that it may not pass the challenge ciphertext for decryption (otherwise, the definition would be trivial).

The challenger generates a key pair PK, SK based on some security parameter k (e.g., a key size in bits), and publishes PK to the adversary. The challenger retains SK.
The adversary may perform any number of calls to the encryptions and decryption oracle based on arbitrary ciphertexts, or other operations.
Eventually, the adversary submits two distinct chosen plaintexts $\scriptstyle M_{0},\,M_{1}$ to the challenger.
The challenger selects a bit b ∈ {0, 1} uniformly at random, and sends the "challenge" ciphertext C = E(PK, $\scriptstyle M_{b}$ ) back to the adversary.
The adversary is free to perform any number of additional computations or encryptions.
1. In the non-adaptive case (IND-CCA1), the adversary may not make further calls to the decryption oracle.
2. In the adaptive case (IND-CCA2), the adversary may make further calls to the decryption oracle, but may not submit the challenge ciphertext C.
Finally, the adversary outputs a guess for the value of b.

A scheme is IND-CCA1/IND-CCA2 secure if no adversary has a non-negligible advantage in winning the above game.

Indistinguishable from random noise

Sometimes we need encryption schemes in which the ciphertext string is indistinguishable from a random string by the adversary.^[2]

If an adversary is unable to tell if a message even exists, it gives the person who wrote the message plausible deniability.

Some people building encrypted communication links prefer to make the contents of each encrypted datagram indistinguishable from random data, in order to make traffic analysis more difficult.^[3]

Some people building systems to store encrypted data prefer to make the data indistinguishable from random data in order to make data hiding easier. For example, some kinds of disk encryption such as TrueCrypt attempt to hide data in the innocent random data left over from some kinds of data erasure. As another example, some kinds of steganography attempt to hide data by making it match the statistical characteristics of the innocent "random" image noise in digital photos.

To support such deniable encryption systems, a few cryptographic algorithms are specifically designed to make ciphertext messages indistinguishable from random bit strings.^[4]^[5]^[6]

Most applications don't require an encryption algorithm to produce encrypted messages that are indistinguishable from random bits. However, some authors consider such encryption algorithms to be conceptually simpler and easier to work with, and more versatile in practice—and most IND-CPA encryption algorithms apparently do, in fact, produce encrypted messages that are indistinguishable from random bits.^[7]

Equivalences and implications

Indistinguishability is an important property for maintaining the confidentiality of encrypted communications. However, the property of indistinguishability has in some cases been found to imply other, apparently unrelated security properties. Sometimes these implications go in both directions, making two definitions equivalent; for example, it is known that the property of indistinguishability under adaptive chosen ciphertext attack (IND-CCA2) is equivalent to the property of non-malleability under the same attack scenario (NM-CCA2). This equivalence is not immediately obvious, as non-malleability is a property dealing with message integrity, rather than confidentiality. In other cases, it has been demonstrated that indistinguishability can be combined with certain other definitions, in order to imply still other useful definitions, and vice versa. The following list summarizes a few known implications, though it is by no means complete.

The notation $\scriptstyle A\;\Rightarrow \;B$ means that property A implies property B. $\scriptstyle A\;\Leftrightarrow \;B$ means that properties A and B are equivalent. $\scriptstyle A\;\not \Rightarrow \;B$ means that property A does not necessarily imply property B.

IND-CPA $\scriptstyle \Leftrightarrow$ semantic security under CPA.
NM-CPA (non-malleability under chosen plaintext attack) $\scriptstyle \Rightarrow$ IND-CPA.
NM-CPA (non-malleability under chosen plaintext attack) $\scriptstyle \not \Rightarrow$ IND-CCA2.
NM-CCA2 (non-malleability under adaptive chosen ciphertext attack) $\scriptstyle \Leftrightarrow$ IND-CCA2.

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information that reduces the security of the encryption scheme.

Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext $, it is possible to generate another ciphertext which decrypts to, for a known function, without necessarily knowing or learning .$

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

An adaptive chosen-ciphertext attack is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed adaptive queries to be asked after the target is revealed. It is extending the indifferent (non-adaptive) chosen-ciphertext attack (CCA1) where the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

In cryptography, a cryptosystem is a suite of cryptographic algorithms needed to implement a particular security service, such as confidentiality (encryption).

In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message $, and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length. This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.$

Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term "probabilistic encryption" is typically used in reference to public key encryption algorithms; however various symmetric key encryption algorithms achieve a similar property, and stream ciphers such as Freestyle which are inherently random. To be semantically secure, that is, to hide even partial information about the plaintext, an encryption algorithm must be probabilistic.

The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.

In cryptography, Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway, and subsequently standardized in PKCS#1 v2 and RFC 2437.

A deterministic encryption scheme is a cryptosystem which always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm. Examples of deterministic encryption algorithms include RSA cryptosystem, and many block ciphers when used in ECB mode or with a constant initialization vector.

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

In cryptanalysis, attack models or attack types are a classification of cryptographic attacks specifying the kind of access a cryptanalyst has to a system under attack when attempting to "break" an encrypted message generated by the system. The greater the access the cryptanalyst has to the system, the more useful information they can get to utilize for breaking the cypher.

Plaintext-awareness is a notion of security for public-key encryption. A cryptosystem is plaintext-aware if it is difficult for any efficient algorithm to come up with a valid ciphertext without being aware of the corresponding plaintext.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and outsourced to commercial cloud environments for processing, all while encrypted.

References

1 2 Bellare, Mihir; Rogaway, Phillip (May 11, 2005). "Introduction to Modern Cryptography, Chapter 5: Symmetric Encryption" (PDF). p. 93. Retrieved 6 April 2020.
↑ Chakraborty, Debrup; Rodríguez-Henríquez., Francisco (2008). Çetin Kaya Koç (ed.). Cryptographic Engineering. p. 340. ISBN 9780387718170.
↑ iang (2006-05-20). "Indistinguishable from random" . Retrieved 2014-08-06.
↑ Bernstein, Daniel J.; Hamburg, Mike; Krasnova, Anna; Lange, Tanja (2013-08-28). "Elligator: Elliptic-curve points indistinguishable from uniform random strings" (PDF). Retrieved 2015-01-23.
↑ Möller, Bodo (2004). "A Public-Key Encryption Scheme with Pseudo-random Ciphertexts". Computer Security – ESORICS 2004. Lecture Notes in Computer Science. Vol. 3193. pp. 335–351. doi:10.1007/978-3-540-30108-0_21. ISBN 978-3-540-22987-2.
↑ Moore, Cristopher; Mertens, Stephan (2011). The Nature of Computation. ISBN 9780191620805.
↑ Rogaway, Phillip (2004-02-01). "Nonce-Based Symmetric Encryption" (PDF). pp. 5–6. Retrieved 2014-08-07.

Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman & Hall / CRC Press. ISBN 978-1584885511.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 Bellare, Mihir; Rogaway, Phillip (May 11, 2005). "Introduction to Modern Cryptography, Chapter 5: Symmetric Encryption" (PDF). p. 93. Retrieved 6 April 2020.

[2] Chakraborty, Debrup; Rodríguez-Henríquez., Francisco (2008). Çetin Kaya Koç (ed.). Cryptographic Engineering. p. 340. ISBN 9780387718170.

[3] (2006-05-20). "Indistinguishable from random" . Retrieved 2014-08-06.

[4] Bernstein, Daniel J.; Hamburg, Mike; Krasnova, Anna; Lange, Tanja (2013-08-28). "Elligator: Elliptic-curve points indistinguishable from uniform random strings" (PDF). Retrieved 2015-01-23.

[5] Möller, Bodo (2004). "A Public-Key Encryption Scheme with Pseudo-random Ciphertexts". Computer Security – ESORICS 2004. Lecture Notes in Computer Science. Vol. 3193. pp. 335–351. doi:10.1007/978-3-540-30108-0_21. ISBN 978-3-540-22987-2.

[6] Moore, Cristopher; Mertens, Stephan (2011). The Nature of Computation. ISBN 9780191620805.

[7] Rogaway, Phillip (2004-02-01). "Nonce-Based Symmetric Encryption" (PDF). pp. 5–6. Retrieved 2014-08-07.

[1]

[2]

[3]

[4]

[5]

[6]

[7]