Questions tagged [security-definition]
Questions about formal definitions of "security" for various cryptographic schemes (e.g. perfect secrecy, semantic security, ciphertext indistinguishability, etc.)
332 questions
5 votes, 2 answers, 147 views
Do KEMs protect against malicious public (encapsulating) keys?
It is widely known that elliptic curve Diffie-Hellman is vulnerable to maliciously crafted public keys, where an honestly generated private key combined with a malicious public key may result in ...
1 vote, 1 answer, 130 views
Understanding CPA security game
If I understand correctly, there is a pre-challenge phase in the CPA security game in which the attacker sends messages to the encryption oracle and receives ciphertexts. Then there is a challenge ...
1 vote, 0 answers, 71 views
Simultaneous access to both encryption and decryption oracles for a symmetric encryption algorithm [duplicate]
I am investigating the security implications when an attacker has simultaneous access to both encryption and decryption oracles for a symmetric encryption algorithm.
Specifically, by "...
4 votes, 2 answers, 101 views
Key recovery security (KR-CPA) from IND-CPA for all message space sizes?
Intuitively, IND-CPA security should imply key recovery security (KR-CPA) for a symmetric encryption scheme $\Sigma$. Indeed, showing this is often given as a homework in various textbooks, such as ...
5 votes, 1 answer, 167 views
A lifestyle-based example of simulation-based security
The intuition behind simulation-based security proofs comes from the following idea — if any party participating in a protocol or system can fully simulate the entire interaction process without ...
4 votes, 2 answers, 185 views
Security strength of DRBG
The security strength of Hash based DRBG (Hash_DRBG and HMAC_DRBG) confuses me.
Which property of Hash determines the security strength of DRBG?
For example, which SHA2 algorithms can be used to ...
0 votes, 0 answers, 52 views
CPA secure scheme without circular security
Construct a public-key encryption scheme which is CPA secure but not circularly secure, relying only on the existence of public-key encryption schemes.
This is a problem from my cryptography course ...
3 votes, 1 answer, 484 views
Trapdoor functions and non-uniform adversaries
I'm familiar with proofs of security that assume a Probabilistic Polynomial-Time (PPT) adversary and formulate the cryptographic assumptions by saying that the adversary has a negligible probability ...
5 votes, 3 answers, 417 views
A definition for *unkeyed* collision-resistant hash functions?
This question asks if a certain definition of unkeyed collision-resistant hash functions makes sense (i.e., it can be employed in usual security proofs) or, if not, what are its flaws. Some context is ...
1 vote, 1 answer, 128 views
Security reduction advantage bounds
Suppose we have a hard problem, and a signature scheme based on that hard problem. Why do we try and bound the advantage of forger for the signature scheme above by the advantage of an adversary ...
1 vote, 0 answers, 67 views
How to locate and audit the Layer-3 scrambling (masking/hash/PRNG) function and seed in Pret-a-voter or similar secure voting system source code? [closed]
I am performing a cryptographic audit and reconstruction for a secure voting system inspired by Pret-a-voter.
I currently have access to deterministic PRF mapping (Layer-1) and modulo/checksum filter (...
1 vote, 0 answers, 101 views
Various X-based proofs in cryptography [duplicate]
I have read quite a lot about ZKPs, so I THINK I know what a simulation-based proof is (of course I have extensively met them regarding zero-knowledge-ness), but I often also hear about game-based ...
1 vote, 2 answers, 368 views
What's the idea behind Kerckhoffs's principle?
Kerckhoffs's principle in cryptography says that one should design a cryptosystem under the assumption that everything about it, except the key, is public knowledge.
Is this principle really necessary?...
10 votes, 1 answer, 547 views
Signature schemes secure against re-signing
A signature scheme is secure against re-signing when knowledge of signature(s) of some unknown message under some honestly drawn key pair(s) with their public key(s) public does not allow ...
1 vote, 1 answer, 79 views
Degree of Freedom in Secret Sharing
In Shamir secret sharing, if we need to secret share a value such that t+1 shares can reconstruct the secret, then we use a degree $t$ polynomial $f$. What happens if I share another secret using the same ...