Cryptography Reference
addressed in Parts II (unkeyed cryptosystems), III (secret key cryptosystems), and IV
(public key cryptosystems) of this topic. In these parts, we also provide definitions
that are mathematically more precise.
1.2.2 Secure Cryptographic Systems
The goal of cryptography is to design, implement, deploy, and make use of
cryptographic systems that are secure in some meaningful way. In order to make precise
statements about the security of a cryptographic system, one must formally define
what the term “security” really means. Unfortunately, reality looks a little bit
different, and the literature is full of cryptographic systems that are claimed to be secure
without providing an appropriate definition for the term security. This is unfortunate,
because anything can be claimed to be secure, unless its meaning is defined and
precisely nailed down.
In general, a security definition must answer (at least) the following two
questions:
1. What are the capabilities of the adversary? An answer to this question must
specify, for example, the adversary's computing power, available memory,
available time, types of feasible attacks, and access to a priori or side
information. For some of these parameters, it must be specified whether they
are finite or not. Most importantly, it may be reasonable to assume that there
are adversaries with infinite computing power at their disposal, meaning that
they can perform infinitely many computations in a given amount of time.
The alternative is to consider adversaries with finite computing power at their
disposal. Obviously, these adversaries can only perform a finite number of
computations in a given amount of time. A similar distinction can be made
with respect to the available memory and available time. Note, however, that
it is reasonable to assume that no adversary has an infinite amount of time
at its disposal. Furthermore, the types of feasible attacks depend on the
cryptographic system in question. For example, in Sections 10.1 and 14.1 we say
that ciphertext-only, known-plaintext, (adaptive) chosen-plaintext, and
(adaptive) chosen-ciphertext attacks are relevant for (symmetric and asymmetric)
encryption systems. Other cryptosystems may be subject to other types of
attacks.
2. What is the task the adversary must solve in order to be successful (i.e.,
to break the security of the system)? In a typical setting, the adversary's
task is to find (i.e., compute, guess, or otherwise determine) one or several
pieces of information he or she should not be able to know. For example,
if the adversary is able to determine the cryptographic key used to encrypt
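
The two questions above, modelled as an added example (not part of the original text): a key-recovery game in which the adversary's capabilities (attack type and trial budget) are explicit parameters. The 16-bit toy cipher, the `Capabilities` class, the sample plaintext, and all function names are assumptions constructed for illustration.

```python
import hashlib
import random
from dataclasses import dataclass

KEY_BITS = 16  # constructed toy key size, far too small for real use
PLAINTEXT = b"constructed sample message"  # 26 bytes, constructed input

def keystream(key: int, n: int) -> bytes:
    return hashlib.sha256(key.to_bytes(2, "big")).digest()[:n]

def encrypt(key: int, msg: bytes) -> bytes:
    """Toy stream cipher (assumption for this example): msg XOR keystream."""
    return bytes(m ^ k for m, k in zip(msg, keystream(key, len(msg))))

@dataclass
class Capabilities:          # question 1: what can the adversary do?
    attack: str              # "ciphertext-only" or "known-plaintext"
    max_trials: int          # computing power, counted in trial keys

def exhaustive_search(caps, known_pt, ct):
    """Adversary: tries keys in order until its trial budget runs out."""
    if known_pt is None:
        return None  # this simple adversary cannot test a candidate without a known pair
    target = bytes(p ^ c for p, c in zip(known_pt, ct))  # keystream it must match
    for k in range(min(caps.max_trials, 2 ** KEY_BITS)):
        if keystream(k, len(ct)) == target:
            return k
    return None

def key_recovery_game(caps, rng) -> bool:
    """Question 2: the adversary wins if it outputs the secret key."""
    key = rng.randrange(2 ** KEY_BITS)
    ct = encrypt(key, PLAINTEXT)
    known_pt = PLAINTEXT if caps.attack == "known-plaintext" else None
    return exhaustive_search(caps, known_pt, ct) == key

def win_rate(caps, runs=30, seed=1) -> float:
    rng = random.Random(seed)
    return sum(key_recovery_game(caps, rng) for _ in range(runs)) / runs

if __name__ == "__main__":
    for caps in (Capabilities("ciphertext-only", 2 ** KEY_BITS),
                 Capabilities("known-plaintext", 2 ** 12),
                 Capabilities("known-plaintext", 2 ** KEY_BITS)):
        print(caps, win_rate(caps))
```

The cipher is unchanged across the three runs; only the stated capabilities differ, and the adversary's success rate moves from never to always with them.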