Cryptography Reference
In-Depth Information
is given input 1
n
and oracle access to
Enc
k
.
A
A
2. The adversary
asks a set of
Q
={
m
1
,
m
2
,...
m
q
}
queries
to the encryption oracle and receives ciphertexts
c
i
=
Enc
k
(
m
i
)
, which make up the set
QC
:= {
c
1
,...,
c
q
}
.
A
eventually outputs
a candidate ciphertext
c
.
3. The output of the experiment is defined to be 1 if and only if the following two
conditions hold:
a.
Dec
k
(
c
)
=⊥
.
b.
c
∈
QC
.
Otherwise, the output of the experiment is 0.
Now, the definition of ciphertext integrity formalizes the fact that the adversary
cannot succeed in the previous experiment with non-negligible probability:
Definition 5.5
A private-key encryption scheme
E
achieves
ciphertext integrity
(INT-CTXT, for short) if, for every PPT adversary
A
, there exists a negligible func-
tion
negl
such that
Auth
int-ctxt
Pr
(
A
,
E
(
n
)
=
1
)
≤
negl
(
n
).
Remarks 5.1
Adv
int-ctxt
1. As usual, we may call
A
's advantage in the experiment
A,E
(
n
)
Auth
int-ctxt
=
1). The scheme provides ciphertext integrity whenever
the advantage of any PPT adversary
Pr
(
A,E
(
n
)
=
is negligible.
2. A related concept is
plaintext integrity
(INT-PTXT) which requires that in the
experiment similar to the above one, an adversary can only produce a ciphertext
c
such that
Dec
k
(
A
)
∈
Q
with negligible probability. Plaintext integrity is weaker
than ciphertext integrity because there is the possibility that for a scheme
c
E
with
plaintext integrity, the adversary might still produce a ciphertext
c
such that
Enc
k
(
m
i
)
=
c
for some
i
=
1
...
q
,but
c
∈
QC
.
Ciphertext integrity provides the required notion of message integrity in the con-
text of an encryption scheme and is the analogue in this setting of UF-CMA for
MACs. Thus we will define authenticated encryption as follows:
Definition 5.6
A private-key encryption scheme
E
provides
authenticated encryp-
tion
if
E
is CPA secure and achieves ciphertext integrity.
Remarks 5.2
1. To motivate this definition we can give an informal argument that shows that
if
provides authenticated encryption, then it provides message integrity in
the sense that an adversary
E
cannot produce an encrypted message that was
not previously sent by an honest user. If
A
intercepts a ciphertext
c
sent by
an honest user and is able to construct a ciphertext
c
such that
Dec
k
(
A
c
)
=⊥
c
)
=
and
Dec
k
(
Dec
k
(
)
A
c
, then
has non-negligible advantage in Experiment
