Proofs of Security for ECIES A.W Dent
III.1. DEFINITIONS AND PRELIMINARIES 43
attacker has to the scheme. These days we only really consider attackers who are trying to do one of two things: either an attacker is trying to invert a ciphertext to find the message it represents (the one-way game) or they are trying to tell which of two messages a ciphertext is the encryption of (the indistinguishability game).
In both cases the attacker plays a game against a challenger. The challenger isn't a real person or even a computer program, it is simply a convenient way of describing the way in which the attacker's inputs are constructed. Take, for example, the one-way game. Here a challenger picks a message uniformly at random from the set $M$ of all possible messages, encrypts it, and gives the resulting ciphertext to the attacker to attempt to decrypt. In reality the "challenger" does not exist – who would implement a cryptosystem and include a program that just encrypts random messages for no apparent purpose? – it is simply a convenient way for us to explain the precise mathematical model that we use to assess the security of the scheme.
Definition III.2. The one-way (OW) game for an attacker $A = (A_1, A_2)$ consists of four major steps:
1. A challenger generates a random key-pair $(pk, sk)$ by running the key generation algorithm $G$.
2. The attacker runs $A_1$ on the input $pk$. It returns some state information $s$.
3. The challenger chooses a message $m$ uniformly at random from the message space $M$. It computes the challenge ciphertext $C^* = E(m, pk)$.
4. The attacker runs $A_2$ on the input $(C^*, pk, s)$. It returns a guess $m'$ for $m$.
The attacker wins the game if $m' = m$.
The one-way game is a fairly weak notion of security. There are many schemes that are secure against attackers playing the one-way game that are still not secure enough to be used in practice. The indistinguishability game is a much stronger notion of security.
In the indistinguishability game the attacker is asked to provide two messages (usually termed $m_0$ and $m_1$). The challenger picks one of these messages at random and encrypts it, giving the resulting ciphertext $C^*$ back to the attacker. The attacker then has to guess which message the challenger encrypted. This may initially seem to be quite easy for the attacker to do: surely the attacker can just encrypt both of the messages and compare their encryptions to $C^*$? Well, of course the attacker can do this but it may not help. We must remember here that the encryption algorithm may be probabilistic, which means that if the same message is encrypted twice we are unlikely to get the same ciphertext both times, and knowing one encryption of a message may not help us recognise another encryption of the same message.
Definition III.3. The indistinguishability (IND) game for an attacker $A = (A_1, A_2)$ consists of four major steps:
1. A challenger generates a random key-pair $(pk, sk)$ by running the key generation algorithm $G$.
2. The attacker runs $A_1$ on the input $pk$. It returns two messages $m_0$ and $m_1$, as well as some state information $s$.
3. The challenger chooses a bit $\sigma \in \{0, 1\}$ uniformly at random. It computes the challenge ciphertext $C^* = E(m_\sigma, pk)$.
4. The attacker runs $A_2$ on the input $(C^*, pk, s)$. It returns a guess $\sigma'$ for $\sigma$.
The attacker wins the game if $\sigma' = \sigma$.
The advantage of the attacker $A$ in playing the IND game is defined to be
$$\mathrm{Adv}_A = \left| \Pr[\sigma' = \sigma] - 1/2 \right|.$$
The advantage of an attacker is a measure of how much better the attacker $A$ is than the attacker who simply guesses $\sigma$ at random. An attacker who guesses $\sigma$ uniformly at random has a success probability of 1/2 and an advantage of 0. It should be noted that some authors prefer to define the advantage of an attacker to be twice this value so that it is nicely scaled as a value between 0 and 1.
Another aspect that frequently causes some confusion is the state information $s$. The state information $s$ that $A_1$ passes to $A_2$ can contain any information that may be of help to $A_2$. This could include the messages $m_0$ and $m_1$ or information about the way in which $A_1$ chose them, information about the decryptions of certain messages or any other information that $A_1$ thinks may be of use to $A_2$ in winning the game. It is nothing mysterious, it is simply a way of making sure that $A_2$ knows what $A_1$ was doing when it chose $m_0$ and $m_1$.
The indistinguishability game is a strong notion of security. Suppose there was some algorithm $B$ that could, given a ciphertext, deduce whether the decryption of that ciphertext would pass or fail some test $T$; the test $T$ could be something like whether the last bit of the message is 0 or 1, or whether the sum of the bits in the message is even or odd. We could then construct an attacker that could win the indistinguishability game by choosing the two messages $m_0$ and $m_1$ such that $m_0$ passes the test $T$ and $m_1$ fails the test $T$. The attacker could then tell if the challenge ciphertext is an encryption of $m_0$ or $m_1$ by running the algorithm $B$ to see if the decryption of the challenge ciphertext would pass or fail the test $T$. If $B$ is always right, this attacker wins with probability 1 and so has advantage 1/2.
This means that if a cryptosystem is secure against attackers playing the indistinguishability game, then an attacker of the kind the game models cannot learn anything meaningful (i.e., any information about whether it would pass or fail any kind of test) about a message from its encryption.
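The two attacks sketched above, encrypting both candidate messages and comparing the results against $C^*$, and building an IND attacker out of an algorithm that decides a test $T$ on the plaintext, are shown below as a runnable harness for the game of Definition III.3. This is an added example and not code from the chapter. The public-key scheme it uses is an assumption: textbook RSA with hard-coded toy primes, plus a variant padded with 16 fresh random bits, chosen because textbook RSA is deterministic and because the Jacobi symbol $(m/N)$ of the plaintext is a concrete test $T$ that textbook RSA ciphertexts leak (for odd $e$, $(m^e/N) = (m/N)$). Nothing here is ECIES, and the key size is far too small to be secure.

```python
"""Toy harness for the IND game of Definition III.3 (added example, not from
Dent's chapter).  The challenger is a few explicit lines of Python so that
the four steps of the game, the state s and the advantage can be watched
running.  The scheme (textbook RSA with hard-coded toy primes) is an
assumption made for illustration; it is not ECIES.  Needs Python 3.8+."""
import random

# --- Toy public-key scheme (constructed for illustration only) -------------
P, Q = 1000003, 1000033            # small primes: toy key size, insecure
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
MSG_BITS = 20                      # message space M = {0, ..., 2^20 - 1}

def keygen():
    """G: returns (pk, sk)."""
    return (N, E), (N, D)

def enc_textbook(pk, m, rng=random):
    """Deterministic E(m, pk) = m^e mod N; rng is accepted but unused."""
    n, e = pk
    return pow(m, e, n)

def enc_randomised(pk, m, rng=random):
    """Probabilistic variant: prepend 16 fresh random bits before exponentiating."""
    n, e = pk
    return pow((rng.getrandbits(16) << MSG_BITS) | m, e, n)

def dec(sk, c):
    """Decrypts either variant: padding bits above MSG_BITS are masked off."""
    n, d = sk
    return pow(c, d, n) & ((1 << MSG_BITS) - 1)

# --- The IND game (Definition III.3) ---------------------------------------
def ind_game(enc, a1, a2, rng):
    """One run of the game; True iff the attacker's guess sigma' equals sigma."""
    pk, sk = keygen()                         # step 1: challenger picks keys
    m0, m1, s = a1(pk, rng)                   # step 2: A1 chooses m0, m1, state s
    sigma = rng.getrandbits(1)                # step 3: challenger picks sigma...
    c_star = enc(pk, (m0, m1)[sigma], rng)    #         ...and encrypts m_sigma
    return a2(c_star, pk, s, rng) == sigma    # step 4: A2 guesses sigma'

def advantage(enc, a1, a2, trials=400, seed=0):
    """Empirical Adv_A = |Pr[sigma' = sigma] - 1/2| over `trials` games."""
    rng = random.Random(seed)
    wins = sum(ind_game(enc, a1, a2, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

# --- Attacker 1: "encrypt both messages and compare" ------------------------
def compare_a1(pk, rng):
    m0, m1 = 12345, 67890
    return m0, m1, (m0, m1)          # the state s just carries m0, m1 to A2

def make_compare_a2(enc):
    def compare_a2(c_star, pk, s, rng):
        m0, m1 = s
        if enc(pk, m0, rng) == c_star:    # can only match if E is deterministic
            return 0
        if enc(pk, m1, rng) == c_star:
            return 1
        return rng.getrandbits(1)         # learned nothing: guess at random
    return compare_a2

# --- Attacker 2: built from an algorithm deciding a test T on the plaintext --
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def jacobi_a1(pk, rng):
    """T(m) := '(m/N) is +1'.  Pick m0 passing T and m1 failing it."""
    n, _ = pk
    m0 = next(m for m in range(2, 1 << MSG_BITS) if jacobi(m, n) == 1)
    m1 = next(m for m in range(2, 1 << MSG_BITS) if jacobi(m, n) == -1)
    return m0, m1, None

def jacobi_a2(c_star, pk, s, rng):
    """(c/N) = (m/N)^e = (m/N) for odd e, so the ciphertext itself decides T(m)."""
    n, _ = pk
    return 0 if jacobi(c_star, n) == 1 else 1

if __name__ == "__main__":
    print("compare vs textbook  :", advantage(enc_textbook, compare_a1, make_compare_a2(enc_textbook)))
    print("compare vs randomised:", advantage(enc_randomised, compare_a1, make_compare_a2(enc_randomised)))
    print("jacobi  vs textbook  :", advantage(enc_textbook, jacobi_a1, jacobi_a2))
```

Against the deterministic scheme both attackers win every game, so their empirical advantage is exactly 1/2, the maximum. Against the padded variant the compare attacker's own encryptions never match $C^*$, it is reduced to guessing, and its advantage over a few hundred games sits close to 0. That is evidence that this one attacker gains nothing, not a proof that the padded variant is IND secure; a proof has to cover every attacker, which is what the rest of the chapter sets out to do for ECIES.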