Questions tagged [security-definition]
Questions about formal definitions of "security" for various cryptographic schemes (e.g. perfect secrecy, semantic security, ciphertext indistinguishability, etc.)
328 questions
5 votes
1 answer
134 views
A lifestyle-based example of simulation-based security
The intuition behind simulation-based security proofs comes from the following idea — if any party participating in a protocol or system can fully simulate the entire interaction process without ...
4 votes
2 answers
128 views
Security strength of DRBG
The security strength of Hash based DRBG (Hash_DRBG and HMAC_DRBG) confuses me. Which property of Hash determines the security strength of DRBG? For example, which SHA2 algorithms can be used to ...
3 votes
1 answer
458 views
Trapdoor functions and non-uniform adversaries
I'm familiar with proofs of security that assume a Probabilistic Polynomial-Time (PPT) adversary and formulate the cryptographic assumptions by saying that the adversary has a negligible probability ...
5 votes
3 answers
387 views
A definition for *unkeyed* collision-resistant hash functions?
This question asks if a certain definition of unkeyed collision-resistant hash functions makes sense (i.e., it can be employed in usual security proofs) or, if not, what are its flaws. Some context is ...
1 vote
0 answers
60 views
How to locate and audit the Layer-3 scrambling (masking/hash/PRNG) function and seed in Pret-a-voter or similar secure voting system source code? [closed]
I am performing a cryptographic audit and reconstruction for a secure voting system inspired by Pret-a-voter. I currently have access to deterministic PRF mapping (Layer-1) and modulo/checksum filter (...
1 vote
0 answers
97 views
Various X-based proofs in cryptography [duplicate]
I have read quite a lot about ZKPs, so I THINK I know what a simulation-based proof is (of course I have extensively met them regarding zero-knowledge-ness), but I often also hear about game-based ...
1 vote
1 answer
115 views
Security reduction advantage bounds
Suppose we have a hard problem, and a signature scheme based on that hard problem. Why do we try and bound the advantage of forger for the signature scheme above by the advantage of an adversary ...
1 vote
1 answer
75 views
Degree of Freedom in Secret Sharing
In Shamir secret sharing if we need to secret share a value such that if t+1 shares can reconstruct the secret then we use degree $t$ polynomial $f$. What happens if I share another secret using same ...
0 votes
0 answers
37 views
Difference between non-collusion and single-party corruption assumptions
In the context of secure multi-party computation (MPC), I often see different assumptions about the adversary. What is the difference between the non-colluding assumption and the assumption that the ...
1 vote
2 answers
271 views
What's the idea behind Kerckhoffs's principle?
Kerckhoffs's principle in cryptography says that one should design a cryptosystem under the assumption that everything about it, except the key, is public knowledge. Is this principle really necessary?...
1 vote
0 answers
47 views
Simulation Based Proofs in 2-Party Computation
I was reading the paper How to Simulate It - A Tutorial on the Simulation Proof Technique by Yehuda Lindell, where he considers the Oblivious Transfer problem. (page 11) Basically, Oblivious Transfer is ...
10 votes
1 answer
525 views
Signature schemes secure against re-signing
A signature scheme is secure against re-signing when knowledge of signature(s) of some unknown message under some honestly drawn key pair(s) with their public key(s) public does not allow ...
1 vote
1 answer
104 views
How indistinguishability obfuscation implies unintelligibility of a program?
Given an obfuscator $O$ that takes as input a circuit $C$ and outputs its obfuscated version $O(C)$, we expect, informally, that the obfuscated version should be somehow "unintelligible" for ...
0 votes
0 answers
30 views
Signature Schemes in Multiuser setting
The security of signature schemes in single user setting is expected to satisfy existential unforgeability under a chosen message attack (EUF-CMA). The following paper has given the notion of security ...
2 votes
0 answers
75 views
Why are OO-secure ID-schemes IMP-PA?
Consider the paper From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security published by Abdalla, An, Bellare, Namprempre. In their ...