Fact-checked by Grok 2 weeks ago

Semantic security

Semantic security is a cryptographic notion that defines the security of an scheme against passive adversaries who can eavesdrop on ciphertexts but cannot actively influence the process. Introduced by and Silvio Micali in their seminal 1984 paper on probabilistic , it requires that no computationally bounded adversary can learn any partial about the from the beyond what is already known from the message distribution or auxiliary . Formally, for a symmetric-key scheme, semantic security holds if, for every efficient adversary A and every message distribution, there exists an efficient simulator that produces outputs indistinguishable from those of A given the , ensuring the adversary gains negligible in computing any function of the . In the context of public-key , semantic is equivalently defined through the indistinguishability under (IND-CPA) , where an adversary given the public key and a for one of two chosen cannot distinguish which was encrypted with more than negligible probability. This , established in the original paper, simplifies proofs of by allowing cryptographers to use either interchangeably. The concept originated to address limitations of deterministic , promoting probabilistic schemes like the Goldwasser-Micali cryptosystem based on quadratic residuosity, which hides all partial information about the message. Semantic security serves as a foundational in modern , underpinning secure protocols such as , zero-knowledge proofs, and hybrid encryption systems. It models realistic threats from eavesdroppers in scenarios like over public channels, but does not protect against active attacks like chosen-ciphertext scenarios, for which stronger notions like IND-CCA are required. Ongoing research extends semantic security to quantum settings and to ensure robustness against advanced adversaries.

Fundamentals

Definition

Semantic security, also known as probabilistic polynomial-time indistinguishability, is a fundamental security notion for schemes in . It ensures that an algorithm conceals all about the from an adversary who observes the , beyond what can be inferred from auxiliary already known to the attacker. Introduced by and Silvio Micali, this concept requires that the be probabilistic to prevent deterministic mappings that could leak partial details about the message. Semantically secure protects against passive adversaries who can only eavesdrop on ciphertexts, making it a cornerstone for protocols. Formally, an encryption scheme is semantically secure if, for any probabilistic polynomial-time (PPT) adversary A, there exists a PPT simulator S such that, for any efficient distribution over messages M, any polynomial-time computable functions f and h (where h represents auxiliary information), the difference in probabilities is negligible: \left| \Pr\left[ A(\text{Enc}(M), h(M)) = f(M) \right] - \Pr\left[ S(h(M)) = f(M) \right] \right| \leq \epsilon(n), where \epsilon(n) is a in the security parameter n, and \text{Enc} denotes the algorithm. This simulation paradigm captures the intuition that no efficient computation on the plaintext can be meaningfully advanced by access to the ciphertext. Goldwasser and Micali proved that semantic security is equivalent to the indistinguishability of encryptions under (IND-CPA), where an adversary cannot distinguish with non-negligible advantage between encryptions of two plaintexts of equal length. This , later refined in subsequent works, allows for more tractable proofs using the indistinguishability game, while preserving the semantic intuition of information-theoretic hiding. Seminal constructions achieving this include the Goldwasser-Micali cryptosystem based on quadratic residuosity and under the decisional Diffie-Hellman assumption.

Formal Security Model

The formal security model for semantic security, introduced by and Micali, captures the intuition that a ciphertext should reveal no partial information about the underlying to any computationally bounded adversary, beyond what is inherent in the plaintext's length or structure. This model applies to probabilistic encryption schemes and is defined for public-key cryptosystems, where an encryption algorithm \mathcal{E} uses a public key pk to produce ciphertexts that are computationally indistinguishable for different plaintexts. The security is formalized via the indistinguishability under (IND-CPA) experiment, which is equivalent to the original semantic security definition and has become the standard game-based formalism. In this two-stage game, a probabilistic polynomial-time adversary \mathcal{A} interacts with a challenger as follows:
  1. Setup: The challenger generates a key pair (pk, sk) for security parameter \lambda and provides pk to \mathcal{A}. The adversary may query the oracle \mathcal{E}_{pk}(\cdot) adaptively on chosen plaintexts of its choice.
  2. Challenge: At some point, \mathcal{A} submits two equal-length plaintexts m_0, m_1. The challenger selects a random bit b \in \{0,1\}, computes the challenge ciphertext c^* = \mathcal{E}_{pk}(m_b), and sends c^* to \mathcal{A}. The adversary continues querying the encryption but cannot query on m_0 or m_1.
  3. Guess: Finally, \mathcal{A} outputs a guess b' \in \{0,1\} for b.
The adversary's advantage is defined as \text{Adv}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}}(\lambda) = \left| \Pr[b' = b] - \frac{1}{2} \right|, where the probability is taken over the random coins of the challenger and \mathcal{A}. A scheme \mathcal{E} is semantically secure (IND-CPA secure) if for all PPT adversaries \mathcal{A}, the advantage is negligible in \lambda, i.e., \text{Adv}^{\text{IND-CPA}}_{\mathcal{E},\mathcal{A}}(\lambda) \leq \nu(\lambda) for some negligible function \nu (smaller than any inverse polynomial $1/\lambda^c for constant c > 0 and sufficiently large \lambda). This model ensures that no efficient adversary can distinguish between encryptions of two messages with non-negligible probability, thereby preventing extraction of any semantic information about the . Goldwasser and Micali proved that semantic security implies the inability of any PPT adversary to compute any of the plaintext from the with better than negligible, formalizing the "semantic" aspect through a paradigm where the adversary's view is indistinguishable from one generated without knowledge of the plaintext.

Historical Development

Origins

The concept of semantic security emerged in the early 1980s as a foundational notion in modern , specifically aimed at addressing the limitations of deterministic encryption schemes in revealing partial about plaintexts. It was first introduced by and Silvio Micali in their seminal 1982 paper titled "Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information," presented at the Symposium on Theory of Computing (STOC). A full journal version appeared in 1984. In this work, the authors sought to formalize a security model for public-key cryptosystems that ensures an adversary gains no useful from a ciphertext, even when equipped with computational power polynomial in the security parameter. This marked a shift from earlier perfect secrecy definitions, such as Claude Shannon's 1949 model, which required information-theoretic indistinguishability but were impractical for computational settings. Goldwasser and Micali defined semantic security intuitively as a property where, for any probabilistic polynomial-time adversary, the view of the conveys negligible information about the underlying , beyond its length. Formally, they described it through a game where an adversary attempts to compute any function of the after observing the , succeeding only with negligible probability over random choices. This definition was motivated by the need to protect against passive eavesdroppers in public-key settings, where keys are publicly known, contrasting with symmetric schemes. Their paper also proposed the first probabilistic scheme achieving semantic security: the -Micali cryptosystem, based on the hardness of distinguishing residues modulo a . This construction demonstrated the feasibility of semantic security under standard computational assumptions, influencing subsequent developments in provable . The introduction of semantic security catalyzed broader advancements in cryptographic definitions, including its equivalence to the indistinguishability (IND) model established by Micali, Rackoff, and others in the mid-1980s. Initially tailored for public-key encryption, the notion quickly extended to symmetric primitives, underscoring its versatility. Goldwasser and Micali's work, which earned them the 2012 partly for this contribution, laid the groundwork for modern standards like IND-CPA security in schemes such as ElGamal and RSA-OAEP.

Formalization and Evolution

The concept of semantic security was introduced by and Silvio Micali in their 1982 STOC paper, with a formal journal version in 1984 on probabilistic , marking a pivotal shift in cryptographic security modeling from perfect secrecy to computational notions suitable for public-key systems. In this work, they defined semantic security as a criterion ensuring that, for any efficient adversary, the view of the provides no additional information about the beyond what the adversary already knows from the message distribution. Formally, this means that no polynomial-time algorithm can compute any polynomially verifiable function of the with advantage beyond a negligible probability, given only the and auxiliary information. and Micali motivated this definition to capture the intuition that should preserve the semantic content of messages against passive adversaries, contrasting with earlier deterministic schemes like textbook , which leak partial information such as the least significant bit. Alongside semantic security, and Micali proposed an alternative notion called "polynomial security," which requires that encryptions of two distinct messages are computationally indistinguishable by any efficient distinguisher. They proved that polynomial security implies semantic security, establishing the former as a sufficient condition for the latter. Subsequently, in the same paper, they demonstrated the equivalence between semantic security and indistinguishability under (IND-CPA), showing that the two notions are interchangeable for public-key encryption schemes. This equivalence, later revisited and streamlined in a analysis by Dodis and Ruhl, simplified proofs by reducing the security loss from n^{-2c} to n^{-c/2} in the asymptotic setting, where n is the security parameter and c is a constant. The evolution of semantic security in the following decades refined its foundational role within the broader paradigm of provable security. In the late , researchers extended the model to symmetric-key settings and incorporated concrete security bounds, moving beyond to quantify adversary resources explicitly. A landmark contribution came in 1998 from Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway, who systematically compared semantic security with related notions like non-malleability and indistinguishability under (), confirming its position as the minimal standard for basic while highlighting separations from stronger guarantees. This work solidified IND-CPA (equivalent to semantic security) as the benchmark for evaluating encryption schemes, influencing standards like those in TLS and paving the way for hybrid constructions that achieve higher security levels under standard assumptions. By the 2000s, semantic security had become integral to game-based frameworks, enabling modular proofs for complex protocols while emphasizing the need for randomness to prevent deterministic leakages.

Symmetric-Key Applications

Encryption Modes

In symmetric-key encryption, modes of operation define how a processes messages longer than the block size to achieve desired properties, including semantic . Semantic in this context, equivalent to indistinguishability under (IND-CPA), requires that ciphertexts reveal no partial information about the , even when the adversary can obtain encryptions of chosen messages. Deterministic modes fail this due to their predictability, while probabilistic modes using random initialization vectors (IVs) or unique nonces can achieve it, assuming the underlying is a secure (PRP). The Electronic Codebook (ECB) mode encrypts each block independently and deterministically, producing identical ciphertexts for identical blocks. This leaks structural information about the plaintext, such as patterns in images, violating IND-CPA security; an adversary can distinguish encryptions of two messages differing in only one block with advantage 1. ECB is thus unsuitable for semantic security. In contrast, Cipher Block Chaining (CBC) mode achieves IND-CPA security when prefixed with a random IV, where each block's depends on the previous one via XOR. The security proof reduces to the PRP security of the , with adversary advantage bounded by approximately \sigma^2 / 2^{n}, where \sigma is the total number of blocks encrypted and n is the block size (up to the birthday bound). requires for non-multiples of the block size and is malleable, but provides semantic security against chosen-plaintext attacks with proper IV . Counter (CTR) mode turns a into a by encrypting a (initialized with a unique nonce or random ) and XORing the keystream with the . It achieves IND-CPA security if nonces are unique across messages, with advantage bounded similarly by \sigma^2 / 2^{n+1}, reducible to the PRP assumption. CTR supports parallel /decryption and , making it efficient for large data, though nonce reuse catastrophically leaks information. Output Feedback (OFB) and Cipher Feedback (CFB) modes also provide IND-CPA with random s. OFB generates a keystream by repeatedly encrypting the IV and previous output, akin to a , with security proven via PRP reduction and advantage \sigma^2 / 2^{n}. CFB operates similarly but feeds back, offering self-synchronization after errors; its security follows analogous proofs. Both modes avoid but propagate errors in CFB, and they are less parallelizable than CTR.
ModeIND-CPA Secure?IV/Nonce RequirementKey Security Bound (Advantage)Notes
ECBNoNoneN/A (advantage = 1 for pattern detection)Deterministic; leaks block structure.
Random per message\approx \sigma^2 / 2^nChaining provides diffusion; padding needed.
CTRYesUnique \approx \sigma^2 / 2^{n+1}Stream-like; parallelizable.
OFBYesRandom IV\approx \sigma^2 / 2^nKeystream generation; no error propagation.
YesRandom IV\approx \sigma^2 / 2^nFeedback from ; error propagation.
These modes assume a secure PRP like ; real-world implementations must ensure IV/nonce unpredictability to maintain semantic security.

Security Proofs

Security proofs for semantic security in symmetric-key typically establish indistinguishability under (IND-CPA), where an adversary cannot distinguish encryptions of two plaintexts with non-negligible advantage. These proofs reduce the security of the encryption scheme to the assumed hardness of the underlying , such as a (PRP) or pseudorandom function (PRF), using game-based or simulation-based arguments. Seminal work formalized concrete security bounds for common modes of operation, quantifying the adversary's advantage in terms of query complexity and the block cipher's security. For cipher chaining (CBC) mode, semantic is proven under the assumption that the is a PRP. The proof proceeds by a sequence of hybrid s, where the real encryption is transformed into an ideal one, with each step bounded by the PRP or a collision probability term. Specifically, the IND-CPA of an adversary making q queries on messages of total ℓ blocks is at most σ · Adv_PRP(A) + σ^2 / 2^{n+1}, where σ is the total number of encryptions (approximately ℓ), Adv_PRP is the PRP distinguishing , and n is the size. This bound highlights the mode's against recovery but also its vulnerability to padding attacks if not properly implemented. Counter (CTR) mode achieves semantic security assuming the acts as a PRF when keyed. The proof uses a hybrid argument showing that the keystream generated by CTR is indistinguishable from random, directly tying the 's IND-CPA security to the PRF . For an adversary issuing q queries with total σ blocks across all queries, the is bounded by Adv_PRF(σ) + σ^2 / 2^{n+1}, making CTR suitable for parallelizable with security independent of message length beyond nonce uniqueness. Nonce reuse, however, can degrade security to that of a with keystream reuse, potentially allowing . Other modes, such as output feedback (OFB), follow similar PRF-based proofs for IND-CPA security, with advantages bounded by the PRF distinguishing probability over σ block queries plus σ^2 / 2^n. These proofs emphasize the need for fresh keys or nonces to avoid birthday-bound limitations, as seen in the quadratic terms for permutation-based modes. Later extensions, including automated verification tools, have confirmed these results for , CFB, and OFB using relational program logics, ensuring exact bounds without manual constructions.

Public-Key Applications

IND-CPA Experiment

The IND-CPA (Indistinguishability under ) experiment formalizes a security model for public-key schemes, ensuring that an adversary cannot distinguish between encryptions of two chosen plaintexts, even after obtaining ciphertexts for other chosen plaintexts. This notion captures in the public-key setting, where the adversary has access to the public key and can perform chosen-plaintext queries but lacks the secret key. The experiment pits a probabilistic polynomial-time adversary \mathcal{A} against a challenger, measuring \mathcal{A}'s ability to guess which of two challenge messages was encrypted. In the experiment, the challenger first runs the algorithm \mathsf{Gen}(1^\lambda) to produce a public-secret key pair (pk, sk), where \lambda is the security parameter, and sends pk to \mathcal{A}. The adversary \mathcal{A} may then adaptively query an oracle up to a number q(\lambda) times, submitting plaintexts m_i and receiving c_i \leftarrow \mathsf{Enc}(pk, m_i). After these queries, \mathcal{A} selects two equal-length messages m_0, m_1 \in \mathcal{M} (the message space) and sends them to the challenger. The challenger flips a random bit b \leftarrow \{0,1\}, computes the ciphertext c^* \leftarrow \mathsf{Enc}(pk, m_b), and sends c^* to \mathcal{A}. Finally, \mathcal{A} outputs a guess \hat{b} \in \{0,1\}. The adversary wins if \hat{b} = b. The scheme is IND-CPA-secure if, for all efficient adversaries \mathcal{A}, the advantage \mathsf{Adv}^{\mathsf{IND-CPA}}_{\mathcal{A},\Pi}(\lambda) = \left| \Pr[\hat{b} = b] - \frac{1}{2} \right| is negligible in \lambda, where the probability is taken over the random choice of b and the randomness of the experiment. This measures how much better than random guessing (probability 1/2) the adversary performs. The chosen-plaintext queries model realistic attacks where the adversary can generate encryptions using the public key, distinguishing IND-CPA from weaker notions like indistinguishability under passive attacks. In public-key encryption, IND-CPA security is equivalent to , meaning no efficient adversary can learn any partial information about the plaintext from the ciphertext beyond its length. This experiment underpins the security of widely used public-key schemes like ElGamal and -OAEP, where proofs reduce IND-CPA security to underlying hard problems (e.g., decisional Diffie-Hellman or RSA assumption). Extensions like IND-CCA incorporate decryption queries, but IND-CPA suffices for basic semantic security in non-malleable settings. The model's emphasis on ensures fresh ciphertexts, preventing deterministic vulnerabilities.

Constructions and Examples

One of the earliest and most influential constructions achieving semantic security in public-key is the Goldwasser-Micali (GM) , introduced in as the first probabilistic public-key scheme proven secure under a standard computational assumption. This scheme encrypts individual bits and is based on the hardness of distinguishing quadratic residues a composite n = pq, where p and q are large primes, assuming the quadratic residuosity problem is intractable. In the GM scheme, key generation involves selecting primes p and q of equal size, computing n = pq, and choosing a random y \in \mathbb{Z}_n^* that is a quadratic non-residue modulo both p and q but has Jacobi symbol 1 (i.e., \left( \frac{y}{n} \right) = 1). The public key is (n, y), and the private key is (p, q). To encrypt a bit b \in \{0, 1\}, a random x \in \mathbb{Z}_n^* is chosen, and the ciphertext is c = x^2 \cdot y^b \mod n; thus, c = x^2 \mod n for b=0 (a quadratic residue) and c = x^2 y \mod n for b=1 (a non-residue). Decryption uses the private key to compute the Legendre symbols \left( \frac{c}{p} \right) and \left( \frac{c}{q} \right), yielding b=0 if c is a quadratic residue modulo n and b=1 otherwise. The scheme's semantic security follows from the assumption that no efficient algorithm can distinguish quadratic residues from non-residues with Jacobi symbol 1, ensuring that ciphertexts for 0 and 1 are indistinguishable. While efficient for bits, GM requires concatenating multiple ciphertexts for longer messages, leading to a message expansion factor equal to the modulus size (e.g., 1024 bits per bit for a 1024-bit modulus). A widely adopted construction is the ElGamal encryption scheme, proposed in 1985, which achieves semantic security under the decisional Diffie-Hellman (DDH) assumption in a cyclic group of prime order q. Key generation selects a group \mathbb{G} of order q with generator g, a random secret x \in \mathbb{Z}_q^*, and computes h = g^x; the public key is pk = (g, h), and the secret key is sk = x. To encrypt a message m \in \mathbb{G}, a random y \in \mathbb{Z}_q^* is chosen, yielding ciphertext c = (g^y, m \cdot h^y). Decryption recovers m = c_2 \cdot c_1^{-x}, where c_1 = g^y and c_2 = m \cdot h^y, since h^y = (g^x)^y = (g^y)^x = c_1^x. Semantic security holds because, under DDH, the adversary cannot distinguish (g^y, h^y) from a random pair, making encryptions of distinct messages indistinguishable. ElGamal is multiplicatively homomorphic and serves as a building block for many protocols, though it requires messages to be group elements and doubles the ciphertext size compared to the message. The , introduced in , provides another example of a semantically secure scheme that is additively homomorphic, based on the decisional composite residuosity assumption (DCRA). chooses primes p and q, sets n = pq, and selects g \in \mathbb{Z}_{n^2}^* (often g = n+1); the public key is (n, g), and the secret key enables computation of \lambda = \mathrm{lcm}(p-1, q-1). of m \in \mathbb{Z}_n uses a random r \in \mathbb{Z}_n^*, computing c = g^m \cdot r^n \mod n^2. Decryption applies the function L(u) = (u-1)/n to c^\lambda \mod n^2 and g^\lambda \mod n^2, yielding m = L(c^\lambda \mod n^2) / L(g^\lambda \mod n^2) \mod n. Under DCRA, which posits that n-th residues n^2 are indistinguishable from random elements, Paillier achieves semantic security while allowing homomorphic of plaintexts via . This property makes it suitable for applications like secure voting, with size roughly twice the .

Randomness Requirements

Importance of Randomness

In semantic security, also known as indistinguishability under (IND-CPA), randomness is essential to ensure that an encryption scheme conceals all information about the beyond its length, preventing adversaries from gaining any partial of the . Without , would be deterministic, mapping each uniquely to a fixed under the same . This allows an adversary to distinguish between encryptions of different messages by simply computing the ciphertexts themselves, as the public encryption enables anyone to perform encryptions. For instance, in the IND-CPA security game, an adversary selects two plaintexts m_0 and m_1; a deterministic scheme would produce distinct ciphertexts c_0 = \text{Enc}(pk, m_0) and c_1 = \text{Enc}(pk, m_1), allowing perfect identification of which message was encrypted in the challenge, yielding an advantage of 1. The foundational work by and Micali formalized this requirement in their introduction of probabilistic , emphasizing that randomness must be incorporated into the process to produce multiple possible ciphertexts for any given . By flipping a or using random bits during , the scheme generates varied outputs for the same input, such as in their quadratic residuosity-based construction where the ciphertext depends on both the message and a sequence of coin tosses. This variability ensures that even if an adversary observes multiple encryptions of the same message, they appear indistinguishable from encryptions of other messages, thwarting pattern recognition and frequency analysis attacks. Seminal theorems prove that any semantically secure public-key scheme must be randomized; deterministic alternatives fail outright because the adversary can exploit the injective mapping between plaintexts and ciphertexts to break with non-negligible probability. Randomness not only underpins the core definition of semantic security but also extends its robustness in practical applications, such as hybrid encryption schemes like ElGamal, where random ephemeral keys mask the message during . In these constructions, the security reduction relies on computational assumptions like the Decisional Diffie-Hellman problem, but the randomization step is what elevates the scheme from mere confidentiality to semantic security by ensuring . Failure to use sufficient , such as reusing nonces or predictable seeds, can degrade security to that of deterministic , enabling chosen-plaintext attacks that reveal message contents. Thus, serves as the cryptographic "fuel" that transforms potentially insecure mappings into secure, information-theoretically hiding mechanisms.

Failure Case Studies

One prominent failure in achieving semantic security arises from the use of Electronic Codebook (ECB) mode for block cipher encryption, which processes each plaintext block independently without incorporating randomness. In ECB mode, identical plaintext blocks produce identical ciphertext blocks, allowing an adversary to discern patterns in the plaintext from the ciphertext alone, directly violating the indistinguishability requirement of semantic security. This vulnerability enables trivial attacks, such as encrypting two known plaintext blocks and observing matching ciphertext blocks to infer structural information about the data. Real-world implementations have suffered due to ECB adoption. For instance, in the Bouncy Castle cryptographic library (CVE-2016-1000344), the use of ECB mode for encrypting sensitive data exposed patterns, facilitating potential recovery of information. Similarly, Jenkins server (CVE-2017-2598) employed ECB to protect secrets, allowing attackers to detect repetitions in configuration data through ciphertext analysis. Another case is Zoom's video conferencing software (CVE-2020-11500), where ECB encryption of video and audio streams leaked patterns such as participant positions or movements, compromising in large-scale deployments. These incidents highlight how ECB's lack of and undermines semantic security in practical symmetric-key systems. Initialization vector (IV) reuse or predictability in modes like Cipher Block Chaining (CBC) represents another critical failure mode, as CBC relies on a unique, unpredictable IV to ensure randomization and semantic security. When the same IV is reused with the same key for multiple plaintexts, an adversary can XOR corresponding ciphertext blocks to recover the XOR of the underlying plaintext blocks, leaking partial information about the messages and breaking indistinguishability under chosen-plaintext attacks. Even predictable IVs, such as those derived from previous ciphertexts, enable similar deductions by allowing attackers to anticipate and manipulate encryption inputs. A notable real-world example is the attack on TLS 1.0 (CVE-2011-3389), where mode used the last block of the previous record as the , creating predictable IVs across sessions. This allowed attackers to perform chosen-plaintext queries via in browsers, injecting blocks to gradually decrypt cookies and other secrets, effectively bypassing semantic security protections in widespread web encryption. The vulnerability affected millions of sites until TLS 1.0 was deprecated, underscoring the dangers of non-random IVs in network protocols. In public-key settings, textbook —raw without or —exemplifies a deterministic scheme that inherently fails semantic security. Since the same always yields the same , an adversary can distinguish encryptions of two different messages (e.g., by checking which ciphertext matches a known encryption), succeeding in the IND-CPA with probability 1. This lack of randomness exposes plaintext structure, such as distinguishing even from odd values or detecting repetitions. Early cryptographic deployments occasionally relied on unpadded for simplicity, leading to exploitable systems where semantic security was assumed but absent. For example, in some legacy protocols before standardized like OAEP, attackers could exploit to infer message contents from multiple encryptions under the same public key, as formalized in the original semantic security definition where deterministic public-key schemes cannot achieve indistinguishability against adaptive adversaries. Modern constructions mitigate this via randomized , but historical failures emphasize the necessity of for semantic security in public-key .

Implementation Best Practices

To achieve semantic security in cryptographic implementations, particularly for encryption schemes, the generation and use of must adhere to established standards to prevent predictability that could leak information about plaintexts. High-quality random bits are essential for elements like initialization vectors (IVs), nonces, and keys, as deterministic or biased can enable adversaries to distinguish ciphertexts from random strings, violating indistinguishability under (IND-CPA). NIST recommends using deterministic random bit generators (DRBGs) seeded with sufficient from approved sources to produce pseudorandom outputs suitable for cryptographic purposes. These DRBGs, such as those based on functions, , or counter modes, must be instantiated with mechanisms validated under standards like or higher to ensure resistance to state compromise. A core is to source from hardware-based true generators (TRNGs) or non-deterministic events, such as noise, disk timing variations, or inter-keystroke intervals, before feeding them into a DRBG. RFC 4086 emphasizes combining multiple uncorrelated sources and applying de-skewing techniques (e.g., extractors) to mitigate , aiming for at least 256 bits of for AES-256 keys. In symmetric modes like , IVs must be generated freshly for each using a FIPS-approved generator, ensuring uniqueness and unpredictability to maintain semantic security; reuse of IVs with the same key can expose patterns. For authenticated modes like GCM, nonces should be at least 96 bits and constructed deterministically (e.g., via a counter) or randomly, with the probability of repetition kept below 2^{-32} to avoid forgery risks that indirectly undermine . Implementations should incorporate periodic reseeding of DRBGs—every 2^{19} to 2^{48} outputs depending on the mechanism—to counter potential depletion or attacks on the generator state. practices include generating keys with full matching the security strength (e.g., 256 bits for AES-256) and storing them securely without caching in vulnerable locations like states, which has led to reset-based attacks in cloud environments. For public-key schemes like ElGamal, in ephemeral keys must similarly be drawn from secure generators to prevent partial leakage. Testing implementations with tools like NIST's Statistical (STS) is advised to verify quality, ensuring no deviations that could compromise semantic security. Common pitfalls to avoid include relying on software-only pseudorandom number generators without seeding (e.g., linear congruential generators), which produce predictable sequences exploitable in semantic security experiments. In resource-constrained devices, hybrid approaches—using hardware when available and falling back to DRBGs—help maintain compliance, but all outputs must be conditioned to extract full . Adopting these practices, aligned with NIST SP 800-90 series and 4086, ensures robust protection against information-theoretic breaches in semantically secure systems.

References

  1. [1]
    [PDF] Notes for Lecture 2 - Stanford CS Theory
    Jan 22, 2009 · Definition 10 (Semantic Security – Asymptotic Definition) An encryption scheme. (Enc, Dec) is semantically secure if for every polynomial p ...
  2. [2]
    [PDF] Probabilistic Encryption - Semantic Scholar
    An introduction to probabilistic encryption is given, presenting the first probabilistic cryptosystem by Goldwasser and Micali. ... Rackoff. Computer ...
  3. [3]
    [PDF] Public Key Encryption 1 Semantic Security 2 Public Key Encryption
    Oct 3, 2016 · We began lecture by formalizing the definition of Semantic Security for secret-key encryption as follows: Definition 1 A secret-key encryption ...
  4. [4]
    [PDF] 8 Encryption: Semantic Security and Practical Issues
    Semantic security helps prove various cryptographic constructs that use encryption as part of a larger protocol.
  5. [5]
    [PDF] Semantic Security and Indistinguishability in the Quantum World
    We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes ...
  6. [6]
    Probabilistic encryption & how to play mental poker keeping secret ...
    This paper proposes an Encryption Scheme that possess the following property : An adversary, who knows the encryption algorithm and is given the cyphertext, ...
  7. [7]
    None
    Error: Could not load webpage.<|control11|><|separator|>
  8. [8]
    [PDF] GM-Security and Semantic Security Revisited
    Feb 5, 1999 · In their seminal paper on notions of security for public-key cryptosystems [2], Goldwasser and Micali introduced two security definitions which ...
  9. [9]
    [PDF] A Concrete Security Treatment of Symmetric Encryption
    Specifically, they presented two notions of security for asymmetric encryption, "semantic security" and "polynomial security," and proved them equivalent with ...<|control11|><|separator|>
  10. [10]
    [PDF] Relations Among Notions of Security for Public-Key Encryption ...
    Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. First ACM Conference on Computer and Communications Security ...
  11. [11]
    [PDF] Lectures 2+3: Provable Security - Brown CS
    In cryptography, we typically use one of two approaches to formalize security intuitions. We'll discuss both. Game-based definitions. In a game-based definition ...
  12. [12]
    [PDF] Symmetric Encryption: Modes of Operation, Semantic Security
    CBC Mode: Encryption. ▫ Identical blocks of plaintext encrypted differently ... This includes ECB mode of common block ciphers! Attacker A interacts ...
  13. [13]
    [PDF] A Graduate Course in Applied Cryptography
    ... semantic security . . . . . . . . . . . . . . . . . . . . . . . . . 15. 2.2.3 ... modes of operation . . . . . . . . . . . . . . . . . . . 327. 8.10.4 ...
  14. [14]
    [PDF] Evaluation of Some Blockcipher Modes of Operation
    Feb 10, 2011 · Provable security of CBC, CFB, and OFB when the IV is random. All of these modes achieves SemCPA security when the IV is random. Indeed they ...
  15. [15]
    [PDF] Relations Among Notions of Security for Public-Key Encryption ...
    Abstract. We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and ...
  16. [16]
    [PDF] Chapter 11 - Public key encryption - UPenn CIS
    We next define the notion of semantic security for a public-key encryption scheme. We stress that this notion of security only models an eavesdropping adversary ...
  17. [17]
    [PDF] Cryptography CS 555 - Computer Science Purdue
    The Goldwasser-Micali Probablistic. Encryption Scheme. • First provably semantically secure public key encryption scheme, security based on the hardness of ...
  18. [18]
    [PDF] A public key cryptosystem and a signature scheme based on ...
    ElGamal, A Subexponential-Time Algorithm for Computing Discrete Logarithms over ... and its cryptographic significance, IEEE Transactions on Information Theory It ...<|control11|><|separator|>
  19. [19]
    [PDF] Week 13 Topic 1: El-Gamal Encryption - Cryptography CS 555
    Theorem 11.18: Let Π = GGGGGG,EEGGcc,DDGGcc be the El-Gamal Encryption scheme (above) then if DDH is hard relative to GG then Π is CPA-Secure.
  20. [20]
    [PDF] Public-Key Cryptosystems Based on Composite Degree Residuosity ...
    More specifically,. Page 4. 4. Pascal Paillier. Lemma 1. If the order of g is a nonzero multiple of n then Eg is bijective. We denote by Bα ⊂ Z∗ n2.
  21. [21]
    [PDF] A Comparison of El Gamal and Paillier Cryptosystems - Koc Lab
    This paper will examine the concepts behind both the El Gamal and Paillier style of public key cryptography. I will compare and contrast the size and complexity ...
  22. [22]
    [PDF] A Graduate Course in Applied Cryptography
    Page 1. A Graduate Course in Applied Cryptography. Dan Boneh and Victor Shoup. Version 0.4, September 2017. Page 2. Preface. Cryptography is an indispensable ...
  23. [23]
    [PDF] Report on the Block Cipher Modes of Operation in the NIST SP 800 ...
    In the case of the ECB mode, a trivial attack against semantic security can be mounted by encrypting only two blocks of data [14]. The analysis so far assumes ...
  24. [24]
    CWE-329: Generation of Predictable IV with CBC Mode
    If IVs are reused, then identical plaintexts would be encrypted to identical ciphertexts. However, even if IVs are not identical but are predictable, then they ...Missing: semantic | Show results with:semantic
  25. [25]
    https://nvd.nist.gov/vuln/detail/CVE-2011-3389
  26. [26]
    [PDF] CCA Secure Encryption - University of Illinois Urbana-Champaign
    An imporant realization about the textbook RSA system is that it is not semantically secure because it is deterministic. Consider a semantic security attack ...
  27. [27]
    https://doi.org/10.6028/NIST.SP.800-90Ar1
  28. [28]
    RFC 4086: Randomness Requirements for Security
    Summary of each segment:
  29. [29]
    None
    Summary of each segment:
  30. [30]
    None
    ### Summary of Security Properties and Implementation Recommendations for GCM Mode (NIST SP 800-38D)