Semantic security

Semantic security is a widely-used definition for security in an asymmetric key encryption algorithm. For a cryptosystem to be semantically secure, it must be infeasible for a computationally-bounded adversary to derive significant information about a message (plaintext) when given only its ciphertext and the corresponding public encryption key. Semantic security considers only the case of a "passive" attacker, i.e., one who generates and observes ciphertexts using the public key and plaintexts of her choice. Unlike other security definitions, semantic security does not consider the case of chosen ciphertext attack (CCA), where an attacker is able to request the decryption of chosen ciphertexts, and many semantically-secure encryption schemes are demonstrably insecure against chosen ciphertext attack. Consequently, semantic security is now considered an insufficient condition for securing a general-purpose encryption scheme.

The notion of semantic security was first put forward by Goldwasser and Micali in 1982.S. Goldwasser and S. Micali, [http://portal.acm.org/citation.cfm?id=802212 Probabilistic encryption & how to play mental poker keeping secret all partial information] , Annual ACM Symposium on Theory of Computing, 1982.] However, the definition they initially proposed offered no straightforward means to prove the security of practical cryptosystems. Goldwasser/Micali subsequently demonstrated that semantic security is equivalent to the property of ciphertext indistinguishability.S. Goldwasser and S. Micali, [http://dx.doi.org/10.1016/0022-0000(84)90070-9 Probabilistic encryption] . Journal of Computer and System Sciences, 28:270-299, 1984.] This equivalence allowed for security proofs of practical cryptosystems, and consequently the indistinguishability definition is used more commonly than the original definition of semantic security.

Indistinguishability under Chosen Plaintext Attack (IND-CPA) is commonly defined by the following game:

# A probabilistic polynomial time-bounded adversary is given a public key, which it may use to generate any number of ciphertexts (within polynomial bounds).
# The adversary generates two equal-length messages $m\_0$ and $m\_1$, and transmits them to a challenge oracle along with the public key.
# The challenge oracle selects one of the messages by flipping a fair coin, encrypts the message under the public key, and returns the resulting ciphertext $c$ to the adversary.

The underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle, with probability significantly greater than $1/2$ (the success rate of random guessing). Variants of this definition define indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack (IND-CCA, IND-CCA2).

Because the adversary possesses the public encryption key in the above game, a semantically secure encryption scheme must by definition be probabilistic, possessing a component of randomness; if this were not the case, the adversary could simply compute the deterministic encryption of $m\_0$ and $m\_1$ and compare these encryptions with the returned ciphertext $c$ to successfully guess the oracle's choice.

Semantically secure encryption algorithms include Goldwasser-Micali, El Gamal and Paillier. These schemes are considered provably secure, as their semantic security can be reduced to solving some hard mathematical problem (e.g., Decisional Diffie-Hellman or the Quadratic Residuosity Problem). Other, non-semantically-secure algorithms such as RSA, can be made semantically secure (under stronger assumptions) through the use of random encryption padding schemes such as Optimal Asymmetric Encryption Padding (OAEP).

References