Editing Semantic security

{{Short description|Cryptography method}}
In [[cryptography]], a '''semantically secure''' [[cryptosystem]] is one where only negligible information about the [[plaintext]] can be feasibly extracted from the [[ciphertext]]. Specifically, any [[PP (complexity)|probabilistic, polynomial-time algorithm]] (PPTA) that is given the ciphertext of a certain message <math>m</math> (taken from any distribution of messages), and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length (and not the ciphertext).<ref name="goldwasser-micali 1982">[[Shafi Goldwasser|S. Goldwasser]] and [[Silvio Micali|S. Micali]], [http://portal.acm.org/citation.cfm?id=802212 Probabilistic encryption & how to play mental poker keeping secret all partial information], Annual ACM Symposium on Theory of Computing, 1982.</ref> This concept is the computational complexity analogue to [[Claude Shannon|Shannon's]] concept of [[perfect secrecy]]. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.<ref name="shannon">{{cite journal| last=Shannon| first=Claude| title=Communication Theory of Secrecy Systems| journal=Bell System Technical Journal| volume=28| issue=4| pages=656–715| year=1949| doi=10.1002/j.1538-7305.1949.tb00928.x| hdl=10338.dmlcz/119717| hdl-access=free}}</ref><ref name=Goldreich>[[Oded Goldreich|Goldreich, Oded.]] Foundations of Cryptography: Volume 2, Basic Applications. Vol. 2. Cambridge university press, 2004.</ref>{{rp|378–381}}

==History==
The notion of semantic security was first put forward by [[Shafi Goldwasser|Goldwasser]] and [[Silvio Micali|Micali]] in 1982.<ref name="goldwasser-micali 1982" /><ref>{{Cite journal |last1=Goldwasser |first1=Shafi |last2=Micali |first2=Silvio |date=1984-04-01 |title=Probabilistic encryption |url=https://dx.doi.org/10.1016/0022-0000%2884%2990070-9 |journal=Journal of Computer and System Sciences |volume=28 |issue=2 |pages=270–299 |doi=10.1016/0022-0000(84)90070-9 |issn=0022-0000}}</ref>  However, the definition they initially proposed offered no straightforward means to prove the security of practical cryptosystems.  Goldwasser/Micali subsequently demonstrated that semantic security is equivalent to another definition of security called [[ciphertext indistinguishability]] under chosen-plaintext attack.<ref name="goldwasser-micali 1984">[[Shafi Goldwasser|S. Goldwasser]] and [[Silvio Micali|S. Micali]], [https://dx.doi.org/10.1016/0022-0000(84)90070-9 Probabilistic encryption]. Journal of Computer and System Sciences, 28:270-299, 1984.</ref>  This latter definition is more common than the original definition of semantic security because it better facilitates proving the security of practical cryptosystems.

==Symmetric-key cryptography==
In the case of [[symmetric-key algorithm]] cryptosystems, an adversary must not be able to compute any information about a plaintext from its ciphertext. This may be posited as an adversary, given two plaintexts of equal length and their two respective ciphertexts, cannot determine which ciphertext belongs to which plaintext.

==Public-key cryptography==
{{Refimprove section|date=September 2012}}

For an [[asymmetric key encryption algorithm]] cryptosystem to be semantically secure, it must be infeasible for a [[Analysis of algorithms|computationally bounded]] adversary to derive significant information about a message (plaintext) when given only its [[ciphertext]] and the corresponding public encryption key.  Semantic security considers only the case of a "passive" attacker, i.e., one who generates and observes ciphertexts using the public key and plaintexts of their choice.  Unlike other security definitions, semantic security does not consider the case of [[chosen ciphertext attack]] (CCA), where an attacker is able to request the decryption of chosen ciphertexts, and many semantically secure encryption schemes are demonstrably insecure against chosen ciphertext attack.  Consequently, semantic security is now considered an insufficient condition for securing a general-purpose encryption scheme.

Indistinguishability under [[chosen plaintext attack|Chosen Plaintext Attack]] ([[IND-CPA]]) is commonly defined by the following experiment:<ref>{{cite book|last1=Katz|first1=Jonathan|last2=Lindell|first2=Yehuda|title=Introduction to Modern Cryptography: Principles and Protocols|date=2007|publisher=Chapman and Hall/CRC|isbn=978-1584885511}}</ref>

# A random pair <math>(pk,sk)</math> is generated by running <math>\mathrm{Gen}(1^n)</math>.
#  A probabilistic polynomial time-bounded adversary is given the public key <math>pk</math> , which it may use to generate any number of ciphertexts (within polynomial bounds).
# The adversary generates two equal-length messages <math>m_0</math> and <math>m_1</math>, and transmits them to a challenge oracle along with the public key.
# The challenge oracle selects one of the messages by flipping a fair coin (selecting a random bit <math>b \in \{0,1\}</math>), encrypts the message <math>m_b</math> under the public key, and returns the resulting ''challenging ciphertext'' <math>c</math> to the adversary.

The underlying [[cryptosystem]] is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle, with probability significantly greater than <math>1/2</math> (the success rate of random guessing).  Variants of this definition define indistinguishability under [[chosen ciphertext attack]] and [[adaptive chosen ciphertext attack]] ([[IND-CCA]], [[IND-CCA2]]).

Because the adversary possesses the public encryption key in the above game, a semantically secure encryption scheme must by definition be [[probabilistic encryption|probabilistic]], possessing a component of [[randomness]]; if this were not the case, the adversary could simply compute the deterministic encryption of <math>m_0</math> and <math>m_1</math> and compare these encryptions with the returned ciphertext <math>c</math> to successfully guess the oracle's choice.

== The Role of Randomness in Semantic Security ==
Randomness plays a key role in [[cryptography]] by preventing attackers from detecting patterns in ciphertexts. In a semantically secure cryptosystem, encrypting the same plaintext multiple times should produce different ciphertexts.<ref name="HAC2">{{cite book |last1=Menezes |first1=Alfred |url=https://cacr.uwaterloo.ca/hac/ |title=Handbook of Applied Cryptography |last2=Van Oorschot |first2=Paul C. |last3=Vanstone |first3=Scott |publisher=CRC Press |year=1996 |access-date=}}</ref>

If encryption relies on predictable or weak randomness, it becomes easier to break.<ref name="HAC">{{cite book |last1=Menezes |first1=Alfred |url=https://cacr.uwaterloo.ca/hac/ |title=Handbook of Applied Cryptography |last2=Van Oorschot |first2=Paul C. |last3=Vanstone |first3=Scott |publisher=CRC Press |year=1996 |access-date=}}</ref> Poor randomness can lead to patterns that attackers can analyze, potentially allowing them to recover secret [[Key (cryptography)|keys]] or decrypt messages. Because of this, cryptographic systems must use strong and unpredictable random values to maintain security.<ref name="Katz">{{cite book |last1=Katz |first1=Jonathan |title=Introduction to Modern Cryptography: Principles and Protocols |last2=Lindell |first2=Yehuda |publisher=Chapman and Hall/CRC |year=2007 |isbn=978-1584885511}}</ref>

=== Why Randomness Is Important ===
Strong randomness is critical in:

* [[Key generation]] – Ensures cryptographic keys are unpredictable.<ref name="Katz2">{{cite book |last1=Katz |first1=Jonathan |title=Introduction to Modern Cryptography: Principles and Protocols |last2=Lindell |first2=Yehuda |publisher=Chapman and Hall/CRC |year=2007 |isbn=978-1584885511}}</ref>
* Nonce Selection – Reusing a nonce in [[AES-GCM]] or [[ElGamal encryption|ElGamal]] can break security.<ref name="Katz4">{{cite book |last1=Katz |first1=Jonathan |title=Introduction to Modern Cryptography: Principles and Protocols |last2=Lindell |first2=Yehuda |publisher=Chapman and Hall/CRC |year=2007 |isbn=978-1584885511}}</ref>
* [[Probabilistic encryption]] – Some schemes, like [[Goldwasser–Micali cryptosystem|Goldwasser–Micali]], rely on randomness to ensure ciphertexts are indistinguishable.<ref name="Katz4" />

=== Failures of Randomness in the Past ===
Several cryptographic failures have resulted from weak randomness, allowing attackers to break encryption.

==== Debian OpenSSL Vulnerability (2008) ====
An error in Debian’s [[OpenSSL]] removed entropy collection, producing a small set of predictable keys. Attackers could guess [[Secure Shell|SSH]] and [[Transport Layer Security|TLS]] keys, allowing unauthorized access.<ref>{{cite web |last=Bello |first=Luciano |date=2008-05-13 |title=Debian OpenSSL Predictable Random Number Generator |url=https://www.debian.org/security/2008/dsa-1571 |access-date= |publisher=Debian Security Advisory}}</ref>

==== Sony PlayStation 3 ECDSA Failure (2011) ====
Sony’s [[PlayStation 3]] misused the [[Elliptic Curve Digital Signature Algorithm]] (ECDSA) by reusing the same [[Cryptographic nonce|nonce]] - a random number used once in cryptographic signing - in multiple signatures. Since ECDSA relies on unique nonces for security, attackers recovered Sony’s private signing key, allowing them to sign unauthorized software.<ref>{{cite web |last=Schneier |first=Bruce |date=2011-01-06 |title=Sony PS3 Security Broken |url=https://www.schneier.com/blog/archives/2011/01/sony_ps3_securi.html |access-date= |publisher=Schneier on Security}}</ref>

==== ROCA Vulnerability (2017) ====
A flaw in [[Infineon Technologies|Infineon's]] [[RSA (cryptosystem)|RSA]] key generation created weak keys that attackers could efficiently factor. This vulnerability affected smart cards and [[Trusted Platform Module|Trusted Platform Modules]] (TPMs), requiring widespread key replacements.<ref>{{cite web |date=2017-10-17 |title=ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance |url=https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance |access-date= |publisher=National Cyber Security Centre}}</ref>

=== How to Ensure Strong Randomness ===
To prevent such failures, cryptographic systems must generate unpredictable and high-quality random values.<ref name="NIST90A">{{cite web |date=2012-06-11 |title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators |url=https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final |access-date= |publisher=National Institute of Standards and Technology (NIST)}}</ref>

==== Use of Cryptographically Secure Pseudorandom Number Generators (CSPRNGs) ====
CSPRNGs provide secure random numbers resistant to attacks. Common examples include:

* /dev/random and /dev/urandom (Unix)
* Windows CryptGenRandom
* NIST-approved DRBGs (Deterministic Random Bit Generators)<ref name="NIST90A" />

==== Entropy Collection ====
Secure randomness requires high entropy sources, such as:

* Hardware-based generators (e.g., Intel [[RDRAND]])<ref name="NIST90B">{{cite web |date=2018-01-10 |title=Recommendation for the Entropy Sources Used for Random Bit Generation |url=https://csrc.nist.gov/publications/detail/sp/800-90b/final |access-date= |publisher=National Institute of Standards and Technology (NIST)}}</ref>
* Physical sources, like keystroke timing<ref name="NIST90B" />
* Dedicated security hardware, including [[Hardware security module|HSMs]] and [[Trusted Platform Module|TPMs]]<ref name="NIST90B" />

==== Avoiding Deterministic Encryption Without Randomness ====
Some encryption schemes require added randomness to maintain security:

* [[RSA (cryptosystem)|RSA]] with [[Optimal asymmetric encryption padding|OAEP]] padding introduces randomness to prevent deterministic encryption.<ref name="NIST56B">{{cite web |date=2019-05-23 |title=Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography |url=https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final |access-date= |publisher=National Institute of Standards and Technology (NIST)}}</ref>
* Unique nonces in [[AES-GCM]] and [[ElGamal encryption|ElGamal]] ensure encrypting the same message multiple times produces different ciphertexts.<ref name="NIST56B" />

==== Testing and Auditing Randomness ====
To verify randomness quality, cryptographic implementations should undergo:

* [[National Institute of Standards and Technology|NIST]] SP 800-90B randomness tests<ref name="NIST90B" />
* [[Diehard tests]]<ref name="NIST22">{{cite web |date=2010-04-01 |title=A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications |url=https://csrc.nist.gov/publications/detail/sp/800-22/rev-1a/final |access-date= |publisher=National Institute of Standards and Technology (NIST)}}</ref>
* [[FIPS 140-2]] compliance checks<ref name="FIPS140">{{cite web |date=2002-05-25 |title=Security Requirements for Cryptographic Modules |url=https://csrc.nist.gov/publications/detail/fips/140/2/final |access-date= |publisher=National Institute of Standards and Technology (NIST)}}</ref>

Semantically secure encryption algorithms include [[Goldwasser-Micali cryptosystem|Goldwasser-Micali]], [[ElGamal encryption|ElGamal]] and [[Paillier]].  These schemes are considered [[provable security|provably secure]], as their semantic security can be reduced to solving some hard mathematical problem (e.g., [[Decisional Diffie-Hellman assumption|Decisional Diffie-Hellman]] or the [[Quadratic Residuosity Problem]]).  Other, semantically insecure algorithms such as [[RSA (algorithm)|RSA]], can be made semantically secure (under stronger assumptions) through the use of random encryption padding schemes such as [[Optimal Asymmetric Encryption Padding]] (OAEP).

==References==
<references />

[[Category:Theory of cryptography]]