现代密码学(Introduction to Modern Cryptography)

1. 现代密码学三个基本原则

2. Provable Security

3. Negligible

4. Semantically secure

5. Unknown key share attack

6. SEUF-CMA

7. ROR(real or random) model

8. FTG(find then guess) model

9. Outsider KCI resilience

10. Insider KCI resilience

11. IND CCA1 and IND CCA2

12. Extended eCK model

13. Matching conversations

14. Partner sessions

15. PFS

16. wPFS

17. min-entropy

1. 现代密码学三个基本原则：

1.Formulation of exact definitions
2.Reliance on precise assumptions
3.Rigorous proofs of security

2. Provable Security

1.security definition(model)
2.assumptions
2.proof: prove the scheme satisfies definition if assumption holds.

安全性证明模型分为两类： Ideal Model and Standard model.
Ideal Model: Random Oracle Model and Ideal Cipher Model.

Random Oracle${}^{[15,16]}$: In the random oracle model, one assumes that some hash function is replaced by a publicly accessible random function (the random oracle). This means that the adversary cannot compute the result of the hash function by himself: he must query the random oracle.

Ideal Cipher${}^{[16]}$: Instead of having a publicly accessible random function, one has a publicly accessible random block cipher (or ideal cipher). This is a block cipher with a $\kappa$-bit key and a $n$-bit input/output,that is chosen uniformly at random among all block ciphers of this form; this is equivalent to having a family of $2^{\kappa }$ independent random permutations. All parties including the adversary can make both encryption and decryption queries to the ideal block cipher, for any given key.

Coron et al.${}^{[17]}$ proposed a slight variant of the Merkel-Damg$\mathring{a}$rd construction to inistantiate a random oracle.

Coron et al.${}^{[15]}$ showed that the Luby-Rackoff construction with 6 rounds is sufficient to instantiate an ideal cipher.

3. Negligible

approaches 0 faster than the inverse of any polynomial
Formally:
A function $\mu$ : N$\to$ R is negligible in n if for every positive polynomial $p(\cdot )$ there exists an integer N such that for all n > N
$$|\mu (n)|<\frac{1}{p(n)}$$
we call such a function negligible in n: negl(n)

4. Semantically secure:

we say a PKE is semantically secure, if for all PPT adversaries, we have: Pr[b=b’] <= 0.5 + negl(n).

5. Unknown key share attack

  为更好地理解“未知密钥共享攻击”，研究团队举了一个形象的例子：

  Bart想耍耍他的朋友Milhouse。Bart知道Milhouse会用TextSecure邀请他来自己的生日派对，于是他用Nelson的公钥替换他自己的公钥，并让Milhouse验证他的新公钥指纹(fingerprint)。这个恶作剧可以做的合情合理，比如Bart可以编造理由说：自己买了个新手机，需要重新验证指纹……

  那么，当Milhouse邀请Bart参加他的生日聚会，Bart只需转发此消息给Nelson，Nelson就会认为这条消息来自Milhouse。而Milhouse那边也被耍了：他本以为邀请了Bart参加他的生日派对，而实际上邀请的是Nelson。

6. SEUF-CMA

  strong existential unforgeability under weak chosen message attacks.

7. ROR(real or random) model: [ 1