Semantic security

In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message ${\displaystyle m}$ (taken from any distribution of messages), and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length (and not the ciphertext).^[1] This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.^{[2][3]: 378–381}

The notion of semantic security was first put forward by Goldwasser and Micali in 1982.^[1][4] However, the definition they initially proposed offered no straightforward means to prove the security of practical cryptosystems. Goldwasser/Micali subsequently demonstrated that semantic security is equivalent to another definition of security called ciphertext indistinguishability under chosen-plaintext attack.^[5] This latter definition is more common than the original definition of semantic security because it better facilitates proving the security of practical cryptosystems.

In the case of symmetric-key algorithm cryptosystems, an adversary must not be able to compute any information about a plaintext from its ciphertext. This may be posited as an adversary, given two plaintexts of equal length and their two respective ciphertexts, cannot determine which ciphertext belongs to which plaintext.

This section needs additional citations for verification. Please help improve this article by adding citations to reliable sources in this section. Unsourced material may be challenged and removed. (September 2012) (Learn how and when to remove this message)

For an asymmetric key encryption algorithm cryptosystem to be semantically secure, it must be infeasible for a computationally bounded adversary to derive significant information about a message (plaintext) when given only its ciphertext and the corresponding public encryption key. Semantic security considers only the case of a "passive" attacker, i.e., one who generates and observes ciphertexts using the public key and plaintexts of their choice. Unlike other security definitions, semantic security does not consider the case of chosen ciphertext attack (CCA), where an attacker is able to request the decryption of chosen ciphertexts, and many semantically secure encryption schemes are demonstrably insecure against chosen ciphertext attack. Consequently, semantic security is now considered an insufficient condition for securing a general-purpose encryption scheme.

Indistinguishability under Chosen Plaintext Attack (IND-CPA) is commonly defined by the following experiment:^[6]

1. A random pair ${\displaystyle (pk,sk)}$ is generated by running ${\displaystyle Gen(1^{n})}$.
2. A probabilistic polynomial time-bounded adversary is given the public key ${\displaystyle pk}$ , which it may use to generate any number of ciphertexts (within polynomial bounds).
3. The adversary generates two equal-length messages ${\displaystyle m_{0}}$ and ${\displaystyle m_{1}}$, and transmits them to a challenge oracle along with the public key.
4. The challenge oracle selects one of the messages by flipping a fair coin (selecting a random bit ${\displaystyle b\in \{0,1\}}$), encrypts the message ${\displaystyle m_{b}}$ under the public key, and returns the resulting challenging ciphertext ${\displaystyle c}$ to the adversary.

The underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle, with probability significantly greater than ${\displaystyle 1/2}$ (the success rate of random guessing). Variants of this definition define indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack (IND-CCA, IND-CCA2).

Because the adversary possesses the public encryption key in the above game, a semantically secure encryption scheme must by definition be probabilistic, possessing a component of randomness; if this were not the case, the adversary could simply compute the deterministic encryption of ${\displaystyle m_{0}}$ and ${\displaystyle m_{1}}$ and compare these encryptions with the returned ciphertext ${\displaystyle c}$ to successfully guess the oracle's choice.

Randomness plays a key role in cryptography by preventing attackers from detecting patterns in ciphertexts. In a semantically secure cryptosystem, encrypting the same plaintext multiple times should produce different ciphertexts.^[7]

If encryption relies on predictable or weak randomness, it becomes easier to break.^[8] Poor randomness can lead to patterns that attackers can analyze, potentially allowing them to recover secret keys or decrypt messages. Because of this, cryptographic systems must use strong and unpredictable random values to maintain security.^[9]

Strong randomness is critical in:

• Key generation – Ensures cryptographic keys are unpredictable.^[10]
• Nonce Selection – Reusing a nonce in AES-GCM or ElGamal can break security.^[11]
• Probabilistic encryption – Some schemes, like Goldwasser–Micali, rely on randomness to ensure ciphertexts are indistinguishable.^[11]

Several cryptographic failures have resulted from weak randomness, allowing attackers to break encryption.

An error in Debian’s OpenSSL removed entropy collection, producing a small set of predictable keys. Attackers could guess SSH and TLS keys, allowing unauthorized access.^[12]

Sony’s PlayStation 3 misused the Elliptic Curve Digital Signature Algorithm (ECDSA) by reusing the same nonce - a random number used once in cryptographic signing - in multiple signatures. Since ECDSA relies on unique nonces for security, attackers recovered Sony’s private signing key, allowing them to sign unauthorized software.^[13]

A flaw in Infineon's RSA key generation created weak keys that attackers could efficiently factor. This vulnerability affected smart cards and Trusted Platform Modules (TPMs), requiring widespread key replacements.^[14]

To prevent such failures, cryptographic systems must generate unpredictable and high-quality random values.^[15]

CSPRNGs provide secure random numbers resistant to attacks. Common examples include:

• /dev/random and /dev/urandom (Unix)
• Windows CryptGenRandom
• NIST-approved DRBGs (Deterministic Random Bit Generators)^[15]

Secure randomness requires high entropy sources, such as:

• Hardware-based generators (e.g., Intel RDRAND)^[16]
• Physical sources, like keystroke timing^[16]
• Dedicated security hardware, including HSMs and TPMs^[16]

Some encryption schemes require added randomness to maintain security:

• RSA with OAEP padding introduces randomness to prevent deterministic encryption.^[17]
• Unique nonces in AES-GCM and ElGamal ensure encrypting the same message multiple times produces different ciphertexts.^[17]

To verify randomness quality, cryptographic implementations should undergo:

• NIST SP 800-90B randomness tests^[16]
• Diehard tests^[18]
• FIPS 140-2 compliance checks^[19]

Semantically secure encryption algorithms include Goldwasser-Micali, ElGamal and Paillier. These schemes are considered provably secure, as their semantic security can be reduced to solving some hard mathematical problem (e.g., Decisional Diffie-Hellman or the Quadratic Residuosity Problem). Other, semantically insecure algorithms such as RSA, can be made semantically secure (under stronger assumptions) through the use of random encryption padding schemes such as Optimal Asymmetric Encryption Padding (OAEP).