Yeah, welcome back to the lecture.
Last week we looked at definitions.
So the big goal was to understand how definitions work and understand how far they are systematic
and how far there is a methodology.
So system and method.
We had that in the tutorial a second ago, but just to keep that also for the lecture
on record.
Such a definition consists of five steps.
The first one is defining the syntax, inputs and outputs of the algorithms and just basically
specifying the algorithms.
The second step is correctness.
So specifying what type of functionality we expect when there is no adversary that tries
to change anything or be malicious.
We just look at in an honest execution what type of input and output behavior do we expect.
The third step is to specify for an adversary which type of capabilities it has.
So which strength, which power, how far can the adversary control what the victims are
doing.
So for encryption we just saw that we want to model then an adversary that an adversary
can let the victims choose particular messages because as I said, messages do not typically
just contain free bits that the victims can choose, but rather there is padding that is
added to the message.
There is a certain encoding scheme that is used by the victims that they can't choose
by themselves.
The messages that they send are not full of entropy, but they basically are context-dependent.
So in order to model all those things we basically let the adversary choose which messages are
encrypted or signed or mapped or whatever.
So this is one of the ways to capture that an adversary should, we should consider adversaries
as strong as possible to say something meaningful about the security of constructions that are
executed in such environments in which we have strong adversaries.
The fourth step is to specify what the adversary's goal is.
So for encryption it is typically breaking confidentiality.
Confidentiality is typically modeled via indistinguishability of ciphertexts or one-way security, meaning
that the adversary cannot extract the full message of a ciphertext or the full key of
a KEM ciphertext and so on and so forth.
In the exercise we saw two different types of definitions for primitives that protect
authenticity and integrity.
So for signatures and for message authentication codes we have the capabilities that the adversaries
can choose messages arbitrarily.
So this is the reason why those definitions have CMA, so chosen message attacks as capability
specification and we have a different goal.
The adversary does not want to find out which message is encrypted in a ciphertext or which
key but rather which the adversary has to come up with a forgery for a tag, for a signature
and so on.
And so these definitions have the name strong unforgeability or existential unforgeability.
So we talked about the differences in the exercise.
And the fifth step is at least for me sometimes the most interesting one because it challenges
yourself to find all the trivial attacks.
Trivial attacks is the one that we're talking about, trivial attacks.
And those attacks are trivial because they work against every construction that is correct.
So as long as a construction is correct we can basically determine from syntax correctness,
Presenters
Accessible via
Open access
Duration
01:38:55 min
Recording date
2024-04-29
Uploaded on
2024-04-30 09:16:04
Language
en-US