ScholarGate

Security Definitions and Adversary Models

Precise security definitions and adversary models specify exactly what a cryptographic scheme must protect against and what powers an attacker is assumed to have, turning vague notions of 'secure' into testable claims.

Definition

A security definition formally states the goal a scheme must achieve and the model of the adversary it must achieve it against, typically as a game or an ideal-functionality comparison in which the adversary's success probability must be negligible.

Scope

This topic covers how security goals and threats are formalized: the goal definitions (semantic security, indistinguishability, unforgeability) and the attack models that grant adversaries increasing power (chosen-plaintext, chosen-ciphertext, adaptive attacks), the ideal/real and game-based frameworks, and the gap between modeled and real-world adversaries (side channels). It excludes the reductions and hardness assumptions used to satisfy these definitions, treated in sibling topics.

Core questions

  • Why must security goals be defined precisely rather than intuitively?
  • What distinguishes confidentiality goals (semantic security) from integrity goals (unforgeability)?
  • How do attack models (CPA, CCA, adaptive) capture an adversary's capabilities?
  • How do game-based and ideal/real definitions express security?
  • Why can a scheme provably secure in its model still fall to real-world attacks such as side channels?

Key concepts

  • semantic security
  • ciphertext indistinguishability (IND)
  • chosen-plaintext attack (CPA)
  • chosen-ciphertext attack (CCA)
  • existential unforgeability
  • adaptive adversaries
  • game-based definitions
  • ideal/real paradigm
  • side-channel gap

Key theories

Semantic security and indistinguishability
Confidentiality is defined so that ciphertexts leak nothing useful: an adversary cannot distinguish encryptions of two chosen messages, a definition introduced by Goldwasser and Micali that anchors all modern encryption security.
Attack models and adversary power
Security is stated relative to what the adversary can do — passively observe, mount chosen-plaintext or adaptive chosen-ciphertext attacks — with stronger models (CCA security) required for schemes used in adversarial, interactive settings.

Mechanisms

A game-based definition pits a challenger against an adversary: for IND-CPA security, the adversary submits two messages, the challenger encrypts one at random, and security requires the adversary cannot guess which beyond chance. Stronger CCA definitions also give the adversary a decryption oracle. The ideal/real paradigm instead deems a scheme secure if interacting with it is indistinguishable from interacting with an idealized trusted functionality. Real adversaries may exploit timing or power leakage outside these models, motivating side-channel-aware definitions.
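The IND-CPA game described above, run as an added Python experiment (not code from the page): a deterministic toy scheme loses the game with certainty, while a randomized one holds the same adversary at chance. Both toy schemes and the adversary are constructed here for illustration; HMAC-SHA256 stands in for the pseudorandom function.

```python
"""IND-CPA game as a runnable experiment (added example, not from the page).
Challenger holds a key and an encryption oracle.  The adversary may query the
oracle, then submits (m0, m1); the challenger encrypts m_b for a random bit b;
the adversary guesses b.  Advantage = |Pr[guess == b] - 1/2|.  Both toy
schemes and the adversary are constructed for illustration only."""
import hmac, hashlib, secrets

KEY_LEN = 32
BLOCK = 32  # messages are one 32-byte block

def prf(key, x):
    # HMAC-SHA256 as a pseudorandom function: deterministic in (key, x)
    return hmac.new(key, x, hashlib.sha256).digest()

def det_encrypt(key, m):
    # Deterministic toy scheme: same (key, m) always yields the same ciphertext
    return bytes(a ^ b for a, b in zip(m, prf(key, b"const")))

def rand_encrypt(key, m):
    # Randomized toy scheme: fresh nonce, PRF(key, nonce) used as a one-time pad
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(m, prf(key, nonce)))

def ind_cpa_game(encrypt, adversary):
    """One run of the game; returns True if the adversary guessed b correctly."""
    key = secrets.token_bytes(KEY_LEN)
    oracle = lambda m: encrypt(key, m)
    m0, m1, state = adversary.choose(oracle)
    b = secrets.randbelow(2)
    challenge = encrypt(key, m1 if b else m0)
    return adversary.guess(challenge, state) == b

class ReplayAdversary:
    """Asks the oracle for Enc(m0) before the challenge and checks whether the
    challenge ciphertext repeats it; decisive only if encryption is deterministic."""
    def choose(self, oracle):
        m0, m1 = b"\x00" * BLOCK, b"\x01" * BLOCK
        return m0, m1, oracle(m0)          # state = Enc(m0)
    def guess(self, challenge, enc_m0):
        return 0 if challenge == enc_m0 else 1

def advantage(encrypt, adversary, trials=2000):
    """Empirical |Pr[win] - 1/2| over repeated independent games."""
    wins = sum(ind_cpa_game(encrypt, adversary) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic:", advantage(det_encrypt, ReplayAdversary()))  # 0.5
    print("randomized:   ", advantage(rand_encrypt, ReplayAdversary()))  # ~0 (below 0.1)
```

The deterministic scheme is not "broken" in any computational sense; it simply fails the definition, which is exactly the gap a precise game exposes.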

Practical relevance

Choosing the right definition is consequential: encryption used in interactive protocols needs CCA security, not just CPA, and padding-oracle attacks on real systems (such as early TLS) directly resulted from deploying schemes that met too weak a definition. Adversary models also clarify what a deployment does not protect against — for example, models that ignore side channels explain why timing and power attacks succeed against otherwise 'secure' implementations.

Evidence & guidelines

Modern standards require schemes to meet strong definitions: authenticated encryption (IND-CCA plus integrity) is the default for confidentiality, and signatures must be existentially unforgeable under adaptive chosen-message attack. The Universal Composability framework provides definitions that remain secure under arbitrary composition. Implementations additionally require side-channel-resistant (constant-time) coding beyond the formal model.

History

Before the 1980s, security was judged informally. Goldwasser and Micali's semantic security (1982-1984) introduced rigorous, indistinguishability-based definitions, soon extended to chosen-ciphertext models and to unforgeability for signatures and MACs. The ideal/real simulation paradigm and Canetti's Universal Composability framework (2001) addressed security under composition, completing a definitional foundation that now governs all serious cryptographic analysis.

Key figures

  • Shafi Goldwasser
  • Silvio Micali
  • Oded Goldreich
  • Ran Canetti
  • Mihir Bellare


Frequently asked questions

What is the difference between CPA and CCA security?
Chosen-plaintext-attack (CPA) security assumes the adversary can obtain encryptions of messages it chooses. Chosen-ciphertext-attack (CCA) security additionally lets it obtain decryptions of ciphertexts it chooses, a stronger model needed whenever an attacker can submit ciphertexts and observe how the system reacts.
If a scheme is provably secure, why do side-channel attacks work?
Security definitions model an adversary that sees inputs and outputs, not physical leakage like timing, power consumption, or electromagnetic emissions. A real implementation can leak secrets through these channels even though the abstract scheme meets its definition, which is why constant-time, leakage-resistant implementations are also required.