Part I · 2 — Goals and adversary models

draft

Security is not an absolute property — it is always against a defined adversary. This section makes precise the goals from the previous chapter and introduces the yardstick by which a scheme is measured: the threat model.


2.1 Kerckhoffs's principle

Auguste Kerckhoffs, in La Cryptographie Militaire (1883), established the principle that underpins all modern cryptography:

The security of a system must depend only on the secrecy of the key — never on the secrecy of the algorithm.

The algorithm must be able to fall into the enemy's hands without compromising anything. The modern reformulations are famous: "the enemy knows the system" (Shannon) and "security through obscurity is no security" (Schneier).

The consequence is direct and counterintuitive for beginners: cryptographic algorithms must be public and scrutinized. Trust comes from decades of failed attacks under public light — not from hiding the design. It is also why "I invented my own cipher" is always a bad idea.


2.2 The goals, formally

The previous chapter listed the goals by the user's question. Here is what each one means to the cryptographer:

Goal Formal meaning (informal)
Confidentiality The ciphertext reveals no useful information about the plaintext to a bounded adversary.
Integrity Any alteration of the data is detectable with overwhelming probability.
Authenticity Only someone with the key can produce data that verifies — proving the origin.
Non-repudiation The proof of origin is verifiable by third parties (signatures only, not MACs).

Two advanced properties, required of modern protocols:

  • Forward secrecy (FS): compromising today's key does not reveal

    yesterday's traffic. Achieved by discarding ephemeral session keys.

  • Post-compromise security (PCS): after a compromise, the system recovers

    with a new key exchange. It is what Signal's double ratchet guarantees.

MAC vs. signature — the difference that confuses the most: both prove authenticity. But a MAC uses a shared key — whoever verifies could also have forged it, so it does not serve as proof to third parties. A signature uses the author's private key — only they could have produced it, so it gives non-repudiation. Need to prove to a judge who signed? Signature. Just need you to trust that it came from your peer? MAC (faster).


2.3 The adversary model

Proving security requires stating what the adversary can do. The models form a ladder of increasing power — a scheme secure against a strong model is secure against all the weaker ones.

The ladder of adversary models, from weakest to strongest

Model The adversary can… Standard required today
COA (ciphertext-only) See only ciphertexts. Historical minimum.
KPA (known-plaintext) See (plaintext, ciphertext) pairs.
CPA (chosen-plaintext) Choose plaintexts and see the ciphertexts. Basis of modern confidentiality.
CCA (chosen-ciphertext) Also choose ciphertexts and see the decryptions. Required of any serious cipher.

The modern security target for ciphers is IND-CCA2 (indistinguishability under adaptive chosen-ciphertext attack): the adversary cannot distinguish the encryption of two messages of their choosing, even while able to request decryptions of other ciphertexts. This is why AEAD (cipher + authentication together, like AES-GCM) is the default — encrypting without authenticating leaves real CCA holes.

Beyond the logical model, there is the physical adversary: side-channel attacks — execution time, power consumption, electromagnetic emanation, cache. A mathematically perfect cipher leaks the key if the implementation takes different time depending on the bits of the secret. Hence the requirement for constant-time code.


2.4 Perfect security vs. computational security

There are two levels of guarantee, and almost everything in practice is the second:

  • Perfect security (unconditional): the ciphertext gives no

    information about the plaintext, not even to an adversary with infinite computing power. The One-Time Pad achieves this — but Shannon's theorem proves the price: the key must be as long as the message, random, and used only once. Impractical at scale.

  • Computational security: breaking the scheme is possible in theory, but

    requires infeasible resources (e.g., \(2^{128}\) operations). It is what every real system uses. The security rests on problems we believe to be hard (factoring, discrete logarithm) — not on proven impossibility.

This distinction is the Achilles' heel of the post-quantum era: the hard problems that underpin RSA and elliptic curves stop being hard for a quantum computer (Shor's algorithm) — hence Part IV of this compendium.


2.5 Confusion and diffusion

How does a concrete cipher manage to look random? Shannon (1949) gave the two design principles that every modern block cipher follows:

  • Confusion: the relationship between the key and the ciphertext must be *omplex and

    non-linear — each output bit depends on many key bits. Implemented by S-boxes*(substitution).

  • Diffusion: the relationship between plaintext and ciphertext must be spread out

    changing one input bit changes half the output bits (the avalanche effect). Implemented by permutation/mixing.

Ciphers alternate layers of confusion and diffusion across several rounds. The two dominant structures are the substitution-permutation network (SPN — used by AES) and the Feistel network (used by DES). Part II details each one.


Where to go deeper: the formal definitions, the complete Shannon theorem, and the catalog of models are in the reference — 02-fundamentals. Part I ends here; Part II — Primitives (in progress) opens the black boxes: block and stream ciphers, hash functions, and the leap to asymmetry.