# Questions tagged as ['semantic-security']

To encrypt a group element $P$ with public key $K$ and randomness $r$ using ElGamal on elliptic curves with base point $G$ we do the following $(c_1, c_2) = (r\cdot G; P+r\cdot K)$.

When we want to encrypt a free-form message $m$, we have to convert it to a group element $P$ first. For that, we can either use scalar multiplication $P=m\cdot G$ (additively homomorphic) or map the message $P = map(m) ...

I'm currently studying a paper (*Sequences of Games: A Tool for Taming Complexity in Security Proofs*) on proving semantic security using the Game Hopping technique by Victor Shoup.

On pages 9-11, he is using a sequence of three games, $Game 1$, $Game 2$, and $Game 3$ to deduct the semantic security of Hashed ElGamal to DDH and entropy smoothing assumptions. How does he combine the three probabilitie ...

Do I need to pay special attention to key recovery attack while focusing on semantic security?

The book "A Graduate Course in Applied Cryptography" by Dan Boneh and Victor Shoup doesn't focus on key recovery attack while talking about semantic security, but it does when mentioning on block cipher.

The Cipher Block Chaining algorithm for generating message authentication codes uses a 0 IV . So my understanding is that same messages will generate same MACs which seems to violate semantic security. An attacker may deduce that 2 messages are same by looking at the MAC. Is my intuition correct?

While reading tutorials on two-party computation I encountered two (at least formally) different definitions of security (with semi-honest adversaries). What I want to know is whether these definitions are actually different or can be shown to be equivalent. I suspect that they are different, but I might be missing something, considering that I have not read anywhere about different definitions.

...

I need help understanding semantic security, in particular, the part on the 'game'.

But first, from my understanding, is semantic security is a 'weaker' and more flexible way to determine that a cryptographic function is secure enough for use? I understand that the definition for perfect secrecy is often too rigid and hence semantic security gives some leeway in defining something that's secure e ...

Can Shamir secret sharing scheme (SSS) be verified using automated verification tools such as AVISPA? I read in the HLPSL manual that we cannot use arithmetic or relative operations such +,-,< ...etc in the HLPSL description of the protocol. Thus, we cannot implement LaGrange's interpolation formula?!! Do all protocol verification have this limitation?

(There are other protocol verification to ...