Code-Based Game-Playing Proofs and the Security of Triple Encryption

The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC MAC, and the chosen-plaintext-attack security of OAEP.
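The following is an added example, not code from the paper, showing the code-based game style the abstract describes on its simplest showcase, the PRP/PRF Switching Lemma. Two games are written as code that differs only after a `bad` flag is set ("identical until bad"): Game G lazily samples a random function and merely records a collision, Game H resamples on collision and so implements a random permutation. The fundamental lemma of game playing then bounds any adversary's distinguishing advantage by Pr[bad], which a birthday argument caps at q(q-1)/2^(n+1). The game names G and H, the collision-finding adversary and the seeded-RNG trick for running both games on the same coins are choices made for this illustration, not the paper's notation.

```python
"""Code-based games for the PRP/PRF Switching Lemma: the two games differ
only after a `bad` flag is set, so the fundamental lemma of game playing
bounds the adversary's distinguishing advantage by Pr[bad]."""
import random
from fractions import Fraction


class Game:
    """Lazily sampled oracle on {0,1}^n (illustrative, not the paper's code).

    resample=False is Game G: a random function; a fresh sample that collides
    with an earlier output sets bad but is kept.
    resample=True  is Game H: identical code up to the point bad is set, then
    the colliding value is replaced by one drawn from the unused range, so the
    oracle is a random permutation.
    Both games draw from the supplied RNG, so two runs with the same seed
    consume the same coins until bad is set.
    """

    def __init__(self, n, rng, resample):
        self.n, self.rng, self.resample = n, rng, resample
        self.table, self.used, self.bad = {}, set(), False

    def query(self, x):
        if x in self.table:          # repeated query: answer consistently
            return self.table[x]
        y = self.rng.getrandbits(self.n)
        if y in self.used:           # the event the proof tracks
            self.bad = True
            if self.resample:        # only H does anything after bad is set
                unused = [v for v in range(1 << self.n) if v not in self.used]
                y = self.rng.choice(unused)
        self.table[x] = y
        self.used.add(y)
        return y


def collision_adversary(q):
    """A q-query adversary: asks q distinct points, outputs 1 on any collision."""
    def run(oracle):
        answers = [oracle(x) for x in range(q)]
        return 1 if len(set(answers)) < q else 0
    return run


def run_game(n, q, seed, resample):
    """Run the collision adversary in G (resample=False) or H (resample=True).
    Requires q <= 2^n so that H always has an unused value to resample."""
    game = Game(n, random.Random(seed), resample)
    out = collision_adversary(q)(game.query)
    return out, game.bad, [game.table[x] for x in range(q)]


def switching_bound(q, n):
    """The Switching Lemma bound q(q-1)/2^(n+1) as an exact rational."""
    return Fraction(q * (q - 1), 2 ** (n + 1))


def exact_bad_prob(q, n):
    """Pr[bad] in G exactly: 1 - Pr[q samples from 2^n values are all distinct]."""
    p_distinct = Fraction(1)
    for i in range(q):
        p_distinct *= Fraction((1 << n) - i, 1 << n)
    return 1 - p_distinct


def identical_until_bad(n, q, trials):
    """Check the property the fundamental lemma needs: on the same coins, G and
    H set bad on the same query and, when bad is never set, return identical
    transcripts and identical adversary output."""
    for seed in range(trials):
        out_g, bad_g, ans_g = run_game(n, q, seed, resample=False)
        out_h, bad_h, ans_h = run_game(n, q, seed, resample=True)
        if bad_g != bad_h:
            return False
        if not bad_g and (out_g != out_h or ans_g != ans_h):
            return False
    return True


def advantage_and_bad(n, q, trials):
    """Monte Carlo estimates of |Pr[A^G=1] - Pr[A^H=1]| and Pr[A^G sets bad]."""
    out_g = out_h = bad = 0
    for seed in range(trials):
        og, bg, _ = run_game(n, q, seed, resample=False)
        oh, _, _ = run_game(n, q, seed, resample=True)
        out_g += og
        out_h += oh
        bad += bg
    return abs(out_g - out_h) / trials, bad / trials


if __name__ == "__main__":
    n, q = 8, 16
    gap, p_bad = advantage_and_bad(n, q, 2000)
    print("identical-until-bad:", identical_until_bad(n, q, 2000))
    print(f"advantage {gap:.4f} <= Pr[bad] {p_bad:.4f} "
          f"<= bound {float(switching_bound(q, n)):.4f} "
          f"(exact Pr[bad] {float(exact_bad_prob(q, n)):.4f})")
```

The collision adversary is the worst case for this lemma: against H (a permutation) it never outputs 1, and against G it outputs 1 exactly when bad is set, so its advantage equals Pr[bad] and the chain advantage <= Pr[bad] <= q(q-1)/2^(n+1) is tight up to the birthday approximation. Writing the games as code makes the "identical until bad" claim something you can check mechanically rather than argue informally, which is the point of the framework.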
