Complete characterization of security notions for probabilistic private-key encryption

Understanding the security of encryption methods has been a major area of research in both modern and tradit ional cryptography. We investigate the relation between notions of security for symmetric (private) key encryption. The security goals of both indistinguishabili ty and non-malleabili ty are considered, each under all possible combinations of adaptive or n0n-adaptive chosen-plaintext and chosen-ciphertext attacks. We are thus able to construct a complete hierarchy of private-key security notions indicating equivalences, separations, and incomparabilities. Perhaps the most surprising result, which has no analogue in the public-key setting, is that adaptive access to an encryption oracle does not help the adversary. That is, any scheme which can be broken (in polynomial time) with an adaptive chosen plaintext at tack can be broken (in polynomial time) with a non-adaptive chosen plaintext attack. This holds under all security notions.

[1]  G. S. Vernam,et al.  Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications , 1926, Transactions of the American Institute of Electrical Engineers.

[2]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[3]  Andrew Chi-Chih Yao,et al.  Theory and Applications of Trapdoor Functions (Extended Abstract) , 1982, FOCS.

[4]  Silvio Micali,et al.  On the Cryptographic Applications of Random Functions , 1984, CRYPTO.

[5]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[6]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[7]  Silvio Micali,et al.  The Notion of Security for Probabilistic Cryptosystems , 1986, CRYPTO.

[8]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[9]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[10]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[11]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[12]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[13]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[14]  Michael Luby,et al.  Pseudorandomness and cryptographic applications , 1996, Princeton computer science notes.

[15]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[16]  Mihir Bellare,et al.  A concrete security treatment of symmet-ric encryption: Analysis of the DES modes of operation , 1997, FOCS 1997.

[17]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[18]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[19]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[20]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[21]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[22]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[23]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[24]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[25]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[26]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[27]  Mihir Bellare,et al.  Lecture Notes on Cryptography , 2001 .

[28]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[29]  Moti Yung,et al.  On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC , 2001, CT-RSA.

[30]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[31]  Chanathip Namprempre,et al.  Authenticated encryption in SSH: provably fixing the SSH binary packet protocol , 2002, CCS '02.

[32]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[33]  Moni Naor,et al.  On Chosen Ciphertext Security of Multiple Encryptions , 2002, IACR Cryptol. ePrint Arch..

[34]  Chanathip Namprempre,et al.  Secure Channels Based on Authenticated Encryption Schemes: A Simple Characterization , 2002, ASIACRYPT.

[35]  Antoine Joux,et al.  Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models: CBC, GEM, IACBC , 2002, CRYPTO.