Simplifying Game-Based Definitions: Indistinguishability up to Correctness and Its Application to Stateful AE

Often the simplest way of specifying game-based cryptographic definitions is apparently barred because the adversary would have some trivial win. Disallowing or invalidating these wins can lead to complex or unconvincing definitions. We suggest a generic way around this difficulty. We call it indistinguishability up to correctness, or IND\(\vert \)C. Given games \({{\text {G}}}\) and \({{\text {H}}}\) and a correctness condition \({{\text {C}}}\) we define an advantage measure \({\mathbf {Adv}_{{{\text {G}}},{{\text {H}}},{{\text {C}}}}^{{\text {indc}}}}\) wherein \({{{\text {G}}}}\)/\({{{\text {H}}}}\) distinguishing attacks are effaced to the extent that they are inevitable due to \({{\text {C}}}\). We formalize this in the language of oracle silencing, an alternative to exclusion-style and penalty-style definitions. We apply our ideas to a domain where game-based definitions have been cumbersome: stateful authenticated-encryption (sAE). We rework existing sAE notions and encompass new ones, like replay-free AE permitting a specified degree of out-of-order message delivery.

[1]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[2]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[3]  Britta Hale,et al.  From Stateless to Stateful: Generic Authentication and Authenticated Encryption Constructions with Application to TLS , 2015, CT-RSA.

[4]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[5]  Chanathip Namprempre,et al.  Secure Channels Based on Authenticated Encryption Schemes: A Simple Characterization , 2002, ASIACRYPT.

[6]  Kenneth G. Paterson,et al.  Data Is a Stream: Security of Stream-Based Channels , 2015, CRYPTO.

[7]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[8]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[9]  Mihir Bellare,et al.  Subtleties in the Definition of IND-CCA: When and How Should Challenge Decryption Be Disallowed? , 2013, Journal of Cryptology.

[10]  Tadayoshi Kohno,et al.  Building Secure Cryptographic Transforms, or How to Encrypt and MAC , 2003, IACR Cryptol. ePrint Arch..

[11]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[12]  Chanathip Namprempre,et al.  Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.