Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.
ASIACRYPT 2018
M. Fischlin, J. P. Degabriele
What this talk is about…
• We propose and explore new security definitions for symmetric encryption based on simulation.
• Our primary focus is on secure channels rather than nonce-based encryption but it could be adapted to the latter.
• Conceptually interesting, non-trivial to formalise, allow simpler proofs, and imply universal composability.
Outline of this talk
• Background and Motivation
• The New Definitions and Relations
• SSH-CTR and Universal Composability
Background and Motivation
Extensions of Symmetric Encryption
• Stateful Security: protects against replay and reordering of ciphertexts [BKN02, KPB03, BHMS16].
• Leakage From Invalid Ciphertexts: protects against multiple errors, release of unverified plaintext, and other forms of leakage [BDPS13, ABLMMY14, HKR14, BPS15].
• Encryption Supporting Fragmentation: encryption operating over channels which may deliver ciphertexts in a fragmented fashion [PW10, BDPS12, FGMP15, ADHP16].
The Price We Pay…
Compare to Nonce-based Encryption
• For nonce-based encryption, IND$-CPA and nAE are the security notions of choice.
• Conceptually simpler, easier to prove, and stronger security.
• Inapplicable to channels due to specially formatted ciphertexts, multiple errors, and don’t support fragmentation.
• Can IND$-CPA and nAE be generalized to more complex settings?
[Figure: the IND$-CPA and nAE games. In IND$-CPA the adversary A interacts with \(\mathcal{E}_K(\cdot)\) or \(\$(\cdot)\); in nAE, A interacts with \(\mathcal{E}_K(\cdot), \mathcal{D}_K(\cdot)\) or \(\$(\cdot), \bot(\cdot)\).]
New Definitions and Relations
Syntax
• We consider two types of encryption schemes:
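• Atomic: \(c \leftarrow \mathcal{E}_K(m)\) ; \((v, m) \leftarrow \mathcal{D}_K(c)\), where \(v \in \{\top, \bot\}\) and \(m\) corresponds respectively to a message or a leakage string.
• Supporting Ciphertext Fragmentation: \(c \leftarrow \mathcal{E}_K(m)\) ; \((v_1, m_1) \dots (v_\ell, m_\ell) \leftarrow \mathcal{D}_K(f)\), where \(\ell \in \{0, 1, 2, \dots\}\).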
Encryption Simulatability (ES)
• IND$ can be viewed as requiring encryption to be simulatable, where in this case the simulator is of a specific type.
• Then a natural generalization is to require the existence of an efficient simulator \(S\) such that \(\Pr[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1] - \Pr[A^{S(\cdot)} \Rightarrow 1] \le \epsilon\).
• However, this does not quite work: encryption could leak the message and still be simulatable!
• Replacing \(S(\cdot)\) with \(S(|\cdot|)\) solves the issue.
Encryption Simulatability (ES)
IND$-CPA ⟹ ES ⟺ IND-CPA
• For any IND-CPA scheme, we can let \(S(\ell) = \mathcal{E}_{K'}(0^\ell)\) for a key \(K'\), sampled independently (simulator is stateful).
• However the equivalence does not extend to chosen-ciphertext security:
ES-CCA ⟸ IND-CCA
• If we further require the simulator to be stateless we get key-privacy.
ES ∧ Stateless(S) ⟹ KP-CPA
Decryption Simulatability (DS)
• Similarly, we can consider a notion where we require decryption to be simulatable.
• Then DS requires the existence of an efficient simulator \(S\) such that \(\Pr[A^{\mathcal{E}_K(\cdot), \mathcal{D}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\mathcal{E}_K(\cdot), S(\cdot)} \Rightarrow 1] \le \epsilon\).
• To be satisfiable, we need, as usual, to suppress/prohibit queries from \(\mathcal{E}_K(\cdot)\) to \(S(\cdot)\).
• Alternatively, in this case, we can give the simulator access to a transcript of the encryption queries.
Decryption Simulatability (DS)
• Intuitively, the information in the transcript is already known to the adversary and should not degrade security.
• However, if \(S\) is given unrestricted access to the transcript then
IND-CPA ⋀ DS ⟹ IND-CCA.
[Figure: the adversary A with oracles \(\mathcal{E}_K(\cdot)\) and \(S(\cdot)\); the transcript T and the wrapper W.]
• Problem: The simulator can use the transcript to answer queries not in the transcript!
• Solution: Control the simulator’s access to the transcript via a fixed wrapper algorithm W.
Relations Between ES and DS
• As desired, DS reduces chosen-ciphertext security to chosen-plaintext security:
IND-CPA ∧ DS ⟹ IND-CCA
where an ES version also holds.
• On the other hand:
IND-CCA ⟹ DS but ES-CCA ⟹ DS
thereby establishing a relation between encryption simulatability and decryption simulatability.
DS and Ciphertext Integrity
• We can formulate ciphertext integrity as a special case of decryption simulatability by imposing an extra requirement on the simulator.
• Informally, a scheme is DS-I secure if it is DS secure, and the simulator \(S\) always returns outputs of the form \((\bot, \cdot)\).
• Thus if a scheme is shown to be DS, ciphertext integrity follows simply from the design of the simulator.
• As expected, it can be shown that:
DS-I ⟹ INT-CTXT
Combining ES and DS-I
• We can now combine encryption simulatability and decryption simulatability into a single notion (ES ∧ DS-I).
• \(\exists S_e, S_d\ \forall A\) it holds \(\Pr[A^{\mathcal{E}_K(\cdot), \mathcal{D}_K(\cdot)} \Rightarrow 1] - \Pr[A^{S_e(|\cdot|),\, W[S_d](\cdot)} \Rightarrow 1] \le \epsilon\).
• Intuitively it says that oracle access to the channel provides no additional computational abilities to the adversary.
• It’s an IND-CCA/AE type of definition with no prohibited queries!
The Case of SSH
[Figure: SSH packet format. Fields (size in bytes): Sequence Number (4), Packet Length (4), Pad Len (1), Payload, Padding (≥4). Encrypt produces the Ciphertext and PRF-MAC produces the MAC tag.]
• Encode-then-Encrypt&MAC construction.
• Decryption: (a) decrypt the Packet Length field, (b) wait until that many bytes are received, (c) resume decrypting the rest of the ciphertext.
SSH Cannot Satisfy ES ∧ DS-I
• Problem: In the fragmentation setting \(S_d\) needs to identify ciphertext boundaries in order to determine when to return an output.
• At the same time, for \(S_e\) to be a good simulator the contents of the length field should remain hidden (if the encryption is good).
• Solution: Let \(S_e\) and \(S_d\) share randomness or memory.
• We go a step further and replace them with a single simulator (with an encryption interface and a decryption interface).
Channel Simulatability
• This leads us to the following definition:
\(\exists S\ \forall A\) such that \(\Pr[A^{\mathcal{E}_K(\cdot), \mathcal{D}_K(\cdot)} \Rightarrow 1] - \Pr[A^{S(e,|\cdot|),\, W[S](d,\cdot)} \Rightarrow 1] \le \epsilon\).
• Satisfiable by a larger class of schemes while retaining all the nice properties of ES ∧ DS-I.
CS-I ⟹ IND-CCA, INT-CTXT
• New proof goal: transform the scheme, through a sequence of game hops, into an algorithm devoid of the secret key and the message.
SSH-CTR and Universal Composability
alg. SSH-CTR-E_K(m)
  parse K as (Ke, Km, IV)
  if e-seqnr = 0
    e-ctr ← IV  // initialise on first call
  mlen ← |m|_B
  // calculate padding length
  padlen ← blocksize − (5 + mlen) % blocksize
  if padlen < 4
    padlen ← padlen + blocksize
  // encode the message
  pad ←$ {0, 1}^(padlen·8)
  len ← 1 + mlen + padlen
  ptxt ← ⟨len⟩_32 ∥ ⟨padlen⟩_8 ∥ m ∥ pad
  // encrypt and mac
  τ ← MAC(Km, ⟨e-seqnr⟩_32 ∥ ptxt)
  z ← ε
  while |z| < |ptxt|
    z ← z ∥ BC(Ke, e-ctr)
    e-ctr ← e-ctr + 1
  c ← (ptxt ⊕ z) ∥ τ
  e-seqnr ← e-seqnr + 1
  return c

alg. SSH-CTR-D_K(f)
  parse K as (Ke, Km, IV)
  if d-seqnr = 0 ∧ buf = ε
    d-ctr ← IV  // initialise on first call
  if closed
    out ← (⊥, CONN_CLOSED); break
  buf ← buf ∥ f ; out ← ε  // update buffer and reset output
  while (true)  // process buffer (buf)
    if |buf|_B < blocksize
      break  // first ciphertext block is incomplete
    // decrypt first ciphertext block
    ptxt′ ← buf[1, blocksize] ⊕ BC(Ke, d-ctr)
    d-ctr ← d-ctr + 1
    clen ← ⟨ptxt′[1, 32]⟩^(−1) + 4 + macsize
    inRange ← (16 + macsize ≤ clen ≤ 35000)
    isMult ← ((clen − macsize) % blocksize ≠ 0)
    if ¬inRange ∨ isMult  // validate length
      out ← out ∥ (⊥, INVALID_LENGTH)
      closed ← true; break
    if |buf|_B < clen
      break  // wait to complete ciphertext
    z ← ε  // decrypt and verify mac
    while |z| < (clen − blocksize − macsize)
      z ← z ∥ BC(Ke, d-ctr)
      d-ctr ← d-ctr + 1
    ptxt′ ← ptxt′ ∥ z ⊕ buf[blocksize + 1, clen − macsize]_B
    τ′ ← buf[clen − macsize + 1, clen]_B
    buf ← buf[clen + 1, *]_B  // remove decrypted ciphertext
    if τ′ ≠ MAC(Km, ⟨d-seqnr⟩_32 ∥ ptxt′)
      out ← out ∥ (⊥, INVALID_MAC)
      closed ← true; break
    padlen ← ⟨ptxt′[5, 5]_B⟩^(−1)  // validate padding length
    mlen′ ← clen − padlen − 4 − 1 − macsize
    if (mlen′ > 32789) ∨ (mlen′ < 1)
      out ← out ∥ (⊥, INVALID_PAD_LENGTH)
      closed ← true; break
    m′ ← ptxt′[6, clen − macsize − padlen]_B
    out ← out ∥ (⊤, m′)
    d-seqnr ← d-seqnr + 1
  return out
Fig. 6: The SSH-CTR scheme based on Dropbear’s implementation.
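The pseudocode of Fig. 6 as a runnable Python sketch, added here as an example (not the authors' or Dropbear's code). Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher BC, HMAC-SHA256 is the MAC, and the names Sender and Receiver are hypothetical; the first decrypted block is cached so that a fragment arriving mid-packet does not advance the counter twice.

```python
import hashlib
import hmac
import os

BLOCK, MACSIZE = 16, 32  # assumption: 16-byte blocks, 32-byte HMAC-SHA256 tags

def _bc(ke, ctr):
    # Stand-in for BC(Ke, ctr): HMAC-SHA256 used as a PRF, truncated to one block.
    return hmac.new(ke, ctr.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]

def _keystream(ke, ctr, n):
    # Return at least n keystream bytes and the advanced counter.
    z = b""
    while len(z) < n:
        z, ctr = z + _bc(ke, ctr), ctr + 1
    return z, ctr

def _mac(km, seqnr, ptxt):
    return hmac.new(km, seqnr.to_bytes(4, "big") + ptxt, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    def __init__(self, ke, km, iv):
        self.ke, self.km, self.ctr, self.seqnr = ke, km, iv, 0

    def encrypt(self, m):
        padlen = BLOCK - (5 + len(m)) % BLOCK
        if padlen < 4:
            padlen += BLOCK
        length = (1 + len(m) + padlen).to_bytes(4, "big")
        ptxt = length + bytes([padlen]) + m + os.urandom(padlen)
        tag = _mac(self.km, self.seqnr, ptxt)
        z, self.ctr = _keystream(self.ke, self.ctr, len(ptxt))
        self.seqnr += 1
        return _xor(ptxt, z) + tag

class Receiver:
    def __init__(self, ke, km, iv):
        self.ke, self.km, self.ctr, self.seqnr = ke, km, iv, 0
        self.buf, self.closed = b"", False
        self.first = None  # decrypted first block of the packet being assembled

    def _fail(self, out, err):
        self.closed = True
        return out + [(False, err)]

    def decrypt(self, f):
        """Process one fragment; return a list of (valid, message-or-error) pairs."""
        if self.closed:
            return [(False, "CONN_CLOSED")]
        self.buf += f
        out = []
        while True:
            if self.first is None:
                if len(self.buf) < BLOCK:
                    break  # first ciphertext block is incomplete
                ks, self.ctr = _keystream(self.ke, self.ctr, BLOCK)
                self.first = _xor(self.buf[:BLOCK], ks)
            clen = int.from_bytes(self.first[:4], "big") + 4 + MACSIZE
            if not (16 + MACSIZE <= clen <= 35000) or (clen - MACSIZE) % BLOCK != 0:
                return self._fail(out, "INVALID_LENGTH")
            if len(self.buf) < clen:
                break  # wait to complete ciphertext
            z, self.ctr = _keystream(self.ke, self.ctr, clen - BLOCK - MACSIZE)
            ptxt = self.first + _xor(z, self.buf[BLOCK:clen - MACSIZE])
            tag = self.buf[clen - MACSIZE:clen]
            self.buf, self.first = self.buf[clen:], None
            if not hmac.compare_digest(tag, _mac(self.km, self.seqnr, ptxt)):
                return self._fail(out, "INVALID_MAC")
            padlen = ptxt[4]
            mlen = clen - padlen - 4 - 1 - MACSIZE
            if mlen > 32789 or mlen < 1:
                return self._fail(out, "INVALID_PAD_LENGTH")
            out.append((True, ptxt[5:5 + mlen]))
            self.seqnr += 1
        return out
```

A length field that decrypts out of range is rejected as soon as the first 16 bytes arrive, while a damaged tag is only reported once the whole ciphertext is buffered; these are the observable behaviours a simulator has to reproduce.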
• SSH-CTR in OpenSSH was analysed in [PW10] using a different security model supporting fragmentation.
• We provide a considerably simpler proof showing that SSH-CTR is CS-I secure.
• Corollary: SSH-CTR is universally composable.
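To make the proof goal concrete, here is a key-free, message-free simulator for the SSH-CTR behaviour of Fig. 6, with an encryption interface S(e, |m|) and a decryption interface S(d, f) sharing state. This is an added illustration, not the simulator from the paper's proof. Assumptions: 16-byte blocks and 32-byte tags; the class names are hypothetical; and, as a simplification, the simulator reports in-sync deliveries by index and the wrapper substitutes the message from the transcript T.

```python
import os

BLOCK, MACSIZE = 16, 32  # assumption: 16-byte blocks, 32-byte MAC tags

def ctxt_len(mlen):
    """Ciphertext length of SSH-CTR-E for an mlen-byte message (padding rule of Fig. 6)."""
    padlen = BLOCK - (5 + mlen) % BLOCK
    if padlen < 4:
        padlen += BLOCK
    return 4 + 1 + mlen + padlen + MACSIZE

class Simulator:
    """Single stateful simulator: enc is S(e, |m|), dec is S(d, f)."""
    def __init__(self):
        self.sent = []    # ciphertexts handed out by the e-interface
        self.forced = {}  # packet index -> 4 keystream bytes fixed by an early d-query
        self.buf, self.k, self.clen, self.closed = b"", 0, None, False

    def enc(self, mlen):
        c = os.urandom(ctxt_len(mlen))  # uniformly random bytes of the right length
        i = len(self.sent)
        if i in self.forced:  # stay consistent with a length the d-interface already used
            true_len = (len(c) - 4 - MACSIZE).to_bytes(4, "big")
            c = bytes(a ^ b for a, b in zip(true_len, self.forced[i])) + c[4:]
        self.sent.append(c)
        return c

    def _length_field(self, c4):
        if self.k < len(self.sent):  # CTR is malleable: ptxt' = ptxt XOR (c' XOR c)
            true_len = len(self.sent[self.k]) - 4 - MACSIZE
            sent4 = int.from_bytes(self.sent[self.k][:4], "big")
            return true_len ^ int.from_bytes(c4, "big") ^ sent4
        r = os.urandom(4)  # keystream not used yet: the decrypted field is uniform
        self.forced[self.k] = bytes(a ^ b for a, b in zip(r, c4))
        return int.from_bytes(r, "big")

    def _fail(self, out, err):
        self.closed = True
        return out + [(False, err)]

    def dec(self, f):
        if self.closed:
            return [(False, "CONN_CLOSED")]
        self.buf += f
        out = []
        while True:
            if self.clen is None:
                if len(self.buf) < BLOCK:
                    break
                self.clen = self._length_field(self.buf[:4]) + 4 + MACSIZE
            if not (16 + MACSIZE <= self.clen <= 35000) or (self.clen - MACSIZE) % BLOCK:
                return self._fail(out, "INVALID_LENGTH")
            if len(self.buf) < self.clen:
                break
            pkt, self.buf = self.buf[:self.clen], self.buf[self.clen:]
            if self.k >= len(self.sent) or pkt != self.sent[self.k]:
                return self._fail(out, "INVALID_MAC")  # anything out of sync fails the MAC
            out.append((True, self.k))  # in sync: the wrapper fills in message k
            self.k, self.clen = self.k + 1, None
        return out

class SimulatedWorld:
    """The adversary's view in the simulated world; only this class touches messages."""
    def __init__(self):
        self.sim, self.T = Simulator(), []

    def send(self, m):
        c = self.sim.enc(len(m))  # the simulator sees only |m|
        self.T.append(m)          # transcript T, kept outside the simulator
        return c

    def recv(self, f):
        # Wrapper W: replace in-sync indices by transcript messages, pass errors through.
        return [(True, self.T[x]) if ok else (ok, x) for ok, x in self.sim.dec(f)]
```

Because the length field of the plaintext is determined by |m| and CTR mode is malleable, the simulator can predict, from the XOR difference alone, which error a modified first block triggers and after how many bytes.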
UC Secure Channel [CK02]
[Figure: Ideal World (without corruptions). Labels: Env, P1, P2, ℱSC [Channel], ℱSC [CE], Sim, (EstCh, sid, P1, P2); P1 inputs m and P2 outputs m, while Sim sees |m| and issues deliver.]
Compare to Channel Simulatability
23A
<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AAAB8nicbVA9SwNBEJ3zM55fUUubxSBYhTsbbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPhh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm55b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUUrDBPcFixnBxkpBJ8FmQDDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/kk8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM44MhIV96MeU5QYPrIEE8VsVkQGWGFi7Jdc+wR//uRF0jyt+l7Vv/MqtWuYogSHcAQn4MMZ1OAW6tAAAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA==</latexit><latexit sha1_base64="fbCHEFfi3oPmznn90JPU1PpoQqo=">AAAB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AAAB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX88G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm88gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICCgmd4hTcHnRfn3flYjFaccucY/sD5/AFvDpFT</latexit>
T<latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit>
CS-I Simulated World
• The simulated world in CS-Icorresponds quite closely to theideal world in the UC setting.
• ⋅ + # + T ⟶ℱ&' [Channel]
( ⟶ Env + P1 + P2
)(+/-,⋅) ⟶ Sim
S(e, | · |)
S(d, ·)
W
Summary and Concluding Remarks
• The aim was to generalize IND$, and we reached a notion that is very close to a UC secure channel (Channel Simulatability).
• Arguably, CS is easier to use and understand than UC.
• It is closer in spirit to AE/CCA but more versatile, devoid of prohibited queries.
24