## Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes (2004)

Venue: Selected Areas in Cryptography ’04, LNCS

Citations: 6 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Fouque04blockwiseadversarial,
  author    = {Pierre-Alain Fouque and Antoine Joux and Guillaume Poupard},
  title     = {Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes},
  booktitle = {In Selected Areas in Cryptography ’04, LNCS},
  year      = {2004},
  publisher = {Springer-Verlag}
}
```

### Abstract

This paper formalizes the security adversarial games for on-line symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. On-line encryption schemes make it possible to encrypt a message even when the whole message is not known at the beginning of the encryption. The newly introduced adversaries capture the on-line properties better than the classical ones: in the new model, the adversaries are allowed to send messages block-by-block to the encryption machine and receive the corresponding ciphertext blocks on-the-fly. This kind of attacker is called a blockwise adversary and is stronger than the standard one, which treats messages as atomic objects. In this paper, we compare the two adversarial models for on-line encryption schemes. For probabilistic encryption schemes, we show that security is not preserved, unlike for deterministic schemes; we prove in the appendix of the full version that in the latter case the two models are polynomially equivalent in the number of encrypted blocks. Moreover, in the blockwise model a polynomial number of concurrent accesses to encryption oracles has to be taken into account, which leads to the strongest security notion in this setting. Furthermore, we show that this notion is achievable by exhibiting a scheme secure under it.
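The separation claimed above for probabilistic schemes can be made concrete with the Π′ construction quoted in the citation contexts further down the page (E′ returns M[3] in the clear whenever M[2] = C[1]). The following Python simulation is an added example, not code from the paper or its authors. It assumes a constructed underlying scheme Π (a counter-mode-like on-line scheme with a fresh per-message nonce, with HMAC-SHA256 standing in for the block cipher E_k) and plays the find-then-guess game against Π′ once with a blockwise oracle and once with the standard oracle that only accepts whole messages.

```python
"""Added toy model of the paper's Pi' counterexample (not the authors' code).

Pi (constructed here, an assumption) is a probabilistic on-line scheme: a fresh nonce R
per message and C[i] = E_k(R, i) xor M[i].  Pi' is the paper's twist on it: when i = 3
and M[2] = C[1], block 3 is returned in the clear.  E_k is stood in for by HMAC-SHA256.
"""
import hashlib
import hmac
import random

BLOCK = 8  # block length in bytes (constructed toy parameter; the paper writes n bits)


def prf(key, nonce, i):
    """Stand-in for the keyed block function E_k applied to (nonce, block index)."""
    return hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PiPrime:
    """On-line encryption machine for Pi' = (K, E', D'): every encrypt_block call
    returns C[i] immediately, which is exactly what a blockwise adversary exploits."""

    def __init__(self, key, nonce):
        self.key = key
        self.nonce = nonce  # fresh per-message randomness of Pi, sent in clear as a header
        self.M = []
        self.C = []

    def encrypt_block(self, m):
        """E'_k(M[i]) from the paper: if i = 3 and M[2] = C[1] return M[3], else E_k(M[i])."""
        self.M.append(m)
        i = len(self.M)  # 1-based block index, as in the paper
        if i == 3 and self.M[1] == self.C[0]:  # M[2] == C[1]
            c = m
        else:
            c = xor(prf(self.key, self.nonce, i), m)
        self.C.append(c)
        return c


def decrypt(key, nonce, C):
    """D'_k mirrors E'_k: block 3 is passed through when the recovered M[2] equals C[1]."""
    M = []
    for i, c in enumerate(C, start=1):
        if i == 3 and M[1] == C[0]:
            M.append(c)
        else:
            M.append(xor(prf(key, nonce, i), c))
    return M


def ftg_game(adversary, blockwise, rng):
    """One find-then-guess round against Pi'; True when the adversary recovers b."""
    key = rng.getrandbits(128).to_bytes(16, "big")
    nonce = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
    b = rng.randrange(2)
    machine = PiPrime(key, nonce)
    if blockwise:
        # Blockwise oracle: submit (M0[i], M1[i]) and receive C[i] = E'_k(M_b[i]) on the fly.
        oracle = lambda m0, m1: machine.encrypt_block((m0, m1)[b])
    else:
        # Standard oracle: both whole messages are committed before any ciphertext is shown.
        oracle = lambda M0, M1: [machine.encrypt_block(m) for m in (M0, M1)[b]]
    return adversary(oracle, rng) == b


def blockwise_adversary(oracle, rng):
    z = bytes(BLOCK)
    c1 = oracle(z, z)            # identical first blocks; C[1] is observed immediately
    oracle(c1, c1)               # choose M[2] = C[1], possible only because C[1] is known
    m0, m1 = b"\x11" * BLOCK, b"\x22" * BLOCK
    c3 = oracle(m0, m1)          # Pi' now returns M_b[3] in the clear
    return 0 if c3 == m0 else 1


def standard_adversary(oracle, rng):
    z = bytes(BLOCK)
    guess_c1 = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")  # C[1] depends on the unseen nonce
    m0, m1 = b"\x11" * BLOCK, b"\x22" * BLOCK
    C = oracle([z, guess_c1, m0], [z, guess_c1, m1])
    if C[2] == m0:
        return 0
    if C[2] == m1:
        return 1
    return rng.randrange(2)      # relation did not hold (probability 1 - 2^-n): coin flip


def win_rate(adversary, blockwise, trials=200, seed=0):
    """Fraction of rounds won, with a seeded RNG so the figures are reproducible."""
    rng = random.Random(seed)
    return sum(ftg_game(adversary, blockwise, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("blockwise adversary wins:", win_rate(blockwise_adversary, True))
    print("standard adversary wins: ", win_rate(standard_adversary, False))
```

The blockwise adversary wins every round, while the standard adversary stays near 1/2 because it has to commit to M[2] before C[1], which depends on the fresh nonce, exists. Had the constructed Π been deterministic, a standard chosen-plaintext adversary could have learned C[1] with one earlier encryption query and submitted the same three blocks, which is consistent with the abstract's statement that the two models only separate for probabilistic schemes.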

### Citations

1186 | Probabilistic encryption - Goldwasser, Micali - 1984
Context: ...y goal and an attack model [4]. Different security goals have been proposed so far, such as indistinguishability of ciphertexts (IND), one-wayness, non-malleability, ... For example, semantic security [14] formalizes the adversary’s inability to learn any information about a plaintext M underlying a challenge ciphertext C. This captures a strong notion of privacy and is also defined as indistinguishabi...

631 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986

455 | Relations among notions of security for public-key encryption schemes - Bellare, Desai, et al. - 1998
Context: ...the message is no longer used, in this last game, the advantage of the adversary is clearly 0. Putting together (1), (2), (3) we obtain $\mathrm{Adv}^{\text{lorc}}_{XOR,A}(k, t, q, \mu) \le \mathrm{Adv}^{\text{prf}}_{F,A}(k, t, q) + \frac{q(q-1)}{2}$ (4). Conclusion. In this paper we have analyzed the relations between the block adversary and the standard models for probabilistic and deterministic schemes. For probabilistic schemes, the relations ...

356 | A concrete security treatment of symmetric encryption - Bellare, Desai, et al. - 1997
Context: ... = (K, E′, D′) is a slight modification of the encryption function E, defined as follows. Algorithm E′_k(M[i]): if i = 3 and M[2] = C[1] then return M[3], else return E_k(M[i]). Algorithm D′_k(C[i]): if i = 3 and M[2] = C[1] then return C[3], else return D_k(C[i]). Clearly Π′ is FTG-BCPA-P2 secure, as Π is, as shown in the previous proofs. A BCPA adversary can choose the blocks of messages such that the rel...

186 | Foundations of Cryptography - Goldreich - 2004
Context: ...umber of encrypted queries. We prove here in the BA model that this relation holds between FTG-BCPA-D and LORS-BCPA. The proof is an adaptation of [3] and uses the same hybrid argument (introduced in [12]) in the blockwise setting. It is given in the appendix of the full version. Theorem 4. [LORS-BCPA ⇒ FTG-BCPA-D q→ LORS-BCPA] For any scheme SE = (K, E, D), $\mathrm{Adv}^{\text{ftg-bcpa-d}}_{SE}(k, t, q, \mu) \le \mathrm{Adv}^{\text{lors-bcpa}}$...

161 | Concurrent zero-knowledge - Dwork, Naor, et al. - 1998
Context: ...rsaries. Finally, we show that LORC-BCPA is the strongest security notion in the blockwise model. Concurrent adversaries have already been considered in other contexts such as zero-knowledge proofs in [8]. To our knowledge, it is the first time that concurrent adversaries appear in encryption schemes. In the BA model and for the LOR game, this notion is natural. Theorem 5. [LORS-BCPA ⇏ LORC-...

138 | OCB: a block-cipher mode of operation for efficient authenticated encryption - Rogaway, Bellare, et al. - 2001
Context: ...ypted message cannot be stored by the encryption machine. Indeed, usually in order to encrypt a message M with a symmetric scheme, M is first split into blocks of the length of the block cipher: M = M[1]M[2] ... M[l]. An encryption scheme is said to be on-line if the encryption of the block M[i] only depends on the previous blocks M[1], M[2], ..., M[i] and not on the next ones M[i + 1] ... M[l...

97 | OAEP Reconsidered - Shoup
Context: ...inst Π. Therefore, it is easy to show that if Π is secure, then so is Π′: $\mathrm{Adv}^{\text{ftg-cpa-p1}}_{\Pi'}(k, t, q, \mu) \le \mathrm{Adv}^{\text{ftg-cpa-p1}}_{\Pi}(k, t, q, \mu) + 2q/2^n$. We can prove this result using different games as in [21]. The first game G0 is the real security game and in the next game G1, the simulation is stopped as soon as the relation M[2] = C[1] holds. The difference between the two games can be analyzed using t...

92 | All-or-Nothing Encryption and the Package Transform - Rivest
Context: ... M[l]. There exist a lot of on-line encryption schemes such as ECB, CBC, OFB, CFB [19] or OCB [1]. However, some schemes require a pre-treatment of the whole plaintext before the encryption process [20] or require two encryption passes in two directions [16], and thus are not on-line. In this paper, we propose to study the relations between the security notions in the standard and blockwise models f...

63 | Complete characterization of security notions for probabilistic private-key encryption - Katz, Yung - 2000
Context: ...ard model does not imply security in the blockwise model. We also show that an equivalence for probabilistic schemes does not hold for on-line encryption schemes against the new adversarial model. In [18], Katz and Yung have mainly analyzed the relations between the non-malleability and the FTG notions for different adversaries having access or not to encryption or decryption oracles. For the FTG se...

16 | On the construction of variable-input-length ciphers - Bellare, Rogaway - 1999

15 | Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models - Joux, Martinet, et al. - 2002
Context: ...ermore, we show that this notion is valid by exhibiting a scheme secure under this security notion. 1 Introduction. In 2002, Joux, Martinet and Valette introduced the blockwise adaptive attacks (BA) in [17], in order to better model attackers in the real world. This adversarial model is particularly relevant to study the security of on-line schemes where output blocks are viewed gradually by the adversa...

14 | On-Line Ciphers and the Hash-CBC Construction - Bellare, Boldyreva, et al.
Context: ...cure. However, a CPA adversary cannot choose the blocks. Then the relation holds with probability 1/2^n for each message queried if E_k is a pseudo-random permutation. Indeed, except if the relation M[2] = C[1] holds, the CPA adversary gains no additional advantage in winning the FTG game against Π′ than against Π. Therefore, it is easy to show that if Π is secure, then so is Π′: $\mathrm{Adv}^{\text{ftg-cpa-p1}}(k, $...

10 | Concealment and its applications to authenticated encryption - Dodis, An - 2003
Context: ...ack of space. 1.3 Our Results. Several papers have considered blockwise adversaries either in order to attack some schemes such as in [17] or in order to prove security against such adversaries as in [10, 9, 7]. Our aim is to study the relations between the security notions in the standard model and in the blockwise model. Therefore, in section 2 we define more formally several security notions in order to ...

9 | Practical Symmetric On-Line Encryption - Fouque, Martinet, et al. - 2003
Context: ... at Crypto 2002 by Joux, Martinet and Valette in [17]. They show that several encryption schemes such as the CBC and IACBC are not secure in the BA model. At FSE 2003, Fouque, Martinet and Poupard in [10] show that a slight variant of the on-line CBC encryption scheme, and the CFB mode of operation, can be proved secure against blockwise chosen plaintext attack. For this, they introduce a strong securi...

7 | Online Encryption Schemes: New Security Notions and Constructions - Boldyreva, Taesombut - 2004
Context: ... authenticated on-line encryption mode against blockwise chosen ciphertext attacks. Finally, at RSA Conf 2004, Boldyreva and Taesombut introduced new security notions for chosen-ciphertext attacks in [6]. We will not take such adversaries into account here for lack of space. 1.3 Our Results. Several papers have considered blockwise adversaries either in order to attack some schemes such as in [17]...

5 | Authenticated On-Line Encryption - Fouque, Joux, et al. - 2003
Context: ...tion can be proved secure against blockwise chosen plaintext attack. For this, they introduce a strong security model. We show here that this model is the strongest one. At SAC 2003, Fouque et al. in [9] study the security of authenticated on-line encryption mode against blockwise chosen ciphertext attacks. Finally, at RSA Conf 2004, Boldyreva and Taesombut introduced new security notions for chosen-...

1 | A Tweakable Enciphering Mode - Herzberg, Jarecki, et al. - 2003