Ciphertext verification security of symmetric encryption schemes


HU ZhenYu (1), SUN FuChun (1) & JIANG JianChun (2)

(1) National Laboratory of Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing , China; (2) Institute of Software, Chinese Academy of Sciences, Beijing , China

This paper formally discusses the security problem caused by ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary access to both an encryption oracle and a ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguishability under chosen-ciphertext attacks), and is satisfied by most popular symmetric encryption schemes such as OTP (one-time pad), CBC (cipher block chaining) and CTR (counter). A MAC (message authentication scheme) is usually combined with encryption to guarantee secure communication (e.g. SSH, SSL and IPSec). However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil privacy in some cases.

Keywords: encryption, privacy, integrity, reaction attack, IND-CPA, IND-CCA

1 Introduction

1.1 Background and related works

CPA (chosen-plaintext attack) security and CCA (chosen-ciphertext attack) security are the two most important security measures for encryption schemes. CPA security gives the adversary access to the encryption oracle and is the basic requirement for an encryption scheme in practice. However, CPA security is not strong enough to guarantee the secrecy of data transferred across the Internet in the form of a secure channel.
One typical example is that, though the composite scheme MAC-then-Encrypt preserves the CPA security of the underlying encryption scheme, it may not be secure in the face of a reaction attack [1]. CCA security is stronger than CPA security: besides the encryption oracle, it gives the adversary access to the decryption oracle, with the only restriction that the adversary may not query the challenge ciphertext returned by the encryption oracle. While CCA security can be used to guarantee the privacy of data transferred across the Internet, it is the strongest notion of privacy and is too strong for the typical secure composite scheme Encrypt-then-MAC to satisfy generically. Moreover, CCA security is not robust enough: if a CCA-secure encryption scheme is modified harmlessly (e.g. a useless bit is appended to the ciphertext), it may no longer be CCA-secure. Given the insufficiency of CPA security and the unnecessary strength of CCA security when characterizing the privacy requirements of a secure channel, it is worthwhile to develop a new security notion that is stronger than CPA security but weaker than CCA security, and that fills the gap between them.

Received July 16, 2008; accepted January 15, 2009. doi: /s x. Corresponding author ( Hu zhyu@sina.com). Supported by the National Basic Research Program of China (Grant No. G2002cb312205). Citation: Hu Z Y, Sun F C, Jiang J C. Ciphertext verification security of symmetric encryption schemes. Sci China Ser F-Inf Sci, 2009, 52(9): , doi: /s x

Reaction attacks were first introduced by Hall et al. [2]; they work by modifying a sender's ciphertexts and observing the receiver's response. In this kind of attack, the attacker presents the owner of the private key with a ciphertext that may contain one or more errors detectable during decryption (that is, the ciphertext may decrypt to a plaintext that fails a simple signature or checksum verification). By watching the owner's reaction to determine whether or not the ciphertext decrypted correctly, the attacker can usually learn information about the plaintext or the private key. Unlike chosen-plaintext and chosen-ciphertext attacks, when a receiver verifies a ciphertext it provides the adversary with information about whether the received ciphertext is valid. In fact, it is the integrity verification that may disclose valuable information about the plaintext in a reaction attack. So integrity verification should be regarded as a special attack tool that an adversary can use to compromise the privacy of an encryption scheme, and a corresponding security notion should be introduced to capture security under this type of attack. With the spread of networks, data integrity and authentication receive more and more attention, and much work has been done to strengthen the secrecy of communication with MACs or signatures. While the combination of authentication (or signature) and encryption may enhance privacy in some cases (e.g. Encrypt-then-MAC), can it compromise privacy in other cases? We give this question a formal investigation.

1.2 Our contributions

We formally discuss the security problem of encryption caused by ciphertext verification, presenting a new security notion named IND-CVA to model the reaction attack. The new notion IND-CVA is slightly stronger than IND-CPA but much weaker than IND-CCA. Most popular symmetric encryption schemes, such as OTP, CBC and CTR, are secure in the sense of IND-CVA, though they are neither NM-CPA (non-malleability under chosen-plaintext attacks) nor IND-CCA secure. We investigate the relationship between the new notion IND-CVA and the conventional notions IND-CPA, IND-CCA and NM-CPA, showing that IND-CVA fills the gap between IND-CPA and IND-CCA. With the notion IND-CVA, we show how a secure MAC compromises the privacy of MAC-then-Encrypt. Moreover, we find that IND-CVA captures the exact (both sufficient and necessary) privacy requirement of a secure channel, while INT-PTXT captures the exact integrity requirement. IND-CVA reveals the negative influence of integrity verification on privacy, providing a practical reference for protocol designers.

1.3 Comparison with related works

Comparison with IND-gCCA security. An et al. [3] generalized the CCA attack with respect to an equivalence relation $R(\cdot,\cdot)$ on ciphertexts. The relation $R$ is defined as part of the encryption scheme and may depend on the public key $pk$, but must have the following property: if $R(C_1, C_2) = \mathrm{true}$ then $D(C_1) = D(C_2)$. Such an $R$ is called decryption-respecting. The adversary $A$ is then forbidden to ask for any $C'$ equivalent to the challenge ciphertext $C$, i.e. with $R(C, C') = \mathrm{true}$. An encryption scheme is secure against generalized CCA (gCCA) if there exists some efficient decryption-respecting relation $R$ with respect to which it is CCA-secure.
Though gCCA security may be sufficient for all applications where chosen-ciphertext security matters, it is probably still a slight overkill as a necessary and sufficient formalization of secure encryption from the application point of view. We would say that gCCA security is still overly strong, since in network channel environments an adversary may have no access to a decryption oracle at all [4-6]. Indeed, gCCA security tries to relax CCA security to the minimum extent possible, just enough to avoid the syntactic (robustness) problems of CCA security. In contrast, our CVA security tries to tighten CPA security to the minimum extent possible. As discussed in section 4, CVA security is just slightly stronger than CPA security while much weaker than gCCA security or CCA security. In particular, CVA security seems both sufficient and necessary for implementing secure channels, and more applicable for studying generic properties of secure encryption.

Comparison with loose CUF security. To solve the syntactic issue of CCA security, Krawczyk [1] presented the notion of loose CUF. As in gCCA security, a decryption-respecting relation $\rho$ is used: if $C$ and $C'$ are two valid ciphertexts computed under the encryption function $E_K(\cdot)$ for some key $K$, and $\rho(C, C')$ holds, then $C$ and $C'$ decrypt to the same plaintext under $K$. An encryption scheme $SE$ is CUF$^{\rho}$-CPA (loosely ciphertext-unforgeable under chosen-plaintext attacks) secure if for any valid ciphertext $C$ that a ciphertext forger $F$ can feasibly produce there exists a ciphertext $C'$ output by the encryption oracle under one of $F$'s queries such that $\rho(C, C')$ holds. Since the valid ciphertexts produced by a loose CUF attacker always decrypt to plaintexts already queried to the encryption oracle, and it is easy to determine which of the queried plaintexts they decrypt to, we think loose CUF security has no significant difference from INT-PTXT (integrity of plaintext) security. Moreover, while loose CUF limits the ciphertext forgeries available to the attacker to those that decrypt to previously queried plaintexts, the example attacker against the MtE scheme discussed in section 5 breaks the security of the channel without ever producing a valid ciphertext, which shows that loose CUF is insufficient for guaranteeing secure channels.

Comparison with CCVA security.
To characterize the privacy of a secure channel, Namprempre [7] proposed a new notion, IND-CCVA (indistinguishability under chosen-ciphertext attacks with verification). In IND-CCVA, the adversary is given access to an encryption oracle $E_K(\cdot)$ and a special decryption oracle $D_K(\cdot, M_b)$. Let $b \in \{0,1\}$; the oracle $D_K(\cdot, M_b)$ records the secret message $M_b$ that the encryption oracle chose at random from the message pair $(M_0, M_1)$ queried by the adversary. This oracle is the same as the standard decryption oracle $D_K(\cdot)$ except in one case: if a given ciphertext decrypts to $M_b$ (the challenge message used to produce the challenge ciphertext), then $D_K(\cdot, M_b)$ returns a special symbol $\pm$; otherwise it returns the decrypted message. As discussed by Namprempre, the resulting IND-CCVA security is so strong that an IND-CCA secure scheme may fail to be IND-CCVA secure. Besides the encryption oracle $E_K(\cdot)$ and the decryption oracle $D_K(\cdot)$, an IND-CCVA adversary thus has a third oracle $D_K(\cdot, M_b)$, which behaves exactly as $D_K(\cdot)$ except when the given ciphertext decrypts to $M_b$, in which case it returns $\pm$. Notice that when $\pm$ is returned by $D_K(C', M_b)$, it tells the adversary that the plaintext of the ciphertext $C'$ is the same as that of the challenge ciphertext $C$. If $C' = C$, the adversary learns nothing beyond the fact that the queried ciphertext is the challenge ciphertext itself. However, if $C' \neq C$, this reveals more information than CCA does (recall that CCA attackers are only forbidden from querying the decryption oracle on the challenge ciphertext itself): the response $\pm$ lets the adversary confirm a decryption-equivalence relation of the kind used in non-malleability security. In a CCA attack, the attacker may query the decryption oracle with an arbitrary ciphertext $C' \neq C$ and is returned the correct plaintext even if that plaintext is the challenge plaintext $M_b$. We argue that even in this case the value returned by $D_K(C')$ discloses no information about the challenge plaintext, because $D_K(C')$ just honestly reports what the corresponding plaintext is, rather than whether or not it is the challenge plaintext. When the adversary receives the response of $D_K(C')$ (where $C' \neq C$), it may at first be surprised to see one of the two plaintexts it chose for the challenge, but it will then find this useless, because an IND-CPA secure encryption algorithm is necessarily randomized or stateful; any deterministic, stateless scheme is insecure in the IND-CPA sense [8]. From this point of view, we say that IND-CCVA is even stronger than IND-CCA.

1.4 Outline of this paper

The remainder of this paper is organized as follows. Section 2 presents the preliminaries, including the traditional security notions for symmetric encryption schemes. Section 3 introduces the new security notion IND-CVA and gives some familiar examples of IND-CVA secure schemes. Section 4 discusses the relationship between IND-CVA and the traditional notions, showing that, as a new criterion for measuring the privacy of encryption schemes, it fills the gap between IND-CPA and IND-CCA. Section 5 investigates the practical impact of IND-CVA. Section 6 concludes.

2 Preliminary definitions

2.1 Notations

Throughout this paper, $|x|$ denotes the bit length of $x$ and $x \| y$ the concatenation of $x$ and $y$. The symbol $\oplus$ denotes bitwise exclusive-or. If $n$ is a positive integer, $\{0,1\}^n$ denotes the set of $n$-bit binary strings (we also use $\{0,1\}^*$ for the set of binary strings of arbitrary length). If $f$ is a randomized (resp. deterministic) algorithm, then $x \xleftarrow{R} f(y)$ (resp. $x \leftarrow f(y)$) denotes running $f$ on input $y$ and assigning the result to $x$. If $S$ is a set, then $x \xleftarrow{R} S$ denotes that $x$ is chosen uniformly at random from $S$. Furthermore, if $A$ is an adversary, then $A \Leftarrow x$ denotes an oracle answering $A$ with $x$ after $A$ queries the oracle.
2.2 Syntax and security of message authentication schemes

A message authentication scheme $MA = (\mathcal{K}, T, V)$ consists of three algorithms: the randomized key generation algorithm $\mathcal{K}$, which takes a security parameter $k \in \mathbb{N}$ and returns a key $K$ (we write $K \xleftarrow{R} \mathcal{K}(k)$); the tagging algorithm $T$, which may be randomized or stateful, takes the key $K$ and a message $M$ and returns a tag $\sigma$ (we write $\sigma \xleftarrow{R} T_K(M)$); and the deterministic verification algorithm $V$, which takes the key $K$, a message $M$ and a candidate tag $\sigma$ for $M$ and returns a bit $v$ (we write $v \leftarrow V_K(M, \sigma)$). We require that $V_K(M, T_K(M)) = 1$ for all $M \in \{0,1\}^*$. A message authentication scheme is sometimes called a MAC, and sometimes the tag $\sigma$ itself is called a MAC. To measure the security of a MAC, a forger $F$ is given access to the tagging oracle $T_K(\cdot)$ and the verification oracle $V_K(\cdot,\cdot)$, and its goal is to make $V_K(\cdot,\cdot)$ accept a pair $(M, \sigma)$ that was not legitimately produced (i.e. a forgery). If the message $M$ is new, meaning $F$ never queried $M$ to its tagging oracle, the forgery is called a weak forgery. If the message is not new but the tag is, the forgery is called a strong forgery: the adversary wins as long as $\sigma$ was never returned by the tagging oracle in response to the query $M$.

Definition 1 (Security of a message authentication scheme [9]). Let $MA = (\mathcal{K}, T, V)$ be a message authentication scheme. Let $k \in \mathbb{N}$, and let $F_W$ and $F_S$ be adversaries with access to two oracles. Consider the following experiments:

$\mathbf{Exp}^{\text{wuf-cma}}_{MA,F_W}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$. If $F_W^{T_K(\cdot),V_K(\cdot,\cdot)}$ makes a query $(M,\sigma)$ to the oracle $V_K(\cdot,\cdot)$ such that $V_K(M,\sigma)$ returns 1 and $M$ was never queried to the oracle $T_K(\cdot)$, then return 1, else return 0.

$\mathbf{Exp}^{\text{suf-cma}}_{MA,F_S}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$. If $F_S^{T_K(\cdot),V_K(\cdot,\cdot)}$ makes a query $(M,\sigma)$ to the oracle $V_K(\cdot,\cdot)$ such that $V_K(M,\sigma)$ returns 1 and $\sigma$ was never returned by the oracle $T_K(\cdot)$ in response to the query $M$, then return 1, else return 0.

We define the advantages of the forgers via

$\mathbf{Adv}^{\text{wuf-cma}}_{MA,F_W}(k) = \Pr[\mathbf{Exp}^{\text{wuf-cma}}_{MA,F_W}(k) = 1]$, $\quad \mathbf{Adv}^{\text{suf-cma}}_{MA,F_S}(k) = \Pr[\mathbf{Exp}^{\text{suf-cma}}_{MA,F_S}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_t, q_v, u_t, u_v$,

$\mathbf{Adv}^{\text{wuf-cma}}_{MA}(k,t,q_t,q_v,u_t,u_v) = \max_{F_W}\{\mathbf{Adv}^{\text{wuf-cma}}_{MA,F_W}(k)\}$, $\quad \mathbf{Adv}^{\text{suf-cma}}_{MA}(k,t,q_t,q_v,u_t,u_v) = \max_{F_S}\{\mathbf{Adv}^{\text{suf-cma}}_{MA,F_S}(k)\}$,

where the maximum is over all $F_W$, $F_S$ with time complexity $t$, making at most $q_t$ queries to $T_K(\cdot)$ the sum of whose lengths is at most $u_t$ bits, and at most $q_v$ queries to $V_K(\cdot,\cdot)$ the sum of whose lengths is at most $u_v$ bits. The scheme $MA$ is said to be WUF-CMA (weakly unforgeable under chosen-message attacks) secure, resp. SUF-CMA (strongly unforgeable under chosen-message attacks) secure, if the function $\mathbf{Adv}^{\text{wuf-cma}}_{MA,F}(k)$, resp. $\mathbf{Adv}^{\text{suf-cma}}_{MA,F}(k)$, is negligible for any forger $F$ whose time complexity is polynomial in $k$.

2.3 Syntax and security of symmetric encryption schemes

A symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ consists of three algorithms: the randomized key generation algorithm $\mathcal{K}$, which takes a security parameter $k \in \mathbb{N}$ and returns a key $K$ (we write $K \xleftarrow{R} \mathcal{K}(k)$); the encryption algorithm $E$, which may be randomized or stateful, takes the key $K$ and a plaintext $M$ and returns a ciphertext $C$ (we write $C \xleftarrow{R} E_K(M)$); and the decryption algorithm $D$, which is deterministic and stateless, takes the key $K$ and a string $C$ and returns either the corresponding plaintext $M$ or the invalid symbol $\bot$ (we write $x \leftarrow D_K(C)$ where $x \in \{0,1\}^* \cup \{\bot\}$). We require that $D_K(E_K(M)) = M$ for all $M \in \{0,1\}^*$.

Privacy of symmetric encryption schemes. The privacy of an encryption scheme is measured by indistinguishability via the left-or-right model of ref. [10].
The left-or-right encryption oracle $E_K(LR(\cdot,\cdot,b))$, where $b \in \{0,1\}$, takes input $(x_0, x_1)$, computes $C \leftarrow E_K(x_b)$ and returns $C$ (if $E$ is randomized, the oracle picks any coins that $E$ might need, and if $E$ is stateful it updates its state appropriately). The adversary may query the oracle $E_K(LR(\cdot,\cdot,b))$ with pairs $(x_0, x_1)$ of its choice consisting of two equal-length messages, and receives the oracle's output. Its goal is to guess the challenge bit $b$ chosen at random by the oracle. An encryption scheme is IND-CPA (indistinguishable under chosen-plaintext attacks) secure if no reasonable adversary can obtain a significant advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracle. To model IND-CCA (indistinguishability under chosen-ciphertext attacks), the adversary is additionally given access to the decryption oracle, with the only restriction that it cannot query the decryption oracle on a ciphertext output by the left-or-right encryption oracle.

Definition 2 (Indistinguishability of a symmetric encryption scheme [9]). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cpa}$ be an adversary with access to one oracle and $A_{cca}$ an adversary with access to two oracles. Consider the following experiments:

$\mathbf{Exp}^{\text{ind-cpa-}b}_{SE,A_{cpa}}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$; $b' \leftarrow A_{cpa}^{E_K(LR(\cdot,\cdot,b))}(k)$; return $b'$.

$\mathbf{Exp}^{\text{ind-cca-}b}_{SE,A_{cca}}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$; $b' \leftarrow A_{cca}^{E_K(LR(\cdot,\cdot,b)),\,D_K(\cdot)}(k)$; return $b'$.

Above it is mandated that $A_{cca}$ never queries $D_K(\cdot)$ on a ciphertext $C$ output by the $E_K(LR(\cdot,\cdot,b))$ oracle, and that the two messages queried of $E_K(LR(\cdot,\cdot,b))$ always have equal length. We define the advantages of the adversaries via

$\mathbf{Adv}^{\text{ind-cpa}}_{SE,A_{cpa}}(k) = \Pr[\mathbf{Exp}^{\text{ind-cpa-}1}_{SE,A_{cpa}}(k) = 1] - \Pr[\mathbf{Exp}^{\text{ind-cpa-}0}_{SE,A_{cpa}}(k) = 1]$,

$\mathbf{Adv}^{\text{ind-cca}}_{SE,A_{cca}}(k) = \Pr[\mathbf{Exp}^{\text{ind-cca-}1}_{SE,A_{cca}}(k) = 1] - \Pr[\mathbf{Exp}^{\text{ind-cca-}0}_{SE,A_{cca}}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$\mathbf{Adv}^{\text{ind-cpa}}_{SE}(k,t,q_e,u_e) = \max_{A_{cpa}}\{\mathbf{Adv}^{\text{ind-cpa}}_{SE,A_{cpa}}(k)\}$, $\quad \mathbf{Adv}^{\text{ind-cca}}_{SE}(k,t,q_e,q_d,u_e,u_d) = \max_{A_{cca}}\{\mathbf{Adv}^{\text{ind-cca}}_{SE,A_{cca}}(k)\}$,

where the maximum is over all $A_{cpa}$, $A_{cca}$ with time complexity $t$, each making at most $q_e$ queries to the oracle $E_K(LR(\cdot,\cdot,b))$ the sum of whose lengths is at most $u_e$ bits, and, in the case of $A_{cca}$, also making at most $q_d$ queries to the oracle $D_K(\cdot)$ the sum of whose lengths is at most $u_d$ bits. The scheme $SE$ is said to be IND-CPA (indistinguishable under chosen-plaintext attacks) secure, resp. IND-CCA (indistinguishable under chosen-ciphertext attacks) secure, if the function $\mathbf{Adv}^{\text{ind-cpa}}_{SE,A}(k)$, resp. $\mathbf{Adv}^{\text{ind-cca}}_{SE,A}(k)$, is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

Integrity of symmetric encryption schemes. To characterize the integrity (authenticity) of an encryption scheme $SE = (\mathcal{K}, E, D)$, an algorithm $D^*_K(\cdot)$, called the ciphertext verification algorithm or ciphertext verification oracle, is defined as follows [9]:

$D^*_K(C)$: if $D_K(C) \neq \bot$ then return 1, else return 0.

As in the security definition of a MAC, the adversary is given access to the encryption oracle $E_K(\cdot)$ and the ciphertext verification oracle $D^*_K(\cdot)$. Its goal is to make the verification oracle accept a ciphertext that was not legitimately produced (i.e. a forgery). If the corresponding plaintext was never queried to the encryption oracle, we call the forgery a plaintext forgery; a scheme in which it is computationally infeasible for the adversary to achieve this type of forgery is said to preserve the integrity of plaintexts. If the ciphertext was never returned by the encryption oracle, even if the corresponding plaintext was queried to the encryption oracle, we call the forgery a ciphertext forgery; a scheme in which it is computationally infeasible for the adversary to achieve this type of success is said to preserve the integrity of ciphertexts.

Definition 3 (Integrity of a symmetric encryption scheme [9]). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $k \in \mathbb{N}$. Let $A_{ptxt}$ and $A_{ctxt}$ be adversaries with access to two oracles. Consider the following experiments:

$\mathbf{Exp}^{\text{int-ptxt}}_{SE,A_{ptxt}}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$. If $A_{ptxt}^{E_K(\cdot),D^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that $D^*_K(C)$ returns 1 and $D_K(C)$ was never queried to the oracle $E_K(\cdot)$, then return 1, else return 0.

$\mathbf{Exp}^{\text{int-ctxt}}_{SE,A_{ctxt}}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$. If $A_{ctxt}^{E_K(\cdot),D^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that $D^*_K(C)$ returns 1 and $C$ was never a response of $E_K(\cdot)$, then return 1, else return 0.

We define the advantages of the adversaries via

$\mathbf{Adv}^{\text{int-ptxt}}_{SE,A_{ptxt}}(k) = \Pr[\mathbf{Exp}^{\text{int-ptxt}}_{SE,A_{ptxt}}(k) = 1]$, $\quad \mathbf{Adv}^{\text{int-ctxt}}_{SE,A_{ctxt}}(k) = \Pr[\mathbf{Exp}^{\text{int-ctxt}}_{SE,A_{ctxt}}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$\mathbf{Adv}^{\text{int-ptxt}}_{SE}(k,t,q_e,q_d,u_e,u_d) = \max_{A_{ptxt}}\{\mathbf{Adv}^{\text{int-ptxt}}_{SE,A_{ptxt}}(k)\}$, $\quad \mathbf{Adv}^{\text{int-ctxt}}_{SE}(k,t,q_e,q_d,u_e,u_d) = \max_{A_{ctxt}}\{\mathbf{Adv}^{\text{int-ctxt}}_{SE,A_{ctxt}}(k)\}$,

where the maximum is over all $A_{ptxt}$, $A_{ctxt}$ with time complexity $t$, each making at most $q_e$ queries to the oracle $E_K(\cdot)$ the sum of whose lengths is at most $u_e$ bits, and at most $q_d$ queries to the oracle $D^*_K(\cdot)$ the sum of whose lengths is at most $u_d$ bits. The scheme $SE$ is said to be INT-PTXT (integrity of plaintexts) secure, resp. INT-CTXT (integrity of ciphertexts) secure, if the function $\mathbf{Adv}^{\text{int-ptxt}}_{SE,A}(k)$, resp. $\mathbf{Adv}^{\text{int-ctxt}}_{SE,A}(k)$, is negligible for any adversary $A$ whose time complexity is polynomial in $k$.
We notice that, while the verification oracle $D^*_K(\cdot)$ is introduced to characterize the ability of an adversary to forge a legitimate ciphertext, it also gives the adversary the ability to learn whether a doctored ciphertext is valid. Unlike CPA and CCA, it is just this simple yes-or-no answer that may disclose sensitive information about the challenge plaintext. We introduce a new security notion, IND-CVA (indistinguishability of an encryption scheme under ciphertext verification attacks), to describe the privacy of an encryption scheme in this situation.

3 The definition of IND-CVA security

3.1 Definition of IND-CVA security

Like CPA security and CCA security, we measure CVA security via the left-or-right model of ref. [10]. The left-or-right encryption oracle $E_K(LR(\cdot,\cdot,b))$ and the goal of the adversary are defined as for CPA security. To model ciphertext verification attacks we give the adversary access to the ciphertext verification oracle $D^*_K(\cdot)$ besides the encryption oracle $E_K(\cdot)$. The detailed definition of CVA security is as follows.

Definition 4 (IND-CVA, indistinguishability of a symmetric encryption scheme under ciphertext verification attacks). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cva}$ be an adversary with access to the encryption oracle $E_K(LR(\cdot,\cdot,b))$ and the ciphertext verification oracle $D^*_K(\cdot)$. Consider the following experiment:

$\mathbf{Exp}^{\text{ind-cva-}b}_{SE,A_{cva}}(k)$: $K \xleftarrow{R} \mathcal{K}(k)$; $b' \leftarrow A_{cva}^{E_K(LR(\cdot,\cdot,b)),\,D^*_K(\cdot)}(k)$, where $b'$ is a bit; return $b'$.

Above it is mandated that the two messages queried of $E_K(LR(\cdot,\cdot,b))$ always have equal length. We define the advantage of the adversary $A_{cva}$ via

$\mathbf{Adv}^{\text{ind-cva}}_{SE,A_{cva}}(k) = \Pr[\mathbf{Exp}^{\text{ind-cva-}1}_{SE,A_{cva}}(k) = 1] - \Pr[\mathbf{Exp}^{\text{ind-cva-}0}_{SE,A_{cva}}(k) = 1]$.

We define the advantage function of the scheme as follows. For any integers $t, q_e, q_v, u_e, u_v$,

$\mathbf{Adv}^{\text{ind-cva}}_{SE}(k,t,q_e,q_v,u_e,u_v) = \max_{A_{cva}}\{\mathbf{Adv}^{\text{ind-cva}}_{SE,A_{cva}}(k)\}$,

where the maximum is over all $A_{cva}$ with time complexity $t$, making at most $q_e$ queries to the $E_K(LR(\cdot,\cdot,b))$ oracle the sum of whose lengths is at most $u_e$ bits, and at most $q_v$ queries to the $D^*_K(\cdot)$ oracle the sum of whose lengths is at most $u_v$ bits.
The scheme $SE$ is said to be IND-CVA secure if the function $\mathbf{Adv}^{\text{ind-cva}}_{SE,A_{cva}}(k)$ is negligible for any adversary $A_{cva}$ whose time complexity is polynomial in $k$.

Compared with the reaction attack, we allow the CVA adversary to access the encryption oracle as well as the ciphertext verification oracle. There are two reasons for giving the adversary the encryption oracle. One is to facilitate the description of the relationship with other notions. The other is that access to an encryption oracle is easy for an adversary to obtain, especially in a public environment, so we take it for granted.

3.2 Examples of CVA-secure encryption schemes

Example 1 (OTP mode scheme [1,8]). Let $F: \{0,1\}^l \to \{0,1\}^{l'}$ be a family of functions with domain $\{0,1\}^l$ and range $\{0,1\}^{l'}$, where $l$ and $l'$ are positive integers. We define the encryption scheme $\mathrm{OTP}(F)$ on messages of length at most $l'$ as follows. A key is a description of a member $f$ of the family $F$. The OTP encryption under $f$ of a plaintext $M$ is performed by choosing $r \xleftarrow{R} \{0,1\}^l$ and computing $c = f(r) \oplus M$, where $f(r)$ is truncated to the length of $M$. The ciphertext is the pair $(r, c)$. Decryption works in the obvious way. If $F$ is the set of all functions with the above domain and range and $f$ is chosen at random from this family, we get perfect secrecy against chosen-plaintext attacks as long as there are no repetitions among the values $r$ chosen by the encryptor (after encrypting $q$ different messages a repetition happens with probability at most $q^2/2^l$). If $F$ is a family of pseudorandom functions, the same security is achieved in a computational sense, i.e. up to the distinguishing advantage between the pseudorandom family and a truly random function. We now inspect the security of $\mathrm{OTP}(F)$ in the sense of IND-CVA. Notice that for any $r' \in \{0,1\}^l$ and any $c'$ of length at most $l'$, setting $m' = f(r') \oplus c'$ (with $f(r')$ truncated to $|c'|$) gives a message $m'$ of length at most $l'$; that is, every pair $(r', c')$ is a valid ciphertext, so the ciphertext verification oracle always returns 1 and tells nothing about the corresponding plaintext. In other words, the verification oracle cannot help the adversary at all. So $\mathrm{OTP}(F)$ is IND-CVA secure if $F$ is a family of pseudorandom functions.

Example 2 (CBC mode scheme [1,8]). Let $F$ be a family of permutations over $\{0,1\}^l$, where $l$ is a positive integer. We define the encryption scheme $\mathrm{CBC}(F)$ on messages whose length is a multiple of $l$. A key is a description of a member $f$ of the family $F$. The CBC encryption under $f$ of a plaintext $x$ is performed by partitioning $x$ into blocks $x[1], \ldots, x[p]$ of length $l$ each, choosing $r \xleftarrow{R} \{0,1\}^l$ (called the initial vector, IV) and computing the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = r$, $c[i] = f(c[i-1] \oplus x[i])$ for $i = 1, \ldots, p$. Decryption works in the obvious inverse way. It has been proved that if $F$ is the set of all permutations over $\{0,1\}^l$ and $f$ is chosen at random from $F$, then $\mathrm{CBC}(F)$ is IND-CPA secure [8]. For any $f$ chosen from $F$ and any integer $n > 1$, $\mathrm{CBC}(F)$ restricted to inputs of $n$ blocks is a permutation over $\{0,1\}^{nl}$, so for any string $c$ of length $nl$ the decryption of $c$ does not return the invalid symbol. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if $F$ is the set of all permutations over $\{0,1\}^l$ and $f$ is chosen at random from $F$, then $\mathrm{CBC}(F)$ is IND-CVA secure. Note that this argument relies on every block-aligned string being accepted; once a padding rule is added and decryption rejects malformed padding, the verification oracle is no longer constant, and this is exactly the situation exploited by the well-known padding-oracle attacks on CBC.

Example 3 (CTR mode scheme [8]). Let $l$ and $L$ be positive integers and let $F: \{0,1\}^l \to \{0,1\}^L$ be a function family (not necessarily a family of permutations). We define the encryption scheme $\mathrm{CTR}(F)$ on messages whose length is a multiple of $L$. A key is a description of a member $f$ of the family $F$. The R-CTR (randomized counter) mode encryption under $f$ of a plaintext $x$ is performed by partitioning $x$ into blocks $x[1], \ldots, x[p]$ of length $L$ each, choosing $r \xleftarrow{R} \{0,1\}^l$ (called the IV) and computing the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = r$, $c[i] = f(r + i) \oplus x[i]$ for $i = 1, \ldots, p$. Decryption works in the obvious way. The C-CTR (counter-based counter) mode maintains a counter $ctr$, initially zero, instead of the random string $r$. When encrypting blocks $x[1], \ldots, x[p]$ of length $L$ each, it computes the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = ctr$, $c[i] = f(ctr + i) \oplus x[i]$ for $i = 1, \ldots, p$, and then sets $ctr \leftarrow ctr + p$. It has been proved that if $F$ is a family of pseudorandom functions and $f$ is chosen at random from $F$, then $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is IND-CPA secure [8]. By construction, $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is onto: for any ciphertext of length $l + nL$ (where $n > 0$ is an integer and $L$ is the block length), there is a corresponding plaintext when there is no integrity verification. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if $F$ is a family of pseudorandom functions and $f$ is chosen at random from $F$, then $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is IND-CVA secure.

4 Relation to other notions

The notion IND-CVA is presented to describe an adversary who has access to the ciphertext verification oracle, and to characterize the reaction attack. It is interesting to compare IND-CVA with other popular security notions. We use the notation $A \Rightarrow B$ to denote that the security notion $A$ implies the security notion $B$, and $A \not\Rightarrow B$ to denote that $A$ does not imply $B$. When we claim that $A \Rightarrow B$, we give a formal proof; when we claim that $A \not\Rightarrow B$, we present a counterexample.

Theorem 1 (IND-CCA $\Rightarrow$ IND-CVA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$, if it is IND-CCA secure, it is also IND-CVA secure.
An IND-CCA attacker is more powerful than an IND-CVA attacker: for any ciphertext, an IND-CCA attacker learns not only whether it is valid but also its corresponding plaintext. So if an adversary who can only access the ciphertext verification oracle breaks the security, it can also break the security when given the additional power of accessing the decryption oracle. Theorem 1 therefore holds obviously. Notice that Theorem 1 also holds for the generalized chosen-ciphertext attack (IND-gCCA) [3].

Theorem 2 (IND-CVA $\not\Rightarrow$ NM-CPA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ which is IND-CVA secure, we can construct a symmetric encryption scheme $SE' = (\mathcal{K}, E', D')$ which is also IND-CVA secure but is not NM-CPA secure.

Proof of Theorem 2. The scheme $SE' = (\mathcal{K}, E', D')$ is constructed as follows:

$E'_K(M)$: $C \leftarrow E_K(M)$; $C' \leftarrow 0 \| C$, where 0 is a single bit; return $C'$.

$D'_K(C')$: parse $C'$ as $b \| C$, where $b$ is a bit; $M \leftarrow D_K(C)$; return $M$.

Obviously, an adversary can flip the first bit of the challenge ciphertext $C'$ to get a new ciphertext that corresponds to the same challenge plaintext $m_b$, which violates non-malleability. We claim that $SE'$ preserves the IND-CVA security of the original scheme $SE$. By the definition of the verification oracle, $D'^*_K(C')$ returns whatever $D^*_K(C)$ returns, so both verification oracles provide identical information about the challenge message. Hence if $SE = (\mathcal{K}, E, D)$ is IND-CVA secure, so is $SE' = (\mathcal{K}, E', D')$.

Theorem 3 (IND-CPA $\not\Rightarrow$ IND-CVA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ which is IND-CPA secure, we can construct a symmetric encryption scheme $SE' = (\mathcal{K}, E', D')$ which is also IND-CPA secure but is not IND-CVA secure.

Proof of Theorem 3. The scheme $SE' = (\mathcal{K}, E', D')$ is constructed as follows:

$E'_K(M)$: $C \leftarrow E_K(M)$; $C' \leftarrow 0 \| C$, where 0 is a single bit; return $C'$.

$D'_K(C')$: parse $C'$ as $b \| C$, where $b$ is a bit; $M \leftarrow D_K(C)$; if $b = 0$ then return $M$; else parse $M$ as $b' \| M'$, where $b'$ is a bit; if $b' = b$ then return $\bot$, else return $M$.

An adversary flips the first bit of the challenge ciphertext $C'$ and queries the verification oracle $D'^*_K(\cdot)$ with the new ciphertext. If the first bit of the challenge plaintext $m_b$ is 1, then $D'^*_K(\cdot)$ returns 0; otherwise it returns 1. So by choosing two challenge messages whose first bits differ, the adversary learns $b$ with a single verification query. The IND-CPA security of $SE' = (\mathcal{K}, E', D')$ is obvious, since $E'$ only prepends a constant bit to the output of $E$; we omit the proof for conciseness.

Remark 1.
This example shows exactly how ciphertext verification compromises the privacy of encryption and how a CVA attacker works. Compared with a CPA attacker, a CVA attacker needs only slightly more power: to know whether a ciphertext is valid. On one hand, this requirement is commonly met in the network environment. For instance, when a user logs in to a server for some service (e.g. ), he sends the server his password to verify his identity, and the server always responds with an invalid message if the verification fails, which indeed provides a verification oracle to the user. On the other hand, verifying a ciphertext is much easier, and a simple hashing would be sufficient (e.g. HMAC). IND-CVA reveals the influence of integrity on privacy.

Remark 2. We compare a CVA attacker with a CCA attacker. A CCA (or even gCCA) attacker is more powerful than a CVA attacker. A CCA attacker is given the exact plaintext of an arbitrary ciphertext, which implies that the attacker knows the validity of the ciphertext, too. Although it is possible for an adversary to have access to a decryption oracle in some cases, the fact is that in most cases, especially in common network environments, the adversary can only have access to the encryption oracle and the verification oracle, rather than an exact decryption oracle [1,4-6]. In other words, while IND-CCA security is a useful and important security notion, it is too strong and not necessary for some (fundamental) applications such as secure channels. Moreover, it is NOT present in the prevalent modes of symmetric encryption (such as in stream ciphers or CBC mode, even when the underlying block cipher is chosen-ciphertext secure; see Section 6.11 of ref. [8]), and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms.

In addition, an IND-CCA attacker usually uses more resources than an IND-CVA attacker. Take the Encrypt-then-MAC paradigm, for instance: an IND-CCA adversary accesses both the MAC verification oracle and the decryption oracle, whereas an IND-CVA adversary possibly accesses the MAC verification oracle only, which consumes fewer resources than an IND-CCA adversary (e.g. HMAC).

Theorem 4 (INT-PTXT ∧ IND-CPA ⇏ IND-CVA). For any authentication scheme MA = (K_M, T, V) which is WUF-CMA secure, we can construct an authentication scheme MA' = (K_M, T', V') and a symmetric encryption scheme SE = (K_E, E, D) which is IND-CPA secure, such that the MAC-then-Encrypt scheme is not IND-CVA secure.

Proof of Theorem 4. We take the example presented in ref. [1] as a counterexample. Let MA be a secure single-valued MAC, and define MA' to be identical to MA except that on the all-zeros string it allows the last bit of the tag to be set arbitrarily (i.e., for this string the verification function will accept two different tags as valid). An attacker against MtE(OTP, MA') can distinguish between a ciphertext that encrypts the all-zeros message and the ciphertext of any other message as follows. It just flips the last bit of the ciphertext and watches for acceptance or rejection of the message; clearly, the message is accepted if and only if it was the all-zeros message.

Theorem 5 (IND-CVA ⇏ INT-PTXT). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE' = (K, E', D') which is also IND-CVA secure but is not INT-PTXT secure.

Theorem 5 can be easily proved with Theorem 1 and the relationship between IND-CCA and INT-PTXT [10]. But, to further illustrate the difference between IND-CVA and INT-PTXT, we give a more elementary proof in the Appendix. In summary, the relationships between IND-CVA and the other conceptions are shown in Figure 1.

Figure 1 Relationship between IND-CVA and other security conceptions.
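The scheme SE' from the proof of Theorem 3, as an added example written for this page (it is not the authors' code): the base scheme SE is assumed to be a one-time pad on bit strings, None plays the role of ⊥, and one run of the IND-CVA game shows the adversary recovering the first bit of m_b from a single flipped verification query.

```python
"""Added example (not code from the paper): the Theorem 3 scheme SE' = (K, E', D') built
on a one-time pad, plus one run of the IND-CVA game in which the adversary learns the
first bit of the challenge plaintext from the verification oracle alone.
Assumptions: bit-string messages, a fresh OTP key per challenge, Python None for ⊥."""
import secrets


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def random_bits(n: int) -> str:
    return "".join(secrets.choice("01") for _ in range(n))


# Base scheme SE = (K, E, D): a one-time pad (IND-CPA for one-time use; never rejects).
def E(key: str, m: str) -> str:
    return xor_bits(key, m)


def D(key: str, c: str) -> str:
    return xor_bits(key, c)


# Theorem 3 scheme SE': a flag bit 0 is prepended to every honest ciphertext.
def E_prime(key: str, m: str) -> str:
    return "0" + E(key, m)


def D_prime(key: str, c: str):
    """Parse c as b||C'. Flag 0: decrypt normally. Flag 1: reject (None, i.e. ⊥)
    exactly when the first plaintext bit equals the flag, i.e. when it is 1."""
    b, c1 = c[0], c[1:]
    m = D(key, c1)
    if b == "0":
        return m
    return None if m[0] == b else m


def verification_oracle(key: str, c: str) -> int:
    """The IND-CVA verification oracle: 1 if D'_K(c) is not ⊥, else 0."""
    return 0 if D_prime(key, c) is None else 1


def cva_adversary(m0: str, m1: str, lr_oracle, verify) -> int:
    """The attacker from the proof of Theorem 3: flip the flag bit of the challenge
    ciphertext and ask whether the result is valid. Rejection means m_b starts with 1."""
    c = lr_oracle(m0, m1)
    flipped = ("1" if c[0] == "0" else "0") + c[1:]
    first_bit = "1" if verify(flipped) == 0 else "0"
    if m0[0] == m1[0]:          # the oracle cannot separate such a pair; guess blindly
        return 0
    return 0 if m0[0] == first_bit else 1


def cva_game(m0: str, m1: str, b: int) -> bool:
    """One IND-CVA game against SE' with challenge bit b; True iff the adversary wins."""
    assert len(m0) == len(m1) and m0
    key = random_bits(len(m0))
    lr_oracle = lambda x0, x1: E_prime(key, x1 if b == 1 else x0)
    verify = lambda c: verification_oracle(key, c)
    return cva_adversary(m0, m1, lr_oracle, verify) == b


if __name__ == "__main__":
    # Messages differing in their first bit are distinguished with probability 1.
    print(all(cva_game("0110", "1110", b) for b in (0, 1)))   # True
```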
5 Practical impacts of IND-CVA

5.1 SSL and MAC-then-Encrypt

The famous SSL protocol, which indeed works in the form of MAC-then-Encrypt, is not generally secure conditioned on a SUF-CMA secure MAC and an IND-CPA secure encryption scheme, due to the reaction attack. Then, is it secure if the underlying encryption scheme is strengthened up to IND-CVA? We review the syntax of MAC-then-Encrypt first.

Definition 5 (Construction of the MAC-then-Encrypt scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication scheme respectively. We define the MAC-then-Encrypt paradigm MtE = (K, TE, DV) as follows:

  K(k): K_E ← K_E(k); K_M ← K_M(k); return (K_E, K_M).
  TE_{K_E,K_M}(m): t ← T_{K_M}(m); c ← E_{K_E}(m||t); return c.
  DV_{K_E,K_M}(c): d ← D_{K_E}(c); parse d as m||t; if V_{K_M}(m, t) = 1 then return m, else return ⊥.

Theorem 6 (Integrity of MAC-then-Encrypt). Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let MtE = (K, TE, DV) be the composite encryption scheme constructed as per Definition 5. If the underlying encryption scheme SE is IND-CVA secure and the underlying MAC is WUF-CMA secure, then MtE is INT-PTXT secure. Concretely,

$$\mathrm{Adv}^{int\text{-}ptxt}_{MtE}(k) \le \mathrm{Adv}^{wuf\text{-}cma}_{MA}(k).$$

While the above theorem holds obviously, the privacy may not be preserved in the MAC-then-Encrypt paradigm.

Theorem 7 (MAC-then-Encrypt with a WUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in section 3.2 and a WUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct a message authentication scheme MA' such that MA' is WUF-CMA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 from OTP and MA' is not IND-CVA secure.

The counterexample used in Theorem 4 still takes effect in the proof of Theorem 7; we omit the proof for brevity. Then what about the security of MAC-then-Encrypt if the underlying encryption scheme is IND-CVA secure and the underlying authentication scheme is SUF-CMA secure? The answer is still negative, as the following theorem says.

Theorem 8 (MAC-then-Encrypt with a SUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in section 3.2 and a SUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct an encryption scheme SE' such that SE' is IND-CVA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 from SE' and MA is not IND-CVA secure.

The proof of Theorem 8 is tedious, so we put it in the Appendix.

Remark 3. It is an intuitive and popular way to combine a secure MAC with a secure encryption to guarantee secure communication. While an authentication (or signature) scheme may indeed enhance the privacy in one mode (i.e. Encrypt-then-MAC), Theorem 7 and Theorem 8 show that it may also compromise the privacy in another mode (i.e. MAC-then-Encrypt), due to the integrity verification. We believe the same problem exists in the case of Encrypt-and-MAC.

Remark 4. Recall the problem mentioned in ref. [1]: due to the reaction attack, an IND-CPA secure encryption scheme may not implement a secure channel in the form of MAC-then-Encrypt, no matter how secure the underlying MAC is. Theorem 8 tells us why MAC-then-Encrypt is not secure in general, even if the underlying encryption scheme is enhanced up to IND-CVA. Then, is it possible for the MAC-then-Encrypt paradigm to implement a secure channel? The answer is yes. As Hu et al. [11] pointed out, if the underlying encryption scheme is NM-CPA secure, MAC-then-Encrypt can be IND-CCA secure.

5.2 IPSec and Encrypt-then-MAC

Up to now, IPSec, which works in the Encrypt-then-MAC form, is the only protocol that works in the composite form and is generally secure in the network setting. While Encrypt-then-MAC can implement secure channels, its security also shows that CCA security is not necessary for a secure channel. In this section, we discuss how secure Encrypt-then-MAC is in the sense of CVA, showing that CVA security may be sufficient to characterize the privacy requirements of secure channels. We recite the construction of Encrypt-then-MAC first.

Definition 6 (Construction of the Encrypt-then-MAC scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication scheme respectively. We define the Encrypt-then-MAC paradigm EtM = (K, TE, DV) as follows:

  K(k): K_E ← K_E(k); K_M ← K_M(k); return (K_E, K_M).
  TE_{K_E,K_M}(m): c' ← E_{K_E}(m); t' ← T_{K_M}(c'); return c'||t'.
  DV_{K_E,K_M}(c): parse c as c'||t'; if V_{K_M}(c', t') = 1 then m ← D_{K_E}(c'), return m; else return ⊥.

Theorem 9 (Encrypt-then-MAC with a WUF-CMA secure MAC and an IND-CPA secure encryption is IND-CVA secure and INT-PTXT secure). Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let EtM = (K, TE, DV) be the composite encryption scheme constructed as per Definition 6. If the underlying encryption scheme SE is IND-CPA secure and the underlying MAC is WUF-CMA secure, then EtM is INT-PTXT secure and IND-CVA secure. Concretely,

$$\mathrm{Adv}^{ind\text{-}cva}_{EtM}(k) \le 2\,\mathrm{Adv}^{wuf\text{-}cma}_{MA}(k) + \mathrm{Adv}^{ind\text{-}cpa}_{SE}(k), \quad (1)$$

$$\mathrm{Adv}^{int\text{-}ptxt}_{EtM}(k) \le \mathrm{Adv}^{wuf\text{-}cma}_{MA}(k). \quad (2)$$

For the proof of Theorem 9, we refer the reader to the Appendix.

Remark 5. Because of the reaction attack (recall Theorem 7 and Theorem 8), a MAC-then-Encrypt composition with an IND-CPA secure encryption may not be secure in general as a secure channel, which implies that IND-CPA is too weak to guarantee the security of a secure channel. On the other hand, as some papers have discussed, while Encrypt-then-MAC can implement secure channels, it need not be IND-CCA secure or INT-CTXT secure [1,3]. Then what degree of security should a scheme achieve to implement a secure channel? Theorem 9 shows that it should be both IND-CVA and INT-PTXT secure. Notice that the goal of a secure channel is to provide both integrity and privacy of data transmitted across networks [1,4]. The first goal means that any modification of messages produced by the attacker over the communication links should be detected and rejected by the recipient; the second goal means that, among the many messages exchanged in a session, if the attacker chooses a pair of test messages of which only one is sent, the attacker cannot guess correctly which one was sent with probability significantly greater than 1/2. In other words, the attacker against a secure channel is granted access to both the encryption oracle and the ciphertext verification oracle. It is just the access to both the encryption oracle and the ciphertext verification oracle that makes up the ability of an IND-CVA adversary. So we say that IND-CVA and INT-PTXT capture exactly the privacy and integrity requirements of secure channels, respectively.

6 Conclusions

IND-CVA is slightly stronger than IND-CPA, yet much weaker than IND-CCA, and can be satisfied by many popular schemes (e.g. OTP, CBC and CTR). IND-CVA provides a new criterion to measure the privacy of encryption schemes. It fills the gap between IND-CPA and IND-CCA, complementing the security measurements of encryption schemes. In particular, it exactly characterizes the privacy requirement of secure channels and provides a practicable reference for protocol designers.

Appendix Proof of some of the theorems

Proof of Theorem 5. Let SE = (K, E, D) be the given symmetric encryption scheme. Following the idea of ref. [9], we construct the scheme SE' = (K, E', D') such that SE' is IND-CVA secure but is not INT-PTXT secure. The idea is simple. A certain known string (or strings) will be viewed by D' as valid and decrypted to certain known messages, so that forgery is easy. But these ciphertexts will never be produced by the encryption algorithm, so privacy will not be affected. Here are the details. The new scheme SE' = (K, E', D') has the same key generation algorithm as the old scheme and the following modified encryption and decryption algorithms:

  E'_K(M): C' ← E_K(M); C ← 0||C', where 0 is the bit 0; return C.
  D'_K(C): parse C as b||C', where b is a bit; if b = 0 then M ← D_K(C'), return M; else return 0.

We present an attack on SE' in the form of an adversary A who defeats the integrity of plaintexts with probability 1 using resources polynomial in the security parameter k. It works as follows:

  A^{E'_K(·), D'_K(·)}(k): submit the query 10 to the oracle D'_K(·).

We observe that D'_K(10) = 0, meaning 10 is a valid ciphertext, and it decrypts to a message

(namely 0) that the adversary has not queried of its oracle. So $\mathrm{Adv}^{int\text{-}ptxt}_{SE',A}(k) = 1$. Also, A makes zero queries to E'_K(·) and one query to D'_K(·), totaling 2 bits, and is certainly poly(k)-time (i.e. its time complexity is polynomial in the security parameter k). To prove that SE' is IND-CVA secure, it suffices to associate with any poly(k)-time adversary A attacking SE' in the IND-CVA sense a poly(k)-time adversary B attacking SE in the IND-CVA sense such that

$$\mathrm{Adv}^{ind\text{-}cva}_{SE',A}(k) \le \mathrm{Adv}^{ind\text{-}cva}_{SE,B}(k).$$

Adversary B simply simulates A and uses its oracles to answer A's oracle queries in a straightforward manner as follows:

  B^{E_K(LR(·,·,b)), D_K(·)}(k):
    Run A as follows:
      When A makes a query (M_{i,0}, M_{i,1}) to its left-or-right encryption oracle, answer A with 0||E_K(LR(M_{i,0}, M_{i,1}, b)).
      When A makes a query C_i to its ciphertext verification oracle, parse C_i as b_i||C_i', where b_i is a bit; if b_i = 0 then answer A with D_K(C_i'), else answer A with 1.
    Until A halts and returns b'.
    Return b'.

Adversary B correctly simulates the oracles that A needs. As the code shows, it is easy for B to break the scheme if A can. Furthermore, the resource usage of both adversaries is clearly the same. Thus, if SE is IND-CVA secure, so is SE'.

Proof of Theorem 8. Given the OTP encryption scheme SE, as discussed in section 3.2, it is IND-CVA secure because it performs no verification at all on an arbitrary ciphertext. Now, we consider the following OR encoding scheme, which encodes a message x of n bits into a 2n-bit string x' by representing each bit x_i (i = 1, ..., n) of x with two bits of x' as follows:

1. if bit x_i = 0 then the pair of bits (x'_{2i-1}, x'_{2i}) is set to (0, 0);
2. if bit x_i = 1 then the pair of bits (x'_{2i-1}, x'_{2i}) is set to (0, 1) or to (1, 0) or to (1, 1) (by arbitrary random choice of the encrypting party).

We construct an encryption scheme SE' as follows: to encrypt a string x, the OR encoding scheme is applied to x to obtain the string x'. Then the OTP scheme is applied to the string x'. For decrypting y = SE'(x), one first applies the decryption function of OTP to obtain x', which is then decoded into x by mapping a pair (0, 0) into 0 and any of the pairs (0, 1), (1, 0) or (1, 1) into 1. It is easy to see that, if a string y is the ciphertext of x, then the decryption of y is identical to the plaintext string x, and SE' is IND-CVA secure just as the original SE is.

For any SUF-CMA secure MAC (e.g. HMAC) and the above encryption scheme SE', we can construct an adversary A such that

$$\mathrm{Adv}^{ind\text{-}cva}_{MtE,A}(k) = \frac{2}{3}. \quad (A1)$$

The adversary A works as follows:

  A^{ind-cva}_{MtE}(k):
    C ← SE'(LR(0, 1, b))
    Flip the first two bits of the ciphertext C to get C'; submit C' as a query to the verification oracle DV(·).
    v ← DV(C')
    If v = 1 then return 1, else return 0.

Next, we calculate the success probability of adversary A. Consider the decryption of the ciphertext C'. Let M be the first intermediate plaintext of C' decrypted by the original OTP scheme, and M' the second intermediate plaintext decoded from M (M' may not be the final plaintext, because it should be further verified by the MAC). Notice that, since the underlying MAC is SUF-CMA secure, v = 1 means that the second intermediate plaintext M' of C' decrypted by SE' is not new to the encryption scheme SE'. Since C' comes from C by flipping its first two bits, if b = 0, the first two bits of M should be (1, 1) and the first bit of M' should be 1, implying that the chance of v = 1 is 0; if b = 1, the first two bits of M should be (0, 1), (1, 0) or (0, 0), and the first bit of M' should be 1 or 0 with probability 2/3 and 1/3 respectively. Thus

$$\Pr[v = 1 \mid b = 1] = \frac{2}{3}, \quad (A2)$$

and

$$\Pr[v = 1 \mid b = 0] = 0.$$

Notice that

$$\Pr[v = 1] = \Pr[v = 1 \wedge b = 0] + \Pr[v = 1 \wedge b = 1] = 0 + \Pr[v = 1 \wedge b = 1] \quad (A3)$$

$$= \Pr[v = 1 \mid b = 1]\Pr[b = 1] = \frac{2}{3}\cdot\frac{1}{2} = \frac{1}{3}, \quad (A4)$$

and

$$\Pr[v = 0] = 1 - \Pr[v = 1] = \frac{2}{3}.$$

Therefore

$$\Pr[b = 1 \mid v = 1] = \Pr[v = 1 \wedge b = 1]/\Pr[v = 1] \quad (A5)$$

$$= \Pr[v = 1 \mid b = 1]\Pr[b = 1]/\Pr[v = 1] = \frac{2}{3}\cdot\frac{1}{2}\Big/\frac{1}{3} = 1, \quad (A6)$$

and

$$\Pr[b = 1 \mid v = 0] = \Pr[v = 0 \wedge b = 1]/\Pr[v = 0] = \Pr[v = 0 \mid b = 1]\Pr[b = 1]/\Pr[v = 0] = \frac{1}{3}\cdot\frac{1}{2}\Big/\frac{2}{3} = \frac{1}{4}. \quad (A7)$$

Denote by b' the return value of adversary A. From eqs. (A4)-(A7), we have

$$\Pr[b' = b] = \Pr[b' = b \wedge v = 0] + \Pr[b' = b \wedge v = 1] = \Pr[b' = b \mid v = 0]\Pr[v = 0] + \Pr[b' = b \mid v = 1]\Pr[v = 1] = \frac{3}{4}\cdot\frac{2}{3} + 1\cdot\frac{1}{3} = \frac{5}{6},$$

so

$$\mathrm{Adv}^{ind\text{-}cva}_{MtE,A}(k) = 2\Pr[b' = b] - 1 = \frac{2}{3},$$

and eq. (A1) holds.

Proof of Theorem 9. Eq. (2) holds obviously, and we prove eq. (1) only. Let A be an effective attack algorithm against the IND-CVA security of EtM. Following the definition of IND-CVA, we consider the following attack games:

  Game 0, Game 1:
    K_E ← K_E(k); K_M ← K_M(k); run A.
    When A queries the encryption oracle TE_{K_E,K_M}(·) with (M_0, M_1), do: c' ← E_{K_E}(LR(M_0, M_1, b)); t' ← T_{K_M}(c'); c ← c'||t'; return c to A.
    When A queries the verification oracle DV_{K_E,K_M}(·) with c, do: parse c as c'||t'; if V_{K_M}(c', t') = 0 then return 0 to A, else return the verification result of D_{K_E}(c') to A   // replaced by "return 1 to A" in Game 1.
    If A outputs b', return b'.

Let S_i (i = 0, 1) be the event that adversary A succeeds (i.e. b' = b) in Game i; then

$$\frac{1}{2} + \frac{1}{2}\mathrm{Adv}^{ind\text{-}cva}_{EtM,A}(k) = \Pr[S_0]. \quad (A8)$$

Next, we define E to be the event that V_{K_M}(c', t') = 1 and c' was never returned by the encryption oracle E_{K_E}(·). When Ē (the complement of E) occurs, i.e. V_{K_M}(c', t') = 0, or V_{K_M}(c', t') = 1 but c' was already returned by the encryption oracle E_{K_E}(·), Game 1 works exactly the same as Game 0. Thus, by the results of refs. [12, 13],

$$|\Pr[S_0] - \Pr[S_1]| \le \Pr[E]. \quad (A9)$$

Obviously, given A, we can construct two new adversaries A' and F such that the following lemmas hold:

$$\Pr[E] \le \mathrm{Adv}^{wuf\text{-}cma}_{MA,F}(k), \quad (A10)$$

$$\Pr[S_1] \le \Pr^{ind\text{-}cpa}_{SE,A'}[b' = b]. \quad (A11)$$

Combining eqs. (A8)-(A11), we have

$$\frac{1}{2} + \frac{1}{2}\mathrm{Adv}^{ind\text{-}cva}_{EtM,A}(k) = \Pr[S_0] \le \Pr[E] + \Pr[S_1] \le \mathrm{Adv}^{wuf\text{-}cma}_{MA,F}(k) + \Pr^{ind\text{-}cpa}_{SE,A'}[b' = b] = \mathrm{Adv}^{wuf\text{-}cma}_{MA,F}(k) + \frac{1}{2} + \frac{1}{2}\mathrm{Adv}^{ind\text{-}cpa}_{SE,A'}(k).$$

Some algebraic manipulation leads to eq. (1).

References

1 Krawczyk H. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Crypto 01, LNCS. Berlin: Springer-Verlag.
2 Hall C, Goldberg I, Schneier B. Reaction attacks against several public-key cryptosystems. In: Varadharajan V, Mu Y, eds. Proceedings of Information and Communication Security, ICICS 99, LNCS. Berlin: Springer-Verlag.
3 An J H, Dodis T, Rabin T. On the security of joint signature and encryption. In: Knudsen L, ed. Advances in Cryptology, EUROCRYPT 2002, Lecture Notes in Computer Science. Berlin: Springer-Verlag.
4 Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B, ed. Advances in Cryptology, EUROCRYPT 2001, Lecture Notes in Computer Science. Berlin: Springer-Verlag. Extended version at /040
5 Canetti R, Krawczyk H. Universally composable notions of key exchange and secure channels. In: Eurocrypt 02, LNCS. Extended version at oacr.ogr/2002/
6 Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, 2001. The latest full version available at
7 Namprempre C. Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng Y, ed. Advances in Cryptology, ASIACRYPT 2002, Lecture Notes in Computer Science. Berlin: Springer-Verlag.
8 Goldwasser S, Bellare M. Lecture Notes on Cryptography. Summer course on cryptography, MIT. Available from
9 Bellare M, Namprempre C. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto T, ed. Advances in Cryptology, ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science. Berlin: Springer-Verlag.
10 Bellare M, Desai A, Jokipii E, et al. A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE Computer Society Press.
11 Hu Z Y, Lin D D, Wu W L. Security notes on the MAC-then-Encrypt paradigm. In: Proceedings of the Eighth International Conference for Young Computer Scientists, Beijing, China.
12 Bellare M, Rogaway P. The game-playing technique. Cryptology ePrint Archive 2004/332, December 1.
13 Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive 2004/332, November 30.
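The Theorem 8 counterexample and the Encrypt-then-MAC composition of Theorem 9, as an added example written for this page (not the authors' code): SE' is OR-encoding followed by a one-time pad, HMAC-SHA256 stands in for the SUF-CMA MAC, MtE follows Definition 5 and EtM Definition 6, and the bit-flip adversary (A1) is run over every challenge bit and encoder choice so that its advantage of 2/3 against MtE (and 0 against EtM) is computed exactly.

```python
"""Added example (not code from the paper): the Theorem 8 counter-example and the
Encrypt-then-MAC comparison of Theorem 9 in code. SE' is OR-encoding followed by a
one-time pad; the MAC is HMAC-SHA256 (assumed SUF-CMA); MtE follows Definition 5 and
EtM Definition 6. Adversary (A1) is run over every challenge bit and every encoder
choice for the first bit, so its advantage is computed exactly rather than sampled."""
import hashlib
import hmac
import secrets
from fractions import Fraction

TAG_BITS = 256                        # HMAC-SHA256 tag length (assumption of this example)
ONE_ENCODINGS = ("01", "10", "11")    # the three OR-encodings of bit 1
ZERO_ENCODING = "00"                  # the only OR-encoding of bit 0

def random_bits(n: int) -> str:
    return "".join(secrets.choice("01") for _ in range(n))

def xor_bits(a: str, b: str) -> str:
    """One-time pad step: bitwise XOR of equal-length bit strings."""
    assert len(a) == len(b)
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def or_encode(bits: str, first_choice: int) -> str:
    """OR-encode a bit string. The attacker flips only the first pair, so only the
    encoder's choice for the first bit is enumerated; later 1-bits are encoded as "11"."""
    out = []
    for i, x in enumerate(bits):
        if x == "0":
            out.append(ZERO_ENCODING)
        else:
            out.append(ONE_ENCODINGS[first_choice] if i == 0 else "11")
    return "".join(out)

def or_decode(enc: str) -> str:
    """(0,0) decodes to 0; (0,1), (1,0) and (1,1) all decode to 1."""
    return "".join("0" if enc[i:i + 2] == ZERO_ENCODING else "1"
                   for i in range(0, len(enc), 2))

def mac(km: bytes, msg: str) -> str:
    """HMAC-SHA256 over the ASCII bit string, returned as a 256-bit string."""
    digest = hmac.new(km, msg.encode("ascii"), hashlib.sha256).digest()
    return format(int.from_bytes(digest, "big"), f"0{TAG_BITS}b")

# MAC-then-Encrypt (Definition 5): c = SE'(m || T(m)); decrypt and decode, then verify.
def mte_encrypt(pad: str, km: bytes, m: str, first_choice: int) -> str:
    return xor_bits(pad, or_encode(m + mac(km, m), first_choice))

def mte_decrypt(pad: str, km: bytes, c: str):
    d = or_decode(xor_bits(pad, c))
    m, t = d[:-TAG_BITS], d[-TAG_BITS:]
    return m if hmac.compare_digest(mac(km, m), t) else None   # None stands for ⊥

# Encrypt-then-MAC (Definition 6): c = SE'(m) || T(SE'(m)); verify, then decrypt.
def etm_encrypt(pad: str, km: bytes, m: str, first_choice: int) -> str:
    c1 = xor_bits(pad, or_encode(m, first_choice))
    return c1 + mac(km, c1)

def etm_decrypt(pad: str, km: bytes, c: str):
    c1, t = c[:-TAG_BITS], c[-TAG_BITS:]
    if not hmac.compare_digest(mac(km, c1), t):
        return None
    return or_decode(xor_bits(pad, c1))

SCHEMES = {   # name: (encrypt, decrypt, pad length needed for a 1-bit message)
    "MtE": (mte_encrypt, mte_decrypt, 2 * (1 + TAG_BITS)),
    "EtM": (etm_encrypt, etm_decrypt, 2 * 1),
}

def cva_advantage(scheme: str) -> Fraction:
    """Exact Adv^{ind-cva} of adversary (A1): challenge LR(0, 1, b), flip the first two
    ciphertext bits, query the verification oracle, answer 1 iff the query was valid.
    Pr[b' = b] is averaged over b and over the encoder's choice for the first bit."""
    encrypt, decrypt, pad_bits = SCHEMES[scheme]
    pad, km = random_bits(pad_bits), secrets.token_bytes(32)
    p_win = Fraction(0)
    for b in (0, 1):
        choices = range(len(ONE_ENCODINGS)) if b == 1 else range(1)   # bit 0: one encoding
        for ch in choices:
            c = encrypt(pad, km, str(b), ch)
            forged = xor_bits("11" + "0" * (len(c) - 2), c)            # flip first two bits
            valid = decrypt(pad, km, forged) is not None               # verification oracle
            guess = 1 if valid else 0
            p_win += Fraction(int(guess == b), 2 * len(choices))
    return 2 * p_win - 1                                               # Adv = 2 Pr[b' = b] - 1

if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name}: Adv = {cva_advantage(name)}")   # MtE: 2/3, EtM: 0
```

The MtE verification oracle accepts the flipped ciphertext exactly when the decoded first bit is unchanged, which happens for two of the three encodings of 1 and never for 0, reproducing Pr[b' = b] = 5/6; with EtM every flipped query fails the tag check, so the oracle reveals nothing.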

More information

CS155. Cryptography Overview

CS155. Cryptography Overview CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat

More information

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents - Objective - Cryptography: An Overview - Symmetric Key - Asymmetric Key - Transparent Key: A Paradigm Shift - Security

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1 Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

Secure Computation Without Authentication

Secure Computation Without Authentication Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

More information

Chapter 7. Message Authentication. 7.1 The setting

Chapter 7. Message Authentication. 7.1 The setting Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Message Authentication Codes. Lecture Outline

Message Authentication Codes. Lecture Outline Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

More information

Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

More information

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

More information

Recommendation for Applications Using Approved Hash Algorithms

Recommendation for Applications Using Approved Hash Algorithms NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

More information

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages: Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Authenticated Encryption (AE) Instructor: Ahmad Boorghany

Authenticated Encryption (AE) Instructor: Ahmad Boorghany Sharif University of Technology Department of Computer Engineering Data and Network Security Lab Authenticated Encryption (AE) Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare and

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

More information

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

Security/Privacy Models for Internet of things: What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global

More information

Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

More information

the server that does not allow to treat relational databases. A fundamental question thus becomes what is the best guaranteed security that can be

the server that does not allow to treat relational databases. A fundamental question thus becomes what is the best guaranteed security that can be New Security Models and Provably-Secure Schemes for Basic Query Support in Outsourced Databases Georgios Amanatidis Alexandra Boldyreva Adam O Neill Abstract In this paper, we take a closer look at the

More information

Three attacks in SSL protocol and their solutions

Three attacks in SSL protocol and their solutions Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Cryptography for Secure Channels Kenny Paterson

Cryptography for Secure Channels Kenny Paterson Cryptography for Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London kenny.paterson@rhul.ac.uk Onassis Foundation Science Lecture Series 1 Outline Introduction

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Recommendation for Cryptographic Key Generation

Recommendation for Cryptographic Key Generation NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

More information

Delegation of Cryptographic Servers for Capture-Resilient Devices

Delegation of Cryptographic Servers for Capture-Resilient Devices ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

More information