Ciphertext verification security of symmetric encryption schemes




HU ZhenYu 1†, SUN FuChun 1 & JIANG JianChun 2

1 National Laboratory of Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China; 2 Institute of Software, Chinese Academy of Sciences, Beijing 100080, China

This paper formally discusses the security problem caused by ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access both the encryption oracle and the ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguishability under chosen-ciphertext attacks), and can be satisfied by most of the popular symmetric encryption schemes such as OTP (one-time pad), CBC (cipher block chaining) and CTR (counter). A MAC (message authentication scheme) is usually combined with an encryption scheme to guarantee secure communication (e.g. SSH, SSL and IPSec). However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases.

encryption, privacy, integrity, reaction attack, IND-CPA, IND-CCA

1 Introduction

1.1 Background and related works

CPA (chosen plaintext attacks) security and CCA (chosen ciphertext attacks) security are the two most important security measurements for encryption schemes. CPA security allows an adversary to access the encryption oracle and is the basic requirement for an encryption scheme in practice. However, CPA security is not strong enough when it is used to guarantee the secrecy of data transferred across the Internet in terms of a secure channel. One of the typical examples is that, though the composite scheme MAC-then-Encrypt can preserve the CPA security of the underlying encryption scheme, it may not be secure in the face of the “reaction attack” [1]. CCA security is stronger than CPA security: besides the encryption oracle, it allows the adversary to access the decryption oracle, with the only restriction that the adversary is prohibited from querying the challenge ciphertext returned by the encryption oracle. While CCA security can be used to guarantee the privacy of data transferred across the Internet, it is the strongest notion for privacy and is too strong for the typical secure composite scheme Encrypt-then-MAC to generically satisfy. Moreover, CCA security is not robust enough. If we modify a CCA-secure encryption scheme “harmlessly” (e.g. a useless bit is appended to the ciphertext), it may not be CCA-secure any more. Considering the insufficiency of CPA security and the unnecessary strength of CCA security when characterizing the privacy requirements of a secure channel, it is not trivial to develop a new security notion that is stronger than CPA security but weaker than CCA security, and is applicable to fill the gap between them.

Received July 16, 2008; accepted January 15, 2009

doi: 10.1007/s11432-009-0158-x

† Corresponding author (email: Hu [email protected])

Supported by the National Basic Research Program of China (Grant No. G2002cb312205)

Citation: Hu Z Y, Sun F C, Jiang J C. Ciphertext verification security of symmetric encryption schemes. Sci China Ser F-Inf Sci, 2009, 52(9): 1617–1631, doi: 10.1007/s11432-009-0158-x

“Reaction attack” was first introduced by Hall et al. [2], and works by modifying a sender’s ciphertexts and observing the receiver’s response. In this kind of attack, an attacker presents the owner of the private key with a ciphertext that may contain one or more errors that can be detected during decryption (that is, the ciphertext may decrypt to a plaintext which fails a simple signature or checksum verification). By watching the reaction of the owner in order to determine whether or not the ciphertext decrypted correctly, the attacker can usually determine information about the plaintext or the private key. Different from the case of chosen plaintext attacks and chosen ciphertext attacks, when a receiver verifies a ciphertext, it provides the adversary with information about whether the received ciphertext is valid. In fact, it is the integrity verification that may disclose valuable information about the plaintext in the case of reaction attacks. So, the integrity verification should be taken as a special attack tool that can be used by an adversary to compromise the privacy of an encryption scheme, and a corresponding security notion should be introduced to capture security under this type of attack.

With the spreading use of networks, data integrity and authentication are getting more and more attention, and lots of work has been done to strengthen the secrecy of communication with MACs or signatures. While the combination of authentication (or signature) and encryption may enhance privacy in some cases (e.g. Encrypt-then-MAC), can it possibly compromise privacy in other cases? We will give this problem a formal investigation.

1.2 Our contributions

We formally discuss the security problem of encryption caused by ciphertext verification, presenting a new security notion named IND-CVA to model the reaction attack. The new notion IND-CVA is slightly stronger than IND-CPA but much weaker than IND-CCA. Most popular symmetric encryption schemes, such as OTP, CBC and CTR, are secure in the sense of IND-CVA, though they are neither NM-CPA (non-malleability under chosen-plaintext attacks) nor IND-CCA secure.

We investigate the relationship between the new notion IND-CVA and the conventional notions such as IND-CPA, IND-CCA and NM-CPA, showing that IND-CVA is applicable to fill the gap between IND-CPA and IND-CCA.

With the notion IND-CVA, we show how a secure MAC compromises the privacy of MAC-then-Encrypt. Moreover, we discover that IND-CVA captures the exact (both sufficient and necessary) privacy requirements of a secure channel, while INT-PTXT captures the exact integrity requirements.

IND-CVA reveals the negative influence of integrity verification on privacy, providing a practicable reference for protocol designers.

1.3 Comparison with related works

1.3.1 Comparison with IND-gCCA security. An et al. [3] generalized the CCA attack with respect to some equivalence relation R(·, ·) on the ciphertexts. Relation R is defined as part of the encryption scheme; it depends on the public key pk, but must have the following property: if R(C1, C2) = true then D(C1) = D(C2). Such an R is called decryption-respecting. Now the adversary A is forbidden to ask any C′ equivalent to C, i.e. R(C, C′) = true. An encryption scheme is secure against generalized CCA (or gCCA) if there exists some efficient decryption-respecting relation R with respect to which it is CCA-secure.

Though gCCA-security may be sufficient for all applications where chosen ciphertext security matters, it is probably still a slight overkill in terms of a necessary and sufficient formalization of “secure encryption” from the application point of view. We would say that gCCA-security is still overly strong, since in network channel environments an adversary may not be allowed to access the decryption oracle [4−6]. Indeed, gCCA-security tries to relax the notion of CCA-security to the minimum extent possible, just to avoid the syntactic (robustness) problems of CCA-security.

1618 HU Z Y et al. Sci China Ser F-Inf Sci | Sep. 2009 | vol. 52 | no. 9 | 1617-1631

Contrary to gCCA-security, our CVA-security tries to tighten the notion of CPA-security to the minimum extent possible. As discussed in section 4, CVA-security is just slightly stronger than CPA-security whereas much weaker than gCCA-security or CCA-security. In particular, we are saying that CVA-security seems both sufficient and necessary for implementing secure channels, and more applicable for studying generic properties of “secure encryption”.

1.3.2 Comparison with loose CUF security. To solve the syntactic issue of CCA-security, Krawczyk [1] has presented a notion of loose CUF. Like the notion of gCCA-security, a decryption-respecting relation ρ is proposed. If C and C′ are two valid ciphertexts computed under the encryption function $E_K(\cdot)$, for some key K, and ρ(C, C′) holds, then C and C′ decrypt to the same plaintext under K. An encryption scheme SE is CUFρ-CPA (loose ciphertext unforgeability under chosen plaintext attacks) secure if for any valid ciphertext C that a ciphertext forger F can feasibly produce there exists a ciphertext C′ output by the encryption oracle under one of F’s queries such that ρ(C, C′). Note that valid ciphertexts produced by a “loose CUF” attacker always decrypt to plaintexts already queried to the encryption oracle, and it is easy to determine which of the queried plaintexts they decrypt to. So we think “loose CUF” security has no significant difference from INT-PTXT (integrity of plaintext) security. Moreover, while loose CUF limits the ciphertext forgeries allowed to the attacker to those that decrypt to previously queried plaintexts, the example attacker against the MtE scheme discussed in section 5 is able to break the security of channels without ever producing a valid ciphertext, which shows that loose CUF is insufficient for guaranteeing secure channels.

1.3.3 Comparison with CCVA security. To characterize the privacy security of a secure channel, Namprempre [7] proposed a new notion, IND-CCVA (indistinguishability under chosen-ciphertext attacks with verification). In the sense of IND-CCVA security, an adversary is given access to an encryption oracle $E_K(\cdot)$ and a special decryption oracle $D_K(\cdot, M_b)$. Let $b \in \{0,1\}$; the oracle $D_K(\cdot, M_b)$ records the secret message $M_b$ that is randomly chosen from the message pair $(M_0, M_1)$ to encrypt when the adversary queries. This oracle is the same as the standard decryption oracle $D_K(\cdot)$ except for the following. If a given ciphertext decrypts to $M_b$ (i.e. the challenge message chosen by the encryption oracle to produce the challenge ciphertext), then the oracle $D_K(\cdot, M_b)$ returns a special symbol “±”. Otherwise, it returns the decrypted message. As discussed by Namprempre, the so-defined IND-CCVA security is even overly strong, such that an IND-CCA secure scheme may not be IND-CCVA secure. Besides the encryption oracle $E_K(\cdot)$ and the decryption oracle $D_K(\cdot)$, an IND-CCVA adversary needs a third oracle access, $D_K(\cdot, M_b)$. The oracle $D_K(\cdot, M_b)$ behaves exactly the same as the standard decryption oracle $D_K(\cdot)$, except when the given ciphertext decrypts to $M_b$. At this point, the oracle $D_K(\cdot, M_b)$ returns the special symbol “±”. Notice that, when the special symbol ± is returned by the oracle $D_K(C', M_b)$, it indicates to the adversary that the corresponding plaintext of the ciphertext C′ is the same as that of the challenge ciphertext $C^*$. If $C' = C^*$, nothing more is provided to the adversary than an indication that the queried ciphertext is the challenge ciphertext itself. However, if $C' \neq C^*$, it indicates more information than CCA does (recall that CCA attackers are not allowed to query the decryption oracle on the challenge ciphertext itself): the response ± helps the adversary to confirm a decryption equivalence relation used in non-malleability security. Considering CCA attacks, the attacker is allowed to query the decryption oracle with an arbitrary ciphertext $C' (\neq C^*)$, and is returned the correct plaintext even if the corresponding plaintext is the challenge plaintext $M_b$. We argue that even if the corresponding plaintext is the challenge plaintext $M_b$, the returned value of $D_K(C')$ does not disclose any information about the challenge plaintext. This is because $D_K(C')$ just honestly tells what the corresponding plaintext is, rather than whether or not it is the challenge plaintext. For the adversary, when he receives the response of $D_K(C')$ (where $C' \neq C^*$), he would say in surprise: “Oh! It is one of the plaintexts that I have chosen to challenge.” Then he will find, to his disappointment, that this is null, because an encryption algorithm is always randomized or stateful, and any deterministic or stateless scheme is not secure in the IND-CPA sense [8]. From this point, we say that IND-CCVA is even stronger than IND-CCA.

1.4 Outline of this paper

The remainder of this paper is organized as follows. Section 2 presents some preliminaries of this paper, including the traditional security notions of symmetric encryption schemes. Section 3 introduces the new security notion IND-CVA and gives some familiar examples for IND-CVA. Section 4 discusses the relationship between the new notion IND-CVA and the traditional ones, showing that, as a new criterion to measure the privacy of encryption schemes, it fills the gap between IND-CPA and IND-CCA. Section 5 investigates the application impacts of IND-CVA. Section 6 provides the conclusion of our work.

2 Preliminary definitions

2.1 Notations

Throughout this paper, we will use the symbol “|x|” to denote the bit length of x, and “x‖y” the concatenation of x and y. The symbol “⊕” denotes the bitwise exclusive-OR operation. If n is a positive integer, then the symbol $\{0,1\}^n$ denotes the set of n-bit binary strings (we also use the symbol $\{0,1\}^*$ to denote the set of binary strings of no fixed length). If f is a randomized (resp. deterministic) algorithm, then “$x \xleftarrow{R} f(y)$” (resp. “$x \leftarrow f(y)$”) denotes the process of running f on input y and assigning the result to x. However, if S is a set, then “$x \xleftarrow{R} S$” denotes that x is randomly chosen from S. Furthermore, if A is an adversary, then “$A \Leftarrow x$” denotes the process of an oracle answering A with x after A queries the oracle.

2.2 Syntax and security of message authentication scheme

A message authentication scheme $\mathcal{MA} = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ consists of three algorithms: the randomized key generation algorithm $\mathcal{K}$ that takes as input a security parameter $k \in \mathbb{N}$ and returns a key K (we write $K \xleftarrow{R} \mathcal{K}(k)$); the tagging algorithm $\mathcal{T}$ that could be either randomized or stateful, and takes the key K and a message M to return a tag σ (we write $\sigma \xleftarrow{R} \mathcal{T}_K(M)$); and the verification algorithm $\mathcal{V}$ that is deterministic and takes the key K, a message M, and a candidate tag σ for M to return a bit v (we write $v \leftarrow \mathcal{V}_K(M, \sigma)$). We require that $\mathcal{V}_K(M, \mathcal{T}_K(M)) = 1$ for all $M \in \{0,1\}^*$. A message authentication scheme is sometimes called a MAC, and also sometimes the tag σ is called a MAC.

To measure the security of a MAC, an adversary F is allowed to access the tagging oracle $\mathcal{T}_K(\cdot)$ and the verifying oracle $\mathcal{V}_K(\cdot,\cdot)$, and its goal is to make the verifying oracle $\mathcal{V}_K(\cdot,\cdot)$ accept a pair (M, σ) that was not “legitimately produced” (i.e. the pair is a forgery). If the message M is “new”, meaning F never made the query M to its tagging oracle, the forgery is called a weak forgery. Otherwise, even if the message is not new, as long as the tag is new, the forgery is called a strong forgery. Strong forgery means that the adversary wins as long as σ was never returned by the tagging oracle in response to the query M.

Definition 1 (Security of message authentication scheme [9]). Let $\mathcal{MA} = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ be a message authentication scheme. Let $k \in \mathbb{N}$, and let $F_W$ and $F_S$ be adversaries that are able to access two oracles. Consider the following experiments:

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA},F_W}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad \text{If } F_W^{\mathcal{T}_K(\cdot),\,\mathcal{V}_K(\cdot,\cdot)} \text{ makes a query } (M,\sigma) \text{ to the oracle } \mathcal{V}_K(\cdot,\cdot) \text{ such that} \\
\qquad \mathcal{V}_K(M,\sigma) \text{ returns } 1 \text{, and } M \text{ was never queried to the oracle } \mathcal{T}_K(\cdot), \\
\quad \text{then return } 1 \text{, else return } 0.
\end{array}
$$

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA},F_S}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad \text{If } F_S^{\mathcal{T}_K(\cdot),\,\mathcal{V}_K(\cdot,\cdot)} \text{ makes a query } (M,\sigma) \text{ to the oracle } \mathcal{V}_K(\cdot,\cdot) \text{ such that} \\
\qquad \mathcal{V}_K(M,\sigma) \text{ returns } 1 \text{, and } \sigma \text{ was never returned by the oracle } \mathcal{T}_K(\cdot) \text{ in response to query } M, \\
\quad \text{then return } 1 \text{, else return } 0.
\end{array}
$$


We define the advantages of the forgers via

$$
\mathbf{Adv}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA},F_W}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA},F_W}(k) = 1\big], \qquad
\mathbf{Adv}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA},F_S}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA},F_S}(k) = 1\big].
$$

We define the advantage functions of the scheme as follows. For any integers $t, q_t, q_v, u_t, u_v$,

$$
\begin{aligned}
\mathbf{Adv}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA}}(k, t, q_t, q_v, u_t, u_v) &= \max_{F_W}\big\{\mathbf{Adv}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA},F_W}(k)\big\}, \\
\mathbf{Adv}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA}}(k, t, q_t, q_v, u_t, u_v) &= \max_{F_S}\big\{\mathbf{Adv}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA},F_S}(k)\big\},
\end{aligned}
$$

where the maximum is over all $F_W$, $F_S$ with time complexity t, making at most $q_t$ oracle queries to $\mathcal{T}_K(\cdot)$ the sum of whose lengths is at most $u_t$ bits, and making at most $q_v$ oracle queries to $\mathcal{V}_K(\cdot,\cdot)$ the sum of whose lengths is at most $u_v$ bits. The scheme $\mathcal{MA}$ is said to be WUF-CMA (weak unforgeability under chosen-message attacks) secure (resp. SUF-CMA (strong unforgeability under chosen-message attacks) secure) if the function $\mathbf{Adv}^{\mathrm{wuf\text{-}cma}}_{\mathcal{MA},F_W}(k)$ (resp. $\mathbf{Adv}^{\mathrm{suf\text{-}cma}}_{\mathcal{MA},F_S}(k)$) is negligible for any forger F whose time complexity is polynomial in k.

2.3 Syntax and security of symmetric encryption schemes

A symmetric encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms: the randomized key generation algorithm $\mathcal{K}$ that takes as input a security parameter $k \in \mathbb{N}$ and returns a key K (we write $K \xleftarrow{R} \mathcal{K}(k)$); the encryption algorithm $\mathcal{E}$ that could be randomized or stateful, and takes the key K and a plaintext M to return a ciphertext C (we write $C \xleftarrow{R} \mathcal{E}_K(M)$); and the decryption algorithm $\mathcal{D}$ that is deterministic and stateless, and takes the key K and a string C to return either the corresponding plaintext M or the invalid symbol “⊥” (we write $x \leftarrow \mathcal{D}_K(C)$ where $x \in \{0,1\}^* \cup \{\bot\}$). We require that $\mathcal{D}_K(\mathcal{E}_K(M)) = M$ for all $M \in \{0,1\}^*$.

2.3.1 Privacy of symmetric encryption schemes. The privacy of an encryption scheme is measured by indistinguishability via the “left-or-right” model of ref. [10]. The left-or-right encryption oracle $\mathcal{E}_K(LR(\cdot,\cdot,b))$, where $b \in \{0,1\}$, is defined to take input $(x_0, x_1)$, compute $C \leftarrow \mathcal{E}_K(x_b)$ and return C (if $\mathcal{E}$ is randomized, the oracle picks any coins that $\mathcal{E}$ might need, and if $\mathcal{E}$ is stateful then it updates its state appropriately). The adversary is allowed to query the oracle $\mathcal{E}_K(LR(\cdot,\cdot,b))$ with a pair $(x_0, x_1)$ of its choice that consists of two equal-length messages, and gets the return of the oracle. Its goal is to guess the “challenge” bit b chosen at random by the oracle. An encryption scheme is IND-CPA (indistinguishability under chosen-plaintext attacks) secure if a “reasonable” adversary cannot obtain “significant” advantage in distinguishing the cases b = 0 and b = 1 given access to the oracle. To model IND-CCA (indistinguishability under chosen-ciphertext attacks), the adversary is also allowed to access the decryption oracle, with the only restriction that it cannot query the decryption oracle on a ciphertext output by the left-or-right encryption oracle.

Definition 2 (Indistinguishability of a symmetric encryption scheme [9]). Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cpa}$ be an adversary that can access one oracle and let $A_{cca}$ be an adversary that can access two oracles. Now, we consider the following experiments:

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{ind\text{-}cpa\text{-}}b}_{\mathcal{SE},A_{cpa}}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad b' \leftarrow A_{cpa}^{\mathcal{E}_K(LR(\cdot,\cdot,b))}(k) \\
\quad \text{return } b'
\end{array}
\qquad
\begin{array}{l}
\mathbf{Exp}^{\mathrm{ind\text{-}cca\text{-}}b}_{\mathcal{SE},A_{cca}}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad b' \leftarrow A_{cca}^{\mathcal{E}_K(LR(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}(k) \\
\quad \text{return } b'
\end{array}
$$

Above it is mandated that $A_{cca}$ never queries $\mathcal{D}_K(\cdot)$ on a ciphertext C output by the $\mathcal{E}_K(LR(\cdot,\cdot,b))$ oracle, and that the two messages queried of $\mathcal{E}_K(LR(\cdot,\cdot,b))$ always have equal length. We define the advantages of the adversaries via

$$
\begin{aligned}
\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE},A_{cpa}}(k) &= \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cpa\text{-}1}}_{\mathcal{SE},A_{cpa}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cpa\text{-}0}}_{\mathcal{SE},A_{cpa}}(k) = 1\big], \\
\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{SE},A_{cca}}(k) &= \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cca\text{-}1}}_{\mathcal{SE},A_{cca}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cca\text{-}0}}_{\mathcal{SE},A_{cca}}(k) = 1\big].
\end{aligned}
$$


We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$$
\begin{aligned}
\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(k, t, q_e, u_e) &= \max_{A_{cpa}}\big\{\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE},A_{cpa}}(k)\big\}, \\
\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{SE}}(k, t, q_e, q_d, u_e, u_d) &= \max_{A_{cca}}\big\{\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{SE},A_{cca}}(k)\big\},
\end{aligned}
$$

where the maximum is over all $A_{cpa}$, $A_{cca}$ with time complexity t, each making to the oracle $\mathcal{E}_K(LR(\cdot,\cdot,b))$ at most $q_e$ queries the sum of whose lengths is at most $u_e$ bits, and, in the case of $A_{cca}$, also making to the oracle $\mathcal{D}_K(\cdot)$ at most $q_d$ queries the sum of whose lengths is at most $u_d$ bits. The scheme $\mathcal{SE}$ is said to be IND-CPA (indistinguishability under chosen-plaintext attacks) secure (resp. IND-CCA (indistinguishability under chosen-ciphertext attacks) secure) if the function $\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE},A}(k)$ (resp. $\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{SE},A}(k)$) is negligible for any adversary A whose time complexity is polynomial in k.

2.3.2 Integrity of symmetric encryption schemes. To characterize the integrity (authenticity) of an encryption scheme $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, an algorithm $\mathcal{D}^*_K(\cdot)$, called the ciphertext verification algorithm or ciphertext verification oracle, is defined as follows [9]:

$$
\begin{array}{l}
\mathcal{D}^*_K(C) \\
\quad \text{If } \mathcal{D}_K(C) \neq \bot \text{ then return } 1, \\
\quad \text{else return } 0.
\end{array}
$$

Similar to the security definition of a MAC, the adversary is allowed to access the encryption oracle $\mathcal{E}_K(\cdot)$ and the ciphertext verification oracle $\mathcal{D}^*_K(\cdot)$. Its goal is to make the verification oracle accept a ciphertext that was not “legitimately produced” (i.e. a forgery). If the corresponding plaintext was never queried of the encryption oracle, we call the forgery a plaintext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of forgery is said to preserve the integrity of plaintexts. If the ciphertext was never returned by the encryption oracle, even if the corresponding plaintext was queried of the encryption oracle, then we call the forgery a ciphertext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of success is said to preserve the integrity of ciphertexts.

Definition 3 (Integrity of a symmetric encryption scheme [9]). Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $k \in \mathbb{N}$. Let $A_{ptxt}$ and $A_{ctxt}$ be adversaries that can access two oracles. Consider the following experiments:

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE},A_{ptxt}}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad \text{If } A_{ptxt}^{\mathcal{E}_K(\cdot),\,\mathcal{D}^*_K(\cdot)}(k) \text{ makes a query } C \text{ to the oracle } \mathcal{D}^*_K(\cdot) \text{ such that} \\
\qquad \mathcal{D}^*_K(C) \text{ returns } 1 \text{, and } \mathcal{D}_K(C) \text{ was never queried to the oracle } \mathcal{E}_K(\cdot), \\
\quad \text{then return } 1 \text{, else return } 0.
\end{array}
$$

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE},A_{ctxt}}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad \text{If } A_{ctxt}^{\mathcal{E}_K(\cdot),\,\mathcal{D}^*_K(\cdot)}(k) \text{ makes a query } C \text{ to the oracle } \mathcal{D}^*_K(\cdot) \text{ such that} \\
\qquad \mathcal{D}^*_K(C) \text{ returns } 1 \text{, and } C \text{ was never a response of } \mathcal{E}_K(\cdot), \\
\quad \text{then return } 1 \text{, else return } 0.
\end{array}
$$

We define the advantages of the adversaries via

$$
\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE},A_{ptxt}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE},A_{ptxt}}(k) = 1\big], \qquad
\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE},A_{ctxt}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE},A_{ctxt}}(k) = 1\big].
$$

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$$
\begin{aligned}
\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE}}(k, t, q_e, q_d, u_e, u_d) &= \max_{A_{ptxt}}\big\{\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE},A_{ptxt}}(k)\big\}, \\
\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE}}(k, t, q_e, q_d, u_e, u_d) &= \max_{A_{ctxt}}\big\{\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE},A_{ctxt}}(k)\big\},
\end{aligned}
$$

where the maximum is over all $A_{ptxt}$, $A_{ctxt}$ with time complexity t, each making to the oracle $\mathcal{E}_K(\cdot)$ at most $q_e$ queries the sum of whose lengths is at most $u_e$ bits, and each making to the oracle $\mathcal{D}^*_K(\cdot)$ at most $q_d$ queries the sum of whose lengths is at most $u_d$ bits. The scheme $\mathcal{SE}$ is said to be INT-PTXT (integrity of plaintext) secure (resp. INT-CTXT (integrity of ciphertext) secure) if the function $\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{\mathcal{SE},A}(k)$ (resp. $\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{\mathcal{SE},A}(k)$) is negligible for any adversary A whose time complexity is polynomial in k.

We notice that, while the verification algorithm or verification oracle $\mathcal{D}^*_K(C)$ is meant to characterize the ability of an adversary to forge a legitimate ciphertext, it provides the adversary with another ability: to know whether a doctored ciphertext is valid. Different from CPA and CCA, it is just this simple “Yes” or “No” answer that may disclose sensitive information about the challenge plaintext. We produce a new security notion, IND-CVA (indistinguishability of an encryption scheme under ciphertext verification attacks), to describe the privacy of an encryption scheme in this situation.

3 The definition of IND-CVA security

3.1 Definition of IND-CVA security

Like CPA-security and CCA-security, we measure CVA-security via the “left-or-right” model of ref. [10], too. The left-or-right encryption oracle $\mathcal{E}_K(LR(\cdot,\cdot,b))$ and the goal of the adversary are defined the same as for CPA-security. To model ciphertext-verification attacks we allow the adversary to access the ciphertext-verification oracle $\mathcal{D}^*_K(\cdot)$ besides the encryption oracle $\mathcal{E}_K(\cdot)$. The detailed definition of CVA-security is as follows.

Definition 4 (IND-CVA, indistinguishability of a symmetric encryption scheme under ciphertext-verification attacks). Let $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cva}$ be an adversary that can access the encryption oracle $\mathcal{E}_K(LR(\cdot,\cdot,b))$ and the ciphertext verification oracle $\mathcal{D}^*_K(\cdot)$. Consider the following experiment:

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{ind\text{-}cva\text{-}}b}_{\mathcal{SE},A_{cva}}(k) \\
\quad K \xleftarrow{R} \mathcal{K}(k). \\
\quad b' \leftarrow A_{cva}^{\mathcal{E}_K(LR(\cdot,\cdot,b)),\,\mathcal{D}^*_K(\cdot)}(k), \text{ where } b' \text{ is a bit} \\
\quad \text{return } b'.
\end{array}
$$

Above it is mandated that the two messages queried of $\mathcal{E}_K(LR(\cdot,\cdot,b))$ always have equal length. We define the advantage of the adversary $A_{cva}$ via

$$
\mathbf{Adv}^{\mathrm{ind\text{-}cva}}_{\mathcal{SE},A_{cva}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cva\text{-}1}}_{\mathcal{SE},A_{cva}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cva\text{-}0}}_{\mathcal{SE},A_{cva}}(k) = 1\big].
$$

We define the advantage function of the scheme as follows. For any integers $t, q_e, q_v, u_e, u_v$,

$$
\mathbf{Adv}^{\mathrm{ind\text{-}cva}}_{\mathcal{SE}}(k, t, q_e, q_v, u_e, u_v) = \max_{A_{cva}}\big\{\mathbf{Adv}^{\mathrm{ind\text{-}cva}}_{\mathcal{SE},A_{cva}}(k)\big\},
$$

where the maximum is over all $A_{cva}$ with time complexity t, each making to the $\mathcal{E}_K(LR(\cdot,\cdot,b))$ oracle at most $q_e$ queries the sum of whose lengths is at most $u_e$ bits, and making to the $\mathcal{D}^*_K(\cdot)$ oracle at most $q_v$ queries the sum of whose lengths is at most $u_v$ bits. The scheme $\mathcal{SE}$ is said to be IND-CVA secure if the function $\mathbf{Adv}^{\mathrm{ind\text{-}cva}}_{\mathcal{SE},A_{cva}}(k)$ is negligible for any adversary $A_{cva}$ whose time complexity is polynomial in k.

Compared with the reaction attack, we allow the adversary of CVA to access the encryption oracle as well as the ciphertext verification oracle. There are two reasons for allowing the adversary to access the encryption oracle. One is to facilitate the description of the relationship with other notions. The other is that accessing the encryption oracle is easy for an adversary to do, especially in a public environment. So we take it for granted.

3.2 Examples of CVA secure encryption schemes

Example 1 (OTP mode scheme [1,8]). Let $F: \{0,1\}^l \to \{0,1\}^{l'}$ be a family of functions with domain $\{0,1\}^l$ and range $\{0,1\}^{l'}$ where l and l′ are positive integers. We define the encryption scheme OTP(F) to work on messages of length at most l′ as follows.

A key in the encryption scheme is a description of a member f of the family F. The OTP encryption under f of plaintext M is performed by choosing $r \in \{0,1\}^l$ and computing $c = f(r) \oplus M$, where f(r) is truncated to the length of M. The ciphertext is the pair (r, c). Decryption works in the obvious way.

If F is the set of all functions with the above domain and range and f is chosen at random from this family, we get perfect secrecy against chosen-plaintext attacks as long as there are no repetitions in the values r chosen by the encryptor (after encrypting q different messages a repetition happens with probability $q^2/2^l$). If F is a family of pseudorandom functions then the same security is achieved but in a computational sense, i.e., up to the “indistinguishability distance” between the pseudorandom family and a truly random function.

We now inspect the security of OTP(F) in the sense of IND-CVA security. Notice that, for any $r' \in \{0,1\}^l$ and $c' \in \{0,1\}^{l'}$, let $m' = f(r') \oplus c'$; then $m' \in \{0,1\}^{l'}$, that is, (r′, c′) is a valid ciphertext, which results in the ciphertext verification oracle always returning 1 and telling nothing about the corresponding plaintext. In other words, the verification oracle cannot provide any help to the adversary. So, OTP(F) is IND-CVA secure if F is a family of pseudorandom functions.

Example 2 (CBC mode scheme[1,8]). Let Fbe a family of permutations over {0, 1}l where l isa positive integer. We define the encryption schemeCBC(F) to work on messages of length a multipleof l.

A key in the encryption scheme is a descriptionof a member f of the family F . The CBC encryp-tion under f of plaintext x is performed by parti-tioning x into blocks x[1], . . . , x[p] of length l each,then choosing r ∈ {0, 1}l (called initial vector, IV )and computing the ciphertext c = c[0], c[1], . . . , c[p]as c[0] = r, c[i] = f(c[i − 1] ⊕ x[i]), i = 1, . . . , p.Decryption works in the obvious inverse way.

It has been proved that if F is the set of all per-mutations over {0, 1}l and f is chosen at randomfrom F then CBC(F) is IND-CPA secure[8].

If F is the set of all permutations over {0, 1}^l, then for any f chosen at random from F, CBC(F) is a permutation over {0, 1}^{nl}, where n (> 1) is a positive integer. For any string c′ of length nl (n > 1), the decryption of c′ does not return the invalid symbol ⊥. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if F is the set of all permutations over {0, 1}^l and f is chosen at random from F then CBC(F) is IND-CVA secure.

Example 3 (CTR mode scheme[8]). Let l and L be positive integers and F : {0, 1}^l → {0, 1}^L be a function family (not necessarily a family of permutations). We define the encryption scheme CTR(F) to work on messages of length a multiple of l.

A key in the encryption scheme is a description of a member f of the family F. The R-CTR (randomized counter) mode encryption under f of plaintext x is performed by partitioning x into blocks x[1], . . . , x[p] of length l each, then choosing r ∈ {0, 1}^l (called the IV) and computing the ciphertext c = c[0], c[1], . . . , c[p] as c[0] = r, c[i] = f(r + i) ⊕ x[i], i = 1, . . . , p. Decryption works in the obvious way.

The C-CTR (counter-based counter) mode maintains a counter ctr that is initially zero instead of the random string r. When encrypting blocks x[1], . . . , x[p] of length l each, it computes the ciphertext c = c[0], c[1], . . . , c[p] as c[0] = ctr, c[i] = f(ctr + i) ⊕ x[i] (i = 1, . . . , p), and then updates ctr = ctr + i.

It has been proved that if F is a family of pseudorandom functions over {0, 1}^l and f is chosen at random from F then CTR(F) (R-CTR or C-CTR) is IND-CPA secure[8].

By construction of the CTR mode, CTR(F) (R-CTR or C-CTR) is an onto function. For any ciphertext of length nL (where n > 1 is a positive integer and L is the block length), there is a corresponding plaintext if there is no integrity verification. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if F is a family of pseudorandom functions over {0, 1}^l and f is chosen at random from F then CTR(F) (R-CTR or C-CTR) is IND-CVA secure.

4 Relation to other notions

The notion IND-CVA is presented to depict an adversary who has access to the ciphertext verification oracle, and to characterize the reaction attack. It is interesting to compare IND-CVA with other popular security notions. We use the notation A → B to denote that the security notion A implies the security notion B, and A ↛ B that the security notion A does not imply the security notion B. When we claim that A → B, we will give a formal proof, whereas when we claim that A ↛ B, we will present a counter-example.

Theorem 1 (IND-CCA → IND-CVA). For any symmetric encryption scheme SE = (K, E, D), if it is IND-CCA secure, it is also IND-CVA secure.

An IND-CCA attacker is more powerful than an IND-CVA attacker. For any ciphertext, an IND-CCA attacker will know not only whether it is valid, but also its corresponding plaintext. So, if an adversary who can only access the ciphertext verification oracle breaks the security, it can also break the security if it is given the additional power of access to the decryption oracle. So Theorem 1 holds obviously. Notice that Theorem 1 also holds for the generalized chosen-ciphertext attack (IND-gCCA)[3].

Theorem 2 (IND-CVA ↛ NM-CPA). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE′ = (K, E′, D′) which is also IND-CVA secure but is not NM-CPA secure.

Proof of Theorem 2. The scheme SE′ = (K, E′, D′) is constructed as follows:

E′_K(M)
    C′ ← E_K(M),
    C ← 0‖C′ where 0 is the bit 0,
    return C.

D′_K(C)
    parse C as b‖C′ where b is a bit,
    M ← D_K(C′),
    return M.

It is obvious that an adversary can flip the first bit of the challenge ciphertext C* to get a new ciphertext that corresponds to the same challenge plaintext m_b.

We claim that SE′ = (K, E′, D′) preserves the IND-CVA security of the original scheme SE = (K, E, D). According to the definition of the verification oracle, the verification oracle D′*_K(C) returns whatever the corresponding D*_K(C′) returns. That is, both verification oracles provide identical information about the challenge message. If the original scheme SE = (K, E, D) is IND-CVA secure, so is the new scheme SE′ = (K, E′, D′).

Theorem 3 (IND-CPA ↛ IND-CVA). For any symmetric encryption scheme SE = (K, E, D) which is IND-CPA secure, we can construct a symmetric encryption scheme SE′ = (K, E′, D′) which is also IND-CPA secure but is not IND-CVA secure.

Proof of Theorem 3. The scheme SE′ = (K, E′, D′) is constructed as follows:

E′_K(M)
    C′ ← E_K(M),
    C ← 0‖C′ where 0 is the bit 0,
    return C.

D′_K(C)
    parse C as b‖C′ where b is a bit,
    M ← D_K(C′),
    if b = 0 then return M,
    else parse M as b′‖M′ where b′ is a bit,
        if b = b′ then return ⊥,
        else return M.

An adversary can flip the first bit of the challenge ciphertext C*, then query the verification oracle D′*_K(·) with the new ciphertext. If the first bit of the challenge plaintext m_b is 1, then D′*_K(·) will return 0; otherwise, it returns 1.

The IND-CPA security of SE′ = (K, E′, D′) is obvious; we omit the proof for conciseness.
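As an added illustration (not code from the paper), the following Python instantiates the scheme SE′ of Theorem 3 on top of the OTP(F) scheme of Example 1, taking F to be HMAC-SHA256 (an assumption, as are the test messages m0 and m1), and runs the adversary above: the verification oracle of plain OTP(F) always answers 1, whereas the oracle of SE′ rejects the flipped challenge exactly when m_b starts with 1, so the adversary's advantage is 1.

```python
import hmac
import hashlib
import secrets

# Added example, not the paper's code: the scheme SE' of Theorem 3 built on the
# OTP(F) scheme of Example 1, with F instantiated as HMAC-SHA256 (an assumption,
# so messages are at most 256 bits). Bit strings are Python lists of 0/1, a
# ciphertext is the pair (r, bits), and None plays the role of the symbol ⊥.

def bits_of(data: bytes, n: int) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)][:n]

def xor_pad(key: bytes, r: bytes, x: list) -> list:
    """x xor f(r), with f(r) = HMAC-SHA256(key, r) truncated to |x|; this is
    both E_K and D_K of OTP(F)."""
    pad = bits_of(hmac.new(key, r, hashlib.sha256).digest(), len(x))
    return [a ^ b for a, b in zip(x, pad)]

def otp_encrypt(key: bytes, m: list) -> tuple:
    r = secrets.token_bytes(16)  # the random r of Example 1
    return r, xor_pad(key, r, m)

def otp_verify(key: bytes, r: bytes, c: list) -> int:
    """D*_K for OTP(F): every (r, c) decrypts to some string, so the oracle
    always answers 1 (which is why OTP(F) is IND-CVA secure)."""
    return 1

def se2_encrypt(key: bytes, m: list) -> tuple:
    """E'_K(M): C <- 0 || E_K(M)."""
    r, c = otp_encrypt(key, m)
    return r, [0] + c

def se2_decrypt(key: bytes, r: bytes, c: list):
    """D'_K(C): parse C as b || C', M <- D_K(C'); if b = 1 and b equals the
    first bit of M, return ⊥ (None), otherwise return M."""
    b, m = c[0], xor_pad(key, r, c[1:])
    return None if (b == 1 and b == m[0]) else m

def se2_verify(key: bytes, r: bytes, c: list) -> int:
    """Ciphertext verification oracle D'*_K: 1 iff D'_K does not return ⊥."""
    return 0 if se2_decrypt(key, r, c) is None else 1

def cva_adversary(key: bytes, b: int) -> int:
    """Theorem 3's IND-CVA adversary: m0 starts with 0 and m1 with 1; after the
    first challenge bit is flipped, the oracle rejects iff m_b starts with 1."""
    m0, m1 = [0, 1, 0, 1, 1, 0], [1, 1, 0, 1, 1, 0]  # constructed test messages
    r, c_star = se2_encrypt(key, m1 if b else m0)   # LR(m0, m1, b)
    v = se2_verify(key, r, [c_star[0] ^ 1] + c_star[1:])
    return 1 - v  # rejected (v = 0) <=> b = 1

def advantage(trials: int = 100) -> float:
    """Empirical Adv^{ind-cva}_{SE',A}(k) = Pr[b'=1 | b=1] - Pr[b'=1 | b=0]."""
    key = secrets.token_bytes(32)
    p1 = sum(cva_adversary(key, 1) for _ in range(trials)) / trials
    p0 = sum(cva_adversary(key, 0) for _ in range(trials)) / trials
    return p1 - p0
```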

Remark 1. This example shows exactly how the ciphertext verification compromises the privacy of encryption and how a CVA attacker works. Compared with the CPA attacker, a CVA attacker needs slightly more power: to know whether a ciphertext is valid. On one hand, this requirement is commonly met in the network environment. For instance, when a user logs in to a server for some service (e.g. Email), he sends the server his password to verify his identity, and the server always responds with an “invalid” message if the verification fails, which indeed provides a verification oracle to the user. On the other hand, verifying a ciphertext is much easier, and a simple hashing would be sufficient (e.g. HMAC). IND-CVA reveals the influence of integrity on privacy.

Remark 2. We compare a CVA attacker with a CCA attacker. A CCA (or even gCCA) attacker is more powerful than a CVA attacker. A CCA attacker needs to know exactly the corresponding plaintext of an arbitrary ciphertext, which implies that the attacker must know the validity of the ciphertext, too. Although it is possible for an adversary to have access to a decryption oracle in some cases, the fact is that in most cases, especially in common network environments, the adversary can only have access to the encryption oracle and verification oracle, rather than the exact decryption oracle [1,4−6]. In other words, while the IND-CCA security is a useful and important security notion, it is too strong and not necessary for some (fundamental) applications such as secure channels. Moreover, it is NOT present in the prevalent modes of symmetric encryption (such as in stream ciphers or CBC mode even when the underlying block cipher is chosen-ciphertext secure, see Section 6.11 of ref. [8]) and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms.


In addition, an IND-CCA attacker usually uses more resources than an IND-CVA attacker. Take the Encrypt-then-MAC paradigm, for instance: an IND-CCA adversary will access both the MAC verification oracle and the decryption oracle. However, an IND-CVA adversary would possibly access the MAC verification oracle only, which consumes fewer resources than an IND-CCA adversary (e.g. HMAC).

Theorem 4 (INT-PTXT ∧ IND-CPA ↛ IND-CVA). For any authentication scheme MA = (K_M, T, V) which is WUF-CMA secure, we can construct an authentication scheme MA′ = (K_M, T′, V′) and a symmetric encryption scheme SE = (K_E, E, D) which is IND-CPA secure, such that the MAC-then-Encrypt scheme is not IND-CVA secure.

Proof of Theorem 4. We take the example presented in ref. [1] as a counter-example. Let MA be a secure single-valued MAC, and define MA′ to be identical to MA except that on the all-zeros string it allows the last bit of the tag to be set arbitrarily (i.e., for this string the verification function will accept as valid two different tags). An attacker against MtE(OTP, MA′) can distinguish between a ciphertext that encrypts the all-zeros message and the ciphertext of any other message as follows. It just flips the last bit of the ciphertext and watches for acceptance or rejection of the message; clearly, the message is accepted if and only if it was the all-zeros message.

Theorem 5 (IND-CVA ↛ INT-PTXT). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE′ = (K, E′, D′) which is also IND-CVA secure but is not INT-PTXT secure.

Figure 1 Relationship between the IND-CVA and other security conceptions.

Theorem 5 can be easily proved with Theorem 1 and the relationship between IND-CCA and INT-PTXT[10]. But, to further illustrate the difference between IND-CVA and INT-PTXT, we give a more elementary proof in the Appendix.

In summary, the relationships between IND-CVA and the other conceptions are shown in Figure 1.

5 Practical impacts of IND-CVA

5.1 SSL and MAC-then-Encrypt

The famous SSL protocol, which indeed works in the form of MAC-then-Encrypt, is not generally secure given a SUF-CMA secure MAC and an IND-CPA secure encryption scheme, due to the reaction attack. Then, is it secure if the underlying encryption scheme is strengthened up to IND-CVA? We review the syntax of MAC-then-Encrypt first.

Definition 5 (Construction of MAC-then-Encrypt scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication schemes respectively. We define the MAC-then-Encrypt paradigm MtE = (K, TE, DV) as follows:

K(k)
    K_E ← K_E(k),
    K_M ← K_M(k),
    return K_E, K_M.

TE_{K_E,K_M}(m)
    t ← T_{K_M}(m),
    c ← E_{K_E}(m‖t),
    return c.

DV_{K_E,K_M}(c)
    d ← D_{K_E}(c),
    parse d as m‖t,
    if V_{K_M}(m, t) = 1 then return m,
    else return ⊥.

Theorem 6 (Integrity of MAC-then-Encrypt). Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let MtE = (K, TE, DV) be the composite encryption scheme constructed as per Definition 5. If the underlying encryption scheme SE is IND-CVA secure and the underlying MAC is WUF-CMA secure, then the MAC-then-Encrypt scheme is INT-PTXT secure. Concretely,

$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{MtE}(k) \le \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA}(k).$


While the above theorem holds obviously, the privacy may not be preserved in the MAC-then-Encrypt paradigm.

Theorem 7 (MAC-then-Encrypt with a WUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in section 3.2 and a WUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct a message authentication scheme MA′ such that MA′ is WUF-CMA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 based on OTP and MA′ is not IND-CVA secure.

The counter-example used in Theorem 4 still applies in the proof of Theorem 7. We omit the proof for brevity.

Then what about the security of MAC-then-Encrypt if the underlying encryption scheme is IND-CVA secure and the underlying authentication scheme is SUF-CMA secure? The answer is still negative, as the following theorem says.

Theorem 8 (MAC-then-Encrypt with a SUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in section 3.2 and a SUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct an encryption scheme SE′ such that SE′ is IND-CVA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 based on SE′ and MA is not IND-CVA secure.

The proof of Theorem 8 is tedious, so we put it in the Appendix.

Remark 3. It is an intuitive and popular way to combine a secure MAC with a secure encryption to guarantee secure communication. While an authentication (or signature) scheme may indeed enhance the privacy in some mode (i.e. Encrypt-then-MAC), Theorem 7 and Theorem 8 show that it may also compromise the privacy in another mode (i.e. MAC-then-Encrypt), due to the integrity verification. We believe the same problem exists in the case of “Encrypt-and-MAC”.

Remark 4. Recall the problem mentioned in ref. [1]: due to the reaction attack, an IND-CPA secure encryption scheme may not implement a secure channel in the form of MAC-then-Encrypt, no matter how secure the underlying MAC is. Theorem 8 tells us why MAC-then-Encrypt is not secure in general, even if the underlying encryption scheme is enhanced up to IND-CVA. Then, is it possible for the MAC-then-Encrypt paradigm to implement a secure channel? The answer is “yes”. As Hu et al.[11] have pointed out, if the underlying encryption scheme is NM-CPA secure, MAC-then-Encrypt can be IND-CCA secure.

5.2 IPSec and Encrypt-then-MAC

Up to now, IPSec, which works in the Encrypt-then-MAC form, is the only protocol that works in the composite form and is generally secure in the network setting. While Encrypt-then-MAC can implement secure channels, its security also shows that CCA security is not necessary for a secure channel. In this section, we will discuss how secure Encrypt-then-MAC is in the sense of CVA, showing that CVA security may be sufficient to characterize the privacy requirements of secure channels. We recite the construction of Encrypt-then-MAC first:

Definition 6 (Construction of Encrypt-then-MAC scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication schemes respectively. We define the Encrypt-then-MAC paradigm EtM = (K, TE, DV) as follows:

K(k)
    K_E ← K_E(k),
    K_M ← K_M(k),
    return K_E, K_M.

TE_{K_E,K_M}(m)
    c′ ← E_{K_E}(m),
    t′ ← T_{K_M}(c′),
    return c′‖t′.

DV_{K_E,K_M}(c)
    parse c as c′‖t′,
    if V_{K_M}(c′, t′) = 1 then m ← D_{K_E}(c′), return m,
    else return ⊥.

Theorem 9 (Encrypt-then-MAC with a WUF-CMA secure MAC and an IND-CPA secure encryption is IND-CVA secure and INT-PTXT secure). Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let EtM = (K, TE, DV) be the composite encryption scheme constructed as per Definition 6. If the underlying encryption scheme SE is IND-CPA secure and the underlying MAC is WUF-CMA secure, then EtM is INT-PTXT secure and IND-CVA secure. Concretely,

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{EtM}(k) \le 2\,\mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA}(k) + \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE}(k),$ (1)

$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{EtM}(k) \le \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA}(k).$ (2)

For the proof of Theorem 9, we refer the reader to the Appendix.

Remark 5. Because of the reaction attack (recall Theorem 7 and Theorem 8), a MAC-then-Encrypt scheme built on an IND-CPA secure encryption may not be generally secure in terms of secure channels, which implies that IND-CPA is too weak to guarantee the security of a secure channel. On the other hand, as some papers have discussed, while Encrypt-then-MAC can implement secure channels, it need not be IND-CCA secure or INT-CTXT secure[1,3]. Then what degree of security should a scheme achieve to implement a secure channel? Theorem 9 shows that it should be both IND-CVA and INT-PTXT secure. Notice that the goal of a secure channel is to provide both integrity and privacy of data transmitted across networks[1,4]. The first goal means that any modification of messages produced by the attacker over the communication links should be detected and rejected by the recipient; the second goal means that, among the many messages exchanged in a session, when the attacker chooses a pair of “test messages” of which only one is sent, the attacker cannot guess correctly which one was sent with probability significantly greater than 1/2. In other words, the attacker against a secure channel is granted access to both the encryption oracle and the ciphertext verification oracle. It is just the access to both the encryption oracle and the ciphertext verification oracle that makes up the ability of an IND-CVA adversary. So we say that IND-CVA and INT-PTXT capture exactly the privacy and integrity requirements of a secure channel respectively.

6 Conclusions

IND-CVA is slightly stronger than IND-CPA, yet much weaker than IND-CCA, and can be satisfied by many popular schemes (e.g. OTP, CBC and CTR). IND-CVA provides a new criterion to measure the privacy of encryption schemes. It fills the gap between IND-CPA and IND-CCA, complementing the security measurements of encryption schemes. In particular, it exactly characterizes the privacy requirements of secure channels, providing a practicable reference for protocol designers.

Appendix Proof of some of the theorems

Proof of Theorem 5. Let SE = (K, E, D) be the given symmetric encryption scheme. Following the idea of ref. [9], we construct the scheme SE′ = (K, E′, D′) such that SE′ is IND-CVA secure but is not INT-PTXT secure. The idea is simple. A certain known string (or strings) will be viewed by D′ as valid and decrypted to certain known messages, so that forgery is easy. But these “ciphertexts” will never be produced by the encryption algorithm, so privacy will not be affected. Here are the details.

The new scheme SE′ = (K, E′, D′) has the same key generation algorithm as the old scheme and the following modified encryption and decryption algorithms:

E′_K(M)
    C′ ← E_K(M),
    C ← 0‖C′ where 0 is the bit 0,
    return C.

D′_K(C)
    parse C as b‖C′ where b is a bit,
    if b = 0 then M ← D_K(C′), return M,
    else return 0.

We present an attack on SE′, in the form of an adversary A who defeats the integrity of plaintexts with probability 1 using resources polynomial in the security parameter k. It works as follows:

A^{E′_K(·), D′*_K(·)}(k)
    submit the query 10 to the oracle D′*_K(·).

We observe that D′_K(10) = 0, meaning 10 is a valid ciphertext, and it decrypts to a message (namely 0) that the adversary has not queried of its oracle. So

$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{SE',A}(k) = 1.$

Also, A makes zero queries to E′_K(·) and one query to D′*_K(·), totaling 2 bits, and is certainly poly(k)-time (i.e. its time complexity is polynomial in the security parameter k).

To prove that SE′ is IND-CVA secure, it suffices to associate with any poly(k)-time adversary A attacking SE′ in the IND-CVA sense a poly(k)-time adversary B attacking SE in the IND-CVA sense such that

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE',A}(k) \le \mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE,B}(k).$

Adversary B simply simulates A and uses its oracles to answer A’s oracle queries in a straightforward manner as follows:

B^{E_K(LR(·,·,b)), D*_K(·)}(k)
    run A as follows:
        when A makes a query (M_{i,0}, M_{i,1}) to its left-or-right encryption oracle, do
            A ⇐ 0‖E_K(LR(M_{i,0}, M_{i,1}, b))
        when A makes a query C_i to its ciphertext verification oracle, do
            parse C_i as b_i‖C′_i where b_i is a bit,
            if b_i = 0 then A ⇐ D*_K(C′_i),
            else A ⇐ 1
    until A halts and returns b′,
    return b′.

The adversary B correctly simulates the oracles that A needs. As the code shows, it is easy for B to break the scheme if A can. Furthermore, the resource usage of both adversaries is clearly the same. Thus, if SE is IND-CVA secure, so is SE′.

Proof of Theorem 8. Given the OTP encryption scheme SE, as we have discussed in section 3.2, it is IND-CVA secure because it performs no verification at all on an arbitrary ciphertext. Now, we consider the following “OR” encoding scheme, which encodes a message x of n bits into a 2n-bit string x′ by representing each bit x_i (i = 1, . . . , n) of x with two bits of x′ as follows:

1. if bit x_i = 0 then the pair of bits (x′_{2i−1}, x′_{2i}) is set to (0, 0);
2. if bit x_i = 1 then the pair of bits (x′_{2i−1}, x′_{2i}) is set to (0, 1), (1, 0) or (1, 1) (by arbitrary random choice of the encrypting party).

We construct an encryption scheme SE′ as follows: to encrypt a string x, the “OR” encoding scheme is applied to x to obtain the string x′. Then the OTP scheme is applied to the string x′. For decrypting y = SE′(x), one first applies the decryption function of OTP to obtain x′, which is then decoded into x by mapping a pair (0, 0) into 0 and any pair (0, 1), (1, 0) or (1, 1) into 1.

It is easy to see that if a string y is the ciphertext of x, then the decryption of y is identical to the plaintext string x, and SE′ is IND-CVA secure just as the original SE is.

For any SUF-CMA secure MAC (e.g. HMAC) and the above encryption scheme SE′, we can construct an adversary A such that

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{MtE,A}(k) = \tfrac{2}{3}.$ (A1)

The adversary A works as follows:

A^{ind-cva}_{MtE}(k)
    C ← SE′(LR(0, 1, b)),
    flip the first two bits of the ciphertext C to get C′,
    submit C′ as a query to the verification oracle DV*(·): v ← DV*(C′),
    if v = 1 then return 1,
    else return 0.

Next, we calculate the success probability of adversary A.

Consider the decryption of the ciphertext C′. Let M′ be the first intermediate plaintext of C′, decrypted by the original OTP scheme, and M′′ the second intermediate plaintext decoded from M′ (M′′ would possibly not be the final plaintext, because it should be further verified by the MAC). Notice that, since the underlying MAC is SUF-CMA secure, v = 1 means that the second intermediate plaintext M′′ of C′ decrypted by SE′ is not new to the encryption scheme SE′. Since C′ comes from C by flipping its first two bits, if b = 0, the first two bits of M′ should be (1, 1) and the first bit of M′′ should be 1, implying the chance of v = 1 should be 0; if b = 1, the first two bits of M′ should be (0, 1), (1, 0) or (0, 0), and the first bit of M′′ should be 1 or 0 with probability 2/3 and 1/3 respectively. Thus

$\Pr[v = 1 \mid b = 1] = \tfrac{2}{3},$ (A2)

$\Pr[v = 1 \mid b = 0] = 0.$ (A3)

Notice that

$\Pr[v = 1] = \Pr[v = 1 \wedge b = 0] + \Pr[v = 1 \wedge b = 1] = 0 + \Pr[v = 1 \wedge b = 1] = \Pr[v = 1 \mid b = 1] \cdot \Pr[b = 1] = \tfrac{2}{3} \cdot \tfrac{1}{2} = \tfrac{1}{3},$ (A4)

and

$\Pr[v = 0] = 1 - \Pr[v = 1] = \tfrac{2}{3}.$ (A5)

Therefore

$\Pr[b = 1 \mid v = 1] = \Pr[v = 1 \wedge b = 1] / \Pr[v = 1] = \Pr[v = 1 \mid b = 1] \cdot \Pr[b = 1] / \Pr[v = 1] = \tfrac{2}{3} \cdot \tfrac{1}{2} / \tfrac{1}{3} = 1,$ (A6)

and

$\Pr[b = 1 \mid v = 0] = \Pr[v = 0 \wedge b = 1] / \Pr[v = 0] = \Pr[v = 0 \mid b = 1] \cdot \Pr[b = 1] / \Pr[v = 0] = \tfrac{1}{3} \cdot \tfrac{1}{2} / \tfrac{2}{3} = \tfrac{1}{4}.$ (A7)

Denote by b′ the return value of adversary A. From eqs. (A4)–(A7), we have

$\Pr[b' = b] = \Pr[b' = b \wedge v = 0] + \Pr[b' = b \wedge v = 1] = \Pr[b' = b \mid v = 0] \cdot \Pr[v = 0] + \Pr[b' = b \mid v = 1] \cdot \Pr[v = 1] = \tfrac{3}{4} \cdot \tfrac{2}{3} + 1 \cdot \tfrac{1}{3} = \tfrac{1}{2} + \tfrac{1}{3} = \tfrac{5}{6},$

and

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{MtE,A}(k) = 2\Pr[b' = b] - 1 = \tfrac{2}{3}.$

Eq. (A1) holds.
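The counter-example of Theorem 8, and the contrast with Encrypt-then-MAC from Section 5.2, as added Python that is not taken from the paper: the OTP keystream is HMAC-SHA256 of the IV and the SUF-CMA MAC is truncated HMAC-SHA256 (both assumptions); the same two-bit-flip adversary is run against MtE over the “OR” encoding, where its advantage approaches 2/3, and against EtM over the same scheme, where every modified ciphertext is rejected and the advantage is 0.

```python
import hmac
import hashlib
import random
import secrets

# Added example, not the paper's code. Assumed instantiation: the OTP keystream
# f(r) is HMAC-SHA256(key, r) (so strings are at most 256 bits) and the SUF-CMA
# MAC is HMAC-SHA256 truncated to TAG_BITS. Bit strings are Python lists of 0/1.
TAG_BITS = 32

def bits_of(data: bytes, n: int) -> list:
    """First n bits of a byte string, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)][:n]

def xor_pad(key: bytes, r: bytes, x: list) -> list:
    """x xor f(r) with f(r) truncated to |x| (the OTP(F) of Example 1)."""
    pad = bits_of(hmac.new(key, r, hashlib.sha256).digest(), len(x))
    return [a ^ b for a, b in zip(x, pad)]

def otp_encrypt(key: bytes, m: list) -> tuple:
    r = secrets.token_bytes(16)  # the random r of Example 1
    return r, xor_pad(key, r, m)

def or_encode(x: list, rng: random.Random) -> list:
    """'OR' encoding: 0 -> (0,0); 1 -> (0,1), (1,0) or (1,1), chosen at random."""
    out = []
    for bit in x:
        out += [0, 0] if bit == 0 else rng.choice([[0, 1], [1, 0], [1, 1]])
    return out

def or_decode(x2: list) -> list:
    return [x2[2 * i] | x2[2 * i + 1] for i in range(len(x2) // 2)]

def mac(key: bytes, m: list) -> list:
    return bits_of(hmac.new(key, bytes(m), hashlib.sha256).digest(), TAG_BITS)

# MAC-then-Encrypt (Definition 5) over SE' = OTP applied to the OR encoding.
def mte_encrypt(ke: bytes, km: bytes, m: list, rng: random.Random) -> tuple:
    return otp_encrypt(ke, or_encode(m + mac(km, m), rng))

def mte_verify(ke: bytes, km: bytes, r: bytes, c: list) -> int:
    """Verification oracle DV*: 1 iff DV would not return the invalid symbol."""
    d = or_decode(xor_pad(ke, r, c))
    m, t = d[:-TAG_BITS], d[-TAG_BITS:]
    return int(hmac.compare_digest(bytes(t), bytes(mac(km, m))))

# Encrypt-then-MAC (Definition 6) over the same SE'; the tag covers (r, c).
def etm_encrypt(ke: bytes, km: bytes, m: list, rng: random.Random) -> tuple:
    r, c = otp_encrypt(ke, or_encode(m, rng))
    return r, c, mac(km, bits_of(r, 128) + c)

def etm_verify(ke: bytes, km: bytes, r: bytes, c: list, t: list) -> int:
    return int(hmac.compare_digest(bytes(t), bytes(mac(km, bits_of(r, 128) + c))))

def flip_first_two(c: list) -> list:
    return [c[0] ^ 1, c[1] ^ 1] + c[2:]

# Theorem 8's adversary: encrypt LR(0, 1, b), flip the first two ciphertext
# bits, query the verification oracle and output its answer v as the guess b'.
def adversary_mte(ke: bytes, km: bytes, b: int, rng: random.Random) -> int:
    r, c = mte_encrypt(ke, km, [b], rng)
    return mte_verify(ke, km, r, flip_first_two(c))

def adversary_etm(ke: bytes, km: bytes, b: int, rng: random.Random) -> int:
    r, c, t = etm_encrypt(ke, km, [b], rng)
    return etm_verify(ke, km, r, flip_first_two(c), t)

def estimate(adversary, trials: int = 3000, seed: int = 1) -> tuple:
    """(Pr[b'=1 | b=0], Pr[b'=1 | b=1]); Adv^{ind-cva} is their difference."""
    rng = random.Random(seed)
    ke, km = secrets.token_bytes(32), secrets.token_bytes(32)
    return tuple(sum(adversary(ke, km, b, rng) for _ in range(trials)) / trials
                 for b in (0, 1))

if __name__ == "__main__":
    for name, adv in (("MtE", adversary_mte), ("EtM", adversary_etm)):
        p0, p1 = estimate(adv)
        print(f"{name}: Pr[v=1|b=0]={p0:.3f} Pr[v=1|b=1]={p1:.3f} Adv~{p1 - p0:.3f}")
```

The MtE estimate of Pr[v = 1 | b = 1] converges to the 2/3 of eq. (A2), and the EtM oracle answers 0 for every flipped ciphertext, matching Theorem 9.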

Proof of Theorem 9. Eq. (2) holds obviously, and we prove eq. (1) only. Let A be an effective attack algorithm against the IND-CVA security of EtM. Following the definition of IND-CVA, we consider the following attack games:

Game0, Game1
    K_E ← K_E(k); K_M ← K_M(k);
    run A:
        when A queries the encryption oracle TE_{K_E,K_M}(·) with (M0, M1), do
            c′ ← E_{K_E}(LR(M0, M1, b)),
            t′ ← T_{K_M}(c′); c ← c′‖t′,
            A ⇐ c.
        when A queries the verification oracle DV*_{K_E,K_M}(·) with c, do
            parse c as c′‖t′,
            if V_{K_M}(c′, t′) = 0 then A ⇐ 0,
            else A ⇐ D*_{K_E}(c′)   // replaced by A ⇐ 1 in Game1
    if A outputs b′, return b′.

Let S_i (i = 0, 1) be the event that the adversary A succeeds (i.e. b′ = b) in Game_i; then

$\tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{EtM,A}(k) + \tfrac{1}{2} = \Pr[S_0].$ (A8)

Next, we define E to be the event that V_{K_M}(c′, t′) = 1 and c′ was never returned by the encryption oracle E_{K_E}(·). When ¬E (the complement of E) occurs, i.e. V_{K_M}(c′, t′) = 0, or V_{K_M}(c′, t′) = 1 but c′ was already returned by the encryption oracle E_{K_E}(·), Game1 works exactly the same as Game0. Thus by the results of refs. [12, 13],

$\Pr[S_0] - \Pr[S_1] \le \Pr[E].$ (A9)

Obviously, given A, we can construct two new adversaries A′ and F such that the following hold:

$\Pr[E] \le \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA,F}(k),$ (A10)

$\Pr[S_1] \le \Pr^{\mathrm{ind\text{-}cpa}}_{SE,A'}[b' = b].$ (A11)

Combining eqs. (A8)–(A11), we have

$\tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{EtM,A}(k) + \tfrac{1}{2} = \Pr[S_0] \le \Pr[E] + \Pr[S_1] \le \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA,F}(k) + \Pr^{\mathrm{ind\text{-}cpa}}_{SE,A'}[b' = b] = \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA,F}(k) + \tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE,A'}(k) + \tfrac{1}{2}.$

Some algebraic manipulation leads to eq. (1).

1 Krawczyk H. The order of encryption and authentication for protecting communications (or: How Secure Is SSL?). In: Crypto’01, LNCS Vol. 2139. Berlin: Springer-Verlag, 2001. 310–331

2 Hall C, Goldberg I, Schneier B. Reaction attacks against several public-key cryptosystems. In: Varadharajan V, Mu Y, eds. Proceedings of Information and Communication Security, ICICS’99, vol. 1726. Berlin: Springer-Verlag, 1999. 2–12

3 An J H, Dodis Y, Rabin T. On the security of joint signature and encryption. In: Knudsen L, ed. Advances in Cryptology–EUROCRYPT 2002, vol. 2332 of Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2002. 83–107

4 Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B, ed. Advances in Cryptology–EUROCRYPT 2001, vol. 2045 of Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2001. 453–474. Extended version at http://eprint.iacr.org/2001/040

5 Canetti R, Krawczyk H. Universally composable notions of key exchange and secure channels. In: Eurocrypt’02, LNCS Vol. 2332. 2003. 337–351. Extended version at http://eprint.iacr.org/2002/059

6 Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, 2001. The latest full version is available at http://eprint.iacr.org/2000/067

7 Namprempre C. Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng Y, ed. Advances in Cryptology–ASIACRYPT 2002, Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2002

8 Goldwasser S, Bellare M. Lecture Notes on Cryptography. Summer course on cryptography, MIT, 1996–2001. Available from http://theory.lcs.mit.edu/shafi

9 Bellare M, Namprempre C. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto T, ed. Advances in Cryptology–ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2000. 531–545

10 Bellare M, Desai A, Jokipii E, et al. A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE Computer Society Press, 1997. 394–403

11 Hu Z Y, Lin D D, Wu W L. Security notes on the MAC-then-Encrypt paradigm. In: Proceedings of the Eighth International Conference for Young Computer Scientists, Beijing, China, 2005

12 Bellare M, Rogaway P. The game-playing technique. Cryptology ePrint Archive 2004/331, December 1, 2004. http://eprint.iacr.org/2004/331

13 Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive 2004/332, November 30, 2004. http://eprint.iacr.org/2004/332
