Re: Provable security of independent encryptions

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 11/21/05

• Next message: Douglas A. Gwyn: "Re: can we find one-way trapdoor funcation family from the theory of calculus"
• Previous message: Andrew Swallow: "Re: can we find one-way trapdoor funcation family from the theory of calculus"
• In reply to: silentser_at_gmail.com: "Re: Provable security of independent encryptions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 21 Nov 2005 21:27:29 +0000 (UTC)

silentser@gmail.com wrote:
>How to measure security of the following construction:
>E'_k(x)=E_{f_k(x)}(x), where E - IND-CPA (IND-CCA2) and f - PRF? It is
>not really an encryption function, since no decryption can be
>performed, so can I use the standard indistinguishability definitions
>for E'_k(x) in order to check whether E'_k(x) leaks information about x
>or not?

The first place to start would be to try to identify what security
requirements you need E' to satisfy. The best place to start would
be to look at your application and see what your application actually
needs out of E'. Since I don't know your application, I don't know
what security goals are appropriate for E'. Once you can spell out
a precise security notion that E' needs to satisfy, you can then check
whether your particular construction meets that requirement through
standard "provable security" proof techniques.

For instance, one plausible requirement might be that, for all x,y
of the same length, we have E'_k(x) ~ E'_k(y). I think this notion
is achieved by your construction, assuming E is IND-CPA and f is a
PRF. Since f is a PRF, E_{f_k(x)}(x) ~ E_{R(x)}(x) ~ E_{R(x)}(y) ~
E_{R(y)}(y) ~ E_{f_k(y)}(y), where R is a uniform random function.

However, if this is the requirement you need, why not just use
f_k(x) directly instead of E'_k(x)? So probably I am not understanding
something about your application.

---

• Next message: Douglas A. Gwyn: "Re: can we find one-way trapdoor funcation family from the theory of calculus"
• Previous message: Andrew Swallow: "Re: can we find one-way trapdoor funcation family from the theory of calculus"
• In reply to: silentser_at_gmail.com: "Re: Provable security of independent encryptions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Olympics ... and tax and security costs have risen." ... The best fit is "Construction" plus ... ps The tax cost hasn't "risen" except in a usenet pedant sort of way. ... (uk.railway) Re: Israel capitalizing on an international demand ... >The Russian government is mulling the construction of a security barrier ... >along the border with Chechnya similar to Israel's West Bank security fence ... >security fence and Israel's overall success in fighting Palestinian terror. ... >back in Russia and recommend it as a viable means to fight terror. ... (alt.religion.islam) Re: Provable security of independent encryptions ... How to measure security of the following construction: ... not really an encryption function, since no decryption can be ... (sci.crypt) Re: Event id 627 ... The site is still under construction, ... > it's got nothing to do with Windows security. ... >> Type Failure Audit ... >> Audit message for a Change Password Attempt operation. ... (microsoft.public.win2000.security) Re: bootstrapping a secure channel ... >> that Alice and Bob recognize each others voices. ... The security of this rests on an assumption ... >> There is another standard approach to this kind of problem, ... Sharing this secret would require a secure channel, ... (sci.crypt)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > sci.crypt  > 2005-11