Re: Provable security of independent encryptions

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Mon, 21 Nov 2005 21:27:29 +0000 (UTC)

silentser@gmail.com wrote:
>How to measure security of the following construction:
>E'_k(x)=E_{f_k(x)}(x), where E - IND-CPA (IND-CCA2) and f - PRF? It is
>not really an encryption function, since no decryption can be
>performed, so can I use the standard indistinguishability definitions
>for E'_k(x) in order to check whether E'_k(x) leaks information about x
>or not?

The first place to start would be to try to identify what security
requirements you need E' to satisfy. The best place to start would
be to look at your application and see what your application actually
needs out of E'. Since I don't know your application, I don't know
what security goals are appropriate for E'. Once you can spell out
a precise security notion that E' needs to satisfy, you can then check
whether your particular construction meets that requirement through
standard "provable security" proof techniques.

For instance, one plausible requirement might be that, for all x,y
of the same length, we have E'_k(x) ~ E'_k(y). I think this notion
is achieved by your construction, assuming E is IND-CPA and f is a
PRF. Since f is a PRF, E_{f_k(x)}(x) ~ E_{R(x)}(x) ~ E_{R(x)}(y) ~
E_{R(y)}(y) ~ E_{f_k(y)}(y), where R is a uniform random function.

However, if this is the requirement you need, why not just use
f_k(x) directly instead of E'_k(x)? So probably I am not understanding
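
The hybrid chain in the reply above, written out step by step as an added note that is not part of the original post. It assumes the distinguisher D sees a single sample and that the range of f is the key space of E; the names H_0..H_4, Adv^{prf}_f and Adv^{ind-cpa}_E are notation introduced here for the intermediate distributions and for the best distinguishing advantages against f and E.

  H_0 = E_{f_k(x)}(x)
  H_1 = E_{R(x)}(x)
  H_2 = E_{R(x)}(y)
  H_3 = E_{R(y)}(y)
  H_4 = E_{f_k(y)}(y)

  |Pr[D(H_0)=1] - Pr[D(H_1)=1]| <= Adv^{prf}_f
      (D's gap yields a PRF distinguisher that queries its oracle once, at x,
       and encrypts x under the answer)
  |Pr[D(H_1)=1] - Pr[D(H_2)=1]| <= Adv^{ind-cpa}_E
      (R(x) is a uniformly random key; the IND-CPA challenge pair is (x,y))
  |Pr[D(H_2)=1] - Pr[D(H_3)=1]|  = 0
      (R(x) and R(y) are each a uniform key, so H_2 and H_3 are the same distribution)
  |Pr[D(H_3)=1] - Pr[D(H_4)=1]| <= Adv^{prf}_f
      (same reduction as the first step, with the query at y)

  Triangle inequality:
  |Pr[D(E'_k(x))=1] - Pr[D(E'_k(y))=1]| <= 2*Adv^{prf}_f + Adv^{ind-cpa}_E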
