Simulatable Channels: Extended Security that is Universally - - PowerPoint PPT Presentation

SLIDE 1

Simulatable Channels:

Extended Security that is Universally Composable and Easier to Prove.

ASIACRYPT 2018

• M. Fischlin
• J. P. Degabriele

1

SLIDE 2

What this talk is about…

• We propose and explore new security definitions for symmetric

encryption based on simulation.

• Our primary focus is on secure channels rather than nonce-based

encryption but it could be adapted to the latter.

• Conceptually

interesting, non-trivial to formalise, allow simpler proofs, and imply universal composability.

2

SLIDE 3

Outline of this talk

• Background and Motivation
• The New Definitions and Relations
• SSH-CTR and Universal Composability

3

SLIDE 4

Background and Motivation

4

SLIDE 5

Extensions of Symmetric Encryption

• Stateful Security: protects against replay and reordering of

ciphertexts [BKN02, KPB03, BHMS16].

• Leakage From Invalid Ciphertexts: protects against multiple

errors, release of unverified plaintext, and other forms of leakage [BDPS13, ABLMMY14, HKR14, BPS15].

• Encryption Supporting Fragmentation: encryption operating
• ver channels which may deliver ciphertexts in a fragmented

fashion [PW10, BDPS12, FGMP15, ADHP16].

5

SLIDE 6

The Price We Pay…

6

SLIDE 7

Compare to Nonce-based Encryption

• For nonce-based encryption, IND$-CPA and nAE are the security

notions of choice.

• Conceptually simpler, easier to prove, and stronger security.
• Inapplicable to channels due to specially formatted ciphertexts,

multiple errors, and don’t support fragmentation.

• Can IND$-CPA and nAE be generalized to more complex settings?

7

IND$-CPA nAE

A

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AB8nicbVA9SwNBEJ3zM5fUubxSBYhTsbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm5b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUrDBPcFixnBxkpBJ8FmQDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/k8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM4MhIV96MeU5QYPrIE8VsVkQGWGFi7Jdc+wR/uRF0jyt+l7Vv/MqtWuYogSHcAQn4MZ1OAW6tAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA=</latexit><latexit sha1_base64="fbCHEFfi3oPmzn90JPU1PpoQqo=">AB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX8G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm8gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICgmd4hTcHnRfn3flYjFacucY/sD5/AFvDpFT</latexit>

EK(·)

<latexit sha1_base64="0rtwkuk8resCpcvauL8ag73Ipio=">AB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7osiC4qWAf0IQwmUzboZNJmJkINR/pRsXirj1P9z5N07aLrT1wMDhnHu5Z06QMCqVbX8bhZXVtfWN4mZpa3tnd8/cP2jJOBWYNHMYtEJkCSMctJUVDHSQRBUcBIOxhe537kQhJY/6gRgnxItTntEcxUlryzSM3QmqAEctuxv5d1cVhrE59s2LX7CmsZeLMSaVeds8mANDwzS83jHEaEa4wQ1J2HTtRXoaEopiRclNJUkQHqI+6WrKUSkl03Tj60TrYRWLxb6cWVN1d8bGYqkHEWBnsyzykUvF/zuqnqXoZ5UmqCMezQ72UWSq28iqskAqCFRtpgrCgOquFB0grHRhJV2Cs/jlZdI6rzl2zbnXbVzBDEU4hjJUwYELqMtNKAJGJ5gAq/wZjwbL8a78TEbLRjznUP4A+PzBw60lmw=</latexit><latexit sha1_base64="tCcEX2Wi24AgEOxZt8WcZ3jAQ/E=">AB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7osiC4qWAf0IQwmUzaoZNMmJkIMR/wg9w40IRt/6Hu/6Nk7YLrR4YOJxzL/fM8RNGpbKsiVFaWl5ZXSuvVzY2t7Z3zN29juSpwKSNOeOi5yNJGI1JW1HFSC8RBEU+I1/dFn43XsiJOXxncoS4kZoENOQYqS05JkHToTUECOWX429m7qDA6OPbNmNawp4F9iz0mtWXVOnibNrOWZX07AcRqRWGpOzbVqLcHAlFMSPjipNKkiA8QgPS1zRGEZFuPk0/hkdaCWDIhX6xglP150aOIimzyNeTRVa56BXif14/VeG5m9M4SRWJ8exQmDKoOCyqgAEVBCuWaYKwoDorxEMkEFa6sIouwV78l/SOW3YVsO+1W1cgBnK4BUQR3Y4Aw0wTVogTbA4AE8g1fwZjwaL8a78TEbLRnznX3wC8bnNxgel/I=</latexit><latexit sha1_base64="chCBvIZpOxOC+lpqXgz2RhVkUfI=">AB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRBMFNBfuAJoTJZNIOncyEmYlQ/FX3LhQxK3/4c6/cdJmoa0HBg7n3Ms9c8KUaUd59taWl5ZXVuvbFQ3t7Z3du29/Y4SmcSkjQUTshciRjlpK2pZqSXSoKSkJFuOLoq/O4DkYoKfq/HKfETNOA0phpIwX2oZcgPcSI5deT4Lbu4Ujo08CuOQ1nCrhI3JLUQIlWYH95kcBZQrjGDCnVd51U+zmSmJGJlUvUyRFeIQGpG8oRwlRfj5NP4EnRolgLKR5XMOp+nsjR4lS4yQ0k0VWNe8V4n9eP9PxhZ9TnmacDw7FGcMagGLKmBEJcGajQ1BWFKTFeIhkghrU1jVlODOf3mRdM4artNw75xa87KsowKOwDGoAxecgya4AS3QBhg8gmfwCt6sJ+vFerc+ZqNLVrlzAP7A+vwB/CaU4w=</latexit>

$(·)

<latexit sha1_base64="wAaWJAREnXWA/0As7em8yUePHpE=">AB8HicbVDLSgNBEOyNrxhfUY9ehkQhIoRdL3oMevEYwTwku4TZ2dlkyMzsMjMrhCVf4cWDol79HG/+jZPHQaMFDUVN91dYcqZNq75RWVtfWN4qbpa3tnd298v5BWyeZIrRFEp6obog15UzSlmG026qKBYhp51wdD31Ow9UaZbIOzNOaSDwQLKYEWysdO8f13wSJea0X6dXcG9Jd4C1JtVPyzNwBo9sufpSQTFBpCMda9zw3NUGOlWGE0nJzRNMRnhAe1ZKrGgOshnB0/QiVUiFCfKljRopv6cyLHQeixC2ymwGeplbyr+5/UyE18GOZNpZqgk80VxpFJ0PR7FDFieFjSzBRzN6KyBArTIzNqGRD8JZf/kva53XPrXu3No0rmKMIR1CBGnhwAQ24gSa0gICAR3iGF0c5T86r8z5vLTiLmUP4BefjG8G5kTA=</latexit><latexit sha1_base64="kvQbR64bC6S3d89fMu3KEMlKz7A=">AB8HicbVDLSsNAFJ3UV62vqks3Q6tQEUriRpdFNy4r2Ic0oUwmk3boPMLMRAihX6ELF4q49XPc9W+cPhbaeuDC4Zx7ufeMGFUG9edOIW19Y3NreJ2aWd3b/+gfHjU1jJVmLSwZFJ1Q6QJo4K0DWMdBNFEA8Z6YSj26nfeSJKUykeTJaQgKOBoDHFyFjp0T+t+TiS5rxfrp1dwa4SrwFqTYq/sXLpJE1+VvP5I45UQYzJDWPc9NTJAjZShmZFzyU0ShEdoQHqWCsSJDvLZwWN4ZpUIxlLZEgbO1N8TOeJaZzy0nRyZoV72puJ/Xi818XWQU5Gkhg8XxSnDBoJp9/DiCqCDcsQVhReyvEQ6QNjajkg3BW35lbQv65b9+5tGjdgjiI4ARVQAx64Ag1wB5qgBTDg4Bm8gXdHOa/Oh/M5by04i5lj8AfO1w/LI5K2</latexit><latexit sha1_base64="gnMABHM74XK8Olxb3FDm3ImjLs8=">AB8HicbVA9T8MwEL2Ur1K+CowsFgWpLFXCAmMFC2OR6AdqospxnNaqHUe2g1RF/RUsDCDEys9h49/gthmg5UknPb13p7t7YcqZNq7ZTW1jc2t8rblZ3dvf2D6uFR8tMEdomkvVC7GmnCW0bZjhtJcqikXIaTc38787hNVmsnkwUxSGg8TFjMCDZWevTP6j6JpLkYVGtuw50DrRKvIDUo0BpUv/xIkzQxBCOte57bmqCHCvDCKfTip9pmIyxkPatzTBguognx8RedWiVAsla3EoLn6eyLHQuJCG2nwGakl72Z+J/Xz0x8HeQsSTNDE7JYFGcGYlm36OIKUoMn1iCiWL2VkRGWGFibEYVG4K3/PIq6Vw2PLfh3bu15k0RxlO4BTq4MEVNOEOWtAGAgKe4RXeHOW8O/Ox6K15BQzx/AHzucPrzqPpw=</latexit>

DK(·)

<latexit sha1_base64="TYEn3fxIJcDW0Yj5CtubMm95FCU=">AB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7os6kJwU8E+oAlhMpm2QyeTMDMRaij+SjcuFHrf7jzb5y0XWjrgYHDOfdyz5wgYVQq2/42Ciura+sbxc3S1vbO7p65f9CScSowaeKYxaITIEkY5aSpqGKkwiCoCRdjC8zv32IxGSxvxBjRLiRajPaY9ipLTkm0duhNQAI5bdjP27qovDWJ36ZsWu2VNYy8SZk0q97J5NAKDhm19uGOM0IlxhqTsOnaivAwJRTEj45KbSpIgPER90tWUo4hIL5umH1snWgmtXiz048qaqr83MhRJOYoCPZlnlYteLv7ndVPVu/QypNUEY5nh3ops1Rs5VYIRUEKzbSBGFBdVYLD5BAWOnCSroEZ/HLy6R1XnPsmnOv27iCGYpwDGWogMXUIdbaEATMDzBF7hzXg2Xox342M2WjDmO4fwB8bnDw0mlms=</latexit><latexit sha1_base64="yOmxWOF+TZC/1xTnXTGrjMijB4=">AB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7os6kJwU8E+oAlhMpm0QyeZMDMRYij+hB/gxoUibv0Pd/0bJ20XWj0wcDjnXu6Z4yeMSmVZE6O0tLyulZer2xsbm3vmLt7HclTgUkbc8ZFz0eSMBqTtqKkV4iCIp8Rr+6Lwu/dESMrjO5UlxI3QIKYhxUhpyTMPnAipIUYsvxp7N3UHB1wde2bNalhTwL/EnpNas+qcPE2aWcszv5yA4zQiscIMSdm3rUS5ORKYkbGFSeVJEF4hAakr2mMIiLdfJp+DI+0EsCQC/1iBafqz40cRVJmka8ni6xy0SvE/7x+qsJzN6dxkioS49mhMGVQcVhUAQMqCFYs0wRhQXVWiIdIKx0YRVdgr345b+kc9qwrYZ9q9u4ADOUwSGogjqwRlogmvQAm2AwQN4Bq/gzXg0Xox342M2WjLmO/vgF4zPbxaQl/E=</latexit><latexit sha1_base64="JjpN+gTLRwz/DiCd6uz9DPEgmQ=">AB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRF4KbCvYBTQiTyaQdOpkJMxOhuKvuHGhiFv/w51/46TNQlsPDBzOuZd75oQpo0o7zre1tLyurZe2ahubm3v7Np7+x0lMolJGwsmZC9EijDKSVtTzUgvlQlISPdcHRV+N0HIhUV/F6PU+InaMBpTDHSRgrsQy9BeogRy68nwW3dw5HQp4FdcxrOFHCRuCWpgRKtwP7yIoGzhHCNGVKq7zqp9nMkNcWMTKpepkiK8AgNSN9QjhKi/HyafgJPjBLBWEjzuIZT9fdGjhKlxkloJousat4rxP+8fqbjCz+nPM04Xh2KM4Y1AIWVcCISoI1GxuCsKQmK8RDJBHWprCqKcGd/Ii6Zw1XKfh3jm15mVZRwUcgWNQBy4B01wA1qgDTB4BM/gFbxZT9aL9W59zEaXrHLnAPyB9fkD+piU4g=</latexit>

⊥(·)

<latexit sha1_base64="vrLzqGHTnv+nej60jLWmgjXGLU=">AB8nicbVDLSsNAFL3xWeur6tJNaBEqQknc6LoxmUF+4AklMlk0g6dZMLMjVBCP8ONCx+49Wvc+TdOHwtPXDhcM693HtPmAmu0XG+rbX1jc2t7dJOeXdv/+CwcnTc0TJXlLWpFL1QqKZ4ClrI0fBepliJAkF64aj26nfWRKc5k+4DhjQUIGKY85JWgkzw8l1n0aSTzvV2pOw5nBXiXugtSaVf/iDQBa/cqXH0maJyxFKojWnutkGBREIaeCTcp+rlG6IgMmGdoShKmg2J28sQ+M0pkx1KZStGeqb8nCpJoPU5C05kQHOplbyr+53k5xtdBwdMsR5bS+aI4FzZKe/q/HXHFKIqxIYQqbm616ZAoQtGkVDYhuMsvr5LOZcN1Gu69SeMG5ijBKVShDi5cQRPuoAVtoCDhCV7g1ULr2Xq3Puata9Zi5gT+wPr8AcuXkmU=</latexit><latexit sha1_base64="y3fB8khcv+DKumfMr5p9yjvZaTE=">AB8nicbVDLSsNAFJ3UV62vqks3Q4tQEUriRpdFNy4r2AckoUwmk3boJBNmboQ+he6caGIW7/GXf/G6WOhrQcuHM65l3vCVLBNdj21CptbG5t75R3K3v7B4dH1eOTrpaZoqxDpZCqHxDNBE9YBzgI1k8VI3EgWC8Y38383hNTmsvkEfKU+TEZJjzilICRXC+Q0PBoKOFiUK3bTXsOvE6cJam3at7l87SVtwfVby+UNItZAlQrV3HTsEviAJOBZtUvEyzlNAxGTLX0ITETPvF/OQJPjdKiCOpTCWA5+rviYLEWudxYDpjAiO96s3E/zw3g+jGL3iSZsASulgUZQKDxLP/cgVoyByQwhV3NyK6YgoQsGkVDEhOKsvr5PuVdOxm86DSeMWLVBGZ6iGshB16iF7lEbdRBFEr2gN/RugfVqfVifi9aStZw5RX9gf0A1QGT6w=</latexit><latexit sha1_base64="Q5DvWNGTG5Q+1t6IsQ5fKlcJVo=">AB8nicbVBNS8NAEN3Ur1q/qh69LBahXkriRY9FLx4r2A9IQtlsNu3SzW7YnQgl9Gd48aCIV3+N/+N2zYHbX0w8Hhvhpl5USa4Adf9diobm1vbO9Xd2t7+weFR/fikZ1SuKetSJZQeRMQwSXrAgfBplmJI0E60eTu7nf2LacCUfYZqxMCUjyRNOCVjJDyIFzYDGCi6H9YbchfA68QrSQOV6AzrX0GsaJ4yCVQY3zPzSAsiAZOBZvVgtywjNAJGTHfUklSZsJicfIMX1glxonStiTghfp7oiCpMdM0sp0pgbFZ9ebif56fQ3ITFlxmOTBJl4uSXGBQeP4/jrlmFMTUEkI1t7diOiaULAp1WwI3urL6R31fLclvfgNtq3ZRxVdIbOURN56Bq10T3qoC6iSKFn9IreHBenHfnY9lacqZU/QHzucPuRiQ3A=</latexit>

A

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AB8nicbVA9SwNBEJ3zM5fUubxSBYhTsbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm5b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUrDBPcFixnBxkpBJ8FmQDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/k8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM4MhIV96MeU5QYPrIE8VsVkQGWGFi7Jdc+wR/uRF0jyt+l7Vv/MqtWuYogSHcAQn4MZ1OAW6tAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA=</latexit><latexit sha1_base64="fbCHEFfi3oPmzn90JPU1PpoQqo=">AB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX8G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm8gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICgmd4hTcHnRfn3flYjFacucY/sD5/AFvDpFT</latexit>

EK(·)

<latexit sha1_base64="0rtwkuk8resCpcvauL8ag73Ipio=">AB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7osiC4qWAf0IQwmUzboZNJmJkINR/pRsXirj1P9z5N07aLrT1wMDhnHu5Z06QMCqVbX8bhZXVtfWN4mZpa3tnd8/cP2jJOBWYNHMYtEJkCSMctJUVDHSQRBUcBIOxhe537kQhJY/6gRgnxItTntEcxUlryzSM3QmqAEctuxv5d1cVhrE59s2LX7CmsZeLMSaVeds8mANDwzS83jHEaEa4wQ1J2HTtRXoaEopiRclNJUkQHqI+6WrKUSkl03Tj60TrYRWLxb6cWVN1d8bGYqkHEWBnsyzykUvF/zuqnqXoZ5UmqCMezQ72UWSq28iqskAqCFRtpgrCgOquFB0grHRhJV2Cs/jlZdI6rzl2zbnXbVzBDEU4hjJUwYELqMtNKAJGJ5gAq/wZjwbL8a78TEbLRjznUP4A+PzBw60lmw=</latexit><latexit sha1_base64="tCcEX2Wi24AgEOxZt8WcZ3jAQ/E=">AB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7osiC4qWAf0IQwmUzaoZNMmJkIMR/wg9w40IRt/6Hu/6Nk7YLrR4YOJxzL/fM8RNGpbKsiVFaWl5ZXSuvVzY2t7Z3zN29juSpwKSNOeOi5yNJGI1JW1HFSC8RBEU+I1/dFn43XsiJOXxncoS4kZoENOQYqS05JkHToTUECOWX429m7qDA6OPbNmNawp4F9iz0mtWXVOnibNrOWZX07AcRqRWGpOzbVqLcHAlFMSPjipNKkiA8QgPS1zRGEZFuPk0/hkdaCWDIhX6xglP150aOIimzyNeTRVa56BXif14/VeG5m9M4SRWJ8exQmDKoOCyqgAEVBCuWaYKwoDorxEMkEFa6sIouwV78l/SOW3YVsO+1W1cgBnK4BUQR3Y4Aw0wTVogTbA4AE8g1fwZjwaL8a78TEbLRnznX3wC8bnNxgel/I=</latexit><latexit sha1_base64="chCBvIZpOxOC+lpqXgz2RhVkUfI=">AB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRBMFNBfuAJoTJZNIOncyEmYlQ/FX3LhQxK3/4c6/cdJmoa0HBg7n3Ms9c8KUaUd59taWl5ZXVuvbFQ3t7Z3du29/Y4SmcSkjQUTshciRjlpK2pZqSXSoKSkJFuOLoq/O4DkYoKfq/HKfETNOA0phpIwX2oZcgPcSI5deT4Lbu4Ujo08CuOQ1nCrhI3JLUQIlWYH95kcBZQrjGDCnVd51U+zmSmJGJlUvUyRFeIQGpG8oRwlRfj5NP4EnRolgLKR5XMOp+nsjR4lS4yQ0k0VWNe8V4n9eP9PxhZ9TnmacDw7FGcMagGLKmBEJcGajQ1BWFKTFeIhkghrU1jVlODOf3mRdM4artNw75xa87KsowKOwDGoAxecgya4AS3QBhg8gmfwCt6sJ+vFerc+ZqNLVrlzAP7A+vwB/CaU4w=</latexit>

$(·)

<latexit sha1_base64="wAaWJAREnXWA/0As7em8yUePHpE=">AB8HicbVDLSgNBEOyNrxhfUY9ehkQhIoRdL3oMevEYwTwku4TZ2dlkyMzsMjMrhCVf4cWDol79HG/+jZPHQaMFDUVN91dYcqZNq75RWVtfWN4qbpa3tnd298v5BWyeZIrRFEp6obog15UzSlmG026qKBYhp51wdD31Ow9UaZbIOzNOaSDwQLKYEWysdO8f13wSJea0X6dXcG9Jd4C1JtVPyzNwBo9sufpSQTFBpCMda9zw3NUGOlWGE0nJzRNMRnhAe1ZKrGgOshnB0/QiVUiFCfKljRopv6cyLHQeixC2ymwGeplbyr+5/UyE18GOZNpZqgk80VxpFJ0PR7FDFieFjSzBRzN6KyBArTIzNqGRD8JZf/kva53XPrXu3No0rmKMIR1CBGnhwAQ24gSa0gICAR3iGF0c5T86r8z5vLTiLmUP4BefjG8G5kTA=</latexit><latexit sha1_base64="kvQbR64bC6S3d89fMu3KEMlKz7A=">AB8HicbVDLSsNAFJ3UV62vqks3Q6tQEUriRpdFNy4r2Ic0oUwmk3boPMLMRAihX6ELF4q49XPc9W+cPhbaeuDC4Zx7ufeMGFUG9edOIW19Y3NreJ2aWd3b/+gfHjU1jJVmLSwZFJ1Q6QJo4K0DWMdBNFEA8Z6YSj26nfeSJKUykeTJaQgKOBoDHFyFjp0T+t+TiS5rxfrp1dwa4SrwFqTYq/sXLpJE1+VvP5I45UQYzJDWPc9NTJAjZShmZFzyU0ShEdoQHqWCsSJDvLZwWN4ZpUIxlLZEgbO1N8TOeJaZzy0nRyZoV72puJ/Xi818XWQU5Gkhg8XxSnDBoJp9/DiCqCDcsQVhReyvEQ6QNjajkg3BW35lbQv65b9+5tGjdgjiI4ARVQAx64Ag1wB5qgBTDg4Bm8gXdHOa/Oh/M5by04i5lj8AfO1w/LI5K2</latexit><latexit sha1_base64="gnMABHM74XK8Olxb3FDm3ImjLs8=">AB8HicbVA9T8MwEL2Ur1K+CowsFgWpLFXCAmMFC2OR6AdqospxnNaqHUe2g1RF/RUsDCDEys9h49/gthmg5UknPb13p7t7YcqZNq7ZTW1jc2t8rblZ3dvf2D6uFR8tMEdomkvVC7GmnCW0bZjhtJcqikXIaTc38787hNVmsnkwUxSGg8TFjMCDZWevTP6j6JpLkYVGtuw50DrRKvIDUo0BpUv/xIkzQxBCOte57bmqCHCvDCKfTip9pmIyxkPatzTBguognx8RedWiVAsla3EoLn6eyLHQuJCG2nwGakl72Z+J/Xz0x8HeQsSTNDE7JYFGcGYlm36OIKUoMn1iCiWL2VkRGWGFibEYVG4K3/PIq6Vw2PLfh3bu15k0RxlO4BTq4MEVNOEOWtAGAgKe4RXeHOW8O/Ox6K15BQzx/AHzucPrzqPpw=</latexit>

SLIDE 8

New Definitions and Relations

8

SLIDE 9

Syntax

• We consider two types of encryption schemes:
• Atomic:

! ← ℰ$(&) ; ((, &) ← *$(!)

• where ( ∈ {⊤, ⊥} and & corresponds respectively to a message or a

leakage string.

• Supporting Ciphertext Fragmentation:

! ← ℰ$(&) ; (0, &0 … ((2, &2) ← *$(3)

• where 4 ∈ {0,1,2, … }.

9

SLIDE 10

Encryption Simulatability (ES)

• IND$ can be viewed as requiring encryption to be simulatable, where

in this case the simulator is of a specific type.

• Then a natural generalization is to require the existence of an efficient

simulator ! such that "[$ℰ& ⋅ ⇒ 1] − "[$, ⋅ ⇒ 1] ≤ . .

• However this does not quite work, encryption could leak the message

and still be simulatable!

• Replacing ,(⋅) with ,(| ⋅ |) solves the issue.

10

SLIDE 11

Encryption Simulatability (ES)

IND$-CPA ⟹ ES ⟺ IND-CPA

• For any IND-CPA scheme, we can let # ℓ = ℰ'

((*ℓ) for a key '

, sampled independently (simulator is stateful).

• However the equivalence does not extend to chosen-ciphertext security:

ES-CCA ⟸ IND-CCA

• If we further require the simulator to be stateless we get key-privacy.

ES ∧ Stateless(#) ⟹ KP-CPA

11

SLIDE 12

Decryption Simulatability (DS)

• Similarly, we can consider a notion where we require decryption to

be simulatable.

• Then DS requires the existence of an efficient simulator ! such that

"[$ℰ& ⋅ ,)& ⋅ ⇒ 1] − "[$ℰ& ⋅ ,. ⋅ ⇒ 1] ≤ 0 .

• To be satisfiable, we need, as usual, to suppress/prohibit queries from

ℰ1 ⋅ to . ⋅ .

• Alternatively, in this case, we can give the simulator access to a

transcript of the encryption queries.

12

SLIDE 13

Decryption Simulatability (DS)

• Intuitively, the information in the transcript is already known to the

adversary and should not degrade security.

• However, if ! is given unrestricted access to the transcript then

IND-CPA ⋀ DS ⟹ IND-CCA.

13

S(·)

<latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJUBw0g+mN4XfyRSUcEf9CwhfozGnEYUI2kV3YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit><latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJUBw0g+mN4XfyRSUcEf9CwhfozGnEYUI2kV3YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit><latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJUBw0g+mN4XfyRSUcEf9CwhfozGnEYUI2kV3YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit>

W

<latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit>

EK(·)

<latexit sha1_base64="0rtwkuk8resCpcvauL8ag73Ipio=">AB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7osiC4qWAf0IQwmUzboZNJmJkINR/pRsXirj1P9z5N07aLrT1wMDhnHu5Z06QMCqVbX8bhZXVtfWN4mZpa3tnd8/cP2jJOBWYNHMYtEJkCSMctJUVDHSQRBUcBIOxhe537kQhJY/6gRgnxItTntEcxUlryzSM3QmqAEctuxv5d1cVhrE59s2LX7CmsZeLMSaVeds8mANDwzS83jHEaEa4wQ1J2HTtRXoaEopiRclNJUkQHqI+6WrKUSkl03Tj60TrYRWLxb6cWVN1d8bGYqkHEWBnsyzykUvF/zuqnqXoZ5UmqCMezQ72UWSq28iqskAqCFRtpgrCgOquFB0grHRhJV2Cs/jlZdI6rzl2zbnXbVzBDEU4hjJUwYELqMtNKAJGJ5gAq/wZjwbL8a78TEbLRjznUP4A+PzBw60lmw=</latexit><latexit sha1_base64="tCcEX2Wi24AgEOxZt8WcZ3jAQ/E=">AB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7osiC4qWAf0IQwmUzaoZNMmJkIMR/wg9w40IRt/6Hu/6Nk7YLrR4YOJxzL/fM8RNGpbKsiVFaWl5ZXSuvVzY2t7Z3zN29juSpwKSNOeOi5yNJGI1JW1HFSC8RBEU+I1/dFn43XsiJOXxncoS4kZoENOQYqS05JkHToTUECOWX429m7qDA6OPbNmNawp4F9iz0mtWXVOnibNrOWZX07AcRqRWGpOzbVqLcHAlFMSPjipNKkiA8QgPS1zRGEZFuPk0/hkdaCWDIhX6xglP150aOIimzyNeTRVa56BXif14/VeG5m9M4SRWJ8exQmDKoOCyqgAEVBCuWaYKwoDorxEMkEFa6sIouwV78l/SOW3YVsO+1W1cgBnK4BUQR3Y4Aw0wTVogTbA4AE8g1fwZjwaL8a78TEbLRnznX3wC8bnNxgel/I=</latexit><latexit sha1_base64="chCBvIZpOxOC+lpqXgz2RhVkUfI=">AB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRBMFNBfuAJoTJZNIOncyEmYlQ/FX3LhQxK3/4c6/cdJmoa0HBg7n3Ms9c8KUaUd59taWl5ZXVuvbFQ3t7Z3du29/Y4SmcSkjQUTshciRjlpK2pZqSXSoKSkJFuOLoq/O4DkYoKfq/HKfETNOA0phpIwX2oZcgPcSI5deT4Lbu4Ujo08CuOQ1nCrhI3JLUQIlWYH95kcBZQrjGDCnVd51U+zmSmJGJlUvUyRFeIQGpG8oRwlRfj5NP4EnRolgLKR5XMOp+nsjR4lS4yQ0k0VWNe8V4n9eP9PxhZ9TnmacDw7FGcMagGLKmBEJcGajQ1BWFKTFeIhkghrU1jVlODOf3mRdM4artNw75xa87KsowKOwDGoAxecgya4AS3QBhg8gmfwCt6sJ+vFerc+ZqNLVrlzAP7A+vwB/CaU4w=</latexit>

A

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AB8nicbVA9SwNBEJ3zM5fUubxSBYhTsbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm5b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUrDBPcFixnBxkpBJ8FmQDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/k8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM4MhIV96MeU5QYPrIE8VsVkQGWGFi7Jdc+wR/uRF0jyt+l7Vv/MqtWuYogSHcAQn4MZ1OAW6tAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA=</latexit><latexit sha1_base64="fbCHEFfi3oPmzn90JPU1PpoQqo=">AB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX8G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm8gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICgmd4hTcHnRfn3flYjFacucY/sD5/AFvDpFT</latexit>

T

<latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit>

• Problem: The simulator can use the

transcript to answer queries not in the transcript!

• Solution: Control the simulator’s

access to the transcript via a fixed wrapper algorithm $.

SLIDE 14

Relations Between ES and DS

• As desired, DS reduces chosen-ciphertext security to chosen-

plaintext security: IND-CPA ∧ DS ⟹ IND-CCA where an ES version also holds.

• On the other hand:

IND-CCA ⟹ DS but ES-CCA ⟹ DS thereby establishing a relation between encryption simulatability and decryption simulatability.

14

SLIDE 15

DS and Ciphertext Integrity

• We can formulate ciphertext integrity as a special case of decryption

simulatability by imposing an extra requirement on the simulator.

• Informally, a scheme is DS-I secure if it is DS secure, and the

simulator ! always returns outputs "# $%& #"'( (⊥, ,).

• Thus if a scheme is shown to be DS, ciphertext integrity follows

simply from the design of the simulator.

• As expected, it can be shown that:

DS-I ⟹ INT-CTXT

15

SLIDE 16

Combining ES and DS-I

• We can now combine encryption simulatability and decryption

simulatability into a single notion (ES ∧ DS-I).

• ∃#$, #&∀( it holds )[(ℰ, ⋅ ,., ⋅ ⇒ 1]−)[(#3 |⋅| ,5[#6] ⋅ ⇒ 1] ≤ 8 .
• Intuitively it says that oracle access to the channel provides no

additional computational abilities to the adversary.

• It’s an IND-CCA/AE type of definition with no prohibited queries!

16

SLIDE 17

The Case of SSH

17

Encrypt PRF-MAC

Payload Ciphertext MAC tag Sequence Number

4

Packet Length

4

Pad Len 1 Padding

≥4

• Encode-then-Encrypt&MAC construction.
• Decryption: (a) decrypt the Packet Length field,

(b) wait until that many bytes are received, (c) resume decrypting the rest of the ciphertext.

SLIDE 18

SSH Cannot Satisfy ES ∧ DS-I

• Problem: In the fragmentation setting "# needs to identify ciphertext

boundaries in order to determine when to return an output.

• At the same time, for "$ to be a good simulator the contents of the

length field should remain hidden (if the encryption is good).

• Solution: Let "$ and "# share randomness or memory.
• We go a step further and replace them with a single simulator

(with an encryption interface and a decryption interface).

18

SLIDE 19

Channel Simulatability

• This leads us to the following definition:

∃"∀$ such that +[$ℰ. ⋅ ,1. ⋅ ⇒ 1]−+[$" 6,|⋅| ,8["] 9,⋅ ⇒ 1] ≤ ; .

• Satisfiable by a larger class of schemes while retaining all the

nice properties of ES ∧ DS-I. CS-I ⟹ IND-CCA, INT-CTXT

• New proof goal: transform the scheme, through a sequence of game

hops, into an algorithm devoid of the secret key and the message.

19

SLIDE 20

SSH-CTR and Universal Composability

20

SLIDE 21

21

• alg. SSH-CTR-EK(m)

1 :

parse K as (Ke, Km, IV )

2 :

if e-seqnr = 0

3 :

e-ctr Ω IV / / initialise on first call

4 :

mlen Ω |m|B

5 :

/ / calculate padding length

6 :

padlen Ω blocksize ≠ (5 + mlen)%blocksize

7 :

if padlen < 4

8 :

padlen Ω padlen + blocksize

9 :

/ / encode the message

10 :

pad ⌘ {0, 1}padlen·8

11 :

len Ω 1 + mlen + padlen

12 :

ptxt Ω ÈlenÍ32 Î ÈpadlenÍ8 Î m Î pad

13 :

/ / encrypt and mac

14 :

τ Ω MAC(Km, Èe-seqnrÍ32 Î ptxt)

15 :

z Ω ε

16 :

while |z| < |ptxt|

17 :

z Ω z Î BC(Ke, e-ctr)

18 :

e-ctr Ω e-ctr + 1

19 :

c Ω (ptxt ü z) Î τ

20 :

e-seqnr Ω e-seqnr + 1

21 :

return c

• alg. SSH-CTR-DK(f)

1 :

parse K as (Ke, Km, IV )

2 :

if d-seqnr = 0 · α = ε

3 :

d-ctr Ω IV / / initialise on first call

4 :

if closed

5 :

• ut Ω (‹, CONN_CLOSED); break

6 :

α Ω α Î f; out Ω ε / / update buffer and reset output

7 :

while (true) / / process buffer (α)

8 :

if |α|B < blocksize

9 :

break / / first ciphertext block is incomplete

10 :

/ / decrypt first ciphertext block

11 :

ptxtÕ Ω α[1, blocksize] ü BC(Ke, d-ctr)

12 :

d-ctr Ω d-ctr + 1

13 :

clen Ω ÈptxtÕ[1, 32]Í≠1 + 4 + macsize

14 :

inRange Ω (16 + macsize Æ clen Æ 35000)

15 :

isMult Ω ((clen ≠ macsize)%blocksize ”= 0)

16 :

if ¬ inRange ‚ isMult / / validate length

17 :

• ut Ω out Î (‹, INVALID_LENGTH)

18 :

closed Ω true; break

19 :

if |α|B < clen

20 :

break / / wait to complete ciphertext

21 :

z Ω ε / / decrypt and verify mac

22 :

while |z| < (clen ≠ blocksize ≠ macsize)

23 :

z Ω z Î BC(Ke, e-ctr)

24 :

d-ctr Ω d-ctr + 1

25 :

ptxtÕ Ω ptxtÕ Î z ü α[blocksize + 1, clen ≠ macsize]B

26 :

τ Õ Ω α[clen ≠ macsize + 1, clen]B

27 :

α Ω α[clen + 1, ú]B / / remove decrypted ciphertext

28 :

if τ Õ ”= MAC(Km, Èd-seqnrÍ32 Î ptxtÕ)

29 :

• ut Ω out Î (‹, INVALID_MAC)

30 :

closed Ω true; break

31 :

padlen Ω ÈptxtÕ[5, 5]BÍ≠1 / / validate padding length

32 :

mlenÕ Ω clen ≠ padlen ≠ 4 ≠ 1 ≠ macsize

33 :

if (mlenÕ > 32789) ‚ (mlenÕ < 1)

34 :

• ut Ω out Î (‹, INVALID_PAD_LENGTH)

35 :

closed Ω true; break

36 :

mÕ Ω ptxtÕ[6, clen ≠ macsize ≠ padlen]B

37 :

• ut Ω out Î (€, mÕ)

38 :

d-seqnr Ω d-seqnr + 1

39 :

return out

36

• SSH-CTR in OpenSSH was

analysed in [PW10] using a different security model supporting fragmentation.

• We provide a considerably

simpler proof showing that SSH-CTR is CS-I secure.

• Corollary: SSH-CTR is

universally composable.

SLIDE 22

UC Secure Channel [CK02]

22

[Channel] P1 P2 m m |m| deliver Sim Env ℱSC [CE] ℱSC (EstCh,sid,P1,P2) Ideal World (without corruptions)

SLIDE 23

Compare to Channel Simulatability

23

A

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AB8nicbVA9SwNBEJ3zM5fUubxSBYhTsbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm5b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUrDBPcFixnBxkpBJ8FmQDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/k8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM4MhIV96MeU5QYPrIE8VsVkQGWGFi7Jdc+wR/uRF0jyt+l7Vv/MqtWuYogSHcAQn4MZ1OAW6tAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA=</latexit><latexit sha1_base64="fbCHEFfi3oPmzn90JPU1PpoQqo=">AB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX8G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm8gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICgmd4hTcHnRfn3flYjFacucY/sD5/AFvDpFT</latexit>

T

<latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYJq3fPcxPgZVYzgbNyP9WYUDahI+xZKmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit>

CS-I Simulated World

• The

simulated world in CS-I corresponds quite closely to the ideal world in the UC setting.

• ⋅ + # + T ⟶ ℱ&' [Channel]

( ⟶ Env + P1 + P2 )(+/-,⋅) ⟶ Sim

S(e, | · |)

<latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCv5n4=">AB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakpiRacVLFUkQHqEB6RnKUyUn83yT+GxUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md16m7t+fVxlVRxkcgiNQAy64A1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A=</latexit><latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCv5n4=">AB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakpiRacVLFUkQHqEB6RnKUyUn83yT+GxUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md16m7t+fVxlVRxkcgiNQAy64A1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A=</latexit><latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCv5n4=">AB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakpiRacVLFUkQHqEB6RnKUyUn83yT+GxUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md16m7t+fVxlVRxkcgiNQAy64A1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A=</latexit>

S(d, ·)

<latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOfmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr271YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte53kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w=</latexit><latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOfmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr271YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte53kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w=</latexit><latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOfmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr271YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte53kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w=</latexit>

W

<latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTJi5EUroZ7hxoYhbv8adf+OkzUJbDwczrmXOfeEqRQGXfbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk8gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit>

SLIDE 24

Summary and Concluding Remarks

• The aim was to generalize IND$ and reached a notion that is

very close to a UC secure channel (Channel Simulatability).

• Arguably, CS is easier to use and understand than UC.
• It is closer in spirit to AE/CCA but more versatile, devoid of

prohibited queries. 24