Computational Soundness, Co-induction, and Encryption Cycles

Abstract: Abstract. We analyze the relation between induction, co-induction and the presence of encryption cycles in the context of computationally sound symbolic equivalence of cryptographic expressions. Our main finding is that the use of co-induction in the symbolic definition of the adversarial knowledge allows to prove soundness results without the need to require syntactic restrictions, like the absence of encryption cycles, common to most previous work in the area. Encryption cycles are relevant only to the exten… Show more

“…For these reasons, most existing computational soundness results are restricted in their assumptions, which include excluding key cycles altogether in the presence of passive adversaries [3,2,33], posing certain encryption orderings in the presence of passive-but-adaptive adversaries [40,41], and disallowing symmetric encryption in the presence of active adversaries [42,27,9,23]. As a resolution to the problems created by key cycles, Micciancio [39] proposes a coinductive method for modeling symbolic security, and obtains computational soundness in the setting of message indistinguishability for passive adversaries, while allowing key cycles and assuming only semantic security for the underlying encryption function. Coinductive symbolic security corresponds to a greatest-fixedpoint-based definition of adversarial knowledge, as opposed to the least-fixedpoint-based definition adopted by conventional inductive methods.…”

“…Coinductive symbolic security corresponds to a greatest-fixedpoint-based definition of adversarial knowledge, as opposed to the least-fixedpoint-based definition adopted by conventional inductive methods. From a cryptographic perspective, [39] implicitly characterizes a provably benign form of circular encryption, in particular the equivalence of standard security to secure encryption under a variant of the multiple-key-based game described above in which the adversary may obtain the (single or nested) encryption of any ck i under arbitrary keys, provided at least one of them is in {ck 1 , . .…”

“…, ck i−1 }, resulting in a (possibly) cyclic encryption ordering. To obtain soundness, [39] shows that for an a priori known sequence of exchanged symbolic messages (which is the case in the passive setting), one may order all coinductively irrecoverable keys from this sequence as k 1 , . .…”

“…In this paper we investigate the question left open in [39]; namely, whether a coinductive approach provides similar soundness guarantees when applied in the setting of active adversaries. We consider a symbolic/computational trace-based execution model [42], including asymmetric and symmetric encryption.…”

“…Several negative results [24,4] show certain key cycles may compromise the secrecy of their component keys, but on the positive side this problem (in a generic sense involving circular encryption) has not been considered much. Motivating the discussion, the results of [39] in the context of the above game (but where only symmetric encryption is used,) imply if all queries are made at once (i.e. nonadaptively), then any ck i , whose symbolic key k i remains coinductively irrecoverable (irrecoverable for short), even if used in key cycles, maintains computational secrecy.…”

Computational Soundness of Coinductive Symbolic Security under Active Attacks

“…For these reasons, most existing computational soundness results are restricted in their assumptions, which include excluding key cycles altogether in the presence of passive adversaries [3,2,33], posing certain encryption orderings in the presence of passive-but-adaptive adversaries [40,41], and disallowing symmetric encryption in the presence of active adversaries [42,27,9,23]. As a resolution to the problems created by key cycles, Micciancio [39] proposes a coinductive method for modeling symbolic security, and obtains computational soundness in the setting of message indistinguishability for passive adversaries, while allowing key cycles and assuming only semantic security for the underlying encryption function. Coinductive symbolic security corresponds to a greatest-fixedpoint-based definition of adversarial knowledge, as opposed to the least-fixedpoint-based definition adopted by conventional inductive methods.…”

“…Coinductive symbolic security corresponds to a greatest-fixedpoint-based definition of adversarial knowledge, as opposed to the least-fixedpoint-based definition adopted by conventional inductive methods. From a cryptographic perspective, [39] implicitly characterizes a provably benign form of circular encryption, in particular the equivalence of standard security to secure encryption under a variant of the multiple-key-based game described above in which the adversary may obtain the (single or nested) encryption of any ck i under arbitrary keys, provided at least one of them is in {ck 1 , . .…”

“…, ck i−1 }, resulting in a (possibly) cyclic encryption ordering. To obtain soundness, [39] shows that for an a priori known sequence of exchanged symbolic messages (which is the case in the passive setting), one may order all coinductively irrecoverable keys from this sequence as k 1 , . .…”

“…In this paper we investigate the question left open in [39]; namely, whether a coinductive approach provides similar soundness guarantees when applied in the setting of active adversaries. We consider a symbolic/computational trace-based execution model [42], including asymmetric and symmetric encryption.…”

“…Several negative results [24,4] show certain key cycles may compromise the secrecy of their component keys, but on the positive side this problem (in a generic sense involving circular encryption) has not been considered much. Motivating the discussion, the results of [39] in the context of the above game (but where only symmetric encryption is used,) imply if all queries are made at once (i.e. nonadaptively), then any ck i , whose symbolic key k i remains coinductively irrecoverable (irrecoverable for short), even if used in key cycles, maintains computational secrecy.…”

Computational Soundness of Coinductive Symbolic Security under Active Attacks

Symbolic Encryption with Pseudorandom Keys

SoK: Learning with Errors, Circular Security, and Fully Homomorphic Encryption