Cryptographic Agility and Its Relation to Circular Encryption

Abstract: Abstract. We initiate a provable-security treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weak-PRFs) are agile. The second, already posed several times in the literature, is whether every secure (IND-R) encryption… Show more

“…Thus we present a less detailed proof than that of Lemma (4). The proof of all parts of the lemma are entirely similar, so we give the proof for part (1).…”

“…Standard notions of secure encryption [32,48] ensure privacy of plaintexts chosen independently from the underlying secret key(s). It has long been known that a key encrypted under itself may no longer remain secret, and recent results [24,4] show that indeed for all k ≥ 1, k-circular security is not implied by standard security. Moreover, currently known techniques for standard security fall short when trying to prove non-trivial security statements against more adaptive adversaries.…”

“…Now we ask: if E a and E s provide IND-CCA2 security only, can we prove, at the end of the game, certain keys still maintain computational secrecy, in the sense they can securely be used in an encryption-based indistinguishability game 1 ? Several negative results [24,4] show certain key cycles may compromise the secrecy of their component keys, but on the positive side this problem (in a generic sense involving circular encryption) has not been considered much. Motivating the discussion, the results of [39] in the context of the above game (but where only symmetric encryption is used,) imply if all queries are made at once (i.e.…”

Computational Soundness of Coinductive Symbolic Security under Active Attacks

“…Thus we present a less detailed proof than that of Lemma (4). The proof of all parts of the lemma are entirely similar, so we give the proof for part (1).…”

“…Standard notions of secure encryption [32,48] ensure privacy of plaintexts chosen independently from the underlying secret key(s). It has long been known that a key encrypted under itself may no longer remain secret, and recent results [24,4] show that indeed for all k ≥ 1, k-circular security is not implied by standard security. Moreover, currently known techniques for standard security fall short when trying to prove non-trivial security statements against more adaptive adversaries.…”

“…Now we ask: if E a and E s provide IND-CCA2 security only, can we prove, at the end of the game, certain keys still maintain computational secrecy, in the sense they can securely be used in an encryption-based indistinguishability game 1 ? Several negative results [24,4] show certain key cycles may compromise the secrecy of their component keys, but on the positive side this problem (in a generic sense involving circular encryption) has not been considered much. Motivating the discussion, the results of [39] in the context of the above game (but where only symmetric encryption is used,) imply if all queries are made at once (i.e.…”

Computational Soundness of Coinductive Symbolic Security under Active Attacks

“…The notion of agility [6] considers a set of schemes, all meeting some base notion of security, and requires that security is maintained when multiple schemes use the same key. Agility is thus not a property of an individual scheme but of a set of schemes relative to some (standard) security notion.…”

“…However, the function subset {f1, f2, f3, f4, f5}, whilst distinct, all take the same key as input. Thus our requirement is that this set is "PRF Agile", where we use agile in the sense of Acar et al [6].…”

Anonymity guarantees of the UMTS/LTE authentication and connection protocol

Public‐Key Encryption and Security Notions