Cryptographic schemes are often designed as a combination of multiple component cryptographic modules. Such a combiner design is robust for a (security) specification if it meets the specification provided that a sufficient subset of the components meet their specifications. A folklore combiner for encryption is cascade, i.e. $c = E_{e_2}(E_{e_1}(m))$. We show that cascade is a robust combiner for cryptosystems under three important indistinguishability specifications: chosen plaintext attack (IND-CPA), non-adaptive chosen ciphertext attack (IND-CCA1), and replayable chosen ciphertext attack (IND-rCCA). We also show that cascade is not robust for the important specifications adaptive CCA (IND-CCA2) and generalized CCA (IND-gCCA). The IND-rCCA and IND-gCCA specifications are closely related, and this is an interesting difference between them. All specifications are defined within. We also analyze a few other basic and folklore combiners. In particular, we show that the following are robust combiners: the parallel combiner $f(x) = f_1(x) \| f_2(x)$ (concatenation) for one-way functions, the XOR-input combiner $c = (E_{e_1}(m \oplus r), E_{e_2}(r))$ for cryptosystems, and the copy combiner for integrity tasks such as Message Authentication Codes (MAC) and signature schemes. Cascade is also robust for the hiding property of commitment schemes, and the copy combiner is robust for the binding property, but neither is a robust combiner for both properties. We present (new) robust combiners for commitment schemes; these new combiners can be viewed as a composition of the cascade and the copy combiners. Our combiners are simple, efficient and practical.
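To make the cascade and XOR-input combiners concrete, and to show the IND-CCA2 versus IND-rCCA difference stated above, here is an added example in Python; it is not code from the paper. The two component "ciphers" are toy SHA-256 counter-mode constructions built only for illustration, and the second component, which carries a trailing byte that decryption ignores, is an assumed construction chosen to be malleable (so not IND-CCA2) while still hiding the plaintext. With that component as the outer layer of the cascade, a decryption oracle that refuses only the exact challenge ciphertext (the CCA2 rule) hands the attacker the challenge plaintext, while an oracle that also refuses any ciphertext decrypting to one of the two challenge messages (the rCCA rule) does not, which is exactly the gap between the two specifications.

```python
# Added illustration of the cascade and XOR-input combiners, and of the
# CCA2/rCCA difference. The component ciphers are hash-based toys built
# for this example only; they are not vetted encryption schemes.
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode; toy construction for illustration only.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


# Component 1: stream cipher with a fresh 16-byte nonce, c = nonce || (m xor KS).
def e1_gen() -> bytes:
    return os.urandom(32)


def e1_enc(k: bytes, m: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor(m, _keystream(k, nonce, len(m)))


def e1_dec(k: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    return _xor(body, _keystream(k, nonce, len(body)))


# Component 2 (assumed, malleable): same cipher, but the ciphertext carries one
# trailing byte that decryption ignores. Flipping that byte yields a different
# ciphertext with the same plaintext, so this component is not IND-CCA2.
def e2_enc(k: bytes, m: bytes) -> bytes:
    return e1_enc(k, m) + b"\x00"


def e2_dec(k: bytes, c: bytes) -> bytes:
    return e1_dec(k, c[:-1])


# Cascade combiner: c = E_{e2}(E_{e1}(m)).
def cascade_enc(k1: bytes, k2: bytes, m: bytes) -> bytes:
    return e2_enc(k2, e1_enc(k1, m))


def cascade_dec(k1: bytes, k2: bytes, c: bytes) -> bytes:
    return e1_dec(k1, e2_dec(k2, c))


# XOR-input combiner: c = (E_{e1}(m xor r), E_{e2}(r)) with r uniform.
def xorinput_enc(k1: bytes, k2: bytes, m: bytes):
    r = os.urandom(len(m))
    return e1_enc(k1, _xor(m, r)), e2_enc(k2, r)


def xorinput_dec(k1: bytes, k2: bytes, c) -> bytes:
    c1, c2 = c
    return _xor(e1_dec(k1, c1), e2_dec(k2, c2))


def roundtrip_ok(m: bytes) -> bool:
    """Both combiners decrypt correctly under fresh independent keys."""
    k1, k2 = e1_gen(), e1_gen()
    return (cascade_dec(k1, k2, cascade_enc(k1, k2, m)) == m
            and xorinput_dec(k1, k2, xorinput_enc(k1, k2, m)) == m)


def malleability_attack(rule: str) -> bool:
    """Play the chosen-ciphertext game against cascade with the malleable
    component as the outer layer.
    rule == "cca2": the oracle refuses only the exact challenge ciphertext.
    rule == "rcca": it also refuses any ciphertext decrypting to m0 or m1.
    Returns True if the attacker recovers the challenge bit."""
    k1, k2 = e1_gen(), e1_gen()
    m0, m1 = b"attack at dawn", b"attack at dusk"
    b = os.urandom(1)[0] & 1
    challenge = cascade_enc(k1, k2, m1 if b else m0)

    def oracle(c: bytes):
        if c == challenge:
            return None
        m = cascade_dec(k1, k2, c)
        if rule == "rcca" and m in (m0, m1):
            return None
        return m

    # Attacker: flip the ignored trailing byte and ask for a decryption.
    forged = challenge[:-1] + bytes([challenge[-1] ^ 0xFF])
    answer = oracle(forged)
    if answer is None:
        return False
    guess = 1 if answer == m1 else 0
    return guess == b
```

Swapping the layers (malleable component inside, sound component outside) removes this particular attack, but robustness requires security whichever component is the broken one, which is why the cascade fails the IND-CCA2 specification as a combiner while passing IND-rCCA.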
A. Herzberg / Folklore, practice and theory of robust combiners

This motivates the usage, and study, of robust combiners for cryptographic mechanisms. A robust combiner combines several cryptographic modules such that the combined mechanism is secure even if some of the modules turn out to be insecure. In particular, the robust combiner remains secure following successful cryptanalysis of some of its modules, refutation of one or a few of the assumptions underlying its security (e.g. the assumption that factoring is a hard problem), or attempts to exploit a vulnerability in some of the modules due to implementation errors, design errors, or even an intentional trapdoor in the design or implementation. Using a robust combiner does not guarantee security; however, it would hopefully provide sufficient advance-warning time to replace the broken cryptographic modules.

Many cryptographic systems combine redundant components in the hope of achieving robustness (tolerance). There are several known (often folklore) combiners of cryptographic modules, often with the stated or implicit goal of achieving robustness (tolerance) or even improving security. Possibly the most well known combiner is the cascade combiner, applied e.g. to block ciphers and encryption schemes. Cascading of cryptosystems and ciphers has been a common practice in cryptography for hundreds of years. However, there were not many publications, prior to this work, an...