Abstract

Key-dependent message (KDM) security was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in Dolev–Yao models, i.e., symbolic abstractions of cryptography by term alge bras, and a corresponding computational soundness result was later shown by Adão et al. However, both the KDM definition and this soundness result do not allow the general active attacks typical for Dolev–Yao models or for security protocols in general. We extend these definitions to obtain a soundness result under active attacks. We first present a definition AKDM (adaptive KDM) as a KDM equivalent of authenticated symmetric encryption, i.e., it provides chosen-ciphertext security and integrity of ciphertexts for key cycles. However, this is not yet sufficient for the desired computational soundness result and thus we define DKDM (dynamic KDM) that additionally allows limited dynamic revelation of keys. We show that DKDM is sufficient for computational soundness, even in the strong sense of blackbox reactive simulatability (BRSIM)/UC and in cases with joint terms with other operators. We also build on current KDM-secure schemes to construct schemes secure under the new definitions. Moreover, we prove implications or construct separating examples, respectively, for new definitions and existing ones for symmetric encryption.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.