Ciphertext verification security of symmetric encryption schemes  被引量：4

作　　者：HU ZhenYu SUN FuChun JIANG JianChun 

机构地区：[1]National Laboratory of Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China [2]Institute of Software, Chinese Academy of Sciences, Beijing 100080, China

出　　处：《Science in China(Series F)》2009年第9期1617-1631,共15页中国科学（F辑英文版）

基　　金：the National Basic Research Program of China (Grant No. G2002cb312205)

摘　　要：This paper formally discusses the security problem caused by the ciphertext verification, presenting a new security notion named IND-CVA （indistinguishability under ciphertext verification attacks） to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA （indistinguishability under chosen-plaintext attacks） but much weaker than IND-CCA （indistin- guishability under chosen-ciphertext attacks）, and can be satisfied by most of the popular symmetric encryption schemes such as OTP （one-time-pad）, CBC （cipher block chaining） and CTR （counter）. An MAC （message authentication scheme） is usually combined with an encryption to guarantee secure communication （e.g. SSH, SSL and IPSec）. However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases.This paper formally discusses the security problem caused by the ciphertext verification, presenting a new security notion named IND-CVA （indistinguishability under ciphertext verification attacks） to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA （indistinguishability under chosen-plaintext attacks） but much weaker than IND-CCA （indistin- guishability under chosen-ciphertext attacks）, and can be satisfied by most of the popular symmetric encryption schemes such as OTP （one-time-pad）, CBC （cipher block chaining） and CTR （counter）. An MAC （message authentication scheme） is usually combined with an encryption to guarantee secure communication （e.g. SSH, SSL and IPSec）. However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases.

关 键 词：ENCRYPTION PRIVACY INTEGRITY reaction attack IND-CPA IND-CCA 

分 类 号：TP309[自动化与计算机技术—计算机系统结构] X913[自动化与计算机技术—计算机科学与技术]