against chosen-plaintext and chosen-ciphertext attacks. To make life more
complicated, we have three different indistinguishability notions.
against chosen-plaintext and chosen-ciphertext attacks. To make life more
complicated, we have three different indistinguishability notions.
Now we show that we can't obtain a better reduction. Suppose that
$\mathcal{E} = (E, D)$ is $(t, q_E, q_D, \epsilon)$-secure in the FTG
Now we show that we can't obtain a better reduction. Suppose that
$\mathcal{E} = (E, D)$ is $(t, q_E, q_D, \epsilon)$-secure in the FTG
We define the scheme $\Xid{\mathcal{E}}{ECB}^E = (\Xid{E}{ECB}^E,
\Xid{D}{ECB}^E))$ by setting $\keys\Xid{\mathcal{E}}{ECB}^E = \{0, 1\}^k$
We define the scheme $\Xid{\mathcal{E}}{ECB}^E = (\Xid{E}{ECB}^E,
\Xid{D}{ECB}^E))$ by setting $\keys\Xid{\mathcal{E}}{ECB}^E = \{0, 1\}^k$
We define two schemes. Firstly, a stateful-sender scheme
$\Xid{\mathcal{E}}{CTRS}^E = (\Xid{E}{CTRS}^E, \Xid{D}{CTRS}^E))$. We set
We define two schemes. Firstly, a stateful-sender scheme
$\Xid{\mathcal{E}}{CTRS}^E = (\Xid{E}{CTRS}^E, \Xid{D}{CTRS}^E))$. We set
We write $q' = q\mu/l$ for the total number of blocks queried by the
adversary, and we restrict our attention to the case $n \le 2^l$.
We write $q' = q\mu/l$ for the total number of blocks queried by the
adversary, and we restrict our attention to the case $n \le 2^l$.
The randomized scheme $\Xid{\mathcal{E}}{CTR$\$$}^E = (\Xid{E}{CTR$\$$}^E,
\Xid{D}{CTR$\$$}^E))$ differs from the stateful scheme in the encryption
The randomized scheme $\Xid{\mathcal{E}}{CTR$\$$}^E = (\Xid{E}{CTR$\$$}^E,
\Xid{D}{CTR$\$$}^E))$ differs from the stateful scheme in the encryption
The randomized mode remains secure so long as a counter is never repeated.
This occurs with probability no greater than
The randomized mode remains secure so long as a counter is never repeated.
This occurs with probability no greater than
We define the scheme $\Xid{\mathcal{E}}{CBC}^E = (\Xid{E}{CBC}^E,
\Xid{D}{CBC}^E))$ by setting $\keys\Xid{\mathcal{E}}{CBC}^E = \{0, 1\}^k$
We define the scheme $\Xid{\mathcal{E}}{CBC}^E = (\Xid{E}{CBC}^E,
\Xid{D}{CBC}^E))$ by setting $\keys\Xid{\mathcal{E}}{CBC}^E = \{0, 1\}^k$
As before, we set $q' = q\mu/l$ as the number of blocks queried by an
adversary attacking the encryption scheme.
As before, we set $q' = q\mu/l$ as the number of blocks queried by an
adversary attacking the encryption scheme.
The initialization vector used in CBC encryption must be \emph{a priori}
unpredictable to the adversary. Suppose that $P(i)$, given an IV for a
The initialization vector used in CBC encryption must be \emph{a priori}
unpredictable to the adversary. Suppose that $P(i)$, given an IV for a
game in the definition looks very much like the forgery games we played
when we were thinking about MACs.
game in the definition looks very much like the forgery games we played
when we were thinking about MACs.
of an encryption scheme and MAC (since if they don't exist, the result is
vacuously true) and construct modified schemes whose individual security
relates tightly to the originals, but the combined scheme is weak.
of an encryption scheme and MAC (since if they don't exist, the result is
vacuously true) and construct modified schemes whose individual security
relates tightly to the originals, but the combined scheme is weak.
\ELSE \RETURN $V(x, \tau)$;
\end{program}
Here, $A$ simply simulates the environment expected by $A'$. It is clear
\ELSE \RETURN $V(x, \tau)$;
\end{program}
Here, $A$ simply simulates the environment expected by $A'$. It is clear
message. However, suppose that $A'$ returns a new tag $\tau'$ for some
old message $x$, for which the tag $\tau$ was returned by the tagging
oracle. Let $x_0$, $\tau_0$ and $\tau'_0$ be the first bits of $x$,
message. However, suppose that $A'$ returns a new tag $\tau'$ for some
old message $x$, for which the tag $\tau$ was returned by the tagging
oracle. Let $x_0$, $\tau_0$ and $\tau'_0$ be the first bits of $x$,