
Let $G$ be a secure PRG and let $s$ be a private key. We can define $\mathrm{Enc}(s,m) = G(s)\oplus m$. As long as we know only one encrypted message this scheme is secure, since $G(s)\oplus m \sim r\oplus m \sim r$, where $r$ is a random string. I have several questions:

  • If we know two encrypted messages $G(s)\oplus m_{1}$ and $G(s)\oplus m_{2}$, then clearly we know $m_{1}\oplus m_{2}$. Does it follow that this scheme is not secure when used two times (in terms of computational indistinguishability)? We do leak $m_{1}\oplus m_{2}$, but how much information do we get?
  • Is there a way to construct a scheme, such that it is secure for one and two messages, but fails to be secure for three messages?
matheg
  • One starting point is to define what a secure encryption scheme is. This will bring more clarity to the question. And as always, a definition is just a definition, and there can be many. Some attacks are possible outside the security definition, meaning that a cryptanalytic attack may reveal weaknesses in the scheme. Speaking of which, you'll find cryptanalytic treatment of equivalent schemes on this forum if you search for two-time pad. – Marc Ilunga Jan 14 '24 at 21:43
  • @Marc Ilunga Is it true that the many-time pad is still perfectly secure? If so, does there exist a t-time key, which is secure, but not secure for t+1 times? When I say secure I mean that $\mathrm{Enc}(k,x_{n}^{1}),\ldots,\mathrm{Enc}(k,x_{n}^{q(n)})$ are computationally indistinguishable from $\mathrm{Enc}(k,y_{n}^{1}),\ldots,\mathrm{Enc}(k,y_{n}^{q(n)})$ for any polynomials $p,q$ and for any sequences $\{x_{n}\},\{y_{n}\}$ of words of length $p(n)$ – matheg Jan 14 '24 at 22:24
  • Of course, we should suppose that there exists a secure poly-time encrypting algorithm (meaning that knowing a polynomial number of encrypted messages doesn't leak anything in the above sense) – matheg Jan 14 '24 at 23:23
  • Ok so, from your first comment, your notion of security is indistinguishability (without further encryption queries). Now, in such notions the adversary is allowed to choose the pairs $(x_n, y_n)$. Can you see how the proposed scheme is broken in this case, according to the definition? – Marc Ilunga Jan 14 '24 at 23:41
  • I guess we can take $x_{n}^{1} = 0^{n},\; x_{n}^{2} = 1^{n}$ and $y_{n}^{1} = 1^{n},\; y_{n}^{2} = 1^{n}$, so $(k\oplus x_{n}^{1},k\oplus x_{n}^{2}) = (k,\overline{k})$ and $(k\oplus y_{n}^{1},k\oplus y_{n}^{2}) = (\overline{k},\overline{k})$ and these are clearly distinguishable, since always $k\neq \overline{k}$ – matheg Jan 14 '24 at 23:55
  • Indeed, this attack breaks the claimed security property of this encryption. In general, a scheme that is deterministic fails to achieve this notion. Furthermore, this isn't just about breaking some security definition, practical attacks on a similar scheme are detailed here: https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse – Marc Ilunga Jan 15 '24 at 13:25
  • So, the presented scheme is one-time secure (again, in the sense of indistinguishability), but not two-time. How does one construct a scheme which is two-time secure, but not three? And maybe one can generalize to k-time secure, but not k+1-time? – matheg Jan 15 '24 at 19:13
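The distinguisher from the comments above, written out as an added example (not code from the question or the commenters): the key-stream scheme $\mathrm{Enc}(s,m)=G(s)\oplus m$ is instantiated with a stand-in PRG built from SHA-256 in counter mode (an assumption for the demo, not a proof-grade PRG), and the adversary submits the pair $(0^n, 1^n)$ against $(1^n, 1^n)$. Because the two ciphertexts leak $m_1 \oplus m_2$, the adversary just checks whether the ciphertexts differ in every bit, and its advantage is exactly 1 over any number of fresh keys.

```python
import hashlib
import os


def prg(seed: bytes, n: int) -> bytes:
    """Stand-in for G: SHA-256 over (seed || counter), truncated to n bytes.
    Assumption for this demo only; any PRG gives the same attack."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(seed: bytes, m: bytes) -> bytes:
    """Enc(s, m) = G(s) xor m, the deterministic scheme from the question.
    Reusing s for two messages leaks m1 xor m2 = c1 xor c2."""
    return xor(prg(seed, len(m)), m)


def distinguisher(c1: bytes, c2: bytes) -> int:
    """Outputs 1 when the pair looks like (Enc(k, 0^n), Enc(k, 1^n)),
    i.e. the ciphertexts differ in every bit; 0 otherwise."""
    return 1 if xor(c1, c2) == b"\xff" * len(c1) else 0


def advantage(n_bytes: int = 16, trials: int = 200) -> float:
    """Pr[D = 1 | messages (0^n, 1^n)] - Pr[D = 1 | messages (1^n, 1^n)],
    averaged over fresh random keys. The leak makes this exactly 1."""
    x1, x2 = b"\x00" * n_bytes, b"\xff" * n_bytes   # adversary's first pair
    y1, y2 = b"\xff" * n_bytes, b"\xff" * n_bytes   # adversary's second pair
    hits_x = hits_y = 0
    for _ in range(trials):
        k = os.urandom(32)  # fresh key each trial; D never sees it
        hits_x += distinguisher(enc(k, x1), enc(k, x2))
        hits_y += distinguisher(enc(k, y1), enc(k, y2))
    return (hits_x - hits_y) / trials


if __name__ == "__main__":
    print("distinguishing advantage:", advantage())
```

Note that with a single ciphertext the distinguisher has nothing to compare against, which is why the scheme survives the one-message version of the definition but not the two-message one.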

1 Answer


Here is a symmetric-key encryption scheme that is secure for $t$ encryptions but not $t+1$. Suppose $\textsf{Enc}$ is a CPA-secure symmetric encryption scheme with $\lambda$-bit secret keys. We will use $\textsf{Enc}$ to construct the following scheme $\textsf{Enc}^*$:

  • The key is a vector $\langle K_0, K_1, \ldots, K_t\rangle$ where each $K_i \in \{0,1\}^\lambda$. (These can all be derived from a single, short key using a PRG, if you prefer.)
  • To encrypt a plaintext $M$:
    • Sample $R \gets \{0,1\}^\lambda$
    • Compute $U = K_0 + K_1 \cdot R + K_2 \cdot R^2 + \cdots + K_t \cdot R^t$. In other words, treat the key vector as coefficients of a degree-$t$ polynomial, and evaluate that polynomial at point $R$ (in the finite field of $2^\lambda$ elements).
    • Output ciphertext $(R, U, \textsf{Enc}(K_0, M))$.

Each $(R,U)$ is a secret share in a threshold-$t$ Shamir secret sharing scheme, and $K_0$ (used as the key for $\textsf{Enc}$) is the corresponding secret. So, given only $t$ shares, nothing is leaked about $K_0$, and the scheme inherits the CPA security of $\textsf{Enc}$. But given any $t+1$ shares (with overwhelming probability, avoiding a collision in the $R$ values), we can reconstruct $K_0$ and security is lost.

Mikero
  • What if we want the scheme to be secure in terms of indistinguishability (I provided the definition in the comments to the question)? So, if $\textbf{Enc}^{\ast}$ is secure in that sense (for polynomially many messages), will $\textbf{Enc}$ be secure for $t$ encryptions? – matheg Jan 15 '24 at 21:53
  • CPA security is stronger than your definition, so yes. – Mikero Jan 16 '24 at 00:26
  • This is a very elegant solution, and a nice application of Shamir SSS. I suppose this scheme could also be nonce-based instead? Which would remove the collision prob. from the advantage? But it's negligible anyway, and this collision would anyway be advantageous for the adversary. Anyway, this is quite refreshing compared to the usual sabotaging strategies : ) – Marc Ilunga Jan 16 '24 at 11:47
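The $t$-time scheme $\textsf{Enc}^*$ from the answer, as an added worked example (this is not the answerer's code). It evaluates the key polynomial in the field of $2^{128}$ elements (the GHASH field, reduction polynomial $x^{128}+x^7+x^2+x+1$), and stands in for the CPA-secure $\textsf{Enc}$ with a SHA-256 counter-mode stream keyed by $K_0$ under a fresh nonce (an assumption for the demo; any CPA-secure scheme works). `recover_k0` is the Lagrange interpolation at $x=0$ an adversary would run: with $t$ shares the interpolated value is unrelated to $K_0$ (any $K_0$ is consistent with $t$ points of a degree-$t$ polynomial), with $t+1$ shares it returns $K_0$ and every ciphertext decrypts. Two practical details the answer glosses over are made explicit: $R=0$ must be rejected (the share at $x=0$ is $K_0$ itself), and repeated $R$ values are the collision case the answer mentions, so interpolation refuses them.

```python
import hashlib
import os

# ---- GF(2^128): the field of 2^lambda elements with lambda = 128 ----------
REDUCTION = (1 << 128) | 0b10000111   # x^128 + x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two 128-bit field elements, reduced modulo REDUCTION."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= REDUCTION
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^128 - 2); a must be nonzero."""
    if a == 0:
        raise ZeroDivisionError("no inverse of 0 in GF(2^128)")
    result, e = 1, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def poly_eval(coeffs, x: int) -> int:
    """U = K_0 + K_1 x + ... + K_t x^t in GF(2^128), Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


# ---- Stand-in for the CPA-secure Enc (assumption: SHA-256 counter-mode stream) ----
def _xor_stream(key: int, nonce: bytes, data: bytes) -> bytes:
    kb = key.to_bytes(16, "big")
    out = bytearray()
    block = b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(kb + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def enc_inner(key: int, msg: bytes):
    nonce = os.urandom(16)           # fresh nonce per call, so Enc is randomized
    return nonce, _xor_stream(key, nonce, msg)


def dec_inner(key: int, nonce: bytes, ct: bytes) -> bytes:
    return _xor_stream(key, nonce, ct)


# ---- The t-time scheme Enc* ---------------------------------------------
def keygen(t: int):
    """Key vector <K_0, ..., K_t>, each a uniform 128-bit field element."""
    return [int.from_bytes(os.urandom(16), "big") for _ in range(t + 1)]


def enc_star(key, msg: bytes):
    """Ciphertext (R, U, Enc(K_0, M)); (R, U) is one Shamir share of K_0."""
    r = 0
    while r == 0:                     # R = 0 would publish U = K_0 directly
        r = int.from_bytes(os.urandom(16), "big")
    nonce, ct = enc_inner(key[0], msg)
    return r, poly_eval(key, r), nonce, ct


def recover_k0(shares) -> int:
    """Lagrange interpolation at x = 0 over (R_i, U_i); subtraction is XOR here.
    With t+1 distinct R this is exactly K_0; with t shares it is just noise."""
    rs = [r for r, _ in shares]
    if len(set(rs)) != len(rs):
        raise ValueError("colliding R values: shares are not independent points")
    k0 = 0
    for i, (ri, ui) in enumerate(shares):
        num = den = 1
        for j, (rj, _) in enumerate(shares):
            if j != i:
                num = gf_mul(num, rj)
                den = gf_mul(den, rj ^ ri)
        k0 ^= gf_mul(ui, gf_mul(num, gf_inv(den)))
    return k0


def demo(t: int = 2):
    """Encrypt t+1 messages; report whether K_0 falls out of t and of t+1 shares."""
    key = keygen(t)
    msgs = [f"message {i}".encode() for i in range(t + 1)]   # constructed sample plaintexts
    cts = [enc_star(key, m) for m in msgs]
    shares = [(r, u) for (r, u, _, _) in cts]
    from_t = recover_k0(shares[:t])
    from_t1 = recover_k0(shares[:t + 1])
    recovered = [dec_inner(from_t1, n, c) for (_, _, n, c) in cts]
    return from_t == key[0], from_t1 == key[0], recovered == msgs


if __name__ == "__main__":
    print("t shares reveal K_0: %s, t+1 shares reveal K_0: %s, all decrypt: %s" % demo(2))
```

Running `demo(t)` for any small $t$ prints `False, True, True`: the first flag is false except with probability $2^{-128}$, which is the point of the construction.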