SimulatableChannels - AsiacryptSimulatableChannels: Extended Security that is Universally Composable...

Simulatable Channels:Extended Security that is Universally Composable

and Easier to Prove.

ASIACRYPT 2018

M. FischlinJ. P. Degabriele

1

What this talk is about…

• We propose and explore new security definitions for symmetricencryption based on simulation.

• Our primary focus is on secure channels rather than nonce-basedencryption but it could be adapted to the latter.

• Conceptually interesting, non-trivial to formalise, allow simplerproofs, and imply universal composability.

2

Outline of this talk

• Background and Motivation

• The New Definitions and Relations

• SSH-CTR and Universal Composability

3

Background and Motivation

4

Extensions of Symmetric Encryption

• Stateful Security: protects against replay and reordering ofciphertexts [BKN02, KPB03, BHMS16].

• Leakage From Invalid Ciphertexts: protects against multipleerrors, release of unverified plaintext, and other forms of leakage[BDPS13, ABLMMY14, HKR14, BPS15].

• Encryption Supporting Fragmentation: encryption operatingover channels which may deliver ciphertexts in a fragmentedfashion [PW10, BDPS12, FGMP15, ADHP16].

5

The Price We Pay…

6

Compare to Nonce-based Encryption

• For nonce-based encryption, IND$-CPA and nAE are the securitynotions of choice.

• Conceptually simpler, easier to prove, and stronger security.

• Inapplicable to channels due to specially formatted ciphertexts,multiple errors, and don’t support fragmentation.

• Can IND$-CPA and nAE be generalized to more complex settings?

7IND$-CPA nAEA

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AAAB8nicbVA9SwNBEJ3zM55fUUubxSBYhTsbbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPhh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm55b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUUrDBPcFixnBxkpBJ8FmQDDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/kk8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM44MhIV96MeU5QYPrIEE8VsVkQGWGFi7Jdc+wR//uRF0jyt+l7Vv/MqtWuYogSHcAQn4MMZ1OAW6tAAAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA==</latexit><latexit sha1_base64="fbCHEFfi3oPmznn90JPU1PpoQqo=">AAAB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AAAB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX88G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm88gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICCgmd4hTcHnRfn3flYjFaccucY/sD5/AFvDpFT</latexit>

EK(·)<latexit sha1_base64="0rtwkuk8resCpcvauL8ag73Ipio=">AAAB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7osiiC4qWAf0IQwmUzboZNJmJkINRR/pRsXirj1P9z5N07aLrT1wMDhnHu5Z06QMCqVbX8bhZXVtfWN4mZpa3tnd8/cP2jJOBWYNHHMYtEJkCSMctJUVDHSSQRBUcBIOxhe5377kQhJY/6gRgnxItTntEcxUlryzSM3QmqAEctuxv5d1cVhrE59s2LX7CmsZeLMSaVeds8mANDwzS83jHEaEa4wQ1J2HTtRXoaEopiRcclNJUkQHqI+6WrKUUSkl03Tj60TrYRWLxb6cWVN1d8bGYqkHEWBnsyzykUvF//zuqnqXXoZ5UmqCMezQ72UWSq28iqskAqCFRtpgrCgOquFB0ggrHRhJV2Cs/jlZdI6rzl2zbnXbVzBDEU4hjJUwYELqMMtNKAJGJ5gAq/wZjwbL8a78TEbLRjznUP4A+PzBw60lmw=</latexit><latexit sha1_base64="tCcEX2Wi24AgEOxZt8WcZ3jAQ/E=">AAAB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7osiiC4qWAf0IQwmUzaoZNMmJkIMRR/wg9w40IRt/6Hu/6Nk7YLrR4YOJxzL/fM8RNGpbKsiVFaWl5ZXSuvVzY2t7Z3zN29juSpwKSNOeOi5yNJGI1JW1HFSC8RBEU+I11/dFn43XsiJOXxncoS4kZoENOQYqS05JkHToTUECOWX429m7qDA66OPbNmNawp4F9iz0mtWXVOnibNrOWZX07AcRqRWGGGpOzbVqLcHAlFMSPjipNKkiA8QgPS1zRGEZFuPk0/hkdaCWDIhX6xglP150aOIimzyNeTRVa56BXif14/VeG5m9M4SRWJ8exQmDKoOCyqgAEVBCuWaYKwoDorxEMkEFa6sIouwV788l/SOW3YVsO+1W1cgBnK4BBUQR3Y4Aw0wTVogTbA4AE8g1fwZjwaL8a78TEbLRnznX3wC8bnNxgel/I=</latexit><latexit sha1_base64="chCBvIZpOxOC+lpqXgz2RhVkUfI=">AAAB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRBMFNBfuAJoTJZNIOncyEmYlQQ/FX3LhQxK3/4c6/cdJmoa0HBg7n3Ms9c8KUUaUd59taWl5ZXVuvbFQ3t7Z3du29/Y4SmcSkjQUTshciRRjlpK2pZqSXSoKSkJFuOLoq/O4DkYoKfq/HKfETNOA0phhpIwX2oZcgPcSI5deT4Lbu4Ujo08CuOQ1nCrhI3JLUQIlWYH95kcBZQrjGDCnVd51U+zmSmmJGJlUvUyRFeIQGpG8oRwlRfj5NP4EnRolgLKR5XMOp+nsjR4lS4yQ0k0VWNe8V4n9eP9PxhZ9TnmaacDw7FGcMagGLKmBEJcGajQ1BWFKTFeIhkghrU1jVlODOf3mRdM4artNw75xa87KsowKOwDGoAxecgya4AS3QBhg8gmfwCt6sJ+vFerc+ZqNLVrlzAP7A+vwB/CaU4w==</latexit>

$(·)<latexit sha1_base64="wAaWJAREnXWA/0As7em8yUePHpE=">AAAB8HicbVDLSgNBEOyNrxhfUY9ehkQhIoRdL3oMevEYwTwku4TZ2dlkyMzsMjMrhCVf4cWDol79HG/+jZPHQaMFDUVVN91dYcqZNq775RRWVtfWN4qbpa3tnd298v5BWyeZIrRFEp6obog15UzSlmGG026qKBYhp51wdD31Ow9UaZbIOzNOaSDwQLKYEWysdO8f13wSJea0X666dXcG9Jd4C1JtVPyzNwBo9suffpSQTFBpCMda9zw3NUGOlWGE00nJzzRNMRnhAe1ZKrGgOshnB0/QiVUiFCfKljRopv6cyLHQeixC2ymwGeplbyr+5/UyE18GOZNpZqgk80VxxpFJ0PR7FDFFieFjSzBRzN6KyBArTIzNqGRD8JZf/kva53XPrXu3No0rmKMIR1CBGnhwAQ24gSa0gICAR3iGF0c5T86r8z5vLTiLmUP4BefjG8G5kTA=</latexit><latexit sha1_base64="kvQbR64bC6S3d89fMu3KEMlKz7A=">AAAB8HicbVDLSsNAFJ3UV62vqks3Q6tQEUriRpdFNy4r2Ic0oUwmk3boPMLMRAihX6ELF4q49XPc9W+cPhbaeuDC4Zx7ufeeMGFUG9edOIW19Y3NreJ2aWd3b/+gfHjU1jJVmLSwZFJ1Q6QJo4K0DDWMdBNFEA8Z6YSj26nfeSJKUykeTJaQgKOBoDHFyFjp0T+t+TiS5rxfrrp1dwa4SrwFqTYq/sXLpJE1++VvP5I45UQYzJDWPc9NTJAjZShmZFzyU00ShEdoQHqWCsSJDvLZwWN4ZpUIxlLZEgbO1N8TOeJaZzy0nRyZoV72puJ/Xi818XWQU5Gkhgg8XxSnDBoJp9/DiCqCDcssQVhReyvEQ6QQNjajkg3BW355lbQv655b9+5tGjdgjiI4ARVQAx64Ag1wB5qgBTDg4Bm8gXdHOa/Oh/M5by04i5lj8AfO1w/LI5K2</latexit><latexit sha1_base64="gnMABHM74XK8Olxb3FDm3ImjLs8=">AAAB8HicbVA9T8MwEL2Ur1K+CowsFgWpLFXCAmMFC2OR6AdqospxnNaqHUe2g1RF/RUsDCDEys9h49/gthmg5UknPb13p7t7YcqZNq777ZTW1jc2t8rblZ3dvf2D6uFRR8tMEdomkkvVC7GmnCW0bZjhtJcqikXIaTcc38787hNVmsnkwUxSGgg8TFjMCDZWevTP6j6JpLkYVGtuw50DrRKvIDUo0BpUv/xIkkzQxBCOte57bmqCHCvDCKfTip9pmmIyxkPatzTBguognx88RedWiVAsla3EoLn6eyLHQuuJCG2nwGakl72Z+J/Xz0x8HeQsSTNDE7JYFGccGYlm36OIKUoMn1iCiWL2VkRGWGFibEYVG4K3/PIq6Vw2PLfh3bu15k0RRxlO4BTq4MEVNOEOWtAGAgKe4RXeHOW8OO/Ox6K15BQzx/AHzucPrzqPpw==</latexit>

DK(·)<latexit sha1_base64="TYEn3fxIJcDW0Yj5CtubMm95FCU=">AAAB/XicbVDLSsNAFL2pr1pf8bFzE1qEilASN7os6kJwU8E+oAlhMpm2QyeTMDMRaij+SjcuFHHrf7jzb5y0XWjrgYHDOfdyz5wgYVQq2/42Ciura+sbxc3S1vbO7p65f9CScSowaeKYxaITIEkY5aSpqGKkkwiCooCRdjC8zv32IxGSxvxBjRLiRajPaY9ipLTkm0duhNQAI5bdjP27qovDWJ36ZsWu2VNYy8SZk0q97J5NAKDhm19uGOM0IlxhhqTsOnaivAwJRTEj45KbSpIgPER90tWUo4hIL5umH1snWgmtXiz048qaqr83MhRJOYoCPZlnlYteLv7ndVPVu/QyypNUEY5nh3ops1Rs5VVYIRUEKzbSBGFBdVYLD5BAWOnCSroEZ/HLy6R1XnPsmnOv27iCGYpwDGWoggMXUIdbaEATMDzBBF7hzXg2Xox342M2WjDmO4fwB8bnDw0mlms=</latexit><latexit sha1_base64="yOmxWOF+TZC/1xTTnXTGrjMijB4=">AAAB/XicbVDLSsNAFJ3UV62v+Ni5GVqEilASN7os6kJwU8E+oAlhMpm0QyeZMDMRYij+hB/gxoUibv0Pd/0bJ20XWj0wcDjnXu6Z4yeMSmVZE6O0tLyyulZer2xsbm3vmLt7HclTgUkbc8ZFz0eSMBqTtqKKkV4iCIp8Rrr+6LLwu/dESMrjO5UlxI3QIKYhxUhpyTMPnAipIUYsvxp7N3UHB1wde2bNalhTwL/EnpNas+qcPE2aWcszv5yA4zQiscIMSdm3rUS5ORKKYkbGFSeVJEF4hAakr2mMIiLdfJp+DI+0EsCQC/1iBafqz40cRVJmka8ni6xy0SvE/7x+qsJzN6dxkioS49mhMGVQcVhUAQMqCFYs0wRhQXVWiIdIIKx0YRVdgr345b+kc9qwrYZ9q9u4ADOUwSGogjqwwRlogmvQAm2AwQN4Bq/gzXg0Xox342M2WjLmO/vgF4zPbxaQl/E=</latexit><latexit sha1_base64="JjpN+gTLRwz/DiCd6uz9DPEgmQQ=">AAAB/XicbVDLSsNAFJ34rPUVHzs3g0Wom5K40WVRF4KbCvYBTQiTyaQdOpkJMxOhhuKvuHGhiFv/w51/46TNQlsPDBzOuZd75oQpo0o7zre1tLyyurZe2ahubm3v7Np7+x0lMolJGwsmZC9EijDKSVtTzUgvlQQlISPdcHRV+N0HIhUV/F6PU+InaMBpTDHSRgrsQy9BeogRy68nwW3dw5HQp4FdcxrOFHCRuCWpgRKtwP7yIoGzhHCNGVKq7zqp9nMkNcWMTKpepkiK8AgNSN9QjhKi/HyafgJPjBLBWEjzuIZT9fdGjhKlxkloJousat4rxP+8fqbjCz+nPM004Xh2KM4Y1AIWVcCISoI1GxuCsKQmK8RDJBHWprCqKcGd//Ii6Zw1XKfh3jm15mVZRwUcgWNQBy44B01wA1qgDTB4BM/gFbxZT9aL9W59zEaXrHLnAPyB9fkD+piU4g==</latexit>

?(·)<latexit sha1_base64="vrLzqGHTnv+nej60jLWmmgjXGLU=">AAAB8nicbVDLSsNAFL3xWeur6tJNaBEqQknc6LLoxmUF+4AklMlk0g6dZMLMjVBCP8ONCx+49Wvc+TdOHwttPXDhcM693HtPmAmu0XG+rbX1jc2t7dJOeXdv/+CwcnTc0TJXlLWpFFL1QqKZ4ClrI0fBepliJAkF64aj26nffWRKc5k+4DhjQUIGKY85JWgkzw8l1n0aSTzvV2pOw5nBXiXugtSaVf/iDQBa/cqXH0maJyxFKojWnutkGBREIaeCTcp+rllG6IgMmGdoShKmg2J28sQ+M0pkx1KZStGeqb8nCpJoPU5C05kQHOplbyr+53k5xtdBwdMsR5bS+aI4FzZKe/q/HXHFKIqxIYQqbm616ZAoQtGkVDYhuMsvr5LOZcN1Gu69SeMG5ijBKVShDi5cQRPuoAVtoCDhCV7g1ULr2Xq3Puata9Zi5gT+wPr8AcuXkmU=</latexit><latexit sha1_base64="y3fB8khcv+DKumfMr5p9yjvZaTE=">AAAB8nicbVDLSsNAFJ3UV62vqks3Q4tQEUriRpdFNy4r2AckoUwmk3boJBNmboQQ+he6caGIW7/GXf/G6WOhrQcuHM65l3vvCVLBNdj21CptbG5t75R3K3v7B4dH1eOTrpaZoqxDpZCqHxDNBE9YBzgI1k8VI3EgWC8Y38383hNTmsvkEfKU+TEZJjzilICRXC+Q0PBoKOFiUK3bTXsOvE6cJam3at7l87SVtwfVby+UNItZAlQQrV3HTsEviAJOBZtUvEyzlNAxGTLX0ITETPvF/OQJPjdKiCOpTCWA5+rviYLEWudxYDpjAiO96s3E/zw3g+jGL3iSZsASulgUZQKDxLP/ccgVoyByQwhV3NyK6YgoQsGkVDEhOKsvr5PuVdOxm86DSeMWLVBGZ6iGGshB16iF7lEbdRBFEr2gN/RugfVqfVifi9aStZw5RX9gff0A1QGT6w==</latexit><latexit sha1_base64="Q5DvWNGTG5Q+1tt6IsQ5fKlcJVo=">AAAB8nicbVBNS8NAEN3Ur1q/qh69LBahXkriRY9FLx4r2A9IQtlsNu3SzW7YnQgl9Gd48aCIV3+NN/+N2zYHbX0w8Hhvhpl5USa4Adf9diobm1vbO9Xd2t7+weFR/fikZ1SuKetSJZQeRMQwwSXrAgfBBplmJI0E60eTu7nff2LacCUfYZqxMCUjyRNOCVjJDyIFzYDGCi6H9YbbchfA68QrSQOV6AzrX0GsaJ4yCVQQY3zPzSAsiAZOBZvVgtywjNAJGTHfUklSZsJicfIMX1glxonStiTghfp7oiCpMdM0sp0pgbFZ9ebif56fQ3ITFlxmOTBJl4uSXGBQeP4/jrlmFMTUEkI1t7diOiaaULAp1WwI3urL66R31fLclvfgNtq3ZRxVdIbOURN56Bq10T3qoC6iSKFn9IreHHBenHfnY9laccqZU/QHzucPuRiQ3A==</latexit>

A<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AAAB8nicbVA9SwNBEJ3zM55fUUubxSBYhTsbbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPhh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm55b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUUrDBPcFixnBxkpBJ8FmQDDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/kk8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM44MhIV96MeU5QYPrIEE8VsVkQGWGFi7Jdc+wR//uRF0jyt+l7Vv/MqtWuYogSHcAQn4MMZ1OAW6tAAAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA==</latexit><latexit sha1_base64="fbCHEFfi3oPmznn90JPU1PpoQqo=">AAAB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AAAB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX88G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm88gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICCgmd4hTcHnRfn3flYjFaccucY/sD5/AFvDpFT</latexit>


$(·)<latexit sha1_base64="wAaWJAREnXWA/0As7em8yUePHpE=">AAAB8HicbVDLSgNBEOyNrxhfUY9ehkQhIoRdL3oMevEYwTwku4TZ2dlkyMzsMjMrhCVf4cWDol79HG/+jZPHQaMFDUVVN91dYcqZNq775RRWVtfWN4qbpa3tnd298v5BWyeZIrRFEp6obog15UzSlmGG026qKBYhp51wdD31Ow9UaZbIOzNOaSDwQLKYEWysdO8f13wSJea0X666dXcG9Jd4C1JtVPyzNwBo9suffpSQTFBpCMda9zw3NUGOlWGE00nJzzRNMRnhAe1ZKrGgOshnB0/QiVUiFCfKljRopv6cyLHQeixC2ymwGeplbyr+5/UyE18GOZNpZqgk80VxxpFJ0PR7FDFFieFjSzBRzN6KyBArTIzNqGRD8JZf/kva53XPrXu3No0rmKMIR1CBGnhwAQ24gSa0gICAR3iGF0c5T86r8z5vLTiLmUP4BefjG8G5kTA=</latexit><latexit sha1_base64="kvQbR64bC6S3d89fMu3KEMlKz7A=">AAAB8HicbVDLSsNAFJ3UV62vqks3Q6tQEUriRpdFNy4r2Ic0oUwmk3boPMLMRAihX6ELF4q49XPc9W+cPhbaeuDC4Zx7ufeeMGFUG9edOIW19Y3NreJ2aWd3b/+gfHjU1jJVmLSwZFJ1Q6QJo4K0DDWMdBNFEA8Z6YSj26nfeSJKUykeTJaQgKOBoDHFyFjp0T+t+TiS5rxfrrp1dwa4SrwFqTYq/sXLpJE1++VvP5I45UQYzJDWPc9NTJAjZShmZFzyU00ShEdoQHqWCsSJDvLZwWN4ZpUIxlLZEgbO1N8TOeJaZzy0nRyZoV72puJ/Xi818XWQU5Gkhgg8XxSnDBoJp9/DiCqCDcssQVhReyvEQ6QQNjajkg3BW355lbQv655b9+5tGjdgjiI4ARVQAx64Ag1wB5qgBTDg4Bm8gXdHOa/Oh/M5by04i5lj8AfO1w/LI5K2</latexit><latexit sha1_base64="gnMABHM74XK8Olxb3FDm3ImjLs8=">AAAB8HicbVA9T8MwEL2Ur1K+CowsFgWpLFXCAmMFC2OR6AdqospxnNaqHUe2g1RF/RUsDCDEys9h49/gthmg5UknPb13p7t7YcqZNq777ZTW1jc2t8rblZ3dvf2D6uFRR8tMEdomkkvVC7GmnCW0bZjhtJcqikXIaTcc38787hNVmsnkwUxSGgg8TFjMCDZWevTP6j6JpLkYVGtuw50DrRKvIDUo0BpUv/xIkkzQxBCOte57bmqCHCvDCKfTip9pmmIyxkPatzTBguognx88RedWiVAsla3EoLn6eyLHQuuJCG2nwGakl72Z+J/Xz0x8HeQsSTNDE7JYFGccGYlm36OIKUoMn1iCiWL2VkRGWGFibEYVG4K3/PIq6Vw2PLfh3bu15k0RRxlO4BTq4MEVNOEOWtAGAgKe4RXeHOW8OO/Ox6K15BQzx/AHzucPrzqPpw==</latexit>

New Definitions and Relations

8

Syntax

• We consider two types of encryption schemes:

• Atomic: ! ← ℰ$(&) ; ((,&) ← *$(!)-where ( ∈ {⊤, ⊥} and & corresponds respectively to a message or a

leakage string.

• Supporting Ciphertext Fragmentation:

! ← ℰ$(&) ; (0,&0 … ((2,&2) ← *$(3)-where 4 ∈ {0,1,2, … }.

9

Encryption Simulatability (ES)

• IND$ can be viewed as requiring encryption to be simulatable, wherein this case the simulator is of a specific type.

• Then a natural generalization is to require the existence of an efficientsimulator ! such that "[$ℰ& ⋅ ⇒ 1] − "[$, ⋅ ⇒ 1] ≤ . .

• However this does not quite work, encryption could leak the messageand still be simulatable!

• Replacing ,(⋅) with ,(| ⋅ |) solves the issue.

10

Encryption Simulatability (ES)

IND$-CPA ⟹ ES ⟺ IND-CPA

• For any IND-CPA scheme, we can let # ℓ = ℰ'((*ℓ) for a key ',sampled independently (simulator is stateful).

• However the equivalence does not extend to chosen-ciphertext security:

ES-CCA ⟸ IND-CCA

• If we further require the simulator to be stateless we get key-privacy.

ES ∧ Stateless(#) ⟹ KP-CPA

11

Decryption Simulatability (DS)

• Similarly, we can consider a notion where we require decryption tobe simulatable.

• Then DS requires the existence of an efficient simulator ! such that"[$ℰ& ⋅ ,)& ⋅ ⇒ 1] − "[$ℰ& ⋅ ,. ⋅ ⇒ 1] ≤ 0 .

• To be satisfiable, we need, as usual, to suppress/prohibit queries fromℰ1 ⋅ to . ⋅ .

• Alternatively, in this case, we can give the simulator access to atranscript of the encryption queries.

12

Decryption Simulatability (DS)

• Intuitively, the information in the transcript is already known to theadversary and should not degrade security.

• However, if ! is given unrestricted access to the transcript then

IND-CPA ⋀ DS ⟹ IND-CCA.

13

S(·)<latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AAAB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJJUBww0g+mN4XffyRSUcEf9CwhfozGnEYUI22kkV33YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit><latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AAAB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJJUBww0g+mN4XffyRSUcEf9CwhfozGnEYUI22kkV33YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit><latexit sha1_base64="oMxs8D4Zg5uN8PE4sJitHjc1naE=">AAAB+3icbVDLSsNAFJ3UV62vWJduBotQNyURQZdFNy4r2gc0oUwmk3boZCbMTMQS8ituXCji1h9x5984abPQ1gMDh3Pu5Z45QcKo0o7zbVXW1jc2t6rbtZ3dvf0D+7DeUyKVmHSxYEIOAqQIo5x0NdWMDBJJUBww0g+mN4XffyRSUcEf9CwhfozGnEYUI22kkV33YqQnGLHsPm96OBT6bGQ3nJYzB1wlbkkaoERnZH95ocBpTLjGDCk1dJ1E+xmSmmJG8pqXKpIgPEVjMjSUo5goP5tnz+GpUUIYCWke13Cu/t7IUKzULA7MZJFULXuF+J83THV05WeUJ6kmHC8ORSmDWsCiCBhSSbBmM0MQltRkhXiCJMLa1FUzJbjLX14lvfOW67Tcu4tG+7qsowqOwQloAhdcgja4BR3QBRg8gWfwCt6s3Hqx3q2PxWjFKneOwB9Ynz+5IJQ3</latexit>

W<latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit>


A<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AAAB8nicbVA9SwNBEJ3zM55fUUubxSBYhTsbbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPhh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm55b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUUrDBPcFixnBxkpBJ8FmQDDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/kk8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM44MhIV96MeU5QYPrIEE8VsVkQGWGFi7Jdc+wR//uRF0jyt+l7Vv/MqtWuYogSHcAQn4MMZ1OAW6tAAAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA==</latexit><latexit sha1_base64="fbCHEFfi3oPmznn90JPU1PpoQqo=">AAAB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AAAB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX88G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm88gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICCgmd4hTcHnRfn3flYjFaccucY/sD5/AFvDpFT</latexit>

T<latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit>

• Problem: The simulator can use thetranscript to answer queries notin the transcript!

• Solution: Control the simulator’saccess to the transcript via a fixedwrapper algorithm$.

Relations Between ES and DS

• As desired, DS reduces chosen-ciphertext security to chosen-plaintext security:

IND-CPA ∧DS ⟹ IND-CCA

where an ES version also holds.

• On the other hand:

IND-CCA⟹ DS but ES-CCA ⟹ DS

thereby establishing a relation between encryption simulatabilityand decryption simulatability.

14

DS and Ciphertext Integrity

• We can formulate ciphertext integrity as a special case of decryptionsimulatability by imposing an extra requirement on the simulator.

• Informally, a scheme is DS-I secure if it is DS secure, and thesimulator ! always returns outputs "# $%& #"'( (⊥,,).

• Thus if a scheme is shown to be DS, ciphertext integrity followssimply from the design of the simulator.

• As expected, it can be shown that:

DS-I ⟹ INT-CTXT

15

Combining ES and DS-I

• We can now combine encryption simulatability and decryptionsimulatability into a single notion (ES ∧ DS-I).

• ∃#$, #&∀( it holds )[(ℰ, ⋅ ,., ⋅ ⇒ 1]−)[(#3 |⋅| ,5[#6] ⋅ ⇒ 1] ≤ 8 .

• Intuitively it says that oracle access to the channel provides noadditional computational abilities to the adversary.

• It’s an IND-CCA/AE type of definition with no prohibited queries!

16

The Case of SSH

17

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

SequenceNumber 4

PacketLength 4

PadLen 1

Padding≥4

• Encode-then-Encrypt&MAC construction.

• Decryption: (a) decrypt the Packet Length field,(b) wait until that many bytes are received,(c) resume decrypting the rest of the ciphertext.

SSH Cannot Satisfy ES ∧ DS-I

• Problem: In the fragmentation setting "# needs to identify ciphertextboundaries in order to determine when to return an output.

• At the same time, for "$ to be a good simulator the contents of thelength field should remain hidden (if the encryption is good).

• Solution: Let "$ and "# share randomness or memory.

• We go a step further and replace them with a single simulator(with an encryption interface and a decryption interface).

18

Channel Simulatability

• This leads us to the following definition:

∃"∀$ such that +[$ℰ. ⋅ ,1. ⋅ ⇒ 1]−+[$" 6,|⋅| ,8["] 9,⋅ ⇒ 1] ≤ ; .

• Satisfiable by a larger class of schemes while retaining all thenice properties of ES ∧ DS-I.

CS-I ⟹ IND-CCA, INT-CTXT

• New proof goal: transform the scheme, through a sequence of gamehops, into an algorithm devoid of the secret key and the message.

19

SSH-CTR and Universal Composability

20

21

alg. SSH-CTR-EK(m)

1 : parse K as (Ke, Km, IV )2 : if e-seqnr = 03 : e-ctr Ω IV // initialise on first call

4 : mlen Ω |m|B

5 : // calculate padding length

6 : padlen Ω blocksize ≠ (5 + mlen)%blocksize7 : if padlen < 48 : padlen Ω padlen + blocksize9 : // encode the message

10 : pad ⌘ {0, 1}padlen·8

11 : len Ω 1 + mlen + padlen12 : ptxt Ω ÈlenÍ32 Î ÈpadlenÍ8 Î m Î pad13 : // encrypt and mac

14 : · Ω MAC(Km, Èe-seqnrÍ32 Î ptxt)15 : z Ω Á

16 : while |z| < |ptxt|17 : z Ω z Î BC(Ke, e-ctr)18 : e-ctr Ω e-ctr + 119 : c Ω (ptxt ü z) Î ·

20 : e-seqnr Ω e-seqnr + 121 : return c

alg. SSH-CTR-DK(f)

1 : parse K as (Ke, Km, IV )2 : if d-seqnr = 0 · – = Á

3 : d-ctr Ω IV // initialise on first call

4 : if closed5 : out Ω (‹, CONN_CLOSED); break6 : – Ω – Î f ; out Ω Á // update bu�er and reset output

7 : while (true) // process bu�er (–)

8 : if |–|B < blocksize9 : break // first ciphertext block is incomplete

10 : // decrypt first ciphertext block

11 : ptxtÕΩ –[1, blocksize] ü BC(Ke, d-ctr)

12 : d-ctr Ω d-ctr + 113 : clen Ω ÈptxtÕ[1, 32]Í≠1 + 4 + macsize14 : inRange Ω (16 + macsize Æ clen Æ 35000)15 : isMult Ω ((clen ≠ macsize)%blocksize ”= 0)16 : if ¬ inRange ‚ isMult // validate length

17 : out Ω out Î (‹, INVALID_LENGTH)18 : closed Ω true; break19 : if |–|B < clen20 : break // wait to complete ciphertext

21 : z Ω Á // decrypt and verify mac

22 : while |z| < (clen ≠ blocksize ≠ macsize)23 : z Ω z Î BC(Ke, e-ctr)24 : d-ctr Ω d-ctr + 125 : ptxtÕ

Ω ptxtÕÎ z ü –[blocksize + 1, clen ≠ macsize]B

26 : · ÕΩ –[clen ≠ macsize + 1, clen]B

27 : – Ω –[clen + 1, ú]B // remove decrypted ciphertext

28 : if · Õ”= MAC(Km, Èd-seqnrÍ32 Î ptxtÕ)

29 : out Ω out Î (‹, INVALID_MAC)30 : closed Ω true; break31 : padlen Ω ÈptxtÕ[5, 5]BÍ

≠1 // validate padding length

32 : mlenÕΩ clen ≠ padlen ≠ 4 ≠ 1 ≠ macsize

33 : if (mlenÕ > 32789) ‚ (mlenÕ < 1)34 : out Ω out Î (‹, INVALID_PAD_LENGTH)35 : closed Ω true; break36 : mÕ

Ω ptxtÕ[6, clen ≠ macsize ≠ padlen]B37 : out Ω out Î (€, mÕ)38 : d-seqnr Ω d-seqnr + 139 : return out

Fig. 6: The SSH-CTR scheme based on Dropbear’s implementation.36

• SSH-CTR in OpenSSH wasanalysed in [PW10] using adifferent security modelsupporting fragmentation.

• We provide a considerablysimpler proof showing thatSSH-CTR is CS-I secure.

• Corollary: SSH-CTR isuniversally composable.

UC Secure Channel [CK02]

22

[Channel]P1 P2mm

|m| deliver

Sim

Env

ℱSC [CE]

ℱSC

(EstCh,sid,P1,P2)

Ideal World(without corruptions)

Compare to Channel Simulatability

23A

<latexit sha1_base64="UpkVrI1pixmFtBfzMYKGSAqLG8M=">AAAB8nicbVA9SwNBEJ3zM55fUUubxSBYhTsbbcSojWUE8wGXI+xt9pIle7vH7p4QjoB/wsZCEVv/h72d/8a9JIUmPhh4vDfDvJko5Uwbz/t2lpZXVtfWSxvu5tb2zm55b7+pZaYIbRDJpWpHWFPOBG0YZjhtp4riJOK0FQ1vCr/1QJVmUtybUUrDBPcFixnBxkpBJ8FmQDDPr8bdcsWrehOgReLPSOXy0714BIB6t/zV6UmSJVQYwrHWge+lJsyxMoxwOnY7maYpJkPcp4GlAidUh/kk8hgdW6WHYqlsCYMm6u+JHCdaj5LIdhYR9bxXiP95QWbi8zBnIs0MFWS6KM44MhIV96MeU5QYPrIEE8VsVkQGWGFi7Jdc+wR//uRF0jyt+l7Vv/MqtWuYogSHcAQn4MMZ1OAW6tAAAhKe4AVeHeM8O2/O+7R1yZnNHMAfOB8/3kaTIA==</latexit><latexit sha1_base64="fbCHEFfi3oPmznn90JPU1PpoQqo=">AAAB8nicbVA9SwNBEN2LX/H8ilraLAbBKtzZaCNGbSwjmA9IjrC32UuW7O0eu3NCOPIzbCwUSev/sLcR/417SQpNfDDweG+GeTNhIrgBz/t2Ciura+sbxU13a3tnd6+0f9AwKtWU1akSSrdCYpjgktWBg2CtRDMSh4I1w+Ft7jcfmTZcyQcYJSyISV/yiFMCVmp3YgIDSkR2Pe6Wyl7FmwIvE39Oylcf7mUy+XJr3dJnp6doGjMJVBBj2r6XQJARDZwKNnY7qWEJoUPSZ21LJYmZCbJp5DE+sUoPR0rbkoCn6u+JjMTGjOLQduYRzaKXi/957RSiiyDjMkmBSTpbFKUCg8L5/bjHNaMgRpYQqrnNiumAaELBfsm1T/AXT14mjbOK71X8e69cvUEzFNEROkanyEfnqIruUA3VEUUKPaEX9OqA8+y8OZNZa8GZzxyiP3DefwDP1ZSU</latexit><latexit sha1_base64="3AcGxZGU5HnJQ5DIvLkY9qLBGSU=">AAAB8nicbVBNS8NAFHypX7V+VT16CRbBU0m86LHqxWMFWwtpKJvtpl262Q27L0IJ/RlePCji1V/jzX/jps1BWwcWhpn32HkTpYIb9Lxvp7K2vrG5Vd2u7ezu7R/UD4+6RmWasg5VQuleRAwTXLIOchSsl2pGkkiwx2hyW/iPT0wbruQDTlMWJmQkecwpQSsF/YTgmBKRX88G9YbX9OZwV4lfkgaUaA/qX/2holnCJFJBjAl8L8UwJxo5FWxW62eGpYROyIgFlkqSMBPm88gz98wqQzdW2j6J7lz9vZGTxJhpEtnJIqJZ9grxPy/IML4Kcy7TDJmki4/iTLio3OJ+d8g1oyimlhCquc3q0jHRhKJtqWZL8JdPXiXdi6bvNf17r9G6Keuowgmcwjn4cAktuIM2dICCgmd4hTcHnRfn3flYjFaccucY/sD5/AFvDpFT</latexit>

T<latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit><latexit sha1_base64="l9OzyDoB0c9X6RCJgDt1ntHKcg4=">AAAB8XicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKzQF7ahTKY37dDJJMxMhBL6F25cKOLWv3Hn3zhNs9DWAwOHc+5lzj1BIrg2rvvtrK1vbG5tl3bKu3v7B4eVo+O2jlPFsMViEatuQDUKLrFluBHYTRTSKBDYCSZ3c7/zhErzWDbNNEE/oiPJQ86osdJjP6JmrMOsORtUqm7NzUFWiVeQKhRoDCpf/WHM0gilYYJq3fPcxPgZVYYzgbNyP9WYUDahI+xZKmmE2s/yxDNybpUhCWNlnzQkV39vZDTSehoFdjJPuOzNxf+8XmrCGz/jMkkNSrb4KEwFMTGZn0+GXCEzYmoJZYrbrISNqaLM2JLKtgRv+eRV0r6seW7Ne7iq1m+LOkpwCmdwAR5cQx3uoQEtYCDhGV7hzdHOi/PufCxG15xi5wT+wPn8AeCNkQk=</latexit>

CS-I Simulated World

• The simulated world in CS-Icorresponds quite closely to theideal world in the UC setting.

• ⋅ + # + T ⟶ℱ&' [Channel]

( ⟶ Env + P1 + P2

)(+/-,⋅) ⟶ Sim

S(e, | · |)<latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCvv5n4=">AAAB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakppiRacVLFUkQHqEB6RnKUUyUn83yT+GxUUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md116m7t+fVxlVRRxkcgiNQAy64AA1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A==</latexit><latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCvv5n4=">AAAB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakppiRacVLFUkQHqEB6RnKUUyUn83yT+GxUUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md116m7t+fVxlVRRxkcgiNQAy64AA1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A==</latexit><latexit sha1_base64="YeaL7+KaImfgqSzaA20sGCvv5n4=">AAAB/3icbVDLSgMxFM3UV62vUcGNm2ARKkiZEUGXRTcuK9oHdIaSyWTa0EwyJBmhTLvwV9y4UMStv+HOvzHTzkKrBwKHc+7lnpwgYVRpx/mySkvLK6tr5fXKxubW9o69u9dWIpWYtLBgQnYDpAijnLQ01Yx0E0lQHDDSCUbXud95IFJRwe/1OCF+jAacRhQjbaS+feDFSA8xYtndtEZOJx4OhZ6c9O2qU3dmgH+JW5AqKNDs259eKHAaE64xQ0r1XCfRfoakppiRacVLFUkQHqEB6RnKUUyUn83yT+GxUUIYCWke13Cm/tzIUKzUOA7MZJ5WLXq5+J/XS3V06WeUJ6kmHM8PRSmDWsC8DBhSSbBmY0MQltRkhXiIJMLaVFYxJbiLX/5L2md116m7t+fVxlVRRxkcgiNQAy64AA1wA5qgBTCYgCfwAl6tR+vZerPe56Mlq9jZB79gfXwDvwiV6A==</latexit>

S(d, ·)<latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AAAB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOffmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr2711YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte533kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HHRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijjI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w==</latexit><latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AAAB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOffmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr2711YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte533kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HHRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijjI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w==</latexit><latexit sha1_base64="KdLcJjXgzVBD3+uDV2WbCoaRSFg=">AAAB/XicbVDLSgMxFM3UV62v8bFzEyxCBSkzIuiy6MZlRfuAzlAymUwbmkmGJCPUofgrblwo4tb/cOffmGlnoa0HAodz7uWenCBhVGnH+bZKS8srq2vl9crG5tb2jr2711YilZi0sGBCdgOkCKOctDTVjHQTSVAcMNIJRte533kgUlHB7/U4IX6MBpxGFCNtpL594MVIDzFi2d2kFp56OBT6pG9XnbozBVwkbkGqoECzb395ocBpTLjGDCnVc51E+xmSmmJGJhUvVSRBeIQGpGcoRzFRfjZNP4HHRglhJKR5XMOp+nsjQ7FS4zgwk3lWNe/l4n9eL9XRpZ9RnqSacDw7FKUMagHzKmBIJcGajQ1BWFKTFeIhkghrU1jFlODOf3mRtM/qrlN3b8+rjauijjI4BEegBlxwARrgBjRBC2DwCJ7BK3iznqwX6936mI2WrGJnH/yB9fkD6tGU2w==</latexit>

W<latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit><latexit sha1_base64="sd+iVzwavP6tMk0XI2E+m0uk9j0=">AAAB8nicbVDLSsNAFL3xWeur6tLNYBFclUQEXRbduKxgH5CGMplO2qGTTJi5EUroZ7hxoYhbv8adf+OkzUJbDwwczrmXOfeEqRQGXffbWVvf2NzaruxUd/f2Dw5rR8cdozLNeJspqXQvpIZLkfA2CpS8l2pO41Dybji5K/zuE9dGqOQRpykPYjpKRCQYRSv5/ZjimFGZd2eDWt1tuHOQVeKVpA4lWoPaV3+oWBbzBJmkxviem2KQU42CST6r9jPDU8omdMR9SxMacxPk88gzcm6VIYmUti9BMld/b+Q0NmYah3ayiGiWvUL8z/MzjG6CXCRphjxhi4+iTBJUpLifDIXmDOXUEsq0sFkJG1NNGdqWqrYEb/nkVdK5bHhuw3u4qjdvyzoqcApncAEeXEMT7qEFbWCg4Ble4c1B58V5dz4Wo2tOuXMCf+B8/gCRvJFt</latexit>

Summary and Concluding Remarks

• The aim was to generalize IND$ and reached a notion that isvery close to a UC secure channel (Channel Simulatability).

• Arguably, CS is easier to use and understand than UC.

• It is closer in spirit to AE/CCA but more versatile, devoid ofprohibited queries.

24

SimulatableChannels - AsiacryptSimulatableChannels: Extended Security that is Universally Composable...

Documents

Transcript of SimulatableChannels - AsiacryptSimulatableChannels: Extended Security that is Universally Composable...