Security of Symmetric Primitives against Key-Correlated Attacks

We study the security of symmetric primitives against key-correlated attacks (KCA), whereby an adversary can arbitrarily correlate keys, messages, and ciphertexts. Security against KCA is required whenever a primitive should securely encrypt key-dependent data, even when it is used under related keys. KCA is a strengthening of the previously considered notions of related-key attack (RKA) and key-dependent message (KDM) security. This strengthening is strict, as we show that 2-round Even–Mansour fails to be KCA secure even though it is both RKA and KDM secure. We provide feasibility results in the ideal-cipher model for KCAs and show that 3-round Even–Mansour is KCA secure under key offsets in the random-permutation model. We also give a natural transformation that converts any authenticated encryption scheme to a KCA-secure one in the random-oracle model. Conceptually, our results allow for a unified treatment of RKA and KDM security in idealized models of computation.


Introduction
Cryptographic algorithms are subject to a multitude of threats.Many of these threats are accounted for in the theoretical security analysis carried out by cryptographers, but not all.For example, early on, the seminal paper of Goldwasser and Micali [GM84] pointed out that guarantees of semantic security may break down if the adversary sees encryptions of the secret key.Formal analyses of protocols can also become moot [Bih94b,Bih94a] when the assumption that cryptosystems are run on independently generated keys no longer holds.A number of works have analyzed the security of cryptosystems in the presence of key-dependent messages or when different keys are generated in dependent ways (see the related work section below).We continue this line of work and ask to what extent basic cryptosystems (such as blockciphers and symmetric encryption) can resist attacks that exploit correlated inputs.

Motivation
Our motivation for studying correlated-input security is twofold.We are interested in settings where a cryptosystem may be run on related keys-either by design or due to attacks-to securely encrypt messages that depend on the encryption key.Suppose a user stores a secret key K on its hard drive.An adversary may be able to tamper with this key, for example flip some of its bits and change it to K ⊕ ∆ for some bit string ∆.It may then obtain a full-disk encryption under this key.It is not clear what security assertions can be made, as this setting falls outside both the related-key attack (RKA) and the key-dependent message (KDM) models.Indeed, the RKA model only allows the adversary to obtain encryptions of the form Enc(φ(K), M ), for functions φ mapping keys to keys, but for key-independent messages, while KDM accounts for key-dependent encryptions of type Enc(K, ψ(K)), for functions ψ mapping keys to messages, but under untampered keys.In the described attack, the adversary obtains Enc(K ⊕ ∆, K ⊕ ∆).This is not covered by either of these models since both the key and the message are correlated with the original key.Other applications of KCAs include efficient garbling of XORs [App16], where KCA security (called RK-KDM there) with respect to linear functions or the form α • K ⊕ ∆ for a bit α are used.
These settings require a stronger security notion, which is what we introduce here.The Key-Correlated Attacks (KCAs) model lets the adversary obtain encryptions of keydependent messages under related keys.Generally, wherever there is a possibility of both RKAs and KDM attacks, i.e., key-correlated encryptions of the form Enc(φ(K), ψ(K)), there is good chance that the actual security needed is KCA security.A typical use case is when the round functions of a block cipher are keyed via related keys, and the construction is used to encrypt key-dependent data.
In our model, for generality, simplicity and strength, we symmetrically allow for keydependent ciphertexts, that is, the adversary can see Dec(φ(K), ψ(K)).Such settings arise when the decryption algorithm of a blockcipher is run during encryption, which is for example the case in the triple DES construction [BR06], the ElmD construction [BDMN16], or in amplification theorems for blockciphers [MP04,CPS14].
Our second motivation is conceptual in that KCA provides a unified approach to RKA and KDM security analyses of symmetric primitives.More concretely, our goal is to prove KCA feasibility theorems and then derive RKA and KDM security as simple corollaries.This allows for reuse of security proofs and identifies classes of permitted attacks more generally, while leading to stronger security results.

Related work
RKA security.Knudsen and Biham [Knu93,Bih94b,Bih94a] initiated the study of RKAs and Bellare and Kohno [BK03] gave a theoretical treatment.High-profile RKAs on AES were discovered by Biryukov et al. [BKN09,BK09].The RKA model was extended by Albrecht et al. [AFPW11] to account for attacks that depend on an ideal primitive [Har09,Ber10].The RKA security of Feistel networks [BF15] and Even-Mansour ciphers [FP15,CS15] have been studied.Bellare,Cash,and Miller [BCM11] present a comprehensive treatment of RKA security for various cryptographic primitives.KDM security.Goldwasser and Micali [GM84] already hinted at the need for KDM security.The first use of KDM security appears in the work of Camenisch and Lyskanskaya [CL01] for anonymous credentials.Black, Rogaway, and Shrimpton [BRS03] formulated KDM security for symmetric encryption and proved its feasibility in the random-oracle model.Halevi and Krawczyk [HK07] later gave feasibility results in the standard model.Bellare and Keelveedhi [BK11] studied KDM in the context of authenticated encryption.Bellare, Cash, and Keelveedhi [BCK11] give a generic construction of a tweakable blockcipher from a blockcipher which is KDM secure.More recently, Farshim, Khati, and Vergnaud [FKV17] studied KDM security for the ideal cipher and the iterated Even-Mansour constructions.In the asymmetric setting the first feasibility result in the standard model for rich classes of functions was by Boneh et al. [BHHO08].Camenisch, Chandran and Shoup [CCS09] gave a KDM-CCA secure public-key encryption scheme.
Correlated inputs.Study of security under correlated inputs goes back to the work of Ishai et al. [IKNP03] as correlation-robustness in the design of oblivious transfer protocols.
From a technical point of view, the novelty of our KCA proof for 3-round Even-Mansour is that we keep the outer permutations partially consistent with the replaced forgetful oracles as well as the permutation oracles.For legal queries we show this can be done with overwhelming probability, while a detection algorithm will allow us to identify illegal queries and reject them.This proof thus deviates from previous works in which oracles are fully decoupled.As a result we also obtain a different (albeit somewhat more complex) way to prove the RKA security of 3-round Even-Mansour against key offsets by replacing the outer (rather the inner) permutation [FP15].
We end the paper by showing how to generically transform any AE-secure AEAD scheme to one which is a KCA-secure in the random-oracle model by hashing the key with nonces.For this result we only require the set of allowed functions to be unpredictable, as nonces automatically prevent repetitions due to claws in the functions.In contrast to previous work by Bellare and Keelveedhi [BK11] on similar transforms for achieving KDM-security, our scheme is secure with key-dependent nonces and headers.Although key-dependent headers are briefly discussed in [BK11], security with respect to key-dependent nonces is not considered at all.Arguably, however, there is a stronger case for the key-dependency of nonces than of headers: when nonces are randomly chosen they might become correlated with the key due to, e.g., bad generation of random numbers.For key-dependent headers, Bellare and Keelveedhi give a negative result, by having the adversary exploit the pattern of decryption errors (either ⊥ for an illegal query or 0 for failure in authenticity) to recover the key.In our setting, however, the decryption oracle only returns a single error symbol, which enables security under key-dependent inputs.If our model were modified to also have distinct error symbols, an attack similar to that in [BK11] would arise.We note that in these settings one might be able to obtain non-trivial feasibility results by requiring a form claw-freeness. 2  Our work leaves a number of open questions to be addressed in this area: How many rounds are needed for other ciphers (such as Feistel networks) in order to achieve provable KCA security?Do modes of operation (such as CBC) provide KCA security assuming that their underlying blockciphers are KCA secure?Does KCA help in the cryptanalysis of concrete blockciphers?
Organization.We start with basic notation and preliminaries in Sec. 2. In Sec. 3, we define KCA security for blockciphers and study its relation to RKA and KDM security before showing two separation results in Sec. 4. In Sec. 5 we study KCA in the ideal-cipher model and in Sec.6 we prove 3-round Even-Mansour KC-CCA secure for offsets.Sec.7 contains our generic construction of a KCA-secure authenticated encryption scheme from any AE-secure one.

Preliminaries
Notation.We let {0, 1} n denote the set of bit strings of length n and {0, 1} * the set of all finite-length bit strings.For two bit strings X and Y , X|Y denotes their concatenation and (X, Y ) denotes a uniquely (and efficiently) decodable encoding of X and Y .The length of X is denoted by |X|.By x ← ← S we mean sampling x uniformly from set S, whereas by y ← ← A(x) we mean the action of assigning the output of the randomized algorithm A on input x to y.We denote appending element X (resp., a list L ) to a list L by L : X (resp., L : L ).
We adopt the code-based game-playing language of Bellare and Rogaway [BR06], for which all lists are initialized to empty and all bad flags to false.Following the concrete security approach, we will primarily content ourselves with defining advantages and providing concrete reductions, without dwelling too much on the question when a 2 Consistently, the attack in [BK11] exploits claws in the key-dependent headers.
scheme is actually deemed secure or not (e.g., for a sufficiently large class of adversaries, the advantages are sufficiently small).One can of course easily recast our work in an asymptotic framework (where for all probabilistic polynomial-time adversaries advantages should be negligible in the security parameter λ, i.e., in λ −ω(1) ).
Blockciphers.Given a non-empty finite set K and a non-empty set M, called the key space and the message space respectively, we let Block(K, M) denote the set of all functions E : K × M → M such that for each K ∈ K the map E(K , •) is (1) a permutation on M and (2) length-preserving in the sense that for all M ∈ M we have that Such an E uniquely defines its inverse D : K × M → M. A blockcipher for key space K and message space M is a tuple of efficient algorithms BC := (E, D) such that E ∈ Block(K, M) and D is its inverse.We assume that the keys of a blockcipher are chosen uniformly from the key space K, which is typically {0, 1} k for some k ∈ N called the key length.Algorithm E is the deterministic encryption algorithm A (public) permutation on M is a blockcipher with a singleton key space K = {ε}.For variable input length blockciphers, we require that for each n, {0, 1} n is either contained in M, or {0, 1} n ∩ M = ∅.We denote a permutation with P and its inverse with P − .Ideal ciphers.The ideal cipher for key space K and message space M is the uniform distribution over Block(K, M).The ideal-cipher model (ICM) for given key and message spaces K, M is a model of computation where all parties, honest or otherwise, have oracle access to a uniformly random element in Block(K, M) and its inverse.The ideal-cipher model when restricted to K = {ε} gives rise to the random-permutation model (RPM).We abbreviate Block({0, 1} k , {0, 1} n ) by Block(k, n) and Block({ε}, {0, 1} n ) by Perm(n).

Correlation-derivation function (CDF). A correlation-derivation function (CDF) is a circuit of the form
A set of such functions is called a CDF set.Throughout the paper we denote CDF sets by Ξ and require that membership of a CDF set can be efficiently decided.We will define key-correlated security primitives relative to two CDF sets Ξ e and Ξ d that describe allowed encryption and decryption queries, respectively.
KCA-secure blockciphers.Let BC be a blockcipher with key space K = {0, 1} k and message (and ciphertext) space M = {0, 1} n .Let Ξ e and Ξ d be CDF sets for the input space K × M. The KC-CCA advantage of an adversary A against BC is defined by where game KC-CCA Ξ e , Ξ d , A BC is given in Fig. 1.In this game, the adversary's goal is to decide whether (case b = 1) its oracles are using the blockcipher BC = (E, D) or (case b = 0, the ideal case) a random permutation iE and its inverse iD.Lists ML and CL prevent the adversary from trivially winning the game.Otherwise the adversary could, for instance, recover the challenge key K * by querying an encryption (or decryption) of K * and subsequently ask for decryption (or encryption) of the oracle's reply.We note that for two sets Ξ Note.Analogues of KCA security can be formulated for hash functions and pseudorandom generators, which become equivalent to correlated-input security for hash functions [GOR11] and RKA security for PRGs [BCM11].

Examples
As examples of KC functions, suppose that related keys, described by functions from some set Φ, are used within the specification of an encryption scheme (an example are the 3GPP protocols [IK04]).Suppose further that the scheme is used to encrypt messages that depend on the key in ways represented by functions from a set Ψ.The overall effect is that an adversary has access to ciphertexts corresponding to key-dependent messages under related keys.In other words, the adversary can see key-correlated ciphertexts for functions: ξ : K → (φ(K), ψ(K)) with φ ∈ Φ and ψ ∈ Ψ , and Alternatively, suppose an adversary has access to encryptions under related keys with respect to Φ through, say, injection of faults that change bits of a hardware-stored encryption key [BDL97,BS97]. 3If the scheme is used to encrypt key-dependent messages with respect to Ψ, the adversary would be able to launch a KCA for the functions: ξ : K → φ(K), ψ(φ(K)) with φ ∈ Φ and ψ ∈ Ψ , and The KCA model thus captures, among other things, a variety of joint RKA and KDM attacks on a blockcipher.

Relation with RKA and KDM
Let id denote the identity function on a key space K and let Γ denote the set of all constant functions K → M for M ∈ M. We identify a pair of functions (φ, ψ), with ranges K and M respectively, with the correlation-derivation function K → (φ(K ), ψ(K )).
RKA/KDM-only sets.We call a pair (Ξ e , Ξ d ) RKA-only if Ξ e = Ξ d = Φ × Γ for an RKA set Φ of functions mapping keys to keys.We call (Ξ e , Ξ d ) KDM-only if Ξ e = {id} × Ψ and Ξ d = {id} × Γ (i.e., no key-dependent ciphertexts allowed [FKV17]) for a KDM set Ψ of functions mapping keys to messages.(The CPA versions are defined analogously by demanding that Ξ d = ∅.)We assume that any KDM set Ψ contains Γ, as it is natural to always allow for chosen plaintexts.
We show that our definition of KC security extends the standard RKA and KDM definitions for blockciphers, which we recall in Appendix A. In particular, for KDM-only sets we have that KCA and KDM security are equivalent and similarly for RKA-only sets KCA and RKA security are equivalent.For two of the four implications, we assume claw-freeness of the correlation-derivation functions.This requires that it is hard to find two different functions that have the same output given a random input and is defined formally in Sec. 5 (p.202).Claw-freeness is required because the KCA game returns ⊥ whenever claws are detected whereas the RKA game does not.The proof of the following proposition can be found in Appendix A.
Proposition 1.Let BC be a blockcipher.Let Ξ e and Ξ d be two CDF sets.
In particular, let n be the block length, A be an adversary and q the maximum number of its queries.Then there exists an adversary B such that Moreover, there exist adversaries B and B cf such that )-KC-CCA-secure and Ξ e is claw-free then BC is Ψ-KDM-CCA-secure.
In particular, for every adversary A there exists an adversary B such that and there exist adversaries B and B cf such that where q is the maximum number of queries adversary A makes.Analogous implications hold in the CPA setting.

Key-Correlated Attacks
In this section we show that even if a blockcipher simultaneously achieves security against RK and KDM attacks, it may still fail to achieve security against concurrent RK/KDM attacks, and hence also fail to achieve KCA security.We provide two separations, one artificial and one natural, to demonstrate this.

A generic separation result
Let K = M = {0, 1} n and define the following sets of functions: Figure 2: Blockcipher (E , D ) that is both KDM and RKA secure but not KCA secure.Note that min(K , K ) = min(K , K ), thus Given a Φ ⊕ -RKA secure and Ψ ⊕ -KDM secure blockcipher (E, D), consider the modified cipher (E , D ) shown in Fig. 2, where min is the lexicographic minimum and K := K ⊕ 1 k .Note that (E , D ) is again a blockcipher, i.e., a permutation for each value of the key (we simply swapped E(K, K) and C * in the image space).
To see that (E , D ) is not (Ξ ⊕ , ∅)-KC-CCA secure, consider an adversary that queries K → (K , K ) and K → (K , K ) = (K ⊕ 1 n , K ⊕ 1 n ) to its KCEnc oracle.For the modified cipher both queries yield the same result: while for the ideal cipher this would only happen with probability 1/2 n .On the other hand, the modified cipher (E , D ) remains both RKA and KDM secure as it essentially behaves like (E, D) when no joint RKA and KDM attacks as above can be mounted.We kept this discussion informal as our second separating example below is more natural and practically relevant.

Attack on 2-round Even-Mansour
The r-round Even-Mansour cipher [EM97, DR01, BKL + 12] is defined by r permutations P 1 , . . ., P r , has key space K = {0, 1} (r+1)n , domain M = {0, 1} n and encryption and decryption algorithms (cf.Fig. 3) The EM ciphers can also be considered in configurations where (some of the) keys and/or (some of the) permutations are reused in different rounds.We denote the EM cipher where P i and K i+1 are used in round i by EM P1,...,Pr [K 1 , K 2 , . . ., K r+1 ].
Recall the function sets Φ ⊕ , Ψ ⊕ , and Ξ ⊕ from (2).The 2-round Even-Mansour cipher with key reuse and independent permutations E(K , M ) := EM P1,P2 [K , K , K ] was shown to be Φ ⊕ -RK-CPA secure in [FP15] and Ψ ⊕ -KDM-CCA secure in [FKV17].We now show that this construction fails to be (Ξ ⊕ , ∅)-KC-CCA secure.Consider the KDM encryption (3) Now let ∆ * := P 1 (0 n ) ⊕ P 1 (1 n ) and consider the key-correlated encryption Thus the two key-correlated ciphertexts C 1 and E(K , K ) differ by a known value ∆ * .For the ideal cipher this event only occurs with probability 1/2 n since ∆ * = 0 n and the two ciphertexts would be randomly and independently distributed among 2 n values.An attacker thus merely needs to make two queries K → (K, K) and K → (K ⊕ ∆ * , K ⊕ ∆ * ⊕ 1 n ) and check whether the answers differ by ∆ * .The advantage of this attacker is 1 − 1/2 n .

KCA Security of the Ideal Cipher
In this section we study the feasibility of achieving security against key-correlated attacks in the ideal-cipher model.In this setting the adversary has oracle access to the ideal cipher in both the forward and backward direction.
KCA security of the ideal cipher.We begin by extending the standard notion of CCA security to the KCA setting, where key-dependent messages may be enciphered under related keys.Consider game KC-CCA Ξ e , Ξ d , A Block(k,n) shown in Fig. 4. The KC-CCA advantage of an adversary A against the ideal cipher with key length k and block length n is defined by We now prove a feasibility theorem for the ideal cipher that generalizes and extends those of both Bellare and Kohno [BK03] and of Farshim et al. [FKV17].We define four conditions on CDF sets, which exclude trivial attacks.
Unpredictability.The unpredictability advantage of an adversary A against a CDF set Ξ is defined as where we require that ξ ∈ Ξ. Informally, we say Ξ is unpredictable if the above advantage is "small" for every "reasonable" A.
We also define a multi-shot version of this game where A outputs a list L 1 of candidates for ξ and a list L 2 of predicted values (K 0 , M 0 ).Adversary A wins if some ξ in L 1 evaluates to some (K 0 , M 0 ) in L 2 when run on a random key K .Denoting the advantage in this game by Adv m-up Ξ (A), a simple guessing argument shows that for any A there exists B with where 1 and 2 are upper bounds on the sizes of L 1 and L 2 respectively.4 Key-unpredictability. The key-unpredictability advantage of an adversary A against a CDF set Ξ is defined as where we require that ξ ∈ Ξ.Here ξ| 1 (K ) denotes the projection to the first coordinate of ξ(K ).Informally we say Ξ is key-unpredictable if the above advantage is "small" for every "reasonable" A.
We also define a multi-shot version of this game where A outputs a list L 1 of candidates ξ and a list L 2 of predicted values K 0 .Adversary A wins if for a random key K , for some ξ in L 1 we have ξ| 1 (K ) = K 0 for some K 0 in L 2 .If we denote the advantage in this game by Adv m-kup Ξ (A), again we have that there exists a single-shot B such that where 1 and 2 are upper bounds on the sizes of L 1 and L 2 respectively.Note that key-unpredictability implies unpredictability.The converse does not hold as ξ : K → (0, K ) is unpredictable but not key-unpredictable.
Claw-freeness.This requires that it is hard to find two distinct functions that output the same on a random input.Formally, the claw-free advantage of an adversary A against a CDF set Ξ is defined as where we require that ξ, ξ ∈ Ξ.We say Ξ is claw-free if the above advantage is "small" for every "reasonable" A. Once again, a multi-shot version of the game with lists of candidates L 1 and L 2 for ξ and ξ can be defined, and as before there exists B with Cross-key-claw-detectability.We introduce a new notion and call a pair of CDF sets (Ξ e , Ξ d ) cross-key-claw-detectable (xkcd)5 if there is an efficient detection algorithm Det such that for any A the advantage below is small.
We require that ξ e ∈ Ξ e and ξ d ∈ Ξ d .Roughly speaking, xkcd provides a way to treat legality of queries across encryption and decryption queries in the KCA game.For example, in an illegal decryption query the output of an earlier encryption query (stored by the game in list CL, cf.Fig. 1) is sent to the decryption oracle through a CDF function whose key component matches that used in encryption.Det allows us to decide when such cases occur and deal with them appropriately in the security analysis.
A generalization of this notion considers lists L 1 for pairs (ξ e , C ) and L 2 for (ξ d , M ) and A wins if Det fails for any given tuple (ξ e , C , ξ d , M ) in the product of the lists.Again, a guessing argument shows that for every A there exists B with Remark.We can modify claw-freeness to claw-freeness of keys over the union Ξ e ∪ Ξ d .This would immediately imply xkcd, as Det can always return "No".But in this case the reach of our feasibility result below will not extend to the KDM setting, since under KDM a single key is used in encryption and decryption and hence they always collide.
We will now state and prove our first feasibility result, which identifies a set of sufficient conditions on the pair (Ξ e , Ξ d ) so that the ideal cipher is KCA secure with respect to it.
Theorem 1 (KCA security of the ideal cipher).Fix a key length k and block length n and let Ξ e and Ξ d be two sets of CDFs with signature ξ : {0, 1} k → {0, 1} k × {0, 1} n .Then for any (Ξ e , Ξ d )-KC-CCA adversary A against the ideal cipher making at most q direct ideal cipher queries, q e encryption and q d decryption queries, and for any detection algorithm Det, there are (multi-shot) adversaries B 1 , . . ., B 5 such that Ξ e ,Ξ d ,Det (B 5 ) + qq e + qq d + q 2 e + q 2 d + q e q d /2 n .Algorithm B 1 outputs two lists of sizes at most 1 ≤ q e and 2 ≤ q; B 2 outputs lists of sizes at most 1 ≤ q d and 2 ≤ q; B 3 's lists are of sizes at most 1 , 2 ≤ q e ; B 4 's lists are of sizes at most 1 , 2 ≤ q d , and B 5 's lists of sizes at most 1 ≤ q e and 2 ≤ q d .Proof.The idea of the proof is that we will gradually modify KC-CCA of Fig. 4 so that KCEnc and KCDec oracles run with two independent and forgetful random oracles, denoted by $ + and $ − respectively, and further the validity checks are performed by the detection algorithm Det.These modifications ensure that we arrive at a game which does not depend on the explicit key-correlated keys, messages, or ciphertexts.
Pictorially, in this intermediate game with forgetful oracles the adversary can make queries that correspond to 1 (corresponding to iE), 2 (corresponding to iD), 3 and 4: We now describe the transitional steps; the details can be found in Figs. 5 and 6.
Game 0 : This is the KC-CCA game with respect to b = 1 and where the four oracles lazily sample the ideal cipher.The same ideal cipher is used in iE and iD as those used in KCEnc and KCDec oracles.Consistency is ensured via shared lists T + , T − , Im + , and Im − used in lazy sampling.
Game 1 : This game differs from Game 0 in that different lists are used in iE and iD and in KCEnc and KCDec.The game still ensures consistency across the lists and hence there are no functional changes.This game also sets a flag Bad kup preparing us to decouple the two lists.More precisely, whenever a call to iE or iD needs to use the lists of KCEnc and KCDec, or vice versa, Bad kup is set.This game also sets a bad flag Bad col1 whenever it samples a ciphertext (resp.plaintext) that was sampled before and hence appears on . Game 2 : This game omits the code after Bad kup or Bad col1 is set.Thus Game 1 and Game 2 are identical until Bad kup or Bad col1 is set.We defer the analysis of this event to a later game.As a result the two ideal ciphers used in iE and iD and KCEnc and KCDec are decoupled.
Game 3 : This game checks for repeat queries to the ideal cipher used within the KCEnc and KCDec oracles.(Note that the queries to these oracles are assumed, without loss of generality, to be distinct.)The game sets a flag Bad cf when this takes place.This game also sets a bad flag Bad col2 whenever it samples a ciphertext (resp.plaintext) that was sampled before in a previous KCEnc or KCDec query (resp., also in a previous KCEnc and KCDec query).By dropping the code after Bad cf and Bad col2 , we transition to a game where the ideal cipher within KCEnc and KCDec act as forgetful random oracles.
Game 4 : This game uses the detection algorithm Det to check whether or not queries to KCEnc or those to KCDec are valid.More explicitly: (1) For each decryption query ξ d , oracle KCDec runs Det(ξ e , C , ξ d , 0 n , 1) for all previous queries ξ e to KCEnc, which were answered with C .(Intuitively, Det checks whether ξ d (K ) = (ξ e | 1 (K ), C ); the input 0 n is arbitrary.) (2) Analogously, for each query ξ e , oracle KCEnc runs Det(ξ e , 0 n , ξ d , M , 2) for all previous queries ξ d to KCDec which resulted in output M .If Det (which intuitively checks if ξ e (K ) = (ξ d | 1 (K ), M )) returns "Yes" for any of these, KCEnc returns ⊥, else it answers randomly.
Note that this game introduces no functional changes since it still computes the validity of a query using the lists.However it sets a bad flag Bad xkcd when the validity check determined by Det is different from the (true) value of validity determined using the lists ML and CL.This then prepares us to drop the explicit check using the lists and only use Det in the next game.
Game 5 : This game drops the code after Bad xkcd , and so is identical to Game 4 unless Bad xkcd has been set.
Note that in Game 5 the iE and iD oracles implement an ideal cipher whereas the KCEnc and KCDec oracles implement two forgetful random oracles, except that sometimes they might return ⊥ if the Det says that a query is invalid.To signify these, in what follows we refer to KCEnc by $ and KCDec by $ − .We also use iE + for iE and iE − for iD.
Note also that the above games are all identical unless one of the bad flags is set.Thus we analyze the probability of setting any of the bad flags in the final game Game 5 , where the behavior of the oracles are independent of the secret key K * .We start by analyzing the probability of setting Bad kup and Bad col1 .Flag Bad kup can be set under iE if a query (K , M ) to iE appears on T + 2 .Since only KCEnc and KCDec write to T + 2 , this would be the case if (a) (K , M ) = ξ e (K * ) for some query ξ e to KCEnc or (b) (K , M ) = (ξ d | 1 (K * ), M ) for M a randomly chosen output of KCDec.
In case (a) we can build an adversary that wins the multi-shot unpredictability of Ξ e by simulating the oracles as in Game 5 (without the need for K * , as all dependencies on K * are eliminated by Game 5 ) and outputting two lists L 1 and L 2 consisting of all tuples (K , M ) that were submitted to iE and ξ e that were submitted to KCEnc.These lists are of sizes q and q e respectively.
In case (b), however, we build an adversary that wins the multi-shot key unpredictability of Ξ d (note the exponent d).The four oracles are simulated as in Game 5 (once again without the need for K * ), but now the adversary outputs two lists L 1 and L 2 consisting of all keys K for tuples (K , M ) submitted to iE and ξ e that were submitted to KCDec.These lists are of sizes q and q d respectively.
We now look at the probability of setting Bad col1 .A straightforward analysis shows that this probability is upper bounded by q(q e + q d )/2 n .
The probability of setting Bad kup under iD is analyzed similarly to cases (a) and (b) above via reductions to the multi-shot unpredictability of Ξ d and the multi-shot key unpredictability of Ξ e .The probability of setting Bad col1 under iD is at most q(q e +q d )/2 n .6 Next we consider the probability of setting Bad cf or Bad col2 .Flag Bad cf can be set under KCEnc as a result of a query ξ e 0 if either (a) a previous distinct query ξ e 1 to KCEnc resulted in ξ e 0 (K * ) = ξ e 1 (K * ), or (b), a previous query where M is a random value chosen by KCDec in a previous query.In case (a) by collecting the list of ξ e queried to KCEnc we can break the multi-shot claw-freeness of Ξ e (simulating the oracles as in Game 5 ).For case (b) to take place it must be that Det classified the query as valid.However, this leads to setting Bad xkcd since M was returned from the KCDec oracle and hence (ξ d 1 | 1 (K * ), M ) appears on ML but Det did not detect this.We analyze the probability of setting Bad xkcd below.The probability of setting Bad col2 in KCEnc can be upper bounded by q e (q e + q d )/2 n .
The probability of setting Bad cf under KCDec is analyzed as above by a reduction to the multi-shot claw-freeness of Ξ d (or setting Bad xkcd ).The probability of setting Bad col2 in KCDec is upper bounded by q d (q e + q d )/2 n .
Finally we consider the probability of setting Bad xkcd .Flag Bad xkcd is set exactly when ξ e (K * ) appears on ML as a result of a query ξ d to KCDec with response M and Det says it does not, or that it does not and Det says it does.We can bound the probability of setting Bad xkcd under KCEnc by a reduction to the multi-shot xkcd property by collecting all queries ξ e made to KCEnc and all query-answer pairs (ξ d , M ) made to and received form KCDec in two lists and outputting them lists in the multi-shot xkcd game.The probability of setting of Bad xkcd under KCDec is analyzed analogously.
The theorem now follows by putting the bounds established above together.
The above theorem shows that key-unpredictability, claw-freeness, and xkcd are sufficient for achieving KCA security in the ideal-cipher model.This raises the question whether or not they are also necessary.Key-unpredictability is.Any adversary that can predict the key output of ξ e can be used to win the KC game as follows: (1) ask for an encryption under ξ e (K * ) to get a ciphertext C ; It is easily seen that this attack returns b = 1 with the same probability of predicting keys when b = 1.On the other hand, it only succeeds with negligible probability when b = 0 as the encryption oracle and the challenge oracle use independent ideal ciphers.We deal with such attacks in case (b) of ($ + , iE ± ) in the proof.
Claw-freeness, on the other hand, is not necessary.Consider a CDF set consisting of exactly two functions that collide with probability 1/2, e.g., K → K and K → min(K , K ).Then a security proof for the ideal cipher can be easily given: guess with probability 1/2 if min(K , K ) = K .Next depending on the guess simulate the key-correlated oracles either using the same set of ideal cipher oracles or independent ones.However, one can also exhibit CDF sets that are not claw-free and do lead to a KCA on the ideal cipher.Indeed, any set of k + 1 functions that has claws with the identity function depending on whether or not K i , the i-th bit of the key, is 1 can be used to recover the key one bit at a time.In practice this translates to recovering the key by observing the repetition patterns in the outputs.
Finally, there is also a pair of CDF sets which are not xkcd and can be used to attack the ideal cipher.Let ξ e (K ) := (K , 0 n ) and Let C be the answer to KCEnc(ξ e ).Now for i = 1, . . ., k, by checking whether KCDec(ξ d [i, C ]) returns ⊥ or not, one can again recover the key one bit at a time.In practice this translates to observing the equality pattern of the decrypted ciphertexts with 0 n .Theorem 1 and Proposition 1 can be used to recover known feasibility results for RKA and KDM security of the ideal cipher as follows.
RKA security.An RKA-only CDF set Ξ associated to a set Φ is key-unpredictable iff Φ is unpredictable in the sense of [BK03].Indeed, a predictor for a related-key derivation function φ can be converted to a key-predictor for ξ : K → (φ(K ), M ) for any fixed M .Conversely, a key-predictor for (φ(K ), M ) in particular predicts φ(K ).Similarly, Ξ is claw-free iff Φ is claw-free in the sense of [BK03].A claw in Φ can be immediately converted defined in Sec.4.2, is (Ξ ⊕ , Ξ ⊕ )-KC-CCA secure, with Ξ ⊕ as defined in (4).We note that, for Φ ⊕ , Ψ ⊕ as in (2), this construction is known to be both Φ ⊕ -RK-CCA and Ψ ⊕ -KDM-CCA secure [FP15,FKV17].We build on these works to show KC-CCA security in the theorem.
Theorem 2 (KCA security of 3-round EM).EM P1,P2,P3 [K, K, K, K ] is (Ξ ⊕ , Ξ ⊕ )-KC-CCA secure in the random-permutation model for P i .More precisely, for any adversary A against the (Ξ ⊕ , Ξ ⊕ )-KC-CCA security of EM P1,P2,P3 [K, K, K, K ] we have where q is the maximum number of queries of A to P ± i (over all i = 1, 2, 3) and q e and q d are the maximum number of encryption and decryption queries of A, respectively.Proof.To analyze the KC-CCA security of Even-Mansour, our strategy will be similar to that in Theorem 1 and those in [FP15,FKV17].As in these proofs, we replace the last-round permutation P + 3 in KCEnc queries with a forgetful random oracle and also replace the first-round permutation P − 1 in KCDec with another forgetful random oracle.After these replacements the outputs of KCEnc and KCDec will be fully randomized and independent of the inputs; the game is thus independent of the challenge bit b.
(1) For each decryption query ξ d , oracle KCDec runs Det ⊕ (ξ e , C , ξ d , 0 n , 1) for all previous queries ξ e to KCEnc, which were answered with C .If Det says "Yes" for any of these, KCDec ⊕ returns ⊥, else it outputs a random value from the domain.
(2) For each encryption query ξ e , oracle KCEnc runs Det ⊕ (ξ e , 0 n , ξ d , M , 2) for all previous queries ξ d to KCDec, which were answered with M .If Det ⊕ says "Yes" for any of these, KCEnc returns ⊥, else it answers with a random value.
These replacements, however, raise the question how P + 1 in KCEnc and P − 3 in KCDec are treated (since their respective counterparts in KCDec and KCEnc were replaced).Previous works simply leave these oracles unchanged.Our proof diverges in this aspect, because the key-dependency of both keys and messages gives rise to queries that cannot be guaranteed to be disjoint from the forgetful oracle, or discarded as trivial/illegal as in the KDM setting [FKV17], or not result in inconsistency due to the middle permutation P 2 being replaced in the RKA setting [FP15].
For the KCA setting we will replace P − 3 in KCDec (and analogously for P + 1 in KCEnc) as follows.When Det ⊕ says "No" on a query ), the game checks if each previous query ξ e = (∆ e 1 , ∆ e 2 , α e ) to KCEnc with output value C satisfies If so, oracle P− 3 outputs the input U to $ + that was used to compute C .If multiple values are found, P− 3 returns ⊥.If the latter is not the case, P− 3 is sampled as an independent permutation and consistent with P 3 .Permutation P ± 3 , when directly queried, is also sampled consistently with P− 3 on all those entries that are not kept consistent with $ + .More precisely, oracles $ + , P ± 3 and P− 3 write to independent lists L 1 , L 2 and L 3 .Oracle $ + checks consistency with none of the lists, oracle P ± 3 checks consistency with L 2 and L 3 and oracle P− 3 checks consistency with L 1 , L 2 and L 3 .
1 and outputting the input U to $ − that was used to compute M .As a result of the above replacements, the following inconsistencies could arise: (a) Identical queries to a permutation oracle are answered differently due to a replacement.
(b) Different queries to a permutation oracle and its replacement are answered identically (and hence do not respect permutativity).
(c) Multiple candidates for U are found when sampling P− 3 or P+ 1 .
We now bound the probabilities of these events.
Multiple candidates This event will happen due to: (1) a collision in the outputs of $ + , which happens with probability 1/2 n for each pair of queries to KCEnc; or (2) a collision in the output of $ + and an output entry in P ± 3 .This event is equivalent to a collision in the outputs of $ + and P ± 3 , which pertains to case (b) and is analyzed next.

($ + , P ±
3 ) A direct P ± 3 call in either direction collides with a point queried to P + 3 due to a query ξ e = (∆ 1 , ∆ 2 , α) to KCEnc.Suppose the direct query results in V = P + 3 (U ) or U = P − 3 (V ).There are now two cases.(a) The inputs collide, i.e., which is only possible with probability 1/2 n , since the key remains information-theoretically hidden.If it was not queried, the probability that (6) holds is also 1/(2 n − q), since P 2 is a random permutation, where outputs are chosen in a set of size at least 2 n − q.
The other case is that (b) the outputs collide.If the $ + query comes after the direct query, the probability of this event is 1/2 n .Now suppose the $ + query comes first and outputs C ; thus due to the collision we have that C = V ⊕ K * ⊕ ∆ 1 .But in this case the adversary can compute K * = V ⊕ ∆ 1 , which happens with probability at most 1/2 n (as the key remains information theoretically hidden).
($ − , P ± 1 ) A direct P ± 1 call in either direction collides with a point queried to $ − due to a query ξ d to KCDec.This event is analyzed analogously to case ($ + , P ± 3 ) above.
($ + , $ + ) The are two cases: (a) two inputs collide or (b) two outputs collide.In case (a) two distinct calls ξ e = (∆ 1 , ∆ 2 , α) and (ξ e ) = (∆ 1 , ∆ 2 , α ) to the KCEnc oracle result in querying $ + on the same input.For this event to occur we must have that ⊕ ∆ 1 and from (7) we get ∆ 1 = ∆ 1 .Since P 1 is a permutation, this implies that X = X .If further α = α then we would also have ∆ 2 = ∆ 2 , which means ξ e = (ξ e ) , contradicting distinctness of queries.Thus α = α and hence ∆ 2 ⊕ ∆ 2 = K * (since X = X ), which only happens with probability 1/2 n as it leads to guessing the key.Assume now that Y = Y . where 1 is the value input to $ − and output by P + 1 due to the consistency check in KCEnc.Rearranging and applying P − 2 to the above equality yields Y ⊕ K * ⊕ ∆ e 1 = P − 2 (U ⊕ K * ⊕ ∆ e 1 ).Substituting the expression for Y we get that . Since P − 2 is a permutation, this would happen iff ∆ d 1 = ∆ e 1 , which is an illegal query.
The theorem follows by putting the above bounds together.
Remark.A potential strengthening of the above theorem would be to consider a wider class of KCA attacks for which the ideal cipher is known to be secure.One possibility would be the class of key-unpredictable, claw-free, and xkcd-secure CDF sets as shown in Theorem 1.Although feasibility of this level of security claim for iterated Even-Mansour ciphers would follow from known indifferentiability [LS13,DSST17], this would require a larger number of rounds and also comes at the cost of lower levels of security.It remains an interesting open question to find the minimal number of rounds needed in the Even-Mansour ciphers that yields (Ξ e , Ξ d )-KC-CCA security with respect to any pair (Ξ e , Ξ d ) for which the ideal cipher is also (Ξ e , Ξ d )-KC-CCA secure.
Remark.We note that our model does not consider the possibility of preprocessing attacks, and establishing security bounds based on the size of non-uniform advice and the number of on-line queries remains an interesting line of research for future work.

Authenticated Encryption
We have seen that it is possible to achieve KCA-secure blockciphers.Given this, we now turn our attention to higher-level primitives and investigate the possibility of constructing KCA-secure primitives which rely on blockciphers.A natural first step is to explore symmetric encryption.Specifically, we consider the notion of authenticated encryption with associated data (AEAD).
AE syntax.An AEAD scheme is a 3-tuple of algorithms SE = (Gen, Enc, Dec), where (1) Gen is the randomized key generation algorithm that returns a bit string K from a finite key-space K (which is typically {0, 1} k for some k ∈ N).
(2) Enc : K × M × N × H → C is the deterministic encryption algorithm which takes as input a key K , a message M from message space M, a nonce N from nonce space N , and possibly some associated AE security.We define the AE-security of SE = (Gen, Enc, Dec) by considering the game described on the left in Fig. 7.The AE advantage of an adversary A against an AEAD scheme is defined by We require that A is nonce-respecting in that it does not repeat nonces in its encryption queries (but it may repeat them in decryption or across encryption and decryption queries).
KC-AE security.Let SE be an AEAD scheme as defined above.Let Ξ e and Ξ d be CDF sets with signatures ξ e : K −→ K × M × N × H and ξ d : As is in the blockcipher case, Ξ e is used to generate correlated keys and key-correlated messages.In addition to this, for authenticated encryption, we allow all inputs to the encryption algorithm to be key-correlated.Unlike the blockcipher case however, we restrict the use of Ξ d to generate correlated keys, nonces, and headers as it seems unnatural to derive a key-correlated ciphertext for decryption.If ξ e ∈ Ξ e and ξ d ∈ Ξ d we note that the syntactical difference to SE when considering KC-AE security is that the encryption oracle in the scheme only takes ξ e as input, while the decryption oracle takes (ξ d , C ) as described in the KC-AE Ξ e ,Ξ d ,A SE game on the right in Fig. 7.The KC-AE advantage of an adversary A against AEAD is defined by We require that nonces are not repeated in KCEnc queries.Security against key-correlated attacks is a strengthening of the standard notion of AE-security for a symmetric encryption scheme.As the syntax shows, the input to SE consists of K , M , N , and H .A natural question may arise as to which inputs we allow to be key-correlated.Although we would like to provide guarantees against any correlated inputs, there are two immediate issues with header security.It can (sometimes) be the case that headers are not private, and if they are heavily key-correlated, an adversary could trivially retrieve the key.For this reason, we require that header data is private.But a more subtle point, as shown in [BK11], is that even with private headers, it is possible for an adversary to perform a full key-recovery attack by taking advantage of the pattern of errors returned while list-checking during the decryption process which may be key-dependent.This attack does not apply in our setting, as we return only one error symbol (⊥) for both illegal queries and a failed decryption process, and as such, an adversary cannot use this to gain advantage. 7hen headers or nonces are public-formally this means revealing the header H or N under the KCEnc and KCDec oracles-we can achieve security by requiring that headers or nonces are key-uncorrelated in the sense that their values can be computed from the description of input CDFs without the need for K * .Looking ahead, this requirement would allow a proof strategy similar to one below in the private setting to be also applied in the public setting, with the difference that the values of headers and nonces would now be computed from the descriptions of the input CDFs.
The HwN Transform.We introduce the Hash-with-Nonce (HwN) transform with the goal of achieving KCA-security for symmetric encryption.Working in the random-oracle model, HwN converts a conventional AE-secure AEAD scheme SE to a new one, SE = HwN[SE, Gen] = (Gen, Enc, Dec), which we will prove to be KC-AE secure.Gen is its key-generation algorithm, its key length is k and nonce length is n.Its encryption and decryption algorithms are defined as follows, where H : K × N −→ K is a random oracle.
To show that SE is (Ξ e , Ξ d )-KC-AE secure it will be convenient to reduce to a multi-user variant of the AE game.Multi-user authenticated encryption (MUAE) allows an adversary to choose the number of keys to target, analogous to the number of users in the scheme.In addition to taking a message, nonce, and header, the encryption oracle takes an index i (indicating user number), and returns encryptions under a key K i , or a random string of the same length.Decryption always returns the error symbol, except in the case the real algorithms are being used where the message M is returned by decrypting C under K i .The adversary cannot ask user i to decrypt a ciphertext that it previously obtained from this user.In a scheme with n users, it follows via a simple hybrid argument (see Appendix B) that any AE-secure AEAD scheme is also MUAE secure.
The convenience in using MUAE lies in the fact that we can leverage the programmability of random oracles to implicitly map the hash values H(ξ e i | 1 (K * )|N i ) of the i-th query ξ e i to KCEnc, to a new randomly and independently chosen key in the MUAE game.This also decouples the key used in encryption (i.e., H(ξ e i | 1 (K * )|N i )) from the key-correlated messages ξ e i | 2 (K * ), key-correlated nonces ξ e i | 3 (K * ), and key-correlated headers ξ e i | 4 (K * ).Overall, our reduction proceeds by choosing a K * , computing the key-correlated message, nonce, and header, faithfully using this key, and implicitly setting H(ξ e i | 1 (K * )|N ) to keys K i in the MUAE game.For this analysis, we need that the keys K i remain hidden from the adversary's point of view, which we argue is the case as long the queried functions are key-unpredictable.We first give a definition formalizing the unpredictability of correlated keys before formally stating and proving the security guarantees of SE Theorem 3 (KCA security of HwN).Let SE be an AE-secure AEAD scheme.Let Ξ e and Ξ d be two CDF sets.Then for any (Ξ e , Ξ d )-KC-AE adversary A against the scheme SE obtained by applying the HwN transform to SE that makes q random oracle queries, q e encryption queries and q d decryption queries, there are adversaries B, C 1 and C 2 such that where adversary B makes at most q e + q d queries to Init, at most q e queries to encryption, and at most q d queries to decryption, adversary C 1 outputs two lists of sizes at most q e and q, and adversary C 2 outputs two lists of sizes at most q d and q.
Proof.The proof proceeds via a sequence of games as shown in Figs. 8 and 9.The three games in Fig. 8 run according to the KC-AE game with the HwN transform applied, and with b = 1.When b = 1, all oracle queries to KCEnc return encryptions of key-derived inputs under related keys.Queries to KCDec return the plaintext, or the error symbol ⊥ if the ciphertext is deemed illegitimate.The three games in Fig. 9 run according to the KC-AE game with the HwN transform applied, and with b = 0.In this scenario, all oracle queries to KCEnc return random ciphertexts, and KCDec always returns the error symbol ⊥.All games, adversaries, and transitions are outlined below.
Game 0 describes the KC-AE game with respect to the transformed scheme and b = 1.
Game 1 is identical to Game 0 with one conceptual change: it proceeds by separating the book-keeping list for H into cases when H is accessed within KCEnc and KCDec and when directly accessed by the adversary.More precisely, in Game 1 , records of adversary A's queries to the random oracle H will be recorded in a list L, whereas the oracle queries from KCEnc and KCDec will be recorded in a list L by oracle denoted H .A bad flag, Bad, is set if H is queried on a key/nonce pair that has already been queried by A to H.In this game, H and H jointly implement H in Game 0 and event Bad prepares us to fully decouple H and H later: Game 2 is identical to Game 1 up to the point that Bad is set.If this event occurs within H , records are no longer returned.By the fundamental lemma of game playing [BR06], we bound the difference between Game 2 and Game 1 as Event Bad corresponds to a non-empty intersection between the two lists L and L .Below, we will bound Pr [Bad] in Game 1 by showing that (1) this probability is close to the probability of setting Bad in Game 2 down to the MUAE security of SE; and (2) the probability of setting Bad in Game 2 is small down to the key unpredictability of Ξ e and Ξ d .
Game 3 switches the challenge bit to b = 0. We show below that any adversarial advantage in distinguishing Game 2 and Game 3 can be converted, via an adversary B 1 , against the MUAE game: Game 4 reverses the change in Game 2 and merges random oracles H and H .We have that Pr where we choose Game 3 to analyze the probability of Bad.Below we construct adversaries to show that this probability is bounded above by the key-unpredictability advantages against Ξ e and Ξ d .
Game 5 is identical to Game 4 except for a reversal of the conceptual change seen between Game 0 and Game 1 .The random oracles are completely re-coupled, and all queries by A, KCEnc and KCDec are written to a single list L. There are no procedural changes in this game: The reductions.We now give the details of the bounds for the three transitional changes above.
Adversary B 1 plays the MUAE game and is built based on an adversary A that attempts to distinguish Game 2 and Game 3 as follows.Adversary B 1 initializes q keys and chooses a K * .It then simulates the encryption and decryption oracles by explicitly computing the actual key, and also message when answering encryption, used using K * .In doing so, B 1 implicitly programs H(ξ e i (K * ), N i ) to K i , one of the q keys initialized by B 1 's challenger.Since nonces are not reused, and each K i is chosen randomly, this will constitute a perfect simulation of the random oracle H .When b = 0, this is a perfect simulation of Game 4 environment for A by B 1 .However when b = 1, although simulation encryption is good, care must be taken in decryption as decryption of (K , C , N , H ) is not allowed in the KC-AE game if (K , C , N , H ) was added to list CL.Adversary B 1 thus keeps track of these values and answers with ⊥ when such a query arises.Note that B 1 once again uses its knowledge K * and further that this modification does not affect the simulation when b = 0. Adversary B 1 continues in this way and returns the bit that A outputs.Hence, Adversaries C i for i = 1, 2 are used to show that the probability of Bad is small by the key-unpredictability of the queried functions.Adversaries C i for i = 1, 2 run A in Game 3 by simply simulating its encryption and decryption oracles with $ and ⊥ respectively.They also lazily sample the random oracles H for A. Adversary C 1 keeps track of all queried functions to KCEnc and adversary C 2 keeps track of all queried functions to KCDec.Both adversaries also keep track of all queries to H. When A terminates, C i simply outputs the list of all queried functions that it keeps track of and H queries its two lists of guesses in the multi-shot key-unpredictability game.(See Fig. 10 (middle) for the details.) Whenever flag Bad is triggered, either C 1 or C 2 wins the key-unpredictability game against Ξ e or Ξ d respectively: Adversary B 2 is used to bound the difference between the probabilities of setting Bad in games Game 3 and Game 4 .This is done via another reduction to the MUAE game which attempts to decide the challenge bit by observing if Bad is set.Algorithm B 2 runs A similarly to algorithm B 1 .It however keeps track of the queried functions to KCEnc and KCDec as well as H.It uses its knowledge of K * to verify if Bad has occurred.When the MUAE challenge bit of B 2 is 1, algorithm B 2 runs A in an environment identical to that of Game 2 ; hence the probability of B 2 outputting 0 is exactly that of Bad in Game 2 .Similarly, the probability of B 2 outputting 1 is exactly that of Bad occurring in Game 3 .Hence The theorem follows by putting the bounds established above together, and noting that In the theorem statement, we choose B to be B 1 or B 2 having the bigger advantage.
Remark.The above theorem can be extended to a misuse-resilient and key-correlated setting, whereby nonces may be repeated at encryption for a construction similar to HwN that also hashes the header information.A similar proof strategy can be used to analyse its KC-MRAE security at the expense of introducing three extra conditions: (1) the base scheme is MRAE secure; (2) the sets Ξ e and Ξ The above simulation strategy for does not work for the converse implication RK ⇒ KC, as best illustrated by the following example: Consider a blockcipher for which there exist K = K ∈ K and M ∈ M with E(K, M ) = E(K , M ) = C; now consider a KC adversary A that queries KCEnc(φ, M ) with φ(K * ) = K; thus (K, C) ∈ CL.Later A queries KCDec(φ , C) and KCDec(φ , C) where φ (K * ) = K and φ (K * ) = K.Reduction B can forward these queries to its RK oracle and will get M in both cases.But KCDec(φ , C) should be answered with M (since (K , C) / ∈ CL), whereas KCDec(φ , C) should be answered with ⊥.Thus, storing (C, M ) in a local list CL doesn't help, since both queries would make B look at this entry, but should result in different actions.
The reduction can thus not perfectly simulate the KC experiment; although this situation is very unlikely to occur for the ideal cipher, the reduction cannot abort and return 1 (as in the above proof), since the event that the adversary found a tuple (K, K , M, C) that would be hard to find for the ideal cipher is not detectable by the reduction (in contrast to the proof for KC ⇒ RK).
The proof will now rely on claw-freeness of the set Φ.If it was perfectly claw-free, then the reduction could perfectly simulate entries (K, C) ∈ CL by entries (φ, C) ∈ CL with φ(K * ) = K.But if claw-freeness is only computational then the adversary could find φ, φ with φ(K * ) = φ (K * ) for the key K * chosen by the game, but which would not be a claw for a random key and thus cannot be output as a solution in the claw-freeness game.
However, we can show that until the adversary finds a claw, the ideal game can be simulated without having chosen any key K * at all.If the adversary thus finds a claw, it must be one for a random key with non-negligible probability as well.We start with proving this last observation in the following lemma.Then there exists an adversary A cf such that Pr[E] ≤ q 2 • (Adv cf Φ (A cf ) + 1/2 n ) =: 2 , where q is the number of oracle queries B makes in game RK-CCA.
Proof.The crucial observation is that game RK-CCA Φ,B BC when b is fixed to 0 can be simulated without knowing choosing K * up to the event E happening, that is, the point where the adversary produces the first claw.Let (φ i ) q i=1 denote the list of all functions queried to RKEnc or RKDec.We construct an adversary A cf against claw-freeness as follows: it first guesses i 0 , i 1 ∈ [1, q] and then simulates the game for B until the i 1 -th query as follows: A cf keeps a list L with entries of the form (φ, M, C).Whenever B queries RKEnc(φ, M ), it checks whether there is some entry (φ, M, C ) ∈ L and if so, returns C .Else it samples C ← M, adds (φ, M, C) to L and returns C. Whenever B queries RKDec(φ, C), it checks whether there is some entry (φ, M , C) ∈ L and if so, returns M .Else it samples M ← M, adds (φ, M, C) to L and returns M .When B makes its i 1 -the query, A cf stops and returns (φ i0 , φ i1 ).
Assume event E occurred and A cf guessed correctly that the i 1 -th query was the first query after which E occurred and the i 0 -th query was the one it collided with.Consider A cf 's challenger, which chooses K * ← K and checks whether φ i0 (K * ) = φ i1 (K * ).If so, then A cf won the claw-freeness game.Else the probability that A cf would have answered the i 1 -th query so that E still occurred is 1/2 n .RK ⇒ KC.This direction relies on the claw-freeness of the set Φ. Let A be a KC adversary; we construct a reduction B against RK that maintains two local lists ML and CL and aborts whenever event E, defined in Lemma 2, occurs.
Whenever A queries KCEnc for ξ e : K → (φ(K), M ), reduction B queries RKEnc(φ, M ) to receive C. It first checks whether there has been a "colliding" RKEnc query: if there is an entry (φ , C, M ) in its list CL with φ = φ then B aborts and returns 1.
To answer the query KCEnc(φ, M ), an actual KC challenger would check whether (φ(K * ), M ) ∈ ML.Instead, B checks its local list ML : if (φ, M, C) ∈ ML , it returns ⊥; if there is an entry (φ = φ, M, C) then B aborts the simulation and returns 1; if there is no entry (•, M, C) ∈ ML , it adds (φ, C, M ) to its local list CL and returns C.
KCDec queries for ξ d : K → (φ(K), C) are dealt with analogously: B first queries RKDec(φ, C) to receive M .If there is an entry (φ , M, C) in ML with φ = φ then B aborts and returns 1.To answer KCDec(φ, C), an actual KC challenger would now check whether (φ(K * ), C) ∈ CL.Instead, B checks its local list CL : if (φ, C, M ) ∈ CL it returns ⊥; if there is an entry (φ = φ, C, M ) then B aborts the simulation and returns 1; if there is no entry (•, C, M ) ∈ CL , it adds (φ, M, C) to its local list ML and returns M .
We show that the simulation is perfect if B does not abort; consider a query KCDec(φ, C): (1) If (φ, C, M ) ∈ CL then there must have been a query KCEnc(φ, M ) with C = E(φ(K * ), M ); thus a KC challenger would have added (φ(K * ), C) to CL and the above KCDec query would have been answered by ⊥. (2) If there is no entry (•, C, M ) ∈ CL then (φ(K * ), C) cannot be in CL, since whenever it is added to CL, an entry (•, C, D(φ(K * ), C) would have been added to CL .Perfect simulation of KCEnc queries is argued completely analogously.
On the other hand, we have that B aborts precisely when E, as defined in Lemma 2, occurs.With as defined in the latter, we thus have

Figure 1 :
Figure 1: Game defining the (Ξ e , Ξ d )-KC-CCA security of a blockcipher BC = (E, D) with key space K and message space M. We require that ξ e ∈ Ξ e and ξ d ∈ Ξ d for all queries.

Figure 4 :
Figure 4: Game defining (Ξ e , Ξ d )-KC-CCA security of the ideal cipher with key length k and block length n.We require that ξ e ∈ Ξ e and ξ d ∈ Ξ d for all queries ξ e , ξ d .

Figure 7 :
Figure7: the game defining the KC-AE security of SE with key-correlated inputs and private headers and nonces (which are not revealed to the adversary).The adversary is required not to repeat nonces in its KCEnc queries.

Figure 8 :
Figure 8: Game 0 shows the KC-AE game with respect to SE and challenge bit 1. Game 1 separates the lists for H and H .There are no functional changes.Game 2 then fully decouples H and H .

Figure 9 :
Figure 9: Game 3 changes the challenge bit to 0. Game 4 merges H and H . Game 5 is functionally identical to Game 4 with merged H and H . Game 5 is the KC-AE game with respect to SE and challenge bit 0.

Figure 10 :
Figure10: On the left is the description of adversary B 1 simulating the challenger of A in the KC-AE game whilst interacting in the MUAE environment.In the middle is the description of adversaries C i simulating the oracle requests by A in the KC-AE game when b = 0 and whilst running in the key unpredictability environment.On the right is the code for an adversary B 2 simulating A in the KC-AE game whilst interacting in the MUAE environment.

Lemma 2 .
Consider game RK-CCA Φ,B BC with b fixed to 0 and define event E as follows: the adversary B makes two RKEnc queries (φ, M ) and (φ , M ), with φ = φ , both answered by the same C; or it makes two RKDec queries (φ, C ), (φ , C ), with φ = φ , both answered by the same M ; or it makes two queries RKEnc(φ, M ), answered by C and RKDec(φ , C ), answered by M , with φ = φ .