Security of Symmetric Primitives under Incorrect Usage of Keys

  • Pooya Farshim École normale supérieure (ENS), The French National Centre for Scientific Research (CNRS), Inria & PSL Research University , Paris, France
  • Claudio Orlandi Aarhus Univeristy, Aarhus, Denmark
  • Razvan Rosie École normale supérieure (ENS), The French National Centre for Scientific Research (CNRS), Inria & PSL Research University, Paris, France
Keywords: incorrect key usage, key-robustness, authenticated encryption, MAC, •generic composition, collision-resistant PRF, collision-resistant PRG

Abstract

We study the security of symmetric primitives under the incorrect usage of keys. Roughly speaking, a key-robust scheme does not output ciphertexts/tags that are valid with respect to distinct keys. Key-robustness is a notion that is often tacitly expected/assumed in protocol design — as is the case with anonymous auction, oblivious transfer, or public-key encryption. We formalize simple, yet strong definitions of key robustness for authenticated-encryption, message-authentication codes and PRFs. We show standard notions (such as AE or PRF security) guarantee a basic level of key-robustness under honestly generated keys, but fail to imply keyrobustness under adversarially generated (or known) keys. We show robust encryption and MACs compose well through generic composition, and identify robust PRFs as the main primitive used in building robust schemes. Standard hash functions are expected to satisfy key-robustness and PRF security, and hence suffice for practical instantiations. We however provide further theoretical justifications (in the standardmodel) by constructing robust PRFs from (left-and-right) collision-resistant PRGs.
Published
2017-03-08
How to Cite
Farshim, P., Orlandi, C., & Rosie, R. (2017). Security of Symmetric Primitives under Incorrect Usage of Keys. IACR Transactions on Symmetric Cryptology, 2017(1), 449-473. https://doi.org/10.13154/tosc.v2017.i1.449-473
Section
Articles