3.4 Stronger Security Notions (Introduction to Modern Cryptography Jonathan Katz and Yehuda Lindell)
#cryptography#c#security#learning
dima853

dima853 @dima853

About: Aspiring Full-Stack Software Engineer | Cryptography & Deep Security Enthusiast | Back-End Focused | Currently learning and building the future.

Location:
Russia
Joined:
Nov 17, 2024

3.4 Stronger Security Notions (Introduction to Modern Cryptography Jonathan Katz and Yehuda Lindell)

Publish Date: May 2
11 1

3.4.1 Security for Multiple Encryptions

Simple experiment, obviously that

This experiment shows that, ideally, a secure encryption scheme should give an attacker a probability of guessing bit b, tending to 1/2 (or 50%).
Image description

important:

Image description

Explanation in simple words:

Definition 3.18 says that a private key encryption scheme is secure when used repeatedly if an adversary (e.g. hacker) cannot distinguish the encryption of two different sets of messages.

Key points:

1.Security with multiple encryptions:

  • The enemy selects two sets of messages (for example, two lists).
    • One of them is encrypted, and the enemy is trying to guess which one it is.
    • If the scheme is secure, his chances of guessing are only slightly better than just flipping a coin (that is, 1/2 + very small value).
  1. Comparison with single encryption (Definition 3.8):
  2. Definition 3.8 verifies security when an adversary encrypts a single message.
    • Definition 3.18 is stricter: it requires that even when encrypting multiple messages the enemy cannot find vulnerabilities.

Example:

  • Disposable Notebook (OTP) is secure if you encrypt one message, but if you encrypt two messages with the same key, the enemy may notice patterns (for example, identical messages give the same ciphers).
  • Therefore, OTP does not satisfy Definition 3.18, but satisfies Definition 3.8.

Conclusion:

  • A good encryption scheme should be resistant not only to single, but also to multiple attacks.
  • For this, randomization is often used (so that identical messages do not give the same ciphertexts).

In short:

Definition 3.18 is a requirement that encryption remains secure, even if an attacker sees a lot of encrypted messages.

Requirements for meeting Definition 3.18

In order for the private key encryption scheme П = Gen,Enc,Dec to satisfy Definition 3.18 (indistinguishability of multiple encryptions), it must:

1. Use probabilistic (randomized) encryption

  • Why? If the encryption is deterministic (for example, OTP), then the same messages give the same ciphertexts.
  • Attack: The opponent can send M_0 = (m, m) and M_1=(m, m'). If c_1 = c_2, he will understand that M_0 has been selected.
  • Solution: Encryption should add randomness (for example, via nonce or IV).

2. Provide semantic security with multiple encryption

  • Even if the enemy sees ** a lot of ciphertexts**, he should not extract information about the messages.
  • Examples of schemes satisfying this:
  • CPA-secure schemes (IND-CPA), for example, AES in CBC or CTR mode.
    • CCA-secure schemes (IND-CCA2), if protection against active attacks is required.

3. Have resistance to Matched plaintext attacks (CPA)

  • The enemy can request the encryption of any messages before attacking.
  • An example of vulnerability: ECB mode (identical blocks → identical cipher blocks).
  • Solution: Use randomized modes (CBC, CTR, GCM).

4. Maintain security when reusing the key.

  • The key should not "wear out" after several encryptions.
  • The OTP issue: The key is used once → the circuit breaks down when applied again.
  • Solution: Use stream ciphers (ChaCha20) or block ciphers in secure modes.

5. Be resistant to time-based attacks or leaks

  • Encryption should not depend on processing time or other side channels.
  • Example: If identical messages are encrypted faster, the enemy may notice this.

Conclusion

For a scheme to satisfy Definition 3.18, it must:
Use randomization (not be deterministic).

✅ Remain secure with multiple encryption (IND-CPA/CCA).

✅ Protect against attacks with selected text.

✅ Support reusable keys.

✅ Do not have side channel vulnerabilities.

Examples of suitable schemes:

  • AES-GCM (CPA-secure + authentication).
  • ChaCha20-Poly1305 (stream cipher with nonce reuse protection).
  • RSA-OAEP (for asymmetric encryption).

PROPOSITION 3.19
There is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, but not in distinguishable multiple encryptions in the presence of an eavesdropper.

Image description

Output

  • OTP is secure for single encryption (Definition 3.8),
  • But ** is unsafe for repeated use** (Definition 3.18), because determinism allows you to distinguish between duplicate messages.

What does this mean?

  • For secure multiple encryption, you need:
  • Randomization (for example, adding IV/nonce),
  • Or stateful encryption (changing state).
  • OTP is not suitable for real systems where the key is used many times.

Examples of secure schemes:

  • AES in CBC/CTR/GCM mode (using random IVs),
  • ChaCha20-Poly1305 (nonce + authentication).

obviously, that

Image description

and that too

Image description

✅ nothing complicated, I'll see you soon.

Comments 1 total

  • Alex P
    Alex PMay 3, 2025

    These are the basics 🤝

Add comment