Another Look at Tightness II: Practical Issues in Cryptography

How to deal with large tightness gaps in security proofs is a vexing issue in cryptography. Even when analyzing protocols that are of practical importance, leading researchers often fail to treat this question with the seriousness that it deserves. We discuss nontightness in connection with complexity leveraging, HMAC, lattice-based cryptography, identity-based encryption, and hybrid encryption.

1. 1.

   By “k bits of security” we mean that there is good reason to believe that, if a successful attack (of a specified type) takes time T and has success probability \(\epsilon \), then \(T/\epsilon > 2^k\).

2. 2.

   We are not accounting for recent progress by Kim and Barbulescu [51] in algorithms for computing discrete logarithms in \({\mathbb G}_T\). This will lead to working with even larger parameters.

3. 3.

   In iterated hash functions one also appends a “length block” to the message M before hashing. We are omitting the length block for simplicity.

4. 4.

   The early posted versions of [54] contained a serious error that was pointed out to the authors by Pietrzak, namely, the theorem is given assuming only the PRF property rather than the strong PRF property that is needed in the proof. This error was explained and corrected in the posted versions and the published version. Soon after the corrected version was posted, Pietrzak posted a paper [70] containing a different proof of essentially the same result as in Corollary 10.3 of Theorem 10.1 of [54] (see also [40]).

5. 5.

   The abstract to [40] also erroneously states that “NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant”.

6. 6.

   In this quotation Bellare uses the word “blackbox” in a non-standard way. Later in his paper he defines a “blackbox” reduction to be one that is constructible and a “non-blackbox” reduction to be one that is non-constructible. However, when comparing a proof as in [12] that uses “coin-fixing” with more recent proofs that do not, the standard terms are nonuniform/uniform rather than non-blackbox/blackbox.

7. 7.

   The section “Our Contributions” in [40] starts out: “Our first contribution is a simpler, uniform, and as we will show, basically tight proof for the PRF-security of NMAC\({}^f\) assuming only that f is a PRF.” The authors apparently meant to say that their tightness gap is best possible, i.e., cannot be improved. Their proof is not tight, however—far from it. Their tightness gap is nq, essentially the same as in Corollary 10.3 of [54].

8. 8.

   Regev’s theorem can also be stated with the \(\text {GapSVP}_{\gamma }\) problem instead of \(\text {SIVP}_{\gamma }\). Given an n-dimensional lattice L and a number \(r > 0\), GapSVP\({}_\gamma \) requires that one output “yes” if \(\lambda _1(L) \le r\) and “no” if \(\lambda _1(L) > \gamma r\) (either “yes” or “no” is allowed if \(r <\lambda _1\le \gamma r\)).

9. 9.

   In the IBE setting “CP” does not stand for chosen plaintext but rather for clave pedida, which means “requested key” in Spanish.

10. 10.

    In Table 1 of [78], Zhang and Imai claim that their security reduction has a tightness gap of \(q_E \cdot q_H\); this assertion is repeated in Table 4 of [8]. However, they neglected to account for the tightness gap arising from the running times in Theorem 1 of their paper.

11. 11.

    We can suppose that the \(2^a\) ciphertexts are sorted according to their first two blocks (or perhaps stored using a conventional hash function). Then one iteration of the attack takes essentially unit time, since it just requires computing \((C''_1,C''_2)\) and looking for it in the sorted table. Since the expected number of iterations is \(2^{128-a}\), the running time of the attack is \(T=2^{128-a}\) (and the success probability is essentially 1).

We wish to thank Greg Zaverucha for extensive help with Appendix B as well as useful comments on the other sections, Michael Naehrig for reviewing and commenting on Sect. 5, Somindu C. Ramanna for providing helpful comments on an earlier draft of Sect. 6, Ann Hibner Koblitz for editorial suggestions, and Ian Blake, Eike Kiltz, and Chris Peikert for helpful feedback and suggestions. Of course, none of them is responsible for any of the opinions expressed in this article.

Authors and Affiliations

1. Department of Computer Science and Automation, Indian Institute of Science, Bengaluru, India

   Sanjit Chatterjee

2. Department of Mathematics, University of Washington, Seattle, USA

   Neal Koblitz

3. Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Canada

   Alfred Menezes

4. Applied Statistics Unit, Indian Statistical Institute, Kolkata, India

   Palash Sarkar

Corresponding author

Correspondence to Alfred Menezes .

Editors and Affiliations

1. Multimedia University, MMU, Cyberjaya, Malaysia

   Raphaël C.-W. Phan

2. Snapchat and Columbia University, New York, New York, USA

   Moti Yung

A Concrete Analysis of Regev’s Worst-Case/Average-Case Reduction

Let \(q=q(n)\) and \(m=m(n)\) be integers, and let \(\alpha = \alpha (n) \in (0,1)\) be such that \(\alpha q > 2\sqrt{n}\). Let \(\chi \) be the probability distribution on \({\mathbb Z}_q\) obtained by sampling from a Gaussian distribution with mean 0 and variance \(\alpha ^2/2\pi \), and then multiplying by q and rounding to the closest integer modulo q. Then the (search version of the) LWE problem is the following: Let s be a secret vector selected uniformly at random from \({\mathbb Z}_q^n\). Given m samples \((a_i,a_i\cdot s +e_i)\), where each \(a_i\) is selected independently and uniformly at random from \({\mathbb Z}_q^n\), and where each \(e_i\) is selected independently from \({\mathbb Z}_q\) according to \(\chi \), determine s. The decisional version of LWE, called DLWE, asks us to determine whether we have been given m LWE samples \((a_i,a_i\cdot s + e_i)\) or m random samples \((a_i,u_i)\), where each \(u_i\) is selected independently and uniformly at random from \({\mathbb Z}_q\).

Regev [71] proved that the existence of an efficient algorithm that solves DLWE in the average case implies the existence of an efficient quantum algorithm that solves \(\text {SIVP}_{\gamma }\) in the worst case where \(\gamma = \tilde{O}(n/\alpha )\). In the remainder of this section we provide justification for the following refinement of Regev’s theorem:

Claim

Let \(q=n^2\) and \(\alpha = 1/(\sqrt{n} \log ^2 n)\), whence \(\gamma = \tilde{O}(n^{1.5})\). Suppose that there is an algorithm W that, given \(m=n^c\) samples, solves DLWE for a fraction \(1/n^{d_1}\) of all \(s \in {\mathbb Z}_q^n\) with advantage at least \(1/n^{d_2}\). Then there is a polynomial-time algorithm \(W'\) for solving \(\text {SIVP}_{\gamma }\) that calls the W oracle a total of \(O(n^{11+c+d_1+2d_2})\) times.

1.1 A.1 Gaussian Distributions

Recall that the Gaussian distribution with mean 0 and variance \(\sigma ^2\) is the distribution on \({\mathbb R}\) given by the probability density function

For \(x \in {\mathbb R}^n\) and \(s > 0\), define the Gaussian function scaled by s:

The Gaussian distribution \(D_s\) of parameter s over \({\mathbb R}^n\) is given by the probability density function

Note that \(D_s\) is indeed a probability distribution since \(\int _{x \in {\mathbb R}^n} \rho _s(x) \, dx = s^n\).

If L is a lattice, we can define

Then the discrete Gaussian probability distribution \(D_{L,s}\) of width s for \(x \in L\) is

Let L be a (full-rank integer) lattice of dimension n.

1.2 A.2 Concrete Analysis

In this section the tightness gap of a reduction algorithm from problem A to problem B is the number of calls to the oracle for B that are made by the reduction algorithm.

Regev’s worst-case/average-case reduction has two main components:

1. 1.

   The reduction of (search-)LWE to average-case DLWE (denoted \(\text {DLWE}_{ac}\)).

2. 2.

   The reduction of worst-case \(\text {SIVP}_{\gamma }\) to LWE.

Reduction of LWE to \(\mathbf {DLWE}_{\varvec{ac.}}\) This reduction has three parts.

Part I. Worst-Case to Average-Case. \(\text {DLWE}_{wc}\) denotes the worst-case DLWE problem. Lemma 4.1 in [71] shows that an algorithm \(W_1\) that solves \(\text {DLWE}_{ac}\) for a fraction \(\frac{1}{n^{d_1}}\) of all \(s \in {\mathbb Z}_q^n\) with acceptance probabilities differing by at least \(\frac{1}{n^{d_2}}\) can be used to construct an algorithm \(W_2\) that solves \(\text {DLWE}_{wc}\) with probability essentially 1 for all \(s \in {\mathbb Z}_q^n\). The algorithm \(W_2\) invokes \(W_1\) a total of \(O(n^{d_1+2d_2+2})\) times.

Part II. Search to Decision. Lemma 4.2 in [71] shows that an algorithm \(W_2\) which solves \(\text {DLWE}_{wc}\) for all \(s \in {\mathbb Z}_q^n\) with probability essentially 1 can be used to construct an algorithm \(W_3\) that solves (search-)LWE for all \(s \in {\mathbb Z}_q^n\) with probability essentially 1. Algorithm \(W_3\) invokes \(W_2\) a total of nq times, so this reduction has a tightness gap of nq.

Part III. Continuous to Discrete. Lemma 4.3 in [71] shows that an algorithm \(W_3\) that solves LWE can be used to construct an algorithm \(W_5\) that solves \(\text {LWE}_{q,\Psi _{\alpha }}\). (See [71] for the definition of the \(\text {LWE}_{q,\Psi _{\alpha }}\) problem.) This reduction is tight.

Reduction of \(\mathbf {SIVP}_{\gamma }\) to LWE. This reduction has tightness gap \(6n^{6+c}\). The reduction has two parts.

Part I. DGS to LWE. Let \(\epsilon = \epsilon (n)\) be some negligible function of n. Theorem 3.1 of [71] shows that an algorithm \(W_4\) that solves \(\text {LWE}_{q,\Psi _{\alpha }}\) given m samples can be used to construct a quantum algorithm \(W_{9}\) for \(DGS_{\sqrt{2n} \cdot \eta _{\epsilon }(L)/\alpha }\). Here, \(\eta _{\epsilon }(L)\) is the “smoothing parameter with accuracy \(\epsilon \)”, and \(\text {DGS}_{r'}\) (discrete Gaussian sampling problem) is the problem of computing a sample from the discrete Gaussian probability distribution \(D_{L,r'}\) where \(r' \ge \sqrt{2n} \cdot \eta _{\epsilon }(L)/\alpha \).

Let \(r = \sqrt{2n} \cdot \eta _{\epsilon }(L)/\alpha \). Let \(r_i = r \cdot (\alpha q/\sqrt{n})^i\) for \(i \in [0,3n]\). Algorithm \(W_{9}\) begins by producing \(n^c\) samples from \(D_{L,r_{3n}}\) (Lemma 3.2 in [71]); the \(W_4\) oracle is not used in this step. Next, by repeatedly applying the ‘iterative step,’ it uses the \(n^c\) samples from \(D_{L,r_i}\) to produce \(n^c\) samples from \(D_{L,r_{i-1}}\) for \(i=3n, 3n-1, \ldots , 1\). Since \(r_0=r\), the last step produces the desired sample from \(D_{L,r}\).

The iterative step (Lemma 3.3 in [71]) uses \(n^c\) samples from \(D_{L,r_i}\) to produce one sample from \(D_{L,r_{i-1}}\); this step is then repeated to produce \(n^c\) samples from \(D_{L,r_{i-1}}\). Thus, the iterative step is executed a total of \(3n \cdot n^c = 3n^{1+c}\) times.

Each iterative step has two parts.

1. 1.

   The first part invokes \(W_4\) a total of \(n^2\) times:

   • Lemma 3.7 in [71] uses \(W_4\) to construct an algorithm \(W_5\) that solves \(\text {LWE}_{q,\Psi _{\beta }}\); \(W_5\) invokes \(W_4\) n times.

   • Lemma 3.11 in [71] uses \(W_5\) and the \(n^c\) samples from \(D_{L,r_i}\) to construct an algorithm \(W_6\) that solves the \(\text {CVP}^{(q)}_{L^*, \alpha q/\sqrt{2}r_i}\) problem. The reduction is tight.

   • Lemma 3.5 in [71] uses \(W_6\) to construct an algorithm \(W_7\) that solves the \(\text {CVP}_{L^*,\alpha q/\sqrt{2}r_i}\) problem. Algorithm \(W_7\) invokes \(W_6\) n times.

2. 2.

   The second part (Lemma 3.14 in [71]) uses \(W_7\) to construct a quantum algorithm \(W_8\) that produces a sample from \(D_{L,r_{i-1}}\). This reduction is tight.

Since each iterative step has tightness gap \(n^2\), the total tightness gap for the reduction of DGS to LWE is \(3n^{3+c}\).

Part II. \(\text {SIVP}_{\gamma }\) to DGS Lemma 3.17 in [71] uses \(W_{9}\) to construct an algorithm \(W_{10}\) that solves \(\text {SIVP}_{2\sqrt{2} n \eta _{\epsilon }(L)/\alpha }\). Algorithm \(W_{10}\) invokes \(W_{9}\) \(2n^3\) times.

Lemma 2.12 in [71] states that \(\eta _{\epsilon }(L) \le \sqrt{\omega (\log n)} \cdot \lambda _n(L)\) for some negligible function \(\epsilon (n)\). Thus

Summary. Regev’s reduction of \(\text {SIVP}_{\gamma }\) to \(\text {DLWE}_{ac}\) has tightness gap

B Nontightness and Multi-user Attacks

In an important paper that has been all but ignored by the cryptographic research community, Zaverucha [77] showed that “provably secure” hybrid encryption, as described in several standards, is insecure in the multi-user setting if certain permitted (and even recommended) choices are made in the implementation. Because this work should be much better known than it is, we shall devote this section to explaining and summarizing [77]. We shall focus on hybrid encryption schemes in the comprehensive ISO/IEC 18033-2 standard [74].

We first recall the definition in [16] of IND-CCA security (Indistinguishability under Chosen-Ciphertext Attack) of encryption in the multi-user setting. Suppose there are n users. The adversary is given n public keys, a decryption oracle for each public key, and an LR (left-or-right encryption) oracle for each public key. The adversary can query each decryption oracle up to \(q_D\) times and each LR oracle up to \(q_\mathrm{LR}\) times. A decryption query simply asks for a chosen ciphertext to be decrypted under the corresponding public key. An LR query works differently. The n LR-oracles all have a hidden random bit b in common. The adversary chooses two equal-length messages \(M_0\) and \(M_1\) to query to one of the LR-oracles, which then returns an encryption \(C^*\) of \(M_b\). The adversary is not permitted to query \(C^*\) to the decryption oracle for the same public key. The adversary’s task is to guess b with success probability significantly greater than 1 / 2.

Remark 12

This “multi-challenge” security model (that is, \(q_\mathrm{LR}>1\)) can also be used in the single-user setting, but almost never is ([22] is a rare exception); in the standard IND-CCA security model \(q_\mathrm{LR}=1\). We shall later give a simple attack that shows that the standard IND-CCA is deficient and should be replaced by the multi-challenge model.

Remark 13

In [16] the authors give a generic reduction with tightness gap \(n\cdot q_\mathrm{LR}\) between the multi-user and single-user settings. In the full version of [16] they also give a construction that shows that this tightness bound is optimal; that is, they describe a protocol that can be attacked with \(n \cdot q_\mathrm{LR}\) times the advantage in the multi-user setting than in the single-challenge single-user setting. Their construction is contrived and impractical; later we shall describe a simple attack on hybrid encryption that shows that in practice as well as in theory the generic tightness bound in [16] is best possible. That is, the attack described below reduces security by a factor equal to n times the number of messages sent to each user (see Remark 16). (In specific cases tighter reductions are sometimes possible—for example, the paper [16] contains a reduction with tightness gap \(q_\mathrm{LR}\) in the case of the Cramer–Shoup public-key encryption scheme [31].)

We now recall the setup and terminology of hybrid encryption. The encryption has two stages: a key-encapsulation mechanism (KEM) using a public-key cryptosystem (with the recipient’s public/secret key pair denoted PK/SK), and a data-encapsulation mechanism (DEM) using a symmetric-key cryptosystem that encrypts the data by means of the shared key K that is produced by the KEM. The KEM takes PK as input and produces both the key material K by means of a key-derivation function (KDF) and also a ciphertext \(C_1\) that will enable the recipient to compute K; the DEM takes K and the message M as input and produces a ciphertext \(C_2\). The recipient decrypts by first using \(C_1\) and SK to find K and then using \(C_2\) and the symmetric key K to find M.

Among the public-key systems commonly used for KEM are Cramer-Shoup [31] and ECIES (ElGamal encryption using elliptic curves, see [74]); symmetric-key systems commonly used for DEM are AES in cipher block chaining (CBC) mode and XOR-Encrypt using a hash function with a counter. (We will describe this in more detail shortly.) The KDF is a publicly known way to produce key material of a desired length L from a shared secret that’s computed using the public-key system.

Suppose, following [74], that we use 128-bit AES in CBC-mode with zero initialization vector for DEM. Let MAC denote a message authentication code that depends on a 128-bit key. Our KDF produces two 128-bit keys \(K=(k_1,k_2)\). To send a 128m-bit message M, we set \(C_2\) equal to a pair \((C',t)\), where \(C'\) is the 128m-bit ciphertext computed below and \(t=\)MAC\({}_{k_2}(C')\) is its tag. The ciphertext \(C'=(C'_1,\ldots ,C'_m)\) is given by: \(C'_1=\)AES\({}_{k_1}(M_1), C'_i=\)AES\({}_{k_1}(C'_{i-1}\oplus M_i)\) for \(i=2,\ldots ,m\).

After receiving \((C_1,C_2)=(C_1,C',t)\), the recipient first uses \(C_1\), SK, and the KDF to find \((k_1,k_2)\), and then uses the shared key \(k_2\) to verify that t is in fact the tag of \(C'\); otherwise she rejects the message. Then she decrypts using \(k_1\).

Alternatively, for DEM we could use XOR-Encrypt with a hash function \({\mathcal H}\) as follows. To send a message M consisting of m 256-bit blocks, we have the KDF generate a 256m-bit key \(k_1=(k_{1,1},\ldots ,k_{1,m})\) by setting \(k_{1,i}={\mathcal H}(z_0\Vert i)\), where \(z_0\) is a shared secret produced by KEM, and also a MAC-ing key \(k_2\). The MAC works as before, but now \(C'\) is determined by setting \(C'_i=M_i\oplus k_{1,i}\). This is the hash function with counter (CTR) mode mentioned above.

In [32] Cramer and Shoup gave a tight proof that hybrid encryption has IND-CCA security under quite weak assumptions. The MAC-scheme need only be “one-time secure” (because it receives a new key \(k_2\) for each message), and the symmetric encryption function need only be one-time secure against passive adversaries—in particular, there is no need for randomization (again the reason is that it gets a new key \(k_1\) for each message). In accordance with the general principle that standards should not require extra features that are not needed in the security reductions, the standards for hybrid encryption [74] do not require randomization in the symmetric encryption; nor do they impose very stringent conditions on the KDF. In addition, in [74] Shoup comments that if KEM is implemented using the Cramer–Shoup construction [31], which has a security proof without random oracles, and if DEM is implemented using AES-CBC, then it is possible to prove a tight security reduction for the hybrid encryption scheme without the random oracle assumption. Thus, anyone who mistrusts random oracle proofs should use AES-CBC rather than XOR-Encrypt. All of these security proofs are given in the single-user setting.

1.1 B.1 Attacks in the Multi-user Setting

We now describe some of the attacks of Zaverucha [77] in the multi-user setting, which of course is the most common setting in practice. Let \(n=2^a\) be the number of users. First suppose that the DEM is implemented using AES128 in CBC-mode. Suppose that Bob sends all of the users messages that all have the same first two blocks \((M_1,M_2)\) (that is, they start with the same 256-bit header). The rest of the message blocks may be the same (i.e., broadcast encryption), or they may be different. The adversary Cynthia’s goal is to read at least one of the \(2^a\) messages. She guesses a key k that she hopes is the \(k_1\)-key for one of the messages. She computes \(C''_1=\)AES\({}_k(M_1)\) and \(C''_2=\text {AES}{}_k(C''_1\oplus M_2)\) and compares the pair \((C''_1,C''_2)\) with the first two blocks of ciphertext sent to the different users.^{Footnote 11} If there’s a match, then it is almost certain that she has guessed the key \(k_1=k\) for the corresponding message. That is because there are \(2^{128}\) possible keys \(k_1\) and \(2^{256}\) possible pairs \((C'_1,C'_2)\), so it is highly unlikely that distinct keys would give the same \((C'_1,C'_2)\). Once Cynthia knows \(k_1\)—each guess has a \(2^{-(128-a)}\) chance of producing a match—she can quickly compute the rest of the plaintext. This means that even though the hybrid encryption scheme might have a tight security reduction in the single-user setting that proves 128 bits of security, in the multi-user setting it has only \(128-a\) bits of security. Commenting on how dropping randomization in DEM made his attack possible, Zaverucha [77] calls this “an example of a provable security analysis leading to decreased practical security.”

Remark 14

In modern cryptography—ever since the seminal Goldwasser-Micali paper [44]—it has been assumed that encryption must always be probabilistic. In [74] this principle is violated in the interest of greater efficiency because the security proof in [32] does not require randomization. This decision was bold, but also rash, as Zaverucha’s attack shows.

Remark 15

A time–memory–data tradeoff can be applied to speed up the on-line portion of the attack; see Remark 7 in [27]. Namely, at a cost of precomputation time \(2^{128-a}\) and storage size \(2^{2(128-a)/3}\), the secret key k of one of the \(2^a\) users can be determined in time \(2^{2(128-a)/3}\).

Remark 16

The above attack can also be carried out in the single-user setting if we suppose that Bob is sending Alice \(2^{a'}\) different messages that all have the same header \((M_1,M_2)\). Since different keys are generated for different messages (even to the same user), there is no need for the recipients of the messages to be different. This gives a reduction of the number of bits of security by \(a'\). This attack shows the need for the multi-challenge security model even in the single-user setting. Thus, even in the single-user setting the standard security model for encryption is deficient because it fails to account for the very realistic possibility that Bob uses hybrid encryption as standardized in [74] to send Alice many messages that have the same header.

Remark 17

Note that if the \(2^{a'}\) messages are broadcast to \(2^a\) users, then obviously the reduction in security is by \(a'+a\) bits. In some circumstances \(a'+a\) could be large enough to reduce the security well below acceptable levels. For example, if \(a'+a>32\), it follows that what was thought to have 128 bits of security now has fewer than 96, which, as remarked in Sect. 1, is not enough. It should be emphasized that the security is reduced because of actual practical attacks, not because of a tightness gap that could conceivably be removed if one finds a different proof.

We note that the above attack does not in general work if DEM is implemented using XOR-Encrypt. (Of course, someone who does not trust security proofs that use random oracles would not be using XOR-Encrypt, and so would be vulnerable.) But Zaverucha has a different attack on hybrid encryption with XOR-Encrypt that works for certain KDF constructions.

1.2 B.2 Attacks on Extract-then-Expand with XOR-Encrypt

The most commonly used KDF takes the shared secret \(z_0\) produced in KEM and derives a key of the desired length by concatenating \({\mathcal H}(z_0\Vert i)\) for \(i=1,\ldots \). However, at Crypto 2010, as Zaverucha [77] explains,

Krawczyk argues that cryptographic applications should move to a single, well-studied, rigorously analyzed family of KDFs. To this end, he formally defines security for KDFs, presents a general construction that uses any keyed pseudorandom function (PRF), and proves the security of his construction in the new model. The approach espoused by the construction is called extract-then-expand. [...] The HKDF scheme is a concrete instantiation of this general construction when HMAC is used for both extraction and expansion.

The Extract-then-Expand key derivation mechanism was soon standardized [28, 29, 59]. In particular, RFC 5869 describes HKDF, which instantiates the Extract-then-Expand mechanism with HMAC, and states that HKDF is intended for use in a variety of KDF applications including hybrid encryption.

Extract-then-Expand works in hybrid encryption as follows. Suppose that \(z_0\) is the shared secret produced in KEM. The Extract phase produces a bitstring \(z_1=\>\)Extract\((z_0)\), perhaps of only 128 bits, which is much shorter than \(z_0\). (The Extract phase may also depend on a “salt,” but this is optional, and we shall omit it.) Then the key material K is obtained by a function that expands \(z_1\), i.e., \(K=\>\)Expand\((z_1,L)\), where L as before is the bitlength of K. (There is also the option of putting some contextual information inside the Expand-function, but we shall not do this.)

We now describe Zaverucha’s attack on hybrid encryption when Extract-then-Expand with 128-bit \(z_1\) values is used as the KDF and XOR-Encrypt is used for message encryption. Suppose that Bob sends messages to \(2^a\) users that all have the same header \((M_1,M_2)\) and the same bitlength L. Cynthia’s goal is to recover at least one of the plaintexts. Rather than guessing a key, she now guesses the bitstring \(z_1\). For each guess she computes \(K=\>\)Expand\((z_1,L)\) and \(C''_i=M_i\oplus k_{1,i}, i=1,2\). When she gets a match with \((C'_1,C'_2)\) for one of the users, she can then recover the rest of the plaintext sent to that user: \(M_i=C'_i\oplus k_{1,i}, i>2\).

Note that this attack does not work for XOR-Encrypt with the KDF using \({\mathcal H}(z_0\Vert i)\) described above. Once again the “provably secure” choice of Extract-then-Expand turns out to be vulnerable, whereas the traditional choice of KDF is not. Zaverucha comments that “In this example, replacing a commonly used KDF in favor of a provably secure one causes a decrease in practical security.”

As discussed in [77], Zaverucha’s attacks can be avoided in practice by putting in features that are not required in the standard single-user single-challenge security proofs. It would be worthwhile to give proofs of this.

Open Problem. Give a tight security reduction for hybrid encryption in the multi-user multi-challenge security model (random oracles are permitted) if DEM uses either: (1) randomized encryption rather than one-time-secure encryption (for example, AES-CBC with random IV that is different for each message and each recipient), (2) XOR-Encrypt using \({\mathcal H}(z_0\Vert i)\) for the KDF, (3) XOR-Encrypt using HKDF with a recipient- and message-dependent salt in the Extract phase and/or recipient- and message-dependent contextual information in the Expand phase.

We conclude this section by noting a curious irony. As we remarked in Sect. 1, it is very rare for a standards body to pay much attention to tightness gaps in the security reductions that are used to support a proposed standard or to whether those security reductions were proved in the multi-user or single-user setting. However, recently the IETF decided that the standard for Schnorr signatures [72] should require that the public key be included in the hash function. The reason was that Bernstein [20] had found a flaw in the tight reduction from an adversary in the single-user setting to an adversary in the multi-user setting that had been given by Galbraith et al. [37], and he had proved that a tight security reduction could be restored if the public key is included in the hash function. (Later Kiltz et al. [50] gave a tight security reduction without needing to include the public key in the hash function; however, their assumptions are stronger than in [37], and it is not yet clear whether their result will cause the IETF to go back to dropping the public key from the hash input.)

The peculiar thing is that the tightness gap between single-user and multi-user settings is only a small part of the tightness problem for Schnorr signatures.

Lemma 5.7 in [50] gives a security proof in the random oracle model for the Schnorr signature scheme in the single-user setting. The proof has a tightness gap equal to the number of random oracle queries, which can be very large—in particular, much larger than the number of users in the multi-user setting. Even a tight single-user/multi-user equivalence leaves untouched the large tightness gap between Schnorr security and hardness of the underlying Discrete Log Problem. It should also be noted that the IETF was responding to the error Bernstein found in a proof, not to any actual attack that exploited the tightness gap (we now know that such an attack is probably impossible, because of the recent proof in [50] that under a certain reasonable assumption there is no single-user/multi-user tightness gap).

In the meantime, standards bodies have done nothing to address Zaverucha’s critique of the standardized version [74] of hybrid encryption, which allows implementations that have far less security than previously thought, as shown by actual attacks.

Reprints and permissions

© 2017 Springer International Publishing AG

Policies and ethics