Security Proof : Semantic Security implies Message Recovery Security

authored by Premmi and Beguène

A cipher that is semantically secure is also secure against message recovery.

Prerequisites : Probability Primer, Attack Games In Cryptography, Proof Techniques in Cryptography

Theorem

Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K, M, C})$ . If $\mathcal{E}$ is semantically secure then $\mathcal{E}$ is secure against message recovery.

Intuitively, this theorem means that if an efficient adversary (running time poly-bounded with over-whelming probability) is given a ciphertext which is the encryption of one of the two messages chosen by it and this adversary cannot detect from the given ciphertext which message was encrypted, then it implies that it cannot also recover the message from the ciphertext. This is because had the adversary been able to recover the message from the ciphertext, then it would have known which one of the two messages was encrypted by the cipher $\mathcal{E}$ and hence would have correctly detected the message that the given ciphertext was an encryption of.

In order to prove this theorem, we need to find a way to relate the semantic security of cipher $\mathcal{E}$ to its security against message recovery. We will establish this relationship through a game wherein an efficient semantic security adversary tries to break the semantic security of cipher $\mathcal{E}$ by using an efficient message recovery adversary.

A message recovery adversary when given a ciphertext tries to recover the message from the ciphertext. A semantic security adversary, on the other hand, when given a ciphertext, which is the encryption of one of two possible messages of its choosing, tries to detect which message was encrypted. Therefore, a semantic security adversary, when given a ciphertext, can use a message recovery adversary to recover the message from the ciphertext and hence detect which one of the two possible messages was encrypted to result in the given ciphertext.

It should be noted that the only purpose of the game is to establish a relationship between the two notions of security; had their relationship been already known then we don’t need this game as we can the prove the theorem using this relationship.

How secure a cipher is against a particular notion of security attack is quantified as the advantage that an adversary has over a challenger whose output the adversary uses to attack the cipher, in a game played between them. Since the advantage of the adversary over the challenger is a measure of the difference in probabilities between the adversary winning the game and the challenger winning the game, hence, the higher the advantage of the adversary over the challenger, the lesser the security of the cipher for the particular notion of security under attack.

Therefore, in order to relate the semantic security of the given cipher $\mathcal{E}$ to its security against message recovery, we have to formulate a relationship between the advantage that an efficient semantic security adversary has over its challenger and the advantage that an efficient message recovery adversary has over its challenger. We establish this relationship through a game as described below.

It should be noted that efficient adversary / interface means its running time is poly-bounded with overwhelming probability or equivalently, unbounded with at most negligible probability..

Also SS denotes “Semantic Security” and MR denotes “Message Recovery”.

The game is played as follows :

The efficient SS Adversary $\mathcal{B}$ picks any two messages of its choice, namely, $m_0 \text{ and } m_1$ , from the message space $\mathcal{M}$ and sends them to its SS Challenger, $\mathcal{C_B}$ . It should be noted that $m_0 \text{ and } m_1$ are two different messages i.e., $m_0 \neq m_1$ .
The SS Challenger, $\mathcal{C_B}$ chooses either $m_0 \text{ or } m_1$ uniformly at random, encrypts it using cipher $\mathcal{E}$ and sends the ciphertext $c$ to $\mathcal{B}$ . The challenger, $\mathcal{C_B}$ , chooses the message to encrypt uniformly at random to ensure that the adversary $\mathcal{B}$ wins the game only by correctly detecting from the given ciphertext which one of the two messages was encrypted by the challenger and not by exploiting the bias (or preference) of $\mathcal{C_B}$ in picking one message over the other.
$\mathcal{B}$ forwards $c$ to its MR Adversary $\mathcal{A}$ through its interface, $\mathcal{C_A}$ , which acts as MR Challenger to $\mathcal{A}$ .
$\mathcal{A}$ tries to recover the message from the given ciphertext $c$ and outputs a message $\hat{m} \in \{m_0, m_1\}$ which it sends to its MR Challenger i.e., $\mathcal{B} \text{'s}$ interface $\mathcal{C_A}$ . It should be noted that since $c$ is an encryption of either $m_0 \text{ or } m_1$ , in the message recovery game the message space consists of just these two messages.
The adversary $\mathcal{B}$ outputs $\hat{b} = 1$ when $\hat{m} = m_1$ and outputs $\hat{b} = 0$ when $\hat{m} = m_0$ . $\mathcal{B}$ sends $\hat{b}$ to its SS Challenger, $\mathcal{C_B}$ .

For $b = 0, 1$ , efficient MR Adversary, $\mathcal{A}$ , wins the game against its MR Challenger, $\mathcal{C_A}$ , if $c$ is the encryption of $m_b$ and it outputs $\hat{m} = m_b$ , otherwise it loses and consequently, its MR Challenger, $\mathcal{C_A}$ , wins the game.

By definition,

\begin{equation*} \begin{split} \text{MR}\bold{adv}[\mathcal{A, C_A}] &= \big|P(\hat{m} = m_1 \,|\, c \text{ is encryption of } m_0) -P(\hat{m} = m_1 \,|\, c \text{ is encryption of } m_1)\big| \\ \end{split} \end{equation*}

For $b = 0, 1$ , $P(\hat{m} = m_1 \,|\, c \text{ is encryption of } m_b)$ is the probability that efficient MR Adversary $\mathcal{A}$ outputs $m_1$ when it is given a $c$ that is an encryption of message $m_b$ .

Efficient SS Adversary $\mathcal{B}$ outputs $\hat{b} = 1 \text{ when } \mathcal{A} \text{ outputs } \hat{m} = m_1, \text{ and outputs } \hat{b} = 0 \text{ when } \mathcal{A} \text{ outputs } \hat{m} = m_0$ .

By definition,

\begin{equation*} \begin{split} \text{SS}\bold{adv}[\mathcal{B, C_B}] &= \big|P(\hat{b} = 1 \,|\, b = 0) - P(\hat{b} = 1 \,|\, b = 1)\big| \\ &= \big|P(\hat{b} = 1 \,|\, c \text{ is encryption of } m_0) - P(\hat{b} = 1 \,|\, c \text{ is encryption of } m_1)\big| \\ &= \big|P(\hat{m} = m_1 \,|\, c \text{ is encryption of } m_0) - P(\hat{m} = m_1 \,|\, c \text{ is encryption of } m_1)\big| \\ \end{split} \end{equation*}

For $b^{\prime} = 0, 1$ , $P(\hat{b} = 1 \,|\, b = b^{\prime})$ is the probability that efficient SS Adversary $\mathcal{B}$ outputs $1$ when it is sent a $c$ that is an encryption of message $m_{b^{\prime}}$ . We know that $\hat{b} = 1 \text{ if } \hat{m} = m_1$ i.e., $\mathcal{B}$ outputs $1$ whenever $\mathcal{A}$ outputs $m_1$ .

Hence,

\text{SS}\bold{adv}[\mathcal{B, C_B}] = \text{MR}\bold{adv}[\mathcal{A, C_A}].

So far we have established the relationship between the semantic security advantage of an efficient adversary that attacks cipher $\mathcal{E}$ through its SS challenger and the message recovery advantage of an efficient adversary that attacks cipher $\mathcal{E}$ through its MR challenger.

Now we will go ahead and prove the theorem.

If $\mathcal{E}$ is semantically secure then $\mathcal{E}$ is secure against message recovery.

This is a conditional statement of the form “If $p$ , then $q"$ , where $p$ is the premise and $q$ , the conclusion. It is also written as $p \!\implies\! q$ , where

\begin{equation*} \begin{split} p &= \textit{``} \mathcal{E} \textit{ is semantically secure''} \\ &\textit{ and}\\ q &= \textit{``} \mathcal{E} \textit{ is secure against message recovery''.} \\ \end{split} \end{equation*}

We can prove the truth of this conditional statement directly or through its logical equivalents as explained here.

Modus Ponens (Direct Proof)

In order to prove this conditional statement using the direct proof method we will assume that $\mathcal{E}$ is semantically secure secure and show that as a consequence of that assumption $\mathcal{E}$ is also secure against message recovery.

Proof :

Suppose $\mathcal{E}$ is semantically secure.

Every efficient MR Adversary that does a message recovery attack on $\mathcal{E}$ through its MR Challenger employs its own strategy to win the game, i.e., recover the message from the given ciphertext. Let $\text{A} = \{\mathcal{A_1, A_2, \ldots, A_n}\}$ denote the set of all possible efficient MR Adversaries that can attack $\mathcal{E}$ , where $n$ is some poly-bounded positive integer. Further, let $\mathcal{A_{max}}$ be the best efficient MR Adversary i.e., the efficient MR Adversary with the highest message recovery advantage against $\mathcal{E}$ in the set $\text{A}$ .

In mathematical terms, $\mathcal{A_{max}} \in \text{argmax}_{\text{A}} \text{MR}\bold{adv}$ , where the argmax over set $\text{A}$ is defined as,

$\text{argmax}_{\text{A}} \text{MR}\bold{adv} \coloneqq \underset{\mathcal{A_x} \in \text{A}}{\operatorname{arg \,max}} \,\text{MR}\bold{adv} [\mathcal{A_x, C}] \coloneqq \{\mathcal{A_x} \in \text{A} \,\colon \text{MR}\bold{adv} [\mathcal{A_i, C}] \leq \text{MR}\bold{adv} [\mathcal{A_x, C}] \text{ for all } \mathcal{A_i} \in \text{A}\}$

Argmax is the set of efficient MR Adversaries $\mathcal{A_x}$ for which $\text{MR}\bold{adv} [\mathcal{A_x, C}]$ attains the largest value. Argmax is either a singleton set or a set that contains multiple efficient MR Adversaries.

We have already shown (through the game above) how to use an efficient MR Adversary to construct an efficient SS Adversary that does a semantic security attack on $\mathcal{E}$ . Using efficient MR Adversary $\mathcal{A_{max}}$ , we can construct an efficient SS Adversary $\mathcal{B^{\prime}}$ such that $\text{SS}\bold{adv}[\mathcal{B^{\prime}}, \mathcal{C}_{\mathcal{B^{\prime}}}] = \text{MR}\bold{adv}[\mathcal{A_{max}, C_{A_{max}}}]$ .

Since as per our assumption, $\mathcal{E}$ is semantically secure, any efficient adversary that does a semantic security attack on $\mathcal{E}$ through a challenger would have at most a negligible advantage when given a ciphertext in detecting correctly which one of the two possible messages’ encryption resulted in this ciphertext . Hence,

\epsilon(\lambda)\geq \text{SS}\bold{adv}[\mathcal{B^{\prime}}, \mathcal{C}_{\mathcal{B^{\prime}}}] = \text{MR}\bold{adv}[\mathcal{A_{max}, C_{A_{max}}}] \geq \text{MR}\bold{adv}[\mathcal{A_{i}, C_{A_{i}}}] \,\forall \,\mathcal{A_i} \in \text{A}

where $\lambda \in \mathbb{Z}_{\geq 1}$ is the security parameter (parameter, for example, key length that makes a cipher computationally secure, i.e., makes brute force attack succeed with only negligible probability within polynomial time). So efficient SS Adversary $\mathcal{B^{\prime}}$ has at most a negligible advantage in attacking $\mathcal{E}$ through its challenger $\mathcal{C}_{\mathcal{B^{\prime}}}$ .

Since efficient SS Adversary $\mathcal{B^{\prime}}$ derives its semantic security advantage from efficient MR Adversary $\mathcal{A_{max}} \text{'s}$ message recovery advantage, this means $\mathcal{A_{max}} \text{'s}$ message recovery advantage must be at most negligible. Also, since $\mathcal{A_{max}}$ is the efficient MR Adversary with the largest message recovery advantage against $\mathcal{E}$ , every efficient MR Adversary that attacks $\mathcal{E}$ through its challenger will also have at most a negligible advantage.

Therefore, when $\mathcal{E}$ is semantically secure, it is also secure against message recovery.

Next, we will prove this theorem using its logical equivalents, namely proof by contrapositive and proof by contradiction.

Modus Tollens (Proof by Contrapositive)

We will now prove the theorem,

If $\mathcal{E}$ is semantically secure then $\mathcal{E}$ is secure against message recovery.

by proving its contrapositive form, namely,

If $\mathcal{E}$ is not secure against message recovery then $\mathcal{E}$ is not semantically secure.

Intuitively, this means that if an efficient adversary can recover the message from a given ciphertext with non-negligible probability, then another efficient adversary could use this adversary to recover the message from a given ciphertext with non-negligible probability and hence detect with non-negligible probability from the given ciphertext which one of two possible messages was encrypted to result in this ciphertext.

Proof :

Suppose $\mathcal{E}$ is not secure against message recovery. This implies that, there exists at least one efficient MR Adversary, say $\mathcal{A}$ , that has a non-negligible advantage in recovering the message from a ciphertext encrypted using $\mathcal{E}$ .

We have already shown through the game above that using this efficient MR Adversary $\mathcal{A}$ , we can construct an efficient SS Adversary $\mathcal{B}$ such that,

\text{SS}\bold{adv}[\mathcal{B, C_B}] = \text{MR}\bold{adv}[\mathcal{A, C_A}]

where $\mathcal{C_B}$ is the SS Challenger to $\mathcal{B}$ and $\mathcal{C_A}$ is the MR Challenger to $\mathcal{A}$ .

From the above equation it follows that, $\text{SS}\bold{adv}[\mathcal{B, C_B}]$ is non-negligible since $\text{MR}\bold{adv}[\mathcal{A, C_A}]$ is non-negligible. Since $\text{SS}\bold{adv}[\mathcal{B, C_B}]$ is non-negligible, therefore $\mathcal{E}$ is not semantically secure.

Thus we have proved the theorem by proving its contrapositive.

Proof by Contradiction

In order to prove the theorem using proof by contradiction, we have to show that the statement,

$\mathcal{E}$ is semantically secure and $\mathcal{E}$ is not secure against message recovery

is false.

Intuitively, this statement means that any efficient adversary when given a ciphertext that could be the encryption of one of two possible messages would detect which one of the two messages was encrypted with only at most negligible probability; but, there exists at least one efficient adversary that when given a ciphertext can recover with non-negligible probability the message whose encryption resulted in the ciphertext.

Obviously, this is a contradiction, since had there existed an efficient adversary that could recover the message from a given ciphertext with non-negligible probability, then the efficient adversary that needs to detect from the given ciphertext which one of two possible messages’ encryption resulted in this ciphertext, would use this adversary to recover the message from the given ciphertext with non-negligible probability and hence detect with non-negligible probability which one of two possible messages was encrypted.

Proof :

Suppose $\mathcal{E}$ is semantically secure. This implies that any efficient SS Adversary attacking $\mathcal{E}$ through a SS Challenger will have at most a negligible advantage over the challenger.

Through the game above, we have shown that for any efficient MR Adversary, say $\mathcal{A}$ , we can construct an efficient SS Adversary, say $\mathcal{B}$ , such that

\text{SS}\bold{adv}[\mathcal{B, C_B}] = \text{MR}\bold{adv}[\mathcal{A, C_A}]

where $\mathcal{C_B}$ is the SS Challenger to $\mathcal{B}$ and $\mathcal{C_A}$ is the MR Challenger to $\mathcal{A}$ .

Since $\mathcal{E}$ is semantically secure, $\text{SS}\bold{adv}[\mathcal{B, C_B}]$ is at most negligible, which implies $\text{MR}\bold{adv}[\mathcal{A, C_A}]$ must also be at most negligible. This leads to a contradiction, since as per the statement $\mathcal{E}$ is not secure against message recovery and hence $\text{MR}\bold{adv}[\mathcal{A, C_A}]$ must be non-negligible.

Therefore the statement,

$\mathcal{E}$ is semantically secure and $\mathcal{E}$ is not secure against message recovery.

is false which implies that its negation is true. The negation of the above statement is logically equivalent to,

If $\mathcal{E}$ is semantically secure then $\mathcal{E}$ is secure against message recovery.

This proves that this statement is true. Hence, we have proved the theorem using proof by contradiction.

Does security against message recovery imply semantic security?

Now that we have proved this theorem, the next logical question to ask is whether the converse of this theorem is also true i.e., if a cipher is message recovery secure is it also semantically secure?

Share this: