Is the IV-Based Encryption Scheme IND$-Secure or Priv$-Secure?

mrz · August 29, 2022, 3:19am

Hi everyone,

I would like to ask clarification about the security notion in this article.

On Page 6, the advantage of an adversary in violating the privacy of a conventional IV-based encryption scheme \Pi (called the priv$ security notion) is defined.

Then, the next page (Page 7) describes about the advantage of an adversary in violating the pseudorandomness of a function F.

On the same page (Page 7), when describing about the SIV construction, the authors wrote:

We will now show that if F is PRF-secure and \Pi is IND$-secure then …

Is IND$-secure written here a typo since this notion does not appear anywhere else in the article, and should instead be written as Priv$-secure? Or does IND$-secure here means something else?

Thanks.

talayhan · September 8, 2022, 1:33pm

I am pretty sure IND$-secure is a typo and should be priv$-secure. Mainly because of the theorem statement right after the proof summary.

Theorem 2 states the following:

\mathsf{Adv}_{\Pi}^{priv\$}(B) + \mathsf{Adv}_{F}^{prf}(D) \ge \mathsf{Adv}_{\tilde{\Pi}}^{dae}(D) - q/2^n

Which basically says if the advantage of $priv and prf is negligible, then the advantage of dae also is.

mrz · September 12, 2022, 1:37am

Thanks Abdullah. Appreciate the response .