# Simplifying Game-Based Definitions

## Abstract

Often the simplest way of specifying game-based cryptographic definitions is apparently barred because the adversary would have some trivial win. Disallowing or invalidating these wins can lead to complex or unconvincing definitions. We suggest a generic way around this difficulty. We call it *indistinguishability up to correctness*, or IND\(\vert\)C. Given games \(\text{G}\) and \(\text{H}\) and a correctness condition \(\text{C}\) we define an advantage measure \(\mathbf{Adv}^{\text{indc}}_{\text{G},\text{H},\text{C}}\) wherein \(\text{G}\)/\(\text{H}\) distinguishing attacks are effaced to the extent that they are inevitable due to \(\text{C}\). We formalize this in the language of *oracle silencing*, an alternative to exclusion-style and penalty-style definitions. We apply our ideas to a domain where game-based definitions have been cumbersome: stateful authenticated-encryption (sAE). We rework existing sAE notions and encompass new ones, like replay-free AE permitting a specified degree of out-of-order message delivery.

## Keywords

Indistinguishability, Oracle silencing, Provable security, Stateful authenticated encryption

## Notes

### Acknowledgments

Many thanks to anonymous reviewers of this paper, whose questions motivated the addition of Sect. 5. Thanks to the NSF, which provided funding for this work under grants CNS 1314885 and CNS 1717542.
