Security Formalizations and Their Relationships for Encryption and Key Agreement in Information-Theoretic Cryptography

TL;DR

This paper systematically analyzes various formalizations of information-theoretic security for symmetric-key encryption and key agreement, clarifying their relationships, equivalences, and differences, and deriving bounds and impossibility results.

Contribution

It provides a comprehensive comparison of multiple security formalizations, establishing their equivalences and differences, and deriving bounds and impossibility results in a unified framework.

Findings

Explicit relationships between different security formalizations

Lower bounds on adversary advantage and key size

Impossibility results derived from bounds

Abstract

This paper revisits formalizations of information-theoretic security for symmetric-key encryption and key agreement protocols which are very fundamental primitives in cryptography. In general, we can formalize information-theoretic security in various ways: some of them can be formalized as stand-alone security by extending (or relaxing) Shannon's perfect secrecy or by other ways such as semantic security; some of them can be done based on composable security. Then, a natural question about this is: what is the gap between the formalizations? To answer the question, we investigate relationships between several formalizations of information-theoretic security for symmetric-key encryption and key agreement protocols. Specifically, for symmetric-key encryption protocols in a general setting including the case where there exist decryption-errors, we deal with the following formalizations of security: formalizations extended (or relaxed) from Shannon's perfect secrecy by using mutual information and statistical distance; information-theoretic analogues of indistinguishability and semantic security by Goldwasser and Micali; and composable security by Maurer et al. and Canetti. Then, we explicitly show the equivalence and non-equivalence between those formalizations. Under the model, we also derive lower bounds on the adversary's (or distinguisher's) advantage and the size of secret-keys required under all of the above formalizations. Although some of them may be already known, we can explicitly derive them all at once through our relationships between the formalizations. In addition, we briefly observe impossibility results which easily follow from the lower bounds. The similar results are also shown for key agreement protocols in a general setting including the case where there exist agreement-errors in the protocols.