Network Adversary Attacks against Secure Encryption Schemes

We show that, in practice, a network adversary can achieve decidedly non-negligible advantage in attacking provable key-protection properties; e.g., the "existential key recovery" security and "multi-key hiding" property of typical nonce-based symmetric encryption schemes whenever these schemes are implemented with standard block ciphers. We also show that if a probabilistic encryption scheme uses certain standard block ciphers (e.g., two-key 3DES), then enforcing the security bounds necessary to protect against network adversary attacks will render the scheme impractical for network applications that share group keys amongst many peers. The attacks presented here have three noteworthy implications. First, they help identify key-protection properties that separate the notion of indistinguishability from random bits (IND$) from the strictly weaker notion of indistinguishability of ciphertexts (IND); also, they help establish new relationships among these properties. Second, they show that nonce-based symmetric encryption schemes are typically weaker than probabilistic ones. Third, they illustrate the need to account for the Internet-level growth of adversary capabilities when establishing the useful lifetime of standard block-cipher parameters.