
Re: crypto usage in my tagging-attack-prevention proposal
[following-up to my own post]

 I, Zooko, wrote:
>
> 1.  A symmetric cipher ...
> 2.  An integrity guarantee ...
> 3.  A way to generate a large amount of garbage ...

Hrm.  I should add that my scheme requires that encryption erases tags, that is, 
that if an adversary chooses two plaintexts and then each is encrypted with the 
same secret key that he doesn't know, yielding two ciphertexts, he cannot get 
any non-negligible advantage in guessing which ciphertext corresponds to which 
plaintext.

Also it requires that decryption does the same in the reverse direction (i.e. 
where he chooses two ciphertexts and so forth...).

The first is, I think, equivalent to "indistinguishability under the chosen 
plaintext attack" -- IND-CPA as defined in [1] but in the realm of symmetric 
instead of public key encryption.

So it isn't *just* bog-standard crypto which guarantees safety against tagging 
of the non-MACed "B-payload".  To argue that it is safe we would need to show 
that AES encryption in CTR-mode provides the symmetric equivalent of IND-CPA, 
and that the decryption provides an equivalent guarantee.

Regards,

Zooko

[1] http://www.cs.ucsd.edu/users/mihir/papers/relations.html
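The "encryption erases tags" requirement above, run as the standard left-or-right IND-CPA game against a CTR-mode cipher; this is an added example, not code from the original post or from any project it discusses. It shows that a randomised nonce keeps a trivial adversary's advantage near zero, while a fixed nonce (a deterministic encryption oracle) lets the same adversary win every round. Assumptions: HMAC-SHA256 stands in for AES as the PRF so the example needs only the standard library, and the adversary, oracle and round count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-mode keystream: PRF(key, nonce || counter) blocks, concatenated.
    HMAC-SHA256 is the stand-in PRF (assumption); AES-CTR has the same shape."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the nonce travels in the clear."""
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def make_oracle(key: bytes, fresh_nonce: bool):
    """Encryption oracle for the game. The fixed-nonce variant models a
    deterministic cipher, which is exactly what IND-CPA rules out."""
    fixed = os.urandom(16)
    return lambda m: ctr_encrypt(key, os.urandom(16) if fresh_nonce else fixed, m)


def replay_guess(oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    """Constructed adversary: re-encrypt m0 and compare with the challenge."""
    return 0 if oracle(m0) == challenge else 1


def play_game(fresh_nonce: bool, rounds: int = 400) -> float:
    """Left-or-right game: adversary picks (m0, m1), one is encrypted under a
    key he never sees, he guesses which. Returns the advantage |2*Pr[win] - 1|."""
    m0, m1 = b"A" * 16, b"B" * 16  # adversary's chosen pair (constructed)
    wins = 0
    for _ in range(rounds):
        oracle = make_oracle(os.urandom(32), fresh_nonce)  # fresh secret key
        b = secrets.randbits(1)
        challenge = oracle(m1 if b else m0)
        wins += replay_guess(oracle, m0, m1, challenge) == b
    return abs(2 * wins / rounds - 1)


if __name__ == "__main__":
    print("random-nonce CTR advantage:", play_game(True))   # close to 0
    print("fixed-nonce CTR advantage: ", play_game(False))  # 1.0
```

The decryption-direction requirement from the post (adversary chooses two ciphertexts) is the mirror game and is not covered by this block.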