I recently came across the theorem about $n$-way nesting. It states that if $\mathcal{E}=(E, D)$ is semantically secure, then $\mathcal{E}$ is secure for $n$-way nesting. I'm trying to prove the specific case of $n=2$.
For the encryption $c\leftarrow E(k_1, E(k_0, m))$, the adversary provides $(m_0, m_1)$ to the challenger and receives $E(k_1, E(k_0, m_b))$ along with either $k_0$ or $k_1$. I want to prove that for any adversary $A$ attacking this nested encryption, there is an adversary $B$ attacking the original $\mathcal{E}$ with the same advantage.
When $A$ is provided with $k_1$, I can create a $B$ that works as an elementary wrapper of $A$. $A$ provides $(m_0, m_1)$ to $B$, then $B$ passes it to his challenger and receives $E(k_0, m_b)$. He encrypts it with $k_1$ and returns the ciphertext along with $k_1$ back to $A$. I can easily prove that they have the same advantage in this case.
If $A$ needs to get back $k_0$, I'm not sure how to model the message flow. Should $B$ encrypt the message before handing it over to the challenger? How I can prove that $A$ and $B$ have the same advantage?
Asked
Active
Viewed 139 times
1
libre
- 21
- 1