
Author Search Result

[Author] Virgil D. GLIGOR (2 hits)

  • Network Adversary Attacks against Secure Encryption Schemes

    Virgil D. GLIGOR  Bryan PARNO  Ji Sun SHIN  

    PAPER - Fundamental Theories for Communications
    Vol: E98-B No: 2, Page(s): 267-279

    We show that, in practice, a network adversary can achieve decidedly non-negligible advantage in attacking provable key-protection properties; e.g., the “existential key recovery” security and “multi-key hiding” property of typical nonce-based symmetric encryption schemes whenever these schemes are implemented with standard block ciphers. We also show that if a probabilistic encryption scheme uses certain standard block ciphers (e.g., two-key 3DES), then enforcing the security bounds necessary to protect against network adversary attacks will render the scheme impractical for network applications that share group keys amongst many peers. The attacks presented here have three noteworthy implications. First, they help identify key-protection properties that separate the notion of indistinguishability from random bits (IND$) from the strictly weaker notion of indistinguishability of ciphertexts (IND); also, they help establish new relationships among these properties. Second, they show that nonce-based symmetric encryption schemes are typically weaker than probabilistic ones. Third, they illustrate the need to account for the Internet-level growth of adversary capabilities when establishing the useful lifetime of standard block-cipher parameters.

  • A New Privacy-Enhanced Matchmaking Protocol

    Ji Sun SHIN  Virgil D. GLIGOR  

    PAPER - Fundamental Theories for Communications
    Vol: E96-B No: 8, Page(s): 2049-2059

    In this paper, we present important new privacy goals for on-line matchmaking protocols: resistance to off-line dictionary attacks and forward privacy of users' identities and matching wishes. We enhance traditional privacy requirements (e.g., user anonymity, matching-wish authenticity) with these new privacy goals and define the notion of privacy-enhanced matchmaking. We show that previous solutions for on-line matchmaking do not satisfy the new privacy goals and argue that privacy-enhanced matchmaking cannot be provided by solutions to seemingly related problems such as secret handshakes, set intersection, and trust negotiation. We define an adversary model that captures the key security properties of privacy-enhanced matchmaking, and show that a simple, practical protocol derived by a two-step transformation of a password-based authenticated key exchange counters adversary attacks in a provable manner (in the standard model of cryptographic security).