Accidents happen: you may misplace the key to your front door, or maybe the pin to your home security system was written on an ill-placed post-it note. And so they end up in the hands of a bad actor, who is then granted the power to wreak all kinds of havoc in your life: the security of your home grants no guarantees in the event that keys are stolen and pins are leaked. Nonetheless your neighbour, whose key-and-pin routines leave comparatively little to be desired, should feel safe that just because you can’t keep your house safe from intruders, their home remains secured.
It is likewise with cryptology, whose security also relies on the secrecy of key material: one would expect that the ability to recover the secret keys of other users will not help an adversary break into an uncompromised system. And yet, formalizing this intuition has turned out tricky, with several competing notions of security of varying strength. This begs the question: when modelling a real-world scenario with many users, some of whom may be compromised, which formalization is the right one? Or: how do we build cryptography in a crowd?
Paper I embarks on the quest for answers by looking at how various notions of multi-user IND–CCA compare to each other, with and without the ability to adaptively compromise users. We find a partial answer by showing that, absent user compromise, some notions of security really are preferrable over others, yet when user compromise is taken into account the situation is left largely open.
Paper II makes a detour to a related set of security notions in which, rather than attacking a single user (from a pool of potential targets), an adversary seeks to break into many at once. One imagines an unusually powerful adversary, for example a state sponsored actor, for whom bruteforcing a single system is not a problem: our goal then shifts from that of securing every user, to rather making mass surveillance as difficult as possible, so that the vast majority of uncompromised users can remain secure.
Paper III picks up where Paper I left off by comparing and systemizing the same IND–CCA security notions with a much wider array of notions that aim to capture the same (or similar) scenarios. These notions appear under the names of Selective Opening Attacks (SOA) and Non-Committing Encryption (NCE), and are typically significantly stronger than the notions studied in Paper I. With a system in place, we are able to identify and highlight a large number of gaps, some of which we close, but many of which still remain open.