On the Security of Multiple Encryption or CCA-security+CCA-security=CCA-security?

In a practical system, a message is often encrypted more than once by different encryption schemes, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiply encrypting a message, as in key-insulated cryptosystems and anonymous channels. Intuitively, a multiple encryption should remain “secure” whenever at least one of its component ciphers is unbreakable. NESSIE’s latest Portfolio of recommended cryptographic primitives (Feb. 2003) suggests using multiple encryption with component ciphers based on different assumptions to acquire long-term security. However, in this paper we show that this needs careful discussion; in particular, it may not hold under adaptive chosen ciphertext attack (CCA), even when all component ciphers are CCA-secure. We define an extended model of (standard) CCA, called chosen ciphertext attack for multiple encryption (ME-CCA), which emulates the partial breaking of assumptions, and give constructions of multiple encryption satisfying ME-CCA-security. We further relax CCA by introducing weak ME-CCA (ME-wCCA) and study the relations among these definitions, proving that ME-wCCA-security can be acquired by combining IND-CCA-secure component ciphers. We then apply these results to key-insulated cryptosystems.
