Self-Destruct Non-Malleability

We introduce a new security notion for public-key encryption (PKE) that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA), which appears to be the strongest natural PKE security notion below full-blown chosen-ciphertext (IND-CCA) security. In this notion, the adversary is allowed to ask many adaptive “parallel” decryption queries (i.e., a query consists of many ciphertexts) up to the point when the first invalid ciphertext is submitted. As such, NM-SDA security generalizes non-malleability against chosen plaintext attacks (NM-CPA, where only one parallel decryption query is allowed) and recently introduced indistinguishability against (chosen-ciphertext) self-destruct attacks (IND-SDA, where each adaptive query consists of a single ciphertext). After showing that NM-SDA is a strict strengthening of NM-CPA and IND-SDA and allows for more applications, we establish the following two results: • Domain Extension. For any K > 1, there is a black-box construction of a K-bit NM-SDA PKE scheme from a single-bit NM-SDA PKE scheme. Moreover, this can be done using only O(K + λ) calls to the underlying single-bit NM-SDA scheme, where λ is the security parameter. To achieve our goal, we define and construct a novel type of continuous nonmalleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “expand-then-encrypt-bit-by-bit” approach to work. • Black-Box Construction from IND-CPA. Prior work showed that NM-CPA secure PKE can be constructed from any IND-CPA secure PKE in a black-box way. Here we show that the same construction actually achieves our strictly stronger notion of NM-SDA security. (This requires a non-trivial extension of the original security proof to handle multiple parallel decryption queries.) Hence, the notions of IND-CPA, NM-CPA, IND-SDA and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security. We also show how to improve the rate of the resulting NM-SDA scheme from quadratic to linear.

[1]  Shachar Lovett,et al.  Non-malleable codes from additive combinatorics , 2014, STOC.

[2]  Abhi Shelat,et al.  Construction of a Non-malleable Encryption Scheme from Any Semantically Secure One , 2006, CRYPTO.

[3]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[4]  Steven Myers,et al.  Bit Encryption Is Complete , 2009, 2009 50th Annual IEEE Symposium on Foundations of Computer Science.

[5]  Manoj Prabhakaran,et al.  Explicit Non-Malleable Codes Resistant to Permutations , 2014, IACR Cryptol. ePrint Arch..

[6]  Eike Kiltz,et al.  Practical Chosen Ciphertext Secure Encryption from Factoring , 2009, Journal of Cryptology.

[7]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[8]  Venkatesan Guruswami,et al.  Non-malleable Coding against Bit-Wise and Split-State Tampering , 2014, TCC.

[9]  Yehuda Lindell,et al.  A Simpler Construction of CCA2-Secure Public-Key Encryption under General Assumptions , 2003, Journal of Cryptology.

[10]  Stefan Dziembowski,et al.  Non-Malleable Codes from Two-Source Extractors , 2013, IACR Cryptol. ePrint Arch..

[11]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[12]  Silvio Micali,et al.  Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements , 2000, EUROCRYPT.

[13]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[14]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[15]  Tal Malkin,et al.  Black-Box Construction of a Non-malleable Encryption Scheme from Any Semantically Secure One , 2008, TCC.

[16]  Daniel Wichs,et al.  Efficient Non-Malleable Codes and Key Derivation for Poly-Size Tampering Circuits , 2014, IEEE Transactions on Information Theory.

[17]  Allison Bishop,et al.  Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security , 2012, EUROCRYPT.

[18]  Yvo Desmedt,et al.  A New Paradigm of Hybrid Encryption Scheme , 2004, CRYPTO.

[19]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[20]  Steven Myers,et al.  Towards a Separation of Semantic and CCA Security for Public Key Encryption , 2007, TCC.

[21]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[22]  Abhi Shelat,et al.  Bounded CCA2-Secure Encryption , 2007, ASIACRYPT.

[23]  David Zuckerman,et al.  Non-malleable Codes against Constant Split-State Tampering , 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[24]  Ueli Maurer,et al.  From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes , 2015, TCC.

[25]  Hugo Krawczyk,et al.  Relaxing Chosen-Ciphertext Security , 2003, CRYPTO.

[26]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[27]  Venkatesan Guruswami,et al.  Non-malleable Coding Against Bit-Wise and Split-State Tampering , 2013, Journal of Cryptology.

[28]  Pratyay Mukherjee,et al.  Continuous Non-malleable Codes , 2014, IACR Cryptol. ePrint Arch..