Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security

In PKC 2014, Dachman-Soled showed a construction of a chosen ciphertext (CCA) secure public key encryption (PKE) scheme based on a PKE scheme which simultaneously satisfies a security property called weak simulatability and standard model plaintext awareness (sPA1) in the presence of multiple public keys. It is not known whether plaintext awareness in the multiple keys setting is equivalent to the more familiar notion in the single key setting, and plaintext awareness is typically considered a strong security assumption because achieving it requires a "knowledge"-type assumption. In Dachman-Soled's construction, the underlying PKE scheme needs to be plaintext aware in the presence of $$2k+2$$ public keys. The main result of this work is to show that the strength of plaintext awareness required in the Dachman-Soled construction can be "traded" against the strength of a "simulatability" property of the other building blocks. Furthermore, we also show that the assumption that a single PKE scheme must be both weakly simulatable and plaintext aware in her construction can be "separated" into assumptions on distinct building blocks. Specifically, in this paper we show two new constructions of CCA secure key encapsulation mechanisms (KEMs): Our first scheme is based on a KEM which is chosen plaintext (CPA) secure and plaintext aware only in the 2 keys setting, and a PKE scheme satisfying a "slightly stronger" simulatability than weak simulatability, called "trapdoor simulatability", introduced by Choi et al. (ASIACRYPT 2009). Our second scheme is based on a KEM which is 1-bounded CCA secure (Cramer et al., ASIACRYPT 2007) and plaintext aware only in the single key setting, and a trapdoor simulatable PKE scheme. Our results add new recipes for constructing CCA secure PKE/KEM from general assumptions that are incomparable to those used by Dachman-Soled, and in particular show interesting trade-offs between our building blocks and those used in Dachman-Soled's construction.
