Plaintext Simulatability

We propose a new security class, called plaintext simulatability, defined over the public-key encryption schemes. The notion of plaintext simulatability (denoted PS) is similar to the notion of plaintext awareness (denoted PA) defined in [3], but it is "properly" a weaker security class for public-key encryption. It is known that PA implies the class of CCA2-secure encryption (denoted IND-CCA2) but not vice versa. In most cases, PA is "unnecessarily" strong---In such cases, PA is only used to study that the public-key encryption scheme involved meets IND-CCA2, because it looks much easier to treat the membership of PA than to do "directly" the membership of IND-CCA2. We show that PS also implies IND-CCA2, while preserving such a technical advantage as well as PA. We present two novel CCA2-secure public-key encryption schemes, which should have been provided with more complicated security analyses. One is a random-oracle version of Dolev-Dwork-Naor's encryption scheme [9]. Unlike the original scheme, this construction is efficient. The other is a public-key encryption scheme based on a strong pseudo-random permutation family [16] which provides the optimal ciphertext lengths for verifying the validity of ciphertexts, i.e., (ciphertext size) = (message size) + (randomness size). According to [19], such a construction remains open. Both schemes meet PS but not PA.

[1]  Masayuki Abe,et al.  Combining Encryption and Proof of Knowledge in the Random Oracle Model , 2004, Comput. J..

[2]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[3]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[4]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[5]  Kazukuni Kobara,et al.  A Generic Conversion with Optimal Redundancy , 2005, CT-RSA.

[6]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[7]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[8]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[9]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[10]  David Pointcheval,et al.  Chosen-Ciphertext Security without Redundancy , 2003, ASIACRYPT.

[11]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[12]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[13]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[14]  Giovanni Di Crescenzo,et al.  Necessary and Sufficient Assumptions for Non-iterative Zero-Knowledge Proofs of Knowledge for All NP Relations , 2000, ICALP.

[15]  David Pointcheval,et al.  Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks , 2001, ASIACRYPT.

[16]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[17]  Silvio Micali,et al.  Plaintext Awareness via Key Registration , 2003, CRYPTO.

[18]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[19]  Manuel Blum,et al.  Proving Security Against Chosen Cyphertext Attacks , 1988, CRYPTO.