On Plaintext-Aware Public-Key Encryption Schemes

Plaintext awareness is a property of a public-key encryption scheme intended to capture the idea that the only way to produce a valid ciphertext is to take a message and encrypt it. The idea is compelling, but the devil, as always, is in the details. The established definition of plaintext awareness in the standard model is known as PA2 plaintext awareness and was introduced by Bellare and Palacio. We propose a modified definition of plaintext awareness, which we call 2PA2, in which the arbitrary stateful plaintext creators of the PA2 definition are replaced with a choice of two fixed stateless plaintext creators. We show that under reasonable conditions our new definition is equivalent to the standard one. We also adapt techniques used by Teranishi and Ogata to show that no encryption scheme which allows arbitrarily long messages can be PA2 plaintext aware, a disadvantage which our new definition does not appear to share. Dent has shown that a variant of the Cramer-Shoup encryption scheme based on the Diffie-Hellman problem is PA2 plaintext aware under the Diffie-Hellman Knowledge (DHK) assumption. We present a generalisation of this assumption to arbitrary subset membership problems, which we call the Subset Witness Knowledge (SWK) assumption, and use it to show that the generic Cramer-Shoup and Kurosawa-Desmedt encryption schemes based on hash proof systems are plaintext aware. In the case of the Diffie-Hellman problem, the SWK assumption is exactly the Diffie-Hellman Knowledge assumption, but we also discuss several other possible instantiations of this assumption.
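The abstract turns on the fact that a Cramer-Shoup ciphertext carries, in its fourth component v, a proof that the encryptor knew the randomness r tying u1, u2 and e together; decryption checks that proof and rejects anything that fails it, which is the concrete mechanism behind "the only way to produce a valid ciphertext is to encrypt". The following Python is an added illustration, not code from the paper or from Dent's work: it implements the original DDH-based Cramer-Shoup scheme (the scheme whose variant the abstract refers to) over a small safe-prime group that it generates itself, and shows a ciphertext whose payload was altered without re-deriving v being rejected. The group size, the SHA-256-to-Z_q hash and the function names are choices of this example, not the paper's.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic); enough for parameter generation."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits=64):
    """Return (p, q) with p = 2q + 1 both prime; the order-q subgroup of Z_p^* is where we work.
    64 bits is a toy size chosen so the example runs instantly, not a real-world parameter."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = gen_safe_prime()


def random_subgroup_element():
    """Random element != 1 of the order-q subgroup (the quadratic residues mod p)."""
    while True:
        x = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if x != 1:
            return x


def hash_to_zq(*elements):
    """Target-collision-resistant hash H(u1, u2, e) -> Z_q, built from SHA-256 here."""
    data = b"".join(int(e).to_bytes(16, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    g1, g2 = random_subgroup_element(), random_subgroup_element()
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P   # used for the well-formedness proof
    d = pow(g1, y1, P) * pow(g2, y2, P) % P   # ditto, weighted by the hash alpha
    h = pow(g1, z, P)                         # used to mask the message
    return (g1, g2, c, d, h), (x1, x2, y1, y2, z)


def encrypt(pk, m):
    """m must be a subgroup element. Returns (u1, u2, e, v)."""
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    alpha = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P   # the "proof" that u1, u2, e share one r
    return (u1, u2, e, v)


def decrypt(sk, ct):
    """Returns the message, or None if the consistency check on v fails."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = hash_to_zq(u1, u2, e)
    expected = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if expected != v:
        return None   # reject: not a well-formed ciphertext, so no information leaks
    return e * pow(u1, Q - z, P) % P   # e / u1^z, using u1^(q - z) = u1^(-z) in a group of order q


def demo():
    """Round-trip a message, then alter the payload without knowing r and see it rejected."""
    pk, sk = keygen()
    m = random_subgroup_element()
    ct = encrypt(pk, m)
    u1, u2, e, v = ct
    altered = (u1, u2, e * pk[0] % P, v)   # constructed: same u1, u2, v but a different e
    return {
        "roundtrip": decrypt(sk, ct) == m,
        "altered_rejected": decrypt(sk, altered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The altered ciphertext is rejected because changing e changes alpha, and v was computed for the old alpha; producing a v that passes for the new alpha requires knowing r, which is exactly the "knowledge" the DHK assumption and its SWK generalisation speak about. Decryption rejecting without revealing anything beyond "invalid" is also what lets the decryption oracle in the PA2 game be simulated.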

[1] D. Galindo Chacon et al. An instantiation of the Cramer-Shoup encryption paradigm using bilinear map groups, 2005.

[2] Jonathan Katz et al. Chosen-Ciphertext Security from Identity-Based Encryption, 2004, SIAM J. Comput.

[3] Ronald Cramer et al. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption, 2001, EUROCRYPT.

[4] Hugo Krawczyk et al. The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?), 2001, CRYPTO.

[5] Victor Shoup et al. A Proposal for an ISO Standard for Public Key Encryption, 2001, IACR Cryptol. ePrint Arch.

[6] Moni Naor et al. On Cryptographic Assumptions and Challenges, 2003, CRYPTO.

[7] Mihir Bellare et al. Optimal Asymmetric Encryption, 1994, EUROCRYPT.

[8] Dan Boneh et al. Simplified OAEP for the RSA and Rabin Functions, 2001, CRYPTO.

[9] Mihir Bellare et al. Towards Plaintext-Aware Public-Key Encryption Without Random Oracles, 2004, ASIACRYPT.

[10] Tal Rabin et al. On the Security of Joint Signature and Encryption, 2002, EUROCRYPT.

[11] M. Rabin. Digitalized Signatures and Public-Key Functions as Intractable as Factorization, 1979.

[12] Mihir Bellare et al. Relations among Notions of Security for Public-Key Encryption Schemes, 1998, IACR Cryptol. ePrint Arch.

[13] Hugo Krawczyk et al. Relaxing Chosen-Ciphertext Security, 2003, CRYPTO.

[14] Moni Naor et al. Public-key cryptosystems provably secure against chosen ciphertext attacks, 1990, STOC '90.

[15] Alexander W. Dent et al. The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model, 2006, IACR Cryptol. ePrint Arch.

[16] Leonid A. Levin et al. Pseudo-random Generation from one-way functions (Extended Abstracts), 1989, STOC 1989.

[17] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, 1991, CRYPTO.

[18] Victor Shoup et al. A computational introduction to number theory and algebra, 2005.

[19] Silvio Micali et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[20] Ivan Damgård et al. Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks, 1991, CRYPTO.

[21] James Manger et al. A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0, 2001, CRYPTO.

[22] Hugo Krawczyk et al. Deniable authentication and key exchange, 2006, CCS '06.

[23] Isamu Teranishi et al. Relationship between Standard Model Plaintext Awareness and Message Hiding, 2008, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[24] Jacques Stern et al. RSA-OAEP Is Secure under the RSA Assumption, 2001, Journal of Cryptology.

[25] Larry Carter et al. New classes and applications of hash functions, 1979, 20th Annual Symposium on Foundations of Computer Science (sfcs 1979).

[26] Yvo Desmedt et al. A New Paradigm of Hybrid Encryption Scheme, 2004, CRYPTO.

[27] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[28] Ronald Cramer et al. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, 1998, CRYPTO.

[29] Ed Dawson et al. A Public Key Cryptosystem Based on the Subgroup Membership Problem, 2001, ICICS.

[30] Colin Boyd et al. Concrete Chosen-Ciphertext Secure Encryption from Subgroup Membership Problems, 2006, CANS.

[31] Pascal Paillier et al. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, 1999, EUROCRYPT.

[32] Victor Shoup et al. Sequences of games: a tool for taming complexity in security proofs, 2004, IACR Cryptol. ePrint Arch.

[33] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[34] Ronald Cramer et al. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack, 2003, SIAM J. Comput.