Public-Key Encryption with Non-Interactive Opening: New Constructions and Stronger Definitions

Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption remains thus valid. Next, we prove that PKENO can alternatively be built out of robust non-interactive threshold public-key cryptosystems, a primitive that differs from identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random-Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.

[1]  Ivan Damgård,et al.  Public-Key Encryption with Non-interactive Opening , 2008, CT-RSA.

[2]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[3]  Gil Segev,et al.  Efficient Lossy Trapdoor Functions based on the Composite Residuosity Assumption , 2008, IACR Cryptol. ePrint Arch..

[4]  Tatsuaki Okamoto,et al.  Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings , 2007, Public Key Cryptography.

[5]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[6]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[7]  Tal Malkin Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. Proceedings , 2008, CT-RSA.

[8]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[9]  Marc Fischlin,et al.  Topics in Cryptology – CT-RSA 2009 , 2009 .

[10]  Chris Peikert,et al.  Bonsai Trees (or, Arboriculture in Lattice-Based Cryptography) , 2009, IACR Cryptol. ePrint Arch..

[11]  S. Arita,et al.  Construction of Threshold Public-Key Encryptions through Tag-Based Encryptions , 2009, ACNS.

[12]  Parampalli Udaya,et al.  E cient Identity-based Signcryption without Random Oracles , 2012, AISC.

[13]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[14]  Xavier Boyen Miniature CCA2 PK Encryption: Tight Security Without Redundancy , 2007, ASIACRYPT.

[15]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[16]  Dániel Marx,et al.  On the Optimality of Planar and Geometric Approximation Schemes , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[17]  Alfred Menezes,et al.  Topics in Cryptology – CT-RSA 2005 , 2005 .

[18]  Ivan Damgård,et al.  Non-interactive Proofs for Integer Multiplication , 2007, EUROCRYPT.

[19]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[20]  David Galindo,et al.  Breaking and Repairing Damgård et al. Public Key Encryption Scheme with Non-interactive Opening , 2009, CT-RSA.

[21]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.

[22]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[23]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[24]  Donald W. Davies,et al.  Advances in Cryptology — EUROCRYPT ’91 , 2001, Lecture Notes in Computer Science.

[25]  Eike Kiltz,et al.  Chosen-Ciphertext Security from Tag-Based Encryption , 2006, TCC.

[26]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, CRYPTO.

[27]  Brent Waters,et al.  Lossy trapdoor functions and their applications , 2008, SIAM J. Comput..

[28]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, Journal of Cryptology.

[29]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[30]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[31]  Jonathan Katz,et al.  Chosen-Ciphertext Security of Multiple Encryption , 2005, TCC.

[32]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[33]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[34]  Craig Gentry,et al.  Space-Efficient Identity Based EncryptionWithout Pairings , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[35]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[36]  David Pointcheval,et al.  Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks , 2001, ASIACRYPT.

[37]  Chris Peikert Some Recent Progress in Lattice-Based Cryptography , 2009, TCC.

[38]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[39]  Dan Boneh,et al.  Chosen Ciphertext Secure Public Key Threshold Encryption Without Random Oracles , 2006, CT-RSA.

[40]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[41]  Richard E. Overill,et al.  Foundations of Cryptography: Basic Tools , 2002, J. Log. Comput..

[42]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[43]  Eike Kiltz,et al.  Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman , 2007, Public Key Cryptography.

[44]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[45]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[46]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[47]  J. Willems The Belgian National Fund for Scientific Research , 1945, Nature.

[48]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[49]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[50]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[51]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[52]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[53]  Xavier Boyen,et al.  Identity-Based Encryption from Lattices in the Standard Model , 2009 .

[54]  Qixiang Mei,et al.  Direct chosen ciphertext security from identity-based techniques , 2005, CCS '05.

[55]  David Cash,et al.  How to Delegate a Lattice Basis , 2009, IACR Cryptol. ePrint Arch..