Completely Non-malleable Encryption Revisited

Several security notions for public-key encryption schemes have been proposed so far, in particular considering the powerful adversary that can play a so called "man-in-the-middle" attack. In this paper we extend the notion of completely non-malleable encryption introduced in [Fischlin, ICALP 05]. This notion immunizes a scheme from adversaries that can generate related ciphertexts under new public keys. This notion is motivated by its powerful features when encryption schemes are used as subprotocols. While in [Fischlin, ICALP 05] the only notion of simulation-based completely non-malleable encryption with respect to CCA2 adversaries was given, we present new game-based definitions for completely non-malleable encryption that follow the standard separations among NM-CPA, NM-CCA1 and NM-CCA2 security given in [Bellare et al., CRYPTO 98]. This is motivated by the fact that in several cases, the simplest notion we introduce (i.e., NM-CPA*) in several cases suffices for the main application that motivated the introduction of the notion of NM-CCA2* security, i.e., the design of nonmalleable commitment schemes. Further the game-based definition of NM-CPA* security actually implies the simulation-based one. We then focus on constructing encryption schemes that satisfy these strong security notions and show: 1) an NM-CCA2* secure encryption scheme in the shared random string model; 2) an NM-CCA2* secure encryption scheme in the plain model; for this second result, we use interaction and non-black-box techniques to overcome an impossibility result. Our results clarify the importance of these stronger notions of encryption schemes and show how to construct them without requiring random oracles.

[1]  Jonathan Katz,et al.  Efficient cryptographic protocols preventing man-in-the-middle attacks , 2002 .

[2]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[3]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[4]  Marc Fischlin,et al.  Completely Non-malleable Schemes , 2005, ICALP.

[5]  Jonathan Katz,et al.  Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications , 2003, EUROCRYPT.

[6]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[7]  Mihir Bellare,et al.  An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[8]  Jesper Buus Nielsen,et al.  Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[9]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[10]  Rafael Pass,et al.  Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[11]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[12]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[13]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[14]  Rafael Pass,et al.  New and improved constructions of non-malleable cryptographic protocols , 2005, STOC '05.

[15]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[16]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[17]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[18]  Rafail Ostrovsky,et al.  Concurrent Non-Malleable Witness Indistinguishability and its Applications , 2006, Electron. Colloquium Comput. Complex..

[19]  Tor Helleseth,et al.  Advances in Cryptology — EUROCRYPT ’93 , 2001, Lecture Notes in Computer Science.

[20]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[21]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[22]  Moni Naor,et al.  Concurrent zero-knowledge , 1998, STOC '98.

[23]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[24]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[25]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[26]  Jacques Stern,et al.  RSA-OAEP Is Secure under the RSA Assumption , 2001, Journal of Cryptology.

[27]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[28]  Amit Sahai,et al.  Concurrent Non-Malleable Zero Knowledge , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).