2004
In this paper, we revisit the security notions for public-key encryption, and namely indistinguishability. We indeed achieve the surprising result that no decryption query before receiving the challenge ciphertext can be replaced by queries (whatever the number is) after having received the challenge, and vice-versa. This remark leads to a stricter and more complex hierarchy for security notions in the public-key setting: the (i, j)-IND level, in which an adversary can ask at most i (j resp.) queries before (after resp.) receiving the challenge. Except for the trivial implications, all the other relations are strict gaps, with no polynomial reduction (under the assumption that IND-CCA2 secure encryption schemes exist). Similarly, we define different levels for non-malleability (denoted (i, j)-NM).
Journal of Mathematical Cryptology, 2012
Since their introduction, the notions of indistinguishability and non-malleability have been changed and extended by different authors to support different goals. In this paper, we propose new flavors of these notions, investigate their relative strengths with respect to previous notions, and provide the full picture of relationships (i.e., implications and separations) among the security notions for public-key encryption schemes. We take into account the two general security goals of indistinguishability and non-malleability, each in the message space, key space, and hybrid message-key space to find six specific goals, two of which, namely complete indistinguishability and key non-malleability, are new. Then for each pair of goals, coming from the indistinguishability or non-malleability classes, we prove either an implication or a separation, completing the full picture of relationships among all these security notions. The implications and separations are respectively supported by formal proofs (i.e., reductions) in the concrete-security framework and by counterexamples.
1998
We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well-known to be difficult to construct given the fact that there are only a few such kinds of PKE schemes available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires that ciphertexts of two randomly selected messages be indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
Book Chapter, Contemporary Topics in Mathematics and Statistics with Applications, Volume-I, Asian Books Pvt Ltd., 2012
From their inception, public-key cryptosystems have been an area of active research. Various aspects of public-key encryption like constructions, security notions, adversarial models, hardness assumptions, proof-methodology, efficiency, compatibility etc. have been analysed and re-analysed in the last three and a half decades by numerous cryptographers. Some of them are good enough to survive while some of them, though broken, provide meaningful insights towards the subject. In this article, our aim is to provide an expository as well as technical (as far as possible, keeping in mind its brevity) overview of the subject as it has progressed over the years, along with some open problems and suitable references.
Progress in Cryptology …, 2010
Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption remains thus valid. Next, we prove that PKENO can alternatively be built out of robust non-interactive threshold public-key cryptosystems, a primitive that differs from identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random-Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.
Information Processing Letters, 2008
In public key encryption schemes with a double decryption mechanism (DD-PKE), decryption can be done in either of two ways: by the user owning the secret/public key pair corresponding to the ciphertext, or by a trusted party holding a sort of master secret-key. In this note we argue that the classical security notion for standard public key encryption schemes does not suffice for DD-PKE schemes, and propose a new natural definition. Additionally, we illustrate the usefulness of the new security definition by showing that a DD-PKE scheme presented in the workshop Selected Areas in Cryptography 2005 is insecure under this augmented security notion.
Lecture Notes in Computer Science, 2008
Several security notions for public-key encryption schemes have been proposed so far, in particular considering the powerful adversary that can play a so-called "man-in-the-middle" attack. In this paper we extend the notion of completely non-malleable encryption introduced in [Fischlin, ICALP 05]. This notion immunizes a scheme from adversaries that can generate related ciphertexts under new public keys. This notion is motivated by its powerful features when encryption schemes are used as subprotocols. While in [Fischlin, ICALP 05] the only notion of simulation-based completely non-malleable encryption with respect to CCA2 adversaries was given, we present new game-based definitions for completely non-malleable encryption that follow the standard separations among NM-CPA, NM-CCA1 and NM-CCA2 security given in [Bellare et al., CRYPTO 98]. This is motivated by the fact that in several cases, the simplest notion we introduce (i.e., NM-CPA*) suffices for the main application that motivated the introduction of the notion of NM-CCA2* security, i.e., the design of non-malleable commitment schemes. Further, the game-based definition of NM-CPA* security actually implies the simulation-based one. We then focus on constructing encryption schemes that satisfy these strong security notions and show: 1) an NM-CCA2* secure encryption scheme in the shared random string model; 2) an NM-CCA2* secure encryption scheme in the plain model; for this second result, we use interaction and non-black-box techniques to overcome an impossibility result. Our results clarify the importance of these stronger notions of encryption schemes and show how to construct them without requiring random oracles.
2002
Recently various public key encryption schemes such as DHIES by Abdalla, Bellare and Rogaway and REACT by Okamoto and Pointcheval, whose security against adaptive chosen ciphertext attack (CCA) is based on the Gap problems, have been proposed. Although the Gap problems were proved to be a sufficient assumption for those schemes to be secure against adaptive chosen-ciphertext attack, a necessary condition for CCA security of those schemes has not been explicitly discussed. In this paper we clarify the necessary condition for CCA security of those schemes. Namely we prove (in the random oracle model) that the Gap Diffie-Hellman is not only sufficient, but also a necessary assumption for the CCA security of DHIES and the Diffie-Hellman version of REACT. We also show that our result applies to a wider class of public key encryption schemes. Furthermore we show that our result implies the equivalence, in the random oracle model, between ‘Strong Diffie-Hellman’ and ‘Oracle Diffie-Hellman’ assumptions proposed by Abdalla, Bellare and Rogaway. Our results may be used as criteria for distinguishing public key encryption schemes whose CCA security is based on strong assumptions (such as Gap Diffie-Hellman) from those schemes based on weaker ones (such as Computational Diffie-Hellman).
Lecture Notes in Computer Science, 2017
We take a critical look at established security definitions for predicate encryption (PE) with public index under chosen-plaintext attack (CPA) and under chosen-ciphertext attack (CCA). In contrast to conventional public-key encryption (PKE), security definitions for PE have to deal with user collusion which is modeled by an additional key generation oracle. We identify three different formalizations of key handling in the literature implicitly assumed to lead to the same security notion. Contrary to this assumption we prove that the corresponding models result in two different security notions under CPA and three different security notions under CCA. Similarly to the recent results for PKE and conventional key-encapsulation mechanism (KEM) (Journal of Cryptology, 2015) we also analyze subtleties in security definitions for PE and predicate key-encapsulation mechanism (P-KEM) regarding the so-called "no-challenge-decryption" condition. While the results for PE and PKE are similar, the results for P-KEM significantly differ from the corresponding results for conventional KEM. Our analysis is based on appropriate definitions of semantic security and indistinguishability of encryptions for PE under different attack scenarios. These definitions complement related security definitions for identity-based encryption and functional encryption. As a result of our work we suggest security definitions for PE and P-KEM under different attack scenarios.
2001
We consider a novel security requirement of encryption schemes that we call “key-privacy” or “anonymity”. It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. We investigate the anonymity of known encryption schemes. We prove that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. We also consider anonymity for trapdoor permutations. Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it. We provide a variant of RSA-OAEP that provides anonymity in the random oracle model assuming RSA is one-way. We also give constructions of anonymous trapdoor permutations, assuming RSA is one-way, which yield anonymous encryption schemes in the standard model.
Lecture Notes in Computer Science, 2006
Identity based encryption (IBE) schemes have been flourishing since the very beginning of this century. In IBE it is widely believed that proving the security of a scheme in the sense of IND-ID-CCA2 is sufficient to claim the scheme is also secure in the senses of both SS-ID-CCA2 and NM-ID-CCA2. The justification for this belief is the relations among indistinguishability (IND), semantic security (SS) and non-malleability (NM). But these relations are proved only for conventional public key encryption (PKE) schemes in historical works. The fact is that between IBE and PKE, there exists a difference of special importance, i.e. only in IBE the adversaries can perform a particular attack, namely the chosen identity attack. This paper shows that security proved in the sense of IND-ID-CCA2 is validly sufficient for implying security in any other sense in IBE. This is to say the security notion, IND-ID-CCA2, captures the essence of security for all IBE schemes. To achieve this intention, we first describe formal definitions of the notions of security for IBE, and then present the relations among IND, SS and NM in IBE, along with rigorous proofs. All of these results are proposed with the consideration of the chosen identity attack.
2009
Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the long-standing open problem of “circular encryption,” by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung “double encryption” paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use of the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.
IACR Cryptol. ePrint Arch., 2018
In this paper, we introduce a new framework for constructing public-key encryption (PKE) schemes resilient to joint post-challenge/after-the-fact leakage and tampering attacks in the bounded leakage and tampering (BLT) model, introduced by Damgard et al. (Asiacrypt 2013). All the prior formulations of PKE schemes considered leakage and tampering attacks only before the challenge ciphertext is made available to the adversary. However, this restriction seems necessary, since achieving security against post-challenge leakage and tampering attacks in its full generality is impossible, as shown in previous works. In this paper, we study the post-challenge/after-the-fact security for PKE schemes against bounded leakage and tampering under a restricted yet meaningful and reasonable notion of security, namely, the split-state leakage and tampering model. We show that it is possible to construct secure PKE schemes in this model, tolerating arbitrary (but bounded) leakage and tampering querie...
Introduction to Security Reduction, 2018
In this chapter, we mainly use a variant of ElGamal encryption to introduce how to prove the security of encryption schemes under computational hardness assumptions. The basic scheme is called the hashed ElGamal scheme [1]. The twin ElGamal scheme and the iterated ElGamal scheme are from [29] and [55], respectively, and introduce two totally different approaches for addressing the reduction loss of finding a correct solution from hash queries. The ElGamal encryption scheme with CCA security is introduced using the Fujisaki-Okamoto transformation [42]. The given schemes and/or proofs may be different from the original ones.

7.1 Hashed ElGamal Scheme

SysGen: The system parameter generation algorithm takes as input a security parameter $\lambda$. It chooses a cyclic group $(\mathbb{G}, p, g)$, selects a cryptographic hash function $H : \{0,1\}^* \to \{0,1\}^n$, and returns the system parameters $SP = (\mathbb{G}, p, g, H)$.

KeyGen: The key generation algorithm takes as input the system parameters $SP$. It randomly chooses $\alpha \in \mathbb{Z}_p$, computes $g_1 = g^{\alpha}$, and returns a public/secret key pair $(pk, sk)$ as follows: $pk = g_1$, $sk = \alpha$.

Encrypt: The encryption algorithm takes as input a message $m \in \{0,1\}^n$, the public key $pk$, and the system parameters $SP$. It chooses a random number $r \in \mathbb{Z}_p$ and returns the ciphertext $CT$ as $CT = (C_1, C_2) = \left(g^r,\; H(g_1^{r}) \oplus m\right)$.
Lecture Notes in Computer Science, 2007
Whereas encryption schemes withstanding passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model (bounded CCA2 security) wherein security needs only hold against adversaries that make an a-priori bounded number of queries to the decryption oracle. Regarding this notion we show (without any further assumptions):
2006
The development of precise definitions of security for encryption, as well as a detailed understanding of their relationships, has been a major area of research in modern cryptography. Here, we focus on the case of private-key encryption. Extending security notions from the public-key setting, we define security in the sense of both indistinguishability and non-malleability against chosen-plaintext and chosen-ciphertext attacks, considering both non-adaptive (i.e., "lunchtime") and adaptive oracle access (adaptive here refers to an adversary's ability to interact with a given oracle even after viewing the challenge ciphertext). We then characterize the 18 resulting security notions in two ways. First, we construct a complete hierarchy of security notions; that is, for every pair of definitions we show whether one definition is stronger than the other, whether the definitions are equivalent, or whether they are incomparable. Second, we partition these notions of security into two classes (computational or information-theoretic) depending on whether one-way functions are necessary in order for encryption schemes satisfying the definition to exist.
Lecture Notes in Computer Science, 2014
At FOCS'99, Dwork et al. put forth the notion of 'selective-opening attacks' (SOAs, for short). In the literature, security against such attacks has been formalized via indistinguishability-based and simulation-based notions, respectively called IND-SO-CPA security and SIM-SO-CPA security. Furthermore, the IND-SO-CPA notion has been studied under two flavors: weak-IND-SO-CPA and full-IND-SO-CPA security. At Eurocrypt'09, Bellare et al. showed the first positive results on SOA security of encryption schemes: 1) any lossy encryption scheme is weak-IND-SO-CPA secure; 2) any lossy encryption scheme with efficient openability is SIM-SO-CPA secure. Despite rich further work on SOA security, the (un)feasibility of full-IND-SO-CPA remains a major open problem in the area of SOA security. The elusive nature of the full-IND-SO-CPA notion of security is attributed to a specific aspect of the security game, namely, the challenger requiring to perform a super-polynomial time task. Not only do we not know whether there exists a scheme that is full-IND-SO-CPA secure, but we also do not know concrete attacks against popular schemes such as the ElGamal and Cramer-Shoup schemes in the full-IND-SO-CPA model. The contribution of our work is threefold. 1. Motivated by the difficulty in understanding (un)feasibility of the full-IND-SO-CPA notion, we study a variant of this notion that is closer in spirit to the IND-CPA notion but still embodies the security captured by the full-IND-SO-CPA notion. We observe that the weak form of our variation does not introduce any significant change to the weak-IND-SO-CPA notion; that is, the weak form of our notion is equivalent to the weak-IND-SO-CPA notion. 2. Interestingly, we can show that a large class of encryption schemes can be proven insecure for the full form of our notion. The large class includes most known constructions of weak-IND-SO-CPA secure schemes and SIM-SO-CPA secure schemes and also popular schemes like the ElGamal and Cramer-Shoup schemes. 3. Our third contribution studies the complexity of SIM-SO-CPA security. Complementing the result of Bellare et al., we show that lossiness is not necessary to achieve SIM-SO-CPA security. More specifically, we present a SIM-SO-CPA scheme that is not a lossy encryption scheme (regardless of efficient openability). Since SIM-SO-CPA security implies weak-IND-SO-CPA security, it follows as a corollary that the converses of both the implications proved by Bellare et al. do not hold. Furthermore, as a corollary of our techniques, on a slightly unrelated but useful note, we obtain that lossiness is not required to obtain non-committing encryption. Previously, at Eurocrypt'09, Fehr et al. showed a construction of a non-committing encryption scheme from trapdoor permutations and this scheme was, as noted by the authors, possibly not lossy. Our scheme amounts to the first construction of a non-committing encryption scheme that is provably not lossy. (Work partially done while visiting UCLA.)
2006
KEM (Key Encapsulation Mechanism) was introduced by Shoup to formalize the asymmetric encryption specified for key distribution in ISO standards on public-key encryption. Shoup defined the "semantic security (IND) against adaptively chosen ciphertext attacks (CCA2)" as a desirable security notion of KEM. This paper introduces "non-malleability (NM)" of KEM, a stronger security notion than IND. We provide three definitions of NM, and show that these three definitions are equivalent.
2010
We construct the first public-key encryption scheme in the Bounded-Retrieval Model (BRM), providing security against various forms of adversarial “key leakage” attacks. In this model, the adversary is allowed to learn arbitrary information about the decryption key, subject only to the constraint that the overall amount of “leakage” is bounded by at most ℓ bits. The goal of the BRM is to design cryptographic schemes that can flexibly tolerate arbitrary leakage bounds ℓ (few bits or many Gigabytes), by only increasing the size of the secret key proportionally, but keeping all the other parameters — including the size of the public key, ciphertext, encryption/decryption time, and the number of secret-key bits accessed during decryption — small and independent of ℓ. As our main technical tool, we introduce the concept of an Identity-Based Hash Proof System (IB-HPS), which generalizes the notion of hash proof systems of Cramer and Shoup [CS02] to the identity-based setting. We give three different constructions of this primitive based on: (1) bilinear groups, (2) lattices, and (3) quadratic residuosity. As a result of independent interest, we show that an IB-HPS almost immediately yields an Identity-Based Encryption (IBE) scheme which is secure against (small) partial leakage of the target identity’s decryption key. As our main result, we use IB-HPS to construct public-key encryption (and IBE) schemes in the Bounded-Retrieval Model.
2000
This paper addresses the security of public-key cryptosystems in a "multi-user" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Håstad's classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pinpointing many schemes guaranteed to be secure against Håstad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.