Publicly verifiable ciphertexts

Published: 01 September 2013

Abstract

In many applications where encrypted traffic flows from an open public domain to a protected private domain there exists a gateway that bridges these two worlds, faithfully forwarding all incoming traffic to the receiver. We observe that the notion of indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2), which is a mandatory goal in the face of active attacks in a public domain, can be relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) once the ciphertexts have passed the gateway. The latter then acts as an IND-CCA2/CPA filter by first checking the validity of an incoming IND-CCA2-secure ciphertext, transforming it, if valid, into an IND-CPA-secure ciphertext, and finally forwarding it to the recipient in the private domain. Non-trivial filtering can result in reduced decryption costs on the recipient's side.

We identify a class of encryption schemes with publicly verifiable ciphertexts that admit generic constructions of IND-CCA2/CPA filters with non-trivial verification. These schemes are characterized by the existence of public algorithms that can ultimately distinguish between valid and invalid ciphertexts. To this end, we formally define public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms and hybrid encryption schemes, encompassing public-key, identity-based and tag-based encryption flavours. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.
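As an added illustration, not code from the paper and not the authors' construction, the Python sketch below shows the three roles the abstract describes: a sender producing a publicly verifiable outer ciphertext, a gateway that checks validity using public information only and strips the verification component, and a recipient that decrypts the smaller inner ciphertext without repeating that check. The outer ciphertext follows the one-time-signature pattern of Canetti, Halevi and Katz [9] combined with the tag-based idea of Kiltz [21]: a hashed-ElGamal/DHIES-style ciphertext (cf. [2]) whose key derivation is bound to the hash of a fresh Lamport verification key, signed with the matching one-time signing key. Everything is constructed for the example (a freshly generated toy safe-prime group, a SHA-256 keystream as the DEM, the function names); it demonstrates the filter structure and the gateway's public checks (subgroup membership, signature), not a security proof of this particular toy.

```python
import hashlib
import secrets

# ---- toy prime-order group: freshly generated safe prime p = 2q + 1, g = 4 (constructed) ----
def is_probable_prime(n, rounds=16):
    # Miller-Rabin probable-prime test, demonstration quality
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=128):
    # p = 2q + 1 prime; 4 = 2^2 is a square, so it generates the order-q subgroup
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1            # recipient's private key
    return x, pow(g, x, p)                       # (sk, pk)

def _i2b(params, v):
    return v.to_bytes((params[0].bit_length() + 7) // 8, "big")

# ---- DEM: SHA-256 keystream keyed by the DH value and the tag (one-time pad, toy) ----
def keystream(params, shared, tag, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(_i2b(params, shared) + tag + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Lamport one-time signature: the component anyone can verify without a secret ----
def ots_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, vk

def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def ots_verify(vk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == vk[i][bit] for i, bit in enumerate(_bits(msg)))

def vk_tag(vk):
    # hash of the verification key; the KEM binds this tag into the derived key
    return hashlib.sha256(b"".join(a + b for a, b in vk)).digest()

# ---- sender: outer ciphertext (vk, c1, c2, sig) for the public domain ----
def encrypt(params, pk, m):
    p, q, g = params
    sk_ots, vk = ots_keygen()
    r = secrets.randbelow(q - 1) + 1
    c1 = pow(g, r, p)
    c2 = xor(m, keystream(params, pow(pk, r, p), vk_tag(vk), len(m)))
    sig = ots_sign(sk_ots, _i2b(params, c1) + c2)   # ties c1, c2 to this one-time vk
    return vk, c1, c2, sig

# ---- gateway: the IND-CCA2/CPA filter; holds no secret key ----
def gateway_filter(params, ct):
    p, q, g = params
    vk, c1, c2, sig = ct
    if not (1 < c1 < p and pow(c1, q, p) == 1):    # reject elements outside the order-q subgroup
        return None
    if not ots_verify(vk, _i2b(params, c1) + c2, sig):
        return None                                  # invalid ciphertext is dropped here
    return vk_tag(vk), c1, c2                        # inner ciphertext: vk and sig stripped

# ---- recipient: decrypts the inner ciphertext; no signature verification on this side ----
def decrypt_inner(params, sk, inner):
    p, q, g = params
    tag, c1, c2 = inner
    return xor(c2, keystream(params, pow(c1, sk, p), tag, len(c2)))

def demo(bits=64):
    # full round trip: sender -> gateway -> recipient, on a constructed plaintext
    params = setup(bits)
    sk, pk = keygen(params)
    inner = gateway_filter(params, encrypt(params, pk, b"constructed sample plaintext"))
    return decrypt_inner(params, sk, inner)
```

The recipient's work is one modular exponentiation plus the keystream; the 256 hash evaluations of the Lamport check and the subgroup-membership test are paid once, at the gateway. Because the tag (the hash of vk) still travels with the inner ciphertext, the recipient derives the same key the sender used even though vk and the signature no longer accompany it.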

References

[1] M. Abdalla, M. Bellare and G. Neven, Robust encryption, in: TCC 2010, D. Micciancio, ed., LNCS, Vol. 5978, Springer, 2010, pp. 480-497.
[2] M. Abdalla, M. Bellare and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES, in: CT-RSA 2001, LNCS, Vol. 2020, Springer, 2001, pp. 143-158.
[3] M. Abe, R. Gennaro and K. Kurosawa, Tag-KEM/DEM: A new framework for hybrid encryption, Journal of Cryptology 21(1) (2008), 97-130.
[4] M. Abe, E. Kiltz and T. Okamoto, Chosen ciphertext security with optimal ciphertext overhead, in: ASIACRYPT 2008, LNCS, Vol. 5350, Springer, 2008, pp. 355-371.
[5] D. Boneh, X. Boyen and S. Halevi, Chosen ciphertext secure public key threshold encryption without random oracles, in: CT-RSA 2006, LNCS, Vol. 3860, Springer, 2006, pp. 226-243.
[6] D. Boneh, R. Canetti, S. Halevi and J. Katz, Chosen-ciphertext security from identity-based encryption, SIAM J. Comput. 36(5) (2007), 1301-1328.
[7] D. Boneh and J. Katz, Improved efficiency for CCA-secure cryptosystems built using identity-based encryption, in: CT-RSA 2005, LNCS, Vol. 3376, Springer, 2005, pp. 87-103.
[8] X. Boyen, Q. Mei and B. Waters, Direct chosen ciphertext security from identity-based techniques, in: ACM CCS 2005, V. Atluri, C. Meadows and A. Juels, eds, ACM, 2005, pp. 320-329.
[9] R. Canetti, S. Halevi and J. Katz, Chosen-ciphertext security from identity-based encryption, in: EUROCRYPT 2004, C. Cachin and J. Camenisch, eds, LNCS, Vol. 3027, Springer, 2004, pp. 207-222.
[10] D. Cash, E. Kiltz and V. Shoup, The twin Diffie-Hellman problem and applications, in: Proc. EUROCRYPT 2008, N. Smart, ed., LNCS, Vol. 4965, Springer, 2008, pp. 127-145; full version available at http://eprint.iacr.org/2008/067 and published as [11].
[11] D. Cash, E. Kiltz and V. Shoup, The twin Diffie-Hellman problem and applications, J. Cryptology 22(4) (2009), 470-504; extended abstract published as [10].
[12] R. Cramer and V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, SIAM J. Computing 33(1) (2003), 167-226.
[13] D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography (extended abstract), in: ACM STOC 1991, ACM, 1991, pp. 542-552.
[14] E. Elkind and A. Sahai, A unified methodology for constructing public-key encryption schemes secure against adaptive chosen-ciphertext attack, Cryptology ePrint Archive, Report 2002/042, 2002, available at: http://eprint.iacr.org/2002/042.
[15] O. Goldreich and L.A. Levin, A hard-core predicate for all one-way functions, in: Proc. STOC 1989, D.S. Johnson, ed., ACM, 1989, pp. 25-32.
[16] J.M. González Nieto, M. Manulis, B. Poettering, J. Rangasamy and D. Stebila, Publicly verifiable ciphertexts (extended abstract), in: Proc. Security and Cryptography for Networks (SCN) 2012, LNCS, Vol. 7485, Springer, 2012, pp. 393-410.
[17] C.P.L. Gouvêa and J. López, Software implementation of pairing-based cryptography on sensor networks using the MSP430 microcontroller, in: INDOCRYPT 2009, LNCS, Vol. 5922, Springer, 2009, pp. 248-262.
[18] G. Hanaoka and K. Kurosawa, Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption, in: ASIACRYPT 2008, LNCS, Vol. 5350, Springer, 2009, pp. 308-325.
[19] J. Herranz, D. Hofheinz and E. Kiltz, KEM/DEM: Necessary and sufficient conditions for secure hybrid encryption, Cryptology ePrint Archive, Report 2006/265, 2006, available at: http://eprint.iacr.org/2006/265.
[20] H. Imai and A. Yamagishi, CRYPTREC project - Cryptographic evaluation project for the Japanese electronic government, in: ASIACRYPT 2000, LNCS, Vol. 1976, Springer, 2000, pp. 399-400.
[21] E. Kiltz, Chosen-ciphertext security from tag-based encryption, in: TCC 2006, LNCS, Vol. 3876, Springer, 2006, pp. 581-600.
[22] E. Kiltz, Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman, in: PKC 2007, LNCS, Vol. 4450, Springer, 2007, pp. 282-297.
[23] E. Kiltz, Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman, Cryptology ePrint Archive, Report 2007/36, 2007, available at: http://eprint.iacr.org/2007/036.pdf; preliminary version published as [22].
[24] E. Kiltz and D. Galindo, Direct chosen-ciphertext secure identity-based key encapsulation without random oracles, in: ACISP 2006, LNCS, Vol. 4058, Springer, 2006, pp. 336-347; full version published as [25].
[25] E. Kiltz and D. Galindo, Direct chosen-ciphertext secure identity-based key encapsulation without random oracles, Theoretical Computer Science 410(47-49) (2009), 5093-5111; extended abstract published as [24].
[26] K. Kurosawa and Y. Desmedt, A new paradigm of hybrid encryption scheme, in: CRYPTO 2004, LNCS, Vol. 3152, Springer, 2004, pp. 426-442.
[27] J. Lai, R.H. Deng, S. Liu and W. Kou, Efficient CCA-secure PKE from identity-based techniques, in: CT-RSA 2010, LNCS, Vol. 5985, Springer, 2010, pp. 132-147.
[28] B. Libert and M. Yung, Adaptively secure non-interactive threshold cryptosystems, in: ICALP 2011, Part II, LNCS, Vol. 6756, Springer, 2011, pp. 588-600.
[29] C.H. Lim and P.J. Lee, Another method for attaining security against adaptively chosen ciphertext attacks, in: CRYPTO 1993, LNCS, Vol. 773, Springer, 1993, pp. 420-434.
[30] M. Naor and M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in: ACM STOC 1990, ACM, 1990, pp. 427-437.
[31] NESSIE, Final report of European project IST-1999-12324: New European Schemes for Signatures, Integrity, and Encryption, April 2004, available at: https://www.cosic.esat.kuleuven.be/nessie/.
[32] G. Persiano, About the existence of trapdoors in cryptosystems, Manuscript, available at: http://libeccio.dia.unisa.it/Papers/Trapdoor/Trapdoor.pdf.
[33] D.H. Phan and D. Pointcheval, Chosen-ciphertext security without redundancy, in: ASIACRYPT 2003, LNCS, Vol. 2894, Springer, 2003, pp. 1-18.
[34] D.H. Phan and D. Pointcheval, OAEP 3-round: A generic and secure asymmetric encryption padding, in: ASIACRYPT 2004, LNCS, Vol. 3329, Springer, 2004, pp. 63-78.
[35] J. Rompel, One-way functions are necessary and sufficient for secure signatures, in: STOC 1990, ACM, 1990, pp. 387-394.
[36] A. Sahai, Non-malleable non-interactive zero-knowledge and adaptive chosen-ciphertext security, in: FOCS 1999, IEEE, 1999, pp. 543-553.
[37] V. Shoup, A proposal for an ISO standard for public key encryption (version 2.1), Manuscript, 2001, available at: http://shoup.net/papers.
[38] V. Shoup, ISO 18033-2: An emerging standard for public-key encryption, Final Committee Draft, December 2004, available at: http://shoup.net/iso/std6.pdf.
[39] V. Shoup and R. Gennaro, Securing threshold cryptosystems against chosen ciphertext attack, in: EUROCRYPT 1998, LNCS, Vol. 1403, Springer, 1998, pp. 1-16.
[40] S. Stelle, M. Manulis and M. Hollick, Topology-driven secure initialization in wireless sensor networks: A tool-assisted approach, in: IEEE ARES 2012, IEEE, 2012, pp. 28-37.
[41] H. Wang and Q. Li, Efficient implementation of public key cryptosystems on mote sensors, in: ICICS 2006, LNCS, Vol. 4307, Springer, 2006, pp. 519-528.
[42] D. Wikström, Simplified submission of inputs to protocols, in: SCN 2008, LNCS, Vol. 5229, Springer, 2008, pp. 293-308.

Published In

Journal of Computer Security, Volume 21, Issue 5
Advances in Security for Communication Networks
September 2013
177 pages

Publisher

IOS Press

Netherlands

Author Tags

  1. Chosen Ciphertext Attacks
  2. Ciphertext Filtering
  3. Identity-Based Encryption
  4. Public Key Encryption

Qualifiers

  • Article
