TY - GEN
T1 - Bounded CCA2-secure encryption
AU - Cramer, Ronald
AU - Hanaoka, Goichiro
AU - Hofheinz, Dennis
AU - Imai, Hideki
AU - Kiltz, Eike
AU - Pass, Rafael
AU - Shelat, Abhi
AU - Vaikuntanathan, Vinod
PY - 2007
Y1 - 2007
N2 - Whereas encryption schemes withstanding passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model - bounded CCA2-security - wherein security needs only hold against adversaries that make an a-priori bounded number of queries to the decryption oracle. Regarding this notion we show (without any further assumptions): - For any polynomial q, a simple black-box construction of q-bounded IND-CGA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. When instantiated with the Decisional Diffie-Hellman (DDH) assumption, this construction additionally yields encryption schemes with very short ciphertexts. - For any polynomial q, a (non-black box) construction of q-bounded NM-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. Bounded-CCA2 non-malleability is the strongest notion of security yet known to be achievable assuming only the existence of IND-CPA secure encryption schemes. Finally, we show that non-malleability and indistinguishability are not equivalent under bounded-CCA2 attacks (in contrast to general CCA2 attacks).
AB - Whereas encryption schemes withstanding passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model - bounded CCA2-security - wherein security needs only hold against adversaries that make an a-priori bounded number of queries to the decryption oracle. Regarding this notion we show (without any further assumptions): - For any polynomial q, a simple black-box construction of q-bounded IND-CGA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. When instantiated with the Decisional Diffie-Hellman (DDH) assumption, this construction additionally yields encryption schemes with very short ciphertexts. - For any polynomial q, a (non-black box) construction of q-bounded NM-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. Bounded-CCA2 non-malleability is the strongest notion of security yet known to be achievable assuming only the existence of IND-CPA secure encryption schemes. Finally, we show that non-malleability and indistinguishability are not equivalent under bounded-CCA2 attacks (in contrast to general CCA2 attacks).
UR - http://www.scopus.com/inward/record.url?scp=38349013798&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-76900-2_31
DO - 10.1007/978-3-540-76900-2_31
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:38349013798
SN - 9783540768999
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 502
EP - 518
BT - Advances in Cryptology - ASIACRYPT 2007 - 13th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
PB - Springer Verlag
T2 - 13th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2007
Y2 - 2 December 2007 through 6 December 2007
ER -