## Relations among notions of security for public-key encryption schemes (1998)

Citations: 475 (68 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare98relationsamong,
    author = {Mihir Bellare and David Pointcheval and Phillip Rogaway},
    title = {Relations among notions of security for public-key encryption schemes},
    booktitle = {},
    year = {1998},
    pages = {26--45},
    publisher = {Springer-Verlag}
}
```

### Abstract

We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.

### Citations

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, P
- 1993

Citation Context ...m-oracle (RO) model. Recall that in the RO model one embellishes the customary model of computation by providing all parties (good and bad alike) with a random function H from strings to strings. See [5] for a description of the random-oracle model and a discussion of its use. The six notions of security we have described can be easily "lifted" to the RO model, giving six corresponding definitions. On...

1255 | Probabilistic encryption
- Goldwasser, Micali
- 1984

Citation Context ... particular goal and a particular attack model. This viewpoint was suggested to us by Moni Naor [25]. We consider two different goals: indistinguishability of encryptions, due to Goldwasser and Micali [21], and non-malleability, due to Dolev, Dwork and Naor [13]. Indistinguishability (IND) formalizes an adversary's inability to learn any information about the plaintext x underlying a challenge cipherte...

760 | Pseudo-random Generation from one-way functions (Extended Abstracts)
- Impagliazzo, Levin, et al.
- 1989

Citation Context ...ption. We know that the existence of even a IND-CPA secure encryption scheme implies the existence of a one-way function [23] which in turn implies the existence of a family of pseudorandom functions [22, 20].) Here each $F^k = \{F_K : K \in \{0,1\}^k\}$ is a finite collection in which each key $K \in \{0,1\}^k$ indexes a particular function $F_K : \{0,1\}^k \to \{0,1\}^k$. We define the new encryption scheme $\mathcal{PE}' = (\mathcal{K}',$...

668 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986

Citation Context ...s implemented via pseudorandom function families. Our construction. Let $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the given NM-CCA1 secure encryption scheme. Fix a family $F = \{F^k : k \ge 1\}$ of pseudorandom functions as per [20]. (Notice that this is not an extra assumption. We know that the existence of even a IND-CPA secure encryption scheme implies the existence of a one-way function [23] which in turn implies the existen...

532 | Theory and applications of trapdoor functions
- Yao
- 1982

Citation Context ...on [13] and the 1995 technical report [14], do not contain these claims.) Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and Micali [21] and continues with Yao [29], Micali, Rackoff and Sloan [24], and Goldreich [18, 19]. These works treat privacy under chosen-plaintext attack (the notion we are capturing via IND-CPA). They show that various formalizations of it ...

486 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack
- Cramer, Shoup
- 1998

Citation Context ... security. Schemes proven secure under standard assumptions include that of [26], which meets IND-CCA1, that of [13], which meets IND-CCA2, and the much more efficient recent scheme of Cramer and Shoup [10], which also meets IND-CCA2. Next are the schemes proven secure in a random-oracle model; here we have those of [5, 6], which meet PA and are as efficient as schemes in current standards. Then there are...

475 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000

Citation Context ...point was suggested to us by Moni Naor [25]. We consider two different goals: indistinguishability of encryptions, due to Goldwasser and Micali [21], and non-malleability, due to Dolev, Dwork and Naor [13]. Indistinguishability (IND) formalizes an adversary's inability to learn any information about the plaintext x underlying a challenge ciphertext y, capturing a strong notion of privacy. Non-malleabil...

379 | A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation
- BELLARE, JOKIPII
- 1997

Citation Context ...rity for public-key (i.e. asymmetric) encryption. The same questions can be asked for private-key (i.e. symmetric) encryption. Definitions for symmetric encryption scheme privacy under CPA were given by [2]. Those notions can be lifted to deal with CCA. Definitions for non-malleability in the private-key setting can be obtained by adapting the public-key ones. Again we would expect (and hope) that, if pr...

363 | Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
- Rackoff, Simon
- 1992

Citation Context ...eries to the decryption oracle cannot depend on the challenge y. Colloquially this attack has also been called a "lunchtime," "lunch-break," or "midnight" attack.) Under CCA2, due to Rackoff and Simon [27], the adversary again gets (in addition to the public key) access to an oracle for the decryption function, but this time she may use this decryption function even on ciphertexts chosen after obtainin...

263 | Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks
- Naor, Yung
- 1990

Citation Context ...e adversary can obtain ciphertexts of plaintexts of her choice. In the public-key setting, giving the adversary the public key suffices to capture these attacks. Under CCA1, formalized by Naor and Yung [26], the adversary gets, in addition to the public key, access to an oracle for the decryption function. The adversary may use this decryption function only for the period of time preceding her being giv...

250 | A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1
- Bleichenbacher
- 1998

Citation Context ...ther remarks. We comment that non-malleability is a general notion that applies to primitives other than encryption [13]. Our discussion is limited to its use in asymmetric encryption. Bleichenbacher [8] has recently shown that a popular encryption scheme, RSA PKCS #1, does not achieve IND-CCA1. He also describes a popular protocol for which this causes problems. His results reinforce the danger of a...

234 | A modular approach to the design and analysis of authentication and key exchange protocols
- BELLARE, CANETTI, et al.
- 1998

Citation Context ...ols for designing higher level protocols. For example, encryption schemes meeting IND-CCA2 appear to be the right tools in the design of authenticated key exchange protocols in the public-key setting [1]. As another example, the designers of SET (Secure Electronic Transactions) selected an encryption scheme which achieves more than IND-CPA [25]. This was necessary, insofar as the SET protocols would ...

218 | Optimal Asymmetric Encryption - How to Encrypt with RSA
- Bellare, Rogaway
- 1995

Citation Context ...1.3 Plaintext Awareness. Another adversarial goal we will consider is plaintext awareness (PA), first defined by Bellare and Rogaway [4]. PA formalizes an adversary’s inability to create a ciphertext y without “knowing” its underlying plaintext x. (In the case that the adversary creates an “invalid” ciphertext what she should know is tha...

129 | Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988

Citation Context ... not secure in the sense of PA. 4.3 Proof of Theorem 4.2: PA $\Rightarrow$ IND-CCA2. Intuition. The basic idea for proving chosen-ciphertext security in the presence of some kind of proof of knowledge goes back to [16, 17, 9, 12]. Let us begin by recalling it. Assume there is some adversary $A = (A_1, A_2)$ that breaks $\mathcal{PE}$ in the IND-CCA2 sense. We construct an adversary $A' = (A'_1, A'_2)$ that breaks $\mathcal{PE}$ in the IND-CPA sen...

120 | One-way Functions are Essential for Complexity Based Cryptography
- Impagliazzo, Luby
- 1989

Citation Context ... of pseudorandom functions as per [20]. (Notice that this is not an extra assumption. We know that the existence of even a IND-CPA secure encryption scheme implies the existence of a one-way function [23] which in turn implies the existence of a family of pseudorandom functions [22, 20].) Here each $F^k = \{F_K : K \in \{0,1\}^k\}$ is a finite collection in which each key $K \in \{0,1\}^k$ indexes a particular fu...

88 | The notion of security for probabilistic cryptosystems
- Micali, Rackoff, et al.
- 1988

Citation Context ...report [14], do not contain these claims.) Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and Micali [21] and continues with Yao [29], Micali, Rackoff and Sloan [24], and Goldreich [18, 19]. These works treat privacy under chosen-plaintext attack (the notion we are capturing via IND-CPA). They show that various formalizations of it are equivalent, in various mode...

80 | A uniform-complexity treatment of encryption and zero-knowledge
- Goldreich
- 1993

Citation Context ...contain these claims.) Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and Micali [21] and continues with Yao [29], Micali, Rackoff and Sloan [24], and Goldreich [18, 19]. These works treat privacy under chosen-plaintext attack (the notion we are capturing via IND-CPA). They show that various formalizations of it are equivalent, in various models. Specifically, Goldwas...

69 | Zero-knowledge proofs of knowledge without interaction
- Santis, Persiano
- 1992

Citation Context ...rmulation of plaintext awareness for the standard model. One might imagine that plaintext awareness coincides with semantic security coupled with a (non-interactive) zero-knowledge proof of knowledge [12] of the plaintext. But this is not valid. The reason is the way the extractor operates in the notion and scheme of [12]: the common random string (even if viewed as part of the public key) is under th...

58 | Non-Malleable Encryption: Equivalence between Two Notions and an Indistinguishability-Based Characterization
- Bellare, Sahai
- 1999

Citation Context ...ce of some appropriate simulator. We believe our formulation is simpler. It is defined via an experiment involving only the adversary; there is no simulator. Nonetheless, the definitions are equivalent [7], under any form of attack. Thus the results in this paper are not affected by the definitional change. We view the new definition as an additional, orthogonal contribution which could simplify the task ...

38 | Private communication
- Barak, Impagliazzo, et al.
- 2004

Citation Context ... possible goals and the various possible attack models, and then obtain each definition as a pairing of a particular goal and a particular attack model. This viewpoint was suggested to us by Moni Naor [25]. We consider two different goals: indistinguishability of encryptions, due to Goldwasser and Micali [21], and non-malleability, due to Dolev, Dwork and Naor [13]. Indistinguishability (IND) formalizes...

37 | Does parallel repetition lower the error in computationally sound protocols - Bellare, Impagliazzo, et al. - 1997 |

27 | Immunizing public key cryptosystems against chosen ciphertext attacks
- Zheng, Seberry
- 1993

Citation Context ...schemes proven secure in a random-oracle model; here we have those of [5, 6], which meet PA and are as efficient as schemes in current standards. Then there are schemes without proofs, such as those of [11, 30]. Finally, there are schemes for non-standard models, like [16, 27]. We comment that it follows from our results that the above mentioned scheme of [10], shown to meet IND-CCA2, is also non-malleable,...

10 | Symmetric public-key encryption
- Galil, Haber, et al.

Citation Context ... not secure in the sense of PA. 4.3 Proof of Theorem 4.2: PA $\Rightarrow$ IND-CCA2. Intuition. The basic idea for proving chosen-ciphertext security in the presence of some kind of proof of knowledge goes back to [16, 17, 9, 12]. Let us begin by recalling it. Assume there is some adversary $A = (A_1, A_2)$ that breaks $\mathcal{PE}$ in the IND-CCA2 sense. We construct an adversary $A' = (A'_1, A'_2)$ that breaks $\mathcal{PE}$ in the IND-CPA sen...

10 | Foundations of cryptography. Class notes
- Goldreich
- 1989

Citation Context ...contain these claims.) Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and Micali [21] and continues with Yao [29], Micali, Rackoff and Sloan [24], and Goldreich [18, 19]. These works treat privacy under chosen-plaintext attack (the notion we are capturing via IND-CPA). They show that various formalizations of it are equivalent, in various models. Specifically, Goldwas...

3 | Security against replay chosen ciphertext attack. Distributed Computing and Cryptography
- Galil, Haber, et al.
- 1991

Citation Context ... not secure in the sense of PA. 4.3 Proof of Theorem 4.2: PA $\Rightarrow$ IND-CCA2. Intuition. The basic idea for proving chosen-ciphertext security in the presence of some kind of proof of knowledge goes back to [16, 17, 9, 12]. Let us begin by recalling it. Assume there is some adversary $A = (A_1, A_2)$ that breaks $\mathcal{PE}$ in the IND-CCA2 sense. We construct an adversary $A' = (A'_1, A'_2)$ that breaks $\mathcal{PE}$ in the IND-CPA sen...

1 | A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation - Bellare, Desai, et al. - 1997 |

1 | Damgård, Towards practical public key cryptosystems secure against chosen ciphertext attacks
- unknown authors
- 1991

Citation Context ...schemes proven secure in a random-oracle model; here we have those of [5, 6], which meet PA and are as efficient as schemes in current standards. Then there are schemes without proofs, such as those of [11, 30]. Finally, there are schemes for non-standard models, like [16, 27]. We comment that it follows from our results that the above mentioned scheme of [10], shown to meet IND-CCA2, is also non-malleable,...