## Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization (1999)

### Cached

### Download Links

- [www.cs.ucsd.edu]
- [www.cs.ucsd.edu]
- [theory.lcs.mit.edu]
- [www-cse.ucsd.edu]
- [www.cs.ucla.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 58 - 8 self |

### BibTeX

@INPROCEEDINGS{Bellare99non-malleableencryption:,

author = {Mihir Bellare and Amit Sahai},

title = {Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization},

booktitle = {},

year = {1999},

pages = {519--536},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Keywords: Asymmetric encryption, Non-malleability, Indistinguishability, equivalence between notions, semantic security.

### Citations

1241 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...he most basic is privacy, where the goal is to ensure that an attacker does not learn any useful information about the data from the ciphertext. Goldwasser and Micali's notion of indistinguishability =-=[8]-=- forms the accepted formalization of this goal. A second goal, introduced by Dolev, Dwork and Naor [5], is non-malleability, which, roughly, requires that an attacker given a challenge ciphertext be u... |

529 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...alizations put forth to capture privacy are actually equivalent to indistinguishability. In particular this is true of semantic security [8] and for a notion of privacy based on computational entropy =-=[14, 10]-=-. These foundational results have since been refined and extended to other settings [7]. These equivalences are a cornerstone of our understating of privacy, providing evidence that we have in fact fo... |

482 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack
- Cramer, Shoup
- 1998
(Show Context)
Citation Context ...ribution (cf. [1]) or electronic payment (cf. [13]). The interest is witnessed by attention to classification of the notions of encryption [2] and new efficient constructions of non-malleable schemes =-=[3, 4]-=-. In our discussions below, we begin for simplicity by focusing on the case where the notions are considered under chosen-plaintext attacks. We will discuss the extensions to stronger attacks later. 1... |

473 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 1991
(Show Context)
Citation Context ...mation about the data from the ciphertext. Goldwasser and Micali's notion of indistinguishability [8] forms the accepted formalization of this goal. A second goal, introduced by Dolev, Dwork and Naor =-=[5]-=-, is non-malleability, which, roughly, requires that an attacker given a challenge ciphertext be unable to modify it into another, different ciphertext in such a way that the plaintexts underlying the... |

472 | Relations among Notions of Security for Public-Key Encryption Schemes - Bellare, Desai, et al. - 1998 |

360 |
Non-interactive zeroknowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1991
(Show Context)
Citation Context ...two ciphertexts are "meaningfully related" to each other. Both these goals can be considered under attacks of increasing severity: chosen-plaintext attacks, and two kinds of chosen ciphertex=-=t attacks [11, 12]-=-. Recent uses of public-key encryption have seen a growing need for, and hence attention to, stronger than basic forms of security, like non-malleability. This kind of security is important when encry... |

262 | Public-key cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
(Show Context)
Citation Context ...two ciphertexts are "meaningfully related" to each other. Both these goals can be considered under attacks of increasing severity: chosen-plaintext attacks, and two kinds of chosen ciphertex=-=t attacks [11, 12]-=-. Recent uses of public-key encryption have seen a growing need for, and hence attention to, stronger than basic forms of security, like non-malleability. This kind of security is important when encry... |

233 | A modular approach to the design and analysis of authentication and key exchange protocols
- BELLARE, CANETTI, et al.
- 1998
(Show Context)
Citation Context ...asic forms of security, like non-malleability. This kind of security is important when encryption is used as a primitive in the design of higher level protocols, for example for key distribution (cf. =-=[1]-=-) or electronic payment (cf. [13]). The interest is witnessed by attention to classification of the notions of encryption [2] and new efficient constructions of non-malleable schemes [3, 4]. In our di... |

216 | Optimal Asymmetric Encryption – How to Encrypt with RSA
- Bellare, Rogaway
- 1995
(Show Context)
Citation Context ...ribution (cf. [1]) or electronic payment (cf. [13]). The interest is witnessed by attention to classification of the notions of encryption [2] and new efficient constructions of non-malleable schemes =-=[3, 4]-=-. In our discussions below, we begin for simplicity by focusing on the case where the notions are considered under chosen-plaintext attacks. We will discuss the extensions to stronger attacks later. 1... |

113 | Public-key cryptography and password protocols
- Halevi, Krawczyk
- 1999
(Show Context)
Citation Context ...ese attacks and any relations which may exist among them. 1.7 Related work Halevi and Krawczyk introduce a weak version of chosen-ciphertext attack which they call a oneciphertextsverification attack =-=[9]-=-. This is not the same as a parallel attack. In their attack, the adversary generates a single plaintext along with a candidate ciphertext, and is allowed to ask a verification query, namely whether o... |

87 |
The notion of security for probabilistic cryptosystems
- Micali, Rackoff, et al.
- 1988
(Show Context)
Citation Context ...alizations put forth to capture privacy are actually equivalent to indistinguishability. In particular this is true of semantic security [8] and for a notion of privacy based on computational entropy =-=[14, 10]-=-. These foundational results have since been refined and extended to other settings [7]. These equivalences are a cornerstone of our understating of privacy, providing evidence that we have in fact fo... |

78 | A Uniform-Complexity Treatment of Encryption and Zero-Knowledge
- Goldreich
- 1993
(Show Context)
Citation Context ...particular this is true of semantic security [8] and for a notion of privacy based on computational entropy [14, 10]. These foundational results have since been refined and extended to other settings =-=[7]. These eq-=-uivalences are a cornerstone of our understating of privacy, providing evidence that we have in fact found the "right" formalization. Characterizations. Semantic security captures in perhaps... |

66 | Complete characterization of security notions for probabilistic private-key encryption
- Katz, Yung
- 2000
(Show Context)
Citation Context ...didate ciphertext, and is allowed to ask a verification query, namely whether or not the pair is valid. In our notion, the adversary has more power: it can access the decryption oracle. Katz and Yung =-=[12]-=- provide relations among notions of security for symmetric (i.e. shared key) encryption schemes. In this context they mention that the stronger form of non-malleability (considered here) in which we d... |

9 | KEM/DEM: Necessary and Sufficient Conditions for secure Hybrid Encryption. Available at http://eprint.iacr.org/2006/265.pdf
- HERRANZ, HOFHEINZ, et al.
- 2006
(Show Context)
Citation Context ...ertext rather than the secret key. To make this work, the coins for the secret sharing are obtained by applying a PRF to a part of the ciphertext. Both the original result and the extension appear in =-=[11]-=-. Note that DDN-Lite does not serve to show that CNM-CPA* 6! CNM-CPA or SNM-CPA* 6! SNM-CPA, because, although it is not CNM-CPA [13], it is not known to be SNM-CPA*. There remains only to justify the... |

3 |
Relations among notions of security forpublic-key encryption schemes
- Bellare, Desai, et al.
- 1998
(Show Context)
Citation Context ... Now, let us specify the relation R: Relation R(x, x, M, s1) If s1 is not a pair of distinct strings then return false Let m0, m1 be such that s1 = (m0, m1) If |x| < 2 then return false t2sx[1] ; oesx=-=[2]-=- ; ps(x[3], . . . , x[|x|]) 15sIf M 6= {m0, m1} then return false If x = m0 then bs0 else bs1 gsI3(p, t2; oe) If g = b then return true else return false The 5th line above tests that M is a canonical... |

1 |
A modular approach to the design and analysis ofauthentication and key exchange protocols
- Bellare, Canetti, et al.
- 1998
(Show Context)
Citation Context ...asic forms of security, like non-malleability. This kind of security is important when encryption is used as a primitive in the design of higher level protocols, for example for key distribution (cf. =-=[1]-=-). The interest is witnessed by attention to classification of the notions of encryption [2, 6] and efficient constructions of non-malleable schemes [3, 5]. 1.1 Themes in foundations of encryption Our... |