## On the Impossibility of Strong Encryption over ...

### BibTeX

@MISC{Phan_onthe,

author = {Raphael C.-W. Phan and Serge Vaudenay},

title = {On the Impossibility of Strong Encryption over ...},

year = {}

}

### OpenURL

### Abstract

We give two impossibility results regarding strong encryption over an infinite enumerable domain. The first one relates to statistically secure one-time encryption. The second one relates to computationally secure encryption resisting adaptive chosen ciphertext attacks in streaming mode with bounded resources: memory, time delay or output length. Curiously, both impossibility results can be achieved with either finite or continuous domains. The latter result explains why known CCA-secure cryptosystem constructions require at least two passes to decrypt a message with bounded resources.

### Citations

1184 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...theoretic security against computationally unbounded adversaries. The first known provable security notion for (public-key) encryption is indistinguishability (IND) (or so called polynomial security) =-=[18]-=-, which has an equivalent alternative definition called semantic security [18]. These characterizations did not consider adversarial access to the decryption oracle, and thus fall within the chosen-pl... |

564 |
A Decision Method for Elementary Algebra and Geometry
- Tarski
- 1948
(Show Context)
Citation Context ...inality 2ℵ0 of continuous sets, predicates based on inequalities can be decided. That is, over logical assertion with elementary formula of form f(x) = 0 or f(x) > 0 can be decided as shown by Tarski =-=[29]-=-. Assuming the continuum hypothesis we have ℵ1 = 2ℵ0 but ℵ1 can be smaller otherwise. This hypothesis is undecidable in the standard Zermelo-Fraenkel set theory axiomatic with the axiom of choice. In ... |

340 |
Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1991
(Show Context)
Citation Context ...versarial access to the decryption oracle, and thus fall within the chosen-plaintext adversarial model (CPA). Later IND characterizations refined this to the chosen-ciphertext adversarial model (CCA) =-=[27, 28, 8]-=-. Given that the CCA adversarial model allows the adversary access to the decryption oracle, the basic idea in the design of CCA-secure schemes is to make this decryption oracle useless to the adversa... |

252 | Public-key Cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
(Show Context)
Citation Context ...versarial access to the decryption oracle, and thus fall within the chosen-plaintext adversarial model (CPA). Later IND characterizations refined this to the chosen-ciphertext adversarial model (CCA) =-=[27, 28, 8]-=-. Given that the CCA adversarial model allows the adversary access to the decryption oracle, the basic idea in the design of CCA-secure schemes is to make this decryption oracle useless to the adversa... |

203 | Chosen-ciphertext security from identity-based encryption
- Canetti, Halevi, et al.
- 2004
(Show Context)
Citation Context ...canning the plaintext once. Examples include the well-known Cramer-Shoup scheme [11] and variants [12], different forms of hybrid encryption [12, 2, 1, 20], and identitybased encryption (IBE) schemes =-=[7, 5, 6, 25]-=-. If we now relax the security notion down to IND-CPA security, we can achieve secure stream encryption with bounded resources. Consider a public-key encryption scheme OLDPKE over a finite domain (e.g... |

193 | Design and analysis of practical public-key encryption schemes secure against chosen ciphertext attack
- Cramer, Shoup
(Show Context)
Citation Context ...-CCA-secure constructions require decryption to scan the ciphertext at least twice. However, encryption can process by scanning the plaintext once. Examples include the well-known Cramer-Shoup scheme =-=[11]-=- and variants [12], different forms of hybrid encryption [12, 2, 1, 20], and identitybased encryption (IBE) schemes [7, 5, 6, 25]. If we now relax the security notion down to IND-CPA security, we can ... |

80 | How to enhance the security of public key encryption at minimum cost
- Fujisaki, Okamoto
- 1999
(Show Context)
Citation Context ...key encryption over the domain {0, 1} is feasible with these kinds of devices, we can transform it into an IND-CCA secure cryptosystem over the set of reals by adapting the Fujisaki-Okamoto transform =-=[16, 17]-=- in the random oracle model. 14In more detail, given an IND-CPA secure public key encryption OLDPKE over the bit domain {0, 1}, we can define an IND-CPA secure public key encryption TMPPKE over reals... |

77 | Improved efficiency for CCA-secure cryptosystems built using identity-based encryption
- Boneh, Katz
(Show Context)
Citation Context ...canning the plaintext once. Examples include the well-known Cramer-Shoup scheme [11] and variants [12], different forms of hybrid encryption [12, 2, 1, 20], and identitybased encryption (IBE) schemes =-=[7, 5, 6, 25]-=-. If we now relax the security notion down to IND-CPA security, we can achieve secure stream encryption with bounded resources. Consider a public-key encryption scheme OLDPKE over a finite domain (e.g... |

77 | Conditionally-perfect secrecy and a provably-secure randomized cipher
- Maurer
- 1992
(Show Context)
Citation Context ...outputs of bounded length. 1.1 Related Work In a different direction but related to the context of bounded resources, researchers have studied security models in which adversaries have bounded memory =-=[26, 19]-=-, as a compromise to achieve information theoretic security against computationally unbounded adversaries. The first known provable security notion for (public-key) encryption is indistinguishability ... |

62 | Complete characterization of security notions for probabilistic private-key encryption
- Katz, Yung
(Show Context)
Citation Context ...ion: Oracle O CPA 2 (c) 1: return ⊥ Note that in the context of PKEs, the encryption oracle is public by construction. For symmetric encryption, however, access to the encryption oracle characterizes =-=[22, 23]-=- an additional dimension to the adversary’s capability and hence corresponding security notion. In that case, an even weaker notion, so-called one-time encryption (IND-OTE) game [12, 24] and capturing... |

55 | TagKEM/DEM: A New Framework for Hybrid Encryption, Cryptology ePrint Archive: Report 2005/027
- Abe, Gennaro, et al.
- 2005
(Show Context)
Citation Context ...e well understood. Since Shannon, we know how to achieve perfect secrecy on finite sets by using the Vernam cipher (aka one-time pad). One-time pad can also be defined on the continuous unit interval =-=[0, 1]-=- by using the modulo 1 addition of a message and a ⋆ Part of work done while the author was with EPFL, Switzerland.key. However, it was shown by Chor and Kushilevitz [9, 10] that it was impossible to... |

35 | Relaxing chosen-ciphertext security
- Canetti, Krawczyk, et al.
- 2003
(Show Context)
Citation Context ...versarial access to the decryption oracle, and thus fall within the chosen-plaintext adversarial model (CPA). Later IND characterizations refined this to the chosen-ciphertext adversarial model (CCA) =-=[27, 28, 8]-=-. Given that the CCA adversarial model allows the adversary access to the decryption oracle, the basic idea in the design of CCA-secure schemes is to make this decryption oracle useless to the adversa... |

35 | Secure hybrid encryption from weakened key encapsulation
- Hofheinz, Kiltz
- 2007
(Show Context)
Citation Context ...ertext at least twice. However, encryption can process by scanning the plaintext once. Examples include the well-known Cramer-Shoup scheme [11] and variants [12], different forms of hybrid encryption =-=[12, 2, 1, 20]-=-, and identitybased encryption (IBE) schemes [7, 5, 6, 25]. If we now relax the security notion down to IND-CPA security, we can achieve secure stream encryption with bounded resources. Consider a pub... |

14 | Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models
- JOUX, MARTINET, et al.
(Show Context)
Citation Context ...s: the rest of the input blocks are not required for returning the output block up to this point. IND notions have been proposed for this particular setting to consider blockwise-adaptive adversaries =-=[21, 15]-=-, in both CPA and CCA style adversarial models [15, 14, 4]. It is known [9, 10] that weakly secure (in some statistical sense) symmetric encryption is impossible over infinite sets such as {0, 1} ∗ al... |

11 | Secret sharing over infinite domains
- Chor, Kushilevitz
- 1993
(Show Context)
Citation Context ...e continuous unit interval [0, 1] by using the modulo 1 addition of a message and a ⋆ Part of work done while the author was with EPFL, Switzerland.key. However, it was shown by Chor and Kushilevitz =-=[9, 10]-=- that it was impossible to achieve over ℵ0 under some ad-hoc generalization of the Shannon secrecy. Similarly, we can construct computationally secure encryption (in the sense of security against chos... |

9 | Practical Symmetric On-Line Encryption
- Fouque, Martinet, et al.
- 2003
(Show Context)
Citation Context ...s: the rest of the input blocks are not required for returning the output block up to this point. IND notions have been proposed for this particular setting to consider blockwise-adaptive adversaries =-=[21, 15]-=-, in both CPA and CCA style adversarial models [15, 14, 4]. It is known [9, 10] that weakly secure (in some statistical sense) symmetric encryption is impossible over infinite sets such as {0, 1} ∗ al... |

9 | On everlasting security in the hybrid bounded storage model
- Harnik, Naor
- 2006
(Show Context)
Citation Context ...outputs of bounded length. 1.1 Related Work In a different direction but related to the context of bounded resources, researchers have studied security models in which adversaries have bounded memory =-=[26, 19]-=-, as a compromise to achieve information theoretic security against computationally unbounded adversaries. The first known provable security notion for (public-key) encryption is indistinguishability ... |

7 |
Online Encryption Schemes: New Security Notions and Constructions
- Boldyreva, Taesombut
- 2004
(Show Context)
Citation Context ...lity for strong encryption would indicate that strong encryption schemes over infinite domains exist. For the symmetric (blockwise) encryption context, the concept of online encryption and decryption =-=[3, 4, 13, 14]-=- has been considered. The motivation for this is related to the desire to provide a kind of streaming capability without needing to buffer the entire text or wait until the entire text is received bef... |

6 | Blockwise adversarial model for on-line ciphers and symmetric encryption schemes
- Fouque, Joux, et al.
- 2004
(Show Context)
Citation Context ...lity for strong encryption would indicate that strong encryption schemes over infinite domains exist. For the symmetric (blockwise) encryption context, the concept of online encryption and decryption =-=[3, 4, 13, 14]-=- has been considered. The motivation for this is related to the desire to provide a kind of streaming capability without needing to buffer the entire text or wait until the entire text is received bef... |

5 | Authenticated On-Line Encryption
- Fouque, Joux, et al.
- 2003
(Show Context)
Citation Context ...lity for strong encryption would indicate that strong encryption schemes over infinite domains exist. For the symmetric (blockwise) encryption context, the concept of online encryption and decryption =-=[3, 4, 13, 14]-=- has been considered. The motivation for this is related to the desire to provide a kind of streaming capability without needing to buffer the entire text or wait until the entire text is received bef... |

3 | CCA2 Secure IBE: Standard Model Efficiency through Authenticated Symmetric Encryption., Topics in Cryptology
- Kiltz, Vahlis
- 2008
(Show Context)
Citation Context ...cle, the basic idea in the design of CCA-secure schemes is to make this decryption oracle useless to the adversary in terms of breaking IND. For this, some implicit or explicit form of validity check =-=[25]-=- is typically designed into the decryption algorithms of these schemes. This necessitates having two passes 2over the text input: for encryption, the first pass over the plaintext to obtain the ciphe... |

1 |
Full version available at http://www-cse.ucsd.edu/users/mihir/papers/olc.html
- Bellare, Boldyreva, et al.
- 2001
(Show Context)
Citation Context |

1 |
Secret Sharing over Infinite Domains (Extended Abstract
- Chor, Kushilevitz
- 1990
(Show Context)
Citation Context ...e continuous unit interval [0, 1] by using the modulo 1 addition of a message and a ⋆ Part of work done while the author was with EPFL, Switzerland.key. However, it was shown by Chor and Kushilevitz =-=[9, 10]-=- that it was impossible to achieve over ℵ0 under some ad-hoc generalization of the Shannon secrecy. Similarly, we can construct computationally secure encryption (in the sense of security against chos... |

1 |
A General Construction of
- Kiltz, Malone-Lee
- 2003
(Show Context)
Citation Context ...characterizes [22, 23] an additional dimension to the adversary’s capability and hence corresponding security notion. In that case, an even weaker notion, so-called one-time encryption (IND-OTE) game =-=[12, 24]-=- and capturing passive security makes even the encryption oracle unavailable to the adversary. We define Adv IND-ATK P KE,AE = | Pr[˜b = b] − 1| and Adv IND-ATK P KE 2 = max(Adv AE IND-ATK P KE,AE ) w... |