Results 1 - 8 of 8
Efficient Chosen-Ciphertext Security via Extractable Hash
Abstract

Cited by 11 (0 self)
Abstract. We introduce the notion of an extractable hash proof system. Essentially, this is a special kind of non-interactive zero-knowledge proof of knowledge system where the secret keys may be generated in one of two modes to allow for either simulation or extraction.
– We show how to derive efficient CCA-secure encryption schemes via extractable hash proofs in a simple and modular fashion. Our construction clarifies and generalizes the recent factoring-based cryptosystem of Hofheinz and Kiltz (Eurocrypt ’09), and is reminiscent of an approach proposed by Rackoff and Simon (Crypto ’91). We show how to instantiate extractable hash proof systems for hard search problems, notably factoring and computational Diffie-Hellman. Using our framework, we obtain the first CCA-secure encryption scheme based on CDH where the public key is a constant number of group elements and a more modular and conceptually simpler variant of the Hofheinz-Kiltz cryptosystem (though less efficient).
– We introduce adaptive trapdoor relations, a relaxation of the adaptive trapdoor functions considered by Kiltz, Mohassel and O’Neil (Eurocrypt ’10), which nonetheless imply CCA-secure encryption schemes. We show how to construct such relations using extractable hash proofs, which in turn yields realizations from hardness of factoring and CDH.
Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security
, 2012
Abstract

Cited by 7 (0 self)
We present a new approach for creating chosen ciphertext secure encryption. The focal point of our work is a new abstraction that we call Detectable Chosen Ciphertext Security (DCCA). Intuitively, this notion is meant to capture systems that are not necessarily chosen ciphertext attack (CCA) secure, but where we can detect whether a certain query CT can be useful for decrypting (or distinguishing) a challenge ciphertext CT*. We show how to build chosen ciphertext secure systems from DCCA security. We motivate our techniques by describing multiple examples of DCCA systems including creating them from 1-bit CCA secure encryption — capturing the recent Myers-shelat result (FOCS 2009). Our work identifies DCCA as a new target for building CCA secure systems.
Identity-Based (Lossy) Trapdoor Functions and Applications
, 2011
Abstract

Cited by 7 (2 self)
We provide the first constructions of identity-based (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identity-based trapdoor functions provide an automatic way to realize, in the identity-based setting, many functionalities previously known only in the public-key setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware Encryption Scheme
, 2013
Abstract

Cited by 2 (0 self)
We present a construction of a CCA2-secure encryption scheme from a plaintext aware, weakly simulatable public key encryption scheme. The notion of plaintext aware, weakly simulatable public key encryption has been considered previously by Myers, Sergi and shelat (SCN, 2012) and natural encryption schemes such as the Damgård Elgamal Scheme (Damgård, Crypto, 1991) and the Cramer-Shoup Lite Scheme (Cramer and Shoup, SIAM J. Comput., 2003) were shown to satisfy these properties. Recently, Myers, Sergi and shelat (SCN, 2012) defined an extension of non-malleable CCA1 security, called cNM-CCA1, and showed how to construct a cNM-CCA1-secure encryption scheme from a plaintext aware and weakly simulatable public key encryption scheme. Our work extends and improves on this result by showing that a full CCA2-secure encryption scheme can be constructed from the same assumptions.
Key words: CCA2-secure encryption, plaintext aware encryption, weakly simulatable public
The basic security requirement for public key encryption schemes is Chosen Plaintext Attack (CPA) security [GM84] (also known as semantic security), which ensures security against a passive, eavesdropping
Building lossy trapdoor functions from lossy encryption
ASIACRYPT 2013, Part II, volume 8270 of LNCS
, 2013
Abstract

Cited by 2 (0 self)
Injective one-way trapdoor functions are one of the most fundamental cryptographic primitives. In this work we show how to derandomize lossy encryption (with long messages) to obtain lossy trapdoor functions, and hence injective one-way trapdoor functions. Bellare, Halevi, Sahai and Vadhan (CRYPTO ’98) showed that if Enc is an IND-CPA secure cryptosystem, and H is a random oracle, then x ↦ Enc(x, H(x)) is an injective trapdoor function. In this work, we show that if Enc is a lossy encryption with messages at least 1 bit longer than randomness, and h is a pairwise independent hash function, then x ↦ Enc(x, h(x)) is a lossy trapdoor function, and hence also an injective trapdoor function. The works of Peikert, Vaikuntanathan and Waters and Hemenway, Libert, Ostrovsky and Vergnaud showed that statistically-hiding 2-round Oblivious Transfer (OT) is equivalent to Lossy Encryption. In their construction, if the sender randomness is shorter than the message in the OT, it will also be shorter than the message in the lossy encryption. This gives an alternate interpretation of our main result. In this language, we show that any 2-message statistically sender-private semi-honest oblivious transfer (OT) for strings longer than the sender randomness implies the existence of injective one-way trapdoor functions. This is in contrast to the black box separation of injective trapdoor functions from many common cryptographic protocols, e.g. IND-CCA encryption.
Enhanced Chosen-Ciphertext Security and Applications
, 2012
Abstract
We introduce and study a new notion of enhanced chosen-ciphertext security (ECCA) for public-key encryption. Loosely speaking, in ECCA, when the decryption oracle returns a plaintext to the adversary, it also provides coins under which the returned plaintext encrypts to the queried ciphertext (when they exist). Our results mainly concern the case where such coins can also be recovered efficiently. We provide constructions of ECCA encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT 2010), resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA encryption: (1) We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions (namely, we show that both primitives are equivalent to ECCA encryption), resolving a main open question of Kiltz et al. (2) We show that ECCA encryption can be used to securely realize an approach to public-key encryption with non-interactive opening (PKENO) suggested by Damgård and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite different from those in prior work. We believe our results indicate that ECCA is an intriguing notion that may prove useful in further work.
An Efficient CCA2-Secure Variant of the McEliece Cryptosystem in the Standard Model
Abstract
Abstract. Recently, a few CCA2-secure (IND-CCA2) variants of the McEliece cryptosystem in the standard model were introduced. All these schemes are based on the Rosen-Segev approach and lossy trapdoor functions and utilize the k-repetition paradigm. The main drawback of these schemes is that they need additional encryption and have large key size compared to the original scheme, which complicates the public-key size problem in code-based cryptosystems. Furthermore, full CCA2-security of these schemes is achieved by using a strongly unforgeable one-time signature scheme, and so the resulting scheme needs separate encryption. Therefore, these schemes are completely impractical. In this manuscript, we propose a new and efficient IND-CCA2 variant of the McEliece cryptosystem in the standard model. The main novelty is that, unlike previous approaches, our approach is a generic transformation and can be applied to any code-based one-way cryptosystem (both the McEliece and the Niederreiter cryptosystems). Our approach also eliminates the encryption repetition and the use of a strongly unforgeable one-time signature scheme. This novel approach is more efficient: the public/secret keys are as in the original scheme and the encryption/decryption complexity is comparable to the original scheme. CCA2-security of the proposed scheme can be reduced in the standard model to the McEliece assumptions. To the best of our knowledge, this is the first variant of a code-based cryptosystem that is IND-CCA2 in the standard model without using the k-repetition paradigm and a strongly unforgeable one-time signature scheme.
Publicly Evaluable Pseudorandom Functions and Their Applications
, 2014
Abstract
We put forth the notion of publicly evaluable pseudorandom functions (PEPRFs), which is a non-trivial extension of the standard pseudorandom functions (PRFs). Briefly, PEPRFs are defined over a domain X containing an NP language L in which the witness is hard to extract on average, and each secret key sk is associated with a public key pk. For any x ∈ L, in addition to evaluating F_sk(x) using sk as in the standard PRFs, one is also able to evaluate F_sk(x) with pk, x and a witness w for x ∈ L. We consider two security notions for PEPRFs. The basic one is weak-pseudorandomness, which stipulates that a PEPRF cannot be distinguished from a uniform random function at randomly chosen inputs. The strengthened one is adaptively weak-pseudorandomness, which requires that a PEPRF remains weak-pseudorandom even when the adversary is given adaptive access to an evaluation oracle. We conduct a formal study of PEPRFs, focusing on applications, constructions, and extensions.
• We show how to construct chosen-plaintext secure (CPA) and chosen-ciphertext secure (CCA) public-key encryption schemes (PKE) from (adaptive) PEPRFs. The construction is simple, black-box, and admits a direct proof of security. We provide evidence