@MISC{Birkett10onplaintext-aware, author = {James Birkett}, title = { On Plaintext-Aware PUBLIC-KEY ENCRYPTION SCHEMES}, year = {2010} }

Share

OpenURL

Abstract

Plaintext awareness is a property of a public-key encryption scheme intended to capture the idea that the only way to produce a valid ciphertext is to take a message and encrypt it. The idea is compelling, but the devil, as always, is in the details. The established definition of plaintext awareness in the standard model is known as PA2 plaintext awareness and was introduced by Bellare and Palacio. We propose a modified definition of plaintext awareness, which we call 2PA2, in which the arbitrary stateful plaintext creators of the PA2 definition are replaced with a choice of two fixed stateless plaintext creators. We show that under reasonable conditions our new definition is equivalent to the standard one. We also adapt techniques used by Teranishi and Ogata to show that no encryption scheme which allows arbitrarily long messages can be PA2 plaintext aware, a disadvantage which our new definition does not appear to share. Dent has shown that a variant of the Cramer-Shoup encryption scheme based on the Diffie-Hellman problem is PA2 plaintext aware under the Diffie-Hellman Knowledge (DHK) assumption. We present a generalisation of this assumption to arbitrary subset membership problems, which we call the Subset Witness Knowledge (SWK) assumption, and use it to show that the generic Cramer-Shoup and Kurosawa-Desmedt encryption schemes based on hash proof systems are plaintext aware. In the case of the Diffie-Hellman problem, the SWK assumption is exactly the Diffie-Hellman Knowledge assumption, but we also discuss several other possible instantiations of this assumption.