We investigate public key encryption that allows the originator of a ciphertext to retrieve a "forgotten" plaintext from the ciphertext. This type of public key encryption with "backward recovery" contrasts with the more widely analyzed public key encryption with "forward secrecy". We advocate that together they form the two sides of a whole coin, thereby offering complementary roles in data security, especially in cloud computing, 3G/4G communications and other emerging computing and communication platforms. We formalize the notion of public key encryption with backward recovery, and present two construction methods together with formal analyses of their security. The first method embodies a generic public key encryption scheme with backward recovery using the "encrypt then sign" paradigm, whereas the second method provides a more efficient scheme that is built on Hofheinz and Kiltz's public key encryption in conjunction with target collision resistant hashing. Security of the first method is proved in a two-user setting, whereas that of the second is proved in a more general multi-user setting.
We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can adaptively access the key generation oracle and the encryption oracle many times (multichallenge). In particular, the adversary can adaptively query for challenge ciphertexts on different target user sets, which generalizes the attacks against broadcast encryption in the real-world setting. Our general result shows that the reduction for adaptively secure broadcast encryption loses a factor of q in the MA setting, where q is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryption, we investigate Gentry and Waters’ transformation and show that it preserves MA-security at the price of a reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the q-type assumption in Gentry and Waters’ semistatically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme, instantiated in a composite order group, is MA-secure with a constant-size ciphertext header.
This paper investigates public key encryption that has the desirable feature of allowing the sender of a ciphertext to recover the original plaintext from the ciphertext without relying on a recipient's private decryption key (PKE-SR). We propose two efficient methods for converting KEM/DEM (key encapsulation mechanisms/data encapsulation mechanisms) to PKE-SR. The first method, called pre-KEM seeding, can be applied to a large class of KEM/DEM constructions including those based on the discrete logarithm problem. Following the idea of pre-KEM seeding, we propose an efficient PKE-SR using DHIES, whose ciphertext has only one additional element, of length 160 bits, compared with that of the original DHIES. Furthermore, we show that PKE-SR can be constructed from identity-based encryption using the method of pre-KEM seeding. The second method, called post-KEM converging, is more powerful and can be employed to convert any secure KEM/DEM into a secure PKE-SR. Post-KEM converging takes advantage of an interesting property, called collision accessibility, of sibling intractable hashing. For both methods, added costs in ciphertext length and computation are minimal, making them a particularly attractive "drop-in" replacement in applications where plaintexts need to be recovered efficiently by the sender alone. We further explore the problem of constructing PKE-SR without redundancy and show such a construction for one-bit encryptions.
the ciphertext, without relying on the private decryption key of the intended recipient. This notion was first introduced by Wei et al. in [18] and called public key encryption with backward recovery. In this paper we continue this line of research.
As backward recovery is implied by decryption by sender, we will instead use the term public key encryption with sender recovery, or PKE-SR for short.
One can think of many practical applications of PKE-SR, thanks to its property of allowing the sender to decrypt a ciphertext by herself alone without the need to use a recipient's private decryption key. One example of such applications is secure email communication. Consider a situation where Alice the sender encrypts a message m under the public key of Bob the receiver and passes the resultant ciphertext c to Bob while keeping an identical copy of the ciphertext in a "Sent" folder on Alice's email server, which may physically reside in an insecure computing "cloud". We note that other than the ciphertext, Alice may not keep an additional copy of the original message m. At a later time, Alice realizes that she needs to access m, which lies in the "Sent" folder albeit in an encrypted form. With traditional public key encryption, the only way to get m back is for Alice to ask Bob to decrypt the ciphertext with Bob's decryption key, which may be impractical or undesirable from either Alice's or Bob's point of view. This dilemma is readily avoided if Alice and Bob employ the PKE-SR we propose in this article.
In [18], Wei et al. define a security model for PKE-SR and present two methods of constru...