Sandro Coretti scite author profile

One approach towards basing public-key encryption (PKE) schemes on weak and credible assumptions is to build "stronger" or more general schemes generically from "weaker" or more restricted ones. One particular line of work in this context was initiated by Myers and shelat (FOCS '09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt '12), who provide constructions of multi-bit CCA-secure PKE from single-bit CCA-secure PKE.It is well-known that encrypting each bit of a plaintext string independently is not CCA-securethe resulting scheme is malleable. We therefore investigate whether this malleability can be dealt with using the conceptually simple approach of applying a suitable non-malleable code (Dziembowski et al., ICS '10) to the plaintext and subsequently encrypting the resulting codeword bitby-bit. We find that an attacker's ability to ask multiple decryption queries requires that the underlying code be continuously non-malleable (Faust et al., TCC '14). Since, as we show, this flavor of non-malleability can only be achieved if the code is allowed to "self-destruct," the resulting scheme inherits this property and therefore only achieves a weaker variant of CCA security.We formalize this new notion of so-called self-destruct CCA security (SD-CCA) as CCA security with the restriction that the decryption oracle stops working once the attacker submits an invalid ciphertext. We first show that the above approach based on non-malleable codes yields a solution to the problem of domain extension for SD-CCA-secure PKE, provided that the underlying code is continuously non-malleable against a reduced form of bit-wise tampering. Then, we prove that the code of Dziembowski et al. is actually already continuously non-malleable against (even full ) bit-wise tampering; this constitutes the first information-theoretically secure continuously nonmalleable code, a technical contribution that we believe is of independent interest. Compared to the previous approaches to PKE domain extension, our scheme is more efficient and intuitive, at the cost of not achieving full CCA security. Our result is also one of the first applications of non-malleable codes in a context other than memory tampering.

show abstract

Non-Malleable Encryption: Simpler, Shorter, Stronger

Coretti

Dodis

Tackmann

et al. 2015

View full text Add to dashboard Cite

In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security:1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security?We answer all three questions in the positive. First, we improve the rate in the construction of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ 2 ) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural "encode-then-encrypt-bit-by-bit" approach to work.Finally, we introduce a new security notion for public-key encryption (PKE) that we dub nonmalleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results-(faster) construction from IND-CPA and domain extension from one-bit scheme-also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.

show abstract

Nonlocality is Transitive

Coretti¹,

Hänggi²,

Wolf³

2011

Phys. Rev. Lett.

View full text Add to dashboard Cite

We show a transitivity property of nonlocal correlations: There exist tripartite nonsignaling correlations of which the bipartite marginals between A and B as well as B and C are nonlocal and any tripartite nonsignaling system between A, B, and C consistent with them must be such that the bipartite marginal between A and C is also nonlocal. This property represents a step towards ruling out certain alternative models for the explanation of quantum correlations such as hidden communication at finite speed. Whereas it is not possible to rule out this model experimentally, it is the goal of our approach to demonstrate this explanation to be logically inconsistent: either the communication cannot remain hidden, or its speed has to be infinite. The existence of a three-party system that is pairwise nonlocal is of independent interest in the light of the monogamy property of nonlocality.

show abstract

Random Oracles and Non-uniformity

Coretti

Dodis

Guo

et al. 2018

View full text Add to dashboard Cite

Constructing Confidential Channels from Authenticated Channels—Public-Key Encryption Revisited

Coretti

Maurer

Tackmann

2013

View full text Add to dashboard Cite

Abstract. The security of public-key encryption (PKE), a widely-used cryptographic primitive, has received much attention in the cryptology literature. Many security notions for PKE have been proposed, including several versions of CPA-security, CCA-security, and non-malleability. These security notions are usually defined via a game that no efficient adversary can win with non-negligible probability or advantage.If a PKE scheme is used in a larger protocol, then the security of this protocol is proved by showing a reduction of breaking a certain security property of the PKE scheme to breaking the security of the protocol. A major problem is that each protocol requires in principle its own tailormade security reduction. Moreover, which security notion of the PKE scheme should be used in a given context is a priori not evident; the employed games model the use of the scheme abstractly through oracle access to its algorithms, and the sufficiency for specific applications is neither explicitly stated nor proven.In this paper we propose a new approach to investigating the application of PKE, based on the constructive cryptography framework [24,25]. The basic use of PKE is to enable confidential communication from a sender A to a receiver B, assuming A is in possession of B's public key. One can distinguish two relevant cases: The (non-confidential) communication channel from A to B can be authenticated (e.g., because messages are signed) or non-authenticated. The application of PKE is shown to provide the construction of a secure channel from A to B from two (assumed) authenticated channels, one in each direction, or, alternatively, if the channel from A to B is completely insecure, the construction of a confidential channel without authenticity. Composition then means that the assumed channels can either be physically realized or can themselves be constructed cryptographically, and also that the resulting channels can directly be used in any applications that require such a channel. The composition theorem of constructive cryptography guarantees the soundness of this approach, which eliminates the need for separate reduction proofs.We also revisit several popular game-based security notions (and variants thereof) and give them a constructive semantics by demonstrating which type of construction is achieved by a PKE scheme satisfying which notion. In particular, the necessary and sufficient security notions for the above two constructions to work are CPA-security and a variant of CCAsecurity, respectively.

show abstract

Security Analysis and Improvements for the IETF MLS Standard for Group Messaging

Alwen¹,

Coretti²,

Dodis

et al. 2020

View full text Add to dashboard Cite

Constant-Round Asynchronous Multi-Party Computation Based on One-Way Functions

Coretti

Garay

Hirt

et al. 2016

View full text Add to dashboard Cite

12 3

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Sandro Coretti

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

From Single-Bit to Multi-bit Public-Key Encryption via Non-malleable Codes

Non-Malleable Encryption: Simpler, Shorter, Stronger

Nonlocality is Transitive

Random Oracles and Non-uniformity

Constructing Confidential Channels from Authenticated Channels—Public-Key Encryption Revisited

Security Analysis and Improvements for the IETF MLS Standard for Group Messaging

Constant-Round Asynchronous Multi-Party Computation Based on One-Way Functions

Contact Info

Product

Resources

About