Bounded CCA2-Secure Encryption

Cramer, Ronald; Hanaoka, Goichiro; Hofheinz, Dennis; Imai, Hideki; Kiltz, Eike; Pass, Rafael; Shelat, Abhi; Vaikuntanathan, Vinod

doi:10.1007/978-3-540-76900-2_31

Cited by 75 publications

(71 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These results imply that the approach of minimizing ciphertext overhead in the above mentioned schemes [28,22,34], by compressing group elements using a target collision resistant hash function (or a similar primitive), will not yield CCA secure or non-malleable KEMs based on non-interactive assumptions. Additionally, since the DDH-based KEM by Cramer et al [13] is contained in the KEM class, the results imply that this scheme cannot be shown fully CCA secure or non-malleable based on any non-interactive assumption. See Section 3 for a definition of the class of KEMs we consider, Section 4 for our main impossibility result, and Section 6 for further discussion about the implications and limitations of our results.…”

Section: Our Contributionmentioning

confidence: 94%

“…The class of KEMs we consider essentially captures the structure of the existing KEMs defined in standard prime order groups like Cramer-Shoup [14], Kurosawa-Desmedt [34] (with explicit rejection), Hofheinz-Kiltz [28], Hanaoka-Kurosawa [22], and Cramer et al [13], but requires the ciphertexts to consist of a single random group element and a string i.e. a ciphertext is required to be of the form (g r , f (pk, r)) where r ← Z p , p is the order of the group, pk is the public key of the scheme, f : PK × Z p → {0, 1} * is a scheme-dependent function, and PK is the public key space..…”

Section: A Class Of Simple and Space Efficient Kemsmentioning

confidence: 99%

“…Boyen-Mei-Waters [8]. Furthermore, note that the DDHbased KEM by Cramer et al [13] achieves a ciphertext overhead of just a single group element, but can only be shown to be q-bounded CCA secure (for a predetermined number of decryption queries q).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

Hanaoka

Matsuda

Schuldt

2012

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper, we focus on the problem of minimizing ciphertext overhead, and discuss the (im)possibility of constructing key encapsulation mechanisms (KEMs) with low ciphertext overhead. More specifically, we rule out the existence of algebraic black-box reductions from the (bounded) CCA security of a natural class of KEMs to any non-interactive problem. The class of KEMs captures the structure of the currently most efficient KEMs defined in standard prime order groups, but restricts an encapsulation to consist of a single group element and a string. This result suggests that we cannot rely on existing techniques to construct a CCA secure KEM in standard prime order groups with a ciphertext overhead lower than two group elements. Furthermore, we show how the properties of an (algebraic) programmable hash function can be exploited to construct a simple, efficient and CCA secure KEM based on the hardness of the decisional Diffie-Hellman problem with the ciphertext overhead of just a single group element. Since this KEM construction is covered by the above mentioned impossibility result, this enables us to derive a lower bound on the hash key size of an algebraic programmable hash function, and rule out the existence of algebraic (poly, n)-programmable hash functions in prime order groups for any integer n. The latter result answers an open question posed by Hofheinz and Kiltz (CRYPTO'08) in the case of algebraic programmable hash functions in prime order groups.

show abstract

Section: Our Contributionmentioning

confidence: 94%

Section: A Class Of Simple and Space Efficient Kemsmentioning

confidence: 99%

See 1 more Smart Citation

On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

Hanaoka

Matsuda

Schuldt

2012

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…al. [11], which is signficantly more efficient and simpler than the nonmalleable systems of either PSV [24] or Choi et. al.…”

Section: Introductionmentioning

confidence: 96%

“…Our construction will build a chosen ciphertext secure system from three components: a chosen plaintext secure system, 1-bounded CCA-secure system 2 , and a detectable CCA-secure system. Since DCCA security (trivially) implies CPA, and we can build 1-bounded CCA from CPA encryption [24,11,10], it follows that all components are realizable from DCCA as a building block.…”

Section: Introductionmentioning

confidence: 99%

Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security

Hohenberger

Lewko

Waters

2012

Advances in Cryptology – EUROCRYPT 2012

View full text Add to dashboard Cite

Abstract. We present a new approach for creating chosen ciphertext secure encryption. The focal point of our work is a new abstraction that we call Detectable Chosen Ciphertext Security (DCCA). Intuitively, this notion is meant to capture systems that are not necessarily chosen ciphertext attack (CCA) secure, but where we can detect whether a certain query CT can be useful for decrypting (or distinguishing) a challenge ciphertext CT * .We show how to build chosen ciphertext secure systems from DCCA security. We motivate our techniques by describing multiple examples of DCCA systems including creating them from 1-bit CCA secure encryption -capturing the recent Myers-shelat result (FOCS 2009). Our work identifies DCCA as a new target for building CCA secure systems.

show abstract

Public‐Key Encryption and Security Notions

Attrapadung

Matsuda

2022

Asymmetric Cryptography

View full text Add to dashboard Cite

Bounded CCA2-Secure Encryption

Cited by 75 publications

References 26 publications

On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security

Public‐Key Encryption and Security Notions

Contact Info

Product

Resources

About