On Definitions of Selective Opening Security

Böhl, Florian; Hofheinz, Dennis; Kraschewski, Daniel

doi:10.1007/978-3-642-30057-8_31

Cited by 44 publications

(26 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As with commitment, our results imply that IND-SOA-CRS security is strictly weaker than SS-SOA-CRS security, answering an open question from [2,7]. Subsequent to our work, the relations between different notions of SOA-security under sender corruptions were further clarified in [9] but whether there exist schemes that are IND-CPA but not IND-SOA-CRS secure remains open.…”

mentioning

confidence: 51%

Standard Security Does Not Imply Security against Selective-Opening

Bellare

Dowsley

Waters

et al. 2012

Advances in Cryptology – EUROCRYPT 2012

View full text Add to dashboard Cite

We show that no commitment scheme that is hiding and binding according to the standard definition is semantically-secure under selective opening attack (SOA), resolving a long-standing and fundamental open question about the power of SOAs. We also obtain the first examples of IND-CPA encryption schemes that are not secure under SOA, both for sender corruptions where encryption coins are revealed and receiver corruptions where decryption keys are revealed. These results assume only the existence of collision-resistant hash functions.

show abstract

mentioning

confidence: 51%

Standard Security Does Not Imply Security against Selective-Opening

Bellare

Dowsley

Waters

et al. 2012

Advances in Cryptology – EUROCRYPT 2012

View full text Add to dashboard Cite

show abstract

“…[17]) do not seem to match this protocol. Possibly extensions of these notions might cover this case, but it is not clear what these extensions should look like (in particular if we extend the protocol such that some of the e i,j may depend on other e i,j , e.g., by including the latter in some of the plaintexts of the former).…”

mentioning

confidence: 82%

Computational soundness without protocol restrictions

Backes

Pant

Unruh

2012

Proceedings of the 2012 ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for verifying security protocols. Recently significant progress was made in establishing computational soundness results: these results prove that Dolev-Yao style models can be sound with respect to actual cryptographic realizations and security definitions. However, these results came at the cost of imposing various constraints on the set of permitted security protocols: e.g., dishonestly generated keys must not be used, key cycles need to be avoided, and many more. In a nutshell, the cryptographic security definitions did not adequately capture these cases, but were considered carved in stone; in contrast, the symbolic abstractions were bent to reflect cryptographic features and idiosyncrasies, thereby requiring adaptations of existing verification tools.In this paper, we pursue the opposite direction: we consider a symbolic abstraction for public-key encryption and identify two cryptographic definitions called PROG-KDM (programmable key-dependent message) security and MKE (malicious-key extractable) security that we jointly prove to be sufficient for obtaining computational soundness without imposing assumptions on the protocols using this abstraction. In particular, dishonestly generated keys obtained from the adversary can be sent, received, and used. The definitions can be met by existing cryptographic schemes in the random oracle model. This yields the first computational soundness result for trace-properties that holds for arbitrary protocols using this abstraction (in particular permitting to send and receive dishonestly generated keys), and that is accessible to all existing tools for reasoning about Dolev-Yao models without further adaptations. * A short version of this paper appears at ACM CCS 2012 [7].

show abstract

“…Since the set I is the same in both executions, it must be that (π 0 , pk 0 ) = (π 1 , pk 1 ). So Indeed, for R-PKE, SOA-security definitions in both styles have been made and investigated, and the indistinguishability style is easier to achieve [11,16,17,30]. The difficulty is that for D-PKE it is not clear how to give a meaningful indistinguishability style definition of SOA-security.…”

Section: Is Soa Security Achievable?mentioning

confidence: 99%

“…The problem of SOA-security has been the subject of many works [3,21,20,2,23,33,25,22,36,11,16,26,15,29,17,30]. These have looked at R-PKE, commitment and IBE.…”

Section: Introductionmentioning

confidence: 99%

How Secure is Deterministic Encryption?

Bellare

Dowsley

Keelveedhi

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This paper presents three curious findings about deterministic public-key encryption (D-PKE) that further our understanding of its security, in particular because of the contrast with standard, randomized public-key encryption (R-PKE):• It would appear to be a triviality, for any primitive, that security in the standard model implies security in the random-oracle model, and it is certainly true, and easily proven, for R-PKE. For D-PKE it is not clear and depends on details of the definition. In particular we can show it in the non-uniform case but not in the uniform case.• The power of selective-opening attacks (SOA) comes from an adversary's ability, upon corrupting a sender, to learn not just the message but also the coins used for encryption. For R-PKE, security is achievable. For D-PKE, where there are no coins, one's first impression may be that SOAs are vacuous and security should be easily achievable. We show instead that SOA-security is impossible, meaning no D-PKE scheme can achieve it.• For R-PKE, single-user security implies multi-user security, but we show that there are D-PKE schemes secure for a single user and insecure with two users.

show abstract

On Definitions of Selective Opening Security

Cited by 44 publications

References 19 publications

Standard Security Does Not Imply Security against Selective-Opening

Standard Security Does Not Imply Security against Selective-Opening

Computational soundness without protocol restrictions

How Secure is Deterministic Encryption?

Contact Info

Product

Resources

About