Standard Security Does Not Imply Security against Selective-Opening

Bellare, Mihir; Dowsley, Rafael; Waters, Brent; Yilek, Scott

doi:10.1007/978-3-642-29011-4_38

Cited by 63 publications

(49 citation statements)

References 38 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Providing a meaningful definition of SOA-security for D-PKE takes some care. A definition based on semantic security for relations, as given for R-PKE in [11,8], is trivially unachievable for D-PKE because a ciphertext is already partial information about a plaintext. Thus we consider semantic security for functions, where the adversary, given ciphertexsts, aims to figure out a function of the message, this function not being given the public key and thus unable to encrypt.…”

Section: Is Soa Security Achievable?mentioning

confidence: 99%

“…Additionally we must continue to require that messages do not depend on the public key and are unpredictable. Our definition is simulation-based and combines ideas from the basic (non-SOA) definitions of secure D-PKE [5,9] with ideas from the definitions of SOA-security for R-PKE from [11,8].…”

Section: Is Soa Security Achievable?mentioning

confidence: 99%

“…Security for the message-only version is implied by IND-CPA, as shown in [16], and is thus easily achievable. Security for full SOA is not implied by IND-CPA [8]. However, using lossy encryption [31,37,11,16], it is shown in [11,16] that there exist schemes that provide full SOA under standard assumptions, so full SOA security is achievable, under standard assumptions in the standard model.…”

Section: Introductionmentioning

confidence: 99%

“…The key element of our proof is to show that for any D-PKE scheme there is an algorithm that can impose and verify an association between a message and ciphertext that is unique with high probability, even for dishonestly chosen public keys. We combine this with the technique of BDWY [8] to obtain our impossibility result. We note that for R-PKE the BDWY technique did not show impossibility of (full) SOA for all R-PKE schemes, but for a subclass of them, while we are using the technique to rule out SOA-security for all D-PKE schemes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

How Secure is Deterministic Encryption?

Bellare

Dowsley

Keelveedhi

2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper presents three curious findings about deterministic public-key encryption (D-PKE) that further our understanding of its security, in particular because of the contrast with standard, randomized public-key encryption (R-PKE):• It would appear to be a triviality, for any primitive, that security in the standard model implies security in the random-oracle model, and it is certainly true, and easily proven, for R-PKE. For D-PKE it is not clear and depends on details of the definition. In particular we can show it in the non-uniform case but not in the uniform case.• The power of selective-opening attacks (SOA) comes from an adversary's ability, upon corrupting a sender, to learn not just the message but also the coins used for encryption. For R-PKE, security is achievable. For D-PKE, where there are no coins, one's first impression may be that SOAs are vacuous and security should be easily achievable. We show instead that SOA-security is impossible, meaning no D-PKE scheme can achieve it.• For R-PKE, single-user security implies multi-user security, but we show that there are D-PKE schemes secure for a single user and insecure with two users.

show abstract

Section: Is Soa Security Achievable?mentioning

confidence: 99%

Section: Is Soa Security Achievable?mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

How Secure is Deterministic Encryption?

Bellare

Dowsley

Keelveedhi

2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Since the tokens may encode a lot of information (at least as much as the functionality's outputs) the impossibility of [AGVW12] does not apply. To commit the simulator to the tokens before learning the functionality's outputs we use technique of [BDWY12]. This technique was recently used by [BO12] to extend the impossibility of [BSW11] to hold for a non-black-box definition and without using a non-programmable random oracle.…”

Section: Non-black-box Definitionmentioning

confidence: 99%

On the Achievability of Simulation-Based Security for Functional Encryption

Iovino

Jain

et al. 2013

Advances in Cryptology – CRYPTO 2013

View full text Add to dashboard Cite

Abstract. Recently, there has been rapid progress in the area of functional encryption (FE), in which a receiver with secret-key sky can compute from an encryption of x the value F (x, y) for some functionality F . Two central open questions that remain are: (1) Can we construct FE secure under an indistinguishability-based (IND) security notion for general circuits? (2) To what extent can we achieve a simulation-based (SIM) security notion for FE? Indeed, it was previously shown that IND-security for FE is too weak for some functionalities , but that there exist striking impossibility results for SIM-security [Boneh et al. -TCC'11, Agrawal et al. -ePrint 2012]. Our work establishes a connection between these questions by giving a compiler that transforms any IND-secure FE scheme for general circuits into one that is SIM-secure for general circuits.-In the random oracle model, our resulting scheme is SIM-secure for an unbounded number of ciphertexts and key-derivation queries. We achieve this result by starting from an IND-secure FE scheme for general circuits with random oracle gates. -In the standard model, our resulting scheme is secure for a bounded number of ciphertexts and non-adaptive key-derivation queries (i.e., those made before seeing the challenge ciphertexts), but an unbounded number of adaptive key-derivation queries. These parameters match the known impossibility results for SIM-secure FE and improve upon the parameters achieved by Gorbunov et al. [CRYPTO'12]. The techniques for our compiler are inspired by constructions of non-committing encryption [Nielsen -CRYPTO '02] and the celebrated Feige-Lapidot-Shamir paradigm [FOCS'90] for obtaining zeroknowledge proof systems from witness-indistinguishable proof systems. Our compiler in the standard model requires an IND-secure FE scheme for general circuits, it leaves open the question of whether we can obtain SIM-secure FE for special cases of interest under weaker assumptions. To this end, we next show that our approach leads to a direct construction of SIM-secure hidden vector encryption (an important special case of FE that generalizes anonymous identity-based encryption). The scheme, which is set in composite order bilinear groups under subgroup decision assumptions, achieves security for a bounded number of ciphertexts but unbounded number of both non-adaptive and adaptive key-derivation queries, again matching the known impossibility results. In particular, to our knowledge this is the first construction of SIM-secure FE (for any non-trivial functionality) in the standard model handling an unbounded number of adaptive key-derivation queries. Finally, we revisit the negative results for SIM-secure FE. We observe that the known results leave open the possibility of achieving SIM-security for various natural formulations of security (such as non-black-box simulation for non-adaptive adversaries). We settle these questions in the negative, thus providing essentially a full picture of the (un)achievability of SIM-security.

show abstract

Public‐Key Encryption and Security Notions

Attrapadung

Matsuda

2022

Asymmetric Cryptography

View full text Add to dashboard Cite

Standard Security Does Not Imply Security against Selective-Opening

Cited by 63 publications

References 38 publications

How Secure is Deterministic Encryption?

How Secure is Deterministic Encryption?

On the Achievability of Simulation-Based Security for Functional Encryption

Public‐Key Encryption and Security Notions

Contact Info

Product

Resources

About