by Rui Zhang, Goichiro Hanaoka, Junji Shikata, Hideki Imai
Proc. of PKC’04, LNCS 2947
http://eprint.iacr.org/2003/181.ps.gz
Abstract:
In a practical system, a message is often encrypted more than once by different encryptions, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiply encrypting a message for a scheme, such as the key-insulated cryptosystems [13] and anonymous channels [8]. Intuitively, a multiple encryption should remain secure whenever at least one of its component ciphers is unbreakable. In NESSIE's latest Portfolio of recommended cryptographic primitives (Feb. 2003), it is suggested to use multiple encryption with component ciphers based on different assumptions to acquire long-term security. However, in this paper we show that this needs careful discussion. In particular, it may not hold under (adaptive) chosen ciphertext attack (CCA), even with all component ciphers CCA secure. We define an extended version of CCA called chosen ciphertext attack for multiple encryption (ME-CCA) to emulate real-world partial breaking of assumptions, and give constructions of multiple encryption satisfying ME-CCA security. Since CCA security seems so stringent, we further relax it by introducing weak ME-CCA (ME-wCCA), and prove that IND-ME-wCCA secure multiple encryption can be acquired from IND-gCCA secure component ciphers. We also study the relations among various security notions for multiple encryption. We then apply these results to key-insulated cryptosystems. It was previously only known from [13] that a generic construction exists that is provably secure against CPA; here we prove that this generic construction is in fact secure against ME-wCCA when all components are chosen IND-CCA secure. We also give an efficient generic construction of a key-insulated cryptosystem, which is so far the first generic construction provably secure against CCA (in the random oracle model).

Key words: multiple encryption, CCA security, key-insulated cryptosystem
Citations

Cited by | Title | Authors | Year
844 | Probabilistic encryption | Goldwasser, Micali | 1984
742 | Untraceable electronic mail, return addresses, and digital pseudonyms | Chaum | 1981
404 | Communication theory of secrecy systems | Shannon | 1949
355 | Nonmalleable cryptography | Dolev, Dwork, et al. |
354 | Relations among notions of security for public-key encryption schemes | Bellare, Desai, et al. |
306 | Universally composable security: A new paradigm for cryptographic protocols | Canetti | 2001
245 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack | Rackoff, Simon | 1992
196 | Threshold cryptosystem | Desmedt, Frankel | 1989
166 | Public-key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. STOC '90 | Naor, Yung |
136 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves | Frey, Rück | 1994
132 | Secure integration of asymmetric and symmetric encryption schemes | Fujisaki, Okamoto | 1999
82 | Society and group oriented cryptography | Desmedt | 1987
81 | On the security of joint signature and encryption | An, Dodis, et al. | 2002
78 | A Proposal for an ISO Standard for Public Key Encryption, Version | Shoup |
76 | Securing Threshold Cryptosystems Against Chosen Ciphertext Attack. Eurocrypt '98 | Shoup, Gennaro |
65 | OAEP reconsidered | Shoup | 2002
59 | A practical mix | Jakobsson | 1998
58 | The Discrete Logarithm Problem on Elliptic Curves of Trace One | Smart | 1997
55 | Fermat Quotient and the Polynomial Time Discrete Log Algorithm for Anomalous Elliptic Curves | Satoh, Araki | 1997
47 | Key-insulated public key cryptosystems | Dodis, Katz, et al. |
45 | Evaluation of Discrete Logarithms in a Group of p-Torsion Points of an Elliptic Curve in Characteristic p | Semaev | 1998
36 | On the security of multiple encryption | Merkle, Hellman | 1981
34 | Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization | Bellare, Sahai | 1999
23 | An optimally robust hybrid mix network | Jakobsson, Juels | 2001
18 | Cascade Ciphers: The Importance of Being First | Maurer, Massey | 1993
13 | Relaxing chosen-ciphertext security | Canetti, Krawczyk, et al. | 2003
12 | Optimistic Mixing for Exit-Polls | Golle, Zhong, et al. | 2002
9 | Flaws in Some Robust Optimistic Mix-Nets | Abe, Imai | 2003
8 | Security amplification by composition: the case of doubly-iterated, ideal ciphers | Aiello, Bellare, et al. | 1998
7 | On modeling IND-CCA security in cryptographic protocols. Cryptology ePrint Archive, Report 2003/024 | Hofheinz, Mueller-Quade, et al. | 2003
7 | Equivalence between semantic security and indistinguishability against chosen ciphertext attacks | Watanabe, Shikata, et al. | 2003
4 | Portfolio of recommended cryptographic primitives (latest version) | NESSIE | 2003
3 | Exhaustive cryptanalysis of the NBS Data Encryption Standard | Diffie, Hellman | 1977
2 | Rump session talk | Dodis, Katz | 2003
2 | Foundations of Cryptography, Volume 1. Cambridge University Press | Goldreich | 2001
2 | Foundations of Cryptography: Volume II (third posted version). Available at http://www.wisdom.weizmann.ac.il/~oded/PSBookFrag/enc.ps | Goldreich | 2002
2 | Coding constructions for blacklisting problems | Kumar, Rajagopalan, et al. | 1999
1 | Reducing elliptic curve logarithms to logarithms in a finite field | Menezes, Okamoto, et al. | 1993
1 | On the security of multi-layered encryption or CCA-security + CCA-security = CCA-security | Zhang, Hanaoka, et al. | 2003