Hedged Public-Key Encryption: How to Protect against Bad Randomness

Bellare, Mihir; Brakerski, Zvika; Naor, Moni; Ristenpart, Thomas; Segev, Gil; Shacham, Hovav; Yilek, Scott

doi:10.1007/978-3-642-10366-7_14

Cited by 108 publications

(122 citation statements)

References 29 publications

Supporting

Mentioning

122

Contrasting

Order By: Relevance

“…Moreover, for public-key encryption (as cryptosystem C) and Chosen Distribution Attack [1,2] (as game S) we will prove that C(WRO) is S-secure, which implies the appropriateness of the new concept of the WRO model.…”

Section: Our Contributions -A New Proposal Of Wro Methodology -mentioning

confidence: 86%

“…The IND-SIM security is a very weak property that an adversary cannot distinguish between encryptions of chosen messages under chosen randomness and the output of a simulator. 2 We show that any IND-SIM secure [21] 2 This definition is meaningless in the standard model because the encryption algorithm uses no further randomness beyond that input. 3 From Theorem 2 and 3, the CDA security in the WRO model is preserved if WRO is replaced with the ChopMD construction and the FOLSponge construction.…”

Section: Appropriateness Of Wromentioning

confidence: 99%

“…Thus, the next step is to show that there exists a secure cryptosystem for a multi-stage game in the WRO model. We consider public-key encryption (PKE) (as cryptosystem C) for the Chosen Distribution Attack (CDA) game [1,2] (as game S). Roughly, we say a PKE scheme is CDA secure if message privacy is preserved even if an adversary can control distributions of messages and randomness in generating the challenge ciphertext.…”

Section: Appropriateness Of Wromentioning

confidence: 99%

“…Roughly, we say a PKE scheme is CDA secure if message privacy is preserved even if an adversary can control distributions of messages and randomness in generating the challenge ciphertext. The CDA game captures several flavors of PKE settings (e.g., deterministic PKE (DPKE) [1,3,8,14,18], hedged PKE (HPKE) [2], and message-locked PKE [4]), and such PKE settings are tools for many practical applications. Thus, our target is to find a CDA secure cryptosystem in the WRO model.…”

Section: Appropriateness Of Wromentioning

confidence: 99%

“…They showed that any CPA secure PKE scheme in the RO model can be (redundancy-freely) transformed to an IND-SIM secure PKE scheme in the RO model via conversion REwH1 [2]. The IND-SIM security is a very weak property that an adversary cannot distinguish between encryptions of chosen messages under chosen randomness and the output of a simulator.…”

Section: Appropriateness Of Wromentioning

confidence: 99%

See 4 more Smart Citations

Reset Indifferentiability from Weakened Random Oracle Salvages One-Pass Hash Functions

Naito

Yoneyama

Ohta

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. Ristenpart et al. showed that the limitation of the indifferentiability theorem of Maurer et al. which does not cover all multi-stage security notions Sm but covers only single-stage security notions Ss, defined reset indifferentiability, and proved the reset indifferentiability theorem, which is an analogy of the indifferentiability theorem covers all security notions S (= Ss ∪ Sm): F1 r F2 ⇒ ∀C ∈ C, ∀S ∈ S: C(F1) ≻S C(F2) (if a hash function H U is reset indifferentiable from a random oracle RO, C ∈ C which is a set of all cryptosystems is at least as S-secure in the U model as in the RO model). Unfortunately, they also proved the impossibility of H U r RO where H is a one-pass hash construction such as ChopMD and Sponge.In this paper, we will propose a new proof of molular approach instead of the RO methodology, "Reset Indifferentiability from Weakened Random Oracle", called as the WRO methodology, in order to ensure the S-security of C with H U , salvaging ChopMD and Sponge. The concrete proof procedure of the WRO methodology is as follows:1. Define a new concept of WRO instead of RO, 2. Prove that H U r WRO, (here an example of H is ChopMD and Sponge), and 3. Prove that C is S-secure in the WRO model.As a result we can prove that C with H U is S-secure by combining the results of Steps 2, 3, and the theorem of Ristenpart et al. Moreover, for public-key encryption (as cryptosystem C) and chosendistribution attack (as the game of S ∈ Sm) we will prove that C(WRO) is S-secure, which implies the appropriateness of the new concept of the WRO model.

show abstract

Section: Our Contributions -A New Proposal Of Wro Methodology -mentioning

confidence: 86%

Section: Appropriateness Of Wromentioning

confidence: 99%

Section: Appropriateness Of Wromentioning

confidence: 99%

Section: Appropriateness Of Wromentioning

confidence: 99%

Section: Appropriateness Of Wromentioning

confidence: 99%

See 3 more Smart Citations

Reset Indifferentiability from Weakened Random Oracle Salvages One-Pass Hash Functions

Naito

Yoneyama

Ohta

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

Lossy Trapdoor Permutations with Improved Lossiness

Auerbach

Kiltz

Poettering

et al. 2019

Topics in Cryptology – CT-RSA 2019

View full text Add to dashboard Cite

Lossy Algebraic Filters with Short Tags

Libert

Qian

2019

Public-Key Cryptography – PKC 2019

View full text Add to dashboard Cite

Lossy algebraic filters (LAFs) are function families where each function is parametrized by a tag, which determines if the function is injective or lossy. While initially introduced by Hofheinz (Eurocrypt 2013) as a technical tool to build encryption schemes with key-dependent message chosen-ciphertext (KDM-CCA) security, they also find applications in the design of robustly reusable fuzzy extractors. So far, the only known LAF family requires tags comprised of Θ(n 2) group elements for functions with input space Z n p , where p is the group order. In this paper, we describe a new LAF family where the tag size is only linear in n and prove it secure under simple assumptions in asymmetric bilinear groups. Our construction can be used as a drop-in replacement in all applications of the initial LAF system. In particular, it can shorten the ciphertexts of Hofheinz's KDM-CCA-secure public-key encryption scheme by 19 group elements. It also allows substantial space improvements in a recent fuzzy extractor proposed by Wen and Liu (Asiacrypt 2018). As a second contribution, we show how to modify our scheme so as to prove it (almost) tightly secure, meaning that security reductions are not affected by a concrete security loss proportional to the number of adversarial queries.

show abstract

Hedged Public-Key Encryption: How to Protect against Bad Randomness

Cited by 108 publications

References 29 publications

Reset Indifferentiability from Weakened Random Oracle Salvages One-Pass Hash Functions

Reset Indifferentiability from Weakened Random Oracle Salvages One-Pass Hash Functions

Lossy Trapdoor Permutations with Improved Lossiness

Lossy Algebraic Filters with Short Tags

Contact Info

Product

Resources

About