Public Key Encryption for the Forgetful

Abstract: We investigate public key encryption that allows the originator of a ciphertext to retrieve a "forgotten" plaintext from the ciphertext. This type of public key encryption with "backward recovery" contrasts more widely analyzed public key encryption with "forward secrecy". We advocate that together they form the two sides of a whole coin, whereby offering complementary roles in data security, especially in cloud computing, 3G/4G communications and other emerging computing and communication platforms. We formal… Show more

“…The inefficiency of the two earlier constructions stems also from an explicit but somewhat excessive requirement of ciphertext authenticity, which allows the sender to check whether the ciphertext is generated by herself. In this paper we remove this requirement for ciphertext authenticity.A further difference between this paper a and [18] lies in the fact that solutions in [18] are more akin to multi-recipient encryption in which the sender is included as one of the recipients. In this paper we address a more challenging problem, namely to search for a solution that is not only efficient but also imposes no requirement for the sender to possess a public/secret key pair.…”

“…By the virtue of traditional public key encryption, the only way to get m back is for Alice to ask Bob to decrypt the ciphertext with Bob's decryption key, which may be impractical or undesirable from either Alice or Bob's point of view. This dilemma is readily avoided if Alice and Bob employ PKE-SR we propose in this article.In [18], Wei et al define a security model for PKE-SR and present two methods of constructing PKE-SR from the framework of key-encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) [9]. The first method in [18] is a general one using the "encrypt then sign" paradigm, whereas the second method is more efficient, being based on a concrete public key encryption scheme by Hofheinz and Kiltz [13].…”

“…More precisely, following the idea of pre-KEM seeding, we convert DHIES [1] into an efficient PKE-SR, which has only one more additional element τ of 160-bit in ciphertext and one more computation of pseudorandom function than that of DHIES. While the method proposed in [18] needs to add at least one group element of length, say 1024-bit, and one exponentiation in the corresponding group. Furthermore, we also discuss the construction of PKE-SR from identity based encryptions using a technique proposed in [5,7], where no additional elements need to be added to the ciphertext of the original scheme in [5,7].…”

“…This notion was first introduced by Wei et al in [18] and called public key encryption with backward recovery. In this paper we continue this line of research.…”

“…In [18], Wei et al define a security model for PKE-SR and present two methods of constructing PKE-SR from the framework of key-encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) [9]. The first method in [18] is a general one using the "encrypt then sign" paradigm, whereas the second method is more efficient, being based on a concrete public key encryption scheme by Hofheinz and Kiltz [13].…”

On the Construction of Public Key Encryption with Sender Recovery

“…The inefficiency of the two earlier constructions stems also from an explicit but somewhat excessive requirement of ciphertext authenticity, which allows the sender to check whether the ciphertext is generated by herself. In this paper we remove this requirement for ciphertext authenticity.A further difference between this paper a and [18] lies in the fact that solutions in [18] are more akin to multi-recipient encryption in which the sender is included as one of the recipients. In this paper we address a more challenging problem, namely to search for a solution that is not only efficient but also imposes no requirement for the sender to possess a public/secret key pair.…”

“…By the virtue of traditional public key encryption, the only way to get m back is for Alice to ask Bob to decrypt the ciphertext with Bob's decryption key, which may be impractical or undesirable from either Alice or Bob's point of view. This dilemma is readily avoided if Alice and Bob employ PKE-SR we propose in this article.In [18], Wei et al define a security model for PKE-SR and present two methods of constructing PKE-SR from the framework of key-encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) [9]. The first method in [18] is a general one using the "encrypt then sign" paradigm, whereas the second method is more efficient, being based on a concrete public key encryption scheme by Hofheinz and Kiltz [13].…”

“…More precisely, following the idea of pre-KEM seeding, we convert DHIES [1] into an efficient PKE-SR, which has only one more additional element τ of 160-bit in ciphertext and one more computation of pseudorandom function than that of DHIES. While the method proposed in [18] needs to add at least one group element of length, say 1024-bit, and one exponentiation in the corresponding group. Furthermore, we also discuss the construction of PKE-SR from identity based encryptions using a technique proposed in [5,7], where no additional elements need to be added to the ciphertext of the original scheme in [5,7].…”

“…This notion was first introduced by Wei et al in [18] and called public key encryption with backward recovery. In this paper we continue this line of research.…”

“…In [18], Wei et al define a security model for PKE-SR and present two methods of constructing PKE-SR from the framework of key-encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) [9]. The first method in [18] is a general one using the "encrypt then sign" paradigm, whereas the second method is more efficient, being based on a concrete public key encryption scheme by Hofheinz and Kiltz [13].…”

On the Construction of Public Key Encryption with Sender Recovery

Multi-recipient Encryption in Heterogeneous Setting

New Techniques for Public Key Encryption with Sender Recovery