Receiver-Anonymity in Rerandomizable RCCA-Secure Cryptosystems Resolved

Wang, Yi; Chen, Rongmao; Yang, Guomin; Huang, Xinyi; Wang, Baosheng; Yung, Moti

doi:10.1007/978-3-030-84259-8_10

Cited by 6 publications

(4 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prabhakaran and Rosulek [32] introduced the first Rand-RCCA PKE in the standard model. Abstracting the scheme of [32], and solving a long-standing open problem, recently Wang et al [35] introduced the first receiver-anonymous Rand-RCCA PKE. Faonio and Fiore [12] introduced a practical Rand-RCCA PKE in the random oracle model.…”

Section: Related Workmentioning

confidence: 99%

“…We leave as open problem to provide a generic framework to instantiate (almost) tightly-secure Rand-RCCA-secure PKE. Possible starting points are the HPS-based frameworks of [35] for Rand-RCCA schemes and [21] for tightlysecure (LR-)CCA-secure schemes. Recently, Faonio and Russo [15] improved over the mix-net protocol of [13], giving a more efficient instantiation based on non publicly-verifiable Rand-RCCA PKE schemes; however, their construction requires a leakage-resilient scheme.…”

Section: Open Problemsmentioning

confidence: 99%

See 1 more Smart Citation

Almost Tightly-Secure Re-randomizable and Replayable CCA-Secure Public Key Encryption

Faonio

Hofheinz

Russo

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Re-randomizable Replayable CCA-secure public key encryption (Rand-RCCA PKE) schemes guarantee security against chosenciphertext attacks while ensuring the useful property of re-randomizable ciphertexts. We introduce the notion of multi-user and multi-ciphertext Rand-RCCA PKE and we give the first construction of such a PKE scheme with an almost tight security reduction to a standard assumption. Our construction is structure preserving and can be instantiated over Type-1 pairing groups. Technically, our work borrows ideas from the state-of-theart Rand-RCCA PKE scheme of Faonio et al. (ASIACRYPT'19) and the adaptive partitioning technique of Hofheinz (EUROCRYPT'17). Additionally, we show (1) how to turn our scheme into a publicly verifiable (pv) Rand-RCCA scheme and (2) that plugging our pv-Rand-RCCA PKE scheme into the MixNet protocol of Faonio et al. we can obtain the first almost tightly-secure MixNet protocol.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Open Problemsmentioning

confidence: 99%

Almost Tightly-Secure Re-randomizable and Replayable CCA-Secure Public Key Encryption

Faonio

Hofheinz

Russo

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The work of Faonio and Fiore [16] presented a practical Rand-RCCA PKE scheme in the random oracle model. Recently, Wang et al [31] introduced the first receiver-anonymous Rand-RCCA PKE, solving the open problem raised by Prabhakaran and Rosulek in [28]. The state-of-art Rand-RCCA PKE scheme can be found in the work of Faonio et al [17].…”

Section: Related Workmentioning

confidence: 99%

“…Other publicly-verifiable Rand-RCCA PKE schemes were presented by Chase et al [10] and Libert et al [25]. As far as we know, our design for the verify-then-decrypt protocol cannot be easily instantiated with the schemes in [16,28,31]. The reason is that for all these schemes the decryption procedures have a "verification step" that depends on the encrypted message.…”

Section: Related Workmentioning

confidence: 99%

Mix-Nets from Re-randomizable and Replayable CCA-Secure Public-Key Encryption

Faonio

Russo

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Mix-nets are protocols that allow a set of senders to send messages anonymously. Faonio et al. (ASIACRYPT'19) showed how to instantiate mix-net protocols based on Public-Verifiable Re-randomizable Replayable CCA-secure (Rand-RCCA) PKE schemes. The bottleneck of their approach is that public-verifiable Rand-RCCA PKEs are less efficient than typical CPA-secure re-randomizable PKEs. In this paper, we revisit their mix-net protocol, showing how to get rid of the cumbersome public-verifiability property, and we give a more efficient instantiation for the mix-net protocol based on a (non publicly-verifiable) Rand-RCCA scheme. Additionally, we give a more careful security analysis of their mix-net protocol.

show abstract