Indistinguishability against Chosen Ciphertext Verification Attack Revisited: The Complete Picture
  • Authors: Angsuman Das ; Sabyasachi Dutta ; Avishek Adhikari
  • Keywords: Chosen Ciphertext Attack ; Chosen Ciphertext Verification Attack ; Homomorphic Cryptosystems
  • Series: Lecture Notes in Computer Science
  • Year: 2013
  • Volume: 8209
  • Issue: 1
  • Pages: 121-138
  • Full-text size: 322 KB
  • References:
    1. Armknecht, F., Katzenbeisser, S., Peter, A.: Group homomorphic encryption: characterizations, impossibility results, and applications. Designs, Codes and Cryptography (2012), doi:10.1007/s10623-011-9601-2
    2. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26-45. Springer, Heidelberg (1998)
    3. Bellare, M., Hofheinz, D., Kiltz, E.: Subtleties in the definition of IND-CCA: when and how should challenge-decryption be disallowed? Cryptology ePrint Archive, Report 2009/418, eprint.iacr.org/2009/418.pdf
    4. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1-12. Springer, Heidelberg (1998)
    5. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565-582. Springer, Heidelberg (2003)
    6. Coron, J.-S., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: a generic chosen-ciphertext secure encryption method. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263-276. Springer, Heidelberg (2002)
    7. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13-25. Springer, Heidelberg (1998)
    8. Das, A., Adhikari, A.: An efficient IND-CCA2 secure Paillier-based cryptosystem. Information Processing Letters 112, 885-888 (2012)
    9. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory IT-31(4), 469-472 (1985)
    10. Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 53-68. Springer, Heidelberg (1999)
    11. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537-554. Springer, Heidelberg (1999)
    12. Hall, C., Goldberg, I., Schneier, B.: Reaction attacks against several public-key cryptosystems. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2-12. Springer, Heidelberg (1999)
    13. Hu, Z.Y., Sun, F.C., Jiang, J.C.: Ciphertext verification security of symmetric encryption schemes. Science in China Series F: Information Sciences 52(9), 1617-1631 (2009)
    14. Joye, M., Quisquater, J.-J., Yung, M.: On the power of misbehaving adversaries and security analysis of the original EPOC. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 208-222. Springer, Heidelberg (2001)
    15. Nieto, J.M.G., Boyd, C., Dawson, E.: A public key cryptosystem based on a subgroup membership problem. Designs, Codes and Cryptography 36, 301-316 (2005)
    16. Krohn, M.: On the definitions of cryptographic security: chosen-ciphertext attack revisited. Undergraduate thesis, Harvard University (1999), pdos.csail.mit.edu/~max/docs/uthesis.pdf
    17. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC, pp. 427-437. ACM Press (May 1990)
    18. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159-174. Springer, Heidelberg (2001)
    19. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223-238. Springer, Heidelberg (1999)
    20. Pandey, S.K., Sarkar, S., Jhanwar, M.P.: Relaxing IND-CCA: indistinguishability against chosen ciphertext verification attack. In: Bogdanov, A., Sanadhya, S. (eds.) SPACE 2012. LNCS, vol. 7644, pp. 63-76. Springer, Heidelberg (2012)
    21. Pointcheval, D.: Chosen-ciphertext security for any one-way cryptosystem. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 129-146. Springer, Heidelberg (2000)
    22. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433-444. Springer, Heidelberg (1992)
  • Author affiliations:
    Angsuman Das: Department of Mathematics, St. Xavier's College, Kolkata, India
    Sabyasachi Dutta: Department of Pure Mathematics, University of Calcutta, Kolkata, India
    Avishek Adhikari: Department of Pure Mathematics, University of Calcutta, Kolkata, India
  • ISSN: 1611-3349
Abstract
The knowledge of whether a purported ciphertext is valid or not may leak sufficient information to mount practical attacks on public-key cryptosystems, e.g., Bleichenbacher's attack on RSA-PKCS#1 and the Hall-Goldberg-Schneier "reaction attack" on both the McEliece and Ajtai-Dwork cryptosystems. A notion called indistinguishability against chosen ciphertext verification attack (IND-CCVA) has been introduced in the literature, where the adversary has access to a chosen ciphertext verification oracle (not the full decryption oracle), to address those cryptographic functionalities where IND-CPA security is not sufficient and IND-CCA security is more than necessary. Some of the implications and separations between the CPA, CCA and CCVA notions are known, while the rest are still open. In this paper we provide non-trivial constructions of schemes (existing and new) to resolve all the open issues, thus providing a complete picture. We also introduce a slightly stronger attack, called Adaptive Chosen Ciphertext Decryption/Verification Attack (CCA1.5), where the adversary gets access to a decryption oracle in the first query phase and a ciphertext verification oracle in the second query phase. We argue that this attack is more realistic than the usual CCA2 attack. In fact, it lies between CCA1 and CCA2 security as well as between CCVA2 and CCA2 security. In this regard, inter-relationships between the proposed CCA1.5 notion and existing notions are established. Moreover, it is shown that any group homomorphic cryptosystem is CCA1.5 secure under some reasonable assumption, thereby providing another motivation for studying this particular attack scenario.
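The abstract's two central points, that a validity bit alone can be enough to mount an attack and that a verification oracle buys an adversary nothing against a group homomorphic scheme whose ciphertext space is publicly recognisable, can both be seen in a small Paillier experiment. The following is an added example written for this page; it is not code from the paper, and the "range-checked" variant (a Paillier decryptor that rejects any plaintext outside an assumed message space [0, B) with B = 2^32) is a constructed toy, not a scheme the authors analyse. The two Mersenne primes are constructed toy parameters chosen so the example runs instantly. The adversary gets only a verification oracle (the CCVA model) and is never given a decryption oracle.

```python
"""Ciphertext-verification oracles and additive homomorphism: a Paillier toy.

Constructed example for this page, not code from the paper.  It runs two
variants of Paillier against an adversary who gets ONLY a validity oracle
(the CCVA model), never a decryption oracle:
  * 'range-checked' Paillier (an assumed toy variant: decryption rejects any
    plaintext >= B) leaks the whole message through the validity bit;
  * plain Paillier (message space Z_n) gives an oracle that every element of
    Z*_{n^2} passes, so it tells the adversary nothing beyond public data.
"""
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes so the demo runs instantly.
# Real keys use primes of >= 1024 bits; the attack's query count does not
# depend on the key size, only on the size of the checked message space.
P = 2**31 - 1
Q = 2**19 - 1
B = 1 << 32            # assumed message space [0, B) of the range-checked variant


def keygen(p=P, q=Q):
    """Paillier keys with g = n + 1, so L(g^lambda) = lambda and mu = lambda^-1 mod n."""
    n = p * q
    lam = (p - 1) * (q - 1)          # phi(n); gcd(n, phi(n)) = 1 for these primes
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu)


def encrypt(pk, m, r=None):
    """c = (1+n)^m * r^n mod n^2 with a fresh random r in Z*_n."""
    n, n2 = pk
    while r is None or r <= 1 or gcd(r, n) != 1:
        r = secrets.randbelow(n)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, pk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, n2 = pk
    lam, mu = sk
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n


class VerificationOracle:
    """CCVA oracle: answers only 'valid'/'invalid' and never returns a plaintext."""

    def __init__(self, pk, sk, challenge, range_check):
        self.pk, self.sk, self.challenge, self.range_check = pk, sk, challenge, range_check
        self.queries = 0

    def verify(self, c):
        if c == self.challenge:
            raise ValueError("IND-CCVA2 forbids verifying the challenge itself")
        self.queries += 1
        n, n2 = self.pk
        if not 0 < c < n2 or gcd(c, n2) != 1:
            return False                       # not an element of Z*_{n^2}
        if not self.range_check:
            return True                        # plain Paillier: every such c decrypts to some m in Z_n
        return decrypt(self.sk, self.pk, c) < B


def recover_message(pk, oracle, challenge):
    """Binary search on m using only validity bits.

    challenge * Enc(s) decrypts to m + s (additive homomorphism) and is valid
    iff m + s < B, i.e. iff m <= B - 1 - s.  Every query is a freshly
    re-randomised ciphertext, so the no-challenge-queries rule never triggers.
    Against plain Paillier every answer is 'valid' and the search degenerates to 0.
    """
    n, n2 = pk
    lo, hi = 0, B - 1
    while lo < hi:
        mid = (lo + hi) // 2
        shifted = (challenge * encrypt(pk, B - 1 - mid)) % n2
        if oracle.verify(shifted):             # m <= mid
            hi = mid
        else:                                  # m > mid
            lo = mid + 1
    return lo


def run_attack(m, range_check):
    """Encrypt m, hand the adversary a verification oracle, return (guess, queries)."""
    pk, sk = keygen()
    challenge = encrypt(pk, m)
    oracle = VerificationOracle(pk, sk, challenge, range_check)
    return recover_message(pk, oracle, challenge), oracle.queries


if __name__ == "__main__":
    m = 0xDEADBEEF
    print("range-checked Paillier:", run_attack(m, True))    # (3735928559, 32)
    print("plain Paillier:        ", run_attack(m, False))   # (0, 32)
```

Against the range-checked variant the adversary recovers the full 32-bit plaintext with exactly 32 validity queries, although encryption is unchanged and the scheme is therefore still IND-CPA; this is the kind of gap between IND-CPA and IND-CCVA the abstract refers to. Against plain Paillier the oracle's answer is determined entirely by public data (is c a unit modulo n^2?), so the search returns 0 whatever the message: the verification oracle adds nothing to the adversary's power, which is the intuition behind studying verification-oracle notions for group homomorphic cryptosystems, although this toy does not by itself prove the paper's CCA1.5 result.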
