Equivalence Between Non-malleability Against Replayable CCA and Other RCCA-Security Notions

Abstract

Replayable chosen ciphertext (RCCA) security was introduced by Canetti, Krawczyk, and Nielsen (CRYPTO 03) in order to handle an encryption scheme that is “non-malleable except tampering which preserves the plaintext”. RCCA security is a relaxation of CCA security and a useful security notion for many practical applications such as authentication and key exchange. Canetti et al. defined non-malleability against RCCA (NM-RCCA), indistinguishability against RCCA (IND-RCCA), and universal composability against RCCA (UC-RCCA). Moreover, they proved that these three security notions are equivalent when considering a PKE scheme whose plaintext space is super-polynomially large. Among these three security notions, NM-RCCA seems to play the central role since RCCA security was introduced in order to capture “non-malleability except tampering which preserves the plaintext.” However, their definition of NM-RCCA is not a natural extension of that of classical non-malleability, and it is not clear whether their NM-RCCA captures the requirement of classical non-malleability. In this paper, we propose definitions of indistinguishability-based and simulation-based non-malleability against RCCA by extending definitions of classical non-malleability. We then prove that these two notions of non-malleability and IND-RCCA are equivalent regardless of the size of plaintext space of PKE schemes.

A Definition of SS-RCCA and Its Equivalence with IND-RCCA

We give our definition of semantic security under RCCA environment (SS-RCCA) as follows.

Let \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) be a PKE scheme, \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) and \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) be a pair of PPTAs, and h and f be polynomial time computable function. We consider the following experiments SS-RCCA-0 and SS-RCCA-1:

where, a predicate \(\varvec{P}\) satisfies \(\varvec{P}(m,m)=1\) for any m which is included in support of \(\mathcal {M}\), and

$$\begin{aligned}&\mathcal {O}_1(c)=\mathsf{{Dec}}(sk,c),&\\&\mathcal {O}_2(c)= {\left\{ \begin{array}{ll} \mathsf {Test} &{} (\varvec{P}(m,\mathsf{{Dec}}(sk,c))=1)\\ \mathsf{{Dec}}(sk,\cdot ) &{} (\text {otherwise}). \end{array}\right. }&\end{aligned}$$

In above two experiments, \(\mathcal {M}\) is a distribution over the plaintext space.

We define the advantage \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda )\) as \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda ):=|\Pr [\mathcal {D}(\mathsf{{Exp}}_{\varSigma ,\mathcal {A},h,f}^{\text{ SS-RCCA-0 }}(\lambda ))\rightarrow 1]-\Pr [\mathcal {D}(\mathsf{{Exp}}_{\varSigma ,\mathcal {S},h,f}^{\text{ SS-RCCA-1 }}(\lambda ))\rightarrow 1]|\).

Definition 5

(SS-RCCA security). We say that \(\varSigma \) is SS-RCCA secure if for any polynomial time computable function h and f, and for any pair of PPTAs \(\mathcal {A}\), there exists a simulator \(\mathcal {S}\) such that \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda )\) is negligible for any PPTA \(\mathcal {D}\).

1.1 A.1 IND-RCCA Implies SS-RCCA

We prove that IND-RCCA implies SS-RCCA by a case analysis. Like as proofs of Theorems 3 and 4, we consider two cases that the size of the plaintext space which a PKE scheme \(\varSigma \) supports is polynomial or not.

Theorem 7

If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, and the size of plaintext space of \(\varSigma \) is polynomial, then \(\varSigma \) is SS-RCCA secure.

We omit proof of the theorem.

Theorem 8

If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, and the size of the plaintext space of \(\varSigma \) is super polynomially large, then \(\varSigma \) is SS-RCCA secure.

We omit proof of the theorem.

The following theorem holds from Theorems 7 and 8.

Theorem 9

If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, then \(\varSigma \) is SS-RCCA secure.

1.2 A.2 SS-RCCA Implies IND-RCCA

Theorem 10

If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is SS-RCCA secure, then \(\varSigma \) is IND-RCCA secure.

We omit proof of the theorem.