Abstract
Replayable chosen ciphertext (RCCA) security was introduced by Canetti, Krawczyk, and Nielsen (CRYPTO 03) in order to handle an encryption scheme that is “non-malleable except tampering which preserves the plaintext”. RCCA security is a relaxation of CCA security and a useful security notion for many practical applications such as authentication and key exchange. Canetti et al. defined non-malleability against RCCA (NM-RCCA), indistinguishability against RCCA (IND-RCCA), and universal composability against RCCA (UC-RCCA). Moreover, they proved that these three security notions are equivalent when considering a PKE scheme whose plaintext space is super-polynomially large. Among these three security notions, NM-RCCA seems to play the central role since RCCA security was introduced in order to capture “non-malleability except tampering which preserves the plaintext.” However, their definition of NM-RCCA is not a natural extension of that of classical non-malleability, and it is not clear whether their NM-RCCA captures the requirement of classical non-malleability. In this paper, we propose definitions of indistinguishability-based and simulation-based non-malleability against RCCA by extending definitions of classical non-malleability. We then prove that these two notions of non-malleability and IND-RCCA are equivalent regardless of the size of plaintext space of PKE schemes.
References
Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: STOC, pp. 542–552 (1991)
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
Pass, R., Shelat, A., Vaikuntanathan, V.: Relations among notions of non-malleability for encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 519–535. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_32
Katz, J., Yung, M.: Characterization of security notions for probabilistic private-key encryption. J. Cryptol. 19(1), 67–95 (2006)
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Watanabe, Y., Shikata, J., Imai, H.: Equivalence between semantic security and indistinguishability against chosen ciphertext attacks. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 71–84. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_6
Bellare, M., Sahai, A.: Non-malleable encryption: equivalence between two notions, and an indistinguishability-based characterization. IACR Cryptology ePrint Archive 2006/228 (2006)
Chen, Y., Dong, Q.: RCCA security for KEM+DEM style hybrid encryptions and a general hybrid paradigm from RCCA-secure KEMs to CCA-secure encryptions. Secur. Commun. Netw. 7(8), 1219–1231 (2014)
Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21
Li, K., Wang, J., Zhang, Y., Ma, H.: Key policy attribute-based proxy re-encryption and RCCA secure scheme. J. Internet Serv. Inf. Secur. 4(2), 70–82 (2014)
Dai, H., Wang, D., Chang, J., Xu, M.: On the RCCA security of hybrid signcryption for internet of things. Wirel. Commun. Mob. Comput. 2018, 8646973:1–8646973:11 (2018)
Lu, R., Lin, X., Shao, J., Liang, K.: RCCA-secure multi-use bidirectional proxy re-encryption with master secret security. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 194–205. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_14
Backes, M., Cachin, C.: Public-key steganography with active attacks. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 210–226. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_12
Abe, M., Gennaro, R., Kurosawa, K.: Tag-KEM/DEM: a new framework for hybrid encryption. J. Cryptol. 21(1), 97–130 (2008)
Groth, J.: Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 152–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_9
Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 517–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_29
Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_18
Libert, B., Peters, T., Qian, C.: Structure-preserving chosen-ciphertext security with shorter verifiable ciphertexts. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 247–276. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_11
Acknowledgments
The third and fourth authors are supported by JST CREST Grant Number JPMJCR19F6, Japan.
A Definition of SS-RCCA and Its Equivalence with IND-RCCA
We give our definition of semantic security under RCCA environment (SS-RCCA) as follows.
Let \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) be a PKE scheme, \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) and \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) be pairs of PPTAs, and h and f be polynomial-time computable functions. We consider the following experiments SS-RCCA-0 and SS-RCCA-1:
where a predicate \(\varvec{P}\) satisfies \(\varvec{P}(m,m)=1\) for any m in the support of \(\mathcal {M}\), and
In the above two experiments, \(\mathcal {M}\) is a distribution over the plaintext space.
We define the advantage \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda )\) as \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda ):=|\Pr [\mathcal {D}(\mathsf{{Exp}}_{\varSigma ,\mathcal {A},h,f}^{\text{ SS-RCCA-0 }}(\lambda ))\rightarrow 1]-\Pr [\mathcal {D}(\mathsf{{Exp}}_{\varSigma ,\mathcal {S},h,f}^{\text{ SS-RCCA-1 }}(\lambda ))\rightarrow 1]|\).
Definition 5
(SS-RCCA security). We say that \(\varSigma \) is SS-RCCA secure if for any polynomial-time computable functions h and f, and for any pair of PPTAs \(\mathcal {A}\), there exists a simulator \(\mathcal {S}\) such that \(\mathsf{{Adv}}_{\varSigma ,\mathcal {A},\mathcal {S},\mathcal {D},h,f}^{\text{ SS-RCCA }}(\lambda )\) is negligible for any PPTA \(\mathcal {D}\).
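The role of the predicate \(\varvec{P}\) in the RCCA decryption oracle, as an added illustration that is not part of the paper: the oracle answers a special symbol (written test here) whenever a queried ciphertext decrypts to a plaintext that \(\varvec{P}\) relates to the challenge plaintext, with \(\varvec{P}\) taken to be equality, so tampering that preserves the plaintext is filtered instead of counting as a break, while a plain CCA oracle would decrypt it. ToyScheme, cca_oracle and rcca_oracle are hypothetical names; ToyScheme is a symmetric encrypt-then-MAC stand-in for \(\varSigma \), not a PKE, whose Enc appends one byte that Dec ignores (plaintexts are assumed to be at most 32 bytes).

```python
import hashlib
import hmac
import os

REPLAY = "test"  # special symbol returned by the RCCA decryption oracle (assumption)


class ToyScheme:
    """Stand-in for Sigma = (Gen, Enc, Dec). Enc appends one trailing byte that
    Dec ignores, so flipping it gives a different ciphertext of the SAME plaintext:
    exactly the benign malleability RCCA tolerates and CCA does not."""

    def gen(self) -> bytes:
        return os.urandom(32)

    def enc(self, k: bytes, m: bytes) -> bytes:
        nonce = os.urandom(16)
        pad = hashlib.sha256(k + nonce).digest()[: len(m)]  # m assumed <= 32 bytes
        body = nonce + bytes(a ^ b for a, b in zip(m, pad))
        tag = hmac.new(k, body, hashlib.sha256).digest()  # MAC covers body only
        return body + tag + b"\x00"  # last byte is ignored by dec

    def dec(self, k: bytes, c: bytes):
        body, tag = c[:-33], c[-33:-1]
        if not hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), tag):
            return None  # reject: body was tampered with
        nonce, ct = body[:16], body[16:]
        pad = hashlib.sha256(k + nonce).digest()[: len(ct)]
        return bytes(a ^ b for a, b in zip(ct, pad))


def cca_oracle(scheme, k, c_star):
    """Classical CCA oracle: refuses only the challenge ciphertext itself."""
    return lambda c: None if c == c_star else scheme.dec(k, c)


def rcca_oracle(scheme, k, challenge_msgs, P=lambda a, b: a == b):
    """RCCA oracle: answers REPLAY when P relates Dec(c) to a challenge plaintext."""
    def oracle(c):
        m = scheme.dec(k, c)
        if m is not None and any(P(m, m_star) for m_star in challenge_msgs):
            return REPLAY
        return m
    return oracle


def demo(m: bytes = b"constructed sample plaintext") -> dict:
    s, k = ToyScheme(), None
    k = s.gen()
    c_star = s.enc(k, m)
    mauled = c_star[:-1] + bytes([c_star[-1] ^ 1])      # flip the ignored byte
    broken = c_star[:20] + bytes([c_star[20] ^ 1]) + c_star[21:]  # hit the MACed body
    O_cca, O_rcca = cca_oracle(s, k, c_star), rcca_oracle(s, k, [m])
    return {"mauled_differs": mauled != c_star, "cca": O_cca(mauled),
            "rcca": O_rcca(mauled), "rcca_fresh": O_rcca(s.enc(k, b"other")),
            "rcca_broken": O_rcca(broken)}
```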
A.1 IND-RCCA Implies SS-RCCA
We prove that IND-RCCA implies SS-RCCA by a case analysis. As in the proofs of Theorems 3 and 4, we consider two cases: the size of the plaintext space supported by a PKE scheme \(\varSigma \) is either polynomial or super-polynomially large.
Theorem 7
If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, and the size of plaintext space of \(\varSigma \) is polynomial, then \(\varSigma \) is SS-RCCA secure.
We omit proof of the theorem.
Theorem 8
If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, and the size of the plaintext space of \(\varSigma \) is super-polynomially large, then \(\varSigma \) is SS-RCCA secure.
We omit proof of the theorem.
The following theorem holds from Theorems 7 and 8.
Theorem 9
If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is IND-RCCA secure, then \(\varSigma \) is SS-RCCA secure.
A.2 SS-RCCA Implies IND-RCCA
Theorem 10
If a PKE scheme \(\varSigma =(\mathsf{{Gen}},\mathsf{{Enc}},\mathsf{{Dec}})\) is SS-RCCA secure, then \(\varSigma \) is IND-RCCA secure.
We omit proof of the theorem.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Hayata, J., Kitagawa, F., Sakai, Y., Hanaoka, G., Matsuura, K. (2019). Equivalence Between Non-malleability Against Replayable CCA and Other RCCA-Security Notions. In: Attrapadung, N., Yagi, T. (eds) Advances in Information and Computer Security. IWSEC 2019. Lecture Notes in Computer Science(), vol 11689. Springer, Cham. https://doi.org/10.1007/978-3-030-26834-3_15
DOI: https://doi.org/10.1007/978-3-030-26834-3_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26833-6
Online ISBN: 978-3-030-26834-3