An encryption scheme is non-malleable if the adversary cannot transform a ciphertext into one of a related message under the given public key. Although this is a very strong security property, some application scenarios, such as the recently proposed key-substitution attacks, show the limitations of this notion. In such settings the adversary may have the power to transform both the ciphertext and the given public key, possibly without knowing the secret key corresponding to her own public key. In this paper we therefore introduce the notion of completely non-malleable cryptographic schemes, which withstand such attacks. We show that classical schemes like the well-known Cramer-Shoup DDH encryption scheme indeed become insecure against this stronger kind of attack, implying that the notion is a strict extension of chosen-ciphertext security. We also prove that, unless one puts further restrictions on the adversary's success goals, completely non-malleable schemes are hard to construct (as in the case of encryption) or even impossible (as in the case of signatures). Identifying the appropriate restrictions, we then show how to modify well-known constructions like RSA-OAEP and Fiat-Shamir signatures, yielding practical solutions for the problem in the random oracle model.