Orthogonality between Key Privacy and Data Privacy, Revisited
Information Security and Cryptology
Relationship between Two Approaches for Defining the Standard Model PA-ness
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Cramer-Shoup Satisfies a Stronger Plaintext Awareness under a Weaker Assumption
SCN '08 Proceedings of the 6th international conference on Security and Cryptography for Networks
Relationship between Standard Model Plaintext Awareness and Message Hiding
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
PA1 and IND-CCA2 do not guarantee PA2: brief examples
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
A generic method for reducing ciphertext length of reproducible KEMs in the RO model
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Relationship between standard model plaintext awareness and message hiding
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
We propose a new security class, called plaintext simulatability, defined over public-key encryption schemes. The notion of plaintext simulatability (denoted PS) is similar to the notion of plaintext awareness (denoted PA) defined in [3], but it is a "properly" weaker security class for public-key encryption. It is known that PA implies the class of CCA2-secure encryption (denoted IND-CCA2) but not vice versa. In most cases, PA is "unnecessarily" strong: it is used only to show that the public-key encryption scheme involved meets IND-CCA2, because establishing membership in PA looks much easier than establishing membership in IND-CCA2 "directly". We show that PS also implies IND-CCA2, while preserving the same technical advantage as PA. We present two novel CCA2-secure public-key encryption schemes, which would otherwise have required more complicated security analyses. One is a random-oracle version of Dolev-Dwork-Naor's encryption scheme [9]. Unlike the original scheme, this construction is efficient. The other is a public-key encryption scheme based on a strong pseudo-random permutation family [16], which provides the optimal ciphertext length for verifying the validity of ciphertexts, i.e., (ciphertext size) = (message size) + (randomness size). According to [19], such a construction remains open. Both schemes meet PS but not PA.