Relaxing IND-CCA: Indistinguishability against Chosen Ciphertext Verification Attack
The definition of IND-CCA security model for public key encryption allows an adversary to obtain (adaptively) decryption of ciphertexts of its choice. That is, the adversary is given oracle access to the decryption function corresponding to the decryption key in use. The adversary may make queries that do not correspond to a valid ciphertext, and the answer will be accordingly (i.e., a special “failure” symbol).
In this article, we investigate the case where we restrict the oracle to only determine if the query made is a valid ciphertext or not. That is, the oracle will output 1 if the query string is a valid ciphertext (do not output the corresponding plaintext) and output 0 otherwise. We call this oracle as “ciphertext verification oracle” and the corresponding security model as Indistinguishability against chosen ciphertext verification attack (IND-CCVA). We point out that this seemingly weaker security model is meaningful, clear and useful to the extent where we motivate that certain cryptographic functionalities can be achieved by ensuring the IND-CCVA security where as IND-CPA is not sufficient and IND-CCA provides more than necessary. We support our claim by providing nontrivial construction (existing/new) of:
public key encryption schemes that are IND-CCVA secure but not IND-CCA secure,
public key encryption schemes that are IND-CPA secure but not IND-CCVA secure.
public key encryption schemes that are IND-CCA1 secure but not IND-CCVA secure.
Our discoveries are another manifestation of the subtleties that make the study of security notions for public key encryption schemes so attractive and are important towards achieving the definitional clarity of the target security.
KeywordsPKE security notions IND-CPA IND-CCA IND-CCVA
Unable to display preview. Download preview PDF.
- 7.Elkind, E., Sahai, A.: A Unified Methodology For Constructing Public-Key Encryption Schemes Secure Against Adaptive Chosen-Ciphertext Attack, http://eprint.iacr.org/2002/042
- 9.Freier, A.O., Karlton, P., Kocher, P.C.: The SSL Protocol. Version 3.0Google Scholar
- 11.Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press (2004)Google Scholar
- 13.Goldwasser, S., Micali, S., Tong, P.: Why and how to establish a private code on a public network. In: Proc. 23rd IEEE Symp. on Foundations of Comp. Science, Chicago, pp. 134–144 (1982)Google Scholar
- 14.Håstad, J., Näslund, M.: The security of individual RSA bits (1998) (manuscript)Google Scholar
- 16.Naor, M., Yung, M.: Public-key cryptosystem provably secure against chosen ciphertext attacks. In: Proc. STOC, pp. 427–437 (1990)Google Scholar
- 17.Public-Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard. RSA Security Inc. (2002)Google Scholar
- 18.Rackoff, C., Simon, D.: Non-interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
- 19.RSA Data Security, Inc. PKCS #1: RSA Encryption Standard. Redwood City, CA. Version 1.5 (November 1993)Google Scholar
- 20.Shoup, V.: Why chosen ciphertext security matters. Technical Report RZ 3076, IBM Zurich (1998)Google Scholar
- 21.Vivek, S., Deva Selvi, S., Pandu Rangan, C.: CCA Secure Certificateless Encryption Schemes based on RSA. In: Proc. Secrypt 2011, pp. 208–217 (2011)Google Scholar
- 22.Vivek, S., Deva Selvi, S., Pandu Rangan, C.: Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks. ePrint Archive: Report 2012/118 (2012)Google Scholar