3 research outputs found
Revisiting (R)CCA Security and Replay Protection
This paper takes a fresh approach to systematically characterizing,
comparing, and understanding CCA-type security definitions for
public-key encryption (PKE), a topic with a long history. The
justification for a concrete security definition is relative to a
benchmark application (e.g. confidential communication): Does the use
of a PKE scheme satisfying imply the security of the application?
Because unnecessarily strong definitions may lead to unnecessarily
inefficient schemes or unnecessarily strong computational assumptions,
security definitions should be as weak as possible, i.e. as close as
possible to (but above) the benchmark. Understanding the hierarchy of
security definitions, partially ordered by the implication (i.e. at
least as strong) relation, is hence important, as is placing the
relevant applications as benchmark levels within the hierarchy.
CCA-2 security is apparently the strongest notion, but because it is
arguably too strong, Canetti, Krawczyk, and Nielsen (Crypto 2003)
proposed the relaxed notions of Replayable CCA security (RCCA)
as perhaps the weakest meaningful definition, and they investigated
the space between CCA and RCCA security by proposing two versions of
Detectable RCCA (d-RCCA) security which are meant to ensure
that replays of ciphertexts are either publicly or secretly detectable
(and hence preventable).
The contributions of this paper are three-fold. First, following the
work of Coretti, Maurer, and Tackmann (Asiacrypt 2013), we formalize
the three benchmark applications of PKE that serve as the natural
motivation for security notions, namely the construction of certain
types of (possibly replay-protected) confidential channels (from an
insecure and an authenticated communication channel).
Second, we prove that RCCA does not achieve the confidentiality benchmark
and, contrary to previous belief, that the proposed d-RCCA notions are not
even relaxations of CCA-2 security.
Third, we propose the natural security notions corresponding to the
three benchmarks: an appropriately strengthened version of RCCA to
ensure confidentiality, as well as two notions for capturing public
and secret replay detectability
On the Security of Universal Re-Encryption
A universal re-encryption (URE) scheme is a public-key encryption scheme enhanced with an algorithm that on input a ciphertext, outputs another ciphertext which is still a valid encryption of the underlying plaintext. Crucially, such a re-encryption algorithm does not need any key as input, but the ciphertext is guaranteed to be valid under the original key-pair. Therefore, URE schemes lend themselves naturally as building blocks of mixnets: A sender transmits the encryption of a message under the receivers public-key to a mixer, which re-encrypts it, and the receiver later retrieves the re-encrypted ciphertext, which will decrypt successfully to the original message.
Young and Yung (SCN 2018) argued that the original definition of URE by Golle et al. (CT-RSA 2004) was flawed, because it did not consider anonymity of encryption. This motivated them to claim that they finally put URE on solid grounds by presenting four formal security notions which they argued a URE should satisfy.
As our first contribution, we introduce a framework that allows to compactly define and relate security notions as substitutions of systems. Using such framework, as our second contribution we show that Young and Yung\u27s four notions are not minimal, and therefore do not properly capture the essence of a secure URE scheme. We provide three definitions that imply (and are implied by) theirs. Using the constructive cryptography framework, our third contribution is to capture the essence of URE from an application point of view by providing a composable security notion that expresses the ideal use of URE in a mixnet. Finally, we show that the composable notion is implied by our three minimal notions