Summary
|
For Full-Text PDF, please login, if you are a member of IEICE, or go to Pay Per View on menu list, if you are a nonmember of IEICE. |
|
Plaintext Simulatability Eiichiro FUJISAKI Publication IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences Vol.E89-A No.1 pp.55-65 Publication Date: 2006/01/01 Online ISSN: 1745-1337 DOI: 10.1093/ietfec/e89-a.1.55 Print ISSN: 0916-8508 Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Public Key Cryptography Keyword: plaintext simulatability, plaintext awareness, chosen-ciphertext security (CCA2-security), Dolev-Dwork-Naor's encryption scheme, CCA2-secure encryption scheme without overhead, Full Text: PDF(179.4KB)>>
Summary: We propose a new security class, called plaintext simulatability, defined over the public-key encryption schemes. The notion of plaintext simulatability (denoted PS) is similar to the notion of plaintext awareness (denoted PA) defined in [3], but it is "properly" a weaker security class for public-key encryption. It is known that PA implies the class of CCA2-secure encryption (denoted IND-CCA2) but not vice versa. In most cases, PA is "unnecessarily" strong--In such cases, PA is only used to study that the public-key encryption scheme involved meets IND-CCA2, because it looks much easier to treat the membership of PA than to do "directly" the membership of IND-CCA2. We show that PS also implies IND-CCA2, while preserving such a technical advantage as well as PA. We present two novel CCA2-secure public-key encryption schemes, which should have been provided with more complicated security analyses. One is a random-oracle version of Dolev-Dwork-Naor's encryption scheme [8],[9]. Unlike the original scheme, this construction is efficient. The other is a public-key encryption scheme based on a strong pseudo-random permutation family [16] which provides the optimal ciphertext lengths for verifying the validity of ciphertexts, i.e., (ciphertext size) = (message size) + (randomness size). According to [19], such a construction remains open. Both schemes meet PS but not PA. | ||||||||||
| ||||||||||
