Cryptology ePrint Archive: Report 2005/261
The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model
Alexander W. Dent
Abstract: In this paper we examine the security criteria for a KEM and a DEM that are su±cient for the overall hybrid encryption scheme to be plaintext-aware in the standard model. We apply this theory to the Cramer-Shoup hybrid scheme acting on ¯xed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of plaintext-aware encryption schemes.
Category / Keywords: public-key cryptography / provable security, plaintext-awareness
Date: received 9 Aug 2005, last revised 21 Apr 2006
Contact author: a dent at rhul ac uk
Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Note: The original version of this paper contained an subtle, but substantial error in the proof of the theorem that PA1 + Simulability => PA2. This theorem has been withdrawn. The main result, that Cramer-Shoup is PA2, is now proven using a slight variation of the original technique. My apologies to anyone inconvenienced by the error.
Version: 20060421:172803 (All versions of this report)
Short URL: ia.cr/2005/261
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]