## Cryptology ePrint Archive: Report 2012/357

Publicly Verifiable Ciphertexts

Juan Manuel Gonz{\'a}lez Nieto and Mark Manulis and Bertram Poettering and Jothi Rangasamy and Douglas Stebila

Abstract: In many applications, where encrypted traffic flows from an open (public) domain to a protected (private) domain, there exists a gateway that bridges the two domains and faithfully forwards the incoming traffic to the receiver. We observe that indistinguishability against (adaptive) chosen-ciphertext attacks (IND-CCA), which is a mandatory goal in face of active attacks in a public domain, can be essentially relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) for ciphertexts once they pass the gateway that acts as an IND-CCA/CPA filter by first checking the validity of an incoming IND-CCA ciphertext, then transforming it (if valid) into an IND-CPA ciphertext, and forwarding the latter to the recipient in the private domain. Non-trivial filtering'' can result in reduced decryption costs on the receivers' side.

We identify a class of encryption schemes with \emph{publicly verifiable ciphertexts} that admit generic constructions of (non-trivial) IND-CCA/CPA filters. These schemes are characterized by existence of public algorithms that can distinguish between valid and invalid ciphertexts. To this end, we formally define (non-trivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public-key, identity-based, and tag-based encryption flavours. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.

Category / Keywords: public-key cryptography / public verifiability, ciphertext consistency, general encryption, key encapsulation, hybrid encryption

Publication Info: This paper appears in the Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN 2012).

Date: received 22 Jun 2012, last revised 27 Nov 2013

Contact author: j gonzaleznieto at qut edu au, mark@manulis eu, bertram poettering@rhul ac uk, j rangasamy@qut edu au, stebila@qut edu au

Available format(s): PDF | BibTeX Citation

Note: Full version published in Journal of Computer Security 21(5):749--778, DOI:10.3233/JCS-130473.

[ Cryptology ePrint archive ]