Cryptology ePrint Archive: Report 2014/126

Public-Key Encryption Resilient Against Linear Related-Key Attacks Revisited

Hui Cui, Yi Mu and Man Ho Au

Abstract: Wee (PKC'12) proposed a generic public-key encryption scheme in the setting of related-key attacks. Bellare, Paterson and Thomson (Asiacrypt'12) provided a framework enabling related-key attack (RKA) secure cryptographic primitives for a class of non-linear related-key derivation functions. However, in both of their constructions, the instantiations that achieve full (not weak) RKA security are given only for the scenario in which the private key consists of a single element. In other words, every element of the private key is subjected to the same modification, which is impractical in the real world. In this paper, we concentrate on the security of public-key encryption schemes under linear related-key attacks in the setting of multi-element private keys (that is, the private key is composed of more than one element), where an adversary is allowed to tamper with any part of the private key stored in a hardware device and subsequently observe the output of the public-key encryption system under the modified private key. We define the security model for RKA secure public-key encryption schemes as chosen-ciphertext and related-key attack (CC-RKA) security, which means that a public-key encryption scheme remains secure even when an adversary is allowed to query the decryption oracle on linear shifts of any component of the private key. We then present a detailed public-key encryption scheme whose private key is formed of several elements and whose CC-RKA security is proven under the decisional BDH assumption in the standard model.

Category / Keywords: Public-key encryption, Linear related-key attack, CC-RKA security

Date: received 17 Feb 2014, last revised 25 Feb 2014, withdrawn 19 Mar 2014

Contact author: hc892 at uowmail edu au

Available format(s): (-- withdrawn --)

Version: 20140319:225410
