Cryptology ePrint Archive: Report 2016/845
Selective Opening Security from Simulatable Data Encapsulation
Felix Heuer and Bertram Poettering
Abstract: The confidentiality notion of security against selective opening attacks considers adver- saries that obtain challenge ciphertexts and are allowed to adaptively open them, thereby revealing the encrypted message and the randomness used to encrypt. The SO notion is stronger than that of CCA security and is often required when formally arguing towards the security of multi-user applications. While different ways of achieving correspondingly secure schemes are known, as they generally employ expensive asymmetric building blocks like lossy trapdoor functions or lossy en- cryption, such constructions are routinely left aside by practitioners and standardization bodies. So far, formal arguments towards the SO security of schemes used in practice (e.g., for email encryption) are not known.
In this work we shift the focus from the asymmetric to the symmetric building blocks of PKE and prove the following statement: If a PKE scheme is composed of a key encapsulation mechanism (KEM) and a blockcipher-based data encapsulation mechanism (DEM), and the DEM meets spe- cific combinatorial properties, then the PKE scheme offers SO security, in the ideal cipher model. Fortunately, as we show, the required properties hold for popular modes of operation like CTR, CBC, CCM, and GCM. This paper not only establishes the corresponding theoretical framework of analysis, but also contributes very concretely to practical cryptography by concluding that selective opening security is given for many real-world schemes.
Category / Keywords: public-key cryptography / selective opening, hybrid encryption, mode of operation, CTR, CBC, CCM, GCM
Original Publication (with minor differences): IACR-ASIACRYPT-2016
Date: received 2 Sep 2016
Contact author: felix heuer at rub de
Available format(s): PDF | BibTeX Citation
Note: An extended abstract of this paper appears in the proceedings of ASIACRYPT 2016. This is the full version.
Version: 20160906:154546 (All versions of this report)
Short URL: ia.cr/2016/845
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]