Paper 2012/357

Publicly Verifiable Ciphertexts

Juan Manuel Gonzälez Nieto, Mark Manulis, Bertram Poettering, Jothi Rangasamy, and Douglas Stebila


In many applications, where encrypted traffic flows from an open (public) domain to a protected (private) domain, there exists a gateway that bridges the two domains and faithfully forwards the incoming traffic to the receiver. We observe that indistinguishability against (adaptive) chosen-ciphertext attacks (IND-CCA), which is a mandatory goal in face of active attacks in a public domain, can be essentially relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) for ciphertexts once they pass the gateway that acts as an IND-CCA/CPA filter by first checking the validity of an incoming IND-CCA ciphertext, then transforming it (if valid) into an IND-CPA ciphertext, and forwarding the latter to the recipient in the private domain. ``Non-trivial filtering'' can result in reduced decryption costs on the receivers' side. We identify a class of encryption schemes with \emph{publicly verifiable ciphertexts} that admit generic constructions of (non-trivial) IND-CCA/CPA filters. These schemes are characterized by existence of public algorithms that can distinguish between valid and invalid ciphertexts. To this end, we formally define (non-trivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public-key, identity-based, and tag-based encryption flavours. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.

Note: Full version published in Journal of Computer Security 21(5):749--778, DOI:10.3233/JCS-130473.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. This paper appears in the Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN 2012).
public verifiabilityciphertext consistencygeneral encryptionkey encapsulationhybrid encryption
Contact author(s)
j gonzaleznieto @ qut edu au
mark @ manulis eu
bertram poettering @ rhul ac uk
j rangasamy @ qut edu au
stebila @ qut edu au
2013-11-27: revised
2012-06-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Juan Manuel Gonzälez Nieto and Mark Manulis and Bertram Poettering and Jothi Rangasamy and Douglas Stebila},
      title = {Publicly Verifiable Ciphertexts},
      howpublished = {Cryptology ePrint Archive, Paper 2012/357},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.