Paper 2014/609

Public-Key Encryption Indistinguishable Under Plaintext-Checkable Attacks

Michel Abdalla, Fabrice Benhamouda, and David Pointcheval

Abstract

Indistinguishability under chosen-ciphertext attack (INDCCA) is now considered the de facto security notion for public-key encryption. However, this sometimes offers a stronger security guarantee than what is needed. In this paper, we consider a weaker security notion, termed indistinguishability under plaintext-checking attacks (INDPCA), in which the adversary has only access to an oracle indicating whether or not a given ciphertext encrypts a given message. After formalizing this notion, we design a new public-key encryption scheme satisfying it. The new scheme is a variant of the Cramer-Shoup encryption scheme with shorter ciphertexts. Its security is also based on the plain Decisional Diffie-Hellman (DDH) assumption. Additionally, the algebraic properties of the new scheme allow proving plaintext knowledge using Groth-Sahai non-interactive zero-knowledge proofs or smooth projective hash functions. Finally, as a concrete application, we show that, for many password-based authenticated key exchange (PAKE) schemes in the Bellare-Pointcheval-Rogaway security model, we can safely replace the underlying INDCCA encryption schemes with our new INDPCA one. By doing so, we reduce the overall communication complexity of these protocols and obtain the most efficient PAKE schemes to date based on plain DDH.

Note: version 2018-07-02: this version repairs a mistake in the GLPAKE, thanks to a remark from Yu Yu: the two-flow variants require the use of two IND-PCA encryption schemes instead of one IND-CPA and one IND-PCA; version 2015-01-16: new title, published in PKC 2015; version 2014-08-15: added missing references