TY - GEN
T1 - Plaintext-awareness of hybrid encryption
AU - Jiang, Shaoquan
AU - Wang, Huaxiong
PY - 2010
Y1 - 2010
N2 - We study plaintext awareness for hybrid encryptions. Based on a binary relation R, we define a new notion of PA2 (or R-PA2 for short) and a notion of IND-CCA2 (or R-IND-CCA2 for short) for key encapsulation mechanism (KEM). We define a relation RDEM from the description of data encryption mechanism (DEM). We prove two composition results, which holds with or without (public) random oracles. a. When KEM, with RDEM -PA2 and R DEM -IND-CCA2 security, composes with a one-time pseudorandom and unforgeable (OT-PUE) DEM, the resulting hybrid encryption is PA2 secure. OT-PUE is weak and even unnecessarily passively secure and can be realized by a one-time pad encryption followed by a pseudorandom function. b. If KEM is R DEM -IND-CCA and DEM is passively secure and unforgeable, the hybrid encryption (KEM, DEM) is IND-CCA2 secure. As an application, we show that DHIES, a public key encryption scheme by Abdalla et al. [1] and now in IEEE P1361a and ANSI X.963, is PA2 secure. As another application, we prove that a hash proof system based hybrid encryption is PA2. Consequently, this especially implies that the concrete Kurosawa-Desmedt hybrid encryption (CRYPTO04) is PA2.
AB - We study plaintext awareness for hybrid encryptions. Based on a binary relation R, we define a new notion of PA2 (or R-PA2 for short) and a notion of IND-CCA2 (or R-IND-CCA2 for short) for key encapsulation mechanism (KEM). We define a relation RDEM from the description of data encryption mechanism (DEM). We prove two composition results, which holds with or without (public) random oracles. a. When KEM, with RDEM -PA2 and R DEM -IND-CCA2 security, composes with a one-time pseudorandom and unforgeable (OT-PUE) DEM, the resulting hybrid encryption is PA2 secure. OT-PUE is weak and even unnecessarily passively secure and can be realized by a one-time pad encryption followed by a pseudorandom function. b. If KEM is R DEM -IND-CCA and DEM is passively secure and unforgeable, the hybrid encryption (KEM, DEM) is IND-CCA2 secure. As an application, we show that DHIES, a public key encryption scheme by Abdalla et al. [1] and now in IEEE P1361a and ANSI X.963, is PA2 secure. As another application, we prove that a hash proof system based hybrid encryption is PA2. Consequently, this especially implies that the concrete Kurosawa-Desmedt hybrid encryption (CRYPTO04) is PA2.
UR - http://www.scopus.com/inward/record.url?scp=77952073112&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-11925-5_5
DO - 10.1007/978-3-642-11925-5_5
M3 - Conference proceeding contribution
AN - SCOPUS:77952073112
SN - 3642119247
SN - 9783642119248
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 57
EP - 72
BT - Topics in cryptology - CT-RSA 2010
A2 - Pieprzyk, Josef
PB - Springer, Springer Nature
CY - Berlin; Heidelberg
T2 - 10th Cryptographers' Track at the RSA Conference, CT-RSA 2010
Y2 - 1 March 2010 through 5 March 2010
ER -