Tightly CCA-secure encryption scheme in a multi-user setting with corruptions


Tightly CCA-secure encryption scheme in a multi-user setting with corruptions

Youngkyung Lee¹ · Dong Hoon Lee¹ · Jong Hwan Park²

Received: 20 February 2019 / Revised: 25 March 2020 / Accepted: 19 August 2020

© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract

The security of public-key encryption (PKE) schemes in a multi-user setting is aimed at capturing real-world scenarios in which an adversary could attack multiple users and multiple ciphertexts of its choice. However, the fact that a real-world adversary can also mount key-exposure attacks against a set of multiple public keys requires us to consider a more realistic notion of security in multi-user settings. In this study, we establish the security notion of PKE in a multi-user setting with corruptions, where an adversary is able to issue (adaptive) encryption, decryption, and corruption (i.e., private key) queries. We then propose the first practical PKE scheme whose security is proven in a multi-user setting with corruptions. The security of our scheme is based on the computational Diffie–Hellman (CDH) assumption and is proven to be tightly chosen-ciphertext secure in the random oracle model. Our scheme essentially follows the recently proposed modular approach of combining a KEM with an augmented DEM in a multi-user setting, and we show that this modular approach also works well in a multi-user setting with corruptions.

Keywords: Public-key encryption · Multi-user setting with corruptions · CDH · Tight security · Random oracle model

Mathematics Subject Classification: 94A60

Communicated by R. Steinfeld.

Jong Hwan Park, [email protected]
Youngkyung Lee, [email protected]
Dong Hoon Lee, [email protected]

¹ Korea University, Seoul, Korea
² Sangmyung University, Seoul, Korea

Y. Lee et al.

1 Introduction

The security of most public-key encryption (PKE) schemes is analyzed using security models that reflect real-world attack environments as closely as possible. The standard security model for PKE schemes has been formalized as indistinguishability against adaptive chosen-ciphertext attacks (denoted as ‘IND-CCA’ security [5,12,26,27]), where a single user and a single ciphertext are the targets of an adversary. However, the IND-CCA security model still falls short of fully reflecting realistic scenarios, because a real-world adversary can try to attack multiple users and multiple ciphertexts of its choice. To narrow the gap between the IND-CCA security model and real-world scenarios, Bellare et al. [6] proposed an IND-CCA security model in a multi-user setting (hereafter denoted as ‘IND-CCA-MUC’ or simply the ‘MUC’ model), where multiple users and multiple ciphertexts are the targets of an adversary. In particular, the MUC model even captures attack scenarios in which an attacker obtains related messages encrypted under different public keys. Recently, many studies [2,14,15,18,20–22,24,25] have focused on designing new PKE schemes that are proven secure in the MUC model [6]. Another consideration to make when constructing PKE sch