Plaintext awareness in identity-based key encapsulation
Authors: Mark Manulis, Bertram Poettering, Douglas Stebila
Affiliations:
1. Department of Computing, University of Surrey, Guildford, Surrey GU2 7XH, UK
2. Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK
3. School of Electrical Engineering and Computer Science, Science and Engineering Faculty, Queensland University of Technology, GPO Box 2434, Brisbane, QLD, Australia
Abstract: The notion of plaintext awareness ($\mathsf{PA}$) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen-ciphertext attacks ($\mathsf{IND}\hbox{-}\mathsf{CCA}$), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving $\mathsf{PA}$ in the random oracle model are not valid in the standard model, and vice versa. Similarly, strategies for proving $\mathsf{PA}$ of schemes in one model cannot be adapted to the other model. Existing research addresses $\mathsf{PA}$ in detail only in the public key setting. This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus lies mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of $\mathsf{PA}$ in proof strategies for $\mathsf{IND}\hbox{-}\mathsf{CCA}$ security, and explores relationships between $\mathsf{PA}$ and other security properties. On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and $\mathsf{IND}\hbox{-}\mathsf{CCA}$-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of $\gamma$-uniformity that was inherent in the original FO transform. We show that for IB-KEMs (and PK-KEMs), this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is $\mathsf{PA}$ and $\mathsf{IND}\hbox{-}\mathsf{CCA}$-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.
This paper is indexed in SpringerLink and other databases.