Generic constructions and transformations of decryption consistent encryption

Mingwu Zhang, Kirill Morozov, Tsuyoshi Takagi

Research output: Contribution to journalArticle

Abstract

Binding encryption provides an effective way to broadcast a secret to an authorized group of users, which guarantees decryption consistency, i.e., that all users can obtain the same message without any interaction among them. In this paper, we first give the definition of security of a binding encryption, and then construct a primitive that achieves security against chosen plaintext attacks (CPA) and decryption consistency. This primitive is derived from a CPA-secure public- key encryption (PKE) scheme. Then, we present several transformations of binding encryption, which ensure some advanced security requirements such as anonymity, strong decryption consistency, and non-malleability. (1) Negative results that: (a) A CCA (chosen-ciphertext attack) secure PKE does not imply a CCA-secure multi-receiver encryption (ME) or binding encryption; (b) an anonymous CPA-secure PKE implies an anonymous ME but does not imply any anonymous binding encryption; (c) a CCA-secure anonymous PKE does not imply a CCA-secure anonymous ME or anonymous binding encryption. (2) A generic construction for a binding encryption that: (a) Uses CPA-secure PKE and symmetric encryption to construct a CPA-secure ME; (b) uses a CPA-secure ME and a polynomially verifiable function to construct a CPAsecure binding encryption. (3) Three transformations from (anonymous) CCA-secure PKE to (anonymous) CCA-secure binding encryption: the first one is based on a strong one-time signature, the second one is derived from a trapdoor pseudo-random function, while the third one is based on (information-theoretically secure) cover-free families, and hence it does not require any additional computational assumptions.

Original languageEnglish
Pages (from-to)218-228
Number of pages11
JournalIETE Journal of Research
Volume60
Issue number3
DOIs
Publication statusPublished - Jan 1 2014

Fingerprint

Encryption
Cryptography
Attack
Public Key Encryption
Receiver
Imply
Non-malleability
Pseudorandom Function
Strong Consistency
Anonymity
Broadcast
Signature
Cover

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science Applications
  • Electrical and Electronic Engineering

Cite this

Generic constructions and transformations of decryption consistent encryption. / Zhang, Mingwu; Morozov, Kirill; Takagi, Tsuyoshi.

In: IETE Journal of Research, Vol. 60, No. 3, 01.01.2014, p. 218-228.

Research output: Contribution to journalArticle

Zhang, Mingwu ; Morozov, Kirill ; Takagi, Tsuyoshi. / Generic constructions and transformations of decryption consistent encryption. In: IETE Journal of Research. 2014 ; Vol. 60, No. 3. pp. 218-228.
@article{35938dc7456c4fe992cee5c8257dd497,
title = "Generic constructions and transformations of decryption consistent encryption",
abstract = "Binding encryption provides an effective way to broadcast a secret to an authorized group of users, which guarantees decryption consistency, i.e., that all users can obtain the same message without any interaction among them. In this paper, we first give the definition of security of a binding encryption, and then construct a primitive that achieves security against chosen plaintext attacks (CPA) and decryption consistency. This primitive is derived from a CPA-secure public- key encryption (PKE) scheme. Then, we present several transformations of binding encryption, which ensure some advanced security requirements such as anonymity, strong decryption consistency, and non-malleability. (1) Negative results that: (a) A CCA (chosen-ciphertext attack) secure PKE does not imply a CCA-secure multi-receiver encryption (ME) or binding encryption; (b) an anonymous CPA-secure PKE implies an anonymous ME but does not imply any anonymous binding encryption; (c) a CCA-secure anonymous PKE does not imply a CCA-secure anonymous ME or anonymous binding encryption. (2) A generic construction for a binding encryption that: (a) Uses CPA-secure PKE and symmetric encryption to construct a CPA-secure ME; (b) uses a CPA-secure ME and a polynomially verifiable function to construct a CPAsecure binding encryption. (3) Three transformations from (anonymous) CCA-secure PKE to (anonymous) CCA-secure binding encryption: the first one is based on a strong one-time signature, the second one is derived from a trapdoor pseudo-random function, while the third one is based on (information-theoretically secure) cover-free families, and hence it does not require any additional computational assumptions.",
author = "Mingwu Zhang and Kirill Morozov and Tsuyoshi Takagi",
year = "2014",
month = "1",
day = "1",
doi = "10.1080/03772063.2014.901480",
language = "English",
volume = "60",
pages = "218--228",
journal = "IETE Journal of Research",
issn = "0377-2063",
publisher = "Medknow Publications and Media Pvt. Ltd",
number = "3",

}

TY - JOUR

T1 - Generic constructions and transformations of decryption consistent encryption

AU - Zhang, Mingwu

AU - Morozov, Kirill

AU - Takagi, Tsuyoshi

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Binding encryption provides an effective way to broadcast a secret to an authorized group of users, which guarantees decryption consistency, i.e., that all users can obtain the same message without any interaction among them. In this paper, we first give the definition of security of a binding encryption, and then construct a primitive that achieves security against chosen plaintext attacks (CPA) and decryption consistency. This primitive is derived from a CPA-secure public- key encryption (PKE) scheme. Then, we present several transformations of binding encryption, which ensure some advanced security requirements such as anonymity, strong decryption consistency, and non-malleability. (1) Negative results that: (a) A CCA (chosen-ciphertext attack) secure PKE does not imply a CCA-secure multi-receiver encryption (ME) or binding encryption; (b) an anonymous CPA-secure PKE implies an anonymous ME but does not imply any anonymous binding encryption; (c) a CCA-secure anonymous PKE does not imply a CCA-secure anonymous ME or anonymous binding encryption. (2) A generic construction for a binding encryption that: (a) Uses CPA-secure PKE and symmetric encryption to construct a CPA-secure ME; (b) uses a CPA-secure ME and a polynomially verifiable function to construct a CPAsecure binding encryption. (3) Three transformations from (anonymous) CCA-secure PKE to (anonymous) CCA-secure binding encryption: the first one is based on a strong one-time signature, the second one is derived from a trapdoor pseudo-random function, while the third one is based on (information-theoretically secure) cover-free families, and hence it does not require any additional computational assumptions.

AB - Binding encryption provides an effective way to broadcast a secret to an authorized group of users, which guarantees decryption consistency, i.e., that all users can obtain the same message without any interaction among them. In this paper, we first give the definition of security of a binding encryption, and then construct a primitive that achieves security against chosen plaintext attacks (CPA) and decryption consistency. This primitive is derived from a CPA-secure public- key encryption (PKE) scheme. Then, we present several transformations of binding encryption, which ensure some advanced security requirements such as anonymity, strong decryption consistency, and non-malleability. (1) Negative results that: (a) A CCA (chosen-ciphertext attack) secure PKE does not imply a CCA-secure multi-receiver encryption (ME) or binding encryption; (b) an anonymous CPA-secure PKE implies an anonymous ME but does not imply any anonymous binding encryption; (c) a CCA-secure anonymous PKE does not imply a CCA-secure anonymous ME or anonymous binding encryption. (2) A generic construction for a binding encryption that: (a) Uses CPA-secure PKE and symmetric encryption to construct a CPA-secure ME; (b) uses a CPA-secure ME and a polynomially verifiable function to construct a CPAsecure binding encryption. (3) Three transformations from (anonymous) CCA-secure PKE to (anonymous) CCA-secure binding encryption: the first one is based on a strong one-time signature, the second one is derived from a trapdoor pseudo-random function, while the third one is based on (information-theoretically secure) cover-free families, and hence it does not require any additional computational assumptions.

UR - http://www.scopus.com/inward/record.url?scp=84906535360&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84906535360&partnerID=8YFLogxK

U2 - 10.1080/03772063.2014.901480

DO - 10.1080/03772063.2014.901480

M3 - Article

AN - SCOPUS:84906535360

VL - 60

SP - 218

EP - 228

JO - IETE Journal of Research

JF - IETE Journal of Research

SN - 0377-2063

IS - 3

ER -