Misplaced Pages

Plaintext-aware encryption

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.

Plaintext-awareness is a notion of security for public-key encryption. A cryptosystem is plaintext-aware if it is difficult for any efficient algorithm to come up with a valid ciphertext without being aware of the corresponding plaintext.

From a lay point of view, this is a strange property. Normally, a ciphertext is computed by encrypting a plaintext. If a ciphertext is created this way, its creator would be aware, in some sense, of the plaintext. However, many cryptosystems are not plaintext-aware. As an example, consider the RSA cryptosystem without padding. In the RSA cryptosystem, plaintexts and ciphertexts are both values modulo N (the modulus). Therefore, RSA is not plaintext aware: one way of generating a ciphertext without knowing the plaintext is to simply choose a random number modulo N.

In fact, plaintext-awareness is a very strong property. Any cryptosystem that is semantically secure and is plaintext-aware is actually secure against a chosen-ciphertext attack, since any adversary that chooses ciphertexts would already know the plaintexts associated with them.

History

The concept of plaintext-aware encryption was developed by Mihir Bellare and Phillip Rogaway in their paper on optimal asymmetric encryption, as a method to prove that a cryptosystem is chosen-ciphertext secure.

Further research

Limited research on plaintext-aware encryption has been done since Bellare and Rogaway's paper. Although several papers have applied the plaintext-aware technique in proving encryption schemes are chosen-ciphertext secure, only three papers revisit the concept of plaintext-aware encryption itself, both focussed on the definition given by Bellare and Rogaway that inherently require random oracles. Plaintext-aware encryption is known to exist when a public-key infrastructure is assumed. Also, it has been shown that weaker forms of plaintext-awareness exist under the knowledge of exponent assumption, a non-standard assumption about Diffie-Hellman triples. Finally a variant of the Cramer Shoup encryption scheme was shown to be fully plaintext aware in the standard model under the knowledge of exponent assumption.

See also

References

  1. M. Bellare and P. Rogaway. Optimal Asymmetric Encryption -- How to encrypt with RSA. Extended abstract in Advances in Cryptology – Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995. full version (pdf)
  2. J. Herzog, M. Liskov, and S. Micali. Plaintext Awareness via Key Registration. In Advances in Cryptology – CRYPTO 2003 Proceedings, Lecture Notes in Computer Science Vol. 2729, Springer-Verlag, 2003. (pdf)
  3. M. Bellare and A. Palacio. Towards Plaintext-Aware Public-Key Encryption without Random Oracles. In Advances in Cryptology – ASIACRYPT 2004, Lecture Notes in Computer Science Vol. 3329, Springer-Verlag, 2004. full version (pdf)
  4. A. W. Dent The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model. In Advances in Cryptology – EUROCRYPT 2006, Lecture Notes in Computer Science Vol. 4004, Springer-Verlag, 2006. full version (pdf)
Category: