Theory of Cryptography

Volume 5978 of the series Lecture Notes in Computer Science pp 480-497

Robust Encryption

  • Michel AbdallaAffiliated withLancaster UniversityDepartement d’Informatique, École normale supérieure
  • , Mihir BellareAffiliated withLancaster UniversityDepartment of Computer Science & Engineering, University of California
  • , Gregory NevenAffiliated withLancaster UniversityCarnegie Mellon UniversityDepartment of Electrical Engineering, Katholieke Universiteit LeuvenIBM Research


We provide a provable-security treatment of “robust” encryption. Robustness means it is hard to produce a ciphertext that is valid for two different users. Robustness makes explicit a property that has been implicitly assumed in the past. We argue that it is an essential conjunct of anonymous encryption. We show that natural anonymity-preserving ways to achieve it, such as adding recipient identification information before encrypting, fail. We provide transforms that do achieve it, efficiently and provably. We assess the robustness of specific encryption schemes in the literature, providing simple patches for some that lack the property. We present various applications. Our work enables safer and simpler use of encryption.