Breaking and Repairing Damgård et al. Public Key Encryption Scheme with Non-interactive Opening
We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interactive opening (PKENO) presented by Damgård, Kiltz, Hofheinz and Thorbek in CT-RSA 2008. In a PKENO scheme a receiver can convincingly reveal to a verifier what the result of decrypting a ciphertext C is, without interaction and without compromising the confidentiality of non-opened ciphertexts. A special interesting feature of PKENO is that a verifier can even ask for opening proofs on invalid ciphertexts. Those opening proofs will convince the verifier that the ciphertext was indeed invalid. We show that one of the schemes by Damgård et al. does not achieve the claimed security goal. Next we provide a fix for it. The repaired scheme presents essentially no overhead and is proven secure under the Decisional Bilinear Diffie-Hellman assumption in the standard model.
Keywordsidentity-based encryption public key encryption non-interactive proofs standard model
Unable to display preview. Download preview PDF.
- [BF03]Boneh, D., Franklin, M.K.: Identity-Based encryption from the Weil pairing. SIAM Journal of Computing 32(3), 586–615 (2003); this is the full version of an extended abstract of the same title presented at in: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)MathSciNetCrossRefzbMATHGoogle Scholar
- [BMW05]Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACM Conference on Computer and Communications Security 2005, pp. 320–329 (2005)Google Scholar