Publicly Verifiable Ciphertexts

  • Juan Manuel González Nieto
  • Mark Manulis
  • Bertram Poettering
  • Jothi Rangasamy
  • Douglas Stebila
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7485)


In many applications where encrypted traffic flows from an open (public) domain to a protected (private) domain there exists a gateway that bridges the two domains and faithfully forwards the incoming traffic to the receiver. We observe that indistinguishability against (adaptive) chosen-ciphertext attacks (IND-CCA), which is a mandatory goal in face of active attacks in a public domain, can be essentially relaxed to indistinguishability against chosen-plaintext attacks (IND-CPA) for ciphertexts once they pass the gateway that acts as an IND-CCA/CPA filter, by first checking the validity of an incoming IND-CCA ciphertext, then transforming it (if valid) into an IND-CPA ciphertext, and finally forwarding the latter to the recipient in the private domain. “Non-trivial filtering” can result in reduced decryption costs on the receiver’s side.

We identify a class of encryption schemes with publicly verifiable ciphertexts that admit generic constructions of (non-trivial) IND-CCA/CPA filters. These schemes are characterized by the existence of public algorithms that can distinguish between valid and invalid ciphertexts. To this end, we formally define (non-trivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public-key, identity-based, and tag-based encryption flavors. We further analyze the security impact of public verifiability and discuss generic transformations and concrete constructions that enjoy this property.



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Juan Manuel González Nieto (1)
  • Mark Manulis (2)
  • Bertram Poettering (3)
  • Jothi Rangasamy (1)
  • Douglas Stebila (1)

  1. Queensland University of Technology, Brisbane, Australia
  2. University of Surrey, Guildford, United Kingdom
  3. Royal Holloway, University of London, United Kingdom