Ciphertext-Auditable Public Key Encryption

  • Satoshi Hada
  • Kouichi Sakurai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4266)


Loss of backup tapes containing personal information (PI) is a potential breach of privacy, and encryption is the typical way to prevent such a breach. This paper considers an attack scenario in which an adversary who encrypts the PI for backup purposes tries to hide the plain PI in a valid-looking ciphertext without being detected. We show that the standard security notion IND-CCA2 does not capture such a scenario; for example, the Cramer-Shoup scheme is vulnerable to such an attack. To capture this scenario, we define a new notion, “ciphertext-auditability”, as a new property of public key encryption schemes (PKESs). It requires that, given a public key and a ciphertext, anyone should be able to verify whether the ciphertext was actually generated using the public key. It also requires that, given a public key and a plaintext, no adversary should be able to generate a valid-looking ciphertext such that the verification passes but the plaintext can nevertheless be recovered from the ciphertext without the corresponding secret key. We propose a general construction of such PKESs based on standard cryptographic primitives in the random oracle model.
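As an added illustration (not code from the paper, and not its Cramer-Shoup analysis or its construction), the following toy Python models the backup-operator scenario on plain ElGamal, a scheme the paper also cites: a dishonest encryptor masks the PI under its own key instead of the backup public key. The result has the same shape and distribution as an honest ciphertext, so the only check a third party can run on (pk, c) for ElGamal, subgroup membership, passes; decryption under the real secret key yields the wrong value, while the operator recovers the PI from the lost tape with its trapdoor alone. The group parameters, the message encoding and all function names are constructed for this demo.

```python
"""
Toy ElGamal demo of the insider attack on a non-auditable scheme: the encryptor
produces a ciphertext that a third party cannot tell from an honest one, yet the
encryptor recovers the plaintext later without the recipient's secret key.
Added illustration with constructed parameters; not the paper's code.
"""
import secrets

# Constructed toy group: safe prime p = 2q + 1 with p = 3 (mod 4); g = 4 generates
# the order-q subgroup of quadratic residues.  Far too small for real use.
P = 1019
Q = 509
G = 4


def keygen() -> tuple[int, int]:
    """Return (sk, pk) with sk in [1, q-1] and pk = g^sk mod p."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encode(m: int) -> int:
    """Map an integer 1 <= m <= q to a quadratic residue.
    Since p = 3 (mod 4), exactly one of m and p - m is a residue (Euler's criterion)."""
    assert 1 <= m <= Q, "message out of range for the toy group"
    return m if pow(m, Q, P) == 1 else P - m


def decode(e: int) -> int:
    """Inverse of encode: p - m > q whenever m <= q, so the case is unambiguous."""
    return e if e <= Q else P - e


def encrypt(pk: int, m: int) -> tuple[int, int]:
    """Honest ElGamal: (g^r, M * pk^r) with fresh r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(m) * pow(pk, r, P) % P


def decrypt(sk: int, ct: tuple[int, int]) -> int:
    c1, c2 = ct
    shared = pow(c1, sk, P)                      # equals pk^r only if c2 really used pk
    return decode(c2 * pow(shared, -1, P) % P)


def looks_valid(pk: int, ct: tuple[int, int]) -> bool:
    """All a third party can check for plain ElGamal: both components are
    subgroup elements.  pk is accepted but unused: nothing in (c1, c2) ties the
    ciphertext to pk without knowing sk or r."""
    c1, c2 = ct
    return all(1 <= c < P and pow(c, Q, P) == 1 for c in (c1, c2))


def rogue_encrypt(pk: int, m: int, trapdoor: int) -> tuple[int, int]:
    """Dishonest backup operator: same ciphertext shape, but the mask uses the
    operator's own key g^trapdoor instead of pk.  The pair (g^r, M * g^(trapdoor*r))
    is distributed exactly like an honest ciphertext, so looks_valid() passes."""
    r = secrets.randbelow(Q - 1) + 1
    rogue_pk = pow(G, trapdoor, P)
    return pow(G, r, P), encode(m) * pow(rogue_pk, r, P) % P


def rogue_recover(trapdoor: int, ct: tuple[int, int]) -> int:
    """The operator recovers the PI from the lost tape with its trapdoor alone."""
    return decrypt(trapdoor, ct)


def demo(m: int = 123) -> dict:
    """Run both paths against one key pair and report what each party sees."""
    sk, pk = keygen()
    trapdoor = sk + 1 if sk + 1 < Q else 1          # any value != sk (mod q)
    honest = encrypt(pk, m)
    rogue = rogue_encrypt(pk, m, trapdoor)
    return {
        "honest_passes_audit": looks_valid(pk, honest),
        "honest_decrypts_to_m": decrypt(sk, honest) == m,
        "rogue_passes_audit": looks_valid(pk, rogue),
        "rogue_decrypts_to_m": decrypt(sk, rogue) == m,     # False: masked under the wrong key
        "rogue_recovered_without_sk": rogue_recover(trapdoor, rogue) == m,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

IND-CCA2 is silent here because its experiment assumes the encryptor runs the honest algorithm with fresh randomness; the adversary above is the encryptor. A verification procedure meeting the auditability requirement stated in the abstract would have to reject the rogue pair from (pk, c) alone, which a membership check on the components cannot do, since the rogue pair is a perfectly well-formed group element pair.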




  1. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among Notions of Security for Public-key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 26. Springer, Heidelberg (1998)
  2. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-Privacy in Public-Key Encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 566. Springer, Heidelberg (2001)
  3. Bellare, M., Boldyreva, A., Palacio, A.: An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004)
  4. Bellare, M., Rogaway, P.: Random Oracles are Practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  5. Canetti, R.: Towards Realizing Random Oracles: Hash Functions that Hide All Partial Information. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997)
  6. Choi, J.Y., Golle, P., Jakobsson, M.: Auditable Privacy: On Tamper-evident Mix Networks. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006)
  7. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
  8. Desmedt, Y.: Abuses in Cryptography and How to Fight Them. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 375–389. Springer, Heidelberg (1990)
  9. ElGamal, T.: A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory 31, 469–472 (1985)
  10. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust Noninteractive Zero-Knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 566. Springer, Heidelberg (2001)
  11. De Santis, A., Persiano, G.: Zero-Knowledge Proofs of Knowledge without Interaction. In: Proceedings of the 33rd FOCS 1992 (1992)
  12. Goldreich, O.: Foundations of Cryptography: Volume II Basic Applications. Cambridge University Press, Cambridge (2004)
  13. Halevi, S.: A sufficient condition for key-privacy. Cryptology ePrint Archive, Report 2005/005 (2005)
  14. Katz, J., Yung, M.: Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, p. 284. Springer, Heidelberg (2001)
  15. Langford, J., Hopper, N., Ahn, L.: Provably Secure Steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 77. Springer, Heidelberg (2002)
  16. Lepinski, M., Micali, S., Shelat, A.: Fair-Zero Knowledge. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 245–263. Springer, Heidelberg (2005)
  17. Lindell, Y.: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)
  18. Naor, M., Yung, M.: Public-key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. In: Proceedings of the 22nd STOC (1990)
  19. Sahai, A.: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. In: Proceedings of the 40th FOCS (1999)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. Satoshi Hada, Tokyo Research Laboratory, IBM Research, Yamato, Kanagawa, Japan
  2. Kouichi Sakurai, Dept. of Computer Science and Communication Engineering, Kyushu University, Hakozaki, Fukuoka, Japan
