Security Models and Proof Strategies for Plaintext-Aware Encryption

Birkett, James; Dent, Alexander W.

doi:10.1007/s00145-012-9141-6

Security Models and Proof Strategies for Plaintext-Aware Encryption

Published: 09 January 2013

Volume 27, pages 139–180, (2014)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Security Models and Proof Strategies for Plaintext-Aware Encryption

Download PDF

James Birkett¹ &
Alexander W. Dent²

1510 Accesses
3 Citations
Explore all metrics

Abstract

Plaintext-aware encryption is a simple concept: a public-key encryption scheme is plaintext aware if no polynomial-time algorithm can create a ciphertext without “knowing” the underlying message. However, the formal definitions of plaintext awareness are complex. This paper analyses these formal security definitions and presents the only known viable strategy for proving a scheme is PA2 plaintext aware. At the heart of this strategy is a new notion called PA1+ plaintext awareness. This security notion conceptually sits between PA1 and PA2 plaintext awareness (although it is formally distinct from either of these notions). We show exactly how this new security notion relates to the existing notions and how it can be used to prove PA2 plaintext awareness.

How to Securely Release Unverified Plaintext in Authenticated Encryption

A conceptually simple and generic construction of plaintext checkable encryption in the standard model

Article 24 February 2024

Combiners for Chosen-Ciphertext Security

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

The concept of plaintext awareness was initially developed as a tool to aid attempts to prove the security of public-key encryption schemes. The basic idea is that a scheme should be deemed plaintext aware if no polynomial-time algorithm can create a valid ciphertext without “knowing” the underlying plaintext. This mitigates the usefulness of the decryption oracle in the IND-CCA2 security model: an attacker automatically knows the decryption of any ciphertext that attacker could submit to the decryption oracle. Thus we would hope that a scheme which is IND-CPA secure [16] and plaintext aware would be IND-CCA2 secure [23].

Initially, the formal model for plaintext awareness was developed in the mid-1990s by Bellare and Rogaway [3] in an attempt to create a framework to prove the security of encryption schemes in the random oracle model. Unfortunately, the original formulation only sufficed to prove IND-CCA1 security [21] rather than the preferred IND-CCA2 security [23]. A revised random oracle definition was proposed by Bellare et al. [6] in the late 1990s that did imply IND-CCA2 security, but at the cost of a more complex definition. Moreover, this formulation could still not be easily translated from the random oracle model into the standard model. The cryptographic community had to wait for a decade until a formal model which could be achieved in the standard model was proposed by Bellare and Palacio [2]. The key insight which allowed this new model to be developed was that the security motion could not be formulated in a black-box manner.

The non-black-box security models for plaintext awareness are unusual and independently interesting. This paper highlights the important differences that can be introduced into a model through the decision to use a priori and a posteriori generated random coins. The existing security models for plaintext awareness assume an adversary with a pre-generated random tape—i.e. a priori generated random coins. We propose a novel model for plaintext awareness which uses random values that can be generated by the adversary during their execution—i.e. a posteriori random coins. A key insight into the proof strategies in this work is that an a posteriori choice of randomness provides a stronger and more useful security model. The work on the models for plaintext awareness contained in this model are essentially an investigation in to the relationship between non-black-box models which assume a priori and a posteriori random coins and therefore may be of independent interest.

While earlier work formalised a standard-model interpretation of plaintext awareness, there was no known generic strategy for proving (full) plaintext awareness. This paper provides the first such methodology and uses this methodology to prove that the Cramer–Shoup encryption scheme [10] is plaintext aware under the well-known (but non-falsifiable) Diffie–Hellman Knowledge (DHK) assumption.

Unfortunately, this methodology is not useful in proving IND-CCA2 security, as one of the properties that the encryption scheme is required to fulfil in order to use this methodology implies IND-CCA2 security. We claim that this fact does not seriously undermine the contributions of this paper. We believe that the development of new models for plaintext awareness may be of interest even if no solid methodology exists to prove that a scheme meets the new security definition. Furthermore, we believe that the discovery that an encryption scheme is plaintext aware is of theoretical interest beyond the chore of proving IND-CCA2 security. Plaintext awareness gives an interesting insight into why certain schemes achieve IND-CCA2 security and why certain schemes which would appear to be IND-CCA2 secure have not been proven to achieve that security level.

One of the main challenges of proving the IND-CCA2 security of a public-key encryption scheme is the difficulty in simulating the decryption oracle without full knowledge of the private decryption key. This challenge is made harder by the possibility of trivial decryption oracle queries in which an attacker submits a ciphertext to the oracle for which it already “knows” the underlying message. The simulated decryption oracle must return the correct underlying message, as otherwise the attacker would be able to distinguish the simulated decryption oracle from a real decryption oracle, despite the fact that the query does not actually help the attacker break the security of the underlying scheme. Plaintext awareness can be interpreted as a formalisation of the idea that all decryption oracle queries that a polynomial-time attacker can generate must be trivial. IND-CCA2 proofs for encryption schemes which are not plaintext aware must either (i) answer decryption queries using private information unknown to the attacker and show that this does not leak “too much” of the private key to the attacker; (ii) show that the scheme is plaintext aware for a large portion of the ciphertext space and that it is unlikely that the attacker will be able to generate a valid ciphertext for which he does not “know” the underlying plaintext; or (iii) show that the ability to decrypt non-trivial ciphertexts does not enable an attacker to determine any information about the challenge ciphertext.

Furthermore, plaintext awareness has been shown to be a useful property in its own right and one that allows the construction of simple provably-secure encryption-based protocols. For example, Di Raimondo et al. use plaintext awareness to analyse the deniability of the SKEME key exchange protocol [13]. Di Raimondo et al.’s work considers protocols which use a message transmission system of the following form:

1.
Bob generates a symmetric session key K and encrypts it using Alice’s public key pk _A to form a ciphertext $C \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk}_{A},K)$. Bob sends this ciphertext to the sender.
2.
Alice decrypts the ciphertext to recover the session key K. Alice uses this to encrypt a message m using an authenticated encryption system $\mathcal{AE}_{K}(m)$ and sends this to Bob.

Loosely speaking, this protocol is (sender) deniable if every possible legitimate protocol transcript between Alice and Bob could have been produced by Bob alone. Bob may try to break deniability by producing the ciphertext C in a non-standard way and showing that Alice must have been involved in decrypting the ciphertext. This proves Alice’s involvement in the protocol and removes Alice’s deniability. Di Raimondo et al. use plaintext awareness to argue that Bob must know the symmetric key K encrypted by any valid ciphertext C and so Bob can always simulate a protocol transcript. They conclude that protocols of this form, including SKEME, are deniable if they are instantiated using plaintext-aware encryption. A similar argument is made by Ventre and Visconti in the construction of two-round extractable commitment schemes [30].

Models for Plaintext Awareness

The concept of plaintext-aware encryption may be simple, but the formal definition is complex and subtle. The problem lies in the difficulty of formally defining what is meant by the phrase ‘an attacker knows the underlying plaintext’. The initial definition of plaintext awareness, introduced by Bellare and Rogaway [3] and extended by Bellare, Desai, Pointcheval and Rogaway [6], relies on the random oracle model. A public-key encryption scheme was said to be plaintext aware if it is possible to deduce the decryption of a ciphertext produced by an attacker by observing the random oracle queries made by the attacker during the construction of the ciphertext. A class of public-key encryption schemes, which make use of a hash-based “checksum” value, can easily be proven plaintext aware in this model. However, this definition relies on the random oracle model and has no obvious counterpart in the standard model.

A more general treatment was introduced by Bellare and Palacio [2] who introduced a definition of “knowledge” similar to the definition which appears in the analysis of zero-knowledge protocols [17]. For a zero-knowledge protocol, an algorithm $\mathcal {A}$ is deemed to “know” a value if it could be altered to give an algorithm $\mathcal {A}^{*}$ of similar complexity which could output that value. For example, assuming the hardness of discrete logarithm problem, a polynomial-time algorithm which is given a group generator g and a randomly chosen element g ^x does not know x, since no polynomial-time algorithm could compute x, but would know g ^x+1 since we could alter $\mathcal {A}$ to give an algorithm $\mathcal {A}^{*}(g,g^{x})$ which outputs g ^x+1. In the context of plaintext-aware encryption, Bellare and Palacio proposed that an encryption scheme be deemed plaintext-aware if (roughly) for any polynomial-time algorithm $\mathcal {A}$ which can output ciphertexts, there exists a polynomial-time algorithm $\mathcal {A}^{*}$ which will output the underlying messages of those ciphertexts given the same inputs as original algorithm. The algorithm $\mathcal {A}$ is known as the “ciphertext creator” and the algorithm $\mathcal {A}^{*}$ is known as the “plaintext extractor” for obvious reasons. It should be noted that the phrase “given the same inputs” is a very strong requirement: crucially, the plaintext extractor $\mathcal {A}^{*}$ should even be given the random coins of the ciphertext creator $\mathcal {A}$.

From a model point of view, the approach proposed by Bellare and Palacio is very appealing. The plaintext extractor $\mathcal {A}^{*}$ can be thought of as a polynomial-time “spy” which sits on the shoulder of an IND-CCA2 attacker $\mathcal {A}$ as it creates a ciphertext, deduces the underlying message, and feeds this information back to the attacker when it makes a decryption oracle query.

This model for plaintext awareness is known as PA1 plaintext awareness. Unfortunately, PA1 plaintext awareness is not sufficient to allow us to prove the IND-CCA2 security of an IND-CPA secure encryption scheme. This is because the IND-CCA2 game allows the attacker to make use of an extra piece of information to help them create a ciphertext: the challenge ciphertext itself. It may be possible for an attacker to use the challenge ciphertext to create a ciphertext which the plaintext extractor cannot successfully decrypt. In order to use the concept of plaintext awareness to prove IND-CCA2 security, Bellare and Palacio allowed the ciphertext creator $\mathcal {A}$ to query an encryption oracle which would return the encryption of a randomly chosen message output by a polynomial-time “plaintext creator” algorithm $\mathcal {P}$. A scheme which remains plaintext aware in the presence of any plaintext creator is deemed to be PA2 plaintext aware, and a scheme which is both PA2 plaintext aware and IND-CPA secure is necessarily IND-CCA2 secure.

Our Contribution

The core of our approach to plaintext-aware public-key encryption is the concept of PA1+ plaintext awareness. One major difference between PA1 and PA2 plaintext awareness is that, in the PA1 model of plaintext awareness, the plaintext extractor can determine every action that the ciphertext creator will take during its entire execution, since the plaintext extractor knows all of the inputs that the ciphertext creator will ever receive. In the definition of PA2 plaintext awareness, the plaintext extractor is only able to determine the actions of the ciphertext creator up to the point at which it queries the encryption oracle, since it cannot a priori know the ciphertext that oracle will return.

This means, for a suitably random encryption scheme, the encryption oracle can actually be used to provide two services: it gives the ciphertext creator access to ciphertexts and it gives the ciphertext creator access to a source of new random bits. PA1+ plaintext awareness is similar to PA1 plaintext awareness except that the plaintext creator is also given access to a source of new random bits. Conceptually, the PA1+ model sits between the PA1 and PA2 models: it gives the ciphertext creator access to a source of randomness, but does not give the ciphertext creator access to a full encryption oracle.

We show how this new notion of PA1+ plaintext awareness relates to Bellare and Palacio’s existing notions of PA1 and PA2 plaintext awareness; in particular, we show that it is a weaker notion than PA2 plaintext awareness in the sense that any public-key encryption scheme which is PA2 plaintext aware and IND-CPA secure is necessarily PA1+ plaintext aware. We also show that a scheme which is PA1+ plaintext aware and which presents ciphertexts which appear essentially random is necessarily PA2 plaintext aware. This gives the only known viable strategy for proving PA2 plaintext awareness in the standard model. We demonstrate the usefulness of this strategy by proving that the Cramer–Shoup public-key encryption scheme is PA2 plaintext aware [10].

Related Work

Obviously, the work in this paper builds heavily on the standard-model definitions presented by Bellare and Palacio [2]. Bellare and Palacio also proved the fundamental result that PA2 plaintext awareness and IND-CPA security implies IND-CCA2 security. This result was improved by Teranishi and Ogata [29] who proved that PA2 plaintext awareness and one-way security implies IND-CCA2 security. Jiang and Wang investigated notions of the plaintext awareness of hybrid (KEM-DEM) encryption schemes [19] and used the proof strategy in this paper to prove that the hash-proof-based public-key encryption scheme of Kurosawa and Desmedt [20] is PA2 plaintext aware. This latter result was independently obtained by Birkett [7] who also proved that the hash-proof-based public-key encryption scheme of Cramer and Shoup [10] is PA2 plaintext aware.

2 Preliminaries

We let ← and $\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }$ denote assignment. If $\mathcal {A}$ is a deterministic algorithm, then $y\gets \mathcal {A}(x)$ denotes the assignment to y of the output of running $\mathcal {A}$ on x. If $\mathcal {A}$ is a probabilistic algorithm, then $y\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {A}(x)$ denotes the assignment to y of the output of running $\mathcal {A}$ on x with a fresh set of random coins. We write $y\gets \mathcal {A}(x;R)$ to denote the assignment to y of the output of running $\mathcal {A}$ on x with the random coins R and we let $R[\mathcal {A}]$ denote the random coins of $\mathcal {A}$. An algorithm $\mathcal {A}$ is (strict) polynomial-time if there exists a polynomial p such that the running time of $\mathcal {A}(x)$ is bounded by p(|x|). A function f(k,x) is negligible in k if f(k,x)∈O(k ⁻ⁿ) for all x∈{0,1}^∗ and n∈ℕ.

If S is a finite set, then $y\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S$ denotes the assignment to y of a randomly chosen element of S. If X is a distribution over a finite set S, then $y\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }X$ denotes the assignment to y of an element of S chosen according to the distribution X. If X and Y are distributions over some common finite set S, then the statistical distance between X and Y is

$$\varDelta [X,Y] = \frac{1}{2} \sum_{s\in S} \bigl|\Pr[X=s] - \Pr[Y=s]\bigr|. $$

The output of a probabilistic polynomial-time (PPT) algorithm $\mathcal {A}$ with input x and access to an oracle ${\mathcal {O}}$ is written $\mathcal {A}^{\mathcal {O}}(x)$. If we are describing an algorithm $\mathcal {A}$ then we will use the phrase “Query $\beta\gets{ \mathcal {O}}(\alpha)$” to denote that $\mathcal {A}$ queries the oracle ${\mathcal {O}}$ on α and receives the response β. We will frequently encounter a situation where an algorithm $\mathcal {A}^{\mathcal {O}}(x)$ will be running an algorithm $\mathcal {B}^{{\mathcal {O}}'}(y)$ as a subroutine. In this situation $\mathcal {A}$ will be expected to simulate the oracle ${\mathcal {O}}'$ for $\mathcal {B}$. In order to describe this, we will use a pseudocode description of the form

to denote that $\mathcal {B}$ is run on y, may query the “oracle” ${\mathcal {O}}'$ with an input α and will receive a response β in return, and finally outputs z. We also make use of pseudocode of the form

to mean that the set of first calculations is repeated until either E occurs or the loop has been executed k times. If E has not occurred after k executions of the loop, then the second set of calculations is performed.

We refer to a list of bitstrings using the form AList for some identifier A. All lists are initially initialised to be empty (AList←ε). Elements of the list are addressed as AList[i] with the first entry addressed as AList[0]; the number of the entries in the list is written as |AList|.

A public-key encryption scheme is a triple of PPT algorithms $(\mathcal {G},\mathcal {E},\mathcal {D})$. The key generation algorithm takes as input a security parameter 1^k and outputs a public/private key pair $(\mathit {pk},\mathit {sk})\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {G}(1^{k})$. The public key implicity defines the message space $\mathcal {M}$ and ciphertext space $\mathcal {C}$. The encryption algorithm takes a message $m\in \mathcal {M}$ and a public key pk as input, and outputs a ciphertext $C\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk},m)$ in the ciphertext space $\mathcal {C}$. The (deterministic) decryption algorithm takes a ciphertext $C\in \mathcal {C}$ and a private key sk as input, and output either a message $m\gets \mathcal {D}(\mathit {sk},C)$ in the message space $\mathcal {M}$ or the distinguished error symbol ⊥. For correctness, we require that for all $(\mathit {pk},\mathit {sk})\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {G}(1^{k})$ and messages $m\in \mathcal {M}$, we have that $\mathcal {D}(\mathit {sk},\mathcal {E}(\mathit {pk},m))=m$ with probability 1.

We define five notions of security for a public-key encryption scheme: IND-ATK, LH-IND-ATK, and OW-CPA for ATK∈{CPA,CCA2} [16, 23]. These security notions are defined via the experiments in Fig. 1. For the IND/LH-IND security notions, a PPT attacker $\mathcal {A}$ is deemed to have advantage

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny (LH-)IND}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny (LH-)IND-1}}=1\bigr ]-\Pr\bigl[ \textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny (LH-)IND-0}}=1\bigr]\bigr|. $$

For the OW security notion, a PPT attacker $\mathcal {A}$ is deemed to have advantage

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny OW}}(k) = \Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny OW}}=1\bigr]. $$

A public-key encryption scheme is OW/IND/LH-IND secure if the corresponding advantage is negligible. We will often prove results about the security of encryption schemes using game-hopping techniques [4, 26] for which a short introduction is given in Appendix A.

The LH-IND (length-hiding indistinguishable) security notion perhaps merits a few words of explanation. A scheme is deemed to be IND secure if a ciphertext hides all partial information about a message except perhaps its length. A scheme is deemed to be LH-IND secure if hides all partial information about a ciphertext including its length. Clearly, any scheme which has $\mathcal {M}= \{0,1\}^{\ell}$ is LH-IND-ATK secure if and only if it is IND-ATK secure. Equally clearly, any scheme which has $\mathcal {M}=\{0,1\}^{*}$ is not LH-IND-ATK secure even if it is IND-ATK secure (as one can break LH-IND-CPA security by setting m ₀ to be a very short message and m ₁ to be a very long message and observing the difference in ciphertext length).

Lastly, we will occasionally write

$$\Pr[ \mathit{condition} \,:\, \mathit{experiment} ] $$

to denote the probability that condition is true after executing the steps described by experiment.

3 Relations Between Notions of Plaintext Awareness

3.1 The Bellare–Palacio Notions of Plaintext Awareness

The standard-model definitions of plaintext awareness were provided by Bellare and Palacio [2]. As we have already discussed, the main idea behind the Bellare–Palacio definitions are the concepts of a ciphertext creator $\mathcal {A}$ and a plaintext extractor $\mathcal {A}^{*}$. The ciphertext creator will be able to submit ciphertexts to a “decryption oracle”. This oracle will either be a real decryption oracle or the plaintext extractor attempting to play the part of the real decryption oracle. The plaintext extractor is given all of the inputs of the ciphertext creator, including the ciphertext creator’s random coins. Thus, the plaintext extractor can be thought of as a modified version of the ciphertext creator which outputs both ciphertexts and their underlying messages, thus realising the idea that the ciphertext creator must “know” the underlying message in the sense introduced by zero-knowledge protocols.

The following two definitions are taken from the work of Bellare and Palacio [2]. We define plaintext awareness using two games in Fig. 2 which are played by a ciphertext creator $\mathcal {A}$, a plaintext extractor $\mathcal {A}^{*}$ and a distinguisher algorithm D. The advantage is defined to be

$$\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny PA1}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},D}^{\texttt {\tiny REAL-PA1}}=1\bigr]-\Pr \bigl[ \textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny FAKE-PA1}}=1\bigr]\bigr|. $$

Definition 3.1

(PA1)

A public-key encryption scheme is PA1 plaintext aware if for every PPT ciphertext creator $\mathcal {A}$ there exists a PPT plaintext extractor $\mathcal {A}^{*}$ such that for all polynomial-time distinguisher algorithms D we have that $\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny PA1}}(k)$ is negligible.

As we mentioned previously, PA1 plaintext awareness is not sufficient to prove IND-CCA2 security, since the model for PA1 plaintext awareness does not capture situations in which the ciphertext creator may be able to obtain ciphertexts for which they do not know the underlying message. This motivates the definition of PA2 plaintext awareness, which is defined by the two games in Fig. 3. The central difference between PA1 and PA2 plaintext awareness is the introduction of the encryption oracle $\mathcal {O}_{\mathcal {E}}$. This oracle gives the ciphertext creator access to a source of ciphertexts by returning the encryption of a message output by a stateful, PPT plaintext creator algorithm $\mathcal {P}$. This architecture is shown in Fig. 4. The advantage of a ciphertext creator $\mathcal {A}$, plaintext extractor $\mathcal {A}^{*}$, plaintext creator $\mathcal {P}$, and a distinguisher algorithm D is given by

$$\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny PA2}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}=1\bigr]-\Pr \bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr]\bigr|. $$

Definition 3.2

(PA2)

A public-key encryption scheme is PA2 plaintext aware if for every PPT ciphertext creator $\mathcal {A}$ there exists a PPT plaintext extractor $\mathcal {A}^{*}$ such that for all PPT plaintext creators $\mathcal {P}$ and PPT distinguisher algorithms D we have that $\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny PA2}}(k)$ is negligible.

Theorem 3.3

(Bellare–Palacio)

A public-key encryption scheme that is (LH-)IND-CPA secure and PA2 plaintext aware is (LH-)IND-CCA2 secure.

Theorem 3.4

(Teranishi–Ogata)

A public-key encryption scheme that is OW-CPA secure and PA2 plaintext aware is (LH-)IND-CPA secure.

Technically, both of these results are only proven for the IND security notions, but an examination of the proofs shows that neither relies on the fact that |m ₀|=|m ₁| in the IND security game. Thus, the proofs hold for the LH-IND security notions as well. This allows us to prove the following result (which motivates our consideration of LH-IND security at all):

Corollary 3.5

A public-key encryption scheme that is IND-CPA secure, PA2 plaintext aware, and has the property that $|\mathcal {M}|$ grows faster than any polynomial in the security parameter k is LH-IND-CPA secure.

Proof

An encryption scheme which is IND-CPA scheme and which has the property that $|\mathcal {M}|$ grows faster than any polynomial is OW-CPA secure. Thus, by the Teranishi–Ogata result, the scheme is LH-IND-CPA secure. □

Conceptually, this minor observation proves that we should only consider schemes which are LH-IND-CPA secure as candidates for PA2 plaintext awareness. Practically, this means that no scheme with $\mathcal {M}=\{ 0,1\}^{*}$ can ever be PA2 plaintext aware, which eliminates most hybrid schemes. Interestingly, we will show that the Cramer–Shoup hybrid encryption scheme is PA2 plaintext aware if we restrict the message space to $\mathcal {M}=\{0,1\}^{k}$ (and so, with the use of a suitable padding scheme, if $\mathcal {M}=\{0,1\}^{\leq k}$).

3.2 PA1+ Plaintext Awareness

The crux of our approach to plaintext awareness is a new definition which we term PA1+ plaintext awareness. We claim that it lies conceptually between PA1 and PA2 plaintext awareness, although it is formally distinct from either of them. In the definition of PA1 plaintext awareness, when the ciphertext creator $\mathcal {A}$ first invokes the plaintext extractor $\mathcal {A}^{*}$, the plaintext extractor can determine every action that the ciphertext creator will take during its entire execution, since the ciphertext creator is given no independently generated input during its execution.

In the PA2 model for plaintext awareness, the ciphertext creator can use the encryption oracle for two purposes:

It can use the encryption oracle to generate encryptions of messages drawn from polynomial-time distributions.
For suitably randomised encryption schemes, the encryption oracle can be used as a source of random bits (e.g. by hashing the ciphertext).

The ability to obtain “new” random bits means that the plaintext extractor cannot determine the ciphertext creator’s complete execution in advance. This is a significant difference between PA1 and PA2 plaintext awareness. PA1+ plaintext awareness explicitly gives the ciphertext creator one of the two abilities that it gets in the PA2 model: the ability to access a source of new random bits. In order to allow the plaintext extractor $\mathcal {A}^{*}$ to track the execution of the ciphertext creator $\mathcal {A}$, we give the plaintext extractor access to all the random bits that have been generated up to the point that it is queried.

Definition 3.6

(PA1+)

For any definition of plaintext awareness PA∈{PA1/PA2}, we give a new definition PA+ in which the ciphertext creator $\mathcal {A}$ is given access to a randomness oracle $\mathcal {R}$, which takes no input and returns a randomly-chosen bit. The plaintext extractor $\mathcal {A}^{*}$ is altered so that it takes a list RList of the random bits returned by the randomness oracle as an additional input, i.e. the plaintext extractor is run as $\mathcal {A}^{*}(1^{k},\mathit {pk},C,R[\mathcal {A}],\textsc {{C}List},\textsc {{R}List})$.

Another interpretation of the difference between the PA and PA+ definitions relates to the way one defines a probabilistic Turing machine. If one defines a probabilistic Turing machine as a Turing machine with access to infinite random tape, then one automatically derives the PA notions of plaintext awareness. If one defines a probabilistic Turing machine as a Turing machine with access to an oracle which will return a randomly chosen bit, then one derives the PA+ notions of plaintext awareness. It is interesting that these two definitions of probabilistic Turing machine, which are usually equivalent, lead to different definitions of plaintext awareness.

Interpreting the Difference Between PA1 and PA1+

The difference between PA1 and PA1+ plaintext awareness seem to be fairly minor—PA1 provides the plaintext extractor all the ciphertext creator’s random coins at the start of the game whereas PA1+ provides the plaintext extractor the ciphertext creator’s random coins as they are used.

In order to highlight the conceptual differences between a priori and a posteriori randomness in the PA1 and PA1+ definitions, we consider an analogous situation that may occur in zero-knowledge protocols. Consider the standard “cut-and-choose” protocol for proving that an element $x^{2} = y \in\mathbb{Z}_{N}^{*}$ is a quadratic residue [14]:

A prover P presents the verifier with ℓ quadratic residues (R ₁,R ₂,…,R _ℓ) in $\mathbb{Z}_{N}^{*}$ where $R_{i} = r^{2}_{i}$.
The verifier V sends the prover ℓ random bits (b ₁,b ₂,…,b _ℓ).
The prover returns the square roots (z ₁,z ₂,…,z _ℓ) where $z_{i} = r_{i}\cdot x^{b_{i}}$ in $\mathbb{Z}_{N}^{*}$.
The verifier checks that $z_{i}^{2} = R_{i} \cdot y^{b_{i}}$ for each 1≤i≤ℓ and accepts the proof if all checks pass.

Now consider a simulator S which wishes to fool the verifier V into accepting a non-residue by observing V’s randomness. (In our analogy, the verifier V is analogous to the ciphertext creator $\mathcal {A}$ and the simulator S is analogous to the plaintext extractor $\mathcal {A}^{*}$.) If the simulator S is working in a model in which the verifier’s randomness is an a priori fixed random tape, i.e. using a security definition similar to PA1 plaintext awareness, then it is simple for the simulator to fool the verifier by choosing the values of R _i so that the it can compute the square roots of $R_{i} \cdot y^{b_{i}}$. However, if the verifier has the ability to obtain new random bits during its execution, i.e. using a security definition similar to PA1+ plaintext awareness, then the simulator cannot fool the verifier as it does not know the bits (b ₁,b ₂,…,b _ℓ) when it has to commit to the values of (R ₁,R ₂,…,R _ℓ).

The PA1+ definition prevents the plaintext extractor $\mathcal {A}^{*}$ from returning values that are based on the ciphertext creator $\mathcal {A}$’s future actions (which prevents the use of certain proof techniques such as rewinding). This makes the PA1+ definition harder to achieve.

3.3 Simplifying PA2 Plaintext Awareness

The full definition for PA2 plaintext awareness models a very general scenario: the plaintext creator can be used to represent any number of (stateful) communicating users which wish to generate any number of ciphertexts using any polynomial-time distribution. This definition appears stronger than is required to prove Theorem 3.3, which only requires that we consider two plaintext creators, $\mathcal {P}_{0}$ and $\mathcal {P}_{1}$, defined as follows:^{Footnote 2}

We will show that, under certain conditions, plaintext awareness with respect to these two plaintext creators is equivalent to the general PA2 plaintext awareness.

Definition 3.7

(2PA2)

A public-key encryption scheme is 2PA2 plaintext aware if for every PPT ciphertext creator $\mathcal {A}$ there exists a PPT plaintext extractor $\mathcal {A}^{*}$ such that for the plaintext creators $\mathcal {P}\in\{\mathcal {P}_{0},\mathcal {P}_{1}\}$ and PPT distinguisher algorithms D we have that $\mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}}^{\texttt {\tiny PA2}}(k)$ is negligible.

We may now begin to relate 2PA2 and PA2 plaintext awareness for LH-IND-CPA and LH-IND-CCA2 schemes. We aim to show that a scheme which is LH-IND-CPA and 2PA2 plaintext aware is PA2. We will do this by showing a stronger theorem; we show that for a scheme which is LH-IND-CCA2 (e.g. as it is IND-CPA and 2PA2 plaintext aware) we have that a scheme that is plaintext aware with respect to any fixed plaintext creator (e.g. the $\mathcal {P}_{0}$ plaintext creator in the 2PA2 definition) is plaintext aware with respect to all plaintext creators (i.e. PA2 plaintext aware).

Theorem 3.8

Let $\hat{\mathcal {P}}$ be some fixed, stateless polynomial-time plaintext creator (i.e. $\hat{\mathcal {P}}$ does not pass state between invocations). If a public-key encryption scheme Π is LH-IND-CCA2 secure and PA2 plaintext aware with respect to the plaintext creator $\hat{\mathcal {P}}$, then Π is PA2 plaintext aware.

Proof

Let $\varPi=(\mathcal {G},\mathcal {E},\mathcal {D})$ and $\mathcal {A}$ be any PA2 ciphertext creator. Then, since Π is PA2 plaintext aware for the plaintext creator $\hat{\mathcal {P}}$, there exists a plaintext extractor $\mathcal {A}^{*}$ which “simulates” the decryption oracle in $\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\hat{\mathcal {P}},D}^{\texttt {\tiny FAKE-PA2}}$. We show that $\mathcal {A}^{*}$ “simulates” the decryption oracle for any plaintext creator $\mathcal {P}$.

Suppose $\mathcal {A}$ makes at most n queries to the plaintext creator oracle. Consider $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}$ instantiated with an arbitrary PPT plaintext creator $\mathcal {P}$. Define the games $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-$i$}}$ to be identical to $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}$ except that the final i plaintext creator oracle queries are answered using the plaintext creator $\hat{\mathcal {P}}$. Hence, $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}=\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-0}}$ and $\textsc {Expt}_{\mathcal {A},\hat{\mathcal {P}},D}^{\texttt {\tiny REAL-PA2}}=\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-$n$}}$. Suppose that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-0}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-$n$}}\bigr]\bigr| $$

is non-negligible. Then, by a hybrid argument, there exists a sequence of values i _k such that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-$i_{k}$}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-$(i_{k}+1)$}}\bigr]\bigr| $$

is non-negligible. We use this to build an LH-IND-CCA2 attacker $\mathcal {B}=(\mathcal {B}_{1},\mathcal {B}_{2})$ as follows:

Thus,

The fact that $(\mathcal {G},\mathcal {E},\mathcal {D})$ is LH-IND-CCA2 secure means that $\mathit {Adv}_{\mathrm {\mathcal {B}}}^{\texttt {\tiny LH-IND}}(k)$ is negligible, which is a contradiction. A similar argument (based on LH-IND-CPA security) shows that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr] - \Pr\bigl [\textsc {Expt}_{ \mathcal {A},\mathcal {A}^{*},\hat{\mathcal {P}},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr]\bigr| $$

is negligible. However, since Π is 2PA2 plaintext aware, we have that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\hat{\mathcal {P}},D}^{\texttt {\tiny REAL-PA2}}=1\bigr] - \Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*}, \hat{\mathcal {P}},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr]\bigr| $$

is negligible. Thus, we conclude that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}=1\bigr] - \Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr]\bigr| $$

is negligible, which means that Π is PA2 plaintext aware. □

Corollary 3.9

A public-key encryption scheme Π which is LH-IND-CPA secure and 2PA2 plaintext aware is PA2 plaintext aware.

Proof

If Π is LH-IND-CPA secure and 2PA2 plaintext aware, then Π is LH-IND-CCA2 secure by Theorem 3.3. And so, by Theorem 3.8, it is PA2 plaintext aware. □

3.4 Relations between Notions of Plaintext Awareness

It is trivial to see that PA2+ ⇒ PA1+ ⇒ PA1 and PA2+ ⇒ PA2 ⇒ PA1 (where X ⇒ Y means that any public-key encryption scheme which satisfies notion X must also satisfy notion Y). We would hope that, for sufficiently random encryption schemes, we also have that PA2 ⇒ PA2+, and this does indeed turn out to be the case. We will also see that, for encryption schemes whose ciphertexts resemble strings of random bits, PA1+ ⇒ PA2+. The relationship between the notions of plaintext awareness is shown in Fig. 5.

In this section, we will prove that schemes which are IND-CPA and PA2 plaintext aware are necessarily PA2+ plaintext aware (and therefore trivially PA1+ plaintext aware). Our proof uses a universal hash family [9] to extract the randomness inherent in the ciphertext produced by an IND-CPA encryption scheme.

Definition 3.10

(Universal Hash Family)

A family (H,K,A,B) of functions (H _k)_k∈K, where H _k:A→B for all k∈K, is universal if for all x,y∈A satisfying x≠y we have

$$\Pr\bigl[H_{k}(x)=H_{k}(y) \,:\, k\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }K\bigr] \leq1/|B| . $$

Definition 3.11

(Collision Probability)

For a random variable x which takes values on a set X, the collision probability is defined to be

$$\kappa(x) = \sum_{y\in X} \Pr[x=y]^{2}. $$

Lemma 3.12

The following results will be useful in later proofs:

1.
If x is a random variable on a set X, then $\max_{y\in X} \Pr [x=y] \leq\sqrt{\kappa(x)}$.
2.
Let $(\mathcal {G},\mathcal {E},\mathcal {D})$ be a public-key encryption scheme and M be a deterministic polynomial-time algorithm which outputs a message $M(\mathit {pk}) \in \mathcal {M}$. If x is the random variable on $\mathcal {C}$ distributed according to $\mathcal {E}(\mathit {pk},M(\mathit {pk}))$, then there exists an IND-CPA adversary $\mathcal {B}$ such that $\kappa(x) = \mathit {Adv}_{\mathrm {\mathcal {B}}}^{\texttt {\tiny IND}}(k)$.

The first part follows trivially from the definition of collision probability. The second part can easily be proven by noting that if $C_{1}, C_{2} \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk},M(\mathit {pk}))$ then the probability that C ₁=C ₂ is κ(x). The IND-CPA attacker $\mathcal {B}$ is constructed by setting $\mathcal {B}_{1}$ to output m ₀←M(pk) and some arbitrary m ₁≠m ₀, and setting $\mathcal {B}_{2}$ to output 0 if $C^{*} = \mathcal {E}(\mathit {pk},M(\mathit {pk}))$ and 1 otherwise.

The leftover hash lemma was originally proven by Håstad et al. [18]. We present the version given by Shoup [27, Theorem 6.21]:

Lemma 3.13

(Leftover Hash Lemma)

Let (H,K,A,B) be a family of universal hash functions. If $k\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }K$, x ₁,…,x _ℓ are random variables on A which are independent of k, and $y_{1},\ldots,y_{\ell} \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }B$, then

$$\varDelta \bigl[\bigl(k,H_{k}(x_{1}),\ldots,H_{k}(x_{\ell}) \bigr),(k,y_{1},\ldots,y_{\ell })\bigr] \leq\ell\sqrt{|B| \kappa}/2 \quad\mbox{\textit{where}} \ \kappa= \max_{i=1}^{\ell} \bigl\{\kappa(x_{i})\bigr\}. $$

We are now in a position to state and prove the main theorem of this section. This technical theorem essentially proves that a scheme which is IND-CPA secure and PA2 plaintext aware is PA2+ plaintext aware (and therefore PA1+ plaintext aware).

Theorem 3.14

If a public-key encryption scheme Π is IND-CPA secure and 2PA2 plaintext aware, then it is 2PA2+ plaintext aware.

Proof

Suppose $\varPi= (\mathcal {G},\mathcal {E},\mathcal {D})$. We intend to simulate the randomness oracle by hashing ciphertexts $\mathcal {E}(\mathit {pk},0)$ using a universal hash function. Let ℓ(k) be a (polynomial) upper-bound on the length of $\mathcal {E}(\mathit {pk},0)$ (such a bound exists as $\mathcal {E}$ is a strict polynomial-time algorithm). Let A be the set of all strings of length at most ℓ(k) and B={0,1}. We can construct a universal hash family from A to B without computational assumptions [9], so let (H _k)_k∈K be such a family.

Let $\mathcal {A}$ be a 2PA2+ ciphertext creator (i.e. $\mathcal {A}$ expects to have access to encryption, decryption, and randomness oracles). Let q _D and q _R be a bound on the number of decryption and randomness oracle queries respectively. We construct a 2PA2 ciphertext creator $\mathcal {B}$ (i.e. $\mathcal {B}$ has access to an encryption and decryption oracle) as in Fig. 6. (Note that we may assume that there exists a polynomial-bound t(k) on the number of random bits on $\mathcal {A}$’s initial random tape as $\mathcal {A}$ is polynomial time.) Since $(\mathcal {G},\mathcal {E},\mathcal {D})$ is 2PA2 plaintext aware, there exists a plaintext extractor $\mathcal {B}^{*}$ for $\mathcal {B}$. We use $\mathcal {B}^{*}$ to construct a 2PA2+ plaintext extractor $\mathcal {A}^{*}$ for $\mathcal {A}$ as in Fig. 6.

We now prove that $\mathcal {A}^{*}$ simulates the decryption oracle for $\mathcal {A}$. Fix a PPT distinguisher algorithm D. We will define a series of games G _i in which $\mathcal {A}$ outputs a variable x and let W _i be the event that D(x)=1 in game G _i. The games are summarised in Figs. 7 and 8.

Game G ₁: G ₁ is the $\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-2PA2+}}$ game.

Game G ₂: G ₂ is similar to G ₁ except that some of the components of the plaintext extractor $\mathcal {A}^{*}$ are moved into the randomness extractor $\mathcal {O}_{\mathcal {R}}$. G ₁ and G ₂ are identical except for one (subtle) exception. The ciphertext creator $\mathcal {A}$ is forbidden from submitting a ciphertext C∈CList to the decryption oracle. This means that, in G ₂, the ciphertext creator is forbidden from querying the decryption oracle on C∈RCList. The two games are identical if this is does not occur. Throughout this proof, z will be the distribution of $\mathcal {E}(\mathit {pk},0)$ on $\mathcal {C}$. The elements of RCList are distributed according to z and are unknown to $\mathcal {A}$. By Lemma 3.12, the probability that some specific decryption oracle query C is equal to some specific ciphertext C′∈RCList is bounded by $\sqrt{\kappa(z)}$ and κ(z) is bounded by $\mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny IND}}(k)$ for some IND-CPA adversary $\mathcal {B}'$. Therefore, $|{\Pr}[W_{1}]-\Pr[W_{2}]|\leq q_{D}q_{R}\sqrt{\mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny IND}}(k)}$.

Game G ₃: G ₃ is similar G ₂ except that $\mathcal {O}_{\mathcal {R}}$ continues to generate ciphertexts C until it generates one for which H _k(C)=ρ. Obviously, G ₂ and G ₃ are identical as long as $\mathcal {O}_{\mathcal {R}}$ doesn’t “abort” and set C←0 in G ₂. By the Leftover Hash Lemma (Lemma 3.13), if $C' \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk},0)$ and $\rho \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}$, then $\varDelta [(k,H_{k}(C')),(k,\rho)] \leq\sqrt{\kappa(z)/2}$. Since $\kappa(z) = \mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny IND}}(k)$ and Π is IND-CPA secure, we have that Pr[H _k(C′)=0],Pr[H _k(C′)=1]≤2/3 for large enough k. Therefore, for large enough values of k, we have that the probability that we “abort” in G ₂ is bounded by q _R(2/3)^k and so |Pr[W ₂]−Pr[W ₃]|≤q _R(2/3)^k.

Game G ₄: G ₄ is similar to G ₃ except that we again alter the randomness oracle. In G ₄ we compute ρ←H _k(C′) for $C'\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk},0)$ rather than $\rho \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}$. Suppose that $\mathcal {O}_{\mathcal {R}}$ outputs random bits $\rho_{1},\ldots,\rho _{q_{R}}$ in G ₃ and $\rho'_{1},\ldots,\rho'_{q_{R}}$ in G ₄. By the Leftover Hash Lemma, we have that

$$\varDelta \bigl[(k,\rho_{1},\ldots,\rho_{q_{R}}),\bigl(k, \rho'_{1},\ldots,\rho'_{q_{R}}\bigr) \bigr] \leq q_{R}\sqrt{\kappa(z)/2} = q_{R}\sqrt{\mathit {Adv}_{\mathrm { \mathcal {B}'}}^{\texttt {\tiny IND}}(k)/2}. $$

This is a distributional step in game hopping, see Appendix A, and so $|{\Pr}[W_{4}]-\Pr[W_{3}]|\leq q_{R}\sqrt {\mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny IND}}(k)/2}$.

Game G ₅: A close examination of the inputs to $\mathcal {B}$ in G ₄ shows that the event W ₄ is the same as the event $\textsc {Expt}_{\mathcal {B},\mathcal {B}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-2PA2}}=1$. G ₅ is the game in which decryption oracle queries are answered by the real decryption algorithm. So W ₅ is the same as $\textsc {Expt}_{\mathcal {B},\mathcal {P},D}^{\texttt {\tiny REAL-2PA2}}=1$. Thus, |Pr[W ₅]−Pr[W ₄]| is negligible as Π is 2PA2 plaintext aware.

Game G ₆: G ₆ and G ₇ reverse the previous changes to the randomness oracle. In G ₆ the randomness oracle is changed so that it no longer adds ciphertexts to CList. Since decryption oracle queries are answered by $\mathcal {D}(\mathit {sk},\cdot)$, rather than the plaintext extractor $\mathcal {A}^{*}$, the only affect of this change is to allow the ciphertext creator $\mathcal {A}$ to query the decryption oracle on ciphertexts in (the list previously described as) RCList. By a similar argument to G ₂, we have that $|{\Pr}[W_{6}]-\Pr [W_{5}]|\leq q_{D}q_{R} \sqrt{\mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny IND}}(k)}$.

Game G ₇: G ₇ changes the randomness oracle so that it simply returns a random bit. By a similar argument to G ₄, we have that $|{\Pr}[W_{7}]-\Pr[W_{6}]|\leq q_{R}\sqrt{\mathit {Adv}_{\mathrm {B'}}^{\texttt {\tiny IND}}(k)/2}$. Now, an examination of G ₇ shows that it is identical to the $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-2PA2+}}$ game. Therefore, we have that

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-2PA2+}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-2PA2+}}=1\bigr]\bigr| = \bigl|\Pr[W_{1}]-\Pr[W_{7}]\bigr| $$

is negligible and so Π is 2PA2+ is plaintext aware. □

Corollary 3.15

If a public-key encryption scheme Π is PA2 plaintext aware, IND-CPA secure and has that $|\mathcal {M}|$ grows faster than any polynomial in the security parameter, then Π is PA2+ plaintext aware (and therefore also PA1+ plaintext aware).

Proof

Since Π is PA2 plaintext aware, it is 2PA2 plaintext aware (by inclusion). Since Π is IND-CPA secure and 2PA2 plainext aware, it is 2PA2+ plaintext aware (by Theorem 3.14). We also have that, since Π is PA2 plaintext aware, IND-CPA secure and has that $|\mathcal {M}|$ grows faster than any polynomial, Π is LH-IND-CPA (by Corollary 3.5). Lastly, since Π is LH-IND-CPA and 2PA2+, it is PA2+ (by an argument analogous to Corollary 3.9). □

4 Simulatable Sets and Algorithms

We now introduce a novel generalisation of dense sets: simulatable sets and algorithms. Roughly speaking, a set is dense if a randomly chosen element of the set is indistinguishable from a randomly chosen element of the set {0,1}^ℓ. In essence, a set is simulatable if it is computationally indistinguishable from the image of {0,1}^ℓ under an invertible polynomial-time map. Since one can easily generate random elements in {0,1}^ℓ, one can also easily simulate a random element of the set by generating a random element of {0,1}^ℓ and applying the polynomial-time map (and vice versa).

We consider a family of sets indexed by a security parameter k∈ℕ. We may wish to simulate different sets at the same security level, so we allow for the possibility of further indexing at each security level. Hence, we consider families of sets of the form $S=((S_{i})_{i\in I_{k}})_{k\in \mathbb {N}}$ or (S _k)_k∈ℕ. A simulator for a family of sets $((S_{i})_{i\in I_{k}})_{k\in \mathbb {N}}$ is a tuple (f,f ⁻¹,ℓ) where ℓ(k) is a polynomial and (f,f ⁻¹) is a pair of PPT algorithms with the following properties:

f is a deterministic algorithm which takes as input a security parameter 1^k, an index i∈I _k, and a seed r∈{0,1}^ℓ(k), and outputs an element s∈S _i.
f ⁻¹ is a probabilistic algorithm which takes as input a security parameter 1^k, an index i, and an element s∈S, and outputs a seed r∈{0,1}^ℓ(k).
For all k∈ℕ, i∈I _k, s∈S _i, we have that f(1^k,i,f ⁻¹(1^k,i,s))=s.

In situations where the security parameter is clear by context, we will write f(i,r) and f ⁻¹(i,s) for f(1^k,i,r) and f ⁻¹(1^k,i,s), respectively.

We require that f ⁻¹(1^k,i,f(1^k,i,r)) appears to be random. Let U _k be the uniform distribution on {0,1}^ℓ(k) and let Y _k be the distribution on {0,1}^ℓ(k) given by f ⁻¹(1^k,i,f(1^k,i,r)) where $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell(k)}$. We define the simulator to be “statistically random-set simulatable” if Δ[U _k,Y _k] is negligible as a function of k. We define a simulator to be “computationally random-set simulatable” if the distributions U _k and Y _k are computationally indistinguishable. This is defined by the games in Fig. 9. A PPT algorithm $\mathcal {A}$ has advantage

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny RAND}} = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny RAND-1}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny RAND-0}}=1\bigr]\bigr| $$

in breaking the random-set simulatable property of the simulator. A simulator is “computationally random-set simulatable” if every PPT algorithm $\mathcal {A}$ has negligible advantage.

We also require that f(1^k,i,r) looks like a random element of the set S _i; however, the exact form of this definition depends upon whether we are talking about a simulatable set or a simulatable algorithm (of various different types). Let U _k be the uniform distribution on S _i and let Y _k be the distribution on S _i given by f(1^k,i,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell(k)}$. We say that the set is “statistically image-set simulatable” if Δ[U _k,Y _k] is negligible as a function of k. A set is “computationally image-set simulatable” is U _k and Y _k are computationally indistinguishable. This is defined by the games in Fig. 10. A PPT attacker has advantage

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny IM}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny IM-1}}=1\bigr] - \Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny IM-0}}=1\bigr]\bigr| $$

in breaking the image-set simulatable property of the simulator. A simulator is “computationally image-set simulatable” if every PPT algorithm $\mathcal {A}$ has negligible advantage.

Definition 4.1

(Simulatable Set)

A family of sets is statistically simulatable if there exists a simulator which is both statistically random-set and statistically image-set simulatable. A family of sets is computationally simulate if there exists a simulator which is both computationally random-set and computationally image-set simulatable.

A simple hybrid argument/probability argument shows the following:

Lemma 4.2

If the sets A and B are computationally/statistically simulatable, then the set A×B is computationally/statistically simulatable.

We will require the use of public-key encryption schemes with computationally simulatable ciphertext spaces; however, since we are going to attempt to simulate ciphertexts in the presence of a decryption oracle, we require a stronger notion of simulatability than for sets. Note that we may define the ciphertext space of a public-key encryption scheme as a family of sets $((\mathcal {C}_{\mathit {pk}})_{\mathit {pk}\in\mathit {PK}_{k}})_{k\in \mathbb {N}}$ where PK _k is the set of all public keys that could be produced for the security parameter 1^k. We define ciphertext-space simulatability using the games in Fig. 11. We define the attacker’s advantage $\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny PKE}}(k)$ in the usual way and define a public-key encryption scheme to be computationally ciphertext-space simulatable if every PPT algorithm $\mathcal {A}$ has negligible advantage.

Definition 4.3

(Simulate PKE)

A public-key encryption scheme is simulatable if there exists a simulator for the family $((\mathcal {C}_{\mathit {pk}})_{\mathit {pk}\in\mathit{PK}_{k}})_{k\in \mathbb {N}}$ which is computationally random-set simulatable and computationally ciphertext-space simulatable.

The following property was first noted by Stam [28].

Lemma 4.4

If a public-key encryption scheme is simulatable, then it is IND-CCA2 secure.

Sketch Proof

By the definition of a simulatable encryption scheme, one can replace the generation of the challenge ciphertext $C^{*} \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {E}(\mathit {pk},m_{b})$ with the generation of a simulated ciphertext C ^∗←f(1^k,pk,r) in the IND-CCA2 model. However, this is independent of the bit b, and so the probability that an attacker recovers b in this model is 1/2. □

This lemma represents one of the major challenges of plaintext awareness: all known proofs for plaintext awareness require that the public-key encryption scheme is simulatable. Thus, these proof techniques can only ever be applied to schemes which are already known to be IND-CCA2 secure and so plaintext awareness is not an effective tool for proving IND-CCA2 security.

5 A Strategy for Proving PA2 Plaintext Awareness

In this section, we will prove that a public-key encryption scheme which is PA1+ plaintext aware and simulatable is PA2 plaintext aware. This is logical: if the encryption scheme is simulatable then ciphertexts are indistinguishable from random bitstrings. Hence, access to an encryption oracle is indistinguishable from access to a randomness oracle. This gives the only known strategy for proving that schemes are PA2 plaintext aware: one proves that the scheme is both simulatable and that it is PA1+ plaintext aware.

Theorem 5.1

If Π is simulatable and PA1+ plaintext aware, then it is PA2 plaintext aware.

Proof

Suppose that $\varPi=(\mathcal {G},\mathcal {E},\mathcal {D})$ is simulatable with simulator (f,f ⁻¹,ℓ) and let $\mathcal {A}$ be a PA2 ciphertext creator. We define a PA1+ ciphertext creator $\mathcal {B}$ in Fig. 12. Since Π is PA1+ plaintext aware, there exists a PA1+ plaintext extractor $\mathcal {B}^{*}$ for $\mathcal {B}$. We use $\mathcal {B}^{*}$ to construct a PA2 plaintext extractor $\mathcal {A}^{*}$ for $\mathcal {A}$ in Fig. 12.

This proof is similar to, but slightly simpler than, Theorem 3.14. Fix a PPT distinguisher D and let W _i be the event that D(x)=1 in game G _i. The games are shown in Fig. 13.

Game G ₁: G ₁ is the $\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-PA2}}$ game.

Game G ₂: G ₂ is similar to G ₁ except that the encryption oracle $\mathcal {O}_{\mathcal {E}}$ returns f(pk,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\} ^{\ell}$ rather than $\mathcal {E}(\mathit {pk},\mathcal {P}(\alpha))$. Any difference between Pr[W ₁] and Pr[W ₂] gives rise to an attacker $\mathcal {B}'$ against the computational ciphertext-space simulatable property of the encryption scheme. The attacker $\mathcal {B}'$ is defined as follows:

The event W ₁ is equivalent to $\textsc {Expt}_{\mathcal {B}'}^{\texttt {\tiny PKE-1}}=1$ and the event W ₂ is equivalent to $\textsc {Expt}_{\mathcal {B}'}^{\texttt {\tiny PKE-0}}=1$. Hence, $|{\Pr} [W_{1}]-\Pr [W_{2}]| \leq \mathit {Adv}_{\mathrm {\mathcal {B}'}}^{\texttt {\tiny PKE}}(k)$ is negligible. (Note that $\mathcal {B}'$ does not make use of its decryption oracle in this step. This will not be the case when we make an analogous game hop in G ₅.)

Game G ₃: G ₃ is similar to G ₂ except that the randomness oracle constructs RList rather than the plaintext extractor $\mathcal {A}^{*}$. In G ₂, the element f ⁻¹(pk,f(pk,r)) is added to RList. In G ₃, the element r is added to RList. Any difference between Pr[W ₂] and Pr[W ₃] gives rise to an attacker $\mathcal {B}^{*}$ against the computational random-set simulatable property of the encryption scheme. The attacker $\mathcal {B}^{*}$ is defined as follows:

The randomness oracle ${\mathcal {O}}'_{\mathcal {R}}$ returns either $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\} ^{\ell }$ or f ⁻¹(pk,f(pk,r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell}$ depending on the random-set simulatable game. In both cases, f(pk,r) is returned to the ciphertext creator $\mathcal {A}$, as f(pk,f ⁻¹(pk,f(pk,r)))=f(pk,r) since f(pk,f ⁻¹(pk,C))=C for all $C\in \mathcal {C}$. The event W ₂ is identical to $\textsc {Expt}_{\mathcal {B}^{*}}^{\texttt {\tiny RAND-0}}=1$ and the event W ₃ is identical to $\textsc {Expt}_{\mathcal {B}^{*}}^{\texttt {\tiny RAND-1}}=1$. Thus, $|{\Pr}[W_{3}]-\Pr [W_{2}]| \leq \mathit {Adv}_{\mathrm {\mathcal {B}^{*}}}^{\texttt {\tiny RAND}}(k)$ is negligible by the random-set simulatable property.

Game G ₄: An examination of G ₃ shows that it is identical to $\textsc {Expt}_{\mathcal {B},\mathcal {B}^{*},D}^{\texttt {\tiny FAKE-PA1+}}$. G ₄ changes the decryption oracle so that it answers queries using the real decryption algorithm, i.e. G ₄ is $\textsc {Expt}_{\mathcal {B},D}^{\texttt {\tiny REAL-PA1+}}$. Since Π is PA1+, we have that $|{\Pr}[W_{4}]-\Pr[W_{3}]|\leq \mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*},D}}^{\texttt {\tiny PA1+}}(k)$ is negligible.

Game G ₅: G ₅ changes the action of the encryption oracle $\mathcal {O}_{\mathcal {E}}$ back to its original state, i.e. the encryption oracle returns $\mathcal {E}(\mathit {pk},\mathcal {P}(\alpha))$. A similar argument to that in G ₂ shows that any difference between Pr[W ₄] and Pr[W ₅] leads to an attacker $\mathcal {B}^{\dagger}$ against the computational ciphertext-space simulatable property of the encryption scheme (although in this case decryption oracle queries made by $\mathcal {A}$ are handled using $\mathcal {B}^{\dagger}$’s decryption oracle). Thus, $|{\Pr} [W_{5}]-\Pr[W_{4}]| \leq \mathit {Adv}_{\mathrm {\mathcal {B}^{\dagger}}}^{\texttt {\tiny PKE}}(k)$ is negligible.

However, G ₅ is identical to $\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}$. So

$$\bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},\mathcal {P},D}^{\texttt {\tiny FAKE-PA2}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {P},D}^{\texttt {\tiny REAL-PA2}}=1\bigr]\bigr| = \bigl|\Pr[W_{1}]-\Pr[W_{5}]\bigr| $$

is negligible and we conclude that Π is PA2 plaintext aware. □

A similar argument (with more complex book-keeping) can be used to prove that a public-key encryption scheme which is simulatable and PA1+ plaintext aware is necessarily PA2+ plaintext aware. However, we will be content with the basic result.

6 Extending the PA2 Proof Strategy to Hybrid Encryption Schemes

Section 5 provides a basic strategy for proving PA2 plaintext awareness; however, a proof which applies this methodology directly can quickly become complex in practice. In this section, we break the proof methodology down into several steps for hybrid encryption schemes.

6.1 Hybrid Encryption Using KEMs and DEMs

One common method to construct a practical public-key encryption scheme is to use hybrid encryption. This technique separates the public-key encryption scheme into an asymmetric key encapsulation mechanism (KEM) and a symmetric data encapsulation mechanism (DEM). Owing to the use of the symmetric DEM, the resulting public-key encryption scheme has the advantage of being able to encrypt messages of any length.

The notion of a hybrid encryption scheme was formalised using KEMs and DEMs by Cramer and Shoup [10, 25]. A KEM is a triple of PPT algorithms (Gen,Encap,Decap). The key generation algorithm takes a security parameter 1^k and outputs a public/private key pair $(\mathit {pk},\mathit {sk})\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathit {Gen}(1^{k})$. The public key defines a ciphertext space $\mathcal {C}$ and a symmetric key space $\mathcal {K}$. The encapsulation algorithm takes a public key pk as input, and outputs a ciphertext and a symmetric key $(C,K)\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathit {Encap}(\mathit {pk})$. The (deterministic) decapsulation algorithm takes a private key sk and a ciphertext $C\in \mathcal {C}$, and outputs either a symmetric key K←Decap(sk,C) or the distinguished error symbol ⊥. For correctness we require that for all $(\mathit {pk},\mathit {sk})\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathit {Gen}(1^{k})$ and $(C,K)\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathit {Encap}(\mathit {pk})$, we have that Decap(sk,C)=K with probability 1.

A DEM is defined by a pair of deterministic polynomial-time algorithms (Enc,Dec) and these algorithms implicitly define a key space $\mathcal {K}$, a message space $\mathcal {M}$, and a ciphertext space $\mathcal {C}$. The encapsulation algorithm takes a symmetric key $K\in \mathcal {K}$ and a message $m\in \mathcal {M}$ as input, and outputs a ciphertext C←Enc _K(m). The decapsulation algorithm takes a symmetric key $K\in \mathcal {K}$ and a ciphertext $C\in \mathcal {C}$ as input, and outputs either a message m←Dec _K(C) or the distinguished error symbol ⊥. For correctness we require that for all $K\in \mathcal {K}$ and $m\in \mathcal {M}$, we have that Dec _K(Enc _K(m))=m.

A public-key encryption scheme may be formed from a KEM and a DEM by setting the PKE key generation algorithm $\mathcal {G}$ to be the KEM key generation algorithm Gen, and computing encryption and decryption as in Fig. 14. Cramer and Shoup proved that the combination of a sufficiently secure KEM and a sufficiently secure DEM leads to an IND-CCA2 public-key encryption scheme [10, 25], although the exact form of that result is not relevant to this paper. However, we will note that a “sufficiently secure” DEM can be constructed through an “encrypt-then-MAC” construction using, for example, counter mode encryption with a CBC-MAC algorithm.

6.2 Simulatable KEMS and DEMs

Our strategy requires us to extend the notion of simulatable encryption to KEMs and DEMs. These notions are very similar to that of a simulatable encryption scheme. For a simulatable KEM, we consider the family of sets which define the ciphertext space $((\mathcal {C}_{\mathit {pk}})_{\mathit {pk}\in \mathit{PK}_{k}})_{k\in \mathbb {N}}$ as in Sect. 4 and define ciphertext-space simulatability using the games defined in Fig. 15. We define the attacker’s advantage $\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny KEM}}(k)$ in the usual way and define a KEM to be computationally ciphertext-space simulatable if every PPT algorithm $\mathcal {A}$ has negligible advantage.

Definition 6.1

(Simulatable KEM)

A KEM is simulatable if there exists a simulator for the family $((\mathcal {C}_{\mathit {pk}})_{\mathit {pk}\in\mathit{PK}_{k}})_{k\in \mathbb {N}}$ which is computationally random-set simulatable and computationally ciphertext-space simulatable.

For a simulatable DEM, we consider the family of ciphertext spaces $(\mathcal {C}_{k})_{k\in \mathbb {N}}$ and define ciphertext-space simulatability via the games in Fig. 16. We define the attacker’s advantage $\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny DEM}}(k)$ in the usual way and define a DEM to be computationally ciphertext-space simulatable if every PPT algorithm $\mathcal {A}$ has negligible advantage.

Definition 6.2

(Simulatable DEM)

A DEM is simulatable if there exists a simulator for the family (C)_k∈ℕ which is computationally random-set simulatable and computationally ciphertext-space simulatable.

There is a strong similarity between the notion of simulatable DEMs and the notion of IND-R-CCA2 security for symmetric encryption schemes [24]. Using similar techniques, it is relatively easy to show that an encrypt-then-MAC DEM composed of counter model encryption and CBC-MAC (each using an independent ideal cipher) is simulatable when $\mathcal {M}= \{0,1\}^{n}$ [5, 22]. The following lemma follows easily from the definitions:

Lemma 6.3

The composition of a simulatable KEM (with a super-polynomially-sized symmetric key space) and a simulatable DEM is a simulatable hybrid encryption scheme.

Remark 6.4

We have given the original definitions of simulatable sets/algorithms [12] in which the attacker is given access to an oracle which supplies multiple set elements/ciphertexts. A simple hybrid argument can be used to show that the definitions are equivalent to a simpler definition in which an attacker can only obtain a single set element/ciphertext. These definitions can be phrased in terms of an attacker $\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})$ in which $\mathcal {A}_{1}$ outputs the single oracle query and $\mathcal {A}_{2}$ processes this oracle’s response. We will use both version of these definitions in this paper. To prove a scheme is simulatable, we will use the single-query version of the definition; however, when making use of a simulatable set/scheme in a larger construction, we will assume the multi-query definition.

6.3 Proving PA2 Plaintext Awareness for Hybrid Encryption

We begin by defining a notion of PA1+ plaintext awareness for KEMs via the two games given in Fig. 17 (which make use of a ciphertext creator $\mathcal {A}$, a plaintext extractor $\mathcal {A}^{*}$ and a distinguisher algorithm D). The advantage is defined as

$$\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny KEM-PA1+}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A},D}^{\texttt {\tiny REAL-KEM-PA1+}}=1\bigr]- \Pr\bigl[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny FAKE-KEM-PA1+}}=1\bigr]\bigr|. $$

Definition 6.5

A KEM Π _K is PA1+ plaintext aware if for every PPT ciphertext creator $\mathcal {A}$ there exists a PPT plaintext extractor $\mathcal {A}^{*}$ such that for all PPT distinguisher algorithms D we have that $\mathit {Advv}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny KEM-PA1+}}(k)$ is negligible.

We now simplify the process of proving PA1+ plaintext awareness in the case of hybrid encryption schemes by showing that a hybrid encryption scheme Π is PA1+ plaintext aware if and only if its KEM Π _K is PA1+ plaintext aware. This proof technique does not immediately extend to PA2 plaintext awareness and this issue is further discussed by Jiang and Wang [19].

Lemma 6.6

Suppose Π is a public-key encryption scheme composed of a KEM scheme Π _K and a DEM scheme Π _D. If Π _K is PA1+ plaintext aware, then Π is PA1+ plaintext aware.

Proof

Let $\mathcal {A}$ be a PA1+ ciphertext creator for Π and suppose that the DEM Π _D is a (deterministic) DEM of the form (Enc,Dec). We may define a PA1+ ciphertext creator $\mathcal {B}$ for Π _K as in Fig. 18. Since Π _K is PA1+, there exists a plaintext extractor $\mathcal {B}^{*}$ for $\mathcal {B}$. We define a plaintext extractor $\mathcal {A}^{*}$ for Π in Fig. 18. An examination of the games easily shows that for any distinguisher algorithm D, we have $\textsc {Expt}_{\mathcal {A},D}^{\texttt {\tiny REAL-PA1+}}=\textsc {Expt}_{\mathcal {B},D}^{\texttt {\tiny REAL-KEM-PA1+}}$ and $\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny FAKE-PA1+}}=\textsc {Expt}_{\mathcal {B},\mathcal {B}^{*},D}^{\texttt {\tiny FAKE-KEM-PA1+}}$, which means that Π if PA1+ if Π _K is PA1+.

□

This now gives a complete strategy to prove that a hybrid encryption scheme, consisting of a KEM Π _K and a DEM Π _D, is PA2 plaintext aware:

Prove that Π _K is PA1+ plaintext aware.
Prove that both Π _K and Π _D are simulatable.

Recall that several DEMs have already been shown to be simulatable [5, 22] and so we may concentrate on proving that there are PA1+ and simulatable KEMs.

7 The Cramer–Shoup Encryption Scheme

In this section, we will use our strategy to show the hybrid Cramer–Shoup encryption scheme [10] is PA2 under a variety of assumptions including the interactive Diffie–Hellman Knowledge (DHK) assumption.^{Footnote 3}

7.1 Assumptions

The Cramer–Shoup encryption scheme is defined over a group $\mathbb {G}$ with a generator g of prime order q. We will require that the group is statistically simulatable (as a set), that the DDH problem is hard on $\mathbb {G}$, and that the DHK assumption holds on $\mathbb {G}$.

Definition 7.1

(DDH)

The DDH advantage of an attacker $\mathcal {A}$ is defined as

The DDH problem is hard if every PPT attacker $\mathcal {A}$ has negligible advantage.

The DHK assumption was first introduced by Dåmgard [11]. It is a very strong, interactive assumption which is designed to capture the intuition that it does not seem to be possible to create a Diffie–Hellman tuple (g,a,g ^x,a ^x) from (g,a) without knowing x. Let DH={(g,g ^x,g ^y,g ^xy) : x,y∈ℤ_q}. We define DHK security via the security game shown in Fig. 19.

Definition 7.2

(DHK)

The DHK advantage of an attacker $\mathcal {A}$ and an extractor $\mathcal {A}^{*}$ is defined as $\mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*}}}^{\texttt {\tiny DHK}}(k)=\Pr[\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*}}^{\texttt {\tiny DHK}}=1]$. The DHK assumption holds if for every PPT attacker $\mathcal {A}$ there exists a PPT extractor algorithm $\mathcal {A}^{*}$ such that $\mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*}}}^{\texttt {\tiny DHK}}(k)$ is negligible.

In order to prove that the Cramer–Shoup encryption scheme is plaintext aware, we require groups which are simulatable and on which the DDH and DHK assumptions are believed to hold. We will aim to show that a q-order finite field group $\mathbb {G}_{k} \subseteq\mathbb{F}_{p_{k}}$ is simulatable. Our strategy will be to show that $\mathbb{F}_{p_{k}}$ is simulatable and that sufficiently large subsets of simulatable sets are also simulatable.

We begin by showing that families of sets $S = ((S_{i})_{i\in I_{k}})_{k\in \mathbb {N}}$ with $S_{i} = \mathbb {Z}_{N_{i}}$ and 2^k−1<N _i<2^k are statistically simulatable. We define a simulator Π _S=(f,f ⁻¹,ℓ) where ℓ=2k and

Lemma 7.3

The simulator Π _S witnesses the fact that S is simulatable, i.e. Π _S is statistically random-set and statistically image-set simulatable.

Image-Set Simulatable Proof

Let α _i=⌊2^2k/N _i⌋ and β _i=2^2kmodN _i (i.e. 2^2k=α _i N _i+β _i). Let U be the uniform distribution on S _i and let Y be the distribution given by f(i,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell}$. Split S _i into two disjoint sets $S^{+}_{i}$ and $S^{-}_{i}$ where $S^{+}_{i}=\{0,\ldots ,\beta_{i}-1\}$ and $S^{-}_{i}=\{\beta_{i},\ldots,N_{i}-1\}$. Hence,

$$\bigl|\Pr[Y=s]-\Pr[U=s]\bigr| = \begin{cases} \bigl| \frac{\alpha_{i}+1}{2^{2k}} - \frac{1}{N_{i}} \bigr| & \mbox{if } s\in S^{+}_{i},\\[3pt] \bigl| \frac{\alpha_{i}}{2^{2k}} - \frac{1}{N_{i}} \bigr| & \mbox{if } s\in S^{-}_{i}. \end{cases} $$

Since 2^2k−α _i N _i=β _i, and β _i<N _i<2^k, we have that |Pr[Y=s]−Pr[U=s]|≤1/2^2k for all s∈S _i. Thus, Δ[U,Y]≤1/2^k and S is statistically image-set simulatable. □

Random-Set Simulatable Proof

Now let U′ be the uniform distribution on {0,1}^ℓ and Y′ be the distribution of f ⁻¹(i,f(i,r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell}$. We have

$$\bigl|\Pr\bigl[Y'=r'\bigr]-\Pr\bigl[U'=r' \bigr]\bigr| = \begin{cases} \bigl| \frac{\alpha_{i}+1}{\alpha_{i}2^{2k}}- \frac{1}{2^{2k}} \bigr| & \mbox{if } r' < \alpha_{i}N_{i} \mbox{ and } r' \bmod N_{i} \in S^{+}_{i},\\[3pt] \bigl| \frac{\alpha_{i}}{\alpha_{i}2^{2k}}- \frac{1}{2^{2k}} \bigr| & \mbox{if } r' < \alpha_{i}N_{i} \mbox{ and } r' \bmod N_{i} \in S^{-}_{i},\\[3pt] \frac{1}{2^{2k}} & \mbox{if } r' \geq\alpha_{i}N_{i}. \end{cases} $$

There exists α _i β _i≤α _i N _i values for r′ with r′<α _i N _i and $r' \bmod N_{i} \in S^{+}_{i}$ and there exists β _i<N _i values r′ with r′≥α _i N _i. Thus, Δ[U′,Y′]≤1/2^k and S is statistically random-set simulatable. □

This demonstrates that $\mathbb{F}_{p_{k}}$ is statistically simulatable when p _k is a k-bit prime. However, this does not imply that a prime order group $\mathbb {G}\subseteq\mathbb{F}_{p_{k}}$ is necessarily simulatable. To prove that we use the following lemma:

Lemma 7.4

(Simulatable Subset Lemma)

Suppose $S=((S_{i})_{i\in I_{k}})_{k\in \mathbb {N}}$ is statistically simulatable family of finite sets and that $S'=((S'_{i})_{i\in I_{k}})_{k\in \mathbb {N}}$ satisfies $S'_{i} \subseteq S_{i}$ for all i∈I _k and k∈ℕ. Let $\mu(k,i) = |S'_{i}|/|S_{i}|$ and ν(k,i)=1−μ(k,i). Suppose that there exists a polynomial p(k) such that μ(k,i),ν(k,i)≥|1/p(k)| for all sufficiently large k and i∈I _k and that there exists polynomial-time algorithm Ber _μ(1^k,i) which outputs a bit from the Bernoulli distribution with probability μ(k,i). Suppose further that membership of S _i and $S'_{i}$ are polynomial-time decideable. Then S′ is a statistically simulatable family of sets.

Image-Set Simulatable Proof

Suppose (f,f ⁻¹,ℓ) is a statistical simulator for S. We define a new simulator (f′,f′⁻¹,ℓ′) where ℓ′(k)=kp(k)ℓ(k) and the remaining algorithms are given in Fig. 20.

This proof can thought of as “distributional game hopping” and makes liberal use of the results of Appendix A. We define a number of distributions – un-prime distributions (e.g. X) are associated with (f,f ⁻¹,ℓ) and prime distributions (e.g. X′) are associated with (f′,f′⁻¹,ℓ′):

U _ℓ, U _ℓ′, U _T refer to the uniform distributions over the sets {0,1}^ℓ, {0,1}^ℓ′, T respectively. Note that T could be any set including S _i, $S'_{i}$ and $S_{i} \setminus S'_{i}$.
X refers to the distribution f(i,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\} ^{\ell}$.
Y refers to the distribution f ⁻¹(i,f(i,r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{ 0,1\}^{\ell}$.
Z refers to the distribution f ⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S_{i}$.
X′ refers to the distribution f′(i,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\} ^{\ell'}$ and $\bar{X'}$ refers to the distribution f′(i,r) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell'}$ conditioned on the fact that f′ does not set $\mathit{bad\_f}$ to be true. Note that $\varDelta [X',\bar{X'}] \leq1/2^{k}$.
Y′ refers to the distribution f′⁻¹(i,f(i,r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell'}$ and $\bar{Y'}$ refers to the distribution f′⁻¹(i,f(i,r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell'}$ conditioned on the fact that f′ does not set $\mathit{bad\_f}$ to be true. Note that $\varDelta [Y',\bar{Y'}] \leq1/2^{k}$.
Z′ refers to the distribution f′⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S'_{i}$ and $\bar{Z'}$ refers to the distribution f′⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S'_{i}$ conditioned on the fact that f′⁻¹ does not set $\mathit{bad\_finv}$ to be true. Note that $\varDelta [Z',\bar {Z'}] \leq1/2^{k}$.

In order to show that S′ is statistically image-set simulatable, we need to show that $\varDelta [U_{S'_{i}},X']$ is negligible. This follows simply as

$$\varDelta \bigl[U_{S'_{i}},X'\bigr] \leq \varDelta \bigl[U_{S'_{i}},\bar{X'}\bigr] + \varDelta \bigl[\bar {X'},X'\bigr] \leq \varDelta \bigl[U_{S'_{i}}, \bar{X'}\bigr] + 1/2^{k} \leq p(k)\varDelta [U_{S},X] + 1/2^{k} $$

and as $\varDelta [U_{S_{i}},X]$ is negligible (by definition). □

Random-Set Simulatable Proof

It is more difficult to show that S′ is statistically random-set simulatable. We make use of the following simple fact:

$$\varDelta [U_{\ell},Z] \leq \varDelta [U_{\ell},Y] + \varDelta [Y,Z] \leq \varDelta [U_{\ell},Y] + \varDelta [X,U_{S_{i}}]. $$

Thus, Δ[U _ℓ,Z] is negligible (as S is statistically image-set and random-set simulatable). This can be interpreted as saying that the distribution f ⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S_{i}$ is statistically close to uniform on {0,1}^ℓ.

Consider $r'\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }f'^{-1}(i,f'(i,r))$ for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell'}$. We may split r′ into “blocks” $r'_{1}\|\ldots\|r'_{kp(k)}$ where each $r'_{j} \in\{0,1\}^{\ell}$. Let λ be the smallest integer such that $f(i,r'_{\lambda}) \in S'_{i}$ and note that the value λ is correctly distributed—i.e. if we chose $s_{j} \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S_{i}$ and set λ to be the smallest value for which $s_{\lambda } \in S'_{i}$ then λ would have the same binomial distribution as is produced by f ⁻¹. Therefore, it is sufficient to show that each “block” r _j is statistically close to an independent copy of the uniformly random distribution U _ℓ. This is trivially true for blocks with j>λ.

In order to show that S′ is statistically random-set simulatable, we have to show that Δ[U _ℓ′,Y′] is negligible. We begin by noting that

$$\begin{array}{rcl@{\quad }r} \varDelta \bigl[U_{\ell'},Y'\bigr] &\leq& \varDelta \bigl[U_{\ell'},\bar{Y'}\bigr] + \varDelta \bigl[\bar {Y'},Y'\bigr]\\[6pt] &\leq& \varDelta \bigl[U_{\ell'},\bar{Y'}\bigr] + 1/2^{k} & \bigl(\mbox{as $\varDelta \bigl[\bar {Y'},Y'\bigr]\leq1/2^{k}$}\bigr)\\[6pt] &\leq& \varDelta \bigl[U_{\ell'},Z'\bigr] + \varDelta \bigl[Z',\bar{Y'}\bigr] + 1/2^{k}\\[6pt] &\leq& \varDelta \bigl[U_{\ell'},Z'\bigr] + \varDelta \bigl[U_{S'_{i}},\bar{X}'\bigr] + 1/2^{k} & (*)\\[6pt] &\leq& \varDelta \bigl[U_{\ell'},Z'\bigr] + \varDelta \bigl[U_{S'_{i}},X'\bigr] + \varDelta \bigl[X',\bar {X}'\bigr]+ 1/2^{k} \\[6pt] &\leq& \varDelta \bigl[U_{\ell'},Z'\bigr] + \varDelta \bigl[U_{S'_{i}},X'\bigr] + 2/2^{k} & \bigl(\mbox{as $\varDelta \bigl[\bar{X'},X'\bigr]\leq1/2^{k}$}\bigr)\\[6pt] &\leq& \varDelta \bigl[U_{\ell'},\bar{Z'}\bigr] + \varDelta \bigl[\bar{Z'},Z'\bigr] + \varDelta \bigl[U_{S'_{i}},X'\bigr] + 2/2^{k} \\[6pt] &\leq& \varDelta \bigl[U_{\ell'},\bar{Z'}\bigr] + \varDelta \bigl[U_{S'_{i}},X'\bigr] + 3/2^{k} & \bigl(\mbox{as $\varDelta \bigl[\bar{Z'},Z'\bigr]\leq1/2^{k}$.}\bigr) \end{array} $$

The inequality (∗) holds because the only difference between Z′ and $\bar{Y}'$ is in the distribution of the element s′ input to f′⁻¹. We can characterise $\bar{Y}'$ as $f'^{-1}(i,\bar{X}')$ and Z′ as $f'^{-1}(i,U_{S'_{i}})$. Hence, $\varDelta [Z', \bar{Y}'] \leq \varDelta [\bar{X}',U_{S'_{i}}]$. We have already shown that $\varDelta [U_{S'_{i}},X']$ is negligible and so it suffices to bound $\varDelta [U_{\ell'},\bar{Z'}]$. In other words, it suffices to show that the distribution f′⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S'_{i}$ (conditioned on the fact that f′⁻¹ does not set $\mathit{bad\_finv}$ to be true) is statistically close to uniform.

In order to show that $\varDelta [U_{\ell'},\bar{Z}']$ is negligible, we compare the simulator f′⁻¹(i,s) to a perfect (non-polynomial-time) version $\hat{f}^{-1}(i,s)$:

Let $\hat{Z'}$ be the distribution of $\hat{f}^{-1}(i,s)$ for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S'_{i}$. We have

$$\varDelta \bigl[U_{\ell'},\bar{Z'}\bigr] \leq \varDelta \bigl[U_{\ell'},\hat{Z'}\bigr] + \varDelta \bigl[\hat {Z'},\bar{Z'}\bigr]. $$

We bound the term $\varDelta [\hat{Z'},\bar{Z'}]$ by noting that the only difference between the two distributions is in the distribution of the value $s'_{j}$. We can characterise $\bar{Z}'$ as $f'^{-1}(i,\bar{X}')$ conditioned on the fact that f′⁻¹ does not set the flag $\mathit {bad\_finv}$ to be true and $\hat{Z}'$ as $f'^{-1}(U_{S_{i} \setminus S'_{i}})$. In other words, we require that the distribution of $\bar{X}'$ on $S_{i} \setminus S'_{i}$ is sufficiently close to uniform. By an argument that is almost identical to the proof that S′ is statistically image-set simulatable, we have that these two distributions are statistically indistinguishable. Hence, $\varDelta [\hat {Z'},\bar{Z'}]$ is negligible.

It therefore only remains to prove that $\varDelta [U_{\ell'},\hat{Z'}]$ is negligible. In $\hat{Z'}$, each “block” $r'_{j}$ output by $\hat {f}^{-1}(i,s)$ is either uniformly randomly distributed or distributed as f ⁻¹(i,s) for $s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }S$ (i.e. distributed according to Z). (This is because Z outputs a random element of $S'_{i}$ with probability μ and a random element of $S_{i} \setminus S'_{i}$ with probability ν.) Therefore, we have that

$$\varDelta \bigl[U_{\ell'},\hat{Z'}\bigr] \leq kp(k) \varDelta [U_{\ell},Z] $$

which is negligible. Thus, S′ is statistically random-set simulatable. □

Note that the majority of groups used in cryptography (e.g. prime-order finite field groups and elliptic curve groups) can be shown to be subgroups of ℤ_p or $\mathbb{Z}_{p}^{2}$ which satisfy the conditions of Theorem 7.4. Hence, most cryptographic groups are statistically simulatable.

The Cramer–Shoup also requires the use of a target collision resistant hash function:

Definition 7.5

(TCR)

Consider a family of hash functions TCR _k:A _k→B _k. We define the TCR advantage of an attacker $\mathcal {A}$ as follows:

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny TCR}}(k) = \Pr\left[ \begin{array}{c} x\neq y \quad\wedge\\ \mathit {TCR}_{k}(x)=\mathit {TCR}_{k}(y) \end{array} \,:\, \begin{array}{c} x \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }A_{k}\\ y \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathcal {A}(1^{k},x) \end{array} \right]. $$

A hash function TCR is target collision resistant if every PPT attacker $\mathcal {A}$ has negligible advantage.

We will write TCR in place of TCR _k if the hash function family is implicit by context.

7.2 The Hybrid Cramer–Shoup Encryption Scheme

The hybrid Cramer–Shoup encryption scheme is defined on a group $\mathbb {G}$ of prime order q and with generator g ₁, and uses a target collision-resistant hash function $\mathit {TCR}: \mathbb {G}^{2} \rightarrow \mathbb {Z}_{q}$. The scheme was famously proven IND-CCA2 secure by Cramer and Shoup in 1998 [10]. We present the scheme as a KEM in Fig. 21. The scheme has a symmetric key-space $\mathbb {G}$ and so has to be used with a DEM with key-space $\mathbb {G}$. However, a DEM can with key space $\mathcal {K}$ can be converted into a DEM with key space $\mathbb {G}$ using a smooth hash function^{Footnote 4} $H: \mathbb {G}\rightarrow \mathcal {K}$.

In accordance with the strategy in Sect. 6.3, we prove that this KEM is PA1+ and simulatable. Recall that, according to Remark 6.4, we are only required to show that the KEM is simulatable for attackers which obtain a single challenge ciphertext. In order to evaluate the simulatability of the Cramer–Shoup KEM, we need to introduce a new definition of security (which is very similar to the IND-R notion of security for symmetric encryption schemes).^{Footnote 5} The IND-R security notion for a KEM is defined using the two games given in Fig. 22.

Definition 7.6

(IND-R-CCA2)

A KEM Π=(Gen,Encap,Decap) is IND-R-CCA2 secure if for every PPT attacker $\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})$ the advantage

$$\mathit {Adv}_{\mathrm {\mathcal {A}}}^{\texttt {\tiny IND-R}}(k) = \bigl|\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny IND-R-1}}=1\bigr]-\Pr\bigl[\textsc {Expt}_{\mathcal {A}}^{\texttt {\tiny IND-R-0}}=1\bigr]\bigr| $$

is negligible.

Cramer and Shoup (essentially) proved the following theorem [10]:

Theorem 7.7

(Cramer–Shoup)

Suppose the DDH problem is hard in the group $\mathbb {G}$ and the hash function TCR is target collision resistant. Then the Cramer–Shoup KEM is IND-R-CCA2 secure

There is a clear relationship between IND-R-CCA2 security and simulatability. A simple hybrid argument can show that the following:

Theorem 7.8

If a KEM Π is IND-R-CCA2 secure and both $\mathcal {C}$ and $\mathcal {K}$ are computationally simulatable as sets, then Π is simulatable (as a KEM).

Thus, we can easily conclude:

Corollary 7.9

If $\mathbb {G}$ is a group on which the DDH problem is hard and which is simulatable as a set, and TCR is target collision resistant, then the Cramer–Shoup KEM is simulatable (as a KEM).

Proof

Since $\mathbb {G}$ is computationally simulatable, we have that both $\mathcal {C}=\mathbb {G}^{3}$ and $\mathcal {K}=\mathbb {G}$ are computationally simulatable (by Lemma 4.2). Hence, by a combination of Theorem 7.7 and Theorem 7.8, we have that the Cramer–Shoup KEM is simulatable. □

7.3 The Cramer–Shoup KEM is PA1+ Plaintext Aware

The proof that the Cramer–Shoup KEM is simulatable is heavily based on the proof that it is IND-CCA2 secure. We introduce new techniques to prove that the Cramer–Shoup KEM is PA1+.^{Footnote 6}

Theorem 7.10

Suppose $\mathbb {G}$ is a statistically simulatable group on which the DHK assumption holds. Then the Cramer–Shoup KEM is PA1+ plaintext aware.

Proof

Let (Gf,Gf ⁻¹,ℓ) be a simulator for the group $\mathbb {G}$. Let $\mathcal {A}$ be an arbitrary PPT PA1+ ciphertext creator. We define a DHK attacker $\mathcal {B}$ in Fig. 23. Since the DHK assumption holds on $\mathbb {G}$, there exists a DHK extractor $\mathcal {B}^{*}$ for $\mathcal {B}$, and we use this to define a plaintext extractor $\mathcal {A}^{*}$ in Fig. 23. One of the key points about the plaintext extractor $\mathcal {A}^{*}$ is that for every ciphertext C submitted to the decryption oracle, the plaintext extractor runs the DHK extractor $\mathcal {B}^{*}$ from scratch over all of the ciphertexts submitted to the decryption oracle up to this point. This is to cope with fact that the plaintext extractor $\mathcal {A}^{*}$ is forced to guess the results of future randomness oracle queries RList′; if the DHK extractor $\mathcal {B}^{*}$ is run as a stateful algorithm in the obvious way (with one execution of $\mathcal {B}^{*}$ for each execution of $\mathcal {A}^{*}$) then we cannot argue that $\mathcal {B}^{*}$’s responses are correct since the list of random coins RList′ generated in the previous execution is unlikely to be correct. Thus, the proof of this theorem revolves centrally around an argument that $\mathcal {B}^{*}$’s responses are identical when it is repeatedly run on the same ciphertexts in different executions of the plaintext extractor $\mathcal {A}^{*}$ (and therefore when it potentially has different internal states).

Let D be an arbitrary polynomial-time distinguisher algorithm and W _i be the event that D(x) outputs 1 in game G _i.

Game G ₁: G ₁ is the $\textsc {Expt}_{\mathcal {A},\mathcal {A}^{*},D}^{\texttt {\tiny FAKE-PA1+}}$ game.

Game G ₂: Note that the group elements e,f,h are uniformly distributed in $\mathbb {G}$ in G ₁. In G ₂ these elements are generated by choosing $\tilde{r}_{e},\tilde{r}_{f},\tilde{r}_{h} \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell}$ and setting $e\gets \mathit {Gf}(\tilde{r}_{e})$, $f\gets \mathit {Gf}(\tilde{r}_{f})$, and $h\gets \mathit {Gf}(\tilde{r}_{h})$. This is a distributional game hopping step (see Appendix A). Let U be the uniform distribution on $\mathbb {G}$ and Y be the distribution of $\mathit {Gf}(\tilde{r})$ for $\tilde{r}\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\}^{\ell}$. So |Pr[W ₂]−Pr[W ₁]|≤3Δ[U,Y] which is negligible by the assumption that $\mathbb {G}$ is statistically simulatable.

Game G ₃: Note that in G ₂ the plaintext extractor $\mathcal {A}^{*}$ re-computes the values r _e,r _f,r _h as $\mathit {Gf}^{-1}(\mathit {Gf}(\tilde{r}_{e})), \mathit {Gf}^{-1}(\mathit {Gf}(\tilde{r}_{f})), \mathit {Gf}^{-1}(\mathit {Gf}(\tilde {r}_{h}))$. G ₃ alters $\mathcal {A}^{*}$ to use the values $\tilde{r}_{e}, \tilde{r}_{f}, \tilde{r}_{h}$ that were introduced in G ₂ as part of the key generation process. This is a distributional game hopping step. Let U be the uniform distribution on {0,1}^ℓ and let Y be the distribution of Gf ⁻¹(Gf(r)) for $r\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\{0,1\} ^{\ell }$. So |Pr[W ₃]−Pr[W ₂]|≤3Δ[U,Y] which is negligible by the assumption that $\mathbb {G}$ is statistically simulatable.

Game G ₄: G ₄ responds to decryption oracle using the plaintext extractor $\mathcal {A}^{*}_{4}$ rather than $\mathcal {A}^{*}$. $\mathcal {A}^{*}_{4}$ is almost identical to $\mathcal {A}^{*}$ except that it no longer uses $\mathcal {B}^{*}$ but instead uses computes the Diffie–Hellman value r exactly (even though this makes a $\mathcal {A}^{*}_{4}$ a non-polynomial-time algorithm). The complete description is given in Fig. 24.

Let E be the event that the decryption oracle returns a different response in G ₃ and G ₄ and let E _i be the event that this first occurs on the ith decryption oracle query. Suppose that the ith decryption oracle query occurs on a ciphertext (c ₁,c ₂,π). If (g ₁,g ₂,c ₁,c ₂) is not a Diffie–Hellman tuple, then the decryption oracle will return ⊥ in G ₃ and G ₄. Hence, E _i only occurs if $\mathcal {A}$ submits a ciphertext to the decryption oracle for which (g ₁,g ₂,c ₁,c ₂) is a valid Diffie–Hellman tuple but for which $\mathcal {A}^{*}$ fails to compute a value r _i such that $c_{1}=g_{1}^{r_{i}}$ and $c_{2}=g_{2}^{r_{i}}$.

We will bound Pr[E _i]. Consider the ith decryption oracle query. $\mathcal {A}^{*}$ computes r _i by simulating an execution of the DHK game using $\mathcal {B}$ and $\mathcal {B}^{*}$ for i DHK oracle queries. This simulation doesn’t actually run $\mathcal {B}$ but supplies $\mathcal {B}^{*}$ with the ciphertexts that $\mathcal {B}$ would have computed using DList. Within this execution, let $E'_{j}$ be the event that $\mathcal {B}^{*}$ fails to determine the correct value $\tilde{r}_{j}$ when queried with the jth ciphtertext (i.e. the jth DHK oracle query is a pair (c ₁,c ₂) such that $c_{1}=g_{1}^{r}$ and $c_{2}=g_{2}^{r}$ but $\mathcal {B}^{*}$ fails to return the correct value of r).

If any $E'_{j}$ occurs, with 1≤j<i, then we cannot determine whether $\mathcal {B}^{*}$ will correctly determine the value r _i that $\mathcal {A}^{*}$ requires. This is because the internal state of $\mathcal {B}^{*}$ would be consistent with an execution of $\mathcal {B}$ which computed an incorrect decryption of the jth ciphertext. Hence, the list of ciphertexts DList may be inconsistent with the ciphertexts output by the algorithm $\mathcal {B}$ that $\mathcal {A}^{*}$ is trying to simulate. (Recall that E _i represents the first time the decryption oracle incorrectly decrypts a ciphertext; hence, all previous ciphertexts must have been decrypted correctly.)
If $E'_{i}$ occurs, then the value r _i computed by $\mathcal {A}^{*}$ is incorrect by the definition of $E'_{i}$.

Thus, we can conclude

$$\Pr[E_{i}] \leq\Pr\bigl[E'_{1} \vee E'_{2} \vee\cdots\vee E'_{i-1} \vee E'_{i}\bigr]. $$

However, by the definition of the DHK game, this value is bounded by $\mathit {Adv}_{\mathrm {\mathcal {B},\mathcal {B}^{*}}}^{\texttt {\tiny DHK}}(k)$. Thus, $\Pr[E_{i}]\leq \mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*}}}^{\texttt {\tiny DHK}}(k)$ and so $|{\Pr}[W_{4}]-\Pr[W_{3}]| \leq\Pr[E] \leq q_{D} \mathit {Adv}_{\mathrm {\mathcal {A},\mathcal {A}^{*}}}^{\texttt {\tiny DHK}}(k)$ which is negligible.

Game G ₅: Game G ₅ changes the distribution of e,f,h so that they are generated as $e,f,h \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathbb {G}$ rather than by using Gf. This “undoes” the change made in G ₂ and by the same argument we have that |Pr[W ₅]−Pr[W ₄]| is negligible since $\mathbb {G}$ is statistically image-set simulatable. (Note that we require statistical image-set simulatability here as the extractor is not polynomial-time and so there is no guarantee that computational image-set simulatability would suffice.) We do not have to “undo” the change made in G ₃ since $\mathcal {A}^{*}_{4}$ does not make use of the elements r _e,r _f,r _h.

Game G ₆: G ₆ changes the distribution of g ₂,e,f,h and uses the plaintext extractor $\mathcal {A}^{*}_{6}$ given in Fig. 24. The elements g ₂,e,f,h are computed by selecting $w,x,y,z \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathbb {Z}_{q}$ and setting $g_{2} \gets g_{1}^{w},\allowbreak e\gets g_{1}^{x},\allowbreak f\gets g_{1}^{y},\allowbreak h\gets g_{1}^{z}$. Obviously, this doesn’t change their distribution, so we concentrate on showing that the action of $\mathcal {A}^{*}_{6}$ is identical to the action of $\mathcal {A}^{*}_{4}$ used in G ₅. However, this can trivially be seen to be true by noting that $c_{2}=c_{1}^{w}$ if and only if there exist an r such that $c_{1}=g_{1}^{r}$ and $c_{2}=g_{2}^{r}$, and that if $c_{1}=g_{1}^{r}$ then $e^{rt}f^{r} = c_{1}^{xt}c_{1}^{y}$ and $h^{r}=c_{1}^{z}$. Thus, Pr[W ₆]=Pr[W ₅].

But an examination of $\mathcal {A}^{*}_{6}$ shows that it is functionally identical to the real decryption algorithm $\mathcal {D}(\mathit {sk}, \cdot)$. Thus, the event W ₆ is equivalent to the event $\textsc {Expt}_{\mathcal {A},D}^{\texttt {\tiny REAL-PA1+}}=1$. And so, $\mathit {Adv}_{\mathrm {\mathcal {A},D}}^{\texttt {\tiny PA1+}}(k)\leq|{\Pr}[W_{1}]-\Pr[W_{6}]|$ is negligible and so the Cramer–Shoup KEM is PA1+. □

Corollary 7.11

Suppose $\mathbb {G}$ is a statistically simulatable group on which both the DDH problem is hard and the DHK assumption holds, and that TCR is a target collision resistant hash function. Then the Cramer–Shoup KEM is PA2 plaintext aware.

Therefore, we have that the hybrid Cramer–Shoup encryption scheme (with $\mathcal {M}=\{0,1\}^{n}$) is PA2 plaintext aware. (Recall that the condition that $\mathcal {M}= \{0,1\}^{n}$ is required in order to prove that the DEM is simulatable.)

8 Conclusions and Open Problems

This paper gave the first proof strategy for proving PA2 plaintext awareness and used this strategy to prove that the hybrid Cramer–Shoup encryption scheme is PA2 plaintext aware. At the heart of this strategy are the notions of simulatability and PA1+ plaintext awareness. Both are strong requirements: a scheme which is simulatable is necessarily IND-CCA2 secure and a proof of PA1+ plaintext awareness seems to require strong extractor assumptions like the Diffie–Hellman Knowledge (DHK) assumption. Nevertheless, the fact that PA2 plaintext aware encryption schemes can be proven to exist at all is theoretically interesting and the fact that the Cramer–Shoup encryption scheme is PA2 plaintext aware gives some explanation as why the scheme achieves IND-CCA2 security. The approach demonstrated here has been used to show that all Cramer–Shoup hash-proof encryption schemes [7] and Kurosawa–Desmedt hash-proof encryption schemes [7, 19] are also plaintext aware (under certain extractor-based assumptions).

There are many open problems in this area. The most important ones are:

Is it possible to show any other schemes are plaintext aware? All the schemes that are currently known to be PA2 plaintext aware are of the “hash-proof” variety. It would be interesting to see if any other schemes could achieve this level of security.
Is it possible to use plaintext-aware encryption to reason about protocols and attack strategies? This approach was taken in the work of Di Raimondo, Gennaro and Krawczyk [13] and Ventre and Visconti [30], but it may be useful in other scenarios, e.g. in the analysis of protocols using formal methods.
Is it possible to develop a strategy for proving PA2 plaintext awareness that does not rely on simulatable encryption schemes? Since one of the major motivations for the study of plaintext-aware encryption is its use in proving IND-CCA2 security, the reliance of the strategy on simulatable encryption schemes, which are already necessarily IND-CCA2 secure, is a disadvantage.
Is it possible to prove that a scheme is PA1/PA2 plaintext aware without the use of an extractor-based assumption like the DHK assumption? Alternatively, can it be shown that plaintext awareness cannot be proven under any non-interactive assumption?

It is also interesting to examine other ways in which the extraction methodology can be applied. One interesting extension is the concept of secret-key awareness, which moves the knowledge assumption from the ciphertext to the public key, i.e. a scheme is secret-key aware if it is infeasible for any PPT algorithm to create a public key without “knowing” the underlying private key [1]. This has applications to proving complete non-malleability [15] and may have applications towards protocol analysis.

Notes

This paper presents, extends, and corrects errors in [12] and [8].
The original version of this result [8] claimed that plaintext awareness with respect to a single plaintext creator $\mathcal {P}_{I}$, which chooses a random bit b and then consistently outputs m _b when given α=(m ₀,m ₁), was sufficient to prove IND-CCA2 security. We called this property PA2I plaintext awareness. Sadly, this result is not correct. We will sketch a counter-example here. Suppose $\varPi=(\mathcal {G},\mathcal {E},\mathcal {D})$ is IND-CCA2 secure and PA2I plaintext aware. Let $\varPi'=(\mathcal {G},\mathcal {E}',\mathcal {D}')$ be the encryption scheme with $\mathcal {E}'(\mathit {pk},m)=0\|\mathcal {E}(\mathit {pk},m)$ and $\mathcal {D}'(\mathit {sk},\delta \|C)=\mathcal {D}(\mathit {sk},C)$ for any δ∈{0,1}. This scheme is IND-CPA secure but not IND-CCA2 secure. We claim that this scheme is still PA2I plaintext aware. We may build a plaintext extractor $\mathcal {A}^{*}$ for a ciphertext creator $\mathcal {A}$ working against Π′ by noting two properties of the scheme. (a) Since Π is PA2I there exists a plaintext extractor which can decrypt all decryption queries of the form δ∥C where 0∥C∉CList. (b) If $\mathcal {A}$ requests the decryption of 1∥C where 0∥C∈CList then the correct response must be either m ₀ or m ₁, which can be determined by observing the original encryption oracle query. Furthermore, since Π is IND-CCA2 secure, no algorithm can distinguish between the case where $\mathcal {A}^{*}$ returns the correct decryption of 1∥C and the case where $\mathcal {A}^{*}$ returns the message m _d (for some value d which was randomly chosen by $\mathcal {A}^{*}$ during its first execution). Thus Π′ is IND-CPA secure and PA2I plaintext aware, but not IND-CCA2 secure, which contradicts the claimed result of [8].
This is also sometimes known as the Knowledge-of-Exponent assumption (KEA).
A smooth hash function has the property that the distribution of H(x), for $x\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }\mathbb {G}$, is computationally indistinguishable from the uniform distribution on $\mathcal {K}$
The original proof that the Cramer–Shoup encryption scheme is simulatable [12] has a (minor) flaw. The proof does not “reset” the decryption oracle to its correct operation at the end of proof. This presentation sidesteps the issue by using a simplified proof.
The original proof of this result claimed that it was sufficient for the group $\mathbb {G}$ to be computationally simulatable. This is incorrect: we require that the group $\mathbb {G}$ is statistically simulatable. This error is relatively minor in practice as all the common groups which are used for cryptography are statistically simulatable (see Sect. 7.1). The original proof also failed to deal effectively with the differences in the way that the DHK extractor $\mathcal {B}^{*}$ and the PA1+ plaintext extractor $\mathcal {A}^{*}$ handle the random inputs of their respective underlying algorithms $\mathcal {B}$ and $\mathcal {A}$. The DHK extractor $\mathcal {B}^{*}$ requires all random bits of $\mathcal {B}$ to be known in advance, while the PA1+ extractor $\mathcal {A}^{*}$ must allow for the possibility that fresh random bits will be generated by $\mathcal {A}$ after $\mathcal {A}^{*}$’s execution.

References

M. Barbosa, P. Farshim, Strong knowledge extractors for public-key encryption schemes, in Australasian Conference on Information Security and Privacy—ACISP 2010, ed. by P. Hawkes, R. Steinfeld. Lecture Notes in Computer Science, vol. 6168 (Springer, Berlin, 2010), pp. 164–181
Google Scholar
M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in Advances in Cryptology—Asiacrypt 2004, ed. by P.J. Lee. Lecture Notes in Computer Science, vol. 3329 (Springer, Berlin, 2004), pp. 48–62
Google Scholar
M. Bellare, P. Rogaway, Optimal asymmetric encryption, in Advances in Cryptology—Eurocrypt ’94, ed. by A. De Santis. Lecture Notes in Computer Science, vol. 950 (Springer, Berlin, 1994), pp. 92–111
Google Scholar
M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—Eurocrypt 2006, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
Google Scholar
M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in Foundations of Computer Science—FOCS 1997 (IEEE Computer Society, Los Alamitos, 1997), pp. 394–403
Google Scholar
M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in Advances in Cryptology—Crypto 1998, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 26–45
Google Scholar
J. Birkett, On plaintext-aware public-key encryption schemes. PhD thesis, Royal Holloway, University of London, 2010
J. Birkett, A.W. Dent, Relations among notions of plaintext awareness, in Public Key Cryptography—PKC 2008, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 4939 (Springer, Berlin, 2008), pp. 47–65
Chapter Google Scholar
J.L. Carter, M.N. Wegman, New classes and applications of hash functions, in Foundations of Computer Science—FOCS 1979 (IEEE Computer Society, Los Alamitos, 1979), pp. 175–182
Google Scholar
R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2004)
Article MathSciNet Google Scholar
I.B. Damgård, Towards practical public key systems secure against chosen ciphertext attacks, in Advances in Cryptology—Crypto ’91, ed. by J. Feigenbaum. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1991), pp. 445–456
Google Scholar
A.W. Dent, The Cramer-Shoup encryption scheme is plaintext aware in the standard model, in Advances in Cryptology—Eurocrypt 2006, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 289–307
Google Scholar
M. Di Raimondo, R. Gennaro, H. Krawczyk, Deniable authentication and key exchange, in ACM Conference on Computer and Communications Security—ACM CCS ’06 (ACM, New York, 2006), pp. 400–409
Chapter Google Scholar
U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)
Article MATH MathSciNet Google Scholar
M. Fischlin, Completely non-malleable schemes, in Automata, Languages and Programming—ICALP 2005, ed. by L. Caires, G.F. Italiano, L. Monteiro, C. Palamidessi, M. Yung. Lecture Notes in Computer Science, vol. 3580 (Springer, Berlin, 2005), pp. 779–790
Chapter Google Scholar
S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)
Article MATH MathSciNet Google Scholar
S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Article MATH MathSciNet Google Scholar
J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 18(1), 1364–1396 (1999)
Article Google Scholar
S. Jiang, H. Wang, Plaintext-awareness of hybrid encryption, in Topics in Cryptology—CT-RSA 2010, ed. by J. Pieprzyk. Lecture Notes in Computer Science, vol. 5985 (Springer, Berlin, 2010), pp. 57–72
Chapter Google Scholar
K. Kurosawa, Y. Desmedt, A new paradigm of hybrid encryption scheme, in Advances in Cryptology—Crypto 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 426–442
Chapter Google Scholar
M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in Proc. 22nd ACM Symposium on the Theory of Computing—STOC ’90 (ACM, New York, 1990), pp. 427–437
Google Scholar
E. Petrank, C. Rackoff, CBC MAC for real-time data sources. J. Cryptol. 13(3), 315–339 (2000)
Article MATH MathSciNet Google Scholar
C. Rackoff, D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology—Crypto ’91, ed. by J. Feigenbaum. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1991), pp. 434–444
Google Scholar
P. Rogaway, M. Bellare, J. Black, T. Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption, in ACM Conference on Computer and Communications Security—ACM CCS ’01 (ACM, New York, 2001), pp. 196–205
Google Scholar
V. Shoup, Using hash functions as a hedge against chosen ciphertext attack, in Advances in Cryptology—Eurocrypt 2000, ed. by B. Preneel. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 275–288
Google Scholar
V. Shoup, Sequences of games: a tool for taming complexity in security proofs. Available from http://eprint.iacr.org/2004/332, 2004
V. Shoup, A Computational Introduction to Number Theory and Algebra (Cambridge University Press, Cambridge, 2005)
Book MATH Google Scholar
M. Stam, Personal e-mail correspondence, 2005
I. Teranishi, W. Ogata, Relationship between standard model plaintext awareness and message hiding, in Advances in Cryptology—Asiacrypt 2006, ed. by X. Lai, K. Chen. Lecture Notes in Computer Science, vol. 4284 (Springer, Berlin, 2006), pp. 226–240
Google Scholar
C. Ventre, I. Visconti, 2-round extractable commitments: definitions, constructions and applications in the plain model. Unpublished manuscript, 2010

Download references

Acknowledgements

The majority of research for this paper was performed while both authors were members of the Information Security Group at Royal Holloway, University of London. The authors would like to thank the referees of Eurocrypt 2006, PKC 2008 and the Journal of Cryptology for their helpful comments. The authors would also like to thank Martijn Stam and Nigel Smart for their detailed and insightful comments.

Author information

Authors and Affiliations

Information Security Group, Royal Holloway, University of London, London, UK
James Birkett
Qualcomm Research, Qualcomm Technologies Inc., San Diego, USA
Alexander W. Dent

Authors

James Birkett
View author publications
You can also search for this author in PubMed Google Scholar
Alexander W. Dent
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander W. Dent.

Additional information

Communicated by Phillip Rogaway

Appendix A. Game Hopping

Game hopping is a proof technique that involves adapting the environment in which an attacker runs until it is clear that an attacker has a negligible change of “winning”. Every time the environment (game) is changed, the proof has to show that the attacker does not have a significantly greater probability of winning in the second game than in the first—i.e. that the “game hop” does not significantly increase the attacker’s chance of winning. Hence, the main game hopping proof techniques involve showing that an attacker’s output is practical identical when running in two similar environments. We will often make use of game hopping techniques when working with statistically similar distributions, hence we begin by proving a few simple lemmas:

Lemma A.1

Let X, Y, Z be distributions over some common finite set S. Then Δ[X,Z]≤Δ[X,Y]+Δ[Y,Z]. Furthermore, if $\mathcal {A}$ is any (possibly probabilistic) algorithm, then $\varDelta [\mathcal {A}(X),\mathcal {A}(Y)] \leq \varDelta [X,Y]$.

A proof of these facts can be found in, for example, Shoup [27]. We restate the difference lemma [26] in terms of statistical distance:

Lemma A.2

Suppose that X is the random variable describing the output of a randomised algorithm $\mathcal {A}$ (on a finite set). Let E be some event that may occur during $\mathcal {A}$ ’s execution. Let Y be the random variable which describes the output of $\mathcal {A}$ given that E does not occur (i.e. Pr[Y=s]=Pr[X=s | ¬E]). Then Δ[X,Y]≤Pr[E].

Proof

The result follows from a simple probability calculation:

□

The computational distance between families of distributions X _k and Y _k for an algorithm $\mathcal {A}$ is

$$\mathit{dist}_{\mathcal {A}}^{X,Y}(k) = \bigl|{\Pr}\bigl[\mathcal {A}(s)=1 \,:\, s \stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }X_{k}\bigr] - \Pr\bigl[\mathcal {A}(s)=1 \,:\, s\stackrel {{\hspace {1pt}\scriptscriptstyle \$}}{\gets }Y_{k} \bigr]\bigr|. $$

X _k and Y _k are computationally indistinguishable if $\mathit {dist}_{\mathcal {A}}^{X,Y}(k)$ is negligible for all probabilistic polynomial-time algorithms $\mathcal {A}$.

A game G describes the distributions of a series of inputs to an algorithm $\mathcal {A}$ and a “win condition” for that algorithm. Let W _i denote the event that $\mathcal {A}$ achieves the win condition. A game hop is relationship between the probability that $\mathcal {A}$ wins game G ₀ and game G ₁. We make use of three type of game hop:

1.
Bridging Steps: The distribution of inputs to $\mathcal {A}$ in G ₀ and G ₁ are identical (although the inputs may be generated in a different way). Thus, Pr[W ₀]=Pr[W ₁].
2.
Distributional Steps: If the only difference between G ₀ and G ₁ is that an input s to $\mathcal {A}$ is drawn from distribution X in G ₀ and from distribution Y in G ₁, then
$$\bigl|\Pr[W_{0}]-\Pr[W_{1}]\bigr| \leq \varDelta [X,Y]. $$
Furthermore, if $\mathcal {A}$ is a probabilistic, polynomial-time (PPT) algorithm, and W ₀ and W ₁ are polynomial-time decidable events, then
$$\bigl|\Pr[W_{0}]-\Pr[W_{1}]\bigr| \leq\mathit{dist}_{\mathcal {A}}^{X,Y}(k). $$
3.
Small Error Steps: If G ₀ and G ₁ proceed identically unless some event E occurs, then
$$\bigl|\Pr[W_{0}]-\Pr[W_{1}]\bigr|\leq\Pr[E]. $$

The reader is referred to Bellare and Rogaway [4] and Shoup [26] for more information.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Birkett, J., Dent, A.W. Security Models and Proof Strategies for Plaintext-Aware Encryption. J Cryptol 27, 139–180 (2014). https://doi.org/10.1007/s00145-012-9141-6

Download citation

Received: 01 August 2010
Published: 09 January 2013
Issue Date: January 2014
DOI: https://doi.org/10.1007/s00145-012-9141-6

Key words

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Security Models and Proof Strategies for Plaintext-Aware Encryption

Abstract

Similar content being viewed by others

How to Securely Release Unverified Plaintext in Authenticated Encryption

A conceptually simple and generic construction of plaintext checkable encryption in the standard model

Combiners for Chosen-Ciphertext Security

1 Introduction

Models for Plaintext Awareness

Our Contribution

Related Work

2 Preliminaries

3 Relations Between Notions of Plaintext Awareness

3.1 The Bellare–Palacio Notions of Plaintext Awareness

Definition 3.1

Definition 3.2

Theorem 3.3

Theorem 3.4

Corollary 3.5

Proof

3.2 PA1+ Plaintext Awareness

Definition 3.6

Interpreting the Difference Between PA1 and PA1+

3.3 Simplifying PA2 Plaintext Awareness

Definition 3.7

Theorem 3.8

Proof

Corollary 3.9

Proof

3.4 Relations between Notions of Plaintext Awareness

Definition 3.10

Definition 3.11

Lemma 3.12

Lemma 3.13

Theorem 3.14

Proof

Corollary 3.15

Proof

4 Simulatable Sets and Algorithms

Definition 4.1

Lemma 4.2

Definition 4.3

Lemma 4.4

Sketch Proof

5 A Strategy for Proving PA2 Plaintext Awareness

Theorem 5.1

Proof

6 Extending the PA2 Proof Strategy to Hybrid Encryption Schemes

6.1 Hybrid Encryption Using KEMs and DEMs

6.2 Simulatable KEMS and DEMs

Definition 6.1

Definition 6.2

Lemma 6.3

Remark 6.4

6.3 Proving PA2 Plaintext Awareness for Hybrid Encryption

Definition 6.5

Lemma 6.6

Proof

7 The Cramer–Shoup Encryption Scheme

7.1 Assumptions

Definition 7.1

Definition 7.2

Lemma 7.3

Image-Set Simulatable Proof

Random-Set Simulatable Proof

Lemma 7.4

Image-Set Simulatable Proof

Random-Set Simulatable Proof

Definition 7.5

7.2 The Hybrid Cramer–Shoup Encryption Scheme

Definition 7.6

Theorem 7.7

Theorem 7.8

Corollary 7.9

Proof

7.3 The Cramer–Shoup KEM is PA1+ Plaintext Aware

Theorem 7.10

Proof

Corollary 7.11

8 Conclusions and Open Problems

Notes