Despite the fact that industry continues to rate confidentiality protection as the least important security goal for a commercial organisation, the cryptographic community has a fascination with developing new encryption technologies. It often seems that the majority of advances in general cryptologic theory are a result of research designed to improve our ability to transmit messages confidentially.
The development of security models is a good example of this phenomenon. The earliest attempts to produce cryptographic schemes with some provable security guarantees centred on encryption technologies (Shannon 1949; Rabin 1979). The modern security model for confidentiality dates back to the early eighties (Goldwasser–Micali 1982; Goldwasser–Micali 1984), when the notion of indistinguishability under chosen plaintext attacks (IND-CPA) was proposed. This was followed by the more advanced notions of IND-CCA1 security (Naor–Yung 1990) and IND-CCA2 security (Rackoff–Simon 1991), which are now so ubiquitous that they are often applied to new cryptographic primitives without thought. Many people have forgotten that the elegant notion of IND-CCA2 security is a simplification of the much more complex notion of
In this invited talk, we’ll consider the bedrock of cryptographic confidentiality: the notion of IND-CCA2 security. We’ll show by a series of examples that the simplifications that can be obtained in deriving the indistinguishability security notion from the semantic security notion for public key encryption can’t always be derived for other types of public-key cryptography. For example,
The IND-CCA2 model for public-key encryption only considers a single user (public key), whereas the security model for a signcryption scheme must consider multiple users.
The IND-CCA2 model for public-key encryption only considers attacks against a single (challenge) ciphertext, whereas the security model for deterministic encryption must consider attacks against multiple (challenge) ciphertexts.
The IND-CCA2 model for public-key encryption only considers an attacker that is trying to determine some information about a message of some known length, whereas some results in plaintext awareness require the attacker be unable to determine any information about a message of an unknown length.
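As an added illustration (not part of the talk abstract itself), the standard single-user, single-challenge IND-CCA2 experiment for a public-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is written out below so that the three restrictions listed above can be seen as specific lines of the game; the notation is assumed, not taken from the page.

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{ind\text{-}cca2}\text{-}b}_{\Pi,\mathcal{A}}(1^k):\\
\quad (pk, sk) \leftarrow \mathsf{Gen}(1^k) \qquad \text{(one key pair, i.e. a single user)}\\
\quad (m_0, m_1, \mathit{st}) \leftarrow \mathcal{A}_1^{\mathsf{Dec}(sk,\cdot)}(pk) \qquad \text{with } |m_0| = |m_1| \text{ (the message length is known to } \mathcal{A})\\
\quad c^* \leftarrow \mathsf{Enc}(pk, m_b) \qquad \text{(a single challenge ciphertext)}\\
\quad b' \leftarrow \mathcal{A}_2^{\mathsf{Dec}(sk,\cdot)}(c^*, \mathit{st}) \qquad \text{where } \mathcal{A}_2 \text{ may not query } \mathsf{Dec}(sk, c^*)\\
\quad \text{return } b'
\end{array}
$$

$$
\mathbf{Adv}^{\mathrm{ind\text{-}cca2}}_{\Pi,\mathcal{A}}(k) = \Big| \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cca2}\text{-}1}_{\Pi,\mathcal{A}}(1^k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}cca2}\text{-}0}_{\Pi,\mathcal{A}}(1^k) = 1\big] \Big|
$$

Each generalisation in the list above relaxes one bracketed line: the signcryption model replaces the single key pair with many users' keys, the deterministic-encryption model hands $\mathcal{A}$ several challenge ciphertexts rather than one $c^*$, and the plaintext-awareness results drop the $|m_0| = |m_1|$ condition so that even the message length is hidden.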
Our ultimate aim will be to define a general model and set of rules for deriving a security notion for confidentiality for an arbitrary public-key primitive.