2014 | OriginalPaper | Buchkapitel
Standard versus Selective Opening Security: Separation and Equivalence Results
verfasst von : Dennis Hofheinz, Andy Rupp
Erschienen in: Theory of Cryptography
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
Suppose many messages are encrypted using a public-key encryption scheme. Imagine an adversary that may adaptively ask for openings of some of the ciphertexts. Selective opening (SO) security requires that the
unopened
ciphertexts remain secure, in the sense that this adversary cannot derive any nontrivial information about the messages in the unopened ciphertexts.
Surprisingly, the question whether SO security is already implied by standard security notions has proved highly nontrivial. Only recently, Bellare, Dowsley, Waters, and Yilek (Eurocrypt 2012) could show that a strong form of SO security,
simulation-based
SO security, is not implied by standard security notions. It remains wide open, though, whether the potentially weaker (and in fact comparatively easily achievable) form of
indistinguishability-based
SO (i.e., IND-SO) security is implied by standard security. Here, we give (full and partial) answers to this question, depending on whether active or passive attacks are considered.
Concretely, we show that:
(a) For active (i.e., chosen-ciphertext) security, standard security does
not
imply IND-SO security. Concretely, we give a scheme that is IND-CCA, but not IND-SO-CCA secure.
(b) In the case of passive (i.e., chosen-plaintext) security, standard security
does
imply IND-SO security, at least in a generic model of computation and for a large class of encryption schemes. (Our separating scheme from (a) falls into this class of schemes.)
Our results show that the answer to the question whether standard security implies SO security highly depends on the concrete setting.