Chosen-ciphertext security of multiple encryption

Yevgeniy Dodis, Jonathan Katz

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Encryption of data using multiple, independent encryption schemes ("multiple encryption") has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosen-plaintext attacks, and has shown constructions secure in this sense based on the chosen-plaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosen-ciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosen-ciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosen-ciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identity-based encryption scheme secure against selective-identity chosen plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes.

Original languageEnglish (US)
Title of host publicationLecture Notes in Computer Science
EditorsJ. Kilian
Pages188-209
Number of pages22
Volume3378
StatePublished - 2005
EventSecond Theory of Cryptography Conference, TCC 2005 - Cambridge, MA, United States
Duration: Feb 10 2005Feb 12 2005

Other

OtherSecond Theory of Cryptography Conference, TCC 2005
Country/TerritoryUnited States
CityCambridge, MA
Period2/10/052/12/05

ASJC Scopus subject areas

  • Computer Science (miscellaneous)

Fingerprint

Dive into the research topics of 'Chosen-ciphertext security of multiple encryption'. Together they form a unique fingerprint.

Cite this