Non-malleable encryption: Simpler, shorter, stronger

Sandro Coretti; Yevgeniy Dodis; Björn Tackmann; Daniele Venturi

doi:10.1007/978-3-662-49096-9_13

Non-malleable encryption: Simpler, shorter, stronger

Sandro Coretti, Yevgeniy Dodis, Björn Tackmann, Daniele Venturi

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ²) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “encode-then-encrypt-bit-by-bit” approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results—(faster) construction from IND-CPA and domain extension from one-bit scheme—also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.

Original language	English (US)
Title of host publication	Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings
Editors	Eyal Kushilevitz, Tal Malkin
Publisher	Springer Verlag
Pages	306-335
Number of pages	30
ISBN (Print)	9783662490952
DOIs	https://doi.org/10.1007/978-3-662-49096-9_13
State	Published - 2016
Event	13th International Conference on Theory of Cryptography, TCC 2016 - Tel Aviv, Israel Duration: Jan 10 2016 → Jan 13 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9562
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	13th International Conference on Theory of Cryptography, TCC 2016
Country/Territory	Israel
City	Tel Aviv
Period	1/10/16 → 1/13/16

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-662-49096-9_13

Cite this

Coretti, S., Dodis, Y., Tackmann, B., & Venturi, D. (2016). Non-malleable encryption: Simpler, shorter, stronger. In E. Kushilevitz, & T. Malkin (Eds.), Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings (pp. 306-335). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9562). Springer Verlag. https://doi.org/10.1007/978-3-662-49096-9_13

Non-malleable encryption: Simpler, shorter, stronger. / Coretti, Sandro; Dodis, Yevgeniy; Tackmann, Björn et al.
Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings. ed. / Eyal Kushilevitz; Tal Malkin. Springer Verlag, 2016. p. 306-335 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9562).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Coretti, S, Dodis, Y, Tackmann, B & Venturi, D 2016, Non-malleable encryption: Simpler, shorter, stronger. in E Kushilevitz & T Malkin (eds), Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9562, Springer Verlag, pp. 306-335, 13th International Conference on Theory of Cryptography, TCC 2016, Tel Aviv, Israel, 1/10/16. https://doi.org/10.1007/978-3-662-49096-9_13

Coretti S, Dodis Y, Tackmann B, Venturi D. Non-malleable encryption: Simpler, shorter, stronger. In Kushilevitz E, Malkin T, editors, Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings. Springer Verlag. 2016. p. 306-335. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-662-49096-9_13

Coretti, Sandro ; Dodis, Yevgeniy ; Tackmann, Björn et al. / Non-malleable encryption : Simpler, shorter, stronger. Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings. editor / Eyal Kushilevitz ; Tal Malkin. Springer Verlag, 2016. pp. 306-335 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{19711a7e178f497499ef27e974f7e4a9,

title = "Non-malleable encryption: Simpler, shorter, stronger",

abstract = "In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ2) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “encode-then-encrypt-bit-by-bit” approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results—(faster) construction from IND-CPA and domain extension from one-bit scheme—also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.",

author = "Sandro Coretti and Yevgeniy Dodis and Bj{\"o}rn Tackmann and Daniele Venturi",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2016.; 13th International Conference on Theory of Cryptography, TCC 2016 ; Conference date: 10-01-2016 Through 13-01-2016",

year = "2016",

doi = "10.1007/978-3-662-49096-9_13",

language = "English (US)",

isbn = "9783662490952",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "306--335",

editor = "Eyal Kushilevitz and Tal Malkin",

booktitle = "Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings",

}

TY - GEN

T1 - Non-malleable encryption

T2 - 13th International Conference on Theory of Cryptography, TCC 2016

AU - Coretti, Sandro

AU - Dodis, Yevgeniy

AU - Tackmann, Björn

AU - Venturi, Daniele

PY - 2016

Y1 - 2016

N2 - In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ2) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “encode-then-encrypt-bit-by-bit” approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results—(faster) construction from IND-CPA and domain extension from one-bit scheme—also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.

AB - In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ2) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “encode-then-encrypt-bit-by-bit” approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA). After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results—(faster) construction from IND-CPA and domain extension from one-bit scheme—also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.

UR - http://www.scopus.com/inward/record.url?scp=84952683015&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84952683015&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-49096-9_13

DO - 10.1007/978-3-662-49096-9_13

M3 - Conference contribution

AN - SCOPUS:84952683015

SN - 9783662490952

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 306

EP - 335

BT - Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings

A2 - Kushilevitz, Eyal

A2 - Malkin, Tal

PB - Springer Verlag

Y2 - 10 January 2016 through 13 January 2016

ER -

Non-malleable encryption: Simpler, shorter, stronger

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this