Plaintext-aware encryption

About: Plaintext-aware encryption is a research topic. Over the lifetime, 1980 publications have been published within this topic receiving 101775 citations. The topic is also known as: Plaintext awareness.

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency

Abstract: Revocation and key evolving paradigms are central issues in cryptography, and in PKI in particular. A novel concern related to these areas was raised in the recent work of Sahai, Seyalioglu, and Waters Crypto 2012 who noticed that revoking past keys should at times e.g., the scenario of cloud storage be accompanied by revocation of past ciphertexts to prevent unread ciphertexts from being read by revoked users. They introduced revocable-storage attribute-based encryption RS-ABE as a good access control mechanism for cloud storage. RS-ABE protects against the revoked users not only the future data by supporting key-revocation but also the past data by supporting ciphertext-update, through which a ciphertext at time T can be updated to a new ciphertext at time Ti¾?+i¾?1 using only the public key. Motivated by this pioneering work, we ask whether it is possible to have a modular approach, which includes a primitive for time managed ciphertext update as a primitive. We call encryption which supports this primitive a "self-updatable encryption" SUE. We then suggest a modular cryptosystems design methodology based on three sub-components: a primary encryption scheme, a key-revocation mechanism, and a time-evolution mechanism which controls the ciphertext self-updating via an SUE method, coordinated with the revocation when needed. Our goal in this is to allow the self-updating ciphertext component to take part in the design of new and improved cryptosystems and protocols in a flexible fashion. Specifically, we achieve the following results:

Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems

Abstract: Recently Canetti, Krawczyk and Nielsen defined the notion of replayable adaptive chosen ciphertext attack (RCCA) secure encryption. Essentially a cryptosystem that is RCCA secure has full CCA2 security except for the little detail that it may be possible to modify a ciphertext into another ciphertext containing the same plaintext.

Towards key-dependent message security in the standard model

Abstract: Standard security notions for encryption schemes do not guarantee any security if the encrypted messages depend on the secret key. Yet it is exactly the stronger notion of security in the presence of key-dependent messages (KDM security) that is required in a number of applications: most prominently, KDM security plays an important role in analyzing cryptographic multi-party protocols in a formal calculus. But although often assumed, the mere existence of KDM secure schemes is an open problem. The only previously known construction was proven secure in the random oracle model. We present symmetric encryption schemes that are KDM secure in the standard model (i.e., without random oracles). The price we pay is that we achieve only a relaxed (but still useful) notion of key-dependent message security. Our work answers (at least partially) an open problem posed by Black, Rogaway, and Shrimpton. More concretely, our contributions are as follows: 1. We present a (stateless) symmetric encryption scheme that is information-theoretically secure in face of a bounded number and length of encryptions for which the messages depend in an arbitrary way on the secret key. 2. We present a stateful symmetric encryption scheme that is computationally secure in face of an arbitrary number of encryptions for which the messages depend only on the respective current secret state/key of the scheme. The underlying computational assumption is minimal: we assume the existence of one-way functions. 3. We give evidence that the only previously known KDM secure encryption scheme cannot be proven secure in the standard model (i.e., without random oracles).

Cryptanalysis of a parallel sub-image encryption method with high-dimensional chaos

Abstract: Recently, a parallel sub-image encryption method with high-dimensional chaos has been proposed. But there is a fatal flaw in the cryptosystem that the generated keystream remains unchanged when encrypting every image. Based on this point, we could recover the plaintext by applying chosen plaintext attack. Therefore the proposed cryptosystem is not supposed to be used in image transmission system. Experimental results show the feasibility of our attack.