Paper 2005/261

The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model

Alexander W. Dent

Abstract

In this paper we examine the security criteria for a KEM and a DEM that are su±cient for the overall hybrid encryption scheme to be plaintext-aware in the standard model. We apply this theory to the Cramer-Shoup hybrid scheme acting on ¯xed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of plaintext-aware encryption schemes.

Note: The original version of this paper contained an subtle, but substantial error in the proof of the theorem that PA1 + Simulability => PA2. This theorem has been withdrawn. The main result, that Cramer-Shoup is PA2, is now proven using a slight variation of the original technique. My apologies to anyone inconvenienced by the error.

Metadata
Available format(s)
PDF PS
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
provable securityplaintext-awareness
Contact author(s)
a dent @ rhul ac uk
History
2006-04-21: last of 3 revisions
2005-08-11: received
See all versions
Short URL
https://ia.cr/2005/261
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/261,
      author = {Alexander W.  Dent},
      title = {The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model},
      howpublished = {Cryptology ePrint Archive, Paper 2005/261},
      year = {2005},
      note = {\url{https://eprint.iacr.org/2005/261}},
      url = {https://eprint.iacr.org/2005/261}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.