Paper 2009/205

Related Message Attacks to Public Key Encryption Schemes: Relations among Security Notions

Maria Isabel Gonzalez Vasco and Angel L. Perez del Pozo

Abstract

Consider a scenario in which an adversary, attacking a certain public key encryption scheme, gains knowledge of several ciphertexts which underlying plaintext are meaningfully related with a given target ciphertext. This kind of related message attack has been proved successful against several public key encryption schemes; widely known is the Franklin-Reiter attack to RSA with low exponent and its subsequent improvement by Coppersmith. However, to the best of our knowledge no formal treatment of these type of attacks has to date been done, and as a result, it has not been rigorously studied which of the ``standard'' security notions imply resilience to them. We give formal definitions of several security notions capturing the resistance to this kind of attacks. For passive adversaries we prove that, for the case of indistinguishability, security against related message attacks is equivalent to standard CPA security. On the other hand, one-wayness robust schemes in this sense can be seen as strictly between OW-CPA and IND-CPA secure schemes. Furthermore, we prove that the same holds for active (CCA) adversaries.