Disavowable Public Key Encryption with Non-Interactive Opening

Ai ISHIDA  Keita EMURA  Goichiro HANAOKA  Yusuke SAKAI  Keisuke TANAKA  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E98-A   No.12   pp.2446-2455
Publication Date: 2015/12/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E98.A.2446
Type of Manuscript: Special Section PAPER (Special Section on Information Theory and Its Applications)
Category: Cryptography and Information Security
public key encryption with non-interactive opening,  disavowability,  non-interactive zero-knowledge proof,  

Full Text: PDF(1.4MB)>>
Buy this Article

The primitive called public key encryption with non-interactive opening (PKENO) is a class of public key encryption (PKE) with additional functionality. By using this, a receiver of a ciphertext can prove that the ciphertext is an encryption of a specified message in a publicly verifiable manner. In some situation that a receiver needs to claim that a ciphertext is NOT decrypted to a specified message, if he/she proves the fact by using PKENO straightforwardly, the real message of the ciphertext is revealed and a verifier checks that it is different from the specified message about which the receiver wants to prove. However, this naive solution is problematic in terms of privacy. Inspired by this problem, we propose the notion of disavowable public key encryption with non-interactive opening (disavowable PKENO) where, with respect to a ciphertext and a message, the receiver of the ciphertext can issue a proof that the plaintext of the ciphertext is NOT the message. Also, we give a concrete construction. Specifically, a disavowal proof in our scheme consists of 61 group elements. The proposed disavowable PKENO scheme is provably secure in the standard model under the decisional linear assumption and strong unforgeability of the underlying one-time signature scheme.