

Non-malleable Multiple Public-Key Encryption
Atsushi FUJIOKA Eiichiro FUJISAKI Keita XAGAWA
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E97-A
No.6
pp.1318-1334
Publication Date: 2014/06/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E97.A.1318
Type of Manuscript: Special Section PAPER (Special Section on Discrete Mathematics and Its Applications)
Category:
Keyword: Multiple public-key encryption, Non-malleability, Adversarially chosen public-key attacks, Threshold public-key encryption, Completely non-malleable public-key encryption
Summary:
We study non-malleability of multiple public-key encryption (ME) schemes. The main difference of ME from the threshold public-key encryption schemes is that there is no dealer to share a secret among users; each user can independently choose their own public keys; and a sender can encrypt a message under ad-hoc multiple public keys of his choice. In this paper we tackle non-malleability of ME. We note that the prior works only consider confidentiality of messages and treat the case that all public keys are chosen by honest users. In the multiple public-key setting, however, some applications naturally require non-malleability of ciphertexts under multiple public keys including malicious users'. Therefore, we study the case and have obtained the following results:
· We present three definitions of non-malleability of ME: simulation-based, comparison-based, and indistinguishability-based ones. These definitions can be seen as an analogue of those of non-malleable public-key encryption (PKE) schemes. Interestingly, our definitions are all equivalent even for the “invalid-allowing” relations. We note that the counterparts of PKE are not equivalent for the relations.
· The previous strongest security notion for ME, “indistinguishability against strong chosen-ciphertext attacks (sMCCA)” [1], does not imply our notion of non-malleability against chosen-plaintext attacks.
· Non-malleability of ME guarantees that the single-message indistinguishability-based notion is equivalent to the multiple-message simulation-based notion, which provides designers with a fundamental benefit.
· We define new, stronger decryption robustness for ME. A non-malleable ME scheme is meaningful in practice if it also has the decryption robustness.
· We present a constant ciphertext-size ME scheme (meaning that the length of a ciphertext is independent of the number of public keys) that is secure in our strongest security notion of non-malleability. Indeed, the ciphertext overhead (i.e., the length of a ciphertext minus that of a plaintext) is the combined length of two group elements plus one hash value, regardless of the number of public keys. Then, the length of the partial decryption of one user consists of only two group elements, regardless of the length of the plaintext.


