On the security of cryptosystems with all-or-nothing transform

Abstract

An AONT is an efficiently computable transform with two properties. Given all the bits of its output, it is easy to retrieve the message. On the other hand, if sufficiently many bits of the output are missing, it is computationally infeasible for an polynomial-time adversary to learn any information about the message. The natural intuition then may be deduced that if an secure AONT is used in a cryptosystem, the whole system will be secure as long as sufficiently many bits are "protected". However, we show this is not enough. Our results are three-fold: First we answer an open problem raised in [6], showing that previous definitions are not sufficient to guarantee a provably secure cryptosystem with strong data privacy, namely, indistinguishability against chosen ciphertext attack (IND-CCA). Second, we give a new definition to AONT, showing this definition suffices to guarantee an AONT integrated with any encryption functions to acquire IND-CCA secure cryptosystems. Third, we give concrete constructions that satisfy the new definition. © Springer-Verlag Berlin Heidelberg 2004.