Completely non-malleable encryption revisited

Abstract

Several security notions for public-key encryption schemes have been proposed so far, in particular considering the powerful adversary that can play a so called "man-in-the-middle" attack. In this paper we extend the notion of completely non-malleable encryption introduced in [Fischlin, ICALP 05]. This notion immunizes a scheme from adversaries that can generate related ciphertexts under new public keys. This notion is motivated by its powerful features when encryption schemes are used as subprotocols. While in [Fischlin, ICALP 05] the only notion of simulation-based completely non-malleable encryption with respect to CCA2 adversaries was given, we present new game-based definitions for completely non-malleable encryption that follow the standard separations among NM-CPA, NM-CCA1 and NM-CCA2 security given in [Bellare et al., CRYPTO 98]. This is motivated by the fact that in several cases, the simplest notion we introduce (i.e., NM-CPA*) in several cases suffices for the main application that motivated the introduction of the notion of NM-CCA2*security, i.e., the design of non-malleable commitment schemes. Further the game-based definition of NM-CPA*security actually implies the simulation-based one. We then focus on constructing encryption schemes that satisfy these strong security notions and show: 1) an NM-CCA2*secure encryption scheme in the shared random string model; 2) an NM-CCA2*secure encryption scheme in the plain model; for this second result, we use interaction and non-black-box techniques to overcome an impossibility result. Our results clarify the importance of these stronger notions of encryption schemes and show how to construct them without requiring random oracles. © 2008 Springer-Verlag Berlin Heidelberg.