Plaintext-aware encryption
Encyclopedia
Plaintext-awareness is a notion of security for public-key encryption. A cryptosystem
is plaintext-aware if it is difficult for any efficient algorithm
to come up with a valid ciphertext
without being aware of the corresponding plaintext
.
From a lay point of view, this is a strange property. Normally, a ciphertext is computed by encrypting
a plaintext. If a ciphertext is created this way, its creator would be aware, in some sense, of the plaintext. However, many cryptosystems are not plaintext-aware. As an example, consider the RSA cryptosystem. In the RSA cryptosystem, plaintexts and ciphertexts are both values modulo
N (the modulus). Therefore, RSA is not plaintext aware: one way of generating a ciphertext without knowing the plaintext is to simply choose a random number modulo N.
In fact, plaintext-awareness is a very strong property. Any cryptosystem that is semantically secure
and is plaintext-aware is actually secure against a chosen-ciphertext attack
, since any adversary that chooses ciphertexts would already know the plaintexts associated with them.
and Phillip Rogaway
in their paper on optimal asymmetric encryption
, as a method to prove that a cryptosystem is chosen-ciphertext secure.
s. Plaintext-aware encryption is known to exist when a public-key infrastructure is assumed.
Also, it has been shown that weaker forms of plaintext-awareness exist under the knowledge of exponent assumption, a non-standard assumption about Diffie-Hellman triples.
Finally a variant of the Cramer Shoup encryption scheme was shown to be fully plaintext aware in the standard model under the knowledge of exponent assumption.
Cryptosystem
There are two different meanings of the word cryptosystem. One is used by the cryptographic community, while the other is the meaning understood by the public.- General meaning :...
is plaintext-aware if it is difficult for any efficient algorithm
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...
to come up with a valid ciphertext
Ciphertext
In cryptography, ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher...
without being aware of the corresponding plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....
.
From a lay point of view, this is a strange property. Normally, a ciphertext is computed by encrypting
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
a plaintext. If a ciphertext is created this way, its creator would be aware, in some sense, of the plaintext. However, many cryptosystems are not plaintext-aware. As an example, consider the RSA cryptosystem. In the RSA cryptosystem, plaintexts and ciphertexts are both values modulo
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
N (the modulus). Therefore, RSA is not plaintext aware: one way of generating a ciphertext without knowing the plaintext is to simply choose a random number modulo N.
In fact, plaintext-awareness is a very strong property. Any cryptosystem that is semantically secure
Semantic security
Semantic security is a widely used definition for security in an asymmetric key encryption algorithm. For a cryptosystem to be semantically secure, it must be infeasible for a computationally bounded adversary to derive significant information about a message when given only its ciphertext and...
and is plaintext-aware is actually secure against a chosen-ciphertext attack
Chosen-ciphertext attack
A chosen-ciphertext attack is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the...
, since any adversary that chooses ciphertexts would already know the plaintexts associated with them.
History
The concept of plaintext-aware encryption was developed by Mihir BellareMihir Bellare
Mihir Bellare is a cryptographer and professor at the University of California, San Diego. He has published several seminal papers in the field of cryptography , many coauthored with Phillip Rogaway. Bellare has published a number of papers in the field of Format-Preserving Encryption...
and Phillip Rogaway
Phillip Rogaway
Phillip Rogaway is a professor of computer science at the University of California, Davis. He graduated with an BA in computer science from UC Berkeley and completed his PhD in cryptography at MIT, in the Theory of Computation group. He has taught at UC Davis since 1994.Dr...
in their paper on optimal asymmetric encryption
Optimal Asymmetric Encryption Padding
In cryptography, Optimal Asymmetric Encryption Padding is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway....
, as a method to prove that a cryptosystem is chosen-ciphertext secure.
Further research
Limited research on plaintext-aware encryption has been done since Bellare and Rogaway's paper. Although several papers have applied the plaintext-aware technique in proving encryption schemes are chosen-ciphertext secure, only three papers revisit the concept of plaintext-aware encryption itself, both focussed on the definition given by Bellare and Rogaway that inherently require random oracleRandom oracle
In cryptography, a random oracle is an oracle that responds to every query with a random response chosen uniformly from its output domain, except that for any specific query, it responds the same way every time it receives that query...
s. Plaintext-aware encryption is known to exist when a public-key infrastructure is assumed.
Also, it has been shown that weaker forms of plaintext-awareness exist under the knowledge of exponent assumption, a non-standard assumption about Diffie-Hellman triples.
Finally a variant of the Cramer Shoup encryption scheme was shown to be fully plaintext aware in the standard model under the knowledge of exponent assumption.