Plaintext-aware encryption

Plaintext-aware encryption

Plaintext-awareness is a notion of security for public-key encryption. A cryptosystem is plaintext-aware if it is difficult for any efficient algorithm to come up with a valid ciphertext without being aware of the corresponding plaintext.

From a lay point of view, this is a strange property. Normally, a ciphertext is computed by encrypting a plaintext. If a ciphertext is created this way, its creator would be aware, in some sense, of the plaintext. However, many cryptosystems are "not" plaintext-aware. As an example, consider the RSA cryptosystem. In the RSA cryptosystem, plaintexts and ciphertexts are both values modulo N (the modulus). Therefore, RSA is not plaintext aware: one way of generating a ciphertext without knowing the plaintext is to simply choose a random number modulo N.

In fact, plaintext-awareness is a very strong property. Any cryptosystem that is semantically secure and is plaintext-aware is actually secure against a chosen-ciphertext attack, since any adversary that chooses ciphertexts would already know the plaintexts associated with them.


The concept of plaintext-aware encryption was developed by Mihir Bellare and Phillip Rogaway in their paper on optimal asymmetric encryption [M. Bellare and P. Rogaway. "Optimal Asymmetric Encryption -- How to encrypt with RSA". Extended abstract in Advances in Cryptology - Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995. [ full version (pdf)] ] , as a method to prove that a cryptosystem is chosen-ciphertext secure.

Further research

Limited research on plaintext-aware encryption has been done since Bellare and Rogaway's paper. Although several papers have applied the plaintext-aware technique in proving encryption schemes are chosen-ciphertext secure, only three papers revisit the concept of plaintext-aware encryption itself, both focussed on the definition given by Bellare and Rogaway that inherently require random oracles. Plaintext-aware encryption is known to exist when a public-key infrastructure is assumed. [J. Herzog, M. Liskov, and S. Micali. "Plaintext Awareness via Key Registration". In Advances in Cryptology -- CRYPTO 2003 Proceedings, Lecture Notes in Computer Science Vol. 2729, Springer-Verlag, 2003. [ (pdf)] ] Also, it has been shown that weaker forms of plaintext-awareness exist under the knowledge of exponent assumption, a non-standard assumption about Diffie-Hellman triples. [M. Bellare and A. Palacio. "Towards Plaintext-Aware Public-Key Encryption without Random Oracles". In Advances in Cryptology -- ASIACRYPT 2004, Lecture Notes in Computer Science Vol. 3329, Springer-Verlag, 2004. [ full version (pdf)] ] Finally a variant of the Cramer Shoup encryption scheme was shown to be fully plaintext aware in the standard model under the knowledge of exponent assumption. [A. W. Dent "The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model". In Advances in Cryptology -- EUROCRYPT 2006, Lecture Notes in Computer Science Vol. 4004, Springer-Verlag, 2006. [ full version (pdf)] ]

ee also

* Topics in cryptography


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • cryptology — cryptologist, n. cryptologic /krip tl oj ik/, cryptological, adj. /krip tol euh jee/, n. 1. cryptography. 2. the science and study of cryptanalysis and cryptography. [1635 45; < NL cryptologia. See CRYPTO , LOGY] * * * Introduction …   Universalium

  • Cryptography — Secret code redirects here. For the Aya Kamiki album, see Secret Code. Symmetric key cryptography, where the same key is used both for encryption and decryption …   Wikipedia

  • Encrypting File System — The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS[1] that provides filesystem level encryption. The technology enables files to be transparently encrypted to protect confidential data from… …   Wikipedia

  • Onion routing — is a technique for anonymous communication over a computer network. Messages are repeatedly encrypted and then sent through several network nodes called onion routers. Like someone unpeeling an onion, each onion router removes a layer of… …   Wikipedia

  • Differential cryptanalysis — is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at… …   Wikipedia

  • One-way compression function — In cryptography, a one way compression function is a function that transforms two fixed length inputs to an output of the same size as one of the inputs. The transformation is one way , meaning that it is difficult given a particular output to… …   Wikipedia

  • Pretty Good Privacy — Original author(s) Phil Zimmermann Developer(s) Phil Zimmermann Initial release In 1991 Written in Multi language …   Wikipedia

  • ZIP (file format) — unzip redirects here. For the program, see Info ZIP. ZIP Filename extension .zip .zipx (newer compression algorithms) Internet media type application/zip Uniform Type Identifier archive Magic …   Wikipedia

  • Steganography — is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message. By contrast, cryptography obscures the meaning of a message, but it does not conceal …   Wikipedia

  • Voynich manuscript — The Voynich manuscript is a mysterious illustrated book written in an indecipherable text. It is thought to have been written between 1450 and 1520. The author, script and language of the manuscript remain unknown.Over its recorded existence, the …   Wikipedia