Is it possible to build a CPA-secure encryption scheme which remains secure even when the encryption of...












6












$begingroup$


How can I design a CPA-secure encryption scheme which is secure even after the encryption of secret key is given in the training phase? I.e., in the training phase, $mathit{Enc}_{mathit{pk}}(mathit{sk})$ is given to the attacker, where $(mathit{sk},mathit{pk})$ is the key pair.










share|improve this question









New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$












  • $begingroup$
    We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
    $endgroup$
    – kiran
    21 hours ago
















6












$begingroup$


How can I design a CPA-secure encryption scheme which is secure even after the encryption of secret key is given in the training phase? I.e., in the training phase, $mathit{Enc}_{mathit{pk}}(mathit{sk})$ is given to the attacker, where $(mathit{sk},mathit{pk})$ is the key pair.










share|improve this question









New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$












  • $begingroup$
    We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
    $endgroup$
    – kiran
    21 hours ago














6












6








6


1



$begingroup$


How can I design a CPA-secure encryption scheme which is secure even after the encryption of secret key is given in the training phase? I.e., in the training phase, $mathit{Enc}_{mathit{pk}}(mathit{sk})$ is given to the attacker, where $(mathit{sk},mathit{pk})$ is the key pair.










share|improve this question









New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$




How can I design a CPA-secure encryption scheme which is secure even after the encryption of secret key is given in the training phase? I.e., in the training phase, $mathit{Enc}_{mathit{pk}}(mathit{sk})$ is given to the attacker, where $(mathit{sk},mathit{pk})$ is the key pair.







chosen-plaintext-attack






share|improve this question









New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 6 hours ago









Squeamish Ossifrage

21.2k13197




21.2k13197






New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









kirankiran

334




334




New contributor




kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






kiran is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • $begingroup$
    We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
    $endgroup$
    – kiran
    21 hours ago


















  • $begingroup$
    We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
    $endgroup$
    – kiran
    21 hours ago
















$begingroup$
We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
$endgroup$
– kiran
21 hours ago




$begingroup$
We can also assume that there exists a deterministic poly time algorithm T that on input sk outputs pk.
$endgroup$
– kiran
21 hours ago










3 Answers
3






active

oldest

votes


















6












$begingroup$

It turns out that what you are looking for is not trivial... A scheme that satisfies such property is called (CPA) circular secure scheme.



There are some schemes that satisfy that, but I don't know if they have publicly available implementions. For example, you can take a look to this scheme.



In the notation used on the paper, $ell$ is the number of pairs of public and secret keys (so, in your case, $ell = 1$). They prove a stronger security notion (KDM - Key dependent messages) that implies circular security (at least in their setting).



--EDIT--



As the other users pointed out, on the Random Oracle Model (ROM) there are other (more standard) constructions which meet this security definition. When I wrote this answer, I didn't consider this security model, but I made this unconsciously. I didn't want to say that schemes proved secure on ROM must be simply rejected. To be honest, I think that a correct answer to your question should merge my original answer with other answers and point out these details.






share|improve this answer











$endgroup$









  • 1




    $begingroup$
    It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago



















7












$begingroup$

You're in luck! Essentially every secure public-key encryption scheme on bit strings that is actually in use already has this property—and, even better, not just IND-CPA but often IND-CCA2/NM-CCA2*—because they can all be factored into a KEM/DEM structure via a hash function $H$ like SHAKE128:





  1. (KEM) Generate a uniform random $k$ and encapsulation $y$ using $mathit{pk}$.



    Examples:





    • RSA-KEM: $mathit{pk} = n$, a large integer; choose $x$ uniformly at random in $0, 1, 2, dots, n - 1$, and compute $y = x^3 bmod n$ and $k = H(x)$.



      The recipient will recover $x = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$.




    • RSA-OAEP KEM: $mathit{pk} = n$, a large integer; choose $k$ and $r$ uniformly at random, compute $a = k oplus H(0 mathbin| r), b = r oplus H(1 mathbin| a)$ (of appropriate bit lengths so they fill a $lfloorlog_2 nrfloor$-bit integer), and $y = (a mathbin| b)^3 bmod n$.



      The recipient will recover $a mathbin| b = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$, and then solve for $k$.




    • DH-based KEM: $mathit{pk} = h$, an element of prime order in a group $G$ generated by a standard base $g$; choose $x$ uniformly at random, and compute $y = g^x$, and $k = H(h^x)$.



      The recipient will recover $k = H(y^z)$ with secret knowledge of $z$ such that $h = g^z$, so that $h^x = (g^z)^x = (g^x)^z = y^z$.






  2. (DEM) Use $k$ as a one-time key for a one-time authenticated cipher $operatorname{AE}$ to encrypt the message $m$ as $c = operatorname{AE}_k(m)$.



    Any authenticated cipher works here, like AES-GCM or crypto_secretbox_xsalsa20poly1305; technically the security requirements of a DEM are lighter than AEAD, e.g. you could just use most of $k$ as a one-time pad and the rest as a one-time authenticator key, but it is simplest—and most common—to use an authenticated cipher.



  3. Transmit $(y, c)$, the encapsulation $y$ of the one-time key $k$ and the authenticated encryption $c$ of the message $m$.



The one-time key $k$ is (effectively) independent of the secret key $mathit{sk}$, so there is no problem with the symmetric encryption $operatorname{AE}_k(mathit{sk})$ used here.



This notion of security is sometimes called circular security or key-dependent message (KDM) security.




  • In 2001, Camenisch and Lysyanskaya defined circular security and proved that $(m, r) mapsto E_{mathit{pk}}(r) mathbin| (H(r) oplus m)$ for uniform random $r$ has it if $E_{mathit{pk}}$ is semantically secure[1].

  • Independently, in 2002, Black, Rogaway, and Shrimpton defined the slightly stronger KDM security and suggested but could not prove that KEM/DEM hybrid constructions like this would have it[2].

  • Then in 2014, Davies and Stam finally found formal techniques to prove that KEM/DEM via $H$ generically has KDM security[3].


Skipping the hash $H$, of course, can ruin the security, as in many cryptosystems.



Of course, if you need additional structure—e.g., the homomorphic property of Elgamal encryption $(h^r, g^r m)$ for a highly restricted message space—then the answer may be different, because such additional structure is incompatible with NM-CCA2. But in that case, you'll need to ask a more specific question about your specific additional structure.





* Well, some of the practical ones fail IND-CCA2/NM-CCA2, like S/MIME and OpenPGP, because their designers made foolish decisions leading to EFAIL[4]. But those particular mistakes don't imply problems with circular/KDM security: they are still effectively factored into KEM/not-quite-DEM.



In academic cryptography jargon, the security here is usually presented in the ‘random oracle model’. Essentially, this means that we can prove any attacker that doesn't depend on the details of $H$ can be used, if parametrized by $H$, as a subroutine in a procedure to factor large semiprimes, compute discrete logs, etc. In principle, it could be that particular choices of hash function $H$ could interact with the public-key mathematical structure to enable other attacks; pathological examples have been exhibited[5] where any choice of hash function is insecure. But these pathological examples are of little consequence in the real world, and they give no reason to doubt the practical security of the KEMs actually in widespread use today like these; these pathological examples are more of an interesting quirk of the formalism than anything else. More on the random oracle model.






share|improve this answer











$endgroup$













  • $begingroup$
    great. thanks a lot
    $endgroup$
    – kiran
    20 hours ago






  • 2




    $begingroup$
    The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
    $endgroup$
    – OrangeDog
    18 hours ago






  • 1




    $begingroup$
    @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago










  • $begingroup$
    @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago












  • $begingroup$
    @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago





















3












$begingroup$

This is secure for practically all hybrid asymmetric encryption algorithms, like ECIES or RSA-KEM. However it violates the security assumptions of the standard model, so you have to resort to the random oracle model.



I would avoid overly complicated designs, like those from the paper Hilder mentions, just for the sake of a standard model security proof.






share|improve this answer








New contributor




user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$













    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "281"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    kiran is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68270%2fis-it-possible-to-build-a-cpa-secure-encryption-scheme-which-remains-secure-even%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    6












    $begingroup$

    It turns out that what you are looking for is not trivial... A scheme that satisfies such property is called (CPA) circular secure scheme.



    There are some schemes that satisfy that, but I don't know if they have publicly available implementions. For example, you can take a look to this scheme.



    In the notation used on the paper, $ell$ is the number of pairs of public and secret keys (so, in your case, $ell = 1$). They prove a stronger security notion (KDM - Key dependent messages) that implies circular security (at least in their setting).



    --EDIT--



    As the other users pointed out, on the Random Oracle Model (ROM) there are other (more standard) constructions which meet this security definition. When I wrote this answer, I didn't consider this security model, but I made this unconsciously. I didn't want to say that schemes proved secure on ROM must be simply rejected. To be honest, I think that a correct answer to your question should merge my original answer with other answers and point out these details.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago
















    6












    $begingroup$

    It turns out that what you are looking for is not trivial... A scheme that satisfies such property is called (CPA) circular secure scheme.



    There are some schemes that satisfy that, but I don't know if they have publicly available implementions. For example, you can take a look to this scheme.



    In the notation used on the paper, $ell$ is the number of pairs of public and secret keys (so, in your case, $ell = 1$). They prove a stronger security notion (KDM - Key dependent messages) that implies circular security (at least in their setting).



    --EDIT--



    As the other users pointed out, on the Random Oracle Model (ROM) there are other (more standard) constructions which meet this security definition. When I wrote this answer, I didn't consider this security model, but I made this unconsciously. I didn't want to say that schemes proved secure on ROM must be simply rejected. To be honest, I think that a correct answer to your question should merge my original answer with other answers and point out these details.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago














    6












    6








    6





    $begingroup$

    It turns out that what you are looking for is not trivial... A scheme that satisfies such property is called (CPA) circular secure scheme.



    There are some schemes that satisfy that, but I don't know if they have publicly available implementions. For example, you can take a look to this scheme.



    In the notation used on the paper, $ell$ is the number of pairs of public and secret keys (so, in your case, $ell = 1$). They prove a stronger security notion (KDM - Key dependent messages) that implies circular security (at least in their setting).



    --EDIT--



    As the other users pointed out, on the Random Oracle Model (ROM) there are other (more standard) constructions which meet this security definition. When I wrote this answer, I didn't consider this security model, but I made this unconsciously. I didn't want to say that schemes proved secure on ROM must be simply rejected. To be honest, I think that a correct answer to your question should merge my original answer with other answers and point out these details.






    share|improve this answer











    $endgroup$



    It turns out that what you are looking for is not trivial... A scheme that satisfies such property is called (CPA) circular secure scheme.



    There are some schemes that satisfy that, but I don't know if they have publicly available implementions. For example, you can take a look to this scheme.



    In the notation used on the paper, $ell$ is the number of pairs of public and secret keys (so, in your case, $ell = 1$). They prove a stronger security notion (KDM - Key dependent messages) that implies circular security (at least in their setting).



    --EDIT--



    As the other users pointed out, on the Random Oracle Model (ROM) there are other (more standard) constructions which meet this security definition. When I wrote this answer, I didn't consider this security model, but I made this unconsciously. I didn't want to say that schemes proved secure on ROM must be simply rejected. To be honest, I think that a correct answer to your question should merge my original answer with other answers and point out these details.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 4 hours ago

























    answered yesterday









    Hilder Vítor Lima PereiraHilder Vítor Lima Pereira

    4,019930




    4,019930








    • 1




      $begingroup$
      It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago














    • 1




      $begingroup$
      It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago








    1




    1




    $begingroup$
    It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago




    $begingroup$
    It would be helpful if you specified that you are discounting any scheme whose security has been proven only in the random oracle model, as you seem to be, with the consequence of discounting essentially every public-key cryptosystem in use in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago











    7












    $begingroup$

    You're in luck! Essentially every secure public-key encryption scheme on bit strings that is actually in use already has this property—and, even better, not just IND-CPA but often IND-CCA2/NM-CCA2*—because they can all be factored into a KEM/DEM structure via a hash function $H$ like SHAKE128:





    1. (KEM) Generate a uniform random $k$ and encapsulation $y$ using $mathit{pk}$.



      Examples:





      • RSA-KEM: $mathit{pk} = n$, a large integer; choose $x$ uniformly at random in $0, 1, 2, dots, n - 1$, and compute $y = x^3 bmod n$ and $k = H(x)$.



        The recipient will recover $x = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$.




      • RSA-OAEP KEM: $mathit{pk} = n$, a large integer; choose $k$ and $r$ uniformly at random, compute $a = k oplus H(0 mathbin| r), b = r oplus H(1 mathbin| a)$ (of appropriate bit lengths so they fill a $lfloorlog_2 nrfloor$-bit integer), and $y = (a mathbin| b)^3 bmod n$.



        The recipient will recover $a mathbin| b = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$, and then solve for $k$.




      • DH-based KEM: $mathit{pk} = h$, an element of prime order in a group $G$ generated by a standard base $g$; choose $x$ uniformly at random, and compute $y = g^x$, and $k = H(h^x)$.



        The recipient will recover $k = H(y^z)$ with secret knowledge of $z$ such that $h = g^z$, so that $h^x = (g^z)^x = (g^x)^z = y^z$.






    2. (DEM) Use $k$ as a one-time key for a one-time authenticated cipher $operatorname{AE}$ to encrypt the message $m$ as $c = operatorname{AE}_k(m)$.



      Any authenticated cipher works here, like AES-GCM or crypto_secretbox_xsalsa20poly1305; technically the security requirements of a DEM are lighter than AEAD, e.g. you could just use most of $k$ as a one-time pad and the rest as a one-time authenticator key, but it is simplest—and most common—to use an authenticated cipher.



    3. Transmit $(y, c)$, the encapsulation $y$ of the one-time key $k$ and the authenticated encryption $c$ of the message $m$.



    The one-time key $k$ is (effectively) independent of the secret key $mathit{sk}$, so there is no problem with the symmetric encryption $operatorname{AE}_k(mathit{sk})$ used here.



    This notion of security is sometimes called circular security or key-dependent message (KDM) security.




    • In 2001, Camenisch and Lysyanskaya defined circular security and proved that $(m, r) mapsto E_{mathit{pk}}(r) mathbin| (H(r) oplus m)$ for uniform random $r$ has it if $E_{mathit{pk}}$ is semantically secure[1].

    • Independently, in 2002, Black, Rogaway, and Shrimpton defined the slightly stronger KDM security and suggested but could not prove that KEM/DEM hybrid constructions like this would have it[2].

    • Then in 2014, Davies and Stam finally found formal techniques to prove that KEM/DEM via $H$ generically has KDM security[3].


    Skipping the hash $H$, of course, can ruin the security, as in many cryptosystems.



    Of course, if you need additional structure—e.g., the homomorphic property of Elgamal encryption $(h^r, g^r m)$ for a highly restricted message space—then the answer may be different, because such additional structure is incompatible with NM-CCA2. But in that case, you'll need to ask a more specific question about your specific additional structure.





    * Well, some of the practical ones fail IND-CCA2/NM-CCA2, like S/MIME and OpenPGP, because their designers made foolish decisions leading to EFAIL[4]. But those particular mistakes don't imply problems with circular/KDM security: they are still effectively factored into KEM/not-quite-DEM.



    In academic cryptography jargon, the security here is usually presented in the ‘random oracle model’. Essentially, this means that we can prove any attacker that doesn't depend on the details of $H$ can be used, if parametrized by $H$, as a subroutine in a procedure to factor large semiprimes, compute discrete logs, etc. In principle, it could be that particular choices of hash function $H$ could interact with the public-key mathematical structure to enable other attacks; pathological examples have been exhibited[5] where any choice of hash function is insecure. But these pathological examples are of little consequence in the real world, and they give no reason to doubt the practical security of the KEMs actually in widespread use today like these; these pathological examples are more of an interesting quirk of the formalism than anything else. More on the random oracle model.






    share|improve this answer











    $endgroup$













    • $begingroup$
      great. thanks a lot
      $endgroup$
      – kiran
      20 hours ago






    • 2




      $begingroup$
      The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
      $endgroup$
      – OrangeDog
      18 hours ago






    • 1




      $begingroup$
      @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago










    • $begingroup$
      @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago












    • $begingroup$
      @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago


















    7












    $begingroup$

    You're in luck! Essentially every secure public-key encryption scheme on bit strings that is actually in use already has this property—and, even better, not just IND-CPA but often IND-CCA2/NM-CCA2*—because they can all be factored into a KEM/DEM structure via a hash function $H$ like SHAKE128:





    1. (KEM) Generate a uniform random $k$ and encapsulation $y$ using $mathit{pk}$.



      Examples:





      • RSA-KEM: $mathit{pk} = n$, a large integer; choose $x$ uniformly at random in $0, 1, 2, dots, n - 1$, and compute $y = x^3 bmod n$ and $k = H(x)$.



        The recipient will recover $x = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$.




      • RSA-OAEP KEM: $mathit{pk} = n$, a large integer; choose $k$ and $r$ uniformly at random, compute $a = k oplus H(0 mathbin| r), b = r oplus H(1 mathbin| a)$ (of appropriate bit lengths so they fill a $lfloorlog_2 nrfloor$-bit integer), and $y = (a mathbin| b)^3 bmod n$.



        The recipient will recover $a mathbin| b = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$, and then solve for $k$.




      • DH-based KEM: $mathit{pk} = h$, an element of prime order in a group $G$ generated by a standard base $g$; choose $x$ uniformly at random, and compute $y = g^x$, and $k = H(h^x)$.



        The recipient will recover $k = H(y^z)$ with secret knowledge of $z$ such that $h = g^z$, so that $h^x = (g^z)^x = (g^x)^z = y^z$.






    2. (DEM) Use $k$ as a one-time key for a one-time authenticated cipher $operatorname{AE}$ to encrypt the message $m$ as $c = operatorname{AE}_k(m)$.



      Any authenticated cipher works here, like AES-GCM or crypto_secretbox_xsalsa20poly1305; technically the security requirements of a DEM are lighter than AEAD, e.g. you could just use most of $k$ as a one-time pad and the rest as a one-time authenticator key, but it is simplest—and most common—to use an authenticated cipher.



    3. Transmit $(y, c)$, the encapsulation $y$ of the one-time key $k$ and the authenticated encryption $c$ of the message $m$.



    The one-time key $k$ is (effectively) independent of the secret key $mathit{sk}$, so there is no problem with the symmetric encryption $operatorname{AE}_k(mathit{sk})$ used here.



    This notion of security is sometimes called circular security or key-dependent message (KDM) security.




    • In 2001, Camenisch and Lysyanskaya defined circular security and proved that $(m, r) mapsto E_{mathit{pk}}(r) mathbin| (H(r) oplus m)$ for uniform random $r$ has it if $E_{mathit{pk}}$ is semantically secure[1].

    • Independently, in 2002, Black, Rogaway, and Shrimpton defined the slightly stronger KDM security and suggested but could not prove that KEM/DEM hybrid constructions like this would have it[2].

    • Then in 2014, Davies and Stam finally found formal techniques to prove that KEM/DEM via $H$ generically has KDM security[3].


    Skipping the hash $H$, of course, can ruin the security, as in many cryptosystems.



    Of course, if you need additional structure—e.g., the homomorphic property of Elgamal encryption $(h^r, g^r m)$ for a highly restricted message space—then the answer may be different, because such additional structure is incompatible with NM-CCA2. But in that case, you'll need to ask a more specific question about your specific additional structure.





    * Well, some of the practical ones fail IND-CCA2/NM-CCA2, like S/MIME and OpenPGP, because their designers made foolish decisions leading to EFAIL[4]. But those particular mistakes don't imply problems with circular/KDM security: they are still effectively factored into KEM/not-quite-DEM.



    In academic cryptography jargon, the security here is usually presented in the ‘random oracle model’. Essentially, this means that we can prove any attacker that doesn't depend on the details of $H$ can be used, if parametrized by $H$, as a subroutine in a procedure to factor large semiprimes, compute discrete logs, etc. In principle, it could be that particular choices of hash function $H$ could interact with the public-key mathematical structure to enable other attacks; pathological examples have been exhibited[5] where any choice of hash function is insecure. But these pathological examples are of little consequence in the real world, and they give no reason to doubt the practical security of the KEMs actually in widespread use today like these; these pathological examples are more of an interesting quirk of the formalism than anything else. More on the random oracle model.






    share|improve this answer











    $endgroup$













    • $begingroup$
      great. thanks a lot
      $endgroup$
      – kiran
      20 hours ago






    • 2




      $begingroup$
      The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
      $endgroup$
      – OrangeDog
      18 hours ago






    • 1




      $begingroup$
      @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago










    • $begingroup$
      @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago












    • $begingroup$
      @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago
















    7












    7








    7





    $begingroup$

    You're in luck! Essentially every secure public-key encryption scheme on bit strings that is actually in use already has this property—and, even better, not just IND-CPA but often IND-CCA2/NM-CCA2*—because they can all be factored into a KEM/DEM structure via a hash function $H$ like SHAKE128:





    1. (KEM) Generate a uniform random $k$ and encapsulation $y$ using $mathit{pk}$.



      Examples:





      • RSA-KEM: $mathit{pk} = n$, a large integer; choose $x$ uniformly at random in $0, 1, 2, dots, n - 1$, and compute $y = x^3 bmod n$ and $k = H(x)$.



        The recipient will recover $x = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$.




      • RSA-OAEP KEM: $mathit{pk} = n$, a large integer; choose $k$ and $r$ uniformly at random, compute $a = k oplus H(0 mathbin| r), b = r oplus H(1 mathbin| a)$ (of appropriate bit lengths so they fill a $lfloorlog_2 nrfloor$-bit integer), and $y = (a mathbin| b)^3 bmod n$.



        The recipient will recover $a mathbin| b = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$, and then solve for $k$.




      • DH-based KEM: $mathit{pk} = h$, an element of prime order in a group $G$ generated by a standard base $g$; choose $x$ uniformly at random, and compute $y = g^x$, and $k = H(h^x)$.



        The recipient will recover $k = H(y^z)$ with secret knowledge of $z$ such that $h = g^z$, so that $h^x = (g^z)^x = (g^x)^z = y^z$.






    2. (DEM) Use $k$ as a one-time key for a one-time authenticated cipher $operatorname{AE}$ to encrypt the message $m$ as $c = operatorname{AE}_k(m)$.



      Any authenticated cipher works here, like AES-GCM or crypto_secretbox_xsalsa20poly1305; technically the security requirements of a DEM are lighter than AEAD, e.g. you could just use most of $k$ as a one-time pad and the rest as a one-time authenticator key, but it is simplest—and most common—to use an authenticated cipher.



    3. Transmit $(y, c)$, the encapsulation $y$ of the one-time key $k$ and the authenticated encryption $c$ of the message $m$.



    The one-time key $k$ is (effectively) independent of the secret key $mathit{sk}$, so there is no problem with the symmetric encryption $operatorname{AE}_k(mathit{sk})$ used here.



    This notion of security is sometimes called circular security or key-dependent message (KDM) security.




    • In 2001, Camenisch and Lysyanskaya defined circular security and proved that $(m, r) mapsto E_{mathit{pk}}(r) mathbin| (H(r) oplus m)$ for uniform random $r$ has it if $E_{mathit{pk}}$ is semantically secure[1].

    • Independently, in 2002, Black, Rogaway, and Shrimpton defined the slightly stronger KDM security and suggested but could not prove that KEM/DEM hybrid constructions like this would have it[2].

    • Then in 2014, Davies and Stam finally found formal techniques to prove that KEM/DEM via $H$ generically has KDM security[3].


    Skipping the hash $H$, of course, can ruin the security, as in many cryptosystems.



    Of course, if you need additional structure—e.g., the homomorphic property of Elgamal encryption $(h^r, g^r m)$ for a highly restricted message space—then the answer may be different, because such additional structure is incompatible with NM-CCA2. But in that case, you'll need to ask a more specific question about your specific additional structure.





    * Well, some of the practical ones fail IND-CCA2/NM-CCA2, like S/MIME and OpenPGP, because their designers made foolish decisions leading to EFAIL[4]. But those particular mistakes don't imply problems with circular/KDM security: they are still effectively factored into KEM/not-quite-DEM.



    In academic cryptography jargon, the security here is usually presented in the ‘random oracle model’. Essentially, this means that we can prove any attacker that doesn't depend on the details of $H$ can be used, if parametrized by $H$, as a subroutine in a procedure to factor large semiprimes, compute discrete logs, etc. In principle, it could be that particular choices of hash function $H$ could interact with the public-key mathematical structure to enable other attacks; pathological examples have been exhibited[5] where any choice of hash function is insecure. But these pathological examples are of little consequence in the real world, and they give no reason to doubt the practical security of the KEMs actually in widespread use today like these; these pathological examples are more of an interesting quirk of the formalism than anything else. More on the random oracle model.






    share|improve this answer











    $endgroup$



    You're in luck! Essentially every secure public-key encryption scheme on bit strings that is actually in use already has this property—and, even better, not just IND-CPA but often IND-CCA2/NM-CCA2*—because they can all be factored into a KEM/DEM structure via a hash function $H$ like SHAKE128:





    1. (KEM) Generate a uniform random $k$ and encapsulation $y$ using $mathit{pk}$.



      Examples:





      • RSA-KEM: $mathit{pk} = n$, a large integer; choose $x$ uniformly at random in $0, 1, 2, dots, n - 1$, and compute $y = x^3 bmod n$ and $k = H(x)$.



        The recipient will recover $x = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$.




      • RSA-OAEP KEM: $mathit{pk} = n$, a large integer; choose $k$ and $r$ uniformly at random, compute $a = k oplus H(0 mathbin| r), b = r oplus H(1 mathbin| a)$ (of appropriate bit lengths so they fill a $lfloorlog_2 nrfloor$-bit integer), and $y = (a mathbin| b)^3 bmod n$.



        The recipient will recover $a mathbin| b = y^d bmod n$ with secret knowledge of $d equiv e^{-1} pmod{lambda(n)}$, and then solve for $k$.




      • DH-based KEM: $mathit{pk} = h$, an element of prime order in a group $G$ generated by a standard base $g$; choose $x$ uniformly at random, and compute $y = g^x$, and $k = H(h^x)$.



        The recipient will recover $k = H(y^z)$ with secret knowledge of $z$ such that $h = g^z$, so that $h^x = (g^z)^x = (g^x)^z = y^z$.






    2. (DEM) Use $k$ as a one-time key for a one-time authenticated cipher $operatorname{AE}$ to encrypt the message $m$ as $c = operatorname{AE}_k(m)$.



      Any authenticated cipher works here, like AES-GCM or crypto_secretbox_xsalsa20poly1305; technically the security requirements of a DEM are lighter than AEAD, e.g. you could just use most of $k$ as a one-time pad and the rest as a one-time authenticator key, but it is simplest—and most common—to use an authenticated cipher.



    3. Transmit $(y, c)$, the encapsulation $y$ of the one-time key $k$ and the authenticated encryption $c$ of the message $m$.



    The one-time key $k$ is (effectively) independent of the secret key $mathit{sk}$, so there is no problem with the symmetric encryption $operatorname{AE}_k(mathit{sk})$ used here.



    This notion of security is sometimes called circular security or key-dependent message (KDM) security.




    • In 2001, Camenisch and Lysyanskaya defined circular security and proved that $(m, r) mapsto E_{mathit{pk}}(r) mathbin| (H(r) oplus m)$ for uniform random $r$ has it if $E_{mathit{pk}}$ is semantically secure[1].

    • Independently, in 2002, Black, Rogaway, and Shrimpton defined the slightly stronger KDM security and suggested but could not prove that KEM/DEM hybrid constructions like this would have it[2].

    • Then in 2014, Davies and Stam finally found formal techniques to prove that KEM/DEM via $H$ generically has KDM security[3].


    Skipping the hash $H$, of course, can ruin the security, as in many cryptosystems.



    Of course, if you need additional structure—e.g., the homomorphic property of Elgamal encryption $(h^r, g^r m)$ for a highly restricted message space—then the answer may be different, because such additional structure is incompatible with NM-CCA2. But in that case, you'll need to ask a more specific question about your specific additional structure.





    * Well, some of the practical ones fail IND-CCA2/NM-CCA2, like S/MIME and OpenPGP, because their designers made foolish decisions leading to EFAIL[4]. But those particular mistakes don't imply problems with circular/KDM security: they are still effectively factored into KEM/not-quite-DEM.



    In academic cryptography jargon, the security here is usually presented in the ‘random oracle model’. Essentially, this means that we can prove any attacker that doesn't depend on the details of $H$ can be used, if parametrized by $H$, as a subroutine in a procedure to factor large semiprimes, compute discrete logs, etc. In principle, it could be that particular choices of hash function $H$ could interact with the public-key mathematical structure to enable other attacks; pathological examples have been exhibited[5] where any choice of hash function is insecure. But these pathological examples are of little consequence in the real world, and they give no reason to doubt the practical security of the KEMs actually in widespread use today like these; these pathological examples are more of an interesting quirk of the formalism than anything else. More on the random oracle model.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 6 hours ago

























    answered 21 hours ago









    Squeamish OssifrageSqueamish Ossifrage

    21.2k13197




    21.2k13197












    • $begingroup$
      great. thanks a lot
      $endgroup$
      – kiran
      20 hours ago






    • 2




      $begingroup$
      The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
      $endgroup$
      – OrangeDog
      18 hours ago






    • 1




      $begingroup$
      @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago










    • $begingroup$
      @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago












    • $begingroup$
      @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago




















    • $begingroup$
      great. thanks a lot
      $endgroup$
      – kiran
      20 hours ago






    • 2




      $begingroup$
      The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
      $endgroup$
      – OrangeDog
      18 hours ago






    • 1




      $begingroup$
      @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago










    • $begingroup$
      @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago












    • $begingroup$
      @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
      $endgroup$
      – Squeamish Ossifrage
      14 hours ago


















    $begingroup$
    great. thanks a lot
    $endgroup$
    – kiran
    20 hours ago




    $begingroup$
    great. thanks a lot
    $endgroup$
    – kiran
    20 hours ago




    2




    2




    $begingroup$
    The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
    $endgroup$
    – OrangeDog
    18 hours ago




    $begingroup$
    The accepted answer (from Hilder Vítor) appears to contradict you. Is it because you are dismissing the "pathological examples"?
    $endgroup$
    – OrangeDog
    18 hours ago




    1




    1




    $begingroup$
    @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago




    $begingroup$
    @OrangeDog It would seem that Hilder tacitly rejects the random oracle model altogether—which flies in the face of essentially all public-key cryptography in practice. This is a perspective taken by some academic cryptography theoreticians, but it explains why one can't find practical implementations: because practitioners are justifiably unconcerned by the contortions that Canetti–Goldreich–Halevi go through to exhibit pathological counterexamples. By the same token, one might reject SHA-3 because there's technically no formalization of its ‘collision resistance’, per se.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago












    $begingroup$
    @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago






    $begingroup$
    @OrangeDog In particular, Canetti–Goldreich–Halevi concoct a signature scheme leaks the private key on inputs of the form $(x, H(x), pi)$ where $pi$ is a valid proof that $(x, H(x))$ is in the graph of some fixed polynomial-time function ensemble, which has negligible probability when $H$ is a uniform random function so the scheme is ROM-secure, but can be exhibited easily when $H$ is drawn from any concrete family of functions so the scheme is not instantiable. In other words, it's a signature scheme that by construction throws a tantrum if you instantiate it in practice.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago














    $begingroup$
    @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago






    $begingroup$
    @OrangeDog The theoretical concern high in the ivory tower is that a counterexample proves that ROM security doesn't imply concrete security. The sensible inference is not that schemes with ROM security should be silently ignored. Rather, there is probably some technical criterion separating the pathologically hopeless cases like Canetti–Goldreich–Halevi's tantrum-throwing signatures from real schemes we actually use, which we haven't identified yet. It's not the only such academic problem: collision resistance, free precomputation, etc., also have technical issues of little consequence.
    $endgroup$
    – Squeamish Ossifrage
    14 hours ago













    3












    $begingroup$

    This is secure for practically all hybrid asymmetric encryption algorithms, like ECIES or RSA-KEM. However it violates the security assumptions of the standard model, so you have to resort to the random oracle model.



    I would avoid overly complicated designs, like those from the paper Hilder mentions, just for the sake of a standard model security proof.






    share|improve this answer








    New contributor




    user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






    $endgroup$


















      3












      $begingroup$

      This is secure for practically all hybrid asymmetric encryption algorithms, like ECIES or RSA-KEM. However it violates the security assumptions of the standard model, so you have to resort to the random oracle model.



      I would avoid overly complicated designs, like those from the paper Hilder mentions, just for the sake of a standard model security proof.






      share|improve this answer








      New contributor




      user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      $endgroup$
















        3












        3








        3





        $begingroup$

        This is secure for practically all hybrid asymmetric encryption algorithms, like ECIES or RSA-KEM. However it violates the security assumptions of the standard model, so you have to resort to the random oracle model.



        I would avoid overly complicated designs, like those from the paper Hilder mentions, just for the sake of a standard model security proof.






        share|improve this answer








        New contributor




        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        $endgroup$



        This is secure for practically all hybrid asymmetric encryption algorithms, like ECIES or RSA-KEM. However it violates the security assumptions of the standard model, so you have to resort to the random oracle model.



        I would avoid overly complicated designs, like those from the paper Hilder mentions, just for the sake of a standard model security proof.







        share|improve this answer








        New contributor




        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered yesterday









        user66919user66919

        311




        311




        New contributor




        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        user66919 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






















            kiran is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            kiran is a new contributor. Be nice, and check out our Code of Conduct.













            kiran is a new contributor. Be nice, and check out our Code of Conduct.












            kiran is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68270%2fis-it-possible-to-build-a-cpa-secure-encryption-scheme-which-remains-secure-even%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

            He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

            Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029