Aps - cryptography
Pooya Farshim1, Benoît Libert2, Kenneth G. Paterson3, and Elizabeth A. Quaglia4
1 Fachbereich Informatik, Technische Universität Darmstadt, Germany
2 Technicolor, France
3 Information Security Group, Royal Holloway, University of London, UK
4 Département d'Informatique, École Normale Supérieure – Paris, France
Abstract. We revisit the notions of robustness introduced by Abdalla, Bellare, and Neven (TCC 2010). One of the main motivations for the introduction of strong robustness for public-key encryption (PKE) by Abdalla et al. was to prevent certain types of attack on Sako’s auction protocol. We show, perhaps surprisingly, that Sako’s protocol is still vulnerable to attacks exploiting robustness problems in the underlying PKE scheme, even when it is instantiated with a strongly robust scheme. This demonstrates that current notions of robustness are insufficient even for one of their most natural applications. To address this and other limitations in existing notions, we introduce a series of new robustness notions for PKE and explore their relationships. In particular, we introduce complete robustness, our strongest new notion of robustness, and give a number of constructions for completely robust PKE schemes.
Keywords. Robustness, Anonymity, Public-key encryption, Security proofs.
1 Introduction
A commonly pursued goal in cryptography is message privacy, which is typically achieved by means of encryption. In recent years, the privacy of users has become an equally relevant concern. It has led the research community to strive for anonymity properties when designing cryptographic primitives. In public-key encryption, in particular, key-privacy (a.k.a. receiver anonymity) was introduced in [4] to capture the idea that a ciphertext does not leak any information about the public key under which it was created, thereby making the communication anonymous. In this context, Abdalla, Bellare, and Neven [2] raised a