We present a new primitive of randomized message-locked encryption (MLE) in this paper and define a new security model for it. The new primitive, named message-locked encryption3 (hereafter referred as MLE3), is actually a variant of randomized message-locked encryption (Bellare et al. Eurocrypt' 13). In order to prevent trivial attacks, our primitive admits a semi-trusted server, which is allowed to hold a secret key of public key encryption (PKE), to verify the correctness of a tag. The new security notion, called privacy chosen-distribution attacks3 (PRV-CDA3), requires that a ciphertext generated by encrypting an unpredictable message and another ciphertext (possible invalid) chosen randomly from a ciphertext space are indistinguishable. Compared with the priori proposed security notion, privacy chosen- distribution attacks (PRV-CDA) (Bellare et al. Eurocrypt' 13), which requires that two ciphertexts generated by encrypting two unpredictable messages are indistinguishable, the security notion we propose is much stronger. Based on the new primitive, under the blackbox reductions, we put forward a novel construction which achieves both privacy chosen- distribution attacks3 (PRV-CDA3) and strong tag consistency(STC) securities in the standard model via universal computational extractors (UCEs) ( Bellare et al. Crypto' 13). In addition, our scheme also provides the validity-testing for ciphertext.

• 出版日期2017-5
• 单位安徽科技学院; 上海交通大学; 杭州师范大学; 西南科技大学