- Plaintext-aware encryption
**Plaintext-awareness**is a notion of security forpublic-key encryption . Acryptosystem is plaintext-aware if it is difficult for any efficientalgorithm to come up with a validciphertext without being aware of the correspondingplaintext .From a lay point of view, this is a strange property. Normally, a ciphertext is computed by encrypting a plaintext. If a ciphertext is created this way, its creator would be aware, in some sense, of the plaintext. However, many cryptosystems are "not" plaintext-aware. As an example, consider the RSA cryptosystem. In the RSA cryptosystem, plaintexts and ciphertexts are both values modulo N (the modulus). Therefore, RSA is not plaintext aware: one way of generating a ciphertext without knowing the plaintext is to simply choose a random number modulo N.

In fact, plaintext-awareness is a very strong property. Any cryptosystem that is semantically secure and is plaintext-aware is actually secure against a

chosen-ciphertext attack , since any adversary that chooses ciphertexts would already know the plaintexts associated with them.**History**The concept of plaintext-aware encryption was developed by

Mihir Bellare andPhillip Rogaway in their paper on optimal asymmetric encryption [*M. Bellare and P. Rogaway. "Optimal Asymmetric Encryption -- How to encrypt with RSA". Extended abstract in Advances in Cryptology -*] , as a method to prove that a cryptosystem is chosen-ciphertext secure.Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed,Springer-Verlag , 1995. [*http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)*]**Further research**Limited research on plaintext-aware encryption has been done since Bellare and Rogaway's paper. Although several papers have applied the plaintext-aware technique in proving encryption schemes are chosen-ciphertext secure, only three papers revisit the concept of plaintext-aware encryption itself, both focussed on the definition given by Bellare and Rogaway that inherently require

random oracle s. Plaintext-aware encryption is known to exist when a public-key infrastructure is assumed. [*J. Herzog, M. Liskov, and*] Also, it has been shown that weaker forms of plaintext-awareness exist under the knowledge of exponent assumption, a non-standard assumption aboutS. Micali . "Plaintext Awareness via Key Registration". In Advances in Cryptology --CRYPTO 2003 Proceedings, Lecture Notes in Computer Science Vol. 2729, Springer-Verlag, 2003. [*http://www.cs.wm.edu/~mliskov/pubs/helimi.pdf (pdf)*]Diffie-Hellman triples. [*M. Bellare and A. Palacio. "Towards Plaintext-Aware Public-Key Encryption without Random Oracles". In Advances in Cryptology --*] Finally a variant of the Cramer Shoup encryption scheme was shown to be fully plaintext aware in the standard model under the knowledge of exponent assumption. [ASIACRYPT 2004, Lecture Notes in Computer Science Vol. 3329, Springer-Verlag, 2004. [*http://eprint.iacr.org/2004/221.pdf full version (pdf)*]*A. W. Dent "The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model". In Advances in Cryptology -- EUROCRYPT 2006, Lecture Notes in Computer Science Vol. 4004, Springer-Verlag, 2006. [*]*http://eprint.iacr.org/2005/261.pdf full version (pdf)*]**ee also***

Topics in cryptography **References**

*Wikimedia Foundation.
2010.*