Plaintext awareness is a property of a public-key encryption scheme intended
to capture the idea that the only way to produce a valid ciphertext is to take a
message and encrypt it. The idea is compelling, but the devil, as always, is in
the details. The established deŻnition of plaintext awareness in the standard
model is known as PA2 plaintext awareness and was introduced by Bellare
and Palacio. We propose a modiŻed deŻnition of plaintext awareness, which
we call 2PA2, in which the arbitrary stateful plaintext creators of the PA2
deŻnition are replaced with a choice of two Żxed stateless plaintext creators.
We show that under reasonable conditions our new deŻnition is equivalent to
the standard one. We also adapt techniques used by Teranishi and Ogata to
show that no encryption scheme which allows arbitrarily long messages can be
PA2 plaintext aware, a disadvantage which our new deŻnition does not appear
to share.
Dent has shown that a variant of the Cramer-Shoup encryption scheme
based on the Di±e-Hellman problem is PA2 plaintext aware under the Di±e-
Hellman Knowledge (DHK) assumption. We present a generalisation of this
assumption to arbitrary subset membership problems, which we call the Sub-
set Witness Knowledge (SWK) assumption, and use it to show that the generic
Cramer-Shoup and Kurosawa-Desmedt encryption schemes based on hash
proof systems are plaintext aware. In the case of the Di±e-Hellman problem,
the SWK assumption is exactly the Di±e-Hellman Knowledge assumption,
but we also discuss several other possible instantiations of this assumption.