Journal of Cryptology, Volume 23, Issue 1, pp 91–120

A New and Improved Paradigm for Hybrid Encryption Secure Against Chosen-Ciphertext Attack

  • Yvo Desmedt
  • Rosario Gennaro
  • Kaoru Kurosawa
  • Victor Shoup


We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracles). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM).

Our scheme is a modification of the hybrid scheme presented by Shoup in (EuroCrypt’97, Springer LNCS, vol. 1233, pp. 256–266, 1997) (based on the Cramer–Shoup scheme in CRYPTO’98, Springer LNCS, vol. 1462, pp. 13–25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts.

This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie–Hellman (DDH) Assumption.

Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer–Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie–Hellman (CDH) Assumption.


Keywords: Public key encryption, Chosen ciphertext security, Projective hash proofs




  1. M. Abe, R. Gennaro, K. Kurosawa, Tag-KEM/DEM: a new framework for hybrid encryption. J. Cryptol. 21(1), 97–130 (2008)
  2. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in 1993 ACM Conference on Computer and Communications Security (ACM, New York, 1993), pp. 62–73
  3. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
  4. R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in CRYPTO’98. Springer LNCS, vol. 1462 (Springer, Berlin, 1998), pp. 13–25
  5. R. Cramer, V. Shoup, Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption, in EuroCrypt’02. Springer LNCS, vol. 2332 (Springer, Berlin, 2002), pp. 45–64
  6. R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2003)
  7. W. Diffie, M. Hellman, New directions in cryptography. IEEE Trans. Inf. Theory IT-22(6), 644–654 (1976)
  8. D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography, in STOC’91 (1991), pp. 542–552
  9. R. Gennaro, V. Shoup, A Note on An Encryption Scheme of Kurosawa and Desmedt. IACR Eprint Archive
  10. J. Herranz, D. Hofheinz, E. Kiltz, The Kurosawa–Desmedt Key Encapsulation is not Chosen-Ciphertext Secure. IACR Eprint Archive
  11. D. Hofheinz, E. Kiltz, Secure hybrid encryption from weakened key encapsulation, in CRYPTO 2007. Springer LNCS, vol. 4622 (Springer, Berlin, 2007), pp. 553–571
  12. K. Kurosawa, Y. Desmedt, A New Paradigm of Hybrid Encryption Scheme, in CRYPTO’04. Springer LNCS, vol. 3152 (Springer, Berlin, 2004), pp. 426–442
  13. M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, STOC’90 (ACM, New York, 1990), pp. 427–437
  14. M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, STOC’89 (ACM, New York, 1989), pp. 33–43
  15. C. Rackoff, D. Simon, Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack, in CRYPTO’91. Springer LNCS, vol. 576 (Springer, Berlin, 1991), pp. 433–444
  16. J. Rompel, One-way functions are necessary and sufficient for secure signatures, in Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, STOC’90 (ACM, New York, 1990), pp. 387–394
  17. V. Shoup, Lower bounds for discrete logarithms and related problems, in EuroCrypt’97. Springer LNCS, vol. 1233 (Springer, Berlin, 1997), pp. 256–266
  18. V. Shoup, Using hash functions as a hedge against chosen ciphertext attack, in EuroCrypt’00. Springer LNCS, vol. 1807 (Springer, Berlin, 2000), pp. 275–288

Copyright information

© International Association for Cryptologic Research 2009

Authors and Affiliations

  • Yvo Desmedt (1)
  • Rosario Gennaro (2)
  • Kaoru Kurosawa (3)
  • Victor Shoup (4)

  1. Dept. of Computer Science, University College London, London, UK
  2. IBM T.J. Watson Research Center, Yorktown Heights, USA
  3. Dept. of Computer and Information Sciences, Ibaraki University, Ibaraki, Japan
  4. Computer Science Dept., NYU, New York, USA
