Optimal Asymmetric Encryption and Signature Paddings

  • Benoît Chevallier-Mames
  • Duong Hieu Phan
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Strong security notions often introduce strong constraints on the construction of cryptographic schemes: semantic security implies probabilistic encryption, while the resistance to existential forgeries requires redundancy in signature schemes. Some paddings have thus been designed in order to provide these minimal requirements to each of them, in order to achieve secure primitives.

A few years ago, Coron et al. suggested the design of a common construction, a universal padding, which one could apply for both encryption and signature. As a consequence, such a padding has to introduce both randomness and redundancy, which does not lead to an optimal encryption nor an optimal signature.

In this paper, we refine this notion of universal padding, in which a part can be either a random string in order to introduce randomness or a zero-constant string in order to introduce some redundancy. This helps us to build, with a unique padding, optimal encryption and optimal signature: first, in the random-permutation model, and then in the random-oracle model. In both cases, we study the concrete sizes of the parameters, for a specific security level: The former achieves an optimal bandwidth.


Signature Scheme Random Oracle Security Parameter Security Notion Decryption Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proc. of the 1st CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption – How to Encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Chevallier-Mames, B., Phan, D.H., Pointcheval, D.: Optimal Asymmetric Encryption and Signature Paddings. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, Springer, Heidelberg (2005), Full version available from Google Scholar
  6. 6.
    Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal Padding Schemes For RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  8. 8.
    Cramer, R., Shoup, V.: Signature Scheme based on the Strong RSA Assumption. In: Proc. of the 6th CCS, pp. 46–51. ACM Press, New York (1999)Google Scholar
  9. 9.
    Dodis, Y., Reyzin, L.: On the power of claw-free permutation. In: Security in Communication Networks (2002)Google Scholar
  10. 10.
    Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure Against Adaptative Chosen-Message Attacks. SIAM Journal of Computing 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Granboulan, L.: Short Signatures in the Random Oracle Model. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 364–378. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Haber, S., Pinkas, B.: Combining Public Key Cryptosystems. In: Proc. of the 8th ACM CSS, pp. 215–224. ACM Press, New York (2001)Google Scholar
  13. 13.
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Proc. of the 10th CCS, pp. 155–164. ACM Press, Washington (2003)Google Scholar
  14. 14.
    Komano, Y., Ohta, K.: Efficient Universal Padding Schemes for Multiplicative Trapdoor One-Way Permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 366–382. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Lenstra, A.K., Verheul, E.R.: Selecting Cryptographic Key Sizes. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 446–465. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. 16.
    Naccache, D., Stern, J.: Signing on a Postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    NIST. Digital Signature Standard (DSS). Federal Information Processing Standards PUBlication 186 (November 1994)Google Scholar
  18. 18.
    Nyberg, K., Rueppel, R.A.: Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 182–193. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  19. 19.
    Okamoto, T., Pointcheval, D.: The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Phan, D.H., Pointcheval, D.: Chosen-Ciphertext Security without Redundancy. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Phan, D.H., Pointcheval, D.: OAEP 3-Round: A Generic and Secure Asymmetric Encryption Padding. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 63–77. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Rackoff, C., Simon, D.R.: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  23. 23.
    Schnorr, C.P.: Efficient Signature Generation by Smart Cards. Journal of Cryptology 4(3), 161–174 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.: Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Benoît Chevallier-Mames
    • 1
    • 2
  • Duong Hieu Phan
    • 2
  • David Pointcheval
    • 2
  1. 1.GemplusFrance
  2. 2.ENSParisFrance

Personalised recommendations