Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

  • Pascal Paillier
  • Jorge L. Villar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)


We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. one-wayness equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model for which CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n′≠n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in the Naor-Yung or Dolev-Dwork-Naor constructions.
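As an added illustration of the tradeoff described above (example code written for this page, not from the paper): for raw Rabin encryption, one-wayness is equivalent to factoring via a key-preserving reduction, so the decryption oracle that a CCA adversary is handed plays the role of the one-wayness breaker that reduction needs, and the adversary ends up with the factorization of n, i.e. the whole secret key. The toy primes, modulus and function names are constructed for this example.

```python
"""Toy Rabin scheme: the decryption oracle given to a CCA adversary is a
square-root oracle for the public modulus, and square roots mod n factor n."""
from math import gcd
import random

# Constructed toy parameters (far too small for real use); p, q = 3 mod 4
P, Q = 10007, 10039
N = P * Q


def rabin_encrypt(m: int, n: int = N) -> int:
    """Raw Rabin: c = m^2 mod n. Inverting this is as hard as factoring n."""
    return pow(m, 2, n)


def rabin_decrypt(c: int, p: int = P, q: int = Q) -> int:
    """Secret-key decryption: one square root of c mod pq via CRT.
    For p = 3 mod 4, c^((p+1)/4) mod p is a square root of c mod p."""
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    n = p * q
    # CRT recombination of the two component roots
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def factor_with_decryption_oracle(n: int, oracle, rng=random.Random(1)):
    """Key-preserving reduction from factoring n to inverting Rabin on key n.
    The 'inverter' supplied here is the decryption oracle of a CCA game, so a
    CCA adversary running this reduction recovers the factors of n."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) != 1:  # vanishingly unlikely, but then r already splits n
            d = gcd(r, n)
            return sorted((d, n // d))
        s = oracle(pow(r, 2, n))
        # c = r^2 has four roots mod n; the oracle returns +/-r with
        # probability 1/2, otherwise gcd(s - r, n) is a nontrivial factor.
        if s not in (r, n - r):
            d = gcd(s - r, n)
            return sorted((d, n // d))
```

Running `factor_with_decryption_oracle(N, rabin_decrypt)` returns `[P, Q]` after a couple of oracle calls on average, which is exactly the total break that the abstract says CCA security cannot survive.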





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Pascal Paillier (1)
  • Jorge L. Villar (2)
  1. Cryptography Group, Security Labs, Gemalto
  2. Departament de Matemàtica Aplicada, Universitat Politècnica de Catalunya
