Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

  • Pascal Paillier
  • Jorge L. Villar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)


We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. one-wayness equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model whose CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n′ ≠ n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in the Naor-Yung or Dolev-Dwork-Naor constructions.
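The folklore argument the abstract refers to is easiest to see on plain Rabin encryption, which the paper lists among the affected schemes. Inverting the Rabin trapdoor x ↦ x² mod n is equivalent to factoring n by a key-preserving reduction (Rabin, 1979), and a CCA decryption oracle is precisely such an inverter for the attacked key, so the adversary can run the reduction against the oracle and factor n. The following is an added illustration written for this page, not code from the paper or its authors; the key pair, the primes and the choice of which square root the oracle returns are all constructed for the demo and are far too small for real use.

```python
# Added illustration (not code from the paper): the folklore argument behind the
# abstract's claim, instantiated on plain Rabin encryption. For Rabin, inverting
# the trapdoor x -> x^2 mod n is equivalent to factoring n by a key-preserving
# reduction (Rabin 1979), and a CCA decryption oracle is exactly such an
# inverter for the attacked key, so a single chosen-ciphertext query factors n
# with probability about 1/2. Parameters below are toy values constructed for
# the demo; the primes are far too small for any real use.
import random
from math import gcd


def keygen(p, q):
    """Rabin key pair. p, q must be primes congruent to 3 mod 4 so that
    square roots mod p can be taken as c^((p+1)/4)."""
    assert p % 4 == 3 and q % 4 == 3
    return p * q, (p, q)


def encrypt(n, m):
    return pow(m, 2, n)


def decrypt(sk, c):
    """Decryption oracle: returns one of the four square roots of c mod n.
    The root is the CRT combination of the principal roots mod p and mod q,
    which depends only on c, not on which root the sender started from."""
    p, q = sk
    n = p * q
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    # CRT: y = rp (mod p) and y = rq (mod q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def factor_with_decryption_oracle(n, oracle, rng, max_queries=64):
    """CCA adversary: pick a random x, ask the oracle to decrypt x^2 mod n, and
    use the returned root y.  x is uniform over the four roots of x^2, while y
    depends only on x^2, so Pr[y not in {x, -x}] = 1/2; in that case
    (x - y)(x + y) = 0 mod n with neither factor 0 mod n, and gcd(x - y, n)
    is a nontrivial divisor of n.  Returns (sorted factors, queries used)."""
    for queries in range(1, max_queries + 1):
        x = rng.randrange(2, n - 1)
        g = gcd(x, n)
        if g != 1:  # lucky guess of a multiple of p or q
            return sorted((g, n // g)), queries
        y = oracle(encrypt(n, x))
        if y != x and y != n - x:
            f = gcd(x - y, n)
            return sorted((f, n // f)), queries
    return None, max_queries


def demo(seed=1):
    """Run the attack against a toy key; returns (factors, number of queries)."""
    p, q = 10007, 10039  # toy primes, both 3 mod 4
    n, sk = keygen(p, q)
    return factor_with_decryption_oracle(n, lambda c: decrypt(sk, c), random.Random(seed))


if __name__ == "__main__":
    factors, queries = demo()
    print(f"recovered factors {factors} after {queries} decryption query/queries")
```

Every query goes to the same modulus n, which is what "key-preserving" means here: the reduction from factoring to inversion never needs a second key. Padding schemes such as SAEP or OAEP block this specific query (the oracle rejects x² unless the recovered plaintext carries valid padding), which is why they are CCA secure in the RO model; the paper's point is that in the standard model no instantiation of that padding can be proved CCA secure by a key-preserving reduction to factoring without reintroducing exactly this kind of inverter.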


Keywords: Expense, Malleability, Padding


References

  1. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–46. Springer, Heidelberg (1998)
  2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62–73 (1993)
  3. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  4. Blum, M., Goldwasser, S.: A probabilistic public key encryption scheme which hides all partial information. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 289–299. Springer, Heidelberg (1985)
  5. Boneh, D.: Simplified OAEP for the RSA and Rabin functions. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 275–291. Springer, Heidelberg (2001)
  6. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998)
  7. Brown, D.R.L.: Unprovable security of RSA-OAEP in the standard model (2006), http://eprint/
  8. Chor, B., Goldreich, O.: RSA/Rabin least significant bits are \(\frac{1}{2} + \frac{1}{poly(\log N)}\) secure. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 303–313. Springer, Heidelberg (1985)
  9. Demytko, N.: A new elliptic curve based analogue of RSA. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 40–49. Springer, Heidelberg (1994)
  10. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: ACM STOC 1991, pp. 542–552 (1991)
  11. Fujisaki, E.: Chosen-ciphertext security of EPOC-2. Technical report, NTT Corporation (2001)
  12. Fujisaki, E., Kobayashi, T., Morita, H., Oguro, H., Okamoto, T., Okazaki, S., Pointcheval, D., Uchiyama, S.: EPOC: Efficient probabilistic public-key encryption. ISO and NESSIE (submitted)
  13. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. on Comp. 17(2), 281–308 (1988)
  14. Jao, D., Miller, S.D., Venkatesan, R.: Do all elliptic curves of the same order have the same difficulty of discrete log? In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 21–40. Springer, Heidelberg (2005)
  15. Koyama, K., Maurer, U.M., Okamoto, T., Vanstone, S.A.: New public-key schemes based on elliptic curves over the ring ℤn. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 252–266. Springer, Heidelberg (1992)
  16. Malkin, T.G., Moriarty, R., Yakovenko, N.: Generalized environmental security from number theoretic assumptions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 343–359. Springer, Heidelberg (2006)
  17. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen-ciphertext attacks. In: 22nd ACM Symposium on Theory of Computing (1990)
  18. Okamoto, T., Pointcheval, D.: REACT: Rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–175. Springer, Heidelberg (2001)
  19. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  20. Rabin, M.O.: Digital signatures and public key functions as intractable as factorization. Technical Report MIT/LCS/TR-212 (January 1979)
  21. RSA Data Security: PKCS #1: RSA encryption standard, Version 1.5 (November 1993)
  22. Williams, H.C.: A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory IT-26(6), 726–729 (1980)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Pascal Paillier (1)
  • Jorge L. Villar (2)
  1. Cryptography Group, Security Labs, Gemalto
  2. Departament de Matemàtica Aplicada, Universitat Politècnica de Catalunya
