A Simpler Construction of CCA2-Secure Public-Key Encryption under General Assumptions

  • Yehuda Lindell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


In this paper we present a simpler construction of a public-key encryption scheme that achieves adaptive chosen ciphertext security (CCA2), assuming the existence of trapdoor permutations. We build on previous works of Sahai and De Santis et al. and construct a scheme that we believe is the easiest to understand to date. In particular, it is only slightly more involved than the Naor-Yung encryption scheme that is secure against passive chosen-ciphertext attacks (CCA1). We stress that the focus of this paper is on simplicity only.


Encryption Scheme Signature Scheme Commitment Scheme Challenge Ciphertext Decryption Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare and P. Rogaway. Optimal asymmetric encryption — How to encrypt with RSA. In EUROCRYPT’94, Springer-Verlag (LNCS 950), pages 92–111, 1994.Google Scholar
  2. 2.
    D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1. In CRYPTO’98, Springer-Verlag (LNCS 1462), pages 1–12, 1998.Google Scholar
  3. 3.
    M. Blum, P. Feldman and S. Micali. Non-interactive zero-knowledge and its applications. In 20th STOC, pages 103–112, 1988.Google Scholar
  4. 4.
    R. Cramer and V. Shoup. A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO’98, Springer-Verlag (LNCS 1462), pages 13–25, 1998.Google Scholar
  5. 5.
    R. Cramer and V. Shoup. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In EUROCRYPT 2002, Springer-Verlag (LNCS 2332), pages 45–64, 2002.CrossRefGoogle Scholar
  6. 6.
    A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano and A. Sahai. Robust Non-interactive Zero-Knowledge. In CRYPTO 2001, Springer-Verlag (LNCS 2139), pages 566–598, 2001.CrossRefGoogle Scholar
  7. 7.
    D. Dolev, C. Dwork and M. Naor. Non-malleable Cryptography. In SICOMP, 30(2):391–437, 2000.zbMATHMathSciNetGoogle Scholar
  8. 8.
    U. Feige, D. Lapidot and A. Shamir. Multiple Non-Interactive Zero-Knowledge Proofs Under General Assumptions. In SICOMP, 29(1):1–28, 1999.zbMATHMathSciNetGoogle Scholar
  9. 9.
    U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.Google Scholar
  10. 10.
    O. Goldreich. Foundation of Cryptography — Basic Tools. Cambridge University Press, 2001.Google Scholar
  11. 11.
    O. Goldreich. Foundations of Cryptography: Volume 2 — Basic Applications. To be published. Available from
  12. 12.
    Y. Lindell. A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Cryptology ePrint Archive, Report 2002/057,, 2002.
  13. 13.
    M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151–158, 1991.zbMATHCrossRefGoogle Scholar
  14. 14.
    M. Naor and M. Yung. Universal One-Way Hash Functions and their Cryptographic Applications. In 21st STOC, pages 33–43, 1989.Google Scholar
  15. 15.
    M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In 22nd STOC, pages 427–437, 1990.Google Scholar
  16. 16.
    J. Rompel. One-way functions are necessary and efficient for secure signatures. In 22nd STOC, pages 387–394, 1990.Google Scholar
  17. 17.
    A. Sahai. Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. In 40th FOCS, pages 543–553, 1999.Google Scholar
  18. 18.
    A. Sahai. Simulation-Sound Non-Interactive Zero Knowledge. Manuscript, 2000.Google Scholar
  19. 19.
    V. Shoup. Why chosen ciphertext security matters. IBM Research Report RZ 3076, November, 1998.Google Scholar

Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Yehuda Lindell
    • 1
  1. 1.IBM T.J. WatsonHawthorneUSA

Personalised recommendations