Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages
This paper considers arbitrary-length chosen-ciphertext secure asymmetric encryption, thus addressing what is actually needed for a practical usage of strong public-key cryptography in the real world. We put forward two generic constructions, gem-1 and gem-2 which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of unfixed length (typically computer files). Our techniques optimally combine a single call to any one-way trapdoor function with repeated encryptions through some weak block-cipher (a simple xor is fine) and hash functions of fixed-length input so that a minimal number of calls to these functions is needed. Our encryption/decryption throughputs are comparable to the ones of standard methods (asymmetric encryption of a session key + symmetric encryption with multiple modes). In our case, however, we formally prove that our designs are secure in the strongest sense and provide complete security reductions holding in the random oracle model.
- [BDPR99]Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. Full paper (30 pages), February 1999. An extended abstract appears in H. Krawczyk, ed., Advances in Cryptology — CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, pages 26–45, Springer-Verlag, 1998.CrossRefGoogle Scholar
- [BPS00]Olivier Baudron, David Pointcheval, and Jacques Stern. Extended Notions of Security for Multicast Public Key Cryptosystems. In Proc. of the 27th ICALP, LNCS 1853, pages 499–511. Springer-Verlag, Berlin, 2000.Google Scholar
- [BR93]Mihir Bellare and Phillip Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In First ACM Conference on Computer and Communications Security, pages 62–73. ACM Press, 1993.Google Scholar
- [CHJ+01]Jean-Sébastien Coron, Helena Handschuh, Marc Joye, Pascal Paillier, David Pointcheval, and Christophe Tymen. Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages. http://eprint.iacr.org/, 2001.
- [FOPS01]Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA-OAEP is Secure under the RSA Assumption. In Advances in Cryptology — CRYPTO’01, Lecture Notes in Computer Science. Springer-Verlag, 2001.Google Scholar
- [NY90]Moni Naor and Moti Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In 22nd ACM Annual Symposium on the Theory of Computing (STOC’ 90), pages 427–437. ACM Press, 1990.Google Scholar
- [OP01b]Tatsuaki Okamoto and David Pointcheval. The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes. In PKC, volume 1992 of Lecture Notes in Computer Science, pages 104–118. Springer-Verlag, 2001.Google Scholar
- [Poi00]David Pointcheval. Chosen-Ciphertext Security for any One-Way Cryptosystem. In H. Imai and Y. Zheng, editors, Public Key Cryptography, volume 1751 of Lecture Notes in Computer Science, pages 129–146. Springer-Verlag, 2000.Google Scholar
- [RS92]Charles Rackoff and Daniel R. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In J. Feigenbaum, editor, Advances in Cryptology — CRYPTO’91, volume 576, pages 433–444. Springer-Verlag, 1992.Google Scholar
- [Sho01]Victor Shoup. OAEP Reconsidered. In Advances in Cryptology —CRYPTO’01, Lecture Notes in Computer Science. Springer-Verlag, 2001.Google Scholar