# An IND-CCA2 Public-Key Cryptosystem with Fast Decryption

## Abstract

We propose an IND-CCA2 public-key cryptosystem with fast decryption, called the NICE-X cryptosystem. Its decryption time is quadratic in the bit-length of the public key *D*, i.e., *O*((log |*D*|)²), plus the cost of two hash functions. NICE-X is an enhancement of the NICE cryptosystem, which is constructed over the quadratic class group *Cl*(*D*). We first show that breaking the one-wayness of NICE encryption is as intractable as the Smallest Kernel Equivalent Problem (SKEP). We also prove that the NICE cryptosystem is IND-CPA under the Decisional Kernel Problem (DKP). Then we prove that the NICE-X cryptosystem is IND-CCA2 under the SKEP in the random oracle model. The decryption overhead of NICE-X over NICE is only the cost of one ideal multiplication and two hash functions. Our conversion technique from NICE to NICE-X is based on REACT, but we modify it to suit NICE: a message in NICE-X is encrypted with the random mask of the NICE encryption function, instead of the encrypted key. As a result, the problem to which the security of NICE-X reduces improves from the Gap-SKEP to the SKEP.

## Keywords

Public-key cryptosystem, chosen ciphertext attack, NICE cryptosystem, factoring algorithm, fast decryption
