On the Security of Multiple Encryption or CCA-security+CCA-security=CCA-security?

  • Rui Zhang
  • Goichiro Hanaoka
  • Junji Shikata
  • Hideki Imai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2947)


In practical systems, a message is often encrypted more than once under different encryption schemes, here called multiple encryption, to enhance its security. Multiple encryption can also provide new features, as in key-insulated cryptosystems and anonymous channels. Intuitively, a multiple encryption should remain “secure” as long as at least one of its component ciphers is unbreakable. NESSIE’s latest Portfolio of recommended cryptographic primitives (Feb. 2003) suggests using multiple encryption with component ciphers based on different assumptions to achieve long-term security. In this paper, however, we show that this needs careful discussion: in particular, it may not hold under adaptive chosen ciphertext attack (CCA), even when all component ciphers are CCA-secure. We define an extended model of (standard) CCA, called chosen ciphertext attack for multiple encryption (ME-CCA), which emulates partial breaking of assumptions, and give constructions of multiple encryption satisfying ME-CCA-security. We further relax CCA by introducing weak ME-CCA (ME-wCCA) and study the relations among these definitions, proving that ME-wCCA-security can be achieved by combining IND-CCA-secure component ciphers. We then apply these results to key-insulated cryptosystems.


Keywords: Generic Construction; Random Oracle Model; Security Notion; Challenge Ciphertext; Decryption Oracle
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Rui Zhang (1)
  • Goichiro Hanaoka (1)
  • Junji Shikata (2)
  • Hideki Imai (1)
  1. Institute of Industrial Science, University of Tokyo, Japan
  2. Graduate School of Environment and Information Science, Yokohama National University, Japan
