An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

  • Mihir Bellare
  • Alexandra Boldyreva
  • Adriana Palacio
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3027)


We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning that it is proven in the RO model to meet its goal yet admits no standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption, which formally captures the security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.
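The "practical usage" the abstract refers to is hybrid encryption: an asymmetric scheme transports a fresh symmetric key, and the bulk data is then encrypted under that key. The following is an added illustration of that pattern, not code from the paper; in particular it is not the paper's Hash ElGamal scheme, whose definition is not given on this page. It pairs a hashed-ElGamal-style key encapsulation (ephemeral y = g^r, key K = H(y, pk^r)) with a hash-based authenticated stream cipher, and runs over a constructed order-11 subgroup of Z_23^* so that it executes instantly; the group parameters, the key-derivation function and the symmetric scheme are all assumptions of this example. Decapsulation rejects values outside the prime-order subgroup, and any tampering with the symmetric ciphertext is caught by the MAC before decryption output is released.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: the subgroup of Z_23^* generated by 4 has prime
# order 11. A real deployment uses a group of cryptographic size; these values
# exist only so the example runs and can be checked by hand.
P = 23
Q = 11
G = 4


def keygen(rand=secrets.randbelow):
    """Return (sk, pk) = (x, g^x mod p) with x uniform in [1, Q-1]."""
    x = 1 + rand(Q - 1)
    return x, pow(G, x, P)


def _kdf(y, z):
    """Derive a 32-byte symmetric key from the ephemeral value and the DH secret
    (assumed KDF: a domain-separated SHA-256 over both group elements)."""
    data = y.to_bytes(4, "big") + z.to_bytes(4, "big")
    return hashlib.sha256(b"kem-kdf" + data).digest()


def encapsulate(pk, rand=secrets.randbelow):
    """Hashed-ElGamal-style KEM: ciphertext y = g^r, key K = H(y, pk^r)."""
    r = 1 + rand(Q - 1)
    y = pow(G, r, P)
    return y, _kdf(y, pow(pk, r, P))


def decapsulate(sk, y):
    """Recover K from y using the secret exponent, since pk^r = y^x."""
    if not 1 < y < P or pow(y, Q, P) != 1:
        return None  # reject values outside the prime-order subgroup
    return _kdf(y, pow(y, sk, P))


def _keystream(k_enc, nonce, n):
    """Counter-mode keystream built from SHA-256 (assumed toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(k_enc + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def dem_encrypt(K, message, nonce=None):
    """Encrypt-then-MAC under the transported key K (16 bytes enc, 16 bytes mac)."""
    k_enc, k_mac = K[:16], K[16:]
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(message, _keystream(k_enc, nonce, len(message))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def dem_decrypt(K, nonce, ct, tag):
    """Verify the MAC first; return None on any mismatch, plaintext otherwise."""
    k_enc, k_mac = K[:16], K[16:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def hybrid_encrypt(pk, message):
    """Transport a fresh symmetric key with the KEM, then encrypt under it."""
    y, K = encapsulate(pk)
    nonce, ct, tag = dem_encrypt(K, message)
    return y, nonce, ct, tag


def hybrid_decrypt(sk, y, nonce, ct, tag):
    """Recover the symmetric key, then decrypt; None if either step rejects."""
    K = decapsulate(sk, y)
    if K is None:
        return None
    return dem_decrypt(K, nonce, ct, tag)


if __name__ == "__main__":
    sk, pk = keygen()
    y, nonce, ct, tag = hybrid_encrypt(pk, b"constructed sample message")
    print("recovered:", hybrid_decrypt(sk, y, nonce, ct, tag))
    flipped = bytes([ct[0] ^ 1]) + ct[1:]
    print("tampered ciphertext accepted?", hybrid_decrypt(sk, y, nonce, flipped, tag) is not None)
```

The split into `encapsulate`/`decapsulate` and `dem_encrypt`/`dem_decrypt` mirrors the two halves the abstract's security goal talks about: the asymmetric part only has to deliver the key, and the symmetric part has to stay secure under whatever key was delivered. The paper's result is precisely that a natural RO-model instance of the first half can fail that composition once its hash functions are instantiated, which no amount of testing like the checks above would reveal.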



Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Mihir Bellare, Alexandra Boldyreva, Adriana Palacio: Dept. of Computer Science & Engineering, University of California, San Diego, La Jolla, USA