A Public-Key Encryption Scheme with Pseudo-random Ciphertexts

  • Bodo Möller
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3193)


This work presents a practical public-key encryption scheme that offers security under adaptive chosen-ciphertext attack (CCA) and has pseudo-random ciphertexts, i.e. ciphertexts indistinguishable from random bit strings. Ciphertext pseudo-randomness has applications in steganography. The new scheme features short ciphertexts due to the use of elliptic curve cryptography, with ciphertext pseudo-randomness achieved through a new key encapsulation mechanism (KEM) based on elliptic curve Diffie-Hellman with a pair of elliptic curves where each curve is a twist of the other. The public-key encryption scheme resembles the hybrid DHIES construction; apart from using the new KEM, it differs from DHIES in that it uses an authenticate-then-encrypt (AtE) rather than an encrypt-then-authenticate (EtA) approach for symmetric cryptography.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Bodo Möller, University of California, Berkeley
