Chosen-Ciphertext Security for Any One-Way Cryptosystem

  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1751)


For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashing and a XOR. As application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).


Encryption Scheme Random Oracle Discrete Logarithm Random Oracle Model Security Notion 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem. IEEE P1363a Submission (September 1998), Available from
  2. 2.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proc. of the 1st CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption – How to Encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  6. 6.
    Bellare, M., Sahai, A.: Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999)Google Scholar
  7. 7.
    Cohen, J.D. (Benaloh): Improving Privacy in Cryptographic Elections. Technical Report TR-454, Yale University (February 1986)Google Scholar
  8. 8.
    Cohen, J.D. (Benaloh): Improving Privacy in Cryptographic Elections. PhD thesis, Yale University (September 1987); Also available as technical report TR-561 Google Scholar
  9. 9.
    Bleichenbacher, D.: A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)Google Scholar
  10. 10.
    Coppersmith, D., Halevi, S., Jutla, C.S.: ISO 9796 and the New Forgery Strategy. Working Draft presented at the Rump Session of Crypto 1999 (1999)Google Scholar
  11. 11.
    Coron, S., Naccache, D., Stern, J.P.: On the Security of RSA Padding. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 1–18. Springer, Heidelberg (1999)Google Scholar
  12. 12.
    Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  13. 13.
    Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Transactions on Information Theory IT–22(6), 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Dolev, D., Dwork, C., Naor, M.: Non-Malleable Cryptography. In: Proc. of the 23rd STOC. ACM Press, New York (1991)Google Scholar
  15. 15.
    El Gamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory IT–31(4), 469–472 (1985)Google Scholar
  16. 16.
    Fujisaki, E., Okamoto, T.: How to Enhance the Security of Public-Key Encryption at Minimum Cost. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 53–68. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)Google Scholar
  18. 18.
    Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System Sciences 28, 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    SET Secure Electronic Transaction LLC. SET Secure Electronic Transaction Specification Book 3: Formal Protocol Definition (May 1997), Available from
  20. 20.
    Maurer, U.M.: Diffie Hellman Oracles. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 268–282. Springer, Heidelberg (1996)Google Scholar
  21. 21.
    Naccache, D., Stern, J.: A New Cryptosystem based on Higher Residues. In: Proc. of the 5th CCS, pp. 59–66. ACM Press, New York (1998)Google Scholar
  22. 22.
    Naor, M., Yung, M.: Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In: Proc. of the 22nd STOC, pp. 427–437. ACM Press, New York (1990)Google Scholar
  23. 23.
    Ohta, K., Okamoto, T.: On Concrete Security Treatment of Signatures Derived from Identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998)Google Scholar
  24. 24.
    Okamoto, T., Uchiyama, S.: A New Public Key Cryptosystem as Secure as Factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  25. 25.
    Okamoto, T., Uchiyama, S., Fujisaki, E.: EPOC: Efficient Probabilistic Public-Key Encryption. Submission to IEEE P1363a (November 1998), Available from
  26. 26.
    Paillier, P.: A Trapdoor Permutation Equivalent to Factoring. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 219–222. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  27. 27.
    Paillier, P.: Public-Key Cryptosystems Based on Discrete Logarithms Residues. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  28. 28.
    Paillier, P., Pointcheval, D.: Efficient Public-Key Cryptosystems Provably Secure against Active Adversaries. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 165–179. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  29. 29.
    Pointcheval, D.: New Public Key Cryptosystems based on the Dependent-RSA Problems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 239–254. Springer, Heidelberg (1999)Google Scholar
  30. 30.
    Pointcheval, D.: HD–RSA: Hybrid Dependent RSA - a New Public Key Encryption Scheme. Submission to IEEE P1363a (October 1999), Available from
  31. 31.
    Pointcheval, D., Stern, J.: Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology (1999), Available from
  32. 32.
    Rackoff, C., Simon, D.R.: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  33. 33.
    Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  34. 34.
    RSA Data Security, Inc. Public Key Cryptography Standards – PKCS., Available from
  35. 35.
    Schnorr, C.P.: Efficient Signature Generation by Smart Cards. Journal of Cryptology 4(3), 161–174 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    Shoup, V.: Lower Bounds for Discrete Logarithms and Related Problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)Google Scholar
  37. 37.
    Shoup, V., Gennaro, R.: Securing Threshold Cryptosystems against Chosen Ciphertext Attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  38. 38.
    Tsiounis, Y., Yung, M.: On the Security of El Gamal based Encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 117. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • David Pointcheval
    • 1
  1. 1.Dépt d’InformatiqueENS – CNRSParis Cedex 05France

Personalised recommendations