Chosen Ciphertext Security with Optimal Ciphertext Overhead

  • Masayuki Abe
  • Eike Kiltz
  • Tatsuaki Okamoto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)

Abstract

Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security?

We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

References

  1. 1.
    Abe, M., Gennaro, R., Kurosawa, K.: Tag-KEM/DEM: A new framework for hybrid encryption. Journal of Cryptology 21(1), 97–130 (2008)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Abe, M., Kiltz, E., Okamoto, T.: Compact CCA-secure encryption for arbitrary messages (Unpublished Manuscript Available from the authors) (2007)Google Scholar
  3. 3.
    Abe, M., Kiltz, E., Okamoto, T.: Chosen ciphertext security with optimal overhead. IACR ePrint Archive 2008/374, September 2 (2008)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006); Full version available from IACR ePrint Archive 2004/331CrossRefGoogle Scholar
  6. 6.
    Bjørstad, B., Dent, A., Smart, N.: Efficient KEMs with partial message recovery. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 233–256. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACM Conference on Computer and Communications Security, pp. 320–329. ACM, New York (2005); Also available at IACR e-print 2005/288Google Scholar
  8. 8.
    Coron, J., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: A generic chosen-ciphertext secure encryption method. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Coron, J., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: Optimal chosen-ciphertext secure encryption of arbitrary-length messages. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 17–33. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Coron, J.S., Joye, M., Naccache, D., Paillier, P.: Universal padding schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Coron, J.S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2003)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Cui, Y., Kobara, K., Imai, H.: A generic conversion with optimal redundancy. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 104–117. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Dodis, Y., Freedman, M., Jarecki, S., Walfish, S.: Versatile padding schemes for joint signature and encryption. In: ACM CCS 2004. ACM Press, New York (2004)Google Scholar
  15. 15.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)MathSciNetCrossRefMATHGoogle Scholar
  17. 17.
    Jonsson, J.: An OAEP variant with a tight security proof. IACR e-print Archive 2002/034 (2002)Google Scholar
  18. 18.
    Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Kobara, K., Imai, H.: OAEP++: A very simple way to apply OAEP to deterministic OW-CPA primitives. IACR ePrint archive, 2002/130 (2002)Google Scholar
  20. 20.
    Komano, Y., Ohta, K.: Efficient universal padding schemes for multiplicative trapdoor one-way permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 366–382. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Okamoto, T., Pointcheval, D.: REACT: Rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Phan, D.H., Pointcheval, D.: Chosen-ciphertext security without redundancy. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Phan, D.H., Pointcheval, D.: OAEP 3-round: A generic and secure asymmetric encryption padding. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 63–78. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Ramzan, Z., Reyzin, L.: On the round security of symmetric-key cryptographic primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. 25.
    Shoup, V.: OAEP reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Masayuki Abe
    • 1
  • Eike Kiltz
    • 2
  • Tatsuaki Okamoto
    • 1
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationJapan
  2. 2.CWI AmsterdamThe Netherlands

Personalised recommendations