Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

  • Pascal Paillier
  • Jorge L. Villar
Conference paper

DOI: 10.1007/11935230_17

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)
Cite this paper as:
Paillier P., Villar J.L. (2006) Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption. In: Lai X., Chen K. (eds) Advances in Cryptology – ASIACRYPT 2006. ASIACRYPT 2006. Lecture Notes in Computer Science, vol 4284. Springer, Berlin, Heidelberg


We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have gone unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model whose CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n′≠n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in the Naor-Yung or Dolev-Dwork-Naor constructions.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Pascal Paillier (1)
  • Jorge L. Villar (2)
  1. Cryptography Group, Security Labs, Gemalto
  2. Departament de Matemàtica Aplicada, Universitat Politècnica de Catalunya