On the Selective Opening Security of Practical Public-Key Encryption Schemes

  • Felix HeuerEmail author
  • Tibor Jager
  • Eike Kiltz
  • Sven Schäge
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


We show that two well-known and widely employed public-key encryption schemes – RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) and Diffie-Hellman Integrated Encryption Standard (DHIES), the latter one instantiated with a one-time pad, – are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model. Both schemes are obtained via known generic transformations that transform relatively weak primitives (with security in the sense of one-wayness) to INDCCA secure encryption schemes. We prove that selective opening security comes for free in these two transformations. Both DHIES and RSA-OAEP are important building blocks in several standards for public key encryption and key exchange protocols. They are the first practical cryptosystems that meet the strong notion of simulation-based selective opening (SIM-SO-CCA) security.


Public key encryption Selective opening security OAEP DHIES SIM-SO-CCA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache [33], pp. 143–158Google Scholar
  2. 2.
    Backes, M., Dürmuth, M., Unruh, D.: OAEP is secure under key-dependent messages. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 506–523. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  3. 3.
    Beaver, D.: Plug and play encryption. In: Kaliski Jr., [29], pp. 75–89Google Scholar
  4. 4.
    Beaver, D., Haber, S.: Cryptographic protocols provably secure against dynamic adversaries. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 307–323. Springer, Heidelberg (1993) CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, Johansson [37], pp. 645–662Google Scholar
  6. 6.
    Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux [28], pp. 1–35Google Scholar
  7. 7.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, Fairfax (1993)Google Scholar
  8. 8.
    Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  9. 9.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  10. 10.
    Bellare, M., Waters, B., Yilek, S.: Identity-Based encryption secure against selective opening attack. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 235–252. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. 12.
    Boldyreva, A., Fischlin, M.: On the security of OAEP. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 210–225. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  13. 13.
    Brown, D.R.L.: What hashes make RSA-OAEP secure? Cryptology ePrint Archive, Report 2006/223 (2006).
  14. 14.
    Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski Jr. [29], pp. 90–104Google Scholar
  15. 15.
    Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: 28th ACM STOC, pp. 639–648. ACM Press, Philadephia (1996)Google Scholar
  16. 16.
    Canetti, R., Halevi, S., Katz, J.: Adaptively-Secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  17. 17.
    Clancy, T., Arbaugh, W.: Extensible Authentication Protocol (EAP) Password Authenticated Exchange. RFC 4746 (Informational) (November 2006)Google Scholar
  18. 18.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176 (August 2008)Google Scholar
  20. 20.
    Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  21. 21.
    Fujisaki, E.: All-but-many encryptions: A new framework for fully-equipped UC commitments. Cryptology ePrint Archive, Report 2012/379. (2012)
  22. 22.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  23. 23.
    Harris, B.: RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4432 (Proposed Standard) (March 2006)Google Scholar
  24. 24.
    Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  25. 25.
    Hofheinz, D.:. All-but-many lossy trapdoor functions. In: Pointcheval, Johansson [37], pp. 209–227Google Scholar
  26. 26.
    Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  27. 27.
    Housley, R.: Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS). RFC 3560 (Proposed Standard) (July 2003)Google Scholar
  28. 28.
    Joux, A. (ed.): EUROCRYPT 2009. LNCS, vol. 5479. Springer, Heidelberg (2009) zbMATHGoogle Scholar
  29. 29.
    Kaliski Jr., B.S. (ed.): CRYPTO 1997. LNCS, vol. 1294. Springer, Heidelberg (1997)Google Scholar
  30. 30.
    Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  31. 31.
    Kiltz, E., Pietrzak, K.: On the security of padding-based encryption schemes - or - why we cannot prove OAEP secure in the standard model. In: Joux [28], pp. 389–406Google Scholar
  32. 32.
    Lai, J., Deng, R.H., Liu, S., Weng, J., Zhao, Y.: Identity-Based encryption secure against selective opening chosen-ciphertext attack. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 77–92. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  33. 33.
    Naccache, D. (ed.): CT-RSA 2001. LNCS, vol. 2020. Springer, Heidelberg (2001) zbMATHGoogle Scholar
  34. 34.
    Nadeau, T., Srinivasan, C., Farrel, A.: Multiprotocol Label Switching (MPLS) Management Overview. RFC 4221 (Informational) (November 2005)Google Scholar
  35. 35.
    Okamoto, T., Pointcheval, D.: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. In: Naccache [33], pp. 159–175Google Scholar
  36. 36.
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press, Victoria (2008)Google Scholar
  37. 37.
    Pointcheval, D., Johansson, T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012) zbMATHGoogle Scholar
  38. 38.
    Raeburn, K.: Encryption and Checksum Specifications for Kerberos 5. RFC 3961 (Proposed Standard)(February 2005)Google Scholar
  39. 39.
    Ramsdell, B., Turner, S.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751 (Proposed Standard) (January 2010)Google Scholar
  40. 40.
    Rescorla, E.: Preventing the Million Message Attack on Cryptographic Message Syntax. RFC 3218 (Informational) (January 2002)Google Scholar
  41. 41.
    Shoup, V.: OAEP reconsidered. Journal of Cryptology 15(4), 223–249 (2002)Google Scholar
  42. 42.
    Shoup, V.: ISO 18033–2: An emerging standard for public-key encryption. Final Committee Draft (December 2004).
  43. 43.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs 13166 received (November 30, 2004). (last revised January 18, 2006)Google Scholar
  44. 44.
    Steinfeld, R., Baek, J., Zheng, Y.: On the necessity of strong assumptions for the security of a class of asymmetric encryption schemes. In: Batten, L.M., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 241–256. Springer, Heidelberg (2002) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Felix Heuer
    • 1
    Email author
  • Tibor Jager
    • 1
  • Eike Kiltz
    • 1
  • Sven Schäge
    • 1
  1. 1.Horst Görtz Institute for IT-SecurityRuhr University BochumBochumGermany

Personalised recommendations