Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack

SIAM Journal on Computing

Volumn 33, Issue 1, 2003, Pages 167-226

  Cramer, Ronald ^a   Shoup, Victor ^b  

^a AARHUS UNIVERSITY   (Denmark)

^b POLYTECHNIC UNIVERSITY   (United States)

Author keywords

Chosen ciphertext security; Cryptography; Decisional Diffie Hellman assumption; Public key encryption

Indexed keywords

ALGORITHMS; COMPUTATIONAL COMPLEXITY; COMPUTER CRIME; GAME THEORY; PROBABILITY DISTRIBUTIONS; SAMPLING; SECURITY OF DATA; SET THEORY; THEOREM PROVING;

CIPHERTEXT ATTACK; DECISIONAL DIFFIE-HELLMAN ASSUMPTIONS; INTRACTABILITY ASSUMPTIONS; PUBLIC KEY ENCRYPTION;

PUBLIC KEY CRYPTOGRAPHY;

EID: 1842616017     PISSN: 00975397     EISSN: None     Source Type: Journal    
DOI: 10.1137/S0097539702403773     Document Type: Article

References (62)

1. M. Abdalla. M. Bellare, and P. Rogaway, DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem, Cryptoloty ePrint Archive, Report 1999/007, http;//eprint.iacr.org (1999).
2. M. Abdalla, M. Bellare, and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES, in Topics in Cryptology - CT-RSA 2001, Lecture Notes in Comput. Sci. 2020, D. Naccache, ed., Springer-Verlag, Heidelberg, 2001, pp. 143-158.
3. N. Asokan, V. Shoup, and M. Waidner, Optimistic fair exchange of digital signatures, IEEE Journal of Selected Areas in Communications, 18 (2000), pp. 593-610.
4. E. Bach and J. Shallit, Algorithmic Number Theory, Vol. 1, MIT Press, Cambridge, MA, 1996.
5. P. Bateman and R. Horn, A heuristic asymptotic formula concerning the distribution of prime numbers, Math. Comp., 16 (1962), pp. 363-367.
6. P. Bateman and R. Horn, Primes represented by irreducible polynomials in one variable, in Theory of Numbers, Proc. Sympos. Pure Math. 8, A. L. Whiteman, ed., AMS, Providence, RI, 1965, pp. 119-132.
7. M. Bellare, A. Boldyreva, and S. Micali, Public-key encryption in a multi-user setting: Security proofs and improvements, in Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Comput. Sci. 1807, B. Preneel, ed., Springer-Verlag, Heidelberg, 2000, pp. 259-274.
8. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, Relations among notions of security for public-key encryption schemes, in Advances in Cryptology - Crypto '98, Lecture Notes in Comput. Sci. 1462, H. Krawczyk, ed., Springer-Verlag, Heidelberg, 1998, pp. 26-45.
9. M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in Proceedings of the First ACM Conference on Computer and Communications Security, Fairfax, VA, 1993, pp. 62-73.
10. M. Bellare and P. Rogaway, Optimal asymmetric encryption, in Advances in Cryptology - Eurocrypt '94, Lecture Notes in Comput. Sci. 950, A. De Santis, ed., Springer-Verlag, Heidelberg, 1994, pp. 92-111.
11. M. Bellare and P. Rogaway, Collision-resistant hashing: Towards making UOWHFs practical, in Advances in Cryptology - Crypto '97, Lecture Notes in Comput. Sci. 1294, B. S. Kaliski, Jr., ed., Springer-Verlag, Heidelberg, 1997, pp. 470-484.
12. I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, Cambridge University Press, Cambridge, UK, 1999.
13. D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology - Crypto '98, Lecture Notes in Comput. Sci. 1462, H. Krawczyk, ed., Springer-Verlag, Heidelberg, 1998, pp. 1-12.
14. D. Boneh, The decision Diffie-Hellman problem, in ANTS-III, Lecture Notes in Comput. Sci. 1423 J. P. Buhler, ed., Springer-Verlag, Berlin 1998 pp. 48-63.
15. D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology - Crypto 2001, Lecture Notes in Comput. Sci. 2139, J. Kilian, ed., Springer-Verlag, Heidelberg, 2001, pp. 275-291.
16. S. Brands, An Efficient Off-Line Electronic Cash System Based on the Representation Problem, CWI Technical report CS-R9323, Centre for Mathematics and Computer Science, Amsterdam, 1993.
17. E. F. Brickell, D. M. Gordon, K. S. McCurley, and D. B. Wilson, Fast exponentiation with precomputation, in Advances in Cryptology - Eurocrypt '92, Lecture Notes in Comput. Sci. 658 R. A. Rueppel, ed., Springer-Verlag, Heidelberg, 1993 pp. 200-207.
18. R. Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, Cryptology ePrint Archive, Report 2000/067, http:/eprint.iacr.org (2000).
19. R. Canetti, O. Goldreich, and S. Halevi, The random oracle methodology, revisited, in Proceedings of the 30th Annual ACM Symposium on Theory of Computing, Dallas, TX, 1998, pp. 209-218.
20. R. Canetti and S. Goldwasser, An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack, in Advances in Cryptology - Eurocrypt '99, Lecture Notes in Comput. Sci. 1592, J. Stern, ed., Springer-Verlag, Heidelberg, 1999, pp. 90-106.
21. T. Cormen, C. Leiserson, R. Rivest, and C. Stein, Introduction to Algorithms, 2nd ed., MIT Press, Cambridge, MA, 2002.
22. R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Advances in Cryptology - Crypto '98, Lecture Notes in Comput. Sci. 1462, H. Krawczyk, ed., Springer-Verlag, Heidelberg, 1998, pp. 13-25.
23. R. Cramer and V. Shoup, Signature schemes based on the strong RSA assumption, ACM Transactions on Information and Systems Security, 3 (2000), pp. 161-185.
24. R. Cramer and V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public key encryption, in Advances in Cryptology - Eurocrypt 2002, L. R. Knudsen, ed., Springer-Verlag, Heidelberg, 2002, pp. 45-64.
25. I. Damgård, Towards practical public key cryptosystems secure against chosen ciphertext attacks, in Advances in Cryptology - Crypto '91, Lecture Notes in Comput. Sci. 576, J. Feigenbaum, ed., Springer-Verlag, Heidelberg, 1992, pp. 445-456.
26. W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Information Theory, 22 (1976), pp. 644-654.
27. D. Dolev, C. Dwork, and M. Naor, Non-malleable cryptography, in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, New Orleans, LA, 1991, pp. 542-552.
28. D. Dolev, C. Dwork, and M. Naor, Nonmalleable cryptography, SIAM J. Comput., 30 (2000), pp. 391-437.
29. C. Dwork and M. Naor, Method for Message Authentication from Non-malleable Cryptosystems, U.S. Patent No. 05539826, 1996.
30. T. ElGamal, A public key cryptosystem and signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, 31 (1985), pp. 469-472.
31. Y. Frankel and M. Yung, Cryptanalysis of immunized LL public key systems, in Advances in Cryptology - Crypto '95, Lecture Notes in Comput. Sci. 963, D. Coppersmith, ed., Springer-Verlag, Heidelberg, 1995, pp. 287-296.
32. E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern, RSA-OAEP is secure under the RSA assumption, in Advances in Cryptology - Crypto 2001, Lecture Notes in Comput. Sci. 2139, J. Kilian, ed., Springer-Verlag, Heidelberg, 2001, pp. 260-274.
33. O. Goldreich and L. A. Levin, A hard-core predicate for all one-way functions, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, WA, 1989, pp. 25-32.
34. S. Goldwasser and S. Micali, Probabilistic encryption, J. Comput. System Sci., 28 (1984), pp. 270-299.
35. J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, A pseudorandom generator from any one-way function, SIAM J. Comput., 28 (1999), pp. 1364-1396.
36. R. Impagliazzo, L. Levin, and M. Luby, Pseudo-random number generation from any one-way function, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, WA, 1989, pp. 12-24.
37. R. Impagliazzo and D. Zuckermann, How to recycle random bits, in Proceedings of the 30th Annual Symposium on Foundations of Computer Science, Research Triangle Park, NC, 1989, pp. 248-253.
38. A. Joux and K. Nguyen, Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups, Cryptology ePrint Archive, Report 2001/003, http://eprint.iacr.org (2001).
39. C. H. Lim and P. J. Lee, Another method for attaining security against adaptively chosen ciphertext attacks, in Advances in Cryptology - Crypto '93, Lecture Notes in Comput. Sci. 773, D. R. Stinson, ed., Springer-Verlag, Heidelberg, 1994, pp. 420-434.
40. C. H. Lim and P. J. Lee, More flexible exponentiation with precomputation, in Advances in Cryptology - Crypto '94, Lecture Notes in Comput. Sci. 839, Y. G. Desmedt, ed., Springer-Verlag, Heidelberg, 1994, pp. 95-107.
41. J. Manger, A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized in PKCS # 1 v2.0, in Advances in Cryptology - Crypto 2001, Lecture Notes in Comput. Sci. 2139, J. Kilian, ed., Springer-Verlag, Heidelberg, 2001, pp. 230-238.
42. U. Maurer and S. Wolf, Diffie-Hellman, decision Diffie-Hellman, and discrete logarithms, in Proceedings of the IEEE International Symposium on Information Theory (ISIT '98), Cambridge, MA, 1998, p. 327.
43. U. Maurer and S. Wolf, The Diffie-Hellman protocol, Des. Codes Cryptogr., 19 (2000), pp. 147-171.
44. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997.
45. M. Naor and O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, in Proceedings of the 38th Annual Symposium on Foundations of Computer Science, Miami Beach, FL, 1997, pp. 458-467.
46. M. Naor and M. Yung, Universal one-way hash functions and their cryptographic applications, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, WA, 1989, pp. 33-43.
47. M. Naor and M. Yung, Public-key cryptosystems probably secure against chosen ciphertext attacks, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, MD, 1990, pp. 427-437.
48. T. Okamoto and D. Pointcheval, The gap-problems: A new class of problems for the security of cryptographic schemes, in Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001), Cheju Island, Korea, 2001.
49. P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in Advances in Cryptology - Eurocrypt '99, Lecture Notes in Comput. Sci. 1592, J. Stern, ed., Springer-Verlag, Heidelberg, 1999, pp. 223-238.
50. C. Rackoff and D. Simon, Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology - Crypto '91, Lecture Notes in Comput. Sci. 576, J. Feigenbaum, ed., Springer-Verlag, Heidelberg, 1992, pp. 433-444.
51. J. Rompel, One-way functions are necessary and sufficient for digital signatures, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, MD, 1990, pp. 387-394.
52. Secure Hash Standard, FIPS Publication 180-1, National Institute of Standards and Technology (NIST), Gaithersburg, MD, 1995.
53. V. Shoup, Lower bounds for discrete logarithms and related problems, in Advances in Cryptology - Eurocrypt '97, Lecture Notes in Comput. Sci. 1233, W. Fumy, ed., Springer-Verlag, Heidelberg, 1997, pp. 256-266.
54. V. Shoup, On Formal Models for Secure Key Exchange, Cryptology ePrint Archive, Report 1999/012, http://eprint.iacr.org (1999).
55. V. Shoup, A composition theorem for universal one-way hash functions, in Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Comput. Sci. 1807, B. Predneel, ed., Springer-Verlag, Heidelberg, 2000, pp. 445-452.
56. V. Shoup, Using hash functions as a hedge against chosen ciphertext attack, in Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Comput. Sci. 1807, B. Preneel, ed., Springer-Verlag, Heidelberg, 2000, pp. 275-288.
57. V. Shoup, OAEP reconsidered, in Advances in Cryptology - Crypto 2001, Lecture Notes in Comput. Sci. 2139, J. Kilian, ed., Springer-Verlag, Heidelberg, 2001, pp. 239-259.
58. V. Shoup and R. Gennaro, Securing threshold cryptosystems against chosen ciphertext attack, J. Cryptology, 5 (2002), pp. 75-96.
59. D. Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?, in Advances in Cryptology - Eurocrypt '98, Lecture Notes in Comput. Sci. 1403, G. Goos and K. Nyberg, eds., Springer-Verlag, Heidelberg, 1998, pp. 334-345.
60. N. Smart, The discrete logarithm problem on elliptic curves of trace one, J. Cryptology, 12 (1999), pp. 193-196.
61. M. Stadler, Publicly verifiable secrete sharing, in Advances in Cryptology - Eurocrypt '96, Lecture Notes in Comput. Sci. 1070, U. Maurer, ed., Springer-Verlag, Heidelberg, 1996, pp. 190-199.
62. Y. Zheng and J. Seberry, Practical approaches to attaining security against adaptively chosen ciphertext attacks, in Advances in Cryptology - Crypto '92, Lecture Notes in Comput. Sci. 740, E. F. Brickell, ed., Springer-Verlag, Heidelberg, 1993, pp. 292-304.