Chosen Ciphertext Security with Optimal Ciphertext Overhead

Authors:
Masayuki Abe;Eike Kiltz;Tatsuaki Okamoto
Affiliations:
NTT Information Sharing Platform Laboratories, NTT Corporation, Japan;CWI Amsterdam, The Netherlands;NTT Information Sharing Platform Laboratories, NTT Corporation, Japan
Venue:
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Year:
2008

Citing 16
Cited 11

REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
GEM: A Generic Chosen-Ciphertext Secure Encryption Method

CT-RSA '02 Proceedings of the The Cryptographer's Track at the RSA Conference on Topics in Cryptology
On the Round Security of Symmetric-Key Cryptographic Primitives

CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
OAEP Reconsidered

CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption

CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Universal Padding Schemes for RSA

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages

PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack

SIAM Journal on Computing
Versatile padding schemes for joint signature and encryption

Proceedings of the 11th ACM conference on Computer and communications security
Direct chosen ciphertext security from identity-based techniques

Proceedings of the 12th ACM conference on Computer and communications security
Tag-KEM/DEM: A New Framework for Hybrid Encryption

Journal of Cryptology
The Random Oracle Model and the Ideal Cipher Model Are Equivalent

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Chosen Ciphertext Security with Optimal Ciphertext Overhead

ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Efficient KEMs with partial message recovery

Cryptography and Coding'07 Proceedings of the 11th IMA international conference on Cryptography and coding
A generic conversion with optimal redundancy

CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Chosen-Ciphertext security from tag-based encryption

TCC'06 Proceedings of the Third conference on Theory of Cryptography

Chosen Ciphertext Security with Optimal Ciphertext Overhead

ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Compact CCA-Secure Encryption for Messages of Arbitrary Length

Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
On the Security of Padding-Based Encryption Schemes --- or --- Why We Cannot Prove OAEP Secure in the Standard Model

EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Strengthening Security of RSA-OAEP

CT-RSA '09 Proceedings of the The Cryptographers' Track at the RSA Conference 2009 on Topics in Cryptology
How to strengthen the security of RSA-OAEP

IEEE Transactions on Information Theory
Chameleon all-but-one TDFs and their application to chosen-ciphertext security

PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
Security of practical cryptosystems using Merkle-Damgård hash function in the ideal cipher model

ProvSec'11 Proceedings of the 5th international conference on Provable security
Plaintext-Awareness of hybrid encryption

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Verified security of redundancy-free encryption from Rabin and RSA

Proceedings of the 2012 ACM conference on Computer and communications security
Publicly verifiable ciphertexts

SCN'12 Proceedings of the 8th international conference on Security and Cryptography for Networks
Publicly verifiable ciphertexts

Journal of Computer Security - Advances in Security for Communication Networks

Quantified Score

Hi-index	0.06

Visualization

Abstract

Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead . While a generic brute-force adversary running in 2 t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t -bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.