REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
GEM: A Generic Chosen-Ciphertext Secure Encryption Method
CT-RSA '02 Proceedings of the The Cryptographer's Track at the RSA Conference on Topics in Cryptology
On the Round Security of Symmetric-Key Cryptographic Primitives
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Universal Padding Schemes for RSA
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Versatile padding schemes for joint signature and encryption
Proceedings of the 11th ACM conference on Computer and communications security
Direct chosen ciphertext security from identity-based techniques
Proceedings of the 12th ACM conference on Computer and communications security
Tag-KEM/DEM: A New Framework for Hybrid Encryption
Journal of Cryptology
The Random Oracle Model and the Ideal Cipher Model Are Equivalent
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Chosen Ciphertext Security with Optimal Ciphertext Overhead
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Efficient KEMs with partial message recovery
Cryptography and Coding'07 Proceedings of the 11th IMA international conference on Cryptography and coding
A generic conversion with optimal redundancy
CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Chosen-Ciphertext security from tag-based encryption
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Chosen Ciphertext Security with Optimal Ciphertext Overhead
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Compact CCA-Secure Encryption for Messages of Arbitrary Length
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Strengthening Security of RSA-OAEP
CT-RSA '09 Proceedings of the The Cryptographers' Track at the RSA Conference 2009 on Topics in Cryptology
How to strengthen the security of RSA-OAEP
IEEE Transactions on Information Theory
Chameleon all-but-one TDFs and their application to chosen-ciphertext security
PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
Security of practical cryptosystems using Merkle-Damgård hash function in the ideal cipher model
ProvSec'11 Proceedings of the 5th international conference on Provable security
Plaintext-Awareness of hybrid encryption
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Verified security of redundancy-free encryption from Rabin and RSA
Proceedings of the 2012 ACM conference on Computer and communications security
Publicly verifiable ciphertexts
SCN'12 Proceedings of the 8th international conference on Security and Cryptography for Networks
Publicly verifiable ciphertexts
Journal of Computer Security - Advances in Security for Communication Networks
Hi-index | 0.06 |
Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead . While a generic brute-force adversary running in 2 t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t -bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.