Fujisaki–Okamoto hybrid encryption revisited

At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security techniques initiated by Shoup in [25] insofar as we find some ambiguities in the proof of this generic conversion, which can lead to false claims. Consequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of easily verifiable primitive is formalized, showing its connection with the gap problems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the easily verifiable primitives. For the remaining primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.

[1]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[2]  David Pointcheval,et al.  Chosen-Ciphertext Security for Any One-Way Cryptosystem , 2000, Public Key Cryptography.

[3]  Moti Yung,et al.  On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC , 2001, CT-RSA.

[4]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[5]  Tatsuaki Okamoto,et al.  A Chosen-Cipher Secure Encryption Scheme Tightly as Secure as Factoring , 2001 .

[6]  Jean-Sébastien Coron,et al.  Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages , 2002, Public Key Cryptography.

[7]  David Pointcheval,et al.  REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform , 2001, CT-RSA.

[8]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[9]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[10]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[11]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[12]  Alfred Menezes,et al.  Elliptic curve public key cryptosystems , 1993, The Kluwer international series in engineering and computer science.

[13]  Rosario Gennaro,et al.  Paillier's cryptosystem revisited , 2001, CCS '01.

[14]  Tatsuaki Okamoto,et al.  A New Public-Key Cryptosystem as Secure as Factoring , 1998, EUROCRYPT.

[15]  Mihir Bellare,et al.  An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[16]  Jacques Stern,et al.  Why Provable Security Matters? , 2003, EUROCRYPT.

[17]  A. W. Dent Implementation attack against EPOC-2 public-key cryptosystem , 2002 .

[18]  Junji Shikata,et al.  Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks , 2003, Public Key Cryptography.

[19]  Victor Shoup,et al.  OAEP Reconsidered , 2001, CRYPTO.

[20]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[21]  Jean-Sébastien Coron,et al.  GEM: A Generic Chosen-Ciphertext Secure Encryption Method , 2002, CT-RSA.

[22]  Tsuyoshi Takagi,et al.  A Reject Timing Attackon an IND-CCA2 Public-Key Cryptosystem , 2002, ICISC.

[23]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[24]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[25]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.