Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model which CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n′≠n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in Naor-Yung or Dolev-Dwork-Naor constructions.

[1]  Tal Malkin,et al.  Generalized Environmental Security from Number Theoretic Assumptions , 2006, TCC.

[2]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[3]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[4]  Hugh C. Williams,et al.  A modification of the RSA public-key encryption procedure (Corresp.) , 1980, IEEE Trans. Inf. Theory.

[5]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[6]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[7]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[8]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[9]  Dan Boneh,et al.  Simplified OAEP for the RSA and Rabin Functions , 2001, CRYPTO.

[10]  Oded Goldreich,et al.  RSA/Rabin Least Significant Bits are 1/2 + 1/(poly(log N)) Secure , 1985, CRYPTO.

[11]  N. Demytko,et al.  A New Elliptic Curve Based Analogue of RSA , 1994, EUROCRYPT.

[12]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[13]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[14]  Tatsuaki Okamoto,et al.  EPOC: Efficient Probabilistic Public-Key Encryption (Submission to P1363a) , 1998 .

[15]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[16]  David Pointcheval,et al.  REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform , 2001, CT-RSA.

[17]  Daniel R. L. Brown Unprovable Security of RSA-OAEP in the Standard Model , 2006 .

[18]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[19]  David Jao,et al.  Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log? , 2004, ASIACRYPT.

[20]  A. Bosselaers PKCS # 1 : RSA Encryption Standard , 1991 .

[21]  Tatsuaki Okamoto,et al.  New Public-Key Schemes Based on Elliptic Curves over the Ring Zn , 1991, CRYPTO.

[22]  Manuel Blum,et al.  An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information , 1985, CRYPTO.

[23]  Oded Goldreich,et al.  RSA/Rabin least significant bits are \( \tfrac{1} {2} + \tfrac{1} {{poly \left( {\log N} \right)}} \) secure (Extended Abstract) , 1984 .