A New and Improved Paradigm for Hybrid Encryption Secure Against Chosen-Ciphertext Attack

We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of a random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM).

Our scheme is a modification of the hybrid scheme presented by Shoup (EUROCRYPT'97, Springer LNCS, vol. 1233, pp. 256–266, 1997), which is based on the Cramer–Shoup scheme (CRYPTO'98, Springer LNCS, vol. 1462, pp. 13–25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts.

This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie–Hellman (DDH) Assumption.

Finally, we generalize our new scheme in two ways: (i) we show that security also holds if we use projective hash families (as in the original Cramer–Shoup scheme), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie–Hellman (CDH) Assumption.
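The KEM/DEM structure described above, written out as an added example (Python, not the paper's own code): the Cramer–Shoup key pair (c, d) is kept, the KEM ciphertext is only (u1, u2), the shared value v = c^r d^(r·alpha) is fed to a KDF, and the DEM is a one-time pad plus HMAC. The toy group (p = 2039, q = 1019), the SHA-256 target-collision-resistant hash and the SHAKE-256 KDF are assumptions chosen for illustration; note that decryption performs no validity check on (u1, u2), so the KEM alone is not CCA2-secure and it is the DEM's MAC that rejects malformed ciphertexts.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1 and two generators of the
# order-Q subgroup (quadratic residues). Far too small for any real use.
P = 2039
Q = 1019
G1 = 4   # 2^2 mod P
G2 = 9   # 3^2 mod P

def keygen():
    # Cramer-Shoup style key pair; the element h = g1^z of Cramer-Shoup is not needed
    x1, x2, y1, y2 = (secrets.randbelow(Q) for _ in range(4))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d), (x1, x2, y1, y2)

def tcr_hash(u1, u2):
    # target-collision-resistant hash of the KEM part, reduced into Z_Q (assumed instantiation)
    data = u1.to_bytes(2, "big") + u2.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def kdf(v, n):
    # derive n keystream bytes for the one-time pad and a 32-byte MAC key from v
    out = hashlib.shake_256(v.to_bytes(2, "big")).digest(n + 32)
    return out[:n], out[n:]

def encrypt(pk, m):
    c, d = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    alpha = tcr_hash(u1, u2)
    # KEM: v = c^r * d^(r*alpha); no separate h^r, which is the saved exponentiation
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    stream, mac_key = kdf(v, len(m))
    e = bytes(a ^ b for a, b in zip(m, stream))          # DEM: one-time pad
    tag = hmac.new(mac_key, e, "sha256").digest()          # DEM: encrypt-then-MAC
    return u1, u2, e, tag

def decrypt(sk, ct):
    x1, x2, y1, y2 = sk
    u1, u2, e, tag = ct
    alpha = tcr_hash(u1, u2)
    # decapsulate without any check on (u1, u2): equals c^r d^(r*alpha) for honest ciphertexts
    v = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    stream, mac_key = kdf(v, len(e))
    if not hmac.compare_digest(tag, hmac.new(mac_key, e, "sha256").digest()):
        return None   # the DEM's MAC is what rejects tampered or malformed ciphertexts
    return bytes(a ^ b for a, b in zip(e, stream))
```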

[1] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. CRYPTO, 1991.

[2] Victor Shoup et al. Using Hash Functions as a Hedge against Chosen Ciphertext Attack. EUROCRYPT, 2000.

[3] Ronald Cramer et al. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO, 1998.

[4] Ronald Cramer et al. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. EUROCRYPT, 2001.

[5] John Rompel et al. One-way functions are necessary and sufficient for secure signatures. STOC '90, 1990.

[6] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT, 1997.

[7] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.

[8] Ran Canetti et al. The random oracle methodology, revisited. JACM, 2000.

[9] Javier Herranz et al. The Kurosawa-Desmedt Key Encapsulation is not Chosen-Ciphertext Secure. IACR Cryptology ePrint Archive, 2006.

[10] Kaoru Kurosawa et al. Tag-KEM/DEM: A New Framework for Hybrid Encryption. Journal of Cryptology, 2008.

[11] Moni Naor et al. Universal one-way hash functions and their cryptographic applications. STOC '89, 1989.

[12] Moni Naor et al. Non-malleable cryptography. STOC '91, 1991.

[13] Whitfield Diffie et al. New Directions in Cryptography. IEEE Trans. Inf. Theory, 1976.

[14] Ronald Cramer et al. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput., 2003.

[15] Moni Naor et al. Public-key cryptosystems provably secure against chosen ciphertext attacks. STOC '90, 1990.

[16] Eike Kiltz et al. Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO, 2007.

[17] Rosario Gennaro et al. A Note on An Encryption Scheme of Kurosawa and Desmedt. IACR Cryptology ePrint Archive, 2004.

[18] Yvo Desmedt et al. A New Paradigm of Hybrid Encryption Scheme. CRYPTO, 2004.