Chosen-Ciphertext Secure RSA-Type Cryptosystems

This paper explains how to design fully secure RSA-type cryptosystems from schemes that are only secure against passive attacks, in the standard model. We rely on instance-independence assumptions, which, roughly speaking, conjecture that for certain problems, interactive access to a solver for another problem does not help the challenger. Previously, instance-independence assumptions were used in a "negative" way, to prove that certain schemes proven secure in the random oracle model were not provable in the standard model. Our paradigm applies to virtually all (weakly secure) RSA-type encryption schemes for which the public-key RSA exponent can be arbitrarily chosen. As an illustration, we present a chosen-ciphertext secure variant of the Naccache-Stern encryption scheme.
