Fujisaki-Okamoto IND-CCA hybrid encryption revisited

At Crypto'99, Fujisaki and Okamoto [10] presented a generic transformation that turns weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. Two candidates for standardization were derived from this transformation: EPOC-2 [9] and PSEC2 [16], based on the Okamoto-Uchiyama and El Gamal primitives, respectively. Since then, several cryptanalyses of EPOC have been published: one in the chosen-ciphertext attack game, and others exploiting a poor implementation that is vulnerable to reject timing attacks. The aim of this work is to prevent these attacks at the level of the generic transformation, by identifying the properties an asymmetric scheme must satisfy to yield a secure hybrid scheme. To achieve this, some ambiguities in the proof of the generic transformation [10] are described which can lead to false claims. As a result, the original conversion is modified and the range of asymmetric primitives that can be used is narrowed. Second, the concept of Easy Verifiable Primitive is formalized, showing its connection with the Gap problems. Using these ideas, a new security proof for the modified transformation is given. The good news is that the reduction is tight, improving the concrete security claimed in the original work for Easy Verifiable Primitives. For the remaining primitives the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.
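The abstract names the Fujisaki-Okamoto construction and the reject timing attacks on implementations of it without spelling either out. The following is an added example, not code from the paper or from EPOC/PSEC: it instantiates the Crypto'99 conversion in its standard form, c = (E^asym_pk(σ; H(σ, m)), E^sym_G(σ)(m)), where decryption recovers σ, recomputes m, re-encrypts with the coins H(σ, m) and rejects on mismatch. It assumes a demo-sized El Gamal group (p = 2^31 - 1, generator 7, far too small for real use), SHA-256 and SHAKE-256 standing in for the random oracles H and G, and a one-time pad as the weak symmetric scheme; none of these choices come from the page. The defensive point it shows is that `decrypt` performs every step unconditionally and has a single, late rejection decision, so malformed, out-of-range and forged ciphertexts all take the same path rather than failing early at different stages, which is the implementation pattern a reject timing attack relies on.

```python
"""Toy Fujisaki-Okamoto (Crypto'99) hybrid encryption over El Gamal.

Added example, not the paper's code. Assumptions: toy group Z_p^* with
p = 2^31 - 1 and primitive root 7 (demo size, not secure), SHA-256 and
SHAKE-256 as the random oracles H and G, one-time pad as the symmetric scheme.
"""
import hashlib
import hmac
import os

P = 2**31 - 1          # Mersenne prime M31 (toy modulus)
GEN = 7                # primitive root modulo M31
ELEM_BYTES = 4         # fixed-width encoding of group elements for hashing


def keygen(rng=os.urandom):
    """Return (pk, sk) = (y = g^x, x) for the toy El Gamal primitive."""
    x = int.from_bytes(rng(8), "big") % (P - 2) + 1      # secret exponent in [1, p-2]
    return pow(GEN, x, P), x


def oracle_h(sigma: int, m: bytes) -> int:
    """H(sigma, m): the coins fed to the asymmetric scheme, an exponent in [0, p-2]."""
    d = hashlib.sha256(b"FO-H" + sigma.to_bytes(ELEM_BYTES, "big") + m).digest()
    return int.from_bytes(d, "big") % (P - 1)


def oracle_g(sigma: int, n: int) -> bytes:
    """G(sigma): n bytes of symmetric key material (one-time pad stream)."""
    return hashlib.shake_256(b"FO-G" + sigma.to_bytes(ELEM_BYTES, "big")).digest(n)


def asym_encrypt(y: int, sigma: int, r: int):
    """E^asym_pk(sigma; r): plain El Gamal with caller-supplied coins r."""
    return pow(GEN, r, P), sigma * pow(y, r, P) % P


def encrypt(y: int, m: bytes, rng=os.urandom):
    """FO hybrid encryption: (E^asym(sigma; H(sigma, m)), m XOR G(sigma))."""
    sigma = int.from_bytes(rng(8), "big") % (P - 1) + 1   # fresh sigma in [1, p-1]
    c1, c2 = asym_encrypt(y, sigma, oracle_h(sigma, m))   # coins derived from (sigma, m)
    c3 = bytes(a ^ b for a, b in zip(m, oracle_g(sigma, len(m))))
    return c1, c2, c3


def _encode(c1: int, c2: int) -> bytes:
    """Canonical fixed-width encoding of the asymmetric part, for comparison."""
    return c1.to_bytes(ELEM_BYTES, "big") + c2.to_bytes(ELEM_BYTES, "big")


def decrypt(x: int, ct):
    """FO decryption with one rejection point at the very end.

    The range check, asymmetric decryption, symmetric decryption and
    re-encryption all run regardless of whether the input is well formed;
    only the final combined comparison decides acceptance, so a bad
    ciphertext is not distinguishable by which stage rejected it.
    """
    c1, c2, c3 = ct
    in_range = 1 <= c1 < P and 1 <= c2 < P       # recorded, never branched on early
    c1r, c2r = c1 % P, c2 % P                     # keep the arithmetic well defined
    s = pow(c1r, x, P)
    sigma = c2r * pow(s, P - 2, P) % P            # sigma = c2 / c1^x (0 if c1 is 0 mod p)
    m = bytes(a ^ b for a, b in zip(c3, oracle_g(sigma, len(c3))))
    c1p, c2p = asym_encrypt(pow(GEN, x, P), sigma, oracle_h(sigma, m))
    same = hmac.compare_digest(_encode(c1r, c2r), _encode(c1p, c2p))
    return m if (same and in_range) else None
```

In use, `encrypt(pk, m)` returns the triple `(c1, c2, c3)` and `decrypt(sk, ct)` returns the plaintext or `None`. Flipping a bit of `c3`, replacing `c1`, sending a zero element, or sending a non-canonical `c1 + p` all yield the same `None` after the same sequence of operations; in a production implementation the constant-time discipline would have to extend to the group arithmetic itself, which Python's big integers do not provide.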

[1] David Pointcheval et al. Chosen-Ciphertext Security for Any One-Way Cryptosystem. Public Key Cryptography, 2000.

[2] Jean-Sébastien Coron et al. GEM: A Generic Chosen-Ciphertext Secure Encryption Method. CT-RSA, 2002.

[3] Moti Yung et al. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. CT-RSA, 2001.

[4] Tsuyoshi Takagi et al. A Reject Timing Attack on an IND-CCA2 Public-Key Cryptosystem. 2003.

[5] Ran Canetti et al. The Random Oracle Methodology, Revisited. JACM, 2000.

[6] G. G. Stokes. "J." The New Yale Book of Quotations, 1890.

[7] A. W. Dent. Implementation Attack against EPOC-2 Public-Key Cryptosystem. 2002.

[8] Junji Shikata et al. Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks. Public Key Cryptography, 2003.

[9] Rosario Gennaro et al. Paillier's Cryptosystem Revisited. CCS '01, 2001.

[10] Ronald Cramer et al. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. EUROCRYPT, 2001.

[11] Tatsuaki Okamoto et al. A Chosen-Cipher Secure Encryption Scheme Tightly as Secure as Factoring. 2001.

[12] Jean-Sébastien Coron et al. Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages. Public Key Cryptography, 2002.

[13] David Pointcheval et al. The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes. Public Key Cryptography, 2001.

[14] Mihir Bellare et al. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. CCS '93, 1993.

[15] David Pointcheval et al. REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform. CT-RSA, 2001.

[16] Tsuyoshi Takagi et al. A Reject Timing Attack on an IND-CCA2 Public-Key Cryptosystem. ICISC, 2002.

[17] Tatsuaki Okamoto et al. A New Public-Key Cryptosystem as Secure as Factoring. EUROCRYPT, 1998.

[18] Mihir Bellare et al. Relations among Notions of Security for Public-Key Encryption Schemes. IACR Cryptology ePrint Archive, 1998.