A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack

Yvo Desmedt; Rosario Gennaro; Kaoru Kurosawa; Victor Shoup

doi:10.1007/s00145-009-9051-4

A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack

Yvo Desmedt, Rosario Gennaro, Kaoru Kurosawa, Victor Shoup

Computer Science

Research output: Contribution to journal › Article

Abstract

We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Euro-Crypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer-Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.

Original language	English (US)
Pages (from-to)	91-120
Number of pages	30
Journal	Journal of Cryptology
Volume	23
Issue number	1
DOIs	https://doi.org/10.1007/s00145-009-9051-4
State	Published - Jan 2010

Keywords

Chosen ciphertext security
Projective hash proofs
Public key encryption

ASJC Scopus subject areas

Software
Computer Science Applications
Applied Mathematics

Access to Document

10.1007/s00145-009-9051-4

Fingerprint Dive into the research topics of 'A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack'. Together they form a unique fingerprint.

Cite this

Desmedt, Y., Gennaro, R., Kurosawa, K., & Shoup, V. (2010). A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack. Journal of Cryptology, 23(1), 91-120. https://doi.org/10.1007/s00145-009-9051-4

@article{b6a69844ead542adb3bcdc51db4a9893,

title = "A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack",

abstract = "We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Euro-Crypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer-Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.",

keywords = "Chosen ciphertext security, Projective hash proofs, Public key encryption",

author = "Yvo Desmedt and Rosario Gennaro and Kaoru Kurosawa and Victor Shoup",

year = "2010",

month = jan,

doi = "10.1007/s00145-009-9051-4",

language = "English (US)",

volume = "23",

pages = "91--120",

journal = "Journal of Cryptology",

issn = "0933-2790",

publisher = "Springer New York",

number = "1",

}

TY - JOUR

T1 - A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack

AU - Desmedt, Yvo

AU - Gennaro, Rosario

AU - Kurosawa, Kaoru

AU - Shoup, Victor

PY - 2010/1

Y1 - 2010/1

N2 - We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Euro-Crypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer-Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.

AB - We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Euro-Crypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer-Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.

KW - Chosen ciphertext security

KW - Projective hash proofs

KW - Public key encryption

UR - http://www.scopus.com/inward/record.url?scp=74349093152&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=74349093152&partnerID=8YFLogxK

U2 - 10.1007/s00145-009-9051-4

DO - 10.1007/s00145-009-9051-4

M3 - Article

AN - SCOPUS:74349093152

VL - 23

SP - 91

EP - 120

JO - Journal of Cryptology

JF - Journal of Cryptology

SN - 0933-2790

IS - 1

ER -