## Efficient Public-Key Cryptosystems Provably Secure against Active Adversaries (1999)


Venue: Proc. of Asiacrypt'99, Lecture Notes in Computer Science

Citations: 15 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Paillier99efficientpublic-key,
  author    = {Pascal Paillier and David Pointcheval},
  title     = {Efficient Public-Key Cryptosystems Provably Secure against Active Adversaries},
  booktitle = {Proc. of Asiacrypt'99, Lecture Notes in Computer Science},
  year      = {1999},
  pages     = {165--179},
  publisher = {Springer Verlag}
}
```


### Abstract

This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired by a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (IND-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from the Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.

### Citations

3231 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Rivest, Shamir, et al. - 1978
Citation Context: ... has to verify is the one-wayness of its encryption function, but this notion does not suffice to evaluate (and get people convinced of) the strength of an encryption scheme. A typical example is RSA [18] which, although very popular and widely used in many cryptographic applications, suffers from being malleable and consequently requires an additional treatment (some probabilistic padding) on the pla...

3006 | New Directions in Cryptography - Diffie, Hellman - 1976
Citation Context: ...kamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP. 1 Introduction Diffie and Hellman's famous paper [7] initiated the paradigm of asymmetric cryptography in the late seventies but since then, very few trapdoor mechanisms were found that fulfill satisfactory security properties. Of course, the first security...

1443 | Random oracles are practical: a paradigm for designing efficient protocols - Bellare, P - 1993
Citation Context: ...awareness, where the adversary attempts to produce a valid ciphertext without knowing the corresponding plaintext. This additional security notion was only properly defined in the random oracle model [2]. 1.2 The Random Oracle Model The random oracle model was proposed by Bellare and Rogaway [2] to provide heuristic (yet satisfactorily convincing) proofs of security. In this model, hash functions are...

1255 | Probabilistic encryption - Goldwasser, Micali - 1984

486 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack - Cramer, Shoup - 1998
Citation Context: ...ition to a non-standard one. Independently, Shoup and Gennaro [20] proposed another converted scheme NM-CCA2 in the random oracle model under the D-DH assumption only. The same year, Cramer and Shoup [6] also presented an El Gamal-based cryptosystem, the first to be simultaneously practical and provably NM-CCA2 secure in the standard model, provided that the D-DH assumption holds. Several authors have...

475 | Relations among Notions of Security for Public-Key Encryption Schemes - Bellare, Desai, et al. - 1998
Citation Context: ...cle model. We make use of specific techniques that differ from those of [3] and [10]. We begin by briefly surveying known notions of security for public-key encryption schemes, referring the reader to [1] for their formal definitions and connections. 1.1 Notions of Security Formalizing another security criterion that an encryption scheme should verify beyond one-wayness, Gold...

475 | Non-Malleable Cryptography - Dolev, Dwork, et al. - 2000
Citation Context: ...ld not be able to learn any information whatsoever about a plaintext, its length excepted, given its encryption. The property of non-malleability (NM), independently proposed by Dolev, Dwork and Naor [8], supposes that, given the encryption of a plaintext x, the attacker cannot produce the encryption of a related plaintext x'. Here, rather than learning some information about x, the adversary will ...

363 | Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack - Rackoff, Simon - 1992
Citation Context: ...ks (CCA1) (also known as lunchtime or midnight attacks), wherein the adversary gets, in addition, access to a decryption oracle before being given the challenge ciphertext. Finally, Rackoff and Simon [17] defined adaptive chosen-ciphertext attacks (CCA2) as a scenario in which the adversary queries the decryption oracle before and after being challenged; her only restriction here is that she may not f...

338 | A public key cryptosystem and a signature scheme based on discrete logarithms - El Gamal - 1985
Citation Context: ...om a security viewpoint, this impacts all three adversary models by giving the attacker an additional access to the random oracles of the scheme. 1.3 Related Work The basic El Gamal encryption scheme [9], whose one-wayness relates to the celebrated Diffie-Hellman (DH) problem, was recently proven semantically secure (i.e. secure in the sense of IND-CPA) by Tsiounis and Yung [22] under the Decision ...

274 | New directions in cryptography - Diffie, Hellman - 1976

263 | Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks - Naor, Yung - 1990
Citation Context: ...xt attack (CPA), the adversary has access to an encryption oracle, hence to the encryption of any plaintext she wants. Clearly, in a public-key setting, this scenario cannot be avoided. Naor and Yung [13] consider non-adaptive chosen-ciphertext attacks (CCA1) (also known as lunchtime or midnight attacks), wherein the adversary gets, in addition, access to a decryption oracle before being given the cha...

250 | A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1 - Bleichenbacher - 1998

218 | Optimal Asymmetric Encryption - How to Encrypt with RSA - Bellare, Rogaway - 1995
Citation Context: ...ay sometimes appear insufficient, as shown by Bleichenbacher [4] and more recently by Coron, Naccache and Stern [5]. This motivates the construction of provably secure padding techniques such as OAEP [3] or Fujisaki-Okamoto [10]. Considerable efforts have recently been made to investigate cryptosystems achieving provable security against active adversaries at reasonable encryption and/or decryption c...

173 | A new public-key cryptosystem as secure as factoring - Okamoto, Uchiyama - 1998
Citation Context: ...rovably NM-CCA2 secure in the random oracle model under the hypothesis that the decisional version of the D-RSA Problem is intractable. Naccache and Stern [12], and independently Okamoto and Uchiyama [14] investigated different approaches based on high degree residues. The one-wayness (resp. semantic security) of their schemes is ensured by the Prime Residuosity assumption (resp. the hardness of disti...

112 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack - Shoup, Gennaro - 1998
Citation Context: ...therefore proposed a converted scheme provably secure in the sense of NM-CCA2 in the random oracle model, under the D-DH assumption in addition to a non-standard one. Independently, Shoup and Gennaro [20] proposed another converted scheme NM-CCA2 in the random oracle model under the D-DH assumption only. The same year, Cramer and Shoup [6] also presented an El Gamal-based cryptosystem, the first to be...

86 | How to Enhance the Security of Public-Key Encryption at Minimum Cost - Fujisaki, Okamoto - 1999
Citation Context: ...fficient, as shown by Bleichenbacher [4] and more recently by Coron, Naccache and Stern [5]. This motivates the construction of provably secure padding techniques such as OAEP [3] or Fujisaki-Okamoto [10]. Considerable efforts have recently been made to investigate cryptosystems achieving provable security against active adversaries at reasonable encryption and/or decryption cost. Our paper introduces...

35 | Public-Key Cryptosystems Based on Discrete Logarithms Residues - Paillier - 1999
Citation Context: ...ree residues. The one-wayness (resp. semantic security) of their schemes is ensured by the Prime Residuosity assumption (resp. the hardness of distinguishing prime-degree residues). Finally, Paillier [15] proposed an encryption scheme based on composite-degree residues wherein semantic security relies on a similar assumption (see below). In 94, Bellare and Rogaway [3] proposed OAEP, a specific hash-ba...

25 | A New Cryptosystem based on Higher Residues - Naccache, Stern - 1998
Citation Context: ...SA Problem, and provided efficient variants provably NM-CCA2 secure in the random oracle model under the hypothesis that the decisional version of the D-RSA Problem is intractable. Naccache and Stern [12], and independently Okamoto and Uchiyama [14] investigated different approaches based on high degree residues. The one-wayness (resp. semantic security) of their schemes is ensured by the Prime Residu...

24 | New public key cryptosystem based on the dependent RSA problem - Pointcheval

22 | On the Security of El Gamal based Encryption - Tsiounis, Yung - 1998
Citation Context: ...amal encryption scheme [9], whose one-wayness relates to the celebrated Diffie-Hellman (DH) problem, was recently proven semantically secure (i.e. secure in the sense of IND-CPA) by Tsiounis and Yung [22] under the Decision Diffie-Hellman (D-DH) assumption. However, just like RSA, the original scheme remains totally insecure regarding active attacks. The same authors therefore proposed a converted s...

5 | Fast RSA-type cryptosystems using N-adic expansion - Takagi - 1997

1 | A New Signature Forgery Strategy - Stern - 1999
Citation Context: ...ternal paradigm instead of being inherently provided, although this empirical approach may sometimes appear insufficient, as shown by Bleichenbacher [4] and more recently by Coron, Naccache and Stern [5]. This motivates the construction of provably secure padding techniques such as OAEP [3] or Fujisaki-Okamoto [10]. Considerable efforts have recently been made to investigate cryptosystems achieving p...

1 | A New Signature Forgery Strategy. Available from http://www.rsa.com/rsalabs - Stern

1 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols - Paillier, Pointcheval - 1993