## Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks (2000)

### Cached

### Download Links

- [www.iacr.org]
- [www.mathmagic.cn]
- [www.di.ens.fr]
- [hal.inria.fr]
- [www.di.ens.fr]
- DBLP

### Other Repositories/Bibliography

Venue: | IN PROC. OF ASIACRYPT |

Citations: | 33 - 3 self |

### BibTeX

@INPROCEEDINGS{Fouque00thresholdcryptosystems,

author = {Pierre-Alain Fouque and David Pointcheval},

title = {Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks},

booktitle = {IN PROC. OF ASIACRYPT},

year = {2000},

pages = {351--368},

publisher = {SpringerVerlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed as the correct security level for public-key encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving IND-CCA. Both are El Gamal-like schemes and thus are based on the same intractability assumption, namely the Decisional Diffie-Hellman problem. In this article we rehabilitate the twin-encryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) IND-CPA scheme into a (threshold) IND-CCA one in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.

### Citations

1754 | How to share a secret
- Shamir
- 1979
(Show Context)
Citation Context ...ever, for the clarity of the description we use RSA moduli with safe primes. Set m = p ′ q ′ . Let β be an element randomly chosen in Z ∗ n. The secret key sk = β × m is shared with the Shamir scheme =-=[46]-=- modulo mn. Let v be a square that generates with overwhelming probability the cyclic group of squares in Z ∗ n 2. The verification keys vki are obtained with the formula v ∆ski mod n 2 . Encryption A... |

1331 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...valid ciphertext, he necessarily “knows” the corresponding plaintext. Therefore, a decryption oracle is unuseful for an adversary. But this latter notion is meaningful only in the random oracle model =-=[6]-=-. For few years, several efficient schemes have been proposed which achieve this high security level. Most of them have only been proven in the random oracle model [7,27,48,36,25,26,38,34] using the p... |

1174 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...ryptosystems, Chosen-Ciphertext Attacks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem =-=[31,41,4]-=-. Therefore a lot of works [26,25, 38,34] have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung... |

829 | How to prove yourself: practical solutions to identification and signature problems - Fiat, Shamir - 1986 |

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
(Show Context)
Citation Context ...ich achieve this high security level. Most of them have only been proven in the random oracle model [7,27,48,36,25,26,38,34] using the plaintext-awareness property, but only one in the standard model =-=[14]-=-. 1.2 Threshold Cryptosystems On the one hand, in public-key cryptography in general, the ability of decrypting or signing is restricted to the owner of the secret key. This means that only one people... |

448 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
(Show Context)
Citation Context ...ryptosystems, Chosen-Ciphertext Attacks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem =-=[31,41,4]-=-. Therefore a lot of works [26,25, 38,34] have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung... |

448 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2006
(Show Context)
Citation Context ...old cryptosystems tries to attack the two following properties : – Security of the underlying primitive. In the case of cryptosystem, it means one-wayness, semantic security [31], or non-malleability =-=[16]-=-. – Robustness. This means that corrupted players should not be able to prevent uncorrupted servers from decrypting ciphertexts. This notion is useful only in the presence of active adversaries. In ot... |

339 |
Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
(Show Context)
Citation Context ...ryptosystems, Chosen-Ciphertext Attacks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem =-=[31,41,4]-=-. Therefore a lot of works [26,25, 38,34] have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung... |

312 |
A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1985
(Show Context)
Citation Context ... to compute a shared random. This method is unfortunately specific to the Cramer-Shoup cryptosystem. The second method used by Shoup and Gennaro [48] follows Lee and Lim paper [32], with the El Gamal =-=[17]-=- cryptosystem, but in the random oracle model [6]. First, they tried to add a non-interactive zero-knowledge proof of knowledge of discrete logarithm, using the Schnorr signature [44]. But they remark... |

311 |
Efficient identification and signatures for smart cards
- Schnorr
- 1990
(Show Context)
Citation Context ...ith the El Gamal [17] cryptosystem, but in the random oracle model [6]. First, they tried to add a non-interactive zero-knowledge proof of knowledge of discrete logarithm, using the Schnorr signature =-=[44]-=-. But they remarked that the decryption simulation without the secret key would require an exponential time, because of a combinatorial explosion of the forking lemma [39]. This explosion can be avoid... |

279 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
- 2000
(Show Context)
Citation Context ... using the Schnorr signature [44]. But they remarked that the decryption simulation without the secret key would require an exponential time, because of a combinatorial explosion of the forking lemma =-=[39]-=-. This explosion can be avoided under stronger assumption [45]. They finally used non-interactive zero-knowledge proofs of membership (as in [33]) to avoid thes354 P.-A. Fouque and D. Pointcheval rewi... |

249 | Public-key cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
(Show Context)
Citation Context ...erefore a lot of works [26,25, 38,34] have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung in =-=[33]-=- proposed a weaker security notion that they called lunch-time attack (a.k.a. indifferent, or non-adaptive, chosenciphertext attack). The adversary can only ask decryption of ciphertexts before he rec... |

204 | Optimal Asymmetric Encryption - How to Encrypt with RSA
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ...iphertext secure cryptosystems. Indeed, the sender proves that he knows the plaintext and thus CCA is reduced to CPA. A similar notion has thereafter been defined, the so-called “plaintext-awareness” =-=[7,4]-=-, which means that when someone builds a valid ciphertext, he necessarily “knows” the corresponding plaintext. Therefore, a decryption oracle is unuseful for an adversary. But this latter notion is me... |

202 | Practical threshold signatures
- Shoup
- 2000
(Show Context)
Citation Context ...hout trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments =-=[43,29, 28,22,40,47]-=- as well. For distributing the decryption process, similar techniques can be used, until one just wants to prevent chosen-plaintext attacks from passive adversaries (see below for precise definitions)... |

190 |
A threshold cryptosystem without a trusted party
- Pedersen
- 1991
(Show Context)
Citation Context ...f a group of servers. First, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm =-=[37,30,21]-=-, and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar t... |

171 | Secure integration of asymmetric and symmetric encryption schemes
- Fujisaki, Okamoto
- 1999
(Show Context)
Citation Context ...cks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem [31,41,4]. Therefore a lot of works =-=[26,25, 38,34]-=- have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung in [33] proposed a weaker security notio... |

149 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system
- Damgård, Jurik
- 1992
(Show Context)
Citation Context ...tem secure under chosen-ciphertext attacks, even against active and adaptive adversaries. It is based on the Paillier’s cryptosystem [35,19]. Another version to share Paillier cryptosystem appears in =-=[15]-=-. In this part, we describe the cryptosystems and we insist on the proofs of membership which are specific. 4.1 The El Gamal Cryptosystem Description of the El Gamal Cryptosystem. Let p be a strong pr... |

131 | Secure distributed key generation for discrete-log based cryptosystems
- Gennaro, Jarecki, et al.
(Show Context)
Citation Context ...f a group of servers. First, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm =-=[37,30,21]-=-, and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar t... |

128 | RSA-OAEP is secure under the RSA assumption
- Fujisaki, Okamoto, et al.
(Show Context)
Citation Context ... only in the random oracle model [6]. For few years, several efficient schemes have been proposed which achieve this high security level. Most of them have only been proven in the random oracle model =-=[7,27,48,36,25,26,38,34]-=- using the plaintext-awareness property, but only one in the standard model [14]. 1.2 Threshold Cryptosystems On the one hand, in public-key cryptography in general, the ability of decrypting or signi... |

124 | Efficient generation of shared rsa keys
- Boneh, Franklin
- 1997
(Show Context)
Citation Context ...rst, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA =-=[10,24,20]-=- settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar techniques can be used, u... |

122 | T.Rabin, “Robust Threshold DSS Signatures
- Gennaro, Jarecki
(Show Context)
Citation Context ...hout trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments =-=[43,29, 28,22,40,47]-=- as well. For distributing the decryption process, similar techniques can be used, until one just wants to prevent chosen-plaintext attacks from passive adversaries (see below for precise definitions)... |

113 |
Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988
(Show Context)
Citation Context ....): ASIACRYPT 2001, LNCS 2248, pp. 351–368, 2001. c○ Springer-Verlag Berlin Heidelberg 2001s352 P.-A. Fouque and D. Pointcheval used non-interactive zero-knowledge proof systems (proofs of membership =-=[9,8]-=-) to show the consistency of the ciphertext, but not to prove that the people who built the ciphertext necessarily “knew its decryption”. Later Rackoff and Simon [41] refined this construction replaci... |

109 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack
- SHOUP, GENNARO
- 2002
(Show Context)
Citation Context ... only in the random oracle model [6]. For few years, several efficient schemes have been proposed which achieve this high security level. Most of them have only been proven in the random oracle model =-=[7,27,48,36,25,26,38,34]-=- using the plaintext-awareness property, but only one in the standard model [14]. 1.2 Threshold Cryptosystems On the one hand, in public-key cryptography in general, the ability of decrypting or signi... |

104 | Public-key encryption in a multi-user setting: Security proofs and improvements
- Bellare, Boldyreva, et al.
- 2000
(Show Context)
Citation Context ... same message under two different public keys, the resulting twin-cryptosystem is still IND-CPA. This result can be shown by applying hybrid techniques [31] and it has already been formally proven in =-=[3,2]-=-, with a advantage loss (divided by 2). Now, we show how to make the reduction. The attacker B receives a given public key pk and we show how this attacker can use the adversary A that breaks IND-CCA ... |

83 | A Simplified Approach to Threshold and Proactive RSA
- Rabin
- 1998
(Show Context)
Citation Context ... trusted party. This has been done in both the discrete logarithm [37, 30, 21], and the RSA [10, 24, 20] settings. For signature schemes, the signing process has been distributed in both environments =-=[43, 29, 28, 22, 40, 47]-=- as well. For distributing the decryption process, similar techniques can be used, until one just wants to prevent chosen-plaintext attacks from passive adversaries (see below for precise definitions)... |

79 | Practical multi-candidate election system
- Baudron, Fouque, et al.
- 2001
(Show Context)
Citation Context ...s amazing to note that the Generic Conversion of Paillier cryptosystem keeps the homomorphic properties, namely that E(M1 + M2) ≡E(M1) ×E(M2) and E(M) k ≡E(kM). For example, in voting scheme, such as =-=[15,1]-=-, the authority can check the universally checkable proofs of validity of ciphertext and compute the tally. However, the result will no longer be a ciphertext that withstands CCA. 5 Conclusion In this... |

79 | Robust and efficient sharing of rsa functions
- Gennaro, Jarecki, et al.
- 1996
(Show Context)
Citation Context ...hout trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments =-=[43,29, 28,22,40,47]-=- as well. For distributing the decryption process, similar techniques can be used, until one just wants to prevent chosen-plaintext attacks from passive adversaries (see below for precise definitions)... |

78 | How to enhance the security of public-key encryption at minimum cost
- Fujisaki, Okamoto
- 1999
(Show Context)
Citation Context ...cks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem [31,41,4]. Therefore a lot of works =-=[26,25, 38,34]-=- have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung in [33] proposed a weaker security notio... |

76 | REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform - Okamoto, Pointcheval - 2001 |

74 | Sharing decryption in the context of voting or lotteries
- Fouque, Poupard, et al.
- 2001
(Show Context)
Citation Context ... with a valid pair of plaintext-ciphertext. It therefore obtains the decryption share σi. If the pair is not valid (the ciphertext does not encrypt the given plaintext) the oracle may output anything =-=[19]-=-. This is therefore the basic security notion (for both IND-CPA and IND-CCA) in the threshold setting: IND-TCPA and IND-TCCA respectively. As explained in the motivation of threshold cryptosystems, su... |

66 |
How to share a function securely
- Santis, Desmedt, et al.
- 1994
(Show Context)
Citation Context |

55 | M.: Robust Efficient Distributed RSA-Key Generation
- Frankel, MacKenzie, et al.
- 1998
(Show Context)
Citation Context ...rst, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA =-=[10,24,20]-=- settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar techniques can be used, u... |

41 | Security of Signed ElGamal Encryption
- Schnorr, Jakobsson
- 2000
(Show Context)
Citation Context ...decryption simulation without the secret key would require an exponential time, because of a combinatorial explosion of the forking lemma [39]. This explosion can be avoided under stronger assumption =-=[45]-=-. They finally used non-interactive zero-knowledge proofs of membership (as in [33]) to avoid thes354 P.-A. Fouque and D. Pointcheval rewinding, and thus the combinatorial explosion in the decryption ... |

40 | Chosen-ciphertext security for any one-way cryptosystem
- Pointcheval
(Show Context)
Citation Context ...cks 1 Introduction 1.1 Chosen-Ciphertext Security Semantic security against chosen-ciphertext attacks represents the correct security definition for a cryptosystem [31,41,4]. Therefore a lot of works =-=[26,25, 38,34]-=- have recently proposed schemes to convert any one-way function into a cryptosystem secure according to this security notion. Before this notion, Naor and Yung in [33] proposed a weaker security notio... |

32 |
Public-Key Cryptosystems Based on Discrete Logarithms Residues
- Paillier
- 1999
(Show Context)
Citation Context ...second example will provide the first RSA-based threshold cryptosystem secure under chosen-ciphertext attacks, even against active and adaptive adversaries. It is based on the Paillier’s cryptosystem =-=[35,19]-=-. Another version to share Paillier cryptosystem appears in [15]. In this part, we describe the cryptosystems and we insist on the proofs of membership which are specific. 4.1 The El Gamal Cryptosyste... |

29 | Extended Notions of Security for Multicast Public Key Cryptosystems
- Baudron, Pointcheval, et al.
(Show Context)
Citation Context ... same message under two different public keys, the resulting twin-cryptosystem is still IND-CPA. This result can be shown by applying hybrid techniques [31] and it has already been formally proven in =-=[3,2]-=-, with a advantage loss (divided by 2). Now, we show how to make the reduction. The attacker B receives a given public key pk and we show how this attacker can use the adversary A that breaks IND-CCA ... |

28 | Identification protocols secure against reset attacks
- Bellare, Fischlin, et al.
- 2001
(Show Context)
Citation Context ...decryption process cannot rewind the machine. The problem is the same as in the resettable zero-knowledge setting. Therefore, the same techniques of proof of membership in a hard language can be used =-=[5]-=-. We can note here that the proof of knowledge of Rackoff and Simon is actually a proof of membership. In this cryptosystem, there are two keys as in [33] : one which belongs to the receiver but the o... |

22 | Fully Distributed Threshold RSA under Standard Assumptions, Cryptology ePrint Archive, Report 2001/008
- Fouque, Stern
- 2001
(Show Context)
Citation Context ...rst, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm [37,30,21], and the RSA =-=[10,24,20]-=- settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar techniques can be used, u... |

19 |
On the Security of El Gamal based Encryption
- Tsiounis, Yung
- 1998
(Show Context)
Citation Context ...hertext (M.y r ,g r ). To decrypt a ciphertext a =(α, β), the receiver computes α/β x . It is well-known that the semantic security of El Gamal is based on the Decisional Diffie-Hellman (DDH) problem =-=[49]-=-. IND-CPA Threshold Version of El Gamal Cryptosystem. The secret key x is split with Shamir secret sharing scheme. Each server has a share ski of the secret key sk and a verification key vki = g ski .... |

18 | Another Method for Attaining Security Against Adaptively Chosen Ciphertext Attack
- Lim, Lee
- 1993
(Show Context)
Citation Context ...ted way. 1.3 Related Work There are two methods to distribute the decryption process of a cryptosystem. Whereas the first one uses randomness, the second follows the model described by Lee and Lim in =-=[32]-=- where the usual decryption process for attaining cryptosystems immune against CCA is reversed: the receiver starts checking whether the ciphertext is valid before decrypting. The first method has bee... |

15 | Efficient public key cryptosystems provably secure against active adversaries
- Paillier, Pointcheval
- 1999
(Show Context)
Citation Context ... only in the random oracle model [6]. For few years, several efficient schemes have been proposed which achieve this high security level. Most of them have only been proven in the random oracle model =-=[7,27,48,36,25,26,38,34]-=- using the plaintext-awareness property, but only one in the standard model [14]. 1.2 Threshold Cryptosystems On the one hand, in public-key cryptography in general, the ability of decrypting or signi... |

12 | One round threshold discrete-log key generation without private channels
- FOUQUE, STERN
(Show Context)
Citation Context ...f a group of servers. First, the key generation process has to be distributed, in order to generate the shares of each server, without trusted party. This has been done in both the discrete logarithm =-=[37,30,21]-=-, and the RSA [10,24,20] settings. For signature schemes, the signing process has been distributed in both environments [43,29, 28,22,40,47] as well. For distributing the decryption process, similar t... |

10 |
Witness Based Cryptographic Program Checking and Robust Function Sharing
- Frankel, Gemmell, et al.
(Show Context)
Citation Context ...turns it to the user. If we want to withstand active adversaries, the combiner must decide when he receives decryption shares σi whether they are valid or not. A nice way is to use checking protocols =-=[23]-=-, and verification keys are consequently needed. The goal of checking protocols is to allow each server to prove to others that it has achieved its task correctly. Semantic Security. In the following,... |

6 | On Adaptive vs. Non-adaptive Security of Multiparty Protocols
- Canetti, Damg˚ard, et al.
(Show Context)
Citation Context ...e their choice along the attack, adaptively. It has been proven that passive and adaptive adversaries are equivalent to passive and non-adaptive adversaries, when the number of servers is logarithmic =-=[11]-=-. One may remark that in the particular case where ℓ = 1and t =0,weare back to the classical situation, where passive/active and (non)-adaptive adversaries are meaningless. 3 Generic Conversions into ... |

6 |
Non-Malleable Non-Interactive Zero-Knowledge and Chosen-Ciphertext Security
- Sahai
- 1999
(Show Context)
Citation Context ...cannot be changed by someone who does not know a witness. Indeed, they did not use any non-malleable property for the non-interactive zero-knowledge proof. Recently, this property has been considered =-=[42]-=-, but only for theoretical proof systems. In this paper, we use the idealized assumption of the random oracle model [6], which assumes that some functions behave like truly random functions. This allo... |

4 |
Proving Security against Chosen-Ciphertext Attacks
- Blum, Feldman, et al.
- 1989
(Show Context)
Citation Context ....): ASIACRYPT 2001, LNCS 2248, pp. 351–368, 2001. c○ Springer-Verlag Berlin Heidelberg 2001s352 P.-A. Fouque and D. Pointcheval used non-interactive zero-knowledge proof systems (proofs of membership =-=[9,8]-=-) to show the consistency of the ciphertext, but not to prove that the people who built the ciphertext necessarily “knew its decryption”. Later Rackoff and Simon [41] refined this construction replaci... |

3 |
An Efficient Threshold PKC Secure Against Adaptive CCA
- Canetti, Goldwasser
(Show Context)
Citation Context ...attaining cryptosystems immune against CCA is reversed: the receiver starts checking whether the ciphertext is valid before decrypting. The first method has been proposed by Canetti and Goldwasser in =-=[12]-=-. In the Cramer-Shoup cryptosystem [14], the receiver can check the validity of a ciphertext by using one part of the secret key, before decrypting the valid ciphertext using the second part of the se... |

3 |
Optimal-Resilience Proactive Public-Key Cryptosystems
- MacKenzie, Yung
- 1997
(Show Context)
Citation Context |