## REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform (2001)

Venue: CT-RSA 2001, volume 2020 of LNCS

Citations: 76 (21 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Okamoto01react:rapid,
  author = {Tatsuaki Okamoto and David Pointcheval},
  title = {REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform},
  booktitle = {CT-RSA 2001, volume 2020 of LNCS},
  year = {2001},
  pages = {159--175},
  publisher = {Springer-Verlag}
}
```

### Abstract

Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous:

1. it is more general since it applies to any partially trapdoor one-way function (a.k.a. weakly secure public-key encryption scheme) and therefore provides security relative to RSA but also to the Diffie-Hellman problem or the factorization;
2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates;
3. it provides a key distribution with session key encryption, whose overall scheme achieves chosen-ciphertext security even with weakly secure symmetric scheme.

Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.

### Citations

2925 | A Method for Obtaining Digital Signatures and Public-Key
- Rivest, Shamir, et al.
- 1978
Citation Context: ...pecific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman [12], factorization, RSA [37], elliptic curves [22], McEliece [24], NTRU [19], etc). A very nice result would be a generic and efficient conversion from any such trapdoor problem into a chosen-ciphertex...

2728 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context: ...or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman [12], factorization, RSA [37], elliptic curves [22], McEliece [24], NTRU [19], etc). A very nice result would be a generic and efficient conversion from any such trapdoor problem into a chosen-ciphertex...

1341 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...m with efficient decryption process is a challenge with a quite practical impact. 1.3 Achievement: a New and Efficient Conversion The present work provides a new conversion in the random oracle model [4] which is optimal from the computational point of view in both the encryption and decryption phases. Indeed, the encryption needs an evaluation of the one-way function, and the decryption just makes on...

1184 | Probabilistic Encryption
- Goldwasser, Micali
- 1984
Citation Context: ...ntil few years ago, the description of a cryptosystem, together with some heuristic arguments for security, were enough to convince and to make a scheme to be widely adopted. Formal semantic security [18] and further non-malleability [13] were just seen as theoretical properties. However, after multiple cryptanalyses of international standards [7, 10, 9], provable security has been realized to be impo...

796 | Communication theory of secrecy systems
- Shannon
- 1949
Citation Context: ...by now more and more required property is the semantic security [18] also known as indistinguishability of encryptions or polynomial security since it is the computational version of perfect security [39]. Definition 4 (Semantic Security). An asymmetric encryption scheme is said to be semantically secure if no polynomial-time attacker can learn any bit of information about the plaintext from the ciphe...

697 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context: ...s. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman [12], factorization, RSA [37], elliptic curves [22], McEliece [24], NTRU [19], etc). A very nice result would be a generic and efficient conversion from any such trapdoor problem into a chosen-ciphertext secure encryption scheme. 1.2 Related Work In...

463 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context: ... algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Di...

452 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation Context: ... unlimited, and the adversary can therefore ask any query of her choice to the decryption oracle, but of course she is restricted not to use it on the challenge ciphertext. It has already been proven [3] that under this latter attack, the adaptive chosen-ciphertext attacks, denoted CCA, the semantic security and the non-malleability notions are equivalent, and this is the strongest security notion th...

449 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context: ...n of a cryptosystem, together with some heuristic arguments for security, were enough to convince and to make a scheme to be widely adopted. Formal semantic security [18] and further non-malleability [13] were just seen as theoretical properties. However, after multiple cryptanalyses of international standards [7, 10, 9], provable security has been realized to be important and even became a basic requ...

315 | A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms
- Gamal
- 1985
Citation Context: ...s scheme is deterministic, it is still one-way, even against PCA, relative to the RSA problem: the RSA-cryptosystem is OW-PCA relative to the RSA problem. The El Gamal Cryptosystem. In 1985, El Gamal [14] defined an asymmetric encryption scheme based on the Diffie-Hellman key distribution problem [12]. It works as follows: – An authority chooses and publishes an Abelian group G of order q, denoted mul...

252 | Public-key Cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
Citation Context: ...ext of her choice, thanks to the public key. It is denoted CPA. But she may have, for some time, access to a decryption oracle. She then plays a chosen-ciphertext attack, which is either non-adaptive [27] if this access is limited in time, or adaptive [36] if this access is unlimited, and the adversary can therefore ask any query of her choice to the decryption oracle, but of course she is restricted ...

238 | Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1
- Bleichenbacher
- 1996
Citation Context: ...scheme to be widely adopted. Formal semantic security [18] and further non-malleability [13] were just seen as theoretical properties. However, after multiple cryptanalyses of international standards [7, 10, 9], provable security has been realized to be important and even became a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. ...

205 | Optimal Asymmetric Encryption – How to encrypt with RSA
- Bellare, Rogaway
- 1994
Citation Context: ... etc). A very nice result would be a generic and efficient conversion from any such trapdoor problem into a chosen-ciphertext secure encryption scheme. 1.2 Related Work In 1994, Bellare and Rogaway [5] suggested such a conversion, the so-called OAEP (Optimal Asymmetric Encryption Padding). However, its application domain was restricted to trapdoor one-way permutations, which is a very rare object (...

200 | A public-key cryptosystem based on algebraic coding theory
- McEliece
- 1978
Citation Context: ...s easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman [12], factorization, RSA [37], elliptic curves [22], McEliece [24], NTRU [19], etc). A very nice result would be a generic and efficient conversion from any such trapdoor problem into a chosen-ciphertext secure encryption scheme. 1.2 Related Work In 1994, Bellare ...

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes
- Fujisaki, Okamoto
- 1999
Citation Context: ...ew RSA standard – PKCS #1 [38], and has been introduced in many world wide used applications. At PKC ’99, Fujisaki and Okamoto [15, 17] proposed another conversion with further important improvements [16, 35]. Therefore it looked like the expected goal was reached: a generic conversion from any one-way cryptosystem into a chosen-ciphertext secure encryption scheme. However, the resulting scheme is not opt...

159 | A New Public-Key Cryptosystem as Secure as Factoring
- Okamoto, Uchiyama
Citation Context: ...e a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. Some furthermore introduced new algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific secur...

137 | The Boomerang Attack
- Wagner
Citation Context: ... strongest scenario considers the adaptive chosen-plaintext/ciphertext attacks, where the adversary has access to both an encryption and a decryption oracle, such as in the so-called boomerang attack [42]. However, just the security against the basic no-plaintext/ciphertext attacks (a.k.a. passive attacks) is enough in our application. Therefore, one can remark that it is a very weak requirement. Inde...

123 | Pointcheval D.: The Gap–Problems: A new class of problems for the security of cryptographic schemes
- Okamoto
- 1992
Citation Context: ...en, in the next section (Section 3), we describe a new attack scenario, we call the Plaintext-Checking Attack. It then leads to the introduction of a new class of problems, the so-called Gap-Problems [28]. Then in Section 4, we describe our new conversion together with the security proofs. The next section (Section 5) presents some interesting applications of this conversion. Then comes the conclusion...

109 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack
- Shoup, Gennaro
- 2002
Citation Context: ... algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Di...

89 | The oracle Diffie-Hellman assumptions and an analysis of DHIES
- Abdalla, Bellare, et al.
Citation Context: ...e a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. Some furthermore introduced new algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific secur...

84 | Universal Hash Functions
- Carter, Wegman
- 1979
Citation Context: ...istribution on all the possible permutations over the message-space, after just one query to the oracle which is either $E^{\mathsf{sym}}_k$ for some random k or a random permutation (cf. universal hash functions [8])! Remark 7. One should remark that the one-time pad provides a perfect semantically secure symmetric encryption: for any t it is (t, 0)-semantically secure, for ℓ = k. 56 3 The Plaintext-Checking At...

80 | How to enhance the security of public key encryption at minimum cost
- Fujisaki, Okamoto
- 1999
Citation Context: ...called OAEP-RSA, provably chosen-ciphertext secure, and thus became the new RSA standard – PKCS #1 [38], and has been introduced in many world wide used applications. At PKC ’99, Fujisaki and Okamoto [15, 17] proposed another conversion with further important improvements [16, 35]. Therefore it looked like the expected goal was reached: a generic conversion from any one-way cryptosystem into a chosen-ciph...

71 | A practical mix
- Jakobsson
Citation Context: ... algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Di...

56 | Non-Malleable Encryption: Equivalence between Two Notions and an Indistinguishability-Based Characterization
- Bellare, Sahai
- 1999
Citation Context: ...given ciphertext, a new ciphertext such that the plaintexts are meaningfully related. But we won’t detail it since this notion has been proven equivalent to semantic security against parallel attacks [6]. Indeed, the adversary considered above may obtain, in some situations, more information than just the public key. With just the public key, we say that she plays a chosen-plaintext attack since she...

53 | NTRU: a Ring based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
- 1998
Citation Context: ...e a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. Some furthermore introduced new algebraic problems, and assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific secur...

40 | A new public-key cryptosystem
- Naccache, Stern
- 1997

40 | Chosen-ciphertext security for any one-way cryptosystem
- Pointcheval
Citation Context: ...ew RSA standard – PKCS #1 [38], and has been introduced in many world wide used applications. At PKC ’99, Fujisaki and Okamoto [15, 17] proposed another conversion with further important improvements [16, 35]. Therefore it looked like the expected goal was reached: a generic conversion from any one-way cryptosystem into a chosen-ciphertext secure encryption scheme. However, the resulting scheme is not opt...

32 | Public-Key Cryptosystems Based on Discrete Logarithms Residues
- Paillier
- 1999

26 | The Diffie-Hellman protocol
- Maurer, Wolf
Citation Context: ...hether the triple ($y = g^x$, $r = g^k$, $s/m$) is a DH-triple. It is exactly a DDH Oracle. ⊓⊔ Since no polynomial time reduction (even a probabilistic one) is known from the CDH problem to the DDH problem [23], the GDH assumption seems as reasonable as the DDH assumption (the reader is referred to [28] for more details). 7 4 Description of REACT 4.1 The Basic Conversion Let us consider ($K^{\mathsf{asym}}$, $E^{\mathsf{asym}}$, D...

25 | New Cryptosystem based on Higher Residues
- Naccache, Stern

24 | New public key cryptosystem based on the dependent RSA problem
- Pointcheval

19 | On the security of RSA padding
- Coron, Naccache, et al.
- 1999
Citation Context: ...scheme to be widely adopted. Formal semantic security [18] and further non-malleability [13] were just seen as theoretical properties. However, after multiple cryptanalyses of international standards [7, 10, 9], provable security has been realized to be important and even became a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. ...

19 | On the Security of El Gamal based Encryption
- Tsiounis, Yung
- 1998

16 | EPOC: Efficient Probabilistic Public-Key Encryption. Submission to
- Okamoto, Uchiyama, et al.
- 1998
Citation Context: ...xt was checked by a full re-encryption. In our conversion, this validity is simply checked by a hash value. 4.2 The Hybrid Conversion As it has already been done with some previous encryption schemes [15, 16, 30, 33, 35], the “one-time pad” encryption can be generalized to any symmetric encryption scheme which is not perfectly secure, but semantically secure against passive attacks. Let us consider two encryption sch...

15 | Efficient public-key cryptosystems provably secure against active adversaries
- Paillier, Pointcheval
- 1999
Citation Context: ... 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman [12], factorizat...

5 | DHAES: An Encryption Scheme Based on
- Abdalla, Bellare, et al.
- 1998

4 | HD–RSA: Hybrid Dependent RSA - a New Public Key Encryption Scheme. Submission to
- Pointcheval
- 1999
Citation Context: ... assumptions [25, 1, 2, 19, 26, 29, 31, 34], others are intricate constructions, over old schemes, to reach chosen-ciphertext security (from El Gamal [20, 41, 40, 11], D-RSA [33] or Paillier [32]), with specific security proofs. Indeed, it is easy to describe a one-way cryptosystem from any trapdoor problem. Furthermore, such trapdoor problems are not so rare (Diffie-Hellman...

3 | ISO 9796 and the New Forgery Strategy. Working Draft presented at the Rump Session of Crypto ’99
- Coppersmith, Halevi, et al.
- 1999
Citation Context: ...scheme to be widely adopted. Formal semantic security [18] and further non-malleability [13] were just seen as theoretical properties. However, after multiple cryptanalyses of international standards [7, 10, 9], provable security has been realized to be important and even became a basic requirement for any new cryptographic protocol. Therefore, for the last few years, many cryptosystems have been proposed. ...

1 | On the Power of Misbehaving Adversaries and Cryptanalysis of EPOC
- Joye, Quisquater, et al.
- 2001
Citation Context: ...nce the encryption process is public, the bound p is unknown. A public bound has to be defined, for example $n^{1/4}$ which is clearly smaller than p, or $2^k$ where $2^k < p, q < 2^{k+1}$ (see some remarks in [21] about the EPOC application of this scheme [30].) The Converted Scheme: REACT–Okamoto-Uchiyama. Let us consider two hash functions G and H which output $k_1$-bit strings and $k_2$-bit strings respectively, ...