## About Generic Conversions from any Weakly Secure Encryption Scheme into a Chosen-Ciphertext Secure Scheme (2001)

Venue: In Proceedings of the Fourth Conference on Algebraic Geometry, Number Theory, Coding Theory and Cryptography

Citations: 1 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Pointcheval01aboutgeneric,
  author    = {David Pointcheval},
  title     = {About Generic Conversions from any Weakly Secure Encryption Scheme into a Chosen-Ciphertext Secure Scheme},
  booktitle = {In Proceedings of the Fourth Conference on Algebraic Geometry, Number Theory, Coding Theory and Cryptography},
  year      = {2001},
  pages     = {145--162}
}
```

### Abstract

Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many schemes have been proposed, but many have been broken. Indeed, for many people, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, very few practical schemes can be proven in this so-called “standard model” because such a security level rarely meets with efficiency. A convenient way to achieve some kind of validation of efficient schemes has been to identify some concrete cryptographic objects with ideal random ones: hash functions are considered as behaving like random functions, in the so-called “random oracle model”, and groups are used as black-box groups, in which one has to ask for additions to get new elements, in the so-called “generic model”. In this paper we present some generic designs for asymmetric encryption with provable security in the random oracle model.

### Citations

2714 | New directions in cryptography
- Diffie, Hellman
Citation context: ..., Random Oracle Model, Discrete Logarithm, Diffie-Hellman Problems, Elliptic Curves. 1 Introduction. 1.1 Motivation. Since the beginning of public-key cryptography, with the seminal Diffie-Hellman paper [17], many suitable problems for cryptography have been proposed (e.g. one-way —possibly trapdoor— functions) and many cryptographic schemes have been designed, together with more or less heuristic proofs ...

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation context: ...tified with ideal (or black-box) ones. For example, it is by now usual to identify hash functions with ideal random functions, in the so-called “random oracle model” formalized by Bellare and Rogaway [7]. More recently, another kind of idealization has been introduced in cryptography, the black-box group [39, 59]: a new element necessarily comes from the addition (or the subtraction) of two already ...

1178 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation context: ...reductions from a well-studied problem (RSA or the discrete logarithm) to an attack against a cryptographic protocol. Firstly, people just tried to produce polynomial reductions, in an asymptotic way [26, 25, 38, 49]. However, such a result has no practical impact on the real security. Indeed, even with a polynomial reduction, one may be able to break the cryptographic protocol within few hours, whereas the reduc...

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation context: ...btain security arguments, while keeping the efficiency of the designs that use hash functions, few authors suggested using the hypothesis that H behaves like a random function. First, Fiat and Shamir [21] applied it heuristically to provide a signature scheme “as secure as” factorization. Then, Bellare and Rogaway [7, 8] formalized this concept in many fields of cryptography: signature and public-key ...

695 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation context: ...ime against the discrete logarithm problem in the multiplicative groups of finite fields, such as the index calculus [32, 27]. However this generic model is still considered valid for elliptic curves [29] and hyper-elliptic curves [30, 31] settings. Non-generic algorithms appeared in some particular cases, such as the anomalous elliptic curves [52], the super-singular curves, where the discrete logari...

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation context: ...on of the Decisional Diffie-Hellman problem. For both of them, efficiency was a serious drawback: twice, or even more, slower than our proposals. The most famous is of course the Cramer-Shoup variant [16], which is provably secure in the standard model. However, the security relies on the Decisional Diffie-Hellman problem and is rather slow, still more than twice as slow as ours. Before this candidate,...

450 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation context: ...n has been thereafter defined, the so-called non-malleability [18], but this notion is equivalent to the above one in some specific scenarios [10]. Moreover, it is equivalent to the semantic security [6] in the most interesting scenario. Therefore, we will just focus on the one-wayness and the semantic security. On the other hand, an attacker can play many kinds of attacks: she may just have access t...

450 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation context: ...be negligible. $\mathrm{Adv}_A = 2 \times \Pr_{b,r}\left[ (k_p, k_s) \leftarrow G(1^k),\ (m_0, m_1, s) \leftarrow A_1(k_p),\ c = E(k_p, m_b; r) : A_2(m_0, m_1, s, c) = b \right] - 1.$ Another notion has been thereafter defined, the so-called non-malleability [18], but this notion is equivalent to the above one in some specific scenarios [10]. Moreover, it is equivalent to the semantic security [6] in the most interesting scenario. Therefore, we will just focu...

329 | The exact security of digital signatures - how to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation context: ...ions only prove the security when very huge (and thus unpractical) parameters are used. For few years, more efficient reductions have been expected, under the denominations of either “exact security” [9] or “concrete security” [43], which provide practical security results. The ideal situation is reached when one manages to prove that from an attack, one can describe an algorithm against the underlyi...

314 | A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms
- Gamal
- 1985
Citation context: ...th more or less heuristic proofs of their security relative to the intractability of these problems (namely from the number theory, such as the integer factorization, RSA [51], the discrete logarithm [20] and the Diffie-Hellman [17] problems, or from the complexity theory with some NP-complete problems, such as the knapsack [15] problem or the decoding problem of random linear codes [35]). However, m...

245 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation context: ...hnorr’s identification scheme [53]. 2.3 Discussion. About the random oracle model, no one has ever been able to provide a convincing contradiction to this model, but just a theoretical counter-example [13] which uses a classical diagonalization technique on clearly wrong designs for practical purpose! Therefore, this model has been strongly accepted by the community, and is considered as a good one, in...

204 | Optimal Asymmetric Encryption - How to Encrypt with RSA
- Bellare, Rogaway
- 1994

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes
- Fujisaki, Okamoto
- 1999
Citation context: ...applying this conversion to the above El Gamal encryption, one obtains an IND-CCA encryption scheme relative to the DDH problem, in the random oracle model. After, independently, Fujisaki and Okamoto [23] and the author [46] proposed better generic conversions since they apply to any OW-CPA scheme to make it into an IND-CCA one, under the same assumption. This high security level is just at the cost o...

145 | Hyperelliptic cryptosystems
- Koblitz
- 1989
Citation context: ...thm problem in the multiplicative groups of finite fields, such as the index calculus [32, 27]. However this generic model is still considered valid for elliptic curves [29] and hyper-elliptic curves [30, 31] settings. Non-generic algorithms appeared in some particular cases, such as the anomalous elliptic curves [52], the super-singular curves, where the discrete logarithm problem can be reduced to the f...

136 | An efficient off-line electronic cash system based on the representation problem
- Brands
- 1993
Citation context: ...two already known elements. More recently, Shoup [59] gave lower bounds for generic algorithms against the discrete logarithm, the computational Diffie-Hellman problem [17] and the decisional version [12]. He therefore provided a lower bound for any “generic adversary” against the Schnorr’s identification scheme [53]. 2.3 Discussion. About the random oracle model, no one has ever been able to provide a...

104 | Public-key encryption in a multi-user setting: Security proofs and improvements
- Bellare, Boldyreva, et al.
- 2000
Citation context: ...yption exponent, using the Chinese Remaindering Theorem. But recent results prove that semantically secure schemes, in the classical sense as described above, remain secure in multi-user scenarios [5, 4], whatever the kind of attacks. A general study of these security notions and attacks has been driven in [6], we therefore refer the reader to this paper for more details. However, we can just review ...

87 | The oracle Diffie-Hellman assumptions and an analysis of DHIES
- Abdalla, Bellare, et al.
- 2001
Citation context: ...ion scheme which reached IND-CCA security. However, this security, whereas it does not require the random oracle model [7], is based on a non-standard assumption, the Oracle Diffie-Hellman Assumption [2], which is somewhat as strong as the random oracle model, and furthermore requires a MAC. Consequently, the REACT-EG variant is among the most efficient, since it is almost as efficient as the origina...

79 | How to Enhance the Security of Public-key Encryption at Minimum Cost
- Fujisaki, Okamoto
- 1999
Citation context: ...pdoor partially one-way permutations [58, 24]. Anyway, there was already no hope to use it with any DL-based primitive, because of the “permutation” requirement. Hopefully, first Fujisaki and Okamoto [22] proposed a generic conversion from any IND-CPA scheme into an IND-CCA one. While applying this conversion to the above El Gamal encryption, one obtains an IND-CCA encryption scheme relative to the DD...

76 | Solving Simultaneous Modular Equations of Low Degree
- Hastad
- 1988
Citation context: ...ted under different keys to be sent to many people (e.g. broadcast of encrypted data). This may provide many useful data for an adversary. For example, RSA is well-known to be weak in such a scenario [28, 57], namely with a small encryption exponent, using the Chinese Remaindering Theorem. But recent results prove that semantically secure schemes, in the classical sense as described above, remain secur...

63 | Discrete Logarithms in GF(p) Using the Number Field Sieve
- Gordon
- 1993
Citation context: ...e fact that each group element is encoded by a unique string. Typically, algorithms like Pollard’s [48] and Shanks’ [56] algorithms are under the scope of this formalism, while index-calculus methods [32, 27] do not fall in this category. Therefore, generic algorithms just use the group-operation (e.g. the addition) as a black-box: any new element necessarily comes from the addition (or the subtraction) o...

56 | Non-Malleable Encryption: Equivalence between Two Notions and an Indistinguishability-Based Characterization
- Bellare, Sahai
- 1999
Citation context: ...$= E(k_p, m_b; r) : A_2(m_0, m_1, s, c) = b \big] - 1$. Another notion has been thereafter defined, the so-called non-malleability [18], but this notion is equivalent to the above one in some specific scenarios [10]. Moreover, it is equivalent to the semantic security [6] in the most interesting scenario. Therefore, we will just focus on the one-wayness and the semantic security. On the other hand, an attacker c...

40 | A Family of Jacobians Suitable for Discrete Log Cryptosystems
- Koblitz
- 1988
Citation context: ...thm problem in the multiplicative groups of finite fields, such as the index calculus [32, 27]. However this generic model is still considered valid for elliptic curves [29] and hyper-elliptic curves [30, 31] settings. Non-generic algorithms appeared in some particular cases, such as the anomalous elliptic curves [52], the super-singular curves, where the discrete logarithm problem can be reduced to the f...

35 | A knapsack type public key cryptosystem based on arithmetic in finite fields
- Chor, Rivest
- 1985
Citation context: ...ory, such as the integer factorization, RSA [51], the discrete logarithm [20] and the Diffie-Hellman [17] problems, or from the complexity theory with some NP-complete problems, such as the knapsack [15] problem or the decoding problem of random linear codes [35]). However, most of those schemes have thereafter been broken. The simple fact that a cryptographic algorithm withstands cryptanalytic attac...

32 | Factorization of a 512-bit RSA Modulus
- Cavallar, Dodson, et al.
- 2000
Citation context: ...p and q from N, is hard to solve. Indeed, the Number Field Sieve technique [32], which is the best known method, is super-polynomial in the size of N. And it has been recently used to establish the record [14] of factoring a 512-bit number within three months. A related problem is the well-known RSA problem on which was based the first public-key cryptosystem, the RSA function [51], proposed by Rivest, Sha...

31 | A “Paradoxical” Solution to the Signature Problem
- Goldwasser, Micali, et al.
- 1984
Citation context: ...reductions from a well-studied problem (RSA or the discrete logarithm) to an attack against a cryptographic protocol. Firstly, people just tried to produce polynomial reductions, in an asymptotic way [26, 25, 38, 49]. However, such a result has no practical impact on the real security. Indeed, even with a polynomial reduction, one may be able to break the cryptographic protocol within few hours, whereas the reduc...

30 | Speeding Up the Discrete Log Computation on Curves with Automorphisms
- Duursma, Gaudry, et al.
- 1999
Citation context: ...e reduced to the finite field setting, because of the Frobenius map which has a trace zero [36], as well as the curves of trace one [61] and more recently when many automorphisms exist on the curve [19]. However these curves were already advised not to be used in practice, but random curves. Anyway, this model seems a somewhat stronger model than the random oracle model. 3 The Intractability Assumpt...

29 | Extended Notions of Security for Multicast Public Key Cryptosystems
- Baudron, Pointcheval, et al.
Citation context: ...yption exponent, using the Chinese Remaindering Theorem. But recent results prove that semantically secure schemes, in the classical sense as described above, remain secure in multi-user scenarios [5, 4], whatever the kind of attacks. A general study of these security notions and attacks has been driven in [6], we therefore refer the reader to this paper for more details. However, we can just review ...

16 | The Development of the Number Field Sieve, volume 1554
- Lenstra, Lenstra
Citation context: ...e fact that each group element is encoded by a unique string. Typically, algorithms like Pollard’s [48] and Shanks’ [56] algorithms are under the scope of this formalism, while index-calculus methods [32, 27] do not fall in this category. Therefore, generic algorithms just use the group-operation (e.g. the addition) as a black-box: any new element necessarily comes from the addition (or the subtraction) o...

8 | Generating El Gamal Signatures without Knowing the Secret Key
- Bleichenbacher
- 1996
Citation context: ...ure designed in 1985 and depicted on Figure 1. Whereas existential forgeries were known for that scheme, it was believed to prevent universal forgeries. The first analysis, from Daniel Bleichenbacher [11], showed such a universal forgery when the generator g is [Figure 1 residue: Initialization: g a generator of $\mathbb{Z}_p^\star$, where p is a large prime; secret key $x \in \mathbb{Z}_{p-1}^\star$; public key $y = g^x \bmod p$. Signature: $K \in \mathbb{Z}_{p-1}^\star$ and $r = g$...]

5 | DHAES: An Encryption Scheme Based on
- Abdalla, Bellare, et al.
- 1998
Citation context: ... is provably secure in the standard model. However, the security relies on the Decisional Diffie-Hellman problem and is rather slow, still more than twice as slow as ours. Before this candidate, DHAES [1] was the most efficient El Gamal-like public-key encryption scheme which reached IND-CCA security. However, this security, whereas it does not require the random oracle model [7], is based on a non-st...

4 | RSA–OAEP is Still Alive. Cryptology ePrint Archive 2000/061. November 2000. Available from http://eprint.iacr.org
- Fujisaki, Okamoto, et al.
Citation context: ...f $M = m \| 0^{k_1}$ for some m, returns m, otherwise, returns Reject. Fig. 2. The OAEP Construction. Anyway Eiichiro Fujisaki, Tatsuaki Okamoto, Jacques Stern and the author immediately provided a new proof [24], but then for trapdoor partially one-way permutations, a stronger requirement about the permutation. In other words, the OAEP construction is still secure if recovering more than half of the bits of ...