## A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack (1998)

### Download Links

- [www.mathmagic.cn]
- [eprint.iacr.org]
- [knot.kaist.ac.kr]
- [www.shoup.net]
- [www.zurich.ibm.com]
- DBLP

Citations: 486 (16 self)

### BibTeX

@INPROCEEDINGS{Cramer98apractical,
  author    = {Ronald Cramer and Victor Shoup},
  title     = {A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack},
  booktitle = {},
  year      = {1998},
  pages     = {13--25},
  publisher = {Springer-Verlag}
}

### Abstract

A new public key cryptosystem is presented that is provably secure against adaptive chosen ciphertext attack. The scheme is quite practical, and the proof of security relies only on standard intractability assumptions.

### Citations

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...f based on standard intractability assumptions is known. Lim and Lee [10] also proposed practical schemes that were later broken by Frankel and Yung [7]. In a different direction, Bellare and Rogaway [1, 2] have presented practical schemes that are provably secure against adaptive chosen ciphertext attack in an idealized model of computation where a hash function is represented by a random oracle. While...

1255 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context: ...rs to be no other encryption scheme in the literature that enjoys both of these properties simultaneously. Chosen Ciphertext Security The notion of semantic security (defined by Goldwasser and Micali [8]) captures the notion of security of a public key cryptosystem against chosen plaintext attack. It is now generally accepted that this is a basic requirement of a good cryptosystem. However, it also k...

475 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context: ...restriction that queries to the oracle may not be identical to the target ciphertext. Security against adaptive chosen ciphertext attack also implies non-malleability (defined by Dolev, Dwork and Naor [5]), meaning that an adversary cannot take an encryption of some plaintext and "massage" it into an encryption of a different plaintext that is related in some interesting way to the original plaintex...

363 | Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
- Rackoff, Simon
- 1992
Citation Context: ...lity assumptions. 1 Introduction In this paper, we present and analyze a new public key cryptosystem that is provably secure against adaptive chosen ciphertext attack (as defined by Rackoff and Simon [13]). The scheme is quite practical, requiring just a few exponentiations over a group, and the application of a hash function. Moreover, the proof of security relies only on standard intractability assu...

338 | A public key cryptosystem and a signature scheme based on discrete logarithms
- El Gamal
- 1985
Citation Context: ...and the collision intractability of the hash function. The hardness of the Diffie-Hellman decision problem is essentially equivalent to the semantic security of the basic El Gamal encryption scheme [6]. Thus, with the additional assumption of a collision-resistant hash function, and just a bit more computation, we get security against adaptive chosen ciphertext attack, whereas the basic El Gamal sc...

323 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context: ...tion H at random from the family, it is infeasible for an adversary to find two different inputs x and y such that H(x) = H(y). A weaker notion is that of a universal one-way family of hash functions [18]. Here, it should be infeasible for an adversary to choose an input x, draw a random hash function H, and then find a different input y such that H(x) = H(y). Such hash function families are also call...

263 | Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks
- Naor, Yung
- 1990
Citation Context: ...ecryption oracle," allowing the adversary to decrypt ciphertexts of his choice. Typically, one distinguishes between a weak form of this attack, known as a lunch-time attack (defined by Naor and Yung [12]), and the strongest possible form, known as an adaptive chosen ciphertext attack (defined by Rackoff and Simon [13]). In a lunch-time attack, the adversary queries the decryption oracle some number o...

252 | Optimistic fair exchange of digital signatures
- Asokan, Shoup, et al.
Citation Context: ...inst active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e-mail, and more general fair exchange [1, 22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP scheme [4] (a practical but only heuristically secure scheme) as an internet encryption s...

251 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
Citation Context: ...f based on standard intractability assumptions is known. Lim and Lee [10] also proposed practical schemes that were later broken by Frankel and Yung [7]. In a different direction, Bellare and Rogaway [1, 2] have presented practical schemes that are provably secure against adaptive chosen ciphertext attack in an idealized model of computation where a hash function is represented by a random oracle. While...

237 | Lower Bounds for Discrete Logarithms and Related Problems
- Shoup
- 1997
Citation Context: ...ectured to be hard, and have been used as assumptions in proving the security of a variety of cryptographic protocols. Some heuristic evidence for the hardness of all of these problems is provided in [14], where it is shown that they are hard in a certain natural, structured model of computation. See [15, 11] for further applications and discussion of the Diffie-Hellman decision problem. It is perhaps...

234 | A modular approach to the design and analysis of authentication and key exchange protocols
- Bellare, Canetti, et al.
- 1998
Citation Context: ...werful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e-mail, and more general fair exchange [1, 22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP sch...

153 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997
Citation Context: ...aphic protocols. Some heuristic evidence for the hardness of all of these problems is provided in [14], where it is shown that they are hard in a certain natural, structured model of computation. See [15, 11] for further applications and discussion of the Diffie-Hellman decision problem. It is perhaps worth pointing out that the hardness of the Diffie-Hellman decision problem is equivalent to the security...

124 | Publicly verifiable secret sharing
- Stadler
- 1996
Citation Context: ...aphic protocols. Some heuristic evidence for the hardness of all of these problems is provided in [14], where it is shown that they are hard in a certain natural, structured model of computation. See [15, 11] for further applications and discussion of the Diffie-Hellman decision problem. It is perhaps worth pointing out that the hardness of the Diffie-Hellman decision problem is equivalent to the security...

112 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack
- Shoup, Gennaro
- 1998
Citation Context: ...inst active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e-mail, and more general fair exchange [1, 22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP scheme [4] (a practical but only heuristically secure scheme) as an internet encryption s...

102 | Collision-resistant hashing: Towards making UOWHFs practical
- Bellare, Rogaway
- 1997
Citation Context: ...n adversary to choose an input x, draw a random hash function H, and then find a different input y such that H(x) = H(y). Such hash function families are also called target collision resistant. See [5] for recent results and further discussion. 3 The Basic Scheme We assume that we have a group G of prime order q, where q is large. We also assume that cleartext messages are (or can be encoded as) el...

99 | Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes
- Boneh, Venkatesan
- 1996
Citation Context: ...aphic protocols. Some heuristic evidence for the hardness of all of these problems is provided in [21], where it is shown that they are hard in a certain natural, structured model of computation. See [23, 17, 6] for further applications and discussion of the Diffie-Hellman decision problem. Note that the hardness of the Diffie-Hellman decision problem is equivalent to the semantic security of the basic El Ga...

29 | Pseudorandom Number Generation from any One-Way Function
- Impagliazzo, Levin, et al.
- 1989
Citation Context: ...same length. One way to implement F is as follows. First, hash the 1024-bit encoding of h r down to, say, 56 bits using a random but publicly known 2-universal hash function. The left-over hash lemma [9] would imply that these 56 bits are fairly close to random. We can then use these 56 bits as a DES key, and generate as many pseudo-random bits as we need using DES in "counter mode." The security pro...

25 | Practical approaches to attaining security against adaptively chosen ciphertext attacks (Crypto '92)
- Zheng, Seberry
Citation Context: ...red to be secure against lunch-time attacks; however, this scheme is not known to be provably secure, and is in fact demonstrably insecure against adaptive chosen ciphertext attack. Zheng and Seberry [16] propose practical schemes that are conjectured to be secure against chosen ciphertext attack, but again, no proof based on standard intractability assumptions is known. Lim and Lee [10] also proposed...

18 | Another Method for Attaining Security Against Adaptively Chosen Ciphertext Attack
- Lim, Lee
- 1993
Citation Context: ...g and Seberry [16] propose practical schemes that are conjectured to be secure against chosen ciphertext attack, but again, no proof based on standard intractability assumptions is known. Lim and Lee [10] also proposed practical schemes that were later broken by Frankel and Yung [7]. In a different direction, Bellare and Rogaway [1, 2] have presented practical schemes that are provably secure against...

16 | Towards Practical Public-Key Cryptosystems Provably-Secure against Chosen-Ciphertext Attack
- Damgård
- 1991
Citation Context: ...ntractability assumptions are completely impractical (albeit polynomial time), as they rely on general and expensive constructions for noninteractive zero-knowledge proofs. Practical Schemes. Damgård [4] proposed a practical scheme that he conjectured to be secure against lunch-time attacks; however, this scheme is not known to be provably secure, and is in fact demonstrably insecure against adaptive...

9 | The random oracle model, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context: ...hile a proof of security in the random oracle model is certainly preferable to no proof at all, a proof in the "real world" would be even better. Indeed, recent work by Canetti, Goldreich, and Halevi [3] show that there are cryptographic schemes that are secure in the random oracle model, but insecure in the real world---no matter what hash function is chosen. It is not yet clear what the implication...

7 | Method for message authentication from non-malleable crypto systems
- Dwork, Naor
- 1996
Citation Context: ...werful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e-mail, and more general fair exchange [1, 22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP sch...

6 | Cryptanalysis of immunized LL public key systems
- Frankel, Yung
- 1995
Citation Context: ...gainst chosen ciphertext attack, but again, no proof based on standard intractability assumptions is known. Lim and Lee [10] also proposed practical schemes that were later broken by Frankel and Yung [7]. In a different direction, Bellare and Rogaway [1, 2] have presented practical schemes that are provably secure against adaptive chosen ciphertext attack in an idealized model of computation where a ...
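The scheme the abstract announces, worked through as an added example in Python; this is not code from the paper or from either author. It ties together three of the citation contexts above: the non-malleability remark in the Dolev-Dwork-Naor entry (an adversary "massaging" a ciphertext into an encryption of a related plaintext), the El Gamal entry (Cramer-Shoup is basic El Gamal plus a hash and "a bit more computation"), and the "Basic Scheme" fragment in the Bellare-Rogaway UOWHF entry (a group G of prime order q and a hash H). The equations are the published Cramer-Shoup basic scheme; everything else is an assumed instantiation: G is the subgroup of squares modulo a safe prime p = 2q + 1 generated at 128 bits purely for speed (far too small for real use; a 2048-bit safe prime or a prime-order elliptic-curve group is the practical choice), SHA-256 reduced mod q stands in for the hash family H, and messages are encoded as squares. The `demo` function applies the same edit to both schemes, multiplying the `e` component by a known group element: plain El Gamal decrypts the result to a related plaintext, while Cramer-Shoup's `v` check rejects it.

```python
# Cramer-Shoup (1998) basic scheme in the order-q subgroup of Z_p^*, p = 2q + 1, beside plain
# El Gamal. Added example; SHA-256 mod q stands in for the paper's hash family H (assumption).
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin for odd n > 3; error probability at most 4**-rounds."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=128):
    """Safe prime p = 2q + 1 (128 bits by default, for speed; use >= 2048 in practice)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if all(q % sp and p % sp for sp in SMALL_PRIMES) and is_probable_prime(q) and is_probable_prime(p):
            return p, q

def rand_gen(p):  # random square other than 1; |G| = q is prime, so it generates G
    g = 1
    while g == 1:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)
    return g

def encode(p, m):  # inject m in [1, q] into G as m**2; p = 3 (mod 4), so decode can invert it
    return pow(m, 2, p)

def decode(p, y):
    t = pow(y, (p + 1) // 4, p)  # a square root of y, valid because p = 3 (mod 4)
    return min(t, p - t)

def hash_to_zq(p, q, *elems):
    """alpha = H(u1, u2, e): SHA-256 over fixed-width encodings, reduced mod q."""
    width = (p.bit_length() + 7) // 8
    digest = hashlib.sha256(b"".join(x.to_bytes(width, "big") for x in elems)).digest()
    return int.from_bytes(digest, "big") % q

def cs_keygen(p, q):
    g1, g2 = rand_gen(p), rand_gen(p)
    x1, x2, y1, y2, z = (secrets.randbelow(q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    h = pow(g1, z, p)
    return (p, q, g1, g2, c, d, h), (p, q, x1, x2, y1, y2, z)

def cs_encrypt(pk, m):
    p, q, g1, g2, c, d, h = pk
    r = secrets.randbelow(q)
    u1, u2, e = pow(g1, r, p), pow(g2, r, p), pow(h, r, p) * m % p
    alpha = hash_to_zq(p, q, u1, u2, e)
    v = pow(c, r, p) * pow(d, r * alpha % q, p) % p  # tag binding (u1, u2, e) to r
    return u1, u2, e, v

def cs_decrypt(sk, ct):
    """Plaintext element, or None when the ciphertext is rejected."""
    p, q, x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if not all(0 < t < p and pow(t, q, p) == 1 for t in ct):
        return None  # a component is outside G: reject before any secret-dependent arithmetic
    alpha = hash_to_zq(p, q, u1, u2, e)
    expect = pow(u1, (x1 + y1 * alpha) % q, p) * pow(u2, (x2 + y2 * alpha) % q, p) % p
    if expect != v:
        return None  # tag mismatch: tampered or malformed, reject (the CCA defence)
    return e * pow(u1, q - z, p) % p  # m = e / u1**z, exactly as El Gamal would

def eg_encrypt(pk, m):  # plain El Gamal under the same (g1, h): the (u1, e) part alone
    p, q, g1, _, _, _, h = pk
    r = secrets.randbelow(q)
    return pow(g1, r, p), pow(h, r, p) * m % p

def eg_decrypt(sk, ct):  # no validity check: every (u, e) is accepted and decrypted
    p, q, _, _, _, _, z = sk
    u, e = ct
    return e * pow(u, q - z, p) % p

def demo(bits=128, msg=4242, factor=3):
    p, q = gen_group(bits)
    pk, sk = cs_keygen(p, q)
    m, k = encode(p, msg), encode(p, factor)
    u, e = eg_encrypt(pk, m)
    eg_mangled = decode(p, eg_decrypt(sk, (u, e * k % p)))  # decrypts to msg * factor
    u1, u2, e, v = cs_encrypt(pk, m)
    roundtrip = decode(p, cs_decrypt(sk, (u1, u2, e, v)))  # msg
    cs_mangled = cs_decrypt(sk, (u1, u2, e * k % p, v))  # None: same mangling is rejected
    return {"elgamal_mangled": eg_mangled, "cs_roundtrip": roundtrip, "cs_mangled": cs_mangled}
```

Calling `demo()` returns `elgamal_mangled` equal to `msg * factor` (the El Gamal receiver has no way to notice the edit), `cs_roundtrip` equal to `msg`, and `cs_mangled` of `None`. Two details matter in practice and are easy to drop: the membership test `pow(t, q, p) == 1` on every component keeps an attacker from feeding elements outside G (the paper assumes ciphertext components lie in G, and in a subgroup of Z_p^* that has to be enforced), and the tag check runs before any use of `z`, so a rejected ciphertext leaks nothing about the decryption key beyond the single bit "invalid".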