## Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption (2004)

Citations: 78 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Boneh04improvedefficiency,
  author = {Dan Boneh and Jonathan Katz},
  title = {Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption},
  booktitle = {},
  year = {2004},
  pages = {87--103},
  publisher = {Springer-Verlag}
}
```

### Abstract

Recently, Canetti, Halevi, and Katz showed a general method for constructing CCA-secure encryption schemes from identity-based encryption schemes in the standard model. We improve the efficiency of their construction, and show two specific instantiations of our resulting scheme which offer the most efficient encryption (and, in one case, key generation) of any CCA-secure encryption scheme to date.

### Citations

1417 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...latively small number of encryption schemes have been rigorously proven secure against adaptive chosen-ciphertext attacks in the standard model (i.e., without resorting to the use of random oracles [2]). Schemes based on general assumptions are known [17, 30, 27], but these rely on generic non-interactive zero-knowledge proofs [4, 18] and do not currently lead to practical solutions. More interesti...

1226 | Identity-based encryption from the Weil pairing
- Boneh, Franklin
- 2001
Citation Context: ...uctions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn be constructed in the standard model based on specific number-theoretic assumptions [10, 5, 6, 34]). Overall, the most efficient CCA-secure encryption scheme currently known is a h...

862 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ...ugh one-time signatures are “easy” to construct in theory, and are more efficient than “full-blown” signatures (i.e., those which are existentially unforgeable under an adaptive chosen-message attack [20]), they still have their price. In particular: • One-time signatures based on cryptographic hash functions such as SHA-1 can be designed to allow very efficient signing; key generation, on the other h...

791 | Identity-based cryptosystems and signature schemes
- Shamir
- 1985
Citation Context: ...ge remains hidden from an adversary who does not know SK_ID even if that adversary is given SK_ID′ for multiple identities ID′ ≠ ID. The concept of identity-based encryption was introduced by Shamir [31], and provably-secure IBE schemes in the random oracle model were demonstrated by Boneh and Franklin [7] and Cocks [12]. More recently, provably-secure IBE schemes in the standard model have been deve...

750 | Construction of pseudo random generators from one-way functions
- Hastad, Impagliazzo, et al.
Citation Context: ...g x is good, the min-entropy of x — given pub and com — is at least 255 bits since every x̃ ∈ N_x is equally likely. Viewing h as a strong extractor (or, equivalently, applying the leftover-hash lemma [22]) we see that {h, H(x), h(x)} has statistical difference at most 2^{-64} from {h, H(x), U_128}, where U_128 represents the uniform distribution over {0,1}^128. The theorem follows easily. A concrete scheme. G...

666 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
Citation Context: ...wo general methodologies for constructing such schemes are known. The first methodology is based on the “smooth hash proof systems” of Cramer and Shoup [14], and has led to a variety of constructions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn b...

470 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context: ...ption scheme to date. Keywords: Chosen-ciphertext security, Identity-based encryption, Public-key encryption. 1 Introduction Security against adaptive chosen-ciphertext attacks (i.e., “CCA-security”) [29, 17, 1] has become the de facto level of security for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schem...

469 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation Context: ...ption scheme to date. Keywords: Chosen-ciphertext security, Identity-based encryption, Public-key encryption. 1 Introduction Security against adaptive chosen-ciphertext attacks (i.e., “CCA-security”) [29, 17, 1] has become the de facto level of security for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schem...

357 | Non-interactive zero knowledge proof of knowledge and chosen ciphertext attack, Crypto
- Rackoff, Simon
Citation Context: ...ption scheme to date. Keywords: Chosen-ciphertext security, Identity-based encryption, Public-key encryption. 1 Introduction Security against adaptive chosen-ciphertext attacks (i.e., “CCA-security”) [29, 17, 1] has become the de facto level of security for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schem...

347 | New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981
Citation Context: ... message authentication code. We remark that efficient schemes satisfying this definition can be constructed without any computational assumptions using, e.g., almost strongly universal hash families [35]. Definition 5 (Message authentication) A message authentication code (Mac,Vrfy) is secure against a one-time chosen-message attack if the success probability of any ppt adversary A in the following g...

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context: ...ion evaluation, and is secure under the assumption that SHA-1 is second-preimage resistant (the scheme can be easily modified so as to be secure under the weaker assumption of the existence of UOWHFs [28]). This encapsulation scheme may have other applications, and thus the scheme — as well as the relatively simple proof of security we provide for this encapsulation scheme here (cf. Theorem 2) — may b...

249 | Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS
- Bleichenbacher
Citation Context: ...ity for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schemes not meeting this notion of security [3, 24, 23]; is helpful in defending against “active” attackers who may modify messages in transit (see [32]); and, finally, allows encryption schemes to be developed and then securely “plugged in” to higher-lev...

249 | Identity-Based Encryption Without Random Oracles
- Waters
Citation Context: ...e from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn be constructed in the standard model based on specific number-theoretic assumptions [10, 5, 6, 34]). Overall, the most efficient CCA-secure encryption scheme currently known is a hybrid encryption system due to Kurosawa and Desmedt [25] which builds on the original proposal of Cramer and Shoup [13...

216 | Chosen-ciphertext security from identity-based encryption
- Canetti, Halevi, et al.
- 2004
Citation Context: ... known. The first methodology is based on the “smooth hash proof systems” of Cramer and Shoup [14], and has led to a variety of constructions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn be constructed in the standard model based ...

208 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
Citation Context: ...e from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn be constructed in the standard model based on specific number-theoretic assumptions [10, 5, 6, 34]). Overall, the most efficient CCA-secure encryption scheme currently known is a hybrid encryption system due to Kurosawa and Desmedt [25] which builds on the original proposal of Cramer and Shoup [13...

175 | Multiple non-interactive zero knowledge proofs under general assumptions
- Feige, Lapidot, et al.
- 1999
Citation Context: ...andard model (i.e., without resorting to the use of random oracles [2]). Schemes based on general assumptions are known [17, 30, 27], but these rely on generic non-interactive zero-knowledge proofs [4, 18] and do not currently lead to practical solutions. More interesting from a practical point of view are efficient schemes based on specific number-theoretic assumptions; two general methodologies for c...

161 | Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security
- Sahai
- 1999
Citation Context: ... rigorously proven secure against adaptive chosen-ciphertext attacks in the standard model (i.e., without resorting to the use of random oracles [2]). Schemes based on general assumptions are known [17, 30, 27], but these rely on generic non-interactive zero-knowledge proofs [4, 18] and do not currently lead to practical solutions. More interesting from a practical point of view are efficient schemes based ...

149 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public key encryption. Cryptology ePrint Archive, Report 2001/085
- Cramer, Shoup
- 2001
Citation Context: ...ased on specific number-theoretic assumptions; two general methodologies for constructing such schemes are known. The first methodology is based on the “smooth hash proof systems” of Cramer and Shoup [14], and has led to a variety of constructions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) ide...

148 | Practical verifiable encryption and decryption of discrete logarithms
- Camenisch, Shoup
- 2003
Citation Context: ...wo general methodologies for constructing such schemes are known. The first methodology is based on the “smooth hash proof systems” of Cramer and Shoup [14], and has led to a variety of constructions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn b...

122 | Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988
Citation Context: ...andard model (i.e., without resorting to the use of random oracles [2]). Schemes based on general assumptions are known [17, 30, 27], but these rely on generic non-interactive zero-knowledge proofs [4, 18] and do not currently lead to practical solutions. More interesting from a practical point of view are efficient schemes based on specific number-theoretic assumptions; two general methodologies for c...

111 | Constructing digital signatures from one-way functions, SRI Intl. CSL-98
- Lamport
- 1979
Citation Context: ...et key msk). Though conceptually simple, this transformation does add noticeable overhead to the underlying IBE scheme: encryption requires the sender to generate keys for a one-time signature scheme [26] and also to compute a signature using the keys just generated; decryption requires the receiver to verify a signature with respect to the verification key included as part of the ciphertext. Although...

105 | Secure identity based encryption without random oracles
- Boneh, Boyen
- 2004

70 | Using hash functions as a hedge against chosen ciphertext attack
- Shoup
- 2000
Citation Context: ... used to encrypt a random key, and the data is then encrypted using some symmetric-key encryption scheme and this key. In fact, “encryption” of the symmetric key is not required; “encapsulation” (cf. [33]) — which may be more efficient — is enough. It is well known that if both the public-key encapsulation scheme and the underlying symmetric-key encryption scheme are CCA-secure, then the resulting hyb...

68 | Efficient selective-ID secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
Citation Context: ...e from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn be constructed in the standard model based on specific number-theoretic assumptions [10, 5, 6, 34]). Overall, the most efficient CCA-secure encryption scheme currently known is a hybrid encryption system due to Kurosawa and Desmedt [25] which builds on the original proposal of Cramer and Shoup [13...

67 | A Framework for Password-based Authenticated Key Exchange
- Gennaro, Lindell
- 2003
Citation Context: ...wo general methodologies for constructing such schemes are known. The first methodology is based on the “smooth hash proof systems” of Cramer and Shoup [14], and has led to a variety of constructions [13, 14, 19, 15, 25]. The second, and more recent, method [11] constructs a CCA-secure encryption scheme from any semantically-secure (or, “CPA-secure”) identity-based encryption (IBE) scheme [7, 12] (which can in turn b...

67 | Practical and provably-secure commitment schemes from collision-free hashing
- Halevi, Micali
- 1996
Citation Context: ...can the receiver verify the correctness of tag. Indeed, this feature of our scheme complicates the security proof somewhat (and in particular we must be careful to avoid circular arguments). Adapting [16, 21], we show how encapsulation of the mac key can be done both efficiently and securely using, e.g., SHA-1: encapsulation requires only a single hash function evaluation, and is secure under the assumpti...

48 | A New Paradigm of Hybrid Encryption Scheme
- Kurosawa, Desmedt
- 2004

43 | The Random Oracle Methodology
- Canetti, Goldreich, et al.

29 | Why Chosen Ciphertext Security Matters
- Shoup
- 1998
Citation Context: ... subtle attacks that have been demonstrated against schemes not meeting this notion of security [3, 24, 23]; is helpful in defending against “active” attackers who may modify messages in transit (see [32]); and, finally, allows encryption schemes to be developed and then securely “plugged in” to higher-level protocols which may then be executed in arbitrary environments (see, e.g., [8, Sec. 8.2.2]). N...

17 | An Identity-Based Encryption Scheme Based on Quadratic Residues. Cryptography and Coding, LNCS vol. 2260
- Cocks
- 2001

17 | On the power of misbehaving adversaries and security analysis of the original EPOC
- Joye, Quisquater, et al.
Citation Context: ...ity for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schemes not meeting this notion of security [3, 24, 23]; is helpful in defending against “active” attackers who may modify messages in transit (see [32]); and, finally, allows encryption schemes to be developed and then securely “plugged in” to higher-lev...

6 | On the Existence of Statistically-Hiding Bit Commitment and Fail-Stop Signatures
- Damgard, Pedersen, et al.
- 1993
Citation Context: ...can the receiver verify the correctness of tag. Indeed, this feature of our scheme complicates the security proof somewhat (and in particular we must be careful to avoid circular arguments). Adapting [16, 21], we show how encapsulation of the mac key can be done both efficiently and securely using, e.g., SHA-1: encapsulation requires only a single hash function evaluation, and is secure under the assumpti...

3 | A Simpler Construction of CCA-Secure Public-Key Encryption Under General Assumptions. Adv
- Lindell
- 2003
Citation Context: ... rigorously proven secure against adaptive chosen-ciphertext attacks in the standard model (i.e., without resorting to the use of random oracles [2]). Schemes based on general assumptions are known [17, 30, 27], but these rely on generic non-interactive zero-knowledge proofs [4, 18] and do not currently lead to practical solutions. More interesting from a practical point of view are efficient schemes based ...

1 | The Impact of Decryption
- Howgrave-Graham, Nguyen, et al.
- 2003
Citation Context: ...ity for public-key encryption schemes. The reasons for this are many: CCA security helps protect against subtle attacks that have been demonstrated against schemes not meeting this notion of security [3, 24, 23]; is helpful in defending against “active” attackers who may modify messages in transit (see [32]); and, finally, allows encryption schemes to be developed and then securely “plugged in” to higher-lev...