## Secure Hybrid Encryption from Weakened Key Encapsulation (2007)

Venue: Advances in Cryptology – CRYPTO 2007

Citations: 35 (8 self)

### BibTeX

@INPROCEEDINGS{Hofheinz07securehybrid,
  author = {Dennis Hofheinz and Eike Kiltz},
  title = {Secure Hybrid Encryption from Weakened Key Encapsulation},
  booktitle = {Advances in Cryptology – CRYPTO 2007},
  year = {2007},
  pages = {553--571},
  publisher = {Springer}
}

### Abstract

We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated

### Citations

1331 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...mes (based on computationally secure primitives), and also more efficient single-pass schemes (see, e.g., [31]). 2 This is reminiscent to the notion of "plaintext awareness" for public-key encryption [6] where it is infeasible for an adversary to come up with a valid ciphertext without being aware of the corresponding plaintext. Our definition is weaker in the sense that it only requires the adversar...

1110 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- El-Gamal
- 1985
Citation Context ...Ej] - Pr[Ej]| <= 1/p which is Equation (9). 4.3 Comparison with Cramer-Shoup and Kurosawa-Desmedt The following table summarizes the key-encapsulation part of the (only IND-CPA secure) ElGamal scheme [16], the Cramer-Shoup encryption scheme [14], the Kurosawa-Desmedt scheme [24], and ours.

| Scheme | Ciphertext | Encapsulated Key |
|---|---|---|
| ElGamal | $g^r$ | $h^r$ |
| Cramer-Shoup | $g^r, \hat{g}^r, (u^t v)^r$ | $h^r$ |
| Kurosawa-Desmedt | $g^r, \hat{g}^r$ | $(u^t v)^r$ |

...

622 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
Citation Context ...reader familiar with this concept we briefly sketch a computational hash-proof system based on Paillier's Decision Composite Residuosity (DCR) assumption [13]. For more details we refer the reader to [27, 13]. Let p1, q1, p2, q2 be primes where p1 = 2p2 + 1 and q1 = 2q2 + 1. Define N1 = p1q1 and N2 = p2q2. Consider Z*N2 1 = GN1 * GN2 * G2 * T . The subgroup G t, Z*N2 1 given by G = GN1 * GN2 is cyclic of ...

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...the random oracle model) and in general methods for constructing such schemes. The first practical IND-CCA secure PKE scheme without random oracles was proposed in a seminal paper by Cramer and Shoup [12, 14]. Their construction was later generalized to hash proof systems [13]. In [36, 14] Cramer and Shoup also give a hybrid variant that encrypts messages of arbitrary length. The idea is to conceptually s...

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
Citation Context ...n and analysis of encryption schemes in the public-key setting (PKE schemes) that are secure against a very strong type of attacks -- indistinguishability against chosen-ciphertext attacks (IND-CCA1) [30, 15]. In this work, we are interested in practical schemes with proofs of security under reasonable security assumptions (without relying on heuristics such as the random oracle model) and in general meth...

329 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981 |

313 | Universal One-way Hash Functions and Their Applications. [STOC
- Naor, Yung
- 1989
Citation Context ...n collision-resistance, so that, in particular, any practical collision-resistant function can be used. Also note that our notion of TCR is related to the stronger notion of universal one-way hashing [25], where in the security experiment of the latter the target value c* is chosen by the adversary (but before seeing the hash key s). Commonly [14, 24] this function is implemented using a dedicated cry...

214 | How to break MD5 and other hash functions
- Wang, Yu
Citation Context ...ity by implementing the TCR function with a dedicated hash function like SHA-x or MD5 (what potentially renders the whole scheme insecure given the recent progress in attacking certain hash functions [38, 39]), one must either resort to inefficient generic constructions of TCR functions [25, 33], or one can use the "hash-free technique" described in [14]. With this latter technique, one can get rid of the...

199 | Chosen-ciphertext security from identity-based encryption
- Boneh, Canetti, et al.
Citation Context ...eir schemes could be explained through hash proof systems; security of all efficient TCR-based schemes had to be proved separately. Surprisingly, almost all practical standard-model encryption schemes [12, 14, 24, 2, 11, 10, 22, 23] are based on the difficulty of Decision Diffie-Hellman (DDH) or stronger assumptions. This is contrasted by the existence of many natural groups in which the DDH assumption is known to be wrong; exam...

197 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation Context ...hat potentially renders the whole scheme insecure given the recent progress in attacking certain hash functions [38, 39]), one must either resort to inefficient generic constructions of TCR functions [25, 33], or one can use the "hash-free technique" described in [14]. With this latter technique, one can get rid of the TCR function completely; however, this comes at the cost of additional elements in the ...

189 | Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack
- Cramer, Shoup
Citation Context ...ral security definition for KEMs that is completely independent of any particular symmetric primitive. We think that this is more natural and more closely follows the spirit of the 3sKEM/DEM approach [14], where (for good reason) KEM and DEM are viewed as independent components. Independent from this work Shacham [34] also proposes a family of hybrid encryption schemes from the n-Linear assumptions. H...

139 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption
- Cramer, Shoup
- 2002
Citation Context ...emes. The first practical IND-CCA secure PKE scheme without random oracles was proposed in a seminal paper by Cramer and Shoup [12, 14]. Their construction was later generalized to hash proof systems [13]. In [36, 14] Cramer and Shoup also give a hybrid variant that encrypts messages of arbitrary length. The idea is to conceptually separate the key-encapsulation (KEM) part from the symmetric (DEM) par...

137 | OCB: A block-cipher mode of operation for efficient authenticated encryption
- Rogaway, Bellare, et al.
- 2003
Citation Context ...encryption is a quite general symmetric primitive and examples include "encrypt-then-mac" schemes (based on computationally secure primitives), and also more efficient single-pass schemes (see, e.g., [31]). 2 This is reminiscent to the notion of "plaintext awareness" for public-key encryption [6] where it is infeasible for an adversary to come up with a valid ciphertext without being aware of the corr...

114 | Nonmalleable cryptography - Dolev, Dwork, Naor - 2000 |

71 | Direct chosen ciphertext security from identity-based techniques
- Boyen, Mei, et al.
- 2005
Citation Context ...eir schemes could be explained through hash proof systems; security of all efficient TCR-based schemes had to be proved separately. Surprisingly, almost all practical standard-model encryption schemes [12, 14, 24, 2, 11, 10, 22, 23] are based on the difficulty of Decision Diffie-Hellman (DDH) or stronger assumptions. This is contrasted by the existence of many natural groups in which the DDH assumption is known to be wrong; exam...

70 | Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications - Vernam - 1926 |

68 | Efficient selective-ID secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
Citation Context ... from the challenge ciphertext) then the alternative decapsulation algorithm yields the correct session key K. This is done using an algebraic trick from selective-ID secure identity-based encryption [8]. * If the queried ciphertext is inconsistent then the alternative decapsulation algorithm yields one virtual session key K that is uniformly distributed over G (in an information theoretic sense). Th...

67 | Using hash functions as a hedge against chosen ciphertext attack
- Shoup
- 2000
Citation Context ... first practical IND-CCA secure PKE scheme without random oracles was proposed in a seminal paper by Cramer and Shoup [12, 14]. Their construction was later generalized to hash proof systems [13]. In [36, 14] Cramer and Shoup also give a hybrid variant that encrypts messages of arbitrary length. The idea is to conceptually separate the key-encapsulation (KEM) part from the symmetric (DEM) part. Generally,...

55 | TagKEM/DEM: A New Framework for Hybrid Encryption, Cryptology ePrint Archive: Report 2005/027
- Abe, Gennaro, et al.
- 2005
Citation Context ...ion we provide computational hash-proof systems from the n-Linear assumptions hence explaining IND-CCCA security of our class of KEMs from the n-Linear assumptions. 1.2 Discussion and related work In [1] (which is the full version of [2]), Abe et al. address the question from [24] about the existence of a natural weaker security condition for KEMs. They propose the notion of LCCA secure KEMs with res...

52 | Chosen-ciphertext security from tag-based encryption
- Kiltz
- 2006
Citation Context ...eir schemes could be explained through hash proof systems; security of all efficient TCR-based schemes had to be proved separately. Surprisingly, almost all practical standard-model encryption schemes [12, 14, 24, 2, 11, 10, 22, 23] are based on the difficulty of Decision Diffie-Hellman (DDH) or stronger assumptions. This is contrasted by the existence of many natural groups in which the DDH assumption is known to be wrong; exam...

51 | Efficient Collision Search Attacks on SHA-0
- Wang, Yu, et al.
- 2005
Citation Context ...ity by implementing the TCR function with a dedicated hash function like SHA-x or MD5 (what potentially renders the whole scheme insecure given the recent progress in attacking certain hash functions [38, 39]), one must either resort to inefficient generic constructions of TCR functions [25, 33], or one can use the "hash-free technique" described in [14]. With this latter technique, one can get rid of the...

45 | Lower Bounds for Discrete Logarithms and Related Problems
- Shoup
- 1997
Citation Context ...e 2-Linear assumption, and the n-Linear assumptions become strictly weaker as the parameter n grows. More precisely, 1-Linear = DDH, and n-Linear implies n + 1-Linear, but (in the generic group model [35]) n + 1-Linear is still hard relative to an n-Linear oracle. In fact, for n >= 2 the n-Linear assumption does not seem to be invalid in any obvious sense even in the groups from [19], in which the DDH...

37 | Unforgeable encryption and chosen ciphertext secure modes of operation - Katz, Yung - 2011 |

34 | Separating Decision Diffie-Hellman from Computational Diffie-Hellman in cryptographic groups
- Joux, Nguyen
Citation Context ...ps and certain non prime-order groups like $\mathbb{Z}_p^*$. This often overlooked fact may turn into a serious problem in case DDH turns out to be wrong in all cryptographically interesting groups. In particular, [19] give evidence that groups with easy DDH problem, but hard computational Diffie-Hellman problem exist. [19] interpret this as an argument to rely on weaker assumptions than DDH. 1.1 Our contributions ...

26 | A Cramer-Shoup encryption scheme from the Linear assumption and from progressively weaker Linear variants. Cryptology ePrint Archive, Report 2007/074
- Shacham
- 2007
Citation Context ...t this is more natural and more closely follows the spirit of the 3sKEM/DEM approach [14], where (for good reason) KEM and DEM are viewed as independent components. Independent from this work Shacham [34] also proposes a family of hybrid encryption schemes from the n-Linear assumptions. His schemes can be viewed as a (slightly less efficient) Cramer-Shoup variant of our schemes from Section 5.2. The 2-...

25 | A provable-security treatment of the key-wrap problem
- Rogaway, Shrimpton
- 2006
Citation Context ...ide privacy (indistinguishability against one-time attacks) and authenticity (ciphertext authenticity against one-time attacks). This is simultaneously captured (similar to the more-time attack case [32]) by defining the ae-ot-advantage of an adversary $B_{ae}$: $\mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k) = \left| \Pr[K \stackrel{\$}{\leftarrow} \mathcal{K}(k) ; b \stackrel{\$}{\leftarrow} \{0,1\} ; b' \stackrel{\$}{\leftarrow} B_{ae}^{LoR_b(\cdot,\cdot), DoR_b(\cdot)}(1^k) : b = b'] - 1/2 \right|$. Here, $LoR_b(M_0, M_1)$ returns ...

20 | Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman
- Kiltz
- 2007
Citation Context ... it to be interesting since it constitutes the first efficient DDH-based encryption scheme that is not based on hash proof systems. Constrained chosen-ciphertext secure KEM from n-Linear. Building on [9, 21] we introduce a new class of purely algebraic intractability assumptions, the n-Linear assumptions, where n >= 1 is a parameter. They are such that the DDH assumption equals the 1-Linear assumption, t...

19 | Short Group Signatures
- Boneh, Boyen, Shacham
Citation Context ... it to be interesting since it constitutes the first efficient DDH-based encryption scheme that is not based on hash proof systems. Constrained chosen-ciphertext secure KEM from n-Linear. Building on [9, 21] we introduce a new class of purely algebraic intractability assumptions, the n-Linear assumptions, where n >= 1 is a parameter. They are such that the DDH assumption equals the 1-Linear assumption, t...

19 | A note on an encryption scheme of Kurosawa and Desmedt. Cryptology ePrint Archive, Report 2004/194
- Gennaro, Shoup
- 2004
Citation Context ...ch that, in combination with sufficiently strong symmetric encryption, chosen-ciphertext secure hybrid encryption can be guaranteed. Extending the work of Cramer and Shoup [13], it was demonstrated in [24, 2, 17] that a variant of hash-proof systems (HPS) can be combined with symmetric encryption and a message authentication code (MAC) to obtain hybrid encryption. If the hash-proof system is universal$_2$, then ...

19 | About the security of ciphers (semantic security and pseudo-random permutations) - Phan, Pointcheval - 2004 |

14 | The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure. Cryptology ePrint Archive, Report 2006/207
- Hofheinz, Herranz, et al.
- 2006
Citation Context ...t expansion by replacing some of its algebraic components with information theoretically secure symmetric primitives. More recently, the KEM part of their scheme was indeed shown to be not CCA secure [18]. One natural open problem from [24] is if there exists a weaker yet natural security condition on the KEM such that, in combination with sufficiently strong symmetric encryption, chosen-ciphertext sec...

13 | Stateful public-key cryptosystems: How to encrypt with one 160-bit exponentiation
- Bellare, Kohno, et al.
- 1994
Citation Context ...sult for the KD scheme from a more general theorem that we will prove in Section 6. (A similar result about combining the Kurosawa-Desmedt scheme with authenticated encryption was already obtained in [4] in the context of stateful encryption.) However, there is one crucial difference in case one needs a scheme that is provably secure solely on the DDH assumption. Note that security (of the KD scheme...

8 | On the Limitations of the Spread of an IBE-to-PKE Transformation
- Kiltz
- 2006

5 | Multirecipient encryption schemes: How to save on bandwidth and computation without sacrificing security
- Bellare, Boldyreva, et al.
Citation Context ... decryption does not depend on the knowledge of $\omega = \log_g(h)$ anymore. Hence, similar to the Cramer-Shoup scheme, this implicit-rejection scheme can be used in the setting of multi-recipient encryption [3], where one single message is being simultaneously sent to a set of n different recipients. 4.5 A hash-free variant Similar to [14] we can also give a hash-free variant of our scheme that abandons the...

4 | Pippenger’s exponentiation algorithm. Available at: http://cr.yp.to/papers.html
- Bernstein
- 2002
Citation Context ...e key $K = c^\omega = h^r$, as in encapsulation. Encryption takes four standard exponentiations plus one application of TCR, where the generation of $\pi$ can also be carried out as a single multi-exponentiation [7]. Decryption takes two exponentiations plus one application of TCR, where the two exponentiations can also be viewed as one sequential exponentiation [7] (which is as efficient as a multi-exponentiati...

2 | On a variation of Kurosawa-Desmedt encryption scheme. Cryptology ePrint Archive
- Phong, Ogata
- 2006
Citation Context ... natural security condition on the key encapsulation part. We assess the constructive appeal of this framework by demonstrating that the original Kurosawa-Desmedt scheme [24], along with its variants [2, 29] and all hash-proof systems based schemes [13, 24], can be thoroughly explained through it. We furthermore present a new IND-CCCA secure KEM from the DDH assumption and show how to build a class of pr...