
## Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks (1995)


### Download Links

- [www.wisdom.weizmann.ac.il]
- [cs.ioc.ee]
- DBLP

- Venue: In Proc. of the 22nd STOC
- Citations: 279 (19 self)

### Citations

3814 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978

Citation Context: ...the resulting ciphertext E_{e_B}(M). Only Bob can decrypt the message by applying the decryption key: D_{d_B}(E_{e_B}(M)) = M. Implementations of the notion were suggested by Rivest, Shamir and Adleman [32] and Merkle and Hellman [26]. The exact nature of security of these implementations was not given in a precise form, since an exact definition of security was not known at the time. Rabin [30], nevert...

3463 | New directions in cryptography
- Diffie, Hellman
- 1976

Citation Context: ...ways, we use the weakest existential breaking, that is, getting any partial extra information about the plaintext when given the ciphertext). A public-key cryptosystem as defined by Diffie and Hellman [8] consists of two stages. In the initiation stage, each receiver Bob publishes a public encryption key e_B (say, in some public file), while keeping secret the private decryption key d_B. In the second...

1373 | Probabilistic Encryption
- Goldwasser, Micali
- 1984

Citation Context: ...thodology of reducing the security property to a well-defined complexity assumption which, in the absence of lower bound proofs, has become the major one in cryptography. Later, Goldwasser and Micali [19] developed the idea of probabilistic encryption, in which the capability to extract any partial information on the plaintext from the ciphertext is reduced to an underlying hard problem (hard predica...

1233 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989

Citation Context: ...ionally indistinguishable distributions which originated in [19, 35] plays an important role in defining security in many cryptosystems, in particular in the context of encryptions and zero-knowledge [20, 18]. For a distribution Q, let x ∈_R Q denote that x is generated by distribution Q. An ensemble of probability distributions Q(x) is polynomial time sampleable if there is a probabilistic polynomial (in...

744 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986

Citation Context: ...Remark 3: Bellare and Goldwasser [2] have shown how to get signatures from non-interactive zero-knowledge proof systems combined with the pseudo-random functions of Goldreich, Goldwasser and Micali [15]. Their scheme required a stronger definition of non-interactive zero-knowledge proof system that is not known to be equivalent to the one used here. Nevertheless it can be implemented under QRA. Rema...

555 | Theory and application of trapdoor functions
- Yao
- 1982

Citation Context: ...ion 3 and the proof of security of the scheme in section 4. 2 Background, model and definitions. 2.1 Basic definitions. The notion of computationally indistinguishable distributions which originated in [19, 35] plays an important role in defining security in many cryptosystems, in particular in the context of encryptions and zero-knowledge [20, 18]. For a distribution Q, let x ∈_R Q denote that x is generat...

472 | Non-malleable cryptography
- Dolev, Dwork, et al.
- 1991

434 | A Hard-Core Predicate for all One-Way Functions
- Goldreich, Levin
- 1989

Citation Context: ...taken over the coin flips of G, E and M. For implementations of probabilistic encryption see [19, 1, 6, 35, 28]. From the hard core predicate results of Yao [35], Levin [25] and Goldreich and Levin [17] it follows that if there are public-key cryptosystems which are secure in any reasonable sense (i.e. if the plaintext is chosen at random, then it is hard to completely retrieve it given only its cip...

355 | Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1988

Citation Context: ...n of security and used exchange of new cryptographic keys via interaction. The third one uses "interactive proof-systems of knowledge" as was formalized by Feige, Fiat and Shamir and Tompa and Woll [11, 34]. The sender proves that she knows the ciphertext and thus the CC-attack is reduced to a chosen-plaintext one. As mentioned above, Micali [27] has clarified that the claims about chosen ciphertext secur...

355 | Digitalized signatures and public key functions as intractable as factorization
- Rabin
- 1979

Citation Context: ...Adleman [32] and Merkle and Hellman [26]. The exact nature of security of these implementations was not given in a precise form, since an exact definition of security was not known at the time. Rabin [30], nevertheless, has given a scheme where an eavesdropper's ability to extract the complete message when given a ciphertext is computationally equivalent to factoring; this was the first system in whic...

347 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989

Citation Context: ...ally forgeable) under the assumption that factoring is hard (or that claw-free trapdoors exist). Later, Bellare and Micali [3] showed how to base signatures on any trapdoor permutation. Naor and Yung [29] then showed how to construct a trapdoorless signature, basing it on what they called universal one-way hash functions which they implemented using any 1-1 one-way function. Recently, Rompel [33] has ...

225 | One-way functions are necessary and sufficient for secure signature
- Rompel
- 1990

Citation Context: ...Yung [29] then showed how to construct a trapdoorless signature, basing it on what they called universal one-way hash functions which they implemented using any 1-1 one-way function. Recently, Rompel [33] has shown how to construct universal one-way hash functions from any one-way function. Remark 3: Bellare and Goldwasser [2] have shown how to get signatures from non-interactive zero-knowledge proof ...

183 | Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999

Citation Context: ...is a non-interactive proof system as defined above. Currently this assumption is known to be true assuming the intractability of quadratic residuosity [4, 7] or given any trapdoor one-way permutation [12]. Recently, Kilian and Petrank [23, 24] found more efficient implementations of such schemes. Their scheme is for the circuit satisfiability problem. The length of a proof (and the size of the shared ...

179 | Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
- Goldreich, Micali, et al.
- 1986

Citation Context: ...ionally indistinguishable distributions which originated in [19, 35] plays an important role in defining security in many cryptosystems, in particular in the context of encryptions and zero-knowledge [20, 18]. For a distribution Q, let x ∈_R Q denote that x is generated by distribution Q. An ensemble of probability distributions Q(x) is polynomial time sampleable if there is a probabilistic polynomial (in...

179 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Hellman
- 1978

Citation Context: ...B(M). Only Bob can decrypt the message by applying the decryption key: D_{d_B}(E_{e_B}(M)) = M. Implementations of the notion were suggested by Rivest, Shamir and Adleman [32] and Merkle and Hellman [26]. The exact nature of security of these implementations was not given in a precise form, since an exact definition of security was not known at the time. Rabin [30], nevertheless, has given a scheme w...

152 | One-way functions and pseudorandom generators
- Levin
- 1987

Citation Context: ...y(n) where the probability is taken over the coin flips of G, E and M. For implementations of probabilistic encryption see [19, 1, 6, 35, 28]. From the hard core predicate results of Yao [35], Levin [25] and Goldreich and Levin [17] it follows that if there are public-key cryptosystems which are secure in any reasonable sense (i.e. if the plaintext is chosen at random, then it is hard to completely r...

128 | An efficient probabilistic public key encryption scheme which hides all partial information
- Blum, Goldwasser
- 1985

Citation Context: ...ext section.) Furthermore, schemes for cryptosystems which are provably as secure as factoring against a chosen plaintext attack, such as the Blum-Goldwasser efficient scheme for probabilistic encryption [6], are provably insecure against a chosen-ciphertext attack. (The same basis for its security [1] is the basis for its vulnerability to chosen ciphertext attacks.) Previously, in order to construct mess...

78 | Resettable zero-knowledge
- Canetti, Goldreich, et al.
- 2000

Citation Context: ...can run several proof systems simultaneously, while maintaining the zero-knowledge property. This parallel composition is not known to be true in interactive proof systems (see Goldreich and Krawczyk [16] for evidence against it). Consider the following "generic" transformation: Let (P_1, V_1, U_1), (P_2, V_2, U_2), ..., (P_n, V_n, U_n) be non-interactive proof systems for a language L. Le...

77 | Random self-reducibility and zero knowledge interactive proofs of possession of information
- Tompa, Woll
- 1987

Citation Context: ...n of security and used exchange of new cryptographic keys via interaction. The third one uses "interactive proof-systems of knowledge" as was formalized by Feige, Fiat and Shamir and Tompa and Woll [11, 34]. The sender proves that she knows the ciphertext and thus the CC-attack is reduced to a chosen-plaintext one. As mentioned above, Micali [27] has clarified that the claims about chosen ciphertext secur...

55 | New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs
- Bellare, Goldwasser
- 1990

Citation Context: ...ns which they implemented using any 1-1 one-way function. Recently, Rompel [33] has shown how to construct universal one-way hash functions from any one-way function. Remark 3: Bellare and Goldwasser [2] have shown how to get signatures from non-interactive zero-knowledge proof systems combined with the pseudo-random functions of Goldreich, Goldwasser and Micali [15]. Their scheme required a stronger...

51 | Non-interactive zero-knowledge proof systems and applications
- Blum, Feldman, et al.
- 1988

Citation Context: ...are secure against chosen ciphertext attacks (CCS-PKC). We use (single-theorem) non-interactive zero-knowledge proof systems for language membership which were introduced by Blum, Feldman and Micali [4]. In such a system for a language L the prover P and the verifier V share a random string. P can prove to V that x ∈ L by sending a message (which is a function of x and the shared string). Improved i...

47 | How to Sign Given any Trapdoor Function
- Bellare, Micali
- 1988

Citation Context: ...daptive chosen message attack) with the weakest notion of breaking (existentially forgeable) under the assumption that factoring is hard (or that claw-free trapdoors exist). Later, Bellare and Micali [3] showed how to base signatures on any trapdoor permutation. Naor and Yung [29] then showed how to construct a trapdoorless signature, basing it on what they called universal one-way hash functions whi...

35 | Why and how to establish a private code on a public network
- Goldwasser, Micali, et al.
- 1982

Citation Context: ...ractive protocols (telephone conversations), rather than PKC (mail sending). In interactive protocols the parties exchange messages, and indeed the solutions suggested by Goldwasser, Micali and Tong [22], Yung [36] and Galil, Haber and Yung [13] were all inherently interactive. (This, of course, did not solve the open problem regarding PKC.) The first two were given without the exact notion of securi...

25 | An efficient non-interactive zero-knowledge proof system for NP with general assumptions
- Kilian, Petrank
- 1998

Citation Context: ...s defined above. Currently this assumption is known to be true assuming the intractability of quadratic residuosity [4, 7] or given any trapdoor one-way permutation [12]. Recently, Kilian and Petrank [23, 24] found more efficient implementations of such schemes. Their scheme is for the circuit satisfiability problem. The length of a proof (and the size of the shared random string) of a satisfiable circuit...

19 | A secure digital signature scheme
- Goldwasser, Micali, et al.
- 1988

Citation Context: ...text secure cryptosystems made in section 5 of [4] refer to a system with initial interaction as well. Remark 2: More is known about security of signatures than CCS-PKC: Goldwasser, Micali and Rivest [21] have defined a hierarchy of attacks similar to the one given here. They showed how to implement a signature scheme secure against the strongest attack on signature schemes (adaptive chosen message at...

18 | Probabilistic quantifiers, adversaries, and complexity classes: An overview
- Zachos

Citation Context: ...ng soundness requirement is: with overwhelming probability over R ∈_R U(n), ∀y ∉ L_n, ∀p ∈ {0, 1}, p ∈ REJECT(R, y). In order to satisfy this requirement, a quantifier swapping technique of Zachos [37] can be used: For words of length n, R would actually be a sequence of 2n strings R_1, R_2, ..., R_{2n}, where each R_i ∈_R U(n). To prove that x ∈ L_n, for all 1 ≤ i ≤ 2n a proof p_i in ACCEPT(R_i, x...

17 | Cryptoprotocols: Subscription To a Public Key
- Yung
- 1985

Citation Context: ...tocols (telephone conversations), rather than PKC (mail sending). In interactive protocols the parties exchange messages, and indeed the solutions suggested by Goldwasser, Micali and Tong [22], Yung [36] and Galil, Haber and Yung [13] were all inherently interactive. (This, of course, did not solve the open problem regarding PKC.) The first two were given without the exact notion of security and used...

10 | On the complexity of bounded-interaction and non-interactive zero-knowledge proofs
- Kilian
- 1994

Citation Context: ...s defined above. Currently this assumption is known to be true assuming the intractability of quadratic residuosity [4, 7] or given any trapdoor one-way permutation [12]. Recently, Kilian and Petrank [23, 24] found more efficient implementations of such schemes. Their scheme is for the circuit satisfiability problem. The length of a proof (and the size of the shared random string) of a satisfiable circuit...

5 | A Uniform Complexity Encryption and Zero-knowledge
- Goldreich
- 1989

Citation Context: ...curity). These two notions were shown to be equivalent by Goldwasser and Micali [19] (indistinguishability ⇒ semantic), Micali, Rackoff and Sloan [28] (semantic ⇒ indistinguishability) and Goldreich [14] (the uniform case). Under the notion of indistinguishability of encryptions, the cryptosystem is considered to have been broken if the adversary can find two messages m_0 and m_1 in the message space...

3 | RSA/Rabin Bits are 1/2 + 1/poly Secure
- Alexi, Chor, et al.
- 1988

Citation Context: ...inst a chosen plaintext attack, such as the Blum-Goldwasser efficient scheme for probabilistic encryption [6], are provably insecure against a chosen-ciphertext attack. (The same basis for its security [1] is the basis for its vulnerability to chosen ciphertext attacks.) Previously, in order to construct message transmission systems secure against chosen ciphertext attacks, the public-key model was rel...

3 | Notions of Security of Public-Key Cryptosystems
- Micali, Rackoff, et al.
- 1988

Citation Context: ...ter on to prove non-interactively possession of knowledge of the plaintext. Thus the scheme does not fall into the category of a Diffie-Hellman PKC. To use the terminology of Micali, Rackoff and Sloan [28], this is at least a "three pass" scheme, whereas the scheme we present is "one and a half pass". In our scheme, non-interactive zero-knowledge proofs of language membership are used in order to show ...

2 | Interactive Public-key Cryptosystems, see Symmetric Public-Key Encryption
- Galil, Haber, et al.
- 1986

Citation Context: ...istributions that are indistinguishable to those who do not know the decryption key. From now on we identify the notion of security with that of indistinguishability of encryptions. We now, following [13], define precisely what we mean by a chosen ciphertext attack: an attack consists of three probabilistic polynomial time machines A, F, T. Each machine corresponds to a different stage of the attack...

1 | Non-Interactive Zero-Knowledge, Manuscript
- Blum, Santis, et al.

Citation Context: ...thus we have a distinguisher for E_{e_1}. In other words ⟨e_1⟩ has been broken by a plaintext attack only, contradicting our assumption. This concludes the proof of the theorem. □ Using the results of [12, 5] we have: Corollary 4.5 If trapdoor one-way permutations exist, then there exist CCS-PKC. 5 Conclusions and extensions. We have shown how to construct a public key system secure against chosen ciphert...

1 | RSA/Rabin Bits are 1/2 + 1/poly Secure
- Alexi, Chor, et al.
- 1988

Citation Context: ...nst a chosen plaintext attack, such as the Blum-Goldwasser efficient scheme for probabilistic encryption [6], are provably insecure against a chosen-ciphertext attack. (The same basis for its security [1] is the basis for its vulnerability to chosen ciphertext attacks.) Previously, in order to construct message transmission systems secure against chosen ciphertext attacks, the public-key model was re...

1 | New Paradigms for Digital Signatures and Message Authentication based on Non-interactive Zero-knowledge Proofs, Crypto 89
- Bellare, Goldwasser

Citation Context: ...s which they implemented using any 1-1 one-way function. Recently, Rompel [29] has shown how to construct universal one-way hash functions from any one-way function. Remark 3: Bellare and Goldwasser [2] have shown how to get signatures from non-interactive zero-knowledge proof systems combined with the pseudo-random functions of Goldreich, Goldwasser and Micali [13]. Their scheme required a strong...

1 | How to Sign Given Any Trapdoor Function
- Bellare, Micali
- 1988

Citation Context: ...ptive chosen message attack) with the weakest notion of breaking (existentially forgeable) under the assumption that factoring is hard (or that claw-free trapdoors exist). Later, Bellare and Micali [3] showed how to base signatures on any trapdoor permutation. Naor and Yung [25] then showed how to construct a trapdoor-less signature, basing it on what they called universal one-way hash functions ...

1 | An Efficient Probabilistic Public-key Encryption that
- Blum, Goldwasser

Citation Context: ...section.) Furthermore, schemes for cryptosystems which are provably as secure as factoring against a chosen plaintext attack, such as the Blum-Goldwasser efficient scheme for probabilistic encryption [6], are provably insecure against a chosen-ciphertext attack. (The same basis for its security [1] is the basis for its vulnerability to chosen ciphertext attacks.) Previously, in order to construct mess...

1 | Zero Knowledge Proofs of Identity
- Feige, Fiat, et al.

Citation Context: ...of security and used exchange of new cryptographic keys via interaction. The third one uses "interactive proof-systems of knowledge" as was formalized by Feige, Fiat and Shamir and Tompa and Woll [10, 30]. The sender proves that she knows the ciphertext and thus the CC-attack is reduced to a chosen-plaintext one. As mentioned above, Micali [23] has clarified that the claims about chosen ciphertext sec...

1 | Symmetric Public-key Cryptosystems, Submitted to
- Galil, Haber, et al.

Citation Context: ...ibutions that are indistinguishable to those who do not know the decryption key. From now on we identify the notion of security with that of indistinguishability of encryptions. We now, following [11], define precisely what we mean by a chosen ciphertext attack: an attack consists of three probabilistic polynomial time machines A, F, T. Each machine corresponds to a different stage of the atta...

1 | On the Composition
- Goldreich, Krawczyk
- 1989

Citation Context: ...run several proof systems simultaneously, while maintaining the zero-knowledge property. This parallel composition is not known to be true in interactive proof systems (see Goldreich and Krawczyk [14] for evidence against it). Consider the following "generic" transformation: Let (P_1, V_1, U_1), (P_2, V_2, U_2), ..., (P_n, V_n, U_n) be non-interactive proof systems for a language L. Let (P, V, ...

1 | A Hard Predicate for All One-way Functions
- Goldreich, Levin
- 1989

Citation Context: ...z(1, r) = -r^2 mod x. Based on the quadratic residuosity assumption (QRA) this scheme has the required properties. From the hard core predicate results of Yao [31], Levin [21] and Goldreich and Levin [15] it follows that if there are public-key cryptosystems which are secure in any reasonable sense (i.e. if the plaintext is chosen at random, then it is hard to completely retrieve it given only its c...

1 | Proofs that Yield Nothing But their Validity, and a Methodology of Cryptographic Protocol Design
- Goldreich, Micali, et al.
- 1986

Citation Context: ...lly indistinguishable distributions which originated in [17, 31] plays an important role in defining security in many cryptosystems, in particular in the context of encryptions and zero-knowledge [18, 16]. For a distribution Q, let x ∈_R Q denote that x is generated by distribution Q. An ensemble of probability distributions Q(x) is polynomial time sampleable if there is a probabilistic polynomial (in...