A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack

Yvo Desmedt, Rosario Gennaro, Kaoru Kurosawa, Victor Shoup

Research output: Contribution to journal (Article)

Abstract

We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracles). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Eurocrypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally, we generalize our new scheme in two ways: (i) we show that security also holds if we use projective hash families (as in the original Cramer-Shoup scheme), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.

Original language: English (US)
Pages (from-to): 91-120
Number of pages: 30
Journal: Journal of Cryptology
Volume: 23
Issue number: 1
DOI: 10.1007/s00145-009-9051-4
State: Published - Jan 2010

Keywords

  • Chosen ciphertext security
  • Projective hash proofs
  • Public key encryption

ASJC Scopus subject areas

  • Applied Mathematics
  • Computer Science Applications
  • Software

Cite this

A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack. / Desmedt, Yvo; Gennaro, Rosario; Kurosawa, Kaoru; Shoup, Victor.

In: Journal of Cryptology, Vol. 23, No. 1, 01.2010, p. 91-120.

@article{b6a69844ead542adb3bcdc51db4a9893,
title = "A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack",
abstract = "We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message using a symmetric encryption algorithm (the Data Encapsulation Module or DEM). Our scheme is a modification of the hybrid scheme presented by Shoup in (Euro-Crypt'97, Springer LNCS, vol. 1233, pp. 256-266, 1997) (based on the Cramer-Shoup scheme in CRYPTO'98, Springer LNCS, vol. 1462, pp. 13-25, 1998). Its major practical advantage is that it saves the computation of one exponentiation and produces shorter ciphertexts. This efficiency improvement is the result of a surprising observation: previous hybrid schemes were proven secure by proving that both the KEM and the DEM were CCA2-secure. On the other hand, our KEM is not CCA2-secure, yet the whole scheme is, assuming the Decisional Diffie-Hellman (DDH) Assumption. Finally we generalize our new scheme in two ways: (i) we show that security holds also if we use projective hash families (as the original Cramer-Shoup), and (ii) we show that in the random oracle model we can prove security under the weaker Computational Diffie-Hellman (CDH) Assumption.",
keywords = "Chosen ciphertext security, Projective hash proofs, Public key encryption",
author = "Yvo Desmedt and Rosario Gennaro and Kaoru Kurosawa and Victor Shoup",
year = "2010",
month = "1",
doi = "10.1007/s00145-009-9051-4",
language = "English (US)",
volume = "23",
pages = "91--120",
journal = "Journal of Cryptology",
issn = "0933-2790",
publisher = "Springer New York",
number = "1",

}