Chosen Ciphertext Security with Optimal Ciphertext Overhead
スポンサーリンク
概要
- 論文の詳細を見る
Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.
- 2010-01-01
著者
-
ABE Masayuki
NTT Information Sharing Platform Laboratories, NTT Corporation
-
Abe Masayuki
Ntt Information Sharing Platform Laboratories Ntt Corporation
-
KILTZ Eike
CWI Amsterdam
-
OKAMOTO Tatsuaki
NTT Information Sharing Platform Laboratories, NTT Corporation
-
Okamoto Tatsuaki
Ntt Information Sharing Platform Laboratories Ntt Corporation
-
Okamoto Tatsuaki
Ntt Information Sharing Platform Laboratories
-
Abe Masayuki
Ntt Information Sharing Platform Laboratories
関連論文
- Chosen Ciphertext Security with Optimal Ciphertext Overhead
- Flaws in Robust Optimistic Mix-Nets and Stronger Security Notions(Protocol, Cryptography and Information Security)
- Tag-KEM from Set Partial Domain One-Way Permutations
- Flexible-Routing Anonymous Networks Using Optimal Length of Ciphertext(Application)(Cryptography and Information Security)
- 1-out-of-n Signatures from a Variety of Keys (Asymmetric Cipher) (Cryptography and Information Security)
- M+1-st Price Auction Using Homomorphic Encryption(Special Section on Cryptography and Information Security)
- Lenient/Strict Batch Verification in Several Groups(Special Section on Cryptography and Information Security)
- Delegation Chains Secure up to Constant Length(Special Section on Cryptography and Information Security)
- Universally Verifiable Mix-Net with Verification Work Independent of the Number of Mix-Servers
- Key Size Evaluation of Provably Secure RSA-based Encryption Schemes