Reducing Public Key Sizes in Bounded CCA-Secure KEMs with Optimal Ciphertext Length
Currently, chosen-ciphertext (CCA) security is considered as the de facto standard security notion for public key encryption (PKE), and a number of CCA-secure schemes have been proposed thus far. However, CCA-secure PKE schemes are generally less efficient than schemes with weaker security, e.g., chosen-plaintext security, due to their strong security. Surprisingly, Cramer et al. (Asiacrypt 2007) demonstrated that it is possible to construct a PKE scheme from the decisional Diffie-Hellman assumption that yields (i) bounded CCA (BCCA) security which is only slightly weaker than CCA security, and (ii) one group element of ciphertext overhead which is optimal.
In this paper, we propose two novel BCCA-secure PKE schemes with optimal ciphertext length that are based on computational assumptions rather than decisional assumptions and that yield shorter (or at least comparable) public key sizes. Our first scheme is based on the computational bilinear Diffie-Hellman assumption and yields \(O(\lambda q)\) group elements of public key length, and our second scheme is based on the factoring assumption and yields \(O(\lambda q^2)\) group elements of public key length, while in Cramer et al.’s scheme, a public key consists of \(O(\lambda q^2)\) group elements, where \(\lambda \) is the security parameter and q is the number of decryption queries. Moreover, our second scheme is the first PKE scheme which is BCCA-secure under the factoring assumption and yields optimal ciphertext overhead.
KeywordsBounded CCA security Factoring CBDH assumption
The authors would like to thank the members of the study group “Shin-Akarui-Angou-Benkyou-Kai”.
- 2.Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC, pp. 103–112 (1988)Google Scholar
- 5.Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: STOC, pp. 542–552 (1991)Google Scholar
- 15.Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437 (1990)Google Scholar
- 16.Pereira, M., Dowsley, R., Hanaoka, G., Nascimento, A.C.A.: Public key encryption schemes with bounded CCA security and optimal ciphertext length based on the CDH assumption. In: Burmester, M., Tsudik, G., Magliveras, S., Ilic, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 299–306. Springer, Heidelberg (2011) CrossRefGoogle Scholar
- 17.Shmuely, Z.: Composite diffie-hellman public-key generating systems are hard to break. Technical report 356, Computer Science Department, Technion, Israel, (1985)Google Scholar