Relaxing Chosen-Ciphertext Security

  • Ran Canetti
  • Hugo Krawczyk
  • Jesper B. Nielsen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


Security against adaptive chosen ciphertext attacks (or, CCA security) has been accepted as the standard requirement from encryption schemes that need to withstand active attacks. In particular, it is regarded as the appropriate security notion for encryption schemes used as components within general protocols and applications. Indeed, CCA security was shown to suffice in a large variety of contexts. However, CCA security often appears to be somewhat too strong: there exist encryption schemes (some of which come up naturally in practice) that are not CCA secure, but seem sufficiently secure “for most practical purposes.”

We propose a relaxed variant of CCA security, called Replayable CCA (RCCA) security. RCCA security accepts as secure the non-CCA (yet arguably secure) schemes mentioned above; furthermore, it suffices for most existing applications of CCA security. We provide three formulations of RCCA security. The first one follows the spirit of semantic security and is formulated via an ideal functionality in the universally composable security framework. The other two are formulated following the indistinguishability and non-malleability approaches, respectively. We show that the three formulations are equivalent in most interesting cases.


Encryption Scheme Security Parameter Decryption Oracle Semantic Security Secure Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    An, J.H., Dodis, Y., Rabin, T.: On the Security of Joint Signature and Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key-exchange protocols. In: 30th STOC (1998)Google Scholar
  3. 3.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 26. Springer, Heidelberg (1998)Google Scholar
  4. 4.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password- based protocols secure against dictionary attacks. In: Proceedings of the IEEE. Computer Society Symposium on Research in Security and Privacy, pp. 72–84 (1992)Google Scholar
  6. 6.
    Bleichenbacher, D.: Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)Google Scholar
  7. 7.
    Canetti, R.: Universally Composable Security: A new paradigm for cryptographic protocols. Extended Abstract appears in 42nd FOCS (2001),
  8. 8.
    Canetti, R., Krawczyk, H., Nielsen, J.: Relaxing Chosen Ciphertext Security (2003), available online at
  9. 9.
    Canetti, R., Goldwasser, S.: A practical threshold cryptosystem resilient against adaptive chosen ciphertext attacks. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 90. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Canetti, R., Krawczyk, H.: Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 453. Springer, Heidelberg (2001); Report 2001/040, Full version in: Cryptology ePrint Archive,
  11. 11.
    Cramer, R., Shoup, V.: A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 13. Springer, Heidelberg (1998)Google Scholar
  12. 12.
    Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM. J. Computing 30(2), 391–437 (2000); Preliminary version in 23rd Symposium on Theory of Computing (STOC). ACM, New York (1991)Google Scholar
  13. 13.
    ElGamal, T.: A Public-Key cryptosystem and a Signature Scheme based on Discrete Logarithms. IEEE Transactions IT-31(4), 469–472 (1985)MathSciNetGoogle Scholar
  14. 14.
    Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge Press, New York (2001)zbMATHCrossRefGoogle Scholar
  15. 15.
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM 33(4), 210–217 (1986)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Goldwasser, S., Micali, S.: Probabilistic encryption. JCSS 28(2) (1984)Google Scholar
  17. 17.
    Halevi, S., Krawczyk, H.: Public-Key Cryptography and Password Protocols. ACM Transactions on Information and System Security 2(3), 230–268 (1999)CrossRefGoogle Scholar
  18. 18.
    Hofheinz, D., Mueller-Quade, J., Steinwandt, R.: On Modeling IND-CCA Security in Cryptographic Protocols (2003),
  19. 19.
    Krawczyk, H.: The order of encryption and authentication for protecting communications (Or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 310. Springer, Heidelberg (2001),
  20. 20.
    Krohn, M.: On the definitions of cryptographic security: Chosen-Ciphertext attack revisited. Senior Thesis, Harvard U. (1999)Google Scholar
  21. 21.
    Naor, M., Yung, M.: Public key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1990)Google Scholar
  22. 22.
    Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  23. 23.
    Rackoff, C., Simon, D.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  24. 24.
    Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption. In: Crypto Eprint archive entry (2001),
  25. 25.
    Sahai, A.: Non malleable, non-interactive zero knowledge and adaptive chosen ciphertext security, FOCS 1999 (1999)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Ran Canetti
    • 1
  • Hugo Krawczyk
    • 1
    • 2
  • Jesper B. Nielsen
    • 3
  1. 1.IBM T.J. Watson Research CenterNew York
  2. 2.Department of Electrical EngineeringTechnionHaifaIsrael
  3. 3.BRICS, Centre of the Danish National Research Foundation, Department of Computer ScienceUniversity of AarhusArhus CDenmark

Personalised recommendations