A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security

  • Ueli Maurer
  • Johan Sjödin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)


Motivated by the quest for reducing assumptions in security proofs in cryptography, this paper is concerned with designing efficient symmetric encryption and authentication schemes based on any weak pseudorandom function (PRF) which can be much more efficiently implemented than PRFs. Damgård and Nielsen (CRYPTO ’02) have shown how to construct an efficient symmetric encryption scheme based on any weak PRF that is provably secure against chosen-plaintext attacks. The main ingredient is a range-extension construction for weak PRFs. By using well-known techniques, they also showed how their scheme can be made secure against the stronger chosen-ciphertext attacks.

The results of our paper are three-fold. First, we give a range-extension construction for weak PRFs that is optimal within a large and natural class of reductions (especially all known today). Second, we propose a construction of a regular PRF from any weak PRF. Third, these two results imply a (for long messages) much more efficient chosen-ciphertext secure encryption scheme than the one proposed by Damgård and Nielsen. The results also give answers to open questions posed by Naor and Reingold (CRYPTO ’98) and by Damgård and Nielsen.


References

  1. Aiello, W., Rajagopalan, S., Venkatesan, R.: High-speed pseudorandom number generation with small memory. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 290–304. Springer, Heidelberg (1999)
  2. Bao, F., Deng, R.H., Zhu, H.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003)
  3. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proc. of the 38th Symposium on Foundations of Computer Science, pp. 394–403. IEEE Computer Society Press, Los Alamitos (1997)
  4. Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)
  5. Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
  6. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–328. Springer, Heidelberg (1999)
  7. Blum, A., Furst, M.L., Kearns, M.J., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994)
  8. Damgård, I.B., Nielsen, J.B.: Expanding pseudorandom functions; or: From known-plaintext security to chosen-plaintext security. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 449–464. Springer, Heidelberg (2002)
  9. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
  10. Goldreich, O.: Foundations of Cryptography – Volume II – Basic Applications. Cambridge University Press, Cambridge (2004)
  11. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  12. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  13. Katz, J., Yung, M.: Complete characterization of security notions for probabilistic private-key encryption. In: Proc. of the 32nd Annual Symposium on Theory of Computing, pp. 245–254. ACM Press, New York (2000)
  14. Keller, M.: Constructing weak pseudorandom functions with prescribed structure. Semester Thesis, ETH Zurich (2006)
  15. Kent, S., Atkinson, R.: IP encapsulating security payload (ESP). Request for Comments 2406 (November 1998)
  16. Minematsu, K., Tsunoo, Y.: Expanding weak PRF with small key size. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 284–298. Springer, Heidelberg (2006)
  17. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999)
  18. Naor, M., Reingold, O.: From unpredictability to indistinguishability: A simple construction of pseudo-random functions from MACs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 267–282. Springer, Heidelberg (1998)
  19. Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comp. Sys. Sci. 58(2), 336–375 (1999)
  20. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
  21. Pietrzak, K., Sjödin, J.: Weak pseudorandom functions in minicrypt. Manuscript (November 2006)
  22. Pietrzak, K., Sjödin, J.: Domain extension for weak PRFs; the good, the bad, and the ugly. In: Advances in Cryptology — EUROCRYPT ’07, this proceedings (2007)
  23. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
  24. Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992)
  25. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comp. Sys. Sci. 22, 265–279 (1981)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Ueli Maurer (1)
  • Johan Sjödin (1)

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland
