How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan

Transcription

1 How to Enhance the Security of Public-Key Encryption at Minimum Cost 3 Eiichiro Fujisaki Tatsuaki Okamoto NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan ffujisaki,okamotog@isl.ntt.co.jp Abstract This paper presents a simple and generic conversion from a publickey encryption scheme which is indistinguishable against chosen-plaintext attacks into a public-key encryption scheme which is indistinguishable against adaptive chosen-ciphertext attacks in the random oracle model. The scheme obtained by the conversion is as ecient as the original encryption scheme and the security reduction is very tight in the exact security manner. key words indistinguishability, chosen-plaintext attack, adaptive chosen-ciphertext attack, random oracle model. 1 Introduction 1.1 Motivation One of the important topics in cryptography is to propose a practical and provably-secure public-key encryption scheme. The random oracle paradigm, due to Bellare and Rogaway [1], is a promising way to aim eciency and provable security at the same time Suppose that a public-key encryption primitive, 5, (such as RSA, ElGamal and etc.) is secure in a weaker sense and it is converted to another public-key encryption scheme, 5, by using hash functions. The security of 5 is considered in the hash functions in it being modeled as random oracles (called the random oracle model). Here a random oracle is dened by a public random function that all parties (including adversaries) can make access to. Clearly, the security in this model cannot be guaranteed formally in the standard (not random oracle) model but this paradigm is thought to be a 3 This is the full version of the paper in Proc. PKC'99; the same version of the paper of IEICE Trans. E-83A(1):24{32, Jan

2 good compromise between eciency and provable security. We will give a more details about this paradigm afterward (see also [1]). In [2], Bellare and Rogaway presented a generic and ecient way to convert a one-way trap-door permutation (such as the RSA permutation) to a public-key encryption scheme which is indistinguishable against adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model. The scheme created in this way is called OAEP (Optimal Asymmetric Encryption Padding). However, their method was not applied to a (probabilistic) public-key encryption scheme. Therefore, several (practical) public-key encryption schemes lie outside the range of the OAEP conversion, e.g., the ElGamal, Blum-Goldwasser, and Okamoto-Uchiyama schemes [11, 5, 18]. 1.2 Classication of Encryption Scheme Security The strongest security notion in public-key encryption is that of indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2) or non-malleability against adaptive chosen-ciphertext attacks (NM-CCA2). In [4], Bellare, Desai, Pointcheval and Rogaway show that IND-CCA2 is equivalent to NM-CCA2. We classify classical security notions in public-key encryption into the pairs of goals and adversary models, following [4] two goals and three adversary models. The goals are indistinguishability (IND) and non-malleability (NM). Indistinguishability (IND), due to Goldwasser and Micali [16], is dened by the adversary's inability, given a challenge ciphertext y, to learn any information about the plaintext x. Sometimes, it is also called \semantical security" (see [16]). Non-malleability (NM), due to Dolev, Dwork and Naor [10], is dened by the adversary's inability, given a challenge ciphertext y, to get a dierent ciphertext y 0 such that the corresponding plaintexts, x and x 0, are meaningfully related. Here a meaningful relation is, for instance, x = x The three adversary models are called chosen-plaintext attack model (CPA), non-adaptive chosen-ciphertext attack model (CCA1), and adaptive chosenciphertext attack model (CCA2). In CPA, the adversary is given only the public key. Of course, she can get the ciphertext of any plaintext chosen by herself. Clearly, in public-key encryption schemes, this attack cannot be avoided. This attack is sometimes called a passive adversary's attack, too. In CCA1, due to Naor and Yung [17], in addition to the public key, the adversary can make access to the decryption oracle although she is only allowed to access to the oracle before given a challenge ciphertext. Sometimes, it is also called a \lunchtime", \lunch-break", or \midnight" attack. In CCA2, as described by Racko and Simon [22], the adversary can make access to the decryption oracle anytime (before or after given a challenge ciphertext). She is only prohibited from asking for the decryption of the challenge ciphertext itself. Each pair of goals and attacks corresponds to each security notion in publickey encryption; IND-CPA, : : :, IND-CCA2, NM-CPA, : : :, NM-CCA2. Among 2

3 each security notion the following relations are satised: NM-CPA 0 NM-CCA1 0 NM-CCA2 60! 60! #6" #6" #" IND-CPA 0 IND-CCA1 0 IND-CCA2 60! 60! Here for security notions, A and B, \A! B" (called A implies B) denotes that any public-key encryption scheme that meets secure notion A meets secure notion B, while \A 6! B" (called A doesn't imply B) denotes at least there is a public-key encryption scheme that meets security notion A and does not meet security notion B. See [4] for more details. 1.3 Random Oracle Model As mentioned above, the random oracle model, due to Bellare and Rogaway [1], is a world where all parties (including adversaries) have access to a public random function oracle. After proving the security of some protocol in this model, we replace the random oracle by some appropriately chosen, randomlike function. Although the security achieved in the random oracle model cannot be guaranteed formally when a practical random-like function is used in place of the random oracle, this paradigm often yields much more ecient schemes than those in the standard model. In addition, this paradigm is believed to remain some informal provable security in our community. Intuitively speaking, it is explained as follows: If a practical random-like function is infeasible to analyze in any way, that is to say, infeasible to guess its output and check that the output is correct, then the proof in the random oracle model is still available in the standard model. Indeed, since it gives us a great deal of benets in the viewpoint of eciency and, though informal, security, the random oracle paradigm has been used in many works. See for examples: [2, 3, 20, 21, 19, 24, 25]. Recently Canetti, Goldreich and Halevi [7] have demonstrated that it is possible to devise cryptographic protocols which are provably secure in the random oracle model but for which no complexity assumption property instantiates the random-oracle-modeled hash function. However, since the examples they used to make the random oracle model paradigm fail were very contrived, the concerns induced by these examples do not appear to apply to any of the concrete practical schemes that have been proven secure in the random oracle model. 1.4 Plaintext Awareness In [2], Bellare and Rogaway proposed a new notion for public-key encryption schemes, called the plaintext awareness. Loosely speaking, a public-key encryption scheme is plaintext-aware if every adversary can output a new ciphertext 3

4 only if she knows the corresponding plaintext. This property is extremely eective in avoiding chosen-ciphertext attacks (CCA1,CCA2). Roughly speaking, in a plaintext-aware encryption scheme, an adversary can't gain her knowledge by asking the decryption oracle. Therefore, it leads to the intuition that if a plaintext-aware encryption scheme is secure against chosen-plaintext attacks (CPA), then it is also secure against adaptive chosen-ciphertext attacks (CCA2). Indeed, that intuition is proven true in [4] Our Results This paper shows a simple and ecient conversion from an IND-CPA secure public-key encryption scheme to an IND-CCA2 secure public-key encryption scheme in the random oracle model. Let 5 := (K; E; D) be a public-key encryption scheme, where K is called the key-generation algorithm, E is the encryption algorithm, and D is the decryption algorithm. Then we convert it to a new public-key encryption scheme, 5 := ( K ; E H ; D H ). The encryption of plaintext x is where E H pk(x; r) = E pk (xjjr); H(xjjr) r is a random string chosen from an appropriate domain, H denotes a hash function, E pk (message; coins) indicates the encryption of the indicated message using the indicated coins as random bits. Then informally we have the following result: Informal Theorem: Suppose that 5 is a public-key encryption scheme which is secure in the sense of IND-CPA. Then, 5 obtained by the above conversion 2 is secure in the sense of IND-CCA2 in the random oracle model (H is modeled as a random oracle). Later we will provide the concrete security reduction in the exact security manner, following [2]. 1.6 Merits and Related Works Goldwasser and Micali [16] dened (polynomial) indistinguishability (or semantical security). IND is the shorthand for \indistinguishability". Nonmalleability (NM) is due to the work of Dolev, Dwork and Naor [10]. As for chosen-ciphertext security, Naor and Yung [17] dened \lunchtime" attack (CCA1) and presented the rst provably secure scheme in the sense of 1 The rst denition in [2] is not enough to prove it, but xed in the latter work [4]. 2 Unless, for any plaintext m, the encryption E pk (m) is probabilistic, the above-mentioned conversion should be slightly changed. See Remark 5.5. ; 4

5 IND-CCA1. Then, Racko and Simon [22] dened adaptive-chosen ciphertext attack (CCA2) and presented a IND-CCA2 secure scheme, and in the same year Dolev, Dwork and Naor [10] showed a NM-CCA2 secure scheme. (Form the above-mentioned work [4], IND-CCA2 has been proven to be equivalent to NM-CCA2.) Since the above-mentioned works are all inecient, it makes sense that one attempts to accomplish a more practical encryption scheme secure against chosen ciphertext attacks. In addition, it is also natural that one considers to incorporate a hash function with an encryption function. Towards this purpose, Damgard [9] and Zheng and Seberry [26] proposed practical schemes respectively. However, the Damgard scheme is known not to be secure against adaptive chosen-ciphertext attacks (CCA2) at least (He conjectured that his scheme is secure against lunchtime attacks (CCA1)). On the other hand, according to [2], the Zheng and Seberry scheme is a IND-CCA2 secure scheme if the hash function in the scheme is replaced by the random oracle. As mentioned above, Bellare and Rogaway [2] presented an IND-CCA2 secure scheme (called OAEP) by incorporating hash functions with a deterministic public-key encryption scheme. The Bellare and Rogaway scheme is more ef- cient than the Zheng and Seberry one. Their conversions are both generic methods and work for trapdoor permutations but not for probabilistic encryption schemes. Our conversion is a generic one to be applied to probabilistic public-key encryption schemes (such as ElGamal). Since our conversion starts from an IND-CPA secure scheme, it is simpler and more ecient than theirs, i.e., our conversion requires only one random function operation, while Bellare-Rogaway and Zheng-Seberry conversions require two random function operations. In addition, the security reduction in our scheme is more ecient (tight) than those of theirs, since we need no additional reduction for indistinguishability (or semantical security). Recently, Cramer and Shoup [8] presented a new public-key encryption scheme based on the ElGamal, which is the rst practical IND-CCA2 secure scheme in the standard model. Compared with theirs, our converted version of the ElGamal scheme has a disadvantage in terms of the assumptions (our scheme in the random oracle model and under the decision Die-Hellman assumption, while the Cramer-Shoup scheme under the universal one-way hash assumption and the decision Die-Hellman assumption), but our scheme still has better eciency, at least twice that of theirs. In addition, since our approach is generic, unlike the Cramer-Shoup scheme, it can be adopted by other IND-CPA secure schemes such as Blum-Goldwasser [5] and Okamoto-Uchiyama [18] schemes. Compared with the converted ElGamal scheme presented by Tsiounis and Yung [25], which is secure in the IND-CCA2 (i.e. NM-CCA2) sense, our converted one is at least twice as ecient as theirs under the same assumptions, the random oracle model and the decision Die-Hellman assumption. 5

6 2 Preliminaries Denition 2.1 [Notations] Let A be a probabilistic algorithm and let A(x 1 ; : : : ; x n ; r) be the result of A on input (x 1 ; : : : ; x n ) and coins r. Dene by y A(x 1 ; : : : ; x n ) the experiment of picking r at random and letting y be A(x 1 ; : : : ; x n ; r). If S is a nite set, let y R S be the operation of picking y at random and uniformly from nite set S. When S; T; : : :, denote probability spaces, Pr[x S; y T ; : p(x; y; : : :)] denotes the probability that the predicate, p(x; y; : : :), is true after the experiments, x S; y T; 1 1 1, are executed in that order. " denote the null symbol and, for list, " denote the operation of letting list be empty. We say function f : N! R + is negligible in k if 8c > 0; 9k 0 2 N(k 0 k! f(k) (1=k) c ). Here we mean R + := fx 2 Rjx > 0g. Moreover, for strings x; y, dene by xjjy the concatenation of x and y, i.e., xy, and dene by x 8 y the bit-wise exclusive-or of x and y. In addition, for n-bit string x, [x] k and [x] k denote the rst and last k-bit strings of x respectively (k n). Denition 2.2 [Public-Key Encryption] A public-key encryption scheme is specied by a triple of algorithm, 5 := (K; E; D), and polynomial and positive integer valued functions, mlen(1) and clen(1), where K, called the key-generation algorithm, is a probabilistic algorithm which on input 1 k (k 2 N) outputs, in polynomial-time in k, a pair of strings (pk; sk), called public and secret keys. E, called the encryption algorithm, is a probabilistic algorithm that takes public-key pk, plaintext x 2 f0; 1g mlen(k) and coins r R f0; 1g clen(k) and outputs ciphertext y 2 f0; 1g 3 in polynomial-time in k. D, called the decryption algorithm, is a deterministic algorithm that takes secret-key sk and ciphertext y and outputs a string x. We require that for any k 2 N if (pk; sk) K(1 k ), x 2 f0; 1g mlen(k) and y E pk (x) then D sk (y) = x. We say that ciphertext y is valid if there exists a plaintext x such that y = E pk (x). Denition 2.3 [Random Oracle] We dene by the set of all maps from the set f0; 1g 3 of nite strings to the set f0; 1g 1 of innite strings. H means that we chose map H from a set of an appropriate nite length (say : f0; 1g a ) to a set of an appropriate nite length (say f0; 1g b ), from at random and uniformly, restricting the domain to f0; 1g a and the range to the rst b bits of output. If all parties (including adversaries) in a public-key encryption scheme, 5, can make access to H, we say that 5 is dened in the random oracle model. 6

7 3 Security Denitions In this section, we give some security denitions on public-key encryption. Basically, we follow the terminology of [2, 4]. We dene simultaneously the security notion of indistinguishability in the random oracle model, with regard to CPA,CCA1, and CCA2. The only dierence lies in whether or not A 1 and A 2 are given decryption oracle. When we say O i (1) = ", where i 2 f1; 2; 3g, we mean O i is the function which, on any input, outputs empty string ". Denition 3.1 [IND-ATK] Let 5 := (K; E; D) be a public-key encryption scheme and let A := (A 1 ; A 2 ) be a pair of probabilistic algorithms (say Adversary). For atk 2 fcpa,cca1,cca2g and k 2 N, let dene Adv ind-atk A;5 (k) := 2 1 Pr[H ; (pk; sk) K(1 k ); (x 0 ; x 1 ; s) A O1;H 1 (pk); b R f0; 1g; y E pk (x b ) : A O2;H 2 (x 0 ; x 1 ; s; y) = b] 0 1: According to each attack, O 1 (1), O 2 (1) are dened as follows: If atk=cpa then O 1 (1) = " and O 2 (1) = " If atk=cca1 then O 1 (1) = D sk (1) and O 2 (1) = " If atk=cca2 then O 1 (1) = D sk (1) and O 2 (1) = D sk (1) A 2 is not allowed to make access to decryption oracle with y itself as a query. We dene that A 1 outputs (x 0, x 1 ) with x 0 6= x 1. We say that 5 is (t; q H ; qd; )-secure in the sense of IND-ATK if for every adversary A that runs at most in time t, achieving Adv ind-atk A;5 (k) <. Particularly, if t(k) is polynomial in k (the fact implies q H and q D are also polynomial in k) and (k) is negligible in k, then we just say that 5 is secure in the sense of IND-ATK. Remark 3.2 The above notation is dened in the random oracle model. In the standard model, one should think A := (A 1 ; A 2 ) is not allowed to make access to H, or just omit the random oracle from the original denition. We dened (t; q H ; qd; )-security above. breaking algorithm. Here, we dene a (t; q H ; qd; )- Denition 3.3 [Breaking Algorithm] Let 5 := (K; E; D) be a public-key encryption scheme. We say that an adversary A is a (t; q H ; qd; )-breaker for 5(1 k ) in IND-ATK if Adv ind-atk A;5 (k) and, moreover, A runs within at most running time t, asking at most q H queries to H(1) and at most qd queries to D sk (1). In addition, q H denotes the number of queries A asks to random function H(1), and similarly, q D denotes the number of queries A asks to decryption oracle D sk (1). In the case of atk = cpa, then qd = 0. In the case of the standard model, then q H = 0. 7

8 Remark is (t; q H ; qd; )-secure if and only if there exists no (t; q H ; qd; )- breaker. Remark 3.5 Let 5 and 5 0 be encryption schemes. Suppose that if 5 is (t; q H ; qd; )- secure, then 5 0 is (t 0 ; q 0 H ; q0 D ; 0 )-secure. We say informally that the reduction from 5 to 5 0 is tight if t t 0 and 0. We don't formalize \tight" in how exactly close they are. We review the notion of Plaintext Awareness, following [2, 4]. Loosely speaking, a public-key encryption scheme is plaintext-aware if every adversary can output a new ciphertext only if she knows the corresponding plaintext. To dene this intuitive notion, Bellare and Rogaway [2] introduced knowledge extractor, whose denition in [2] is incomplete but xed in the latter work [4]. In a plaintext-aware encryption scheme, an adversary can't gain her knowledge by asking the decryption oracle. Therefore, if a plaintext-aware encryption scheme is secure against chosen-plaintext attacks (CPA) (in the following denition, such a scheme is called PA), it is then secure against adaptive chosen-ciphertext attacks (CCA2). Denition 3.6 [Plaintext Awareness (PA)] Let 5 := (K; E; D) be a publickey encryption scheme, let B be an adversary, and let K be an polynomial-time algorithm (say knowledge extractor). For any k 2 N let Succ pa K;B;5 (k) := Pr[H ; (pk; sk) K(1 k ); (; ; y) runb H;Epk (pk) : K(; ; y; pk) = D sk (y)]; where := f(h 1 ; H 1 ); : : : ; (h qh ; H qh )g, := fy 1 ; : : : ; y qe g, and y 62. We describe a supplementary explanation: By (; ; y) runb H;Epk (pk) we mean the following. Run B on input pk and oracles H(1) and E pk (1) and record (; ; y) from B's interaction with its oracles. denotes the set of all B's queries and the corresponding answers of H(1). denotes the set of all the answers (ciphertexts) received as the result of E pk. Here we insist that doesn't include the corresponding queries (plaintexts) from B. y denotes the output of B. We say that K is a (t; (k))-knowledge extractor if Succ pa K;B;5 (k) (k) and K runs within at most running time t (or t steps). We say that 5 is secure in the sense of PA if 5 is secure in the sense of IND-CPA in the random oracle model and there exists a (t; (k))-knowledge extractor K for 5 where t is polynomial in k and (1 0 (k)) is negligible in k. Due to the work of [4], we have the following results. Proposition 3.7 PA! IND-CCA2 in the random oracle model. Corollary 3.8 PA! NM-CCA2 in the random oracle model. Finally we introduce a new property of public-key encryption, called - uniformity. 8

9 For encryption scheme 5, -uniformity is dened as a parameter to evaluate the substantial coin space how uniformly in how many large numbers the variants of the encryption of a message occur. We dene the exact denition below. Denition 3.9 [-uniformity] Let 5 = (K; E; D) be a public-key encryption scheme. For given x 2 f0; 1g mlen and y 2 f0; 1g 3, dene (x; y) = Pr[r R f0; 1g clen : y = E pk (x; r)]: We say that 5 is -uniform (for k 2 N) if, for any x 2 f0; 1g mlen and any y 2 f0; 1g 3, (x; y). For instance, the ElGamal encryption scheme is q 01 -uniform, where ((y; g; p; q); x) indicates a pair of public-key and secret-key such that y = g x mod p, x 2 Z=qZ, and q = # < g > while Okamoto-Uchiyama encryption scheme is (pq) 01 - uniform, where (p; q) is the secret key with regard to public-key n (= p 2 q). 4 Basic Scheme Let k 0 (1) and l(1) be polynomial and positive integer valued functions and let H : f0; 1g k! f0; 1g l(k) be an hash function. Suppose a public-key encryption scheme specied by 5 := (K; E; D) and associated functions, mlen(k) = k and clen(k) = l(k). We introduce a new public-key encryption scheme specied by 5 := ( K ; E H ; D H ) and associated functions, mlen(k) := k0k 0 and clen(k) = k 0 as follows: Basic Scheme 5 := ( K ; E H ; D H ) K(1 k ) := K(1 k ). E H pk : f0; 1g k0k0 2 f0; 1g k0! f0; 1g 3 is dened by E H pk(x; r) := E pk (xjjr); H(xjjr) where x 2 f0; 1g k0k0 and r 2 f0; 1g k0. D H sk (y) : f0; 1g 3! f0; 1g k0k0 [ f"g is dened by where [D sk (y)] k0k0 D H sk(y) := [Dsk (y)] k0k0 if 3 " (null) otherwise denotes the rst (k 0 k 0 )-bit of D sk (y) and 3 means \there exists D sk (y) and then it holds y = E pk D sk (y); H(D sk (y)) For simplicity, we often write just k 0, l for k 0 (k), l(k). ; ". 9

10 5 Security In this section, our goal is to prove Theorem 5.4. In the asymptotic view point, it means that 5 is secure in the sense of IND-CCA2, providing 5 is secure in the sense of IND-CPA. (And the parameter should be negligible in k, precisely speaking...) The security of 5 depends only on the security of the underlying encryption scheme 5 and its -uniformity. We will give a remark (Remark 5.5) in the bottom of this section that mentions -uniformity. To prove the main theorem, we will prepare Lemmas, 5.1 and 5.3. We begin with showing Lemma 5.1. Lemma 5.1 [Knowledge extractor] Suppose that 5 is -uniform and (t; 0; 0; )- secure in the sense of IND-CPA. Then for any q H there exist a (t 0 ; )-knowledge extractor K for 5 such that t 0 = q H (T E (k) + c 1 k) and = 1 0 : TE(1) is the computational running time of the encryption algorithm E pk (1) and c denotes some constant. Remark 5.2 Note that K is the knowledge extractor for 5, not 5. Proof. The specication of K is as follows: Extractor: K(; ; y; pk) for q H times do if y = E pk (h i ; H i ) then x [h i ] k0k0 and break else x " (null) return x. End. Here := f(h 1 ; H 1 ); : : : ;(h qh ; H qh )g. Then, from the specication, K runs within q H (TE(k) + O(1) 1 k) time. Think of the success probability of K. Here let F ail be an event assigned to be true i x 6= D H sk (y) and let AskH be an event assigned to be true i there exists (h i ; H i ) in the list such that y = E pk (h i ; H i ). Then it follows that Pr[F ail] = Pr[F ailjaskh] 1 Pr[AskH]+ Pr[F ailj:askh] 1 Pr[:AskH] Pr[F ailjaskh] + Pr[F ailj:askh] 0 + max (x; y) If AskH is true then K never fail to guess the plaintext x and hence it is clear that Pr[F ailjaskh] = 0. Next in the case that :AskH is true, K outputs ": K judges y is a invalid ciphertext. The probability of K's failure is that of B outputting valid ciphertext y, i.e., Pr[F ailj:askh] = Pr[(pk; sk) K(1 k ); y B(pk); r R f0; 1g l : D s k(y) 6= "]. Therefore, Pr[F ailj:askh]. Hence, = 1 0 Pr[F ail] =

11 Lemma 5.3 [ 5: IND-CPA secure] Suppose that 5 is (t 0 ; 0; 0; 0 )-secure in the sense of IND-CPA. Then, for any q H, 5 is (t; q H ; 0; )-secure in the sense of IND-CPA in the random oracle model where Here c denotes some constant. Proof. t = t 0 0 c 1 q H 1 k; and = 0 + q H 1 2 0(k001) : Suppose for contradiction that there exists a (t; q H ; 0; )-breaker A := (A 1 ; A 2 ) for 5(1 k ) in the sense of IND-CPA in the random oracle model. Then we will show that there exist a constant c 1 and a (t 0 ; 0; 0; 0 )-breaker A 0 := (A 0 1 ; A0 2 ) for 5 in the sense of IND-CPA in the standard model, where t 0 = t + c 1 1 q H 1 k; and 0 0 q H 1 2 0(k 001) : We run A 0 := (A 0 1 ; A0 2) in the IND-CPA and standard model setting, using A := (A 1 ; A 2 ) as oracles respectively. Basically, when A i asks query h, A 0 i works as follows: If h has not been entered in list, A 0 i, choosing l-bit random string H, makes an entry of (h; H) in and answers A i with H. If (h; H) is already in list, A 0 i answers A i with the corresponding H. The list is empty at rst. When A 1 outputs (x 0 ; x 1 ; s), A 0 1 outputs (x 0 jjr 0 ; x 1 jjr 1 ; s) where r 0, r 1 are k 0 -bit random strings generated by A 0 1. Then, outside A 0, y := E pk (X b ; R) is computed using a random bit b 2 f0; 1g and l-bit random string R, where X 0 := (x 0 jjr 0 ) and X 1 := (x 1 jjr 1 ). y is inputted on A 0 2 as well as (X 0 ; X 1 ; s). If A 2 asks either X 0 or X 1 as a query, A 0 2 makes A 2 stop and outputs the corresponding b 2 f0; 1g as an answer, otherwise A 2 follows the basic rule mentioned above. When A 2 asks neither of them, A 0 2 outputs b that A 2 output as an answer. The argument behind the proof is as follows: If A 2 asks a query to A 0 2, which coincides with either (x 0 jjr 0 ) or (x 1 jjr 1 ), it is almost equivalent to D sk (y), because (even unbounded powerful) A 2 has no clue to k 0 -bit random string r b, where b is the complement of bit b. Therefore, if A 2 asks either of them, the corresponding b is expected to be valid. On the other hand, if A 2 asks neither of them, A 2 is expected to output valid b because A 2 cannot distinguish y from a correct ciphertext for A 2. The specication of adversary A 0 := (A 0 1 ; A0 2) is as follows: Adversary: A 0 1(pk) " run A 1 (pk) do while A 1 does not make H-query h. if h 62 h H R f0; 1g l put (h; H) on the list answer A 1 with H else h 2 h 11

12 answer A 1 with H such that (h; H) 2 A 1 outputs (x 0 ; x 1 ; s) r 0 ; r 1 R f0; 1g k 0 return (x 0 jjr 0 ; x 1 jjr 1 ; s). End. Adversary: A 0 2 (x 0jjr 0 ; x 1 jjr 1 ; s; y) run A 2 (x 0 ; x 1 ; s; y) do while A 1 does not make H-query h if h = (x b jjr b ) for b 2 f0; 1g stop A 2 and output b else if h 62 h H R f0; 1g l put (h; H) on the list answer A 1 with H else h 2 h answer A 1 with H such that (h; H) 2 A 2 outputs b return b. End. Here, from Denition 3.1, b is chosen from f0; 1g with probability 1=2, R is an l-bit random string, and y = E pk (x b jjr b ; R). h is the set of h's in. c 1 corresponds to the computational time of comparing a bit to a bit, coin- ipping, and some overhead, depending on details of the underlying model of computation of A 0. Then, from the specication of A 0, it runs within at most running time (t + c 1 1 q H 1 k). We now analyze the success probability of adversary A 0 := (A 0 1 ; A0 2). First we dene the following events: SuccA := [H ; (pk; sk) K(1 k ); (x 0 ; x 1 ; s) A H 1 (pk); b R f0; 1g; r b ; r b R f0; 1g k0 ; y E pk ((x b jjr b ); H(x b jjr b )) : A H 2 (x 0; x 1 ; s; y) = b], and SuccA 0 := [(pk; sk) K(1 k ); (X 0 ; X 1 ; s) A 0 1(pk 0 ); b R f0; 1g; R b ; R b R f0; 1g k0 ; y E pk (X b ; R b ) : A 0 2(X 0 ; X 1 ; s; y) = b]; where b denotes the complement of b. We can dene the advantages of A and A 0, without loss of generality, by Adv ind-atk A; 5 (k) := 2 1 Pr[SuccA] 0 1 and Adv ind-atk A 0 ;5 (k) := 2 1 Pr[SuccA 0 ] 0 1 respectively. Next, let us dene by Ask0 an event assigned to be true i a query of A 2 coincides with (x b jjr b ) and by Ask1 an event assigned to be true i a query of A 2 coincides with (xbjjr b). Then, Pr[SuccA] = Pr[SuccAjAsk0] 1 Pr[Ask0] + Pr[SuccAj (:Ask0) ^Ask1]1Pr[(:Ask0)^Ask1]+ Pr[SuccAj(:Ask0)^(:Ask1)] 1 Pr[(:Ask0)^(:Ask1)], and Pr[SuccA 0 ] = Pr[SuccA 0 jask0]1pr[ask0]+pr[succa 0 j (:Ask0)^Ask1] 1 Pr[(:Ask0)^Ask1]+Pr[SuccA 0 j(:ask0)^ (:Ask1)]1Pr[(:Ask0)^ (:Ask1)]. From the specication of A 0, it is clear that Pr[SuccA 0 jask0] = 1, Pr[SuccA 0 j(:ask0) ^ Ask1] = 0 and Pr[SuccAj (:Ask0) ^ (:Ask1)] = Pr[SuccA 0 j (:Ask0) ^ (:Ask1)]. 12

13 Hence, Pr[SuccA 0 ] is at most Pr[(:Ask0) ^ Ask1]) less than Pr[SuccA] because Pr[SuccA 0 ] 0 Pr[SuccA] = (1 0 Pr[SuccAjAsk0]) 1 Pr[Ask0] 0 Pr[SuccAj (:Ask0) ^ Ask1] 1 Pr[(:Ask0) ^ Ask1] 0 Pr[(:Ask0) ^ Ask1]. Finally, we have Pr[SuccA 0 ] since Pr[(:Ask0) ^ Ask1] qh. 2 k 0 Therefore, we have that q H 2 k0 ; qh. This contradicts the statement of 5 2 k 0 01 being (t 0 ; 0; 0; 0 )-secure in the sense of IND-CPA. From Lemmas, 5.1 and 5.3, when k 0 is polynomial in k and is negligible in k, 5 is secure in the sense of PA in the random oracle model (See Def. 3.6). Therefore, Prop. 3.7, due to the work of [4], guarantee that 5 is secure in the sense of IND-CCA2 in the random oracle model. However, to estimate the exact security reduction, we will give a full description of the proof in the following: Theorem 5.4 [ 5: IND-CCA2 secure] Suppose that 5 is -uniform and (t 0 ; 0; 0; 0 )-secure in the sense of IND-CPA. Then, for any q H, q D, 5 is (t; q H ; q D ; )- secure in the sense of IND-CCA2 in the random oracle model where t = t 0 0 q H 1 (TE(k) + c 1 k); and = 0 1 (1 0 ) 0qD + q H 1 2 0(k001) : T E (1) denotes the computational running time of E pk (1) and c is a constant. Proof. Suppose for contradiction that there exists a (t; q H ; q D ; )-breaker A := (A 1 ; A 2 ) for 5 in the sense of IND-CCA2 in the random oracle model. Then we will construct (t 0 ; 0; 0; 0 )-breaker A 0 := (A 0 1 ; A0 2) for 5 in the sense of IND-CPA (in the standard model), where t 0 = t + q H 1 (TE(k) + c 1 k); and 0 ( 0 q H 1 2 0(k001) ) 1 (1 0 ) qd : The only dierence from the proof in Theorem 5.3 is that A make access to decryption oracle D H sk (1) to ask queries (since A works in the CCA2 attacking situation). Hence adversary A 0, having A as an oracle, must make the answer by herself when A make access to D sk H (1) with a query. Here, from Theorem 5.1, we can utilize knowledge extractor K (for 5) embedding the specication of K in A: If A make access to D sk H (1) with a query, then A0 make the answer, following the the specication of K. Then she can return the correct answer with probability = 1 0 every time. Since A can make access to D H sk (1) at most q D times, 0 ( 0 q H 1 2 0(k001) ) 1 (1 0 ) qd. The specication of adversary A 0 := (A 0 1 ; A0 2) is as follows: Adversary: A 0 1(pk) " 13

14 " run A 1 (pk) do while A 1 makes neither H-query h nor D-query y 0 if A 1 makes H-query h if h 62 h H R f0; 1g l put (h; H) on the list answer A 1 with H else h 2 h answer A 1 with H such that (h; H) 2 else if A 1 makes D-query y 0 run K(; ; y 0 ; pk) K outputs x 0 answer A 1 with x 0 A 1 outputs (x 0 ; x 1 ; s) r 0 ; r 1 R f0; 1g k 0 return (x 0 jjr 0 ; x 1 jjr 1 ; s). End. Adversary: A 0 2 (x 0jjr 0 ; x 1 jjr 1 ; s; y) y run A 2 (x 0 ; x 1 ; s; y) do while A 1 makes neither H-query h nor D-query y 0 if A 1 makes H-query h if [h] k0 = r b stop A 1 and output b else if h 62 h H R f0; 1g l put (h; H) on the list answer A 1 with H else h 2 h answer A 1 with H such that (h; H) 2 else if A 1 makes D-query y 0 run K(; ; y 0 ; pk) K outputs x 0 answer A 1 with x 0 A 1 outputs b return b. End. Here h is the set of h's in. Remark 5.5 The security of 5 depends on the security of the undelying encryption scheme 5 and its -uniformity. As increases to 1, the security parameter (of 5), described in Theorem 5.4, increases (becomes worse). If = 1, then the doesn't make sense any more. The solution of the problem is however easy. 14

15 If the of 5 is not small enough, then, with a large enough random string ^r, transform the underlying encryption algorithm E pk in 5 into ^E pk (x; rjj^r) := E pk (x; r) jj ^r; as the ^-uniformity of ^5 = ( ^K; ^E; ^D) becomes small enough. The ^ of ^5 is then 1 j^rj 01. Then, apply our conversion to ^5. If 5 meets the security notion of IND-CPA, ^5 also meets the same security notion. Therefore, the conversion should meets the security notion of IND-CCA2. 6 Examples: Enhanced Probabilistic Encryptions In this section, we convert IND-CPA secure ones to IND-CCA2 secure ones. Blum-Goldwasser [5], ElGamal [11] and Okamoto-Uchiyama [18] encryption schemes are the candidates, since they are practical and secure in the IND-CPA sense under some reasonable assumptions; factoring, decision Die-Hellman 3, and p-subgroup assumptions, respectively. [Enhanced Blum-Goldwasser scheme] pk := (n) and sk := (n; p; q) where n = pq, jpj = jqj = k=2, and p; q are Blum integers (i.e. prime numbers with p; q 3 (mod 4)). Hash function H: H: f0; 1g k! Z=nZ. Encryption E H : (y 1 ; y 2 ) E H pk (x; r) := (H(xjjr) 2k+1 mod n; x 8 R) where message x 2 f0; 1g k0k 0, r R f0; 1g k 0, and R := LSB[H(xjjr) 2 ] jjlsb[h(xjjr) 22 ] jj jj LSB[H(xjjr) 2k ]. Decryption D H : D H sk (y 1; y 2 ) := [y2 8 ^R] k0k 0 if 3 " (null) otherwise. Here 3 means \y 1 = H(y 2 8 R) 2k+1 mod n" and ^R := LSB[y 20k 1 ]jj jjlsb[y ]. Corollary 6.1 In the random oracle model, the Enhanced Blum-Goldwasser encryption scheme is secure in the sense of IND-CCA2 if the factoring problem is intractable. 3 To our knowledge, Tsiounis and Yung rst proved in [25] that the ElGamal encryption scheme is as secure as the decision Die-Hellman problem. In addition, they also presented a converted ElGamal scheme which is NM-CCA2 secure in the random oracle model. However, our converted one is more ecient than theirs. 15

16 [Enhanced ElGamal scheme] pk := (p; g; y) and sk := (p; g; s) where y = g s mod p, jpj = k + 1, s 2 Z=(p 0 1)Z, and # < g >= p 0 1. Hash function H: f0; 1g k 0! Z=(p 0 1)Z. Encryption E H : (y 1 ; y 2 ) E H pk (x; r) E pk(x; H r) := g H(xjjr) ; (xjjr) 1 y H(xjjr) where message x 2 f0; 1g k0k0 and r R f0; 1g k0. Decryption D H : D H sk(y 1 ; y 2 ) := [y2 1 y s 1] k0k0 if 3 " (null) otherwise. Here 3 means \y 1 = g H(y21ys 1 )) mod p". Corollary 6.2 In the random oracle model, the Enhanced ElGamal encryption scheme is secure in the sense of IND-CCA2 if the decision Die-Hellman problem is intractable. [Enhanced Okamoto-Uchiyama scheme] pk := (n; g; h; k) and sk := (p; q) where n = p 2 q, jnj = k + 1, and g 2 (Z=nZ) 3 such that the order of g p := g p01 mod p 2 is p, and h = g n mod n. Hash function H: H: f0; 1g k! Z=nZ. Encryption E H : E H pk (x; r) := g(xjjr) h H(xjjr) mod n; where message x 2 f0; 1g k0k0 and r R f0; 1g k0. Decryption D: D H sk(y) := ( [ L(yp) L(g p ) mod p]k0k0 if 3 " (null) otherwise where y p := y p01 mod p 2, L(x) := x01, and p X := L(yp) L(g p) means \y = g X h H(X) mod n". mod p and 3 Corollary 6.3 In the random oracle model, the Enhanced Okamoto-Uchiyama encryption scheme is secure in the sense of IND-CCA2 if the p-subgroup problem (see [18]) is intractable. 16

17 7 Conclusion This paper presented a simple and generic conversion from a public-key encryption scheme which is indistinguishable against chosen-plaintext attacks into a public-key encryption scheme which is indistinguishable against adaptive chosenciphertext attacks in the random oracle model. Our conversion incurs minimum cost, i.e., only one hash function operation. Our security reduction is very tight. Finally this paper applied the conversion to some practical public-key encryption schemes, the ElGamal, Blum-Goldwasser and Okamoto-Uchiyama schemes. Acknowledgment We would like to thank Phillip Rogaway for useful discussions and comments. We would also like to thank Yuliang Zheng for pointing out the incomplete summary of related works in the earlier manuscript [12]. References [1] M. Bellare and P. Rogaway, \Random Oracles are Practical: A Paradigm for Designing Ecient Protocols," Proc. of the First ACM Conference on Computer and Communications Security, pp.62{73. [2] M. Bellare and P. Rogaway, \Optimal Asymmetric Encryption How to encrypt with RSA" Advances in Cryptology {EUROCRYPT'94. [3] M. Bellare and P. Rogaway, \The Exact Security of Digital Signatures { How to Sign with RSA and Rabin", Advances in Cryptology { EUROCRYPT'96, pp. 399{416, Proceedings, Lecture Notes in Computer Science No. 1070, Springer-Verlag, [4] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, \Relations Among Notions of Security for Public-Key Encryption Schemes" Advances in Cryptology {CRYPTO'98. [5] M. Blum, and S. Goldwasser, \An ecient probabilistic public-key encryption scheme which hides all partial information", Proceeding of CRYPTO'84, LNCS 196, Springer-Verlag, pp (1985). [6] D. Bleichenbacher, \Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1", Advances in Cryptology { CRYPTO'98, Springer-Verlag, [7] Canetti, R., Goldreich, O. and Halevi, S., \The Random Oracle Methodology, Revisited", Proc. of STOC, ACM Press, pp.209{218 (1998). [8] R. Cramer and V. Shoup, \A practical public key cryptosystem provably secure against adaptive chosen message attack", Advances in Cryptology {CRYPTO'98, Springer-Verlag,

18 [9] I. Damgard, \Towards practical public key systems secure against chosen ciphertext attacks", Advances in Cryptology {CRYPTO'91, pp.445{456, Proceedings, Lecture Notes in Computer Science No. 576, Springer-Verlag, [10] D. Dolev, C. Dwork and M. Naor, \Non-malleable cryptography", Proceeding of STOC91, pp 542{552. [11] T. ElGamal, \A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, IT-31, 4, pp.469{472, [12] Fujisaki, E. and Okamoto, T., \How to Enhance the Security of Public-Key Encryption at Minimum Cost", Proc.of PKC'99, LNCS, Springer-Verlag (1999). [13] A. Fiat and A. Shamir, \How to prove yourself: Practical solutions to identication and signature problems", Advances in Cryptology {CRYPTO86, pp.186{194, Proceedings, Lecture Notes in Computer Science No. 263, Springer-Verlag, [14] O. Goldreich and S. Goldwasser and S. Micali, \How to Construct Random Functions", pp.464{479, Proceedings of FOCS84, IEEE, [15] O. Goldreich and S. Goldwasser and S. Micali, \On the Cryptographic Applications of Random Functions", Advances in Cryptology {CRYPTO84, pp.276{288, Proceedings, Lecture Notes in Computer Science No. 196, Springer, [16] S. Goldwasser, and S. Micali, \Probabilistic Encryption", JCSS, vol.28, pp.270{299, [17] M. Naor, and M. Yung \Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks", Proceeding of the 22nd Annual Symposium on Theory of Computing, ACM (STOC), pp.427{437, 1990 [18] T. Okamoto, and S. Uchiyama, \A New Public-Key Cryptosystem as Secure as Factoring", Advances in Cryptology {EUROCRYPT'98, Springer- Verlag, [19] D. Pointcheval, \Strengthened Security for Blind Signature Schemes," Advances in Cryptology {EUROCRYPT'98, Springer-Verlag, [20] D. Pointcheval and J. Stern, \Provably Secure Blind Signature Schemes", Advances in Cryptology {ASIACRYPT'96, pp.252{265, Proceedings, Lecture Notes in Computer Science No. 1163, Springer-Verlag, [21] D. Pointcheval and J. Stern, \Security Proofs for Signature Schemes," Advances in Cryptology {EUROCRYPT'96, pp.387{398, Proceedings, Lecture Notes in Computer Science No. 1070, Springer-Verlag,

19 [22] C. Racko and D.R. Simon, \Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack", Advances in Cryptology { CRYPTO91, pp.433{444, Proceedings, Lecture Notes in Computer Science No. 576, Springer-Verlag, [23] R. Rivest, A. Shamir and L. Adleman, \A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Communications of ACM, 21, 2, pp , [24] V. Shoup, and R. Gennaro, \Securing Threshold Cryptosystems against Chosen Ciphertext Attack", Advances in Cryptology {EUROCRYPT'98, Springer-Verlag, [25] Y. Tsiounis and M. Yung, \On the Security of ElGamal based Encryption", PKC'98, January, [26] Y. Zheng and J. Seberry, \Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks", Advances in Cryptology {CRYPTO'92, pp.292{304, Proceedings, Lecture Notes in Computer Science No. 740, Springer-Verlag,