Sciweavers

ASIACRYPT
2008
Springer

Chosen Ciphertext Security with Optimal Ciphertext Overhead

14 years 1 months ago
Chosen Ciphertext Security with Optimal Ciphertext Overhead
Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while re...
Masayuki Abe, Eike Kiltz, Tatsuaki Okamoto
Added 12 Oct 2010
Updated 12 Oct 2010
Type Conference
Year 2008
Where ASIACRYPT
Authors Masayuki Abe, Eike Kiltz, Tatsuaki Okamoto
Comments (0)