Hybrid Damgård Is CCA1-Secure under the DDH Assumption
نویسندگان
چکیده
In 1991, Damgård proposed a simple public-key cryptosystem that he proved CCA1-secure under the Diffie-Hellman Knowledge assumption. Only in 2006, Gjøsteen proved its CCA1-security under a more standard but still new and strong assumption. The known CCA2-secure public-key cryptosystems are considerably more complicated. We propose a hybrid variant of Damgård’s public-key cryptosystem and show that it is CCA1-secure if the used symmetric cryptosystem is CPA-secure, the used MAC is unforgeable, the used key-derivation function is secure, and the underlying group is a DDH group. The new cryptosystem is the most efficient known CCA1-secure hybrid cryptosystem based on standard assumptions.
منابع مشابه
On CCA1-Security of Elgamal And Damgård’s Elgamal
We establish the complete complexity landscape surrounding CCA1-security of Elgamal and Damgård’s Elgamal (DEG). Denote by X [i] the assumption that the adversary, given a non-adaptive oracle access to the Y oracle with i free variables cannot break the assumption X . We show that the CCA1-security of Elgamal is equivalent to the DDH assumption. We then give a simple alternative to Gjøsteen’s p...
متن کاملBlackbox Construction of a More Than Non-Malleable CCA1 Encryption Scheme from Plaintext Awareness
We construct a Non-Malleable Chosen Ciphertext Attack (NM-CCA1) encryption scheme from any encryption scheme that is also plaintext aware and weakly simulatable. We believe this is the first construction of a NM-CCA1 scheme that follows strictly from encryption schemes with seemingly weaker or incomparable security definitions to NM-CCA1. Previously, the statistical Plaintext Awareness #1 (PA1)...
متن کاملOn the CCA1-Security of Elgamal and Damgård's Elgamal
It is known that there exists a reduction from the CCA1security of Damg̊ard’s Elgamal (DEG) cryptosystem to what we call the ddh assumption. We show that ddh is unnecessary for DEGCCA1, while DDH is insufficient for DEG-CCA1. We also show that CCA1-security of the Elgamal cryptosystem is equivalent to another assumption ddh, while we show that ddh is insufficient for Elgamal’s CCA1-security. Fin...
متن کاملMore efficient DDH pseudorandom generators
In this paper, we first show a DDH Lemma, which states that a multi-variable version of the decisional Diffie-Hellman problem is hard under the standard DDH assumption, where the group size is not necessarily known. Our proof, based on a self-reducibility technique, has a small reduction complexity. Using DDH Lemma, we extend the FSS pseudorandom generator of Farashahi et al. to a new one. The ...
متن کاملA New Paradigm of Hybrid Encryption Scheme
In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup [12] by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense of IND-CCA under the DDH assumption in...
متن کامل