Submission to IEEE P 1363 aHD { RSA : Hybrid Dependent RSAa New Public - Key Encryption

This paper describes a new hybrid RSA-based public-key encryption scheme, the HD-RSA. It relies on the recently proposed Dependent{RSA problem, which can be proven as diicult as the original RSA problem, in some circumstances. The basic scheme, using the \one-time pad" symmetric encryption, provides a both very eecient scheme and secure relative to the sole Dependent{RSA problem. A more general proposal, by integrating symmetric encryption schemes, allows much higher rates under a very weak assumption about the symmetric scheme used. The general scheme is rst presented together with a careful study of its security relative to the Dependent{RSA problem. Then, the hardness of this new problem is discussed, namely by proving its equivalence with RSA, for well-chosen exponents. Therefore, it results that this new encryption scheme is semantically secure against any kind of attacks, namely non-adaptive and even adaptive chosen-ciphertext ones. Moreover, with a similar security as OAEP{RSA (PKCS #1 v2.0), this scheme can reach higher speed rates. Furthermore, if one compares it with the DHAES or EPOC (two other IEEE P1363a candidates for encryption), eeciency gets many times better. 3 1 Preliminaries This paper proposes a new hybrid method for encrypting messages using both the Dep-endent{RSA problem and any one-time secure symmetric encryption scheme. It is freely derived from the Eurocrypt '99 paper 23], which is added in appendix. Let us rst more formally deene the required background. For all the problems presented below, we are given a large composite RSA modulus N = pq and an exponent e relatively prime to '(N), the totient function of the modulus N. Let us deene a rst new problem called the Computational Dependent{RSA Problem (C DRSA). e mod N, where = a e mod N. Notation: We denote by Succ(A) the success probability of an adversary A in nding (a + 1) e mod N: Succ(A) = Pr a A(a e mod N) = (a + 1) e mod N]. As it has already been done with the Diie-Hellman problem 14, 8], we can deene a decisional version of this problem, which we therefore call the Decisional Dependent{ RSA Problem (D DRSA): Given a candidate to the Computational Dependent{RSA problem , is it the right solution?