Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

Paillier, Pascal; Villar, Jorge L.

doi:10.1007/11935230_17

Cited by 37 publications

(48 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that, at this point, we are still in a setting with an all-powerful oracle Σ and the non-interactive problem may indeed be easy relative to this oracle, without contradicting the presumed hardness in the standard model. Now we apply meta-reduction techniques, as put forward for example in [7,9,14,28], to remove the oracle Σ from the scenario. Given R we show how to build a meta-reduction M (a "reduction for the reduction") to derive an efficient solver for the problem, but now without any reference to the magic adversary and Σ (right part of Figure 1).…”

Section: The Idea Behind Our Resultsmentioning

confidence: 99%

“…The other approach uses meta-reductions [4,7,8,9,14,28] and usually treats the adversary as a black box. In our case, we show that no black-box reduction to arbitrary (non-interactive) cryptographic problems can exist.…”

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

“…This limitation does not hold for our results. -Meta-reduction separations such as [4,8,28] consider the impossibility of reductions from secure encryption or signatures to a given RSA instance. Yet, they often fall short of providing any meaningful claim if other assumptions enter the security proof, e.g., the result in [28] does not hold anymore if two RSA instances are given or an additional collision-resistant hash function is used in the design.…”

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

“…-Meta-reduction separations such as [4,8,28] consider the impossibility of reductions from secure encryption or signatures to a given RSA instance. Yet, they often fall short of providing any meaningful claim if other assumptions enter the security proof, e.g., the result in [28] does not hold anymore if two RSA instances are given or an additional collision-resistant hash function is used in the design. In comparison, our general approach covers such cases as we can easily combine non-interactive problems P 1 , P 2 into more complex problems like P 1 ∨P 2 and P 1 ∧P 2 , requiring to break one of the two problems and both of them, respectively.…”

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

See 3 more Smart Citations

On the Impossibility of Three-Move Blind Signature Schemes

Fischlin

Schröder

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We investigate the possibility to prove security of the wellknown blind signature schemes by Chaum, and by Pointcheval and Stern in the standard model, i.e., without random oracles. We subsume these schemes under a more general class of blind signature schemes and show that finding security proofs for these schemes via black-box reductions in the standard model is hard. Technically, our result deploys metareduction techniques showing that black-box reductions for such schemes could be turned into efficient solvers for hard non-interactive cryptographic problems like RSA or discrete-log. Our approach yields significantly stronger impossibility results than previous meta-reductions in other settings by playing off the two security requirements of the blind signatures (unforgeability and blindness).

show abstract

Section: The Idea Behind Our Resultsmentioning

confidence: 99%

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

Section: The Essence Of Our Meta-reduction and Impossibility Of Randomentioning

confidence: 99%

See 2 more Smart Citations

On the Impossibility of Three-Move Blind Signature Schemes

Fischlin

Schröder

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Finally, in the realm of factoring/RSA-based CCA encryption, Paillier and Villar [30] and Brown et al [6], showed uninstantiability results analogous to already-mentioned RSA signature result of Paillier [28].…”

Section: Other Related Workmentioning

confidence: 73%

On the Instantiability of Hash-and-Sign RSA Signatures

Dodis

Haitner

Tentes

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The hash-and-sign RSA signature is one of the most elegant and well known signatures schemes, extensively used in a wide variety of cryptographic applications. Unfortunately, the only existing analysis of this popular signature scheme is in the random oracle model, where the resulting idealized signature is known as the RSA Full Domain Hash signature scheme (RSA-FDH). In fact, prior work has shown several "uninstantiability" results for various abstractions of RSA-FDH, where the RSA function was replaced by a family of trapdoor random permutations, or the hash function instantiating the random oracle could not be keyed. These abstractions, however, do not allow the reduction and the hash function instantiation to use the algebraic properties of RSA function, such as the multiplicative group structure of Z * n . In contrast, the multiplicative property of the RSA function is critically used in many standard model analyses of various RSA-based schemes.Motivated by closing this gap, we consider the setting where the RSA function representation is generic (i.e., black-box) but multiplicative, whereas the hash function itself is in the standard model, and can be keyed and exploit the multiplicative properties of the RSA function. This setting abstracts all known techniques for designing provably secure RSA-based signatures in the standard model, and aims to address the main limitations of prior uninstantiability results. Unfortunately, we show that it is still impossible to reduce the security of RSA-FDH to any natural assumption even in our model. Thus, our result suggests that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black box security proof, or use specific properties of the RSA group that are not captured by its multiplicative structure alone. We complement our negative result with a positive result, showing that the RSA-FDH signatures can be proven secure under the standard RSA assumption, provided that the number of signing queries is a-priori bounded.

show abstract

A limitation on security evaluation of cryptographic primitives with fixed keys

Kawai

Hanaoka

Ohta

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we discuss security of public-key cryptographic primitives in the case that the public key is fixed. In the standard argument, security of cryptographic primitives are evaluated by estimating the average probability of being successfully attacked where keys are treated as random variables. In contrast to this, in practice, a user is mostly interested in the security under his specific public key, which has been already fixed. However, it is obvious that such security cannot be mathematically guaranteed because for any given public key, there always potentially exists an adversary, which breaks its security. Therefore, the best what we can do is just to use a public key such that its effective adversary is not likely to be constructed in the real life and, thus, it is desired to provide a method for evaluating this possibility. The motivation of this work is to investigate (in)feasibility of predicting whether for a given fixed public key, its successful adversary will actually appear in the real life or not. As our main result, we prove that for any digital signature scheme or public key encryption scheme, it is impossible to reduce any fixed key adversary in any weaker security notion than the de facto ones (i.e., existential unforgery against adaptive chosen message attacks or indistinguishability against adaptive chosen ciphertext attacks) to fixed key adversaries in the de facto security notion in a black-box manner. This result means that, for example, for any digital signature scheme, impossibility of extracting the secret key from a fixed public key will never imply existential unforgery against chosen message attacks under the same key as long as we consider only black-box analysis.

show abstract

Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

Cited by 37 publications

References 17 publications

On the Impossibility of Three-Move Blind Signature Schemes

On the Impossibility of Three-Move Blind Signature Schemes

On the Instantiability of Hash-and-Sign RSA Signatures

A limitation on security evaluation of cryptographic primitives with fixed keys

Contact Info

Product

Resources

About