
Recently, various public key encryption schemes, such as DHIES by Abdalla, Bellare and Rogaway and REACT by Okamoto and Pointcheval, whose security against adaptive chosen-ciphertext attack (CCA) is based on the Gap problems, have been proposed. Although the Gap problems were proved to be a sufficient assumption for those schemes to be secure against adaptive chosen-ciphertext attack, a necessary condition for CCA security of those schemes has not been explicitly discussed. In this paper we clarify the necessary condition for CCA security of those schemes. Namely, we prove (in the random oracle model) that Gap Diffie-Hellman is not only a sufficient but also a necessary assumption for the CCA security of DHIES and the Diffie-Hellman version of REACT. We also show that our result applies to a wider class of public key encryption schemes. Furthermore, we show that our result implies the equivalence, in the random oracle model, between the ‘Strong Diffie-Hellman’ and ‘Oracle Diffie-Hellman’ assumptions proposed by Abdalla, Bellare and Rogaway. Our results may be used as criteria for distinguishing public key encryption schemes whose CCA security is based on strong assumptions (such as Gap Diffie-Hellman) from those schemes based on weaker ones (such as Computational Diffie-Hellman).

Keywords: Encryption Scheme, Random Oracle, Message Authentication Code, Random Oracle Model, Security Notion
