Reducing Public Key Sizes in Bounded CCA-Secure KEMs with Optimal Ciphertext Length

Abstract

Currently, chosen-ciphertext CCA security is considered as the de facto standard security notion for public key encryption PKE, and a number of CCA-secure schemes have been proposed thus far. However, CCA-secure PKE schemes are generally less efficient than schemes with weaker security, e.g., chosen-plaintext security, due to their strong security. Surprisingly, Cramer et al. Asiacrypt 2007 demonstrated that it is possible to construct a PKE scheme from the decisional Diffie-Hellman assumption that yields i bounded CCA BCCA security which is only slightly weaker than CCA security, and ii one group element of ciphertext overhead which is optimal. In this paper, we propose two novel BCCA-secure PKE schemes with optimal ciphertext length that are based on computational assumptions rather than decisional assumptions and that yield shorter or at least comparable public key sizes. Our first scheme is based on the computational bilinear Diffie-Hellman assumption and yields $$O\lambda q$$ group elements of public key length, and our second scheme is based on the factoring assumption and yields $$O\lambda q^2$$ group elements of public key length, while in Cramer et al.'s scheme, a public key consists of $$O\lambda q^2$$ group elements, where $$\lambda $$ is the security parameter and q is the number of decryption queries. Moreover, our second scheme is the first PKE scheme which is BCCA-secure under the factoring assumption and yields optimal ciphertext overhead.