A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack

1 I n t r o d u c t i o n In this paper, we present and analyze a new public key cryptosystem that is provably secure against adaptive chosen ciphertext attack (as defined by Rackoff and Simon [20]). The scheme is quite practical, requiring just a few exponentiations over a group. Moreover, the proof of security relies only on a standard intractability assumption, namely, the hardness of the Diffie-Hellman decision problem in the underlying group. The hardness of the Diffie-Hellman decision problem is essentially equivalent to the semantic security of the basic E1 Gamal encryption scheme [12]. Thus, with just a bit more computation, we get security against adaptive chosen ciphertext attack, whereas the basic E1 Gamal scheme is completely insecure against adaptive chosen ciphertext attack. Actually, the basic scheme we describe also requires a universal one-way hash function. In a typical implementation, this can be efficiently constructed without extra assumptions; however, we also present a hash-free variant as well. While there are several provably secure encryption schemes in the literature, they are all quite impractical. Also, there have been several practical cryptosystems that have been proposed, but none of them have been proven secure under standard intractability assumptions. The significance of our contribution is that it provides a scheme that is provably secure and practical at the same time. There appears to be no other encryption scheme in the literature that enjoys both of these properties simultaneously.