Optimal Asymmetric Encryption

Mihir Bellare 1 and Phillip Rogaway 2

1 Advanced Networking Laboratory, IBM T.J. Watson Research Center,

PO Box 704, Yorktown Heights, NY 10598, USA. e-mail: aihirQ~atson, ibm. corn
2 Department of Computer Science, University of California at Davis,
Davis, CA 95616, USA. e-mail: rogawayQcs.ucdavis.edu

A b s t r a c t . Given an arbitrary k-bit to /c-bit trapdoor permutation f

and a hash function, we exhibit an encryption scheme for which (i) any
string z of length slightly less than k bits can be encrypted as f ( r , ) ,
where rffi is a simple probabilistic encoding of z depending on the hash
function; and (ii) the scheme can be proven semantically secure assuming
the hash function is "ideal." Moreover, a slightly enhanced scheme is
shown to have the property that the adversary can create ciphertexts
only of strings for which she "knows" the corresponding plaintexts--
such a scheme is not only semantically secure but also non-malleable
and secure against chosen-ciphertext attack.

1 Introduction

A s y m m e t r i c (i.e. public key) encryption is a goal for which there is a large and
widely-recognized gap between practical schemes and provably-secure ones: the
practical m e t h o d s are efficient but not well-founded, while the provably-secure
schemes have more satisfying security properties but are not nearly as efficient?
The goal of this p a p e r is to (nearly) have it all: to do a s y m m e t r i c encryption in
a way as efficient as any mechanism yet suggested, yet to achieve an assurance
benefit almost as good as t h a t obtained by provable security.
In the setup we consider a sender who holds a k-bit to k~bit t r a p d o o r permu-
tation f and wants to transmit a message z to a receiver who holds the inverse
p e r m u t a t i o n f - l . We concentrate on the case which arises m o s t often in cryp-
tographic practice, where n = Iz[ is at least a little smaller t h a n k.
W h a t practioners want is the following: encryption should require just one
c o m p u t a t i o n of f ; decryption should require just one c o m p u t a t i o n of f - l ; the
length of the enciphered text should be precisely k; and the length n of the
text z t h a t can be encrypted is close to k. Since heuristic schemes achieving
these conditions exist [22, 15], if provable security is provided at the cost of
violating any of these conditions (e.g., two applications of f to encrypt, message
length n + k rather t h a n k) practioners will prefer the heuristic constructions.

3 By a provably-secure scheme we mean here one shown, under some standard

complexity-theoretic assumption, to achieve a notion of security at least as strong
as semantic security [II].
 93

Thus to successfully impact practice one must provide provably-secure schemes

which meet the above constraints.
The heuristic schemes invariably take the following form: one (probabilisti-
cally, invertibly) embeds z into s string rz and then takes the encryption of z
to be f(r~). 4 Let's call such a process a simple-embedding scheme. We will take
as our goal to construct provably-good simple-embedding schemes which allow
n to be close to k.
Assuming an ideal hash function and an arbitrary trapdoor permutation, we
describe and prove secure two simple-embedding schemes that are bit-optimal
(i.e., the length of the string z that can be encrypted by f(r~) is almost k). Our
first scheme achieves semantic security [11], while our second scheme achieves a
notion of plaintext-aware encryption, which we introduce here. This new notion
is very strong, and in particular implies "ambitious" goals like chosen-ciphertext
security and non-malleability [7] in the ideal-hash model which we assume.
The methods of this paper are simple and completely practical. They provide
a good starting point for an asymmetric encryption/key distribution standard.
Next we describe our schemes and their properties. W e refer the reader to
Section 1.7 for discussion of previous work on encryption and comparisons with
ours.

1.1 T h e basic scheme

Recall k is the security parameter, f mapping k-bits to k-bits is the trapdoor
permutation. Let k0 be chosen such that the adversary's running time is signif-
icantly smaller than 2 k~ steps. W e fix the length of the message to encrypt as
n = k - k0 bits (shorter messages can be suitably padded to this length). The
scheme makes use of a "generator" G: {0, 1} ~~ --, {0, 1} '~ and a "hash function"
H: {0, 1~'~ --, {0, 1~ ~~ To encrypt z E {0, 1) '~ choose a random ko-bit r and set
e G(r) ff r e e
Here "H" denotes concatenation. The decryption function ~)G,H is defined in the
obvious way, and the pair (E, ~7) constitutes what we call the "basic" scheme.
We prove security under the assumption that G, H are "ideal." This means
G is a random function of {0, 1~ t~ to {0, 1} n and H is a random function of
{0, 1~'~ ---, {0, 1) ~~ The formal statement of our result is in Theorem 3. It says
that if f is a trapdoor permutation and G, H are ideal then the basic scheme
achieves the notion of semantic security [11] appropriately adjusted to take ac-
count of the presence of G, H .
In practice, G and H are best derived from some standard cryptographic
hash function. (For example, they can he derived from the compression function
of the Secure Hash Algorithm [18] following the methods described in [2]).
4 It is well-known that a naive embedding like r~ = z is no good: besides the usued
deficiencies of any deterministic encryption, f being a trapdoor permutation does
not mean that f ( z ) conceals all the interesting properties of z. Indeed it was exactly
such considerations that helped inspire ideas like semantic security [11] and hardcore
bits [5, 26].
 94

1.2 The plalntext aware scheme

A variety of goals for encryption have come to be known which are actually
stronger than the notion of [11]. These include non-malleability [7] and chosen
ciphertext security. We introduce a new notion of an encryption scheme being
plain~ezt-aware--roughly said, it should be impossible for a party to produce a
valid ciphertext without "knowing" the corresponding plalntext (see Section 3
for a precise definition). In the ideal-hash model that we assume, this notion can
be shown to imply non-malleability and chosen-ciphertext security.
We construct a plalntext-aware encryption scheme by slightly modifying the
basic scheme. Let/c and/Co be as before and let k 1 be another parameter. This
time let r~ : k -- k0 - kl. Let the generator be G: {O, 1} ~~ --* {0, 1}'~+kl and the
hash function H: {0, 1}'~+~1 ~ {0, 1} k0. To encrypt, choose a random k0-bit r
and set

= f(,0 l e GCr) II r e H ( , 0 e G(r))).

The decryption ~)u,s is defined in the obvious way and the pair constitutes the
scheme we call "plalntext-aware."
The formal statement of our results are in Theorems 5 and 6. They say that if
f is a trapdoor permutation and G, H are ideal then the plalntext-aware scheme
is a semantically secure, plalntext-aware encryption. In practice, again, G and
H are derived from some standard cryptographic hash function.

1.3 Efficiency

The function f can be set to any candidate trapdoor permutation such as RSA
[21] or modular squaring [19, 3]. In such a case the time for computing G and
H is negligible compared to the time for computing f, f - 1 . Thus complexity is
discussed only in terms of f, f - 1 computations. In this light our basic encryption
scheme requires just a single application of f to encrypt, a single application
of f - 1 to decrypt, and the length of the ciphertext is k (as long as k _~ n Jr k0).
Our p]alntext-aware scheme requires a single application of f to encrypt, a single
application of f - 1 to decrypt, and the length of the ciphertext is still k (as long
as k >_ n + k 0 + k l ) .
A concrete instantiation of our plaintext aware scheme (using RSA for f and
getting G, H from the Secure Hash Algorithm [18]) is given in Section 7.

1.4 The ideal hash function paradigm

As we indicated above, when proving security we take G, f f to be random, and

when we want a concrete scheme, G, H are instantiated by primitives derived
from a cryptographic hash function. In this regard we are following the paradigm
of [2] who argue that even though results which assume an ideal hash function do
not provide provable security with respect to the standard model of computation,
assuming an ideal hash function and doing proofs with respect to it provides
 95

much greater assurance benefit t h a n purely ad. hoc. protocol design. We refer
the reader to t h a t paper for further discussion of the meaningfulness, motivation
and history of this ideal hash approach.

1.5 Exact security

W e want our results to be meaningful for practice. In particular, this means we

should be able to say meaningful things about the security of our schemes for
specific values of the security parameter (eg. k = 512). This demands not only
that we avoid asymptotics and address security "exactly," but also that we strive
for security reductions which are as efficientas possible,s
Thus the theorem proving the security of our basic scheme quantifies the
resources and success probability of a potential adversary: let her run for time
t, make qsen queries of G and qhash queries of H, and suppose she could "break"
the encryption with probability ~. It then provides an algorithm M and numbers
t~,d such that M inverts the underlying trapdoor permutation f in time t' with
probability C. The strength of the result is in the values of tI,d which are
specified as functions of t, qgen, qhash, e and the underlying scheme p a r a m e t e r s
h, k0, n (h --- k0 + n). Now a user with some idea of the (assumed) strength of a
particular f (eg. RSA on 512 bits) can get an idea of the resources necessary to
break our encryption scheme.

1.6 Extensions

T h e assumption that n = {z{ _< k - h0 - hi can be removed while retaining the

bit o p t i m a l i t y of the scheme: the ideas presented here can be extended to design
an authenticated encryption scheme (provably secure in the ideal-hash model
assuming an arbitrary trapdoor permutation) where encryption still requires one
application of f on a k-bit input; decryption still requires one application of f - 1
on a h-bit input; and now the length of the encrypted text will be max{h, {z t +
ho + hl]..

1.7 P r i o r w o r k in e n c r y p t i o n

We briefly survey relevant prior art in encryption. In the following, f m a p p i n g

k-bits to k-bits is the trapdoor permutation. As above, the following assumes
the length n of the message to be encrypted is at most k. We begin by discussing
work on attaining semantic security, and then move on to stronger goals.

b Exact security is not new: previous works which address it explicitly include [10,
14, 23, 16, 8, 1]. Moreover, although it is true that most theoretical works only
provide asymptotic security guarantees of the form Uthe success probability of a
polynomially bounded adversary is negligible" (everything measured as a function
of the security parameter), the exact security can be derived from examination of
the proof. (However, a lack of concern with the exactness means that in many cases
the reductions are very inefficient, and the results are not useful for practice).
 96

Goldwasser and Micali [11] first suggested encrypting a message by prob-

abilistically encrypting each of its bits: if By denotes a hard core predicate
[5, 26, 10] for the trapdoor permutation f , then the encryption of z = z l . . . z , ,
is EGM(Z) : f ( r x ) I I ' ' ' Hf ( r n ) , where each ri is randomly chosen from the do-
main of f subject to B ! (r~) = z~. This yields an encryption of length O(nk)
which requires n evaluations of f to encrypt and n evaluation of f - 1 to decrypt,
which is not practical.
The more efficient construction of Blum and Goldwasser [4] is based on the
particular choice of f as the modular squaring function [19]. They achieve en-
cryption size n + h. They require O(r~hz/log h) steps to encrypt and O(h s) steps
to decrypt. The encryption is longer than ours by n bits. To compare the time
complexities, take the function f in our scheme to also be squaring. Then their
encryption time is a factor O(n/log k) more than ours. Their decryption time is
a constant factor more than ours.
Of course the above two schemes have the advantage of being based only on
standard assumptions, not the use of an ideal hash function.
The discrete log function simultaneously hides a constant fraction of the bits
of its pre-image [24]. But it is not known to have a trapdoor and hence is not
usable for the problem we are considering.
W h a t we have called simple-embedding schemes are prevalent in computing
practice. One example is the RSA Public Key Cryptography Standard ~ 1 [22],
where r= in the embedding z ~ rffi is essentially z in the low-order bit positions
and a string of random non-zero bytes in the remaining bit positions. A more
refined scheme is described in [15]; a simplified version of it is
= f(( o e O(,.)) II ,').
Of course the problem with both of these schemes is that there is no compelling
reason to believe that z is as hard to compute from f(rffi) as r= is hard to com-
pute from f(rffi)--let alone that all interesting properties of z are well-hidden by
f(r~). Indeed whether or not [22, 15] "work" depends on aspects of f beyond
its being one-way. In particular, it is easy to show that if there exists a trapdoor
permutation then there exists one for which encryption as above is completely
insecure, e
In [2] we suggested the scheme

E~R(=) = f ( " ) II C(,') 9 =.

and proved it semantically secure in the same ideal-hash model used here. In
comparison with the schemes given here, the drawback is that the encryption
size is n + k rather than h.
Now we turn to stronger goals. Chosen-ciphertext security was provably
achieved by [17], but the scheme is extremely inefficient. More practical encryp-
tion schemes which aimed at achieving chosen ciphertext security were proposed
by Damg&rd [6] and Zheng and Seberry [27]. The latter scheme is

~H(z) = f(r) II (c(,,) 9 (= II H(=)),

s B u t f is mandated to be B.SA in both of [22, 15].
 97

matching our plaintext aware scheme in computation but having bit complex-
ity n + k + kl. Non-malleability is provably achieved by [7], but the scheme
is extremely inefficient. An efficient scheme proven in [2] to achieve both non-
malleability and chosen-ciphertext security under the ideal-hash model is

Again the drawback is a bit complexity of n + k + kx.

2 Preliminaries

2.1 Probabilistic algorithms

We shall use notation of [13]. If A is a probabilistic algorithm then A(z, 9,'" ")
refers to to the probability space which to the string a assigns the probability that
A on inputs z, 9 , ' " outputs or. If S is a probability space we denote its support
(the set of elements of positive probability) by [S]. When S is a probability
space, z *- S denotes selecting a random sample from S. We use x, y ~-- S
as shorthand for z ~-- S; 9 ~-- S. For probability spaces S, T , . . . , the notation
Pr[z ~-- S; Y ~-- T; . . . : p ( z , 9 , - " ) ] denotes the probability that the predicate
p(z, 9 , " ") is true after the (ordered) execution of the algorithms z ~-- S, 9 *-- T,
etc.. P P T is short for "probabilistic, polynomial time."
In evaluating the complexity of oracle machines we adopt the usual conven-
tion that all oracle queries receive their answer in unit time.

2.2 Random oracles

We will be discussing schemes which use functions G, H chosen at random from
appropriate spaces (the input and output lengths for G and H depend on para-
meters of the scheme). When stating definitions it is convenient to not have to
worry about exactly what these spaces may be and just write G, H ~-- f~, the lat-
ter being defined as the set of all maps from the set {0, 1)* of finite strings to the
set ~0, 1} c~ of infinite strings. The notation should be interpreted as appropriate
to the context--for example, if the scheme says G maps ~0, 1~a to ~0, 1} ~ then
we can interpret G ~-- f~ as meaning we choose G from f~ at random, restrict the
domain to {0, 1~~, and drop all but the first b bits of output.

2.3 Trapdoor permutations and their security

Our encryption schemes require a trapdoor permutation generator. This is a P P T
algorithm ~ such that ~r(lk) outputs a pair of deterministic algorithms (f, f - l )
specifying a permutation and its inverse on ~0, 1~k.
We associate to Y" an evaluation time Ty(-): for all k, all (f, f - x ) E [Y(I~)]
and all w E {0, 1} ~, the time to compute f(w) (given f and w) is Ty(k). Note
the evaluation time depends on the setting: for example on whether or not there
is hardware available to compute f .
 98

We will be interested in two attributes of a (possibly non-uniform) algorithm

M trying to invert Y(l~)-distributed permutations; namely its running time and
its success probability.

D e f i n i t i o n 1. Let Y be a trapdoor permutation generator. We say that algo-

rithm M (~, e)-inverts Jr(lk) if

Pr[ (f, F 1) {0,1)4;

y~-- f(w): M(f,y)=w]~_e,
and, moreover, in the experiment above, M runs in at most t steps.

RSA [21] is a good candidate function as a secure trapdoor permutation. 7

3 Semantically secure encryption

We extend the definition of semantic security [11] to the random oracle model
in a way which enables us to discuss exact security.

3.1 Encryption schemes

An asymmetric (i.e. public key) encryption scheme is specified by a probabilistic

generator, ~, and an associated plaintezt-length function, n(.). On input 1k, the
generator G outputs s pair of algorithms (s :D), the first of which is probabilistic.
Each of these algorithms has oracle-access to two functions, one called G and
one called H. A user i runs G to get (s T~) and makes the former public while
keeping the latter secret. To encrypt message z E {0, 1}'~(~) using functions G, H ,
anyone can compute y ~ g o ' H ( z ) and send it to i. To decrypt ciphertext y
user i computes z ~-- ~ u , ~ ( y ) . We require ~ G , H ( y ) __ Z for all y G [s
We further demand that D~ : * if there is no z such that y E [ca'H(z)].
An adversary is a (possibly nonuniform) algorithm A with access to oracles
G, H . We assume without loss of generality that an adversary makes no partic-
ular G-query more than once and no particular H-query more than once. For
simplicity we assume that the number of G-queries and H-queries that an ad-
versary makes don't depend on its coin tosses but only, say, on the length of its
input.

3.2 Semantic security

The following definition will be used to discuss (exact) security. It captures the
notion of semantic security [11] appropriately lifted to take into account the
presence of G, H .
7 Candidates like RSA [21] don't quite fit our definition, in that the domain of RSA
is some Z~, a proper subset of of {0, 1~h. Things can be patched in standard ways.
 99

We consider an adversary who runs in two stages. In the find-stage it is given

an encryption algorithm s and outputs a pair z0, z t of messages. It also outputs
a string c which could record, for example, its history and its inputs. Now we pick
at random either z0 or Zl (the choice made according to a bit b) and encrypt
it (under ~) to get y. In the guess-stage we provide A the output z0, Zx, c of
the previous stage, and y, and we ask it to guess b. (We assume wlog that s is
included in c so that we don't need to explicitly provide it again). Its success
probability is its advantage in guessing b.

D e f l n l t l o n 2 . Let G be a generator for an encryption scheme having plaintext-

length function n(.). An adversary A is said to (t, qgen, qha,h, e)-break G(1 ~) if

b ~ (0, 1}; U +-- ea'*z(*b) : A a ' H c y , z o , x t , c) -- b] - ~,

and, moreover, in the experiment above, A runs for at most t steps, makes at
most qsen queries to G, and makes at most qhash queries to H .

Note that t is the total running time; ie. the sum of the times in the two stages.
Similarly qgen, qhash are the total number of G and H queries, respectively.

4 The Basic Encryption Scheme

Let $" be a trapdoor permutation generator and k0(.) a positive integer valued
function such that ko(k) < k for all k > 1. The basic scheme G wi~h parameters
Y and k0(') has an associated plaintext-length function of n(k) = k - ko(k). On
input 1 ~, the generator G runs .7"(1~) to obtain (f, f - x ) . Then it outputs the
pair of algorithms (s •) determined as follows:
(1) On input z of length n = n(k), algorithm s selects a random r of length
k0 = ko(k). It s e t s , = ~e~(r) and t = r ~ C , ) . It sets ~ = s II t and
returns y = f(w).
(2) On input y of length k, algorithm l) computes w = f - t ( y ) . Then it sets s
to the first n bits of w and t to the last ko bits of w. It sets r = t@H(s),
and returns the string z = s a G ( r ) .
The oracles G and H which s and ~P reference above have i n p u t / o u t p u t lengths
of G : {0, 1} ~~ ---, {0, 1) n and H : {0, 1)'* ~ {0, 1) ~~ We use the encoding of f
as the encoding of E and the encoding of f - x as the encoding of 7).
The intuition behind the (semantic) security of this scheme is as follows. We
wish to guarantee that the adversary, given a point y in the range of f , must
recover the complete preimage w = rffi of y if she is to say anything meaningful
about z itself. Well, if the adversary does not recover all of the first n bits
of the preimage, s, then she will have no idea about the value H(s) which
is its hash; a failure to know anything about H(s) implies a failure to know
anything about r = H(s)@t (where t is the last ko bits of w), and therefore G(r),
and therefore z = G(r)@s itself. Now, assuming the adversary does recover s,
 100

a failure to completely recover t will again mean that the adversary fails to
completely recover r, and, in the lack of complete knowledge about r, z@G(r)
is uniformly distributed and so again the adversary can know nothing about z.
Yet the above discussion masks some subtleties and a formal proof of security
is more complex than it might appear. This is particularly the case when one is
interested, as we are here, in achieving the best possible exact security.
The following theorem says that if there is an adversary A who is able to
break the encryption scheme with some success probability, then there is an algo-
rithm M which can invert the underlying trapdoor permutation with comparable
success probability and in comparable time. This implies that if the trapdoor
permutations can't be inverted in reasonable time (which is the implicit assump-
tion) then our scheme is secure. But the theorem says more: it specifies exactly
how the resources and success of M relate to those of A and to the underlying
scheme parameters k, n, ko (k = n + k0).
The inverting algorithm M can by obtained from A in a "uniform" way;
the theorem says there is a "universal" oracle machine U such that M can be
implemented by U with oracle access to A. It is important for practice that the
"description" of U is "small;" this is not made explicit in the theorem but is clear
from the proof. The constant ~ depends only on details of the underlying model
of computation. We write ~, k0 for n(k), ko(k), respectively, when, as below, k is
understood.

T h e o r e r n 3 . Let 0 be the basic encryption scheme with parameters ~ , k0 and let

n be the associated plaintext length. Then there exists an oracle machine U and a
constant .~ such that for each integer k the following is true. SuppoSe A succeeds in
(t, qgen, qh.h, e)-breaking O(lt). Then M = U A succeeds in (g', e')-inverting Jr(lk),
where

g' : g "~- qgen" qha~h " ( Y y ( ] e ) q- ~ k )

et = e- (1 - qsen2 -~~ - q h a s h 2 -*~) -- 2 q s e n 2 -/r 9

The proof of Theorem 3 is in Appendix A.

For reasonable values of k (eg. k ~_ 512) it will be the case that k > n > > k0.
Thus for reasonable values of qs~a, qhalh we'll have e' ~. e-(1-qgen2-k~ Thus the
success probability d achieved here is good in the sense that it is only slightly
less than e and close to optimal. Note also that the expression for d indicates
that A will do best by favoring G-oracle queries over H-oracle queries.
The dominant factor in the time t' taken by the inverting algorithm to com-
pute f - 1 (y) is the time to do qg,n" qhash computations of the underlying f . An
interesting open question is to find a scheme under which the number of com-
putation of f is linear in qg~n + qhash while retaining a value of d similar to
ours.
 101

5 Plaintext aware encryption

We introduce a new notion of an encryption being "plaintext aware." The idea

is that an adversary is "aware" of the decryption of the messages which she
encrypts in the sense that she cannot produce a ciphertext y without "knowing"
the corresponding plaintext. In formalizing this we have relied on definitional
ideas which begin with [12, 9, 25]. Our notion requires that some (universal) al-
gorithm K (the "knowledge extractor") can usually decrypt whatever ciphertext
an adversary B m a y output, just by watching the G, H-queries which B makes.
Let B be an adversary which given an encryption algorithm $ outputs a
string y (intuitively, the ciphertext). The notation (y, r) +- runBC'H(s means
the following. We run the algorithm B c J / ( C ) which outputs Y. We record in
the process the transcripts of its interaction with its oracles. Thus there is a list
rgea which for each G-oracle query g made by B records g and the answer G(g);
similarly for H:
rgcn = (gl, G(gl)),..., (gq,.=, G(gq,.=))
Tha,h = (~l,~(~l)),''',(]'t,h,,,h,H(~gh..h))"
The pair (rgen, ~a~h) constitutes ~'.
D e f l n l t l o n 4 . Let ~ be a generator for an encryption scheme and let B be an
adversary that outputs a string. An algorithm K is said to be a (t, e)-plsintext
extractor for B, G(1 ~) if
Pr[ (r 9) G, H (y, r..Ba'H(e) :
y, 9a,H(y) ] _< ,,
and K runs in at most t steps in the experiment above.
The information we provide K about B is only B's output y and the transcript
of her oracle interactions r. We could more generally also provide B's coin tosses;
we omit to do this only because the stronger notion we define above is achieved
by our scheme.
Note we don't give K oracle access to G, H: it is required to find the plaintext
corresponding to y given only B's "view" of the oracle. The rest is random
anyway so it makes no difference.
A complexity-theoretic notion for a plaintext aware encryption can be easily
created out of the exact definition given above. Also, a definition for the standard
(random oracle devoid) model is easily obtained. But in this case, we would
definitely allow K access to B's coin tosses.
As previously mentioned, demanding awareness of a secure encryption scheme
is asking a lot. In the random oracle model, we can show that a plaintext aware
scheme is non-malleable and also secure against chosen-ciphertext attack. We
omit proofs of this, but the intuition is quite clear. For example, a chosen-
ciphertext attack will not help because the adversary already "knows" the plain-
text of any ciphertext y whose decryption she might request from an available
decryption box.
 102

6 The Plaintext-Aware Encryption Scheme

Let .7- be a trapdoor permutation generator. Let /co(') and /C1(') be positive
integer valued functions such that/co(k) +/Cl(/C) < k for all k > 1. The plainCezZ-
aware scheme G with parameters Y,/co,/Cl has an associated plaintext-length
function of n(/c) = k -/co(k) -/Cl(/C). On input 1~, the generator G runs Y(1 ~)
to obtain ( f , / - x). Then it outputs the pair of algorithms (s ~ ) determined as
fonows:
(1) On input z of length n = n(/c), algorithm s selects a random r of length
ko =/co(k). It sets s = zOninG(r) and t = r~H(s). It sets w = s II t and
returns y = f(w).
(2) On input y of length k, algorithm :D computes w = f-X(y). Then it sets s
to the first n-6kl bits o f w and t to the last/co bits ofw. It sets r = t$H(s).
It sets z to the first n bits of s~G(r) and z to the last/Cl bits of s@G(r).
If z = 0 kx then it returns z, else it returns *.
The oracles G and H which s a n d / ) reference above have i n p u t / o u t p u t lengths
of G: {0, 1} ~~ --~ {0, 1} n and H: {0, 1} n --~ {0, 1} ~~
The semantic security of this scheme as given by the following theorem is a
consequence of Theorem 3.

T h e o r e m S . Let ~ be the plaintextoaware encryption scheme with parameters ~',

k0, kl and let n be the associated plaintext length. Then there exists an oracle
machine Tor and a constant )~ such that for each integer k the following is true.
Suppose A succeeds in (t, qgen, qha~h,e)-breaking {7(1~). Then M = U A succeeds in
(t'e')-inverting ~', where
t' = t + qgen " q h a s h 9 (Ty-(/C) - 6 ,~/C)

f/ ---- f- (1 -- qgen 2 - / c ~ -- qhash 2 - n - / e l ) -- 2 q s e n 2 - ~ .

Proof. Let ~' be the generator for the basic scheme with parameters ~T and ko--
the associated plaintext-length function is n'(k) = k - ko(k) = n(k) + kl(k). Let
A ' be the adversary for ~' who (i) in the find-stage runs A to get (z0, Zl, c) and
outputs (zoo ~*, z,0 tl, c); and (ii) in the guess-stage removes the padded zeroes
from the messages and runs A. Now apply Theorem 3 to A'. []
The intuition for the plaintext awareness of our encryption scheme can be de-
scribed as follows. Let y be the string output by B. If she hasn't asked G(r),
then almost certainly the first n -6 kl bits of the preimage of y won't end with
the right substring 0~*; and if she hasn't asked H(s), then she can't know r; but
if the adversary does know s, then certainly she knows its first n bits, which is z.
To discuss exact security it is convenient to say that adversary B(.) is a
(~,qsen, qha~h)-adversar~J for {7(1~) if for all (E,•) E [G(lk)], B(s runs in at
most t steps, makes qsen G-queries and makes qhash H-queries.

T h e o r e m 6 . Let ~ be the plaintext-aware encryption scheme with parameters ~',

ko, kl and let n be the associated plaintext length. Then there exists an oracle
 103

machine K and a constant ~ such that for each integer 4 the following is true.
Suppose B is a (t, qgen, qhuh)-adversary for 0(1~). Then K = U B is a (t',e')-
plaintext extractor for B, ~, where

t' = t q2 qgen " qhash " ( T ~ r ( k ) -k ~ 4 )

eI -- qgen2-/~o if- 2 -kl .

As before, one interesting open question is to device a scheme with t ~ linear in

qgen q- qhash rather than quadratic. Another nice open question is whether one
can achieve plaintext aware encryption in the standard (random oracle devoid)
model given a standard complexity theoretic assumption.

7 Sample RSA based instantiation

We provide here a concrete instantiation of our plaintext aware encryption

scheme (omitting only certain minor details). We use RSA as the trapdoor per-
mutation and construct the functions G, fir out of the (revised) NIST Secure
Hash Algorithm [18]. (Other hash algorithms such as MD5 [20] would do as
well).
Let f be the RSA function [21], so f ( z ) - z e rood N is specified by (e, N)
where N is the h-bit product of two large primes and (e, ~o(N)) = 1. We de-
mand 4 > 512 bits (larger values are recommended). Our scheme will allow the
encryption of any string meg whose length is at most 4 - 320 bits (thus the
minimal permitted security parameter allows 192 bits (e.g., three 64-bit keys)
to be encrypted.) Let D = (1 ~ i < N : gcd(i, N) -- 1} C_ {0, 1} t be the set of
valid domain points for f .
Our probabilistic encryption scheme depends on the message meg to encrypt,
an arbitrary-length string rand_coins, the security parameter 4, the function f ,
and a predicate IND(z) which should return true if and only i f z E D. Our scheme
further uses a 32-bit string key_data (whose use we do not specify here), and a
string desc which provides a complete description of the function f (i.e., it says
"This is RSA using N and e ' ) encoded according to conventions not specified
here.
We denote by SHAd(z) the 160-bit result of SHA (Secure Hash Algorithm)
applied to z, except that the 160-bit "starting value" in the algorithm description
is taken to be A B C D E = at. Let SHA~(z) denote the first t-bits of SHA#(z).
Fix the notation (i) for i encoded as a binary 32-bit word. We define the function
fir~(z) for string z, number t, and 160-bit a~ to be the s prefix of

SHAS~ I[ SHA~(( 1 ).z) II SHAS~~ [[ .--

Let K0 be a fixed, randomly-chosen 160-bit string (which we do not specify

here).
Our scheme is depicted in Figure 7. Basically, we augment the string nzsg
which we want to encrypt by tacking on a word to indicate its length; including
41 = 128 bits of redundancy; incorporating a 32-bit field key_data whose use we
 104

ENCRYPT ( msg, rand_coins )

o = SHAKo(desc);
0"1 = SHA~(< 1 ));
a2 = S H A ~ ( ( 2 ));
a3 = SHA.(( 3 ));
i~-O;
repeat
T e-- H12S(t
0 1 %.%
i ) II rand_coins);
z *-- key_data II <lmsgl) II 0 *=s II 0 II msg;
,--

128(=),
~ r@Ho, -- .

i r i+1;
until IND(v,);
return f(v,);

F i g . 1. A sample instantiation of the plsintext-awsre encryption scheme.

do not specify; and adding enough additional padding to fill out the length of
the string we have made to k - 128 bits. The resulting string z now plays the
same role as the z of our basic scheme, and a separate 128-bit r is then used to
encrypt it.
We comment that in the concrete scheme shown in Figure 7 we have elected
to make our generator and hash function sensitive both to our scheme itself
(via K0) and to the particular function f (via desc). Such "key separation" is
a generally-useful heuristic to help ensure that when the same key is used in
multiple (separately-secure) algorithms that the internals of these algorithms do
not interact in such a way as to jointly compromise security. The use of "key
variants" o l , o's and ~'s is motivated similarly. Our choice to only use half the
bits of SHA has to do with a general "deficiency" in the use of SHA-like hash
functions to instantiate random oracles; see [2] for a discussion.

Acknowledgments
We thank Don Johnson for an early discussion on this problem, where he de-
scribed the m e t h o d of [15]. We thank Silvio Micali for encouraging us to find and
present the exact security of our constructions. Thanks also to (anonymous) Eu-
rocrypt reviewers for their comments and corrections.
This work was carried out while the second author worked for IBM in Austin,
Texas (System Design (Jamil Bissar), PSP LAN Systems).

References

I. M. BBLr.AI~, J. KmhcN AND P. I~OGAWAY,"On the security of cipher-block

chaining,~ Proceedings of Crypto 94.
 105

2. S. BELLAR~ AND P. ROGAWAY, "Random oracles are practical: a paradigm for

designing ei~cient protocols," Proceedings o~ the First Annual Conference on
Computer and Communications Security, A C M , 1993.
3. L. BLUM, M. BLUM, AND M. SHUB, "A Simple Unpredictable Pseudo-Random
Number Generator," S I A M Journal on Computing 15(2), 364-383, M a y 1986.
4. S. B L U M AND S. GOLDWASSER, "An ei~cient probabilistic public-key encryp-
tion scheme which hides all partial information," Advances in Cryptology -
Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, Springer-
Verlag, B. Blakley, ed., 1985.
5. M. B L U M AND S. MICALI, "How to generate cryptographically strong sequences
of pseudo-random bits," S I A M Journal on Computing 13(4), 850-864, November
1084.
6. I. DAMG.~RD, "Towards practical public key cryptosystems secure against chosen
ciphertext attacks," Advances in Cryptology - Crypto 91 Proceedings, Lecture
Notes in Computer Science Vol. 576, Springer-Verlag, J. Feigenbaum, ed., 1991.
7. D. DOLBV, C. D W O R K AND M. NAOR, "Non-malleable cryptography," Proceed-
ings o[ the Twenty Third Annual Symposium on the Theory of Computing,
A C M , 1991.
8. S. EVEN, O. GOLDREICH AND S. MICALI, "On-line/O~f line digital signatures,"
Manuscript. Preliminary version in Adva~nces in Cryptology - Crypto 89
Procee~ngs, Lecture Notes in Computer Science Vol. 435, Springer-Verlag,
G. Brassard, ed., 1989.
9. U. FEIGB, A. FIAT AND A. SHAMIR, "Zero knowledge proofs of identity," Journal
of Cryptology, Vol. 1, pp. 77-94, 1987.
10. O. GOLDREICH AND L. LEVIN, "A hard predicate for all one-way functions," Pro-
ceedings of the Twenty First Annual Symposium on the Theory of Computing,
A C M , 1980.
11. S. GOLDWASSER AND S. MICALI, "Probabilistic Encryption," Journal of Com-
puter and System Sciences 28, 270-299, April 1984.
12. S. GOLDWASSEIt, S. MIGALI AND C. RAOKOFF, "The knowledge complexity of
interactive proof systems," S I A M J. of Comp., Vol. 18, No. 1, 186-208, Febru-
ary 1989.
13. S. GOLDWASSER, S. MICALI AND R. RIVEST, ~'A digits] signature scheme se-
cure against adaptive chosen-message attacks," S I A M Journal of Computing,
17(2):281-308, April 1988.
14. R. IMPAGLIAZZO, L. LEVIN AND M. LUBY, "Pseudo-random generation from
one-way functions," Procee~ngs of the Twenty First Annual Symposium on the
Theory of Computing, ACM, 1989.
15. D. Johnson, A. Lee, W. Martin, S. Matyas and J. Wilkins, "Hybrid key distri-
bution scheme giving key record recovery," IBM Technical Dislcosure Bulletin,
37(2A), 5-16, February 1994.
16. T. LBZOHTON AND S. MICALI, "Provably fast and secure digital signature algo-
rithms based on secure hash functions," Manuscript, March 1993.
17. M. N A O R AND M. YUNG, "Public-key cryptosystems provably secure against
chosen ciphertext attacks," Proceedings of the Twenty Second Annual Sympo-
sium on the Theory of Computing, A C M , 1990.
18. National Institute of Standards, FIPS Publication 180, "Secure Hash Standard,"
1993.
 106

19. M. RABIN, "Digitslized signatures and public-key functions as intractable as

factorization," MIT Laboratory for Computer Science TR-212, January 1979.
20. R. tLrVBST, "The MD5 message-digest algorithm," IETF Network Working
Group, RFC 1321, April 1992.
21. R. RXVBST, A. SHAmm, AND L. ADLBMAN, "A method for obtaining digital sig-
natures and public key cryptosystems," CACM 21 (1978).
22. RSA Data Security, Inc., "PKCS #1: RSA Encryption Standard," ffune 1991.
23. C. SOHNOm~, "Efficient identification and signatures for smart cards," Advances
in Cryptology - Crypto 89 Proceedings, Lecture Notes in Computer Science
Vol. 435, Springer-Verlag, G. Brassard, ed., 1989.
24. A. SCHRWT AND A. SHAMm, "The discrete log is very discreet," Proceedings
of the Twenty Second Annual Symposium on the Theory of Computing, ACM,
1990.
25. M. ToMPA AND H. WOLL, "Random self-reducibility and sero-knowledge inter-
active proofs of possession of information," UCSD TR CS92-244, 1992.
26. A. YAO, "Theory and applications of trapdoor functions," Proceedings of the
Twenty Third Annual Symposium on the Foundations of Computer Science,
IEEE, 1982.
27. Y. ZHENG AND J. SEBE~tY, "Practical approaches to attaining security against
adaptively chosen ciphertext attacks, ~ Advances in Cryptology - Crypto 92
Proceedings, Lecture Notes in Computer Science Vol. 740, Springer-Verlag,
E. BrickeU, ed., 1992.

A Proof of Theorem 3

We first define the behavior of inverting algorithm M. M is given (an encoding

of) a function f : {0, 1} k --* {0, 1} k and a string y E {0, 1} ~. It is trying to find
w = f-l(y).

(1) M begins by constructing ~ from / as specified by our basic scheme. It then

initializes two lists, called its G-list and its H-list, to empty. It picks a bit
b +- {0, 1} at random. Then it simulates the two stages of A as indicated
in the next two steps.
(2) M simulates the find-stage of A by running A on input (s find). M provides
A with fair random coins and simulates A's random oracles G and H as
follows. When A makes an oracle call h of H , machine M provides A with
a random string Hh of length k0, and adds h to the H-list. Similarly when
A makes an oracle call g of G, machine M provides A with a r a n d o m string
Gg of length n and adds g to the G-list. Let (Zo, zl, c) be the output with
which A halts.
(3) Now M starts simulating the guess-stage of A. It runs A on input (y, zo, z l ,
c). It responds to oracle queries as follows.
(3.1) Suppose A makes H-query h. M provides A with a random string Hh
of length h and adds h to the H-list. Then for each g on the G-list M
constructs zoh,9 = h tl g ~ H h and computes Yh,g = / ( w h , 9 ) . If there
is some h, g such that V~,,g = Y then M sets w* = Wh,g.
 107

(3.2) Suppose A makes G-query g. Then for each h on the H-list M con-
structs the string wh,g = h II g@Hh and computes Yh,g = f(wh,~).
(3.2.1) If there are h, g such t h a t Yh,g = Y then M sets w* = wn,g. It
sets Gg = h(~Zb, a d d s g to the G-list, and returns Gg to A.
(3.2.2) Else (ie. there are no h, g such t h a t Yh,g = Y) M provides A
with a r a n d o m string Gg of length n and adds g to the G-list.
The output of M is w* if this string was defined in the above experiment, and
fail otherwise. Note t h a t the H-list and G-list include the queries of b o t h the
find and guess stages of A's execution.
It is easy to verify t h a t the a m o u n t of time ~' to carry out G a m e 1 is as claimed.
It is also easy to verify t h a t there is a universal machine U such t h a t the com-
putation of M can be done by U A.
We note t h a t as soon as M successfully finds a point w* = f - Z ( y ) , it could stop
and o u t p u t w*. Not only do we have it go on, but some variables and actions
(such as the usage of the bit b in Step (3.2.1) come into play only after w* is
found. These "unnecessary" actions do not affect the success probability of M
but we put t h e m in to simplify our exposition of the analysis of M ' s success
probability. The intuition is t h a t A in the above experiment is trying to predict
b and M is trying to make the distribution provided to A look like t h a t which
A would expect were A running under the experiment which defines A's success
in breaking the encryption scheme. Unfortunately, M does not provide A with
a simulation which is quite perfect. Let us now proceed to the analysis.
We consider the probability space given by the above experiment. T h e inputs
f , y to M are drawn at r a n d o m according to (f, f - l ) 4-- ~'(lk); y ,-- {0, 1} ~. We
call this " G a m e 1" and we let P r l ['] denote the corresponding probability.
Let w = f - l ( y ) and write it as w = s [[ ~ where Is I = n and : k0. Let r be
the r a n d o m variable t~H(s). We consider the following events.

FBAD is true if:

- G-oracle query r was m a d e in the find-stage, and
- G, • {sE)zo, sE)zl}.
GBAD is true if:
- G-oracle query r was m a d e in the guess stage, and
- at the point in time t h a t it was made, the H-oracle query s was not on
the H-list, and
- G,. r {8~zo, sE)=1}.
G = ~FBAD A -GBAD.

W = AskR A AskS.

We let Pr2 ['] = P r l [" [ G] denote the probability distribution, in G a m e 1, con-

ditioned on G being true, and call this " G a m e 2."
 108

Now consider the experiment which defines the advantage of A. Namely, first
choose ( f . , f , z ) ._ j r ( l k ) and let s be the corresponding encryption function
under the basic scheme. Then choose

G., H. *- fl; (z~, z;, c*) ~-- Aa"z~" (s find);

b. C0, z}; y* , -

and run A (y*, =L c*). Let Pr; [.] be the corresponding distribution and
Game 1" the game.
Now consider playing Game 1" a little bit differently. As before, choose ( f . , f , z )
~-- ~ ( 1 ~) and let E* be the corresponding encryption function. But now choose
y* *- C0,1} k uniformly at random first, and then select the rest according to
the distribution which makes the outcome the same as in Game-l*. (This is
possible because the distribution on y*-values in Game 1" is indeed uniform).
We let Game 2* be this different way of playing Game 1".
We claim that Game 2 and Game 2* are identical in the sense that the view of
A at any point in these two games is the same. Indeed we have chosen the event
G so that the oracle queries we are returning in Game 1 will mimic Game 2* as
long as G remains true.
We omit details to formally justify these claims, but a good way to get some
intuition is to assume for simplicity that the End-stage is trivial and A always
outputs the same strings z~, z~, c*. Now if y* is fixed then the conditional dis-
tribution on G., H . can be described as follows: Pick H . at random; pick G.(g)
to be random whenever g ~ t~H.(s). But G.(t~H.(s)) must be constrained to
be either s ~ z ~ or s@z~, the choice of which being at random.
To proceed further with our analysis (of Game 1), let us introduce the following
additional events:

FAskS is true if H-oracle query s was made in the find stage.

AskR is true if, at the end of Game 1, r is on the G-list.

AskS is true if, at the end of Game 2, s is on the H-list.

The first step is to show that the probability that the good event fails is low.

L e m m a 7. The probability that the good event fails is upper bounded by

Prz [-~G] _~ qgen2-~~ -t- qh~h2 -'~ 9

Proof. The intuition is that as long as H-query s has not been made, each G-
query has probability only 2 -~~ of being r. Now, --G = FBADV GBAD. In GBAD
is already included the fact that no H-query of s has been made before the G-
query r. But in FBAD it could be that H-query s was made. But the probability
 109

of FAskS is small since s II t - f - 1 ( y ) is determined at random after the find-

stage. The proof that follows captures all this by conditioning on FAskS. We
have:

Pr~ [-~G] = Pr~ [~G I FAskS]. Pr~ [FAskS]

+ Pr, [-,G I-~FAskS]-Prl [--,FAskS]
_< Pr~ [FAskS] + Pr: [~G I ~FAskS]
_< Pr: [FAskS] + Prl [AskR I --,FAskS] .

The random choice of y implies that Prl [FAskS] < (]hash2-n. On the other hand
P r l [AskR I -,FAskS] _< qgen2 -k~ []

We think of A in Game 1 as trying to predict b. With this in mind, let "A =

b" denote the event that A is successful in predicting bit b. We analyze this
probability to show that in Game 2 either W is true or A has little advantage
in predicting b. Notice that if W is true then M successfully finds w = f - 1 (y).
Following this we will use the equivalence with Game 2* to relate this to ~, and
finally we will use L e m m a 7 to get a conclusion for Game 1.

Recall that h = k0 + n is the "security parameter" of the original trapdoor

permutation.

L e m m a 8. The winning probability in Game 2 is bounded below by:

2qgen2- k
Pr2 [W] _> Pr2 [A ---b] 21
Prl [G]

Proof. We upper bound Pr2 [A ----hi:

Pr2 [A = b] = Pr2 [,4 = b I W]. er~ [W]

+ Pr2 [A -- ~ I -~AskR]-Pr2 [-~AskR]

§ Pr2 [A = b I AskRA -,AskS]. Pr2 [AskR A --,AskS]
< Pr2 [W] + Pr~ [_4 = b I -,AskR]

§ Pr2 [AskR A -~AskS] . (1)

Now we wish to upper bound the last two terms above. If-~AskR then clearly .4
has no advantage in predicting b:
Pr2 [.4 -- b l -~AskR] _<1/2. (2)
On the other hand let RBS be the event that r is on the G-list and at the time
it was put there, s was not on the H-list. Recall that k = h0 + n. One can check
 110

that:
Prx [AskR A -~AskS A G] = Prl [RBS A G, E {8~zo, $ ~ g l } ]
= Prl [RBS]. Prl [G, E {,E)zo,,(~zx} I RBS]

~ qgen2-k~ 92 " 2-'*

: 2qgen 2-k . (3)

Using (3) we have

Prl [AskR A "~AskS A G]
Pr2 [AskR A -~AskS] =
Prl [G]
< 2qge"2-~ (4)
-- Prl [G]

Now put the bounds provided by (2) and (4) into (1) to get
2qse,2 -~
P r 2 [ A = b ] _< Pr2[VV] + 8 9 Prl[G]

This concludes the proof of the ]emma. []

The equivalence of Game 2 and Game 2* implies Pr2 [A = b] = e + 1/2 so that
from Lemma 8 (making the conditioning on G explicit) we get
2qgen 2 - ~
Prl ~ I G] >_ - Prl [G] (5)

Using (5) and Lemma 7 we get

Prl [W] = Prl ~ / I G]. Prl [G]

> (e 2qgen2-k
- _ - PrI[G] ) ' P r l [ G ]
= e . P E I [G] - 2qgen2 -k

~_ e" (1 -- qsen2 -k~ -- qh~h2-") -- 2qs,n2 -k 9

However as we remarked earlier, eI ~_ Prl ~/], so the proof is concluded.

B Proof of Theorem6

We define the plaintext extractor K. Let (f, f - l ) E [~'(1~)] and let uc be the
corresponding encryption function as constructed by our plaintext-aware scheme.
Let r : (Tgen , Thash) where
Tgen = (7"1,G 1 ) , . . . , (Pq,on, Gqlto=)
= (,1,H1), ....
 111

We call r l , . . . , rg,. n the G-list a n d s t , . . . , sgh.~ the H-list. T h e inputs to K are

C, y, 1". It proceeds as follows.
(1) For i = 1 , . . . , qgen a n d j = 1 , . . . , qh~h machine K
(1.1) Sets z i d to the first n bits of ,i(3Gj a n d z~,i to the remaining hi bits
of s~Gj
(1.2) Sets wi,j = al II and computes Vij= f(w,,j).
(2) If there is an i , j such t h a t y i j = V a n d z~j = 0 tt then K o u t p u t s z i j ; else
it o u t p u t s *.
For the analysis let w = f - x ( V ) a n d write it as w = s [[ * where Is[ = n + k l a n d
]*[ = k0. Let r be the r a n d o m variable *@H(,). Let x, z be the r a n d o m variables
defined by writing s a G ( r ) = z II z where tzl = n a n d ]z] = ix. We consider the
following events.

FAIL is true if the o u t p u t of K is different f r o m Z~G,H(v).

AskR is true if r is on the G-list.

Asks is true if s is on the H-list.

We now b o u n d the failure probability.

Pr [FAIL] = Pr [FAIL I -~AskR] 9Pr [-~AskR]

+ Pr [FAIL I AskR A AskS]. Pr [AskR A AskS]
+ Pr [FAIL I AskR A -~AskS] 9Pr [AskR A -~AskS]
_< Pr [FAIL ( -~AskR] + Pr [FAIL ] AskR A AskS]
+ Pr [AskR A --AskS] .

If r is not on the G-list then the probability t h a t z = 0 ~1 is at m o s t 2 - h , so

t h a t in this case an o u t p u t of * is success. T h u s P r [FAIL I -~AskR] _< 2 - t * .
If r is on the G-list and s is on the H-list then there are i, j such t h a t w = wl,j.
So K will d e c r y p t correctly. T h a t is, Pr [FAIL I AskR A AskS] = 0.
If s is not on the H-list then H ( s ) is u n i f o r m l y distributed and hence so is r. So
Pr [AskR A --AskS] < Pr [AskR I -~AskS] < qs,n2 -~~ .
This concludes the proof.