Reducing public key sizes in bounded CCA-secure KEMs with optimal ciphertext length

Abstract

Currently, chosen-ciphertext (CCA) security is considered as the de facto standard security notion for public key encryption (PKE), and a number of CCA-secure schemes have been proposed thus far. However, CCA-secure PKE schemes are generally less efficient than schemes with weaker security, e.g., chosen-plaintext security, due to their strong security. Surprisingly, Cramer et al. (Asiacrypt 2007) demonstrated that it is possible to construct a PKE scheme from the decisional Diffie- Hellman assumption that yields (i) bounded CCA (BCCA) security which is only slightly weaker than CCA security, and (ii) one group element of ciphertext overhead which is optimal. In this paper, we propose two novel BCCA-secure PKE schemes with optimal ciphertext length that are based on computational assumptions rather than decisional assumptions and that yield shorter (or at least comparable) public key sizes. Our first scheme is based on the computational bilinear Diffie-Hellman assumption and yields O(λq) group elements of public key length, and our second scheme is based on the factoring assumption and yields O(λq2) group elements of public key length, while in Cramer et al.’s scheme, a public key consists of O(λq2) group elements, where λ is the security parameter and q is the number of decryption queries. Moreover, our second scheme is the first PKE scheme which is BCCA-secure under the factoring assumption and yields optimal ciphertext overhead.