# REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform

@inproceedings{Okamoto2001REACTRE, title={REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform}, author={Tatsuaki Okamoto and David Pointcheval}, booktitle={CT-RSA}, year={2001} }

Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and…

## 264 Citations

### Efficient public key encryption with smallest ciphertext expansion from factoring

- Computer Science, MathematicsDes. Codes Cryptogr.
- 2008

The first scheme is a generic asymmetric encryption padding scheme based on trapdoor permutations and the second one is its application to the Rabin-Williams function which has a very fast encryption algorithm which achieves the optimal bandwidth w.r.t. the ciphertext expansion.

### A low-cost alternative for OAEP

- Computer Science, MathematicsS&D4RCES '11
- 2011

This paper presents the design principle of the proposed Alternative Asymmetric Encryption Padding (AAEP) in two variants, a modified scheme, which guarantees that regardless of the input values, all outputs of AAEP will be different within some period of time.

### On the Selective Opening Security of Practical Public-Key Encryption Schemes

- Computer Science, MathematicsPublic Key Cryptography
- 2015

It is shown that two well-known and widely employed public-key encryption schemes – RSA Optimal Asymmetric Encryption Padding and Diffie-Hellman Integrated Encryption Standard – are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model.

### Selective opening security of practical public-key encryption schemes

- Computer Science, MathematicsIET Inf. Secur.
- 2016

Two well-known and widely employed public-key encryption schemes are shown to be secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model.

### Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages

- Computer Science, MathematicsPublic Key Cryptography
- 2002

Two generic constructions, gem-1 and gem-2, are put forward which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of unfixed length.

### Chosen-Ciphertext Security without Redundancy

- Computer Science, MathematicsASIACRYPT
- 2003

This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and more interestingly, the bandwidth is optimal: the ciphertext is over k more bits only than the plaintext, where 2 − k is the expected security level.

### Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks

- Computer Science, MathematicsASIACRYPT
- 2001

The twin-encryption paradigm proposed by Naor and Yung is rehabilitate to present generic conversions from a large family of IND-CPA scheme into a (threshold) IND-CCA one in the random oracle model, which provides the first example of threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem.

### Using Transposition Padding to Get CCA2 Security From Any Deterministic Encryption Schemes

- Computer Science, MathematicsIEEE Access
- 2019

A new transpositional padding encryption scheme is proposed, which has three novel attributes, and is proven to be indistinguishable under adaptively chosen ciphertext attacks without random oracle that assumes a variant of the standard RSA problem.

### On the KDM-CCA Security from Partial Trapdoor One-Way Family in the Random Oracle Model

- Computer Science, MathematicsComput. J.
- 2019

It is proved that the twisted Pointcheval’s scheme achieves the KDM-CCA security without introducing any new assumption, which means that any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext attack (CCA) secure public key encryption (PKE) scheme.

### How to Encrypt Properly with RSA

- Computer Science, Mathematics
- 2002

A formal and complete proof was found in joint work by the author and others that rearmed the strong level of security provided by RSA{OAEP, however, this new security proof still does not guarantee security for key sizes used in practice due to the ineciency of the security reduction (the reduction to inverting RSA takes quadratic time).

## References

SHOWING 1-10 OF 47 REFERENCES

### Chosen-Ciphertext Security for Any One-Way Cryptosystem

- Computer Science, MathematicsPublic Key Cryptography
- 2000

This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model, and presents the first scheme whose security is relative to the factorization of large integers, with a perfect reduction.

### How to Enhance the Security of Public-Key Encryption at Minimum Cost

- Computer Science, MathematicsPublic Key Cryptography
- 1999

This paper presents a simple and efficient conversion from a semantically secure public-key encryption scheme against passive adversaries to a non-malleable (or semantically secure) public-key…

### A New Public-Key Cryptosystem as Secure as Factoring

- Computer Science, MathematicsEUROCRYPT
- 1998

This paper proposes a novel public-key cryptosystem, which is practical, provably secure and has some other interesting properties as follows: It can be proven to be as secure as the intractability of factoring n = p2q (in the sense of the security of the whole plaintext) against passive adversaries.

### New Public Key Cryptosystems Based on the Dependent-RSA Problems

- Computer Science, MathematicsEUROCRYPT
- 1999

Two variants are derived with improved security properties, namely against adaptive chosen-ciphertext attacks, in the random oracle model, and all those schemes are more or less as efficient as the original RSA encryption scheme and reach semantic security.

### HD-RSA: Hybrid Dependent RSA a New Public-Key Encryption Scheme

- Computer Science, Mathematics
- 1999

It results that this new encryption scheme is semantically secure against any kind of attacks, namely non-adaptive and even adaptive chosen-ciphertext ones, and can reach higher speed rates if one compares it with the DHAES or EPOC, which gets many times better.

### Optimal Asymmetric Encryption

- Computer Science, MathematicsEUROCRYPT
- 1994

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

### The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES

- Computer Science, MathematicsCT-RSA
- 2001

In this paper, natural assumptions under which DHIES achieves security under chosen-ciphertext attack are found and the assumptions made about the Diffie-Hellman problem are investigated, and they provide security lower bounds.

### Optimal Asymmetric Encryption-How to Encrypt with RSA

- Computer Science, Mathematics
- 1995

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which the adversary knows the corresponding plaintexts, and is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

### DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 1999

This paper describes a Diffie-Hellman based encryption scheme, DHIES (formerly named DHES and DHAES), which is now in several (draft) standards. The scheme is as efficient as ElGamal encryption, but…

### Securing Threshold Cryptosystems against Chosen Ciphertext Attack

- Computer Science, MathematicsJournal of Cryptology
- 2001

This paper presents two very practical threshold cryptosystems and proves that they are secure against chosen ciphertext attack in the random oracle model, and not only are these protocols computationally very efficient, but they are also non-interactive, which means they can be easily run over an asynchronous communication network.