Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2 t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

, , , ,
J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 355–371, 2008.
Practical Approaches to Secure Computation
Annual International Conference on the Theory and Applications of Cryptology & Information Security

Abe, M., Kiltz, E., & Okamoto, T. (2008). Chosen Ciphertext Security with Optimal Ciphertext Overhead. In Lecture Notes in Computer Science. Springer.