Sponge-based CCA2 secure asymmetric encryption for arbitrary length message (extended version)

Abstract

OAEP and other similar schemes, proven secure in random-oracle model, require one or more hash functions with an output size larger than those of the standard hash functions. In this paper, we show that by using the popular Sponge construction in the OAEP framework, we can eliminate the need for such a hash function. We provide a new scheme in the OAEP framework and call our scheme Sponge-based asymmetric encryption padding (SpAEP). The scheme SpAEP is based on two functions: Sponge and SpongeWrap, and requires only standard output sizes proposed and standardised for Sponge functions. Our scheme is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary length messages. Our scheme utilises the versatile Sponge function to enhance the capability and efficiency of the OAEP framework. Prior to this work, the only scheme proven secure in the ideal permutation model was OAEP-3R. However this scheme is not efficient in practice as it utilises a full domain permutation which is hard to find and construct efficiently in practice. Therefore, the author of OAEP-3R provided another version of OAEP-3R but in random oracle model. Our scheme SpAEP utilises the ideal permutation model in a novel manner which makes SpAEP efficient and practical to construct a public key encryption. We also propose a key encapsulation mechanism for hybrid encryption using SpAEP with any trapdoor one-way permutation.