Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption
When a proof is given that some cryptosystem is semantically secure under Chosen Ciphertext Attack (CCA) under some complexity assumption, one generally checks whether one-wayness can be guaranteed under a weaker assumption. The authors revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. equivalent to factoring) and resisting Chosen Ciphertext Attacks (CCA) are incompatible goals for single-key cryptosystems. They pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model.