Rethinking Chosen-Ciphertext Security under Kerckhoffs’ Assumption

Seungjoo Kim (1), Masahiro Mambo (2), and Yuliang Zheng (3)

1 KISA (Korea Information Security Agency), 78, Garag-Dong, Songpa-Gu, Seoul 138-803, Korea; skim@kisa.or.kr; http://www.crypto.re.kr
2 Graduate School of Information Sciences, Tohoku University, Kawauchi Aoba Sendai, 980-8576 Japan; mambo@icl.isc.tohoku.ac.jp; http://www.icl.isc.tohoku.ac.jp/~mambo/
3 UNC Charlotte, 9201 University City Blvd, Charlotte, NC 28223; yzheng@uncc.edu; http://www.sis.uncc.edu/~yzheng/

Abstract. Any software claiming to cryptographically protect data should use an encryption algorithm that meets public standards and has an extensive history of independent cryptanalytic validation. However, even when they employ a strong encryption algorithm, most existing public-key cryptosystems, including RSA-OAEP, do not consider the “memory reconstruction attack” or “memory core-dump attack” mounted by computer forensic software, information-stealing viruses, or other accidental causes. To deal with this situation, this paper analyzes the existing provably secure cryptosystems under “Kerckhoffs’ assumption”: an attacker knows all details of the cryptosystem except the key information, upon which security consequently rests entirely.

Keywords. Kerckhoffs’ assumption, provable security, chosen-ciphertext security.

1 Introduction

A basic rule of cryptography is to use published, public algorithms and protocols. This principle, called Kerckhoffs’ assumption (also called Kerckhoffs’ law or Kerckhoffs’ principle), was first stated in 1883 by Auguste Kerckhoffs: a cryptosystem should be designed to be secure if everything is known about it except the key information. It was reformulated (perhaps independently) by Claude Shannon as “the enemy knows the system”; in that form it is called Shannon’s Maxim. Kerckhoffs’ assumption was one of six design principles laid down by Kerckhoffs for military ciphers.
Kerckhoffs’ six cipher design principles were [22]:
1. The system must be practically, if not mathematically, undecipherable.