Abstract:
This document compares the two published RSA-based hybrid encryption
schemes having linear reduction in their security proof:
RSA-KEM with DEM1 and RSA-REACT.
While the performance of RSA-REACT is worse than the performance of
RSA-KEM+DEM1, a complete proof of its security has already been
published.
This is indeed an advantage, because we show that the security result
for RSA-KEM+DEM1 has a small hole.
We provide here a complete proof of the security of
RSA-KEM+DEM1.
We also propose some changes to RSA-REACT to improve its efficiency
without changing its security, and conclude that this new RSA-REACT is
a generalisation of RSA-KEM+DEM1, with at most the same security,
and with possibly worse performance.
Therefore we show that RSA-KEM+DEM1 should be preferred to RSA-REACT.