Download presentation

Presentation is loading. Please wait.

Published byVincent Francis Golden Modified about 1 year ago

1
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998 These slides are partially based on Jonathan Katz’s lecture notes. Benny Applebaum

2
CCA1 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b {0,1} C=E PK (m b ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA1 secure if any efficient A wins with probability <1/2+neg

3
DDH Assumption Let G be a cyclic group of (prime) order q DH tuple: (g,g a,g b,g ab ) Rand tuple (g,g a,g b,g c ) where g is a random generator and a,b,c Z q DDH Assumption: Hard to distinguish Rand from DDH |Pr[A(DH)=1]-Pr[A(Rand)=1]|

4
Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b Z q SK = (x,y,a,b) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e u a v b then output –Else, output w/(u x v y )

5
Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b Z q SK = (x,y,a,b) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e u a v b then output –Else, output w/(u x v y ) Correctness: Easy…

6
CSL is CCA1 secure x,y,a,b Z q ; SK=( x,y,a,b ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) D SK (c 1 ) D SK (c p ) b {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a g 4 b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CSL via CCA1 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand”

7
CSL is CCA1 secure Thm. Under the DDH, CSL is CCA1 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

8
CSL is CCA1 secure Claim 3: |Pr[A’=1|Rand]| ½ + negl Proof: Show that (except w/neg prob) A attacks a perfect cipher. I.e, g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1 r’ ) Except w/neg prob 0,r r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y (*) We saw: if A knows only (*) then g 3 x g 4 y is random (from A’s view). Lemma: in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u log g2 v and D SK (u,v,w,e) Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 2

9
CSL is CCA1 secure Is CSL CCA2 secure? Why the argument fail to prove CCA2 security?

10
CCA2 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b {0,1} C*=E PK (m b ) D SK (c 1 ) D SK (c p ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA2 secure if any efficient A wins with probability <1/2+neg c’ 1 c* c’ p c*

11
The Cramer & Shoup Cryptosystem PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b ’,H) g 1,g 2 are random generators, x,y,a,b,a’,b’ Z q and H is a hash function SK = (x,y,a,b,a’,b’) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, (cd ) r ), where =H(g 1 r,g 2 r, h r m) D SK (u,v,w,e): –If e u a + a’ v b + b’ (where =H(g 1 r,g 2 r, h r m)) then output –Else, output w/(u x v y ) Correctness: Easy…

12
CS is CCA2 secure x,y,a,b,a’,b’ Z q ; SK=( x,y,a,b,a’,b’ ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b’,H) D SK (c 1 ) D SK (c p ) b {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a+ a’ g 4 b + b’ ) where =H(g 3,g 4, g 3 x g 4 y m b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CS via CCA2 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand” c’ 1 c’ p

13
CS is CCA2 secure Thm. Under the DDH, CS is CCA2 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

14
CS is CCA2 secure Claim 3: |Pr[A’=1|Rand]| ½ + negl Proof: Show g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1 r’ ) Except w/neg prob 0,r r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y (*) We saw: –if A knows only (*) then g 3 x g 4 y is random (from A’s view). –in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Lemma: in phase 3 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u log g2 v and D SK (u,v,w,e) Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 3

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google