Cramer & Shoup Encryption
Cramer and Shoup: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Crypto 1998.
These slides are partially based on Jonathan Katz’s lecture notes.
Benny Applebaum

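CCA1 Security
– Generate $(PK, SK)$; A is given $PK$.
– A submits decryption queries $c_1, \dots, c_p$ and receives $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– A outputs $(m_0, m_1)$; $b \in \{0,1\}$; A receives $C = E_{PK}(m_b)$.
– A outputs $b'$.
A wins if $b = b'$. The scheme is CCA1 secure if any efficient A wins with probability $< 1/2 + \text{neg}$.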

DDH Assumption
Let $G$ be a cyclic group of (prime) order $q$.
– DH tuple: $(g, g^a, g^b, g^{ab})$
– Rand tuple: $(g, g^a, g^b, g^c)$
where $g$ is a random generator and $a, b, c \in \mathbb{Z}_q$.
DDH Assumption: Hard to distinguish Rand from DDH: $|\Pr[A(\text{DH})=1]-\Pr[A(\text{Rand})=1]|$

Cramer & Shoup Lite
PK = $(g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b)$
– $g_1, g_2$ are random generators and $x, y, a, b \in \mathbb{Z}_q$
SK = $(x, y, a, b)$
$E_{PK}(m)$: choose $r \in \mathbb{Z}_q$; set $C = (g_1^r, g_2^r, h^r m, c^r)$
$D_{SK}(u, v, w, e)$:
– If $e \neq u^a v^b$ then output $\bot$
– Else, output $w/(u^x v^y)$
Correctness: Easy…

CSL is CCA1 secure
Assume that A breaks CSL via CCA1. Construct A’ that breaks DDH.
A’$(g_1, g_2, g_3, g_4)$:
– $x, y, a, b \in \mathbb{Z}_q$; SK = $(x, y, a, b)$; PK = $(g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b)$ is given to A.
– A’s queries $c_1, \dots, c_p$ are answered with $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– A outputs $(m_0, m_1)$; $b \in \{0,1\}$; A receives $C = (g_3, g_4, g_3^x g_4^y m_b, g_3^a g_4^b)$.
– A outputs $b'$. If $b = b'$ then output “DDH”, otherwise output “Rand”.

CSL is CCA1 secure
Thm. Under the DDH, CSL is CCA1 secure.
Proof:
1. $|\Pr[A'(\text{DH})=1]-\Pr[A'(\text{Rand})=1]|$

CSL is CCA1 secure
Claim 3: $|\Pr[A'=1 \mid \text{Rand}]| \le \tfrac{1}{2} + \text{negl}$
Proof: Show that (except w/neg prob) A attacks a perfect cipher, i.e., $g_3^x g_4^y$ is random (according to A’s view).
– Let $(g_1, g_2 = g_1^{\gamma}, g_3 = g_1^{r}, g_4 = g_1^{\gamma r'})$. Except w/neg prob, $\gamma \neq 0$, $r \neq r'$.
– From PK, A knows $h = g_1^x g_2^y$; that is, $\log_{g_1} h = x + \gamma y$ (*)
– We saw: if A knows only (*) then $g_3^x g_4^y$ is random (from A’s view).
Lemma: in phase 2 (except w/neg prob) A doesn’t learn info regarding $(x, y)$.
Proof: A query $(u, v, w, e)$ is bad if $\log_{g_1} u \neq \log_{g_2} v$ and $D_{SK}(u, v, w, e) \neq \bot$.
– Claim 4: (except w/neg prob) A’s queries are all good.
– Claim 5: If A’s queries are all good then A does not learn additional info regarding $(x, y)$ in phase 2.

CSL is CCA1 secure
Is CSL CCA2 secure?
Why does the argument fail to prove CCA2 security?

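CCA2 Security
– Generate $(PK, SK)$; A is given $PK$.
– A submits decryption queries $c_1, \dots, c_p$ and receives $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– A outputs $(m_0, m_1)$; $b \in \{0,1\}$; A receives $C^* = E_{PK}(m_b)$.
– A submits further queries $c'_1, \dots, c'_p$ with $c'_1 \neq c^*, \dots, c'_p \neq c^*$ and receives their decryptions.
– A outputs $b'$.
A wins if $b = b'$. The scheme is CCA2 secure if any efficient A wins with probability $< 1/2 + \text{neg}$.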

The Cramer & Shoup Cryptosystem
PK = $(g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b, d = g_1^{a'} g_2^{b'}, H)$
– $g_1, g_2$ are random generators, $x, y, a, b, a', b' \in \mathbb{Z}_q$ and $H$ is a hash function
SK = $(x, y, a, b, a', b')$
$E_{PK}(m)$: choose $r \in \mathbb{Z}_q$; set $C = (g_1^r, g_2^r, h^r m, (c d^{\alpha})^r)$, where $\alpha = H(g_1^r, g_2^r, h^r m)$
$D_{SK}(u, v, w, e)$:
– If $e \neq u^{a + \alpha a'} v^{b + \alpha b'}$ (where $\alpha = H(g_1^r, g_2^r, h^r m)$) then output $\bot$
– Else, output $w/(u^x v^y)$
Correctness: Easy…
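
Added example (not part of the original slides): a toy Python implementation of both schemes above, showing why the extra tag matters. CS Lite is run as the full scheme with a' = b' = 0 (so d = 1), and a ciphertext whose third component is multiplied by k still passes the Lite check but is rejected by the full scheme. Assumptions: the small group parameters, the fixed generators 4 and 9, SHA-256 as H, and the helper names `keygen`, `encrypt`, `decrypt`, `maul`, `demo` are all constructed for illustration.

```python
import hashlib, secrets

# Constructed toy group (far too small for real use): P = 2Q + 1 is a safe
# prime, so the squares mod P form the subgroup of prime order Q.
P, Q = 1_000_000_007, 500_000_003
G1, G2 = 4, 9                      # fixed squares; the slides use random generators

def H(u, v, w):                    # assumption: SHA-256 stands in for the hash H
    return int.from_bytes(hashlib.sha256(f"{u},{v},{w}".encode()).digest(), "big") % Q

def keygen(full):
    x, y, a, b, a2, b2 = (secrets.randbelow(Q) for _ in range(6))
    if not full:                   # CS Lite: no d component, i.e. a' = b' = 0
        a2 = b2 = 0
    h = pow(G1, x, P) * pow(G2, y, P) % P
    c = pow(G1, a, P) * pow(G2, b, P) % P
    d = pow(G1, a2, P) * pow(G2, b2, P) % P
    return (h, c, d), (x, y, a, b, a2, b2)

def encrypt(pk, m):
    h, c, d = pk
    r = 1 + secrets.randbelow(Q - 1)
    u, v, w = pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P
    e = pow(c * pow(d, H(u, v, w), P) % P, r, P)      # (c d^alpha)^r
    return u, v, w, e

def decrypt(sk, ct):
    x, y, a, b, a2, b2 = sk
    u, v, w, e = ct
    al = H(u, v, w)                # recomputed from the received ciphertext
    if e != pow(u, a + al * a2, P) * pow(v, b + al * b2, P) % P:
        return None                # validity check failed: reject
    return w * pow(pow(u, x, P) * pow(v, y, P) % P, -1, P) % P

def maul(ct, k):
    # Multiply the payload w by k, leaving u, v and the tag e untouched.
    u, v, w, e = ct
    return u, v, w * k % P, e

def demo(full, m=pow(1234, 2, P), k=4):
    pk, sk = keygen(full)
    ct = encrypt(pk, m)
    return decrypt(sk, ct), decrypt(sk, maul(ct, k))

if __name__ == "__main__":
    print("lite:", demo(False))    # modified ciphertext decrypts to k*m
    print("full:", demo(True))     # modified ciphertext is rejected
```

In CS Lite the check e = u^a v^b never looks at w, so a post-challenge decryption query on the modified ciphertext is valid and reveals k·m; binding w into the tag through H is what closes this gap.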

CS is CCA2 secure
Assume that A breaks CS via CCA2. Construct A’ that breaks DDH.
A’$(g_1, g_2, g_3, g_4)$:
– $x, y, a, b, a', b' \in \mathbb{Z}_q$; SK = $(x, y, a, b, a', b')$; PK = $(g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b, d = g_1^{a'} g_2^{b'}, H)$ is given to A.
– A’s queries $c_1, \dots, c_p$ and $c'_1, \dots, c'_p$ are answered with $D_{SK}$.
– A outputs $(m_0, m_1)$; $b \in \{0,1\}$; A receives $C = (g_3, g_4, g_3^x g_4^y m_b, g_3^{a + \alpha a'} g_4^{b + \alpha b'})$ where $\alpha = H(g_3, g_4, g_3^x g_4^y m_b)$.
– A outputs $b'$. If $b = b'$ then output “DDH”, otherwise output “Rand”.

CS is CCA2 secure
Thm. Under the DDH, CS is CCA2 secure.
Proof:
1. $|\Pr[A'(\text{DH})=1]-\Pr[A'(\text{Rand})=1]|$

CS is CCA2 secure
Claim 3: $|\Pr[A'=1 \mid \text{Rand}]| \le \tfrac{1}{2} + \text{negl}$
Proof: Show $g_3^x g_4^y$ is random (according to A’s view).
– Let $(g_1, g_2 = g_1^{\gamma}, g_3 = g_1^{r}, g_4 = g_1^{\gamma r'})$. Except w/neg prob, $\gamma \neq 0$, $r \neq r'$.
– From PK, A knows $h = g_1^x g_2^y$; that is, $\log_{g_1} h = x + \gamma y$ (*)
– We saw:
  – if A knows only (*) then $g_3^x g_4^y$ is random (from A’s view).
  – in phase 2 (except w/neg prob) A doesn’t learn info regarding $(x, y)$.
Lemma: in phase 3 (except w/neg prob) A doesn’t learn info regarding $(x, y)$.
Proof: A query $(u, v, w, e)$ is bad if $\log_{g_1} u \neq \log_{g_2} v$ and $D_{SK}(u, v, w, e) \neq \bot$.
– Claim 4: (except w/neg prob) A’s queries are all good.
– Claim 5: If A’s queries are all good then A does not learn additional info regarding $(x, y)$ in phase 3.

