Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Similar presentations


Presentation on theme: "Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998."— Presentation transcript:

1 Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998 These slides are partially based on Jonathan Katz’s lecture notes. Benny Applebaum

2 CCA1 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b  {0,1} C=E PK (m b ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA1 secure if any efficient A wins with probability <1/2+neg

3 DDH Assumption Let G be a cyclic group of (prime) order q DH tuple: (g,g a,g b,g ab ) Rand tuple (g,g a,g b,g c ) where g is a random generator and a,b,c  Z q DDH Assumption: Hard to distinguish Rand from DDH |Pr[A(DH)=1]-Pr[A(Rand)=1]|

4 Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b  Z q SK = (x,y,a,b) E PK (m): choose r  Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e  u a v b then output  –Else, output w/(u x v y )

5 Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b  Z q SK = (x,y,a,b) E PK (m): choose r  Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e  u a v b then output  –Else, output w/(u x v y ) Correctness: Easy…

6 CSL is CCA1 secure x,y,a,b  Z q ; SK=( x,y,a,b ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) D SK (c 1 ) D SK (c p ) b  {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a g 4 b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CSL via CCA1 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand”

7 CSL is CCA1 secure Thm. Under the DDH, CSL is CCA1 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

8 CSL is CCA1 secure Claim 3: |Pr[A’=1|Rand]|  ½ + negl Proof: Show that (except w/neg prob) A attacks a perfect cipher. I.e, g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1  r’ ) Except w/neg prob  0,r  r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y  (*) We saw: if A knows only (*) then g 3 x g 4 y is random (from A’s view). Lemma: in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u  log g2 v and D SK (u,v,w,e)   Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 2

9 CSL is CCA1 secure Is CSL CCA2 secure? Why the argument fail to prove CCA2 security?

10 CCA2 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b  {0,1} C*=E PK (m b ) D SK (c 1 ) D SK (c p ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA2 secure if any efficient A wins with probability <1/2+neg c’ 1  c* c’ p  c*

11 The Cramer & Shoup Cryptosystem PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b ’,H) g 1,g 2 are random generators, x,y,a,b,a’,b’  Z q and H is a hash function SK = (x,y,a,b,a’,b’) E PK (m): choose r  Z q ; set C=(g 1 r,g 2 r, h r m, (cd  ) r ), where  =H(g 1 r,g 2 r, h r m) D SK (u,v,w,e): –If e  u a +  a’ v b +  b’ (where  =H(g 1 r,g 2 r, h r m)) then output  –Else, output w/(u x v y ) Correctness: Easy…

12 CS is CCA2 secure x,y,a,b,a’,b’  Z q ; SK=( x,y,a,b,a’,b’ ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b’,H) D SK (c 1 ) D SK (c p ) b  {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a+  a’ g 4 b +  b’ ) where  =H(g 3,g 4, g 3 x g 4 y m b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CS via CCA2 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand” c’ 1 c’ p

13 CS is CCA2 secure Thm. Under the DDH, CS is CCA2 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

14 CS is CCA2 secure Claim 3: |Pr[A’=1|Rand]|  ½ + negl Proof: Show g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1  r’ ) Except w/neg prob  0,r  r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y  (*) We saw: –if A knows only (*) then g 3 x g 4 y is random (from A’s view). –in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Lemma: in phase 3 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u  log g2 v and D SK (u,v,w,e)   Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 3


Download ppt "Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998."

Similar presentations


Ads by Google