Download presentation

Presentation is loading. Please wait.

Published byVincent Francis Golden Modified over 2 years ago

1
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998 These slides are partially based on Jonathan Katz’s lecture notes. Benny Applebaum

2
CCA1 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b {0,1} C=E PK (m b ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA1 secure if any efficient A wins with probability <1/2+neg

3
DDH Assumption Let G be a cyclic group of (prime) order q DH tuple: (g,g a,g b,g ab ) Rand tuple (g,g a,g b,g c ) where g is a random generator and a,b,c Z q DDH Assumption: Hard to distinguish Rand from DDH |Pr[A(DH)=1]-Pr[A(Rand)=1]|

4
Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b Z q SK = (x,y,a,b) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e u a v b then output –Else, output w/(u x v y )

5
Cramer & Shoup Lite PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) – g 1,g 2 are random generators and x,y,a,b Z q SK = (x,y,a,b) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, c r ) D SK (u,v,w,e): –If e u a v b then output –Else, output w/(u x v y ) Correctness: Easy…

6
CSL is CCA1 secure x,y,a,b Z q ; SK=( x,y,a,b ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b ) D SK (c 1 ) D SK (c p ) b {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a g 4 b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CSL via CCA1 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand”

7
CSL is CCA1 secure Thm. Under the DDH, CSL is CCA1 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

8
CSL is CCA1 secure Claim 3: |Pr[A’=1|Rand]| ½ + negl Proof: Show that (except w/neg prob) A attacks a perfect cipher. I.e, g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1 r’ ) Except w/neg prob 0,r r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y (*) We saw: if A knows only (*) then g 3 x g 4 y is random (from A’s view). Lemma: in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u log g2 v and D SK (u,v,w,e) Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 2

9
CSL is CCA1 secure Is CSL CCA2 secure? Why the argument fail to prove CCA2 security?

10
CCA2 Security Generate (PK,SK) PK D SK (c 1 ) D SK (c p ) b {0,1} C*=E PK (m b ) D SK (c 1 ) D SK (c p ) A c1c1 cpcp (m 0,m 1 ) b’ A wins if b=b’. The scheme is CCA2 secure if any efficient A wins with probability <1/2+neg c’ 1 c* c’ p c*

11
The Cramer & Shoup Cryptosystem PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b ’,H) g 1,g 2 are random generators, x,y,a,b,a’,b’ Z q and H is a hash function SK = (x,y,a,b,a’,b’) E PK (m): choose r Z q ; set C=(g 1 r,g 2 r, h r m, (cd ) r ), where =H(g 1 r,g 2 r, h r m) D SK (u,v,w,e): –If e u a + a’ v b + b’ (where =H(g 1 r,g 2 r, h r m)) then output –Else, output w/(u x v y ) Correctness: Easy…

12
CS is CCA2 secure x,y,a,b,a’,b’ Z q ; SK=( x,y,a,b,a’,b’ ) PK= (g 1,g 2,h=g 1 x g 2 y, c= g 1 a g 2 b, d= g 1 a’ g 2 b’,H) D SK (c 1 ) D SK (c p ) b {0,1} C=(g 3,g 4, g 3 x g 4 y m b, g 3 a+ a’ g 4 b + b’ ) where =H(g 3,g 4, g 3 x g 4 y m b ) A c1c1 cpcp (m 0,m 1 ) b’ Assume that A breaks CS via CCA2 Construct A’ that breaks DDH A’ (g 1,g 2,g 3,g 4 ) If b=b’ then output “DDH” otherwise output “Rand” c’ 1 c’ p

13
CS is CCA2 secure Thm. Under the DDH, CS is CCA2 secure. Proof: 1.|Pr[A’(DH)=1]-Pr[A’(Rand)=1]|

14
CS is CCA2 secure Claim 3: |Pr[A’=1|Rand]| ½ + negl Proof: Show g 3 x g 4 y is random (according to A’s view). Let (g 1,g 2 = g 1 ,g 3 = g 1 r,g 4 = g 1 r’ ) Except w/neg prob 0,r r’ From PK, A knows h=g 1 x g 2 y ; that is, log g1 h=x+ y (*) We saw: –if A knows only (*) then g 3 x g 4 y is random (from A’s view). –in phase 2 (except w/neg prob) A doesn’t learn info regarding (x,y). Lemma: in phase 3 (except w/neg prob) A doesn’t learn info regarding (x,y). Proof: A query (u,v,w,e) is bad if log g1 u log g2 v and D SK (u,v,w,e) Claim 4: (except w/neg prob) A’s queries are all good Claim 5: If A’s queries are all good then A does not learn additional info regarding (x,y) in phase 3

Similar presentations

OK

CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.

CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on machine translation patent Ppt on soil pollution Ppt on world book day costumes Resource based view ppt online Ppt on central excise duty Ppt on atrial septal defect in adults Ppt on current trends in information technology Ppt on 60 years of indian parliament building Ppt on odisha cultured Ppt online open file