Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.


1 Cramer & Shoup Encryption
Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
These slides are partially based on Jonathan Katz’s lecture notes.
Benny Applebaum

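2 CCA1 Security
Game between a challenger and an adversary $A$ (diagram):
– The challenger generates $(PK, SK)$ and sends $PK$ to $A$.
– $A$ submits ciphertexts $c_1, \dots, c_p$ and receives $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– $A$ sends $(m_0, m_1)$; the challenger picks $b \in \{0,1\}$ and returns $C = E_{PK}(m_b)$.
– $A$ outputs $b'$.
$A$ wins if $b = b'$. The scheme is CCA1 secure if any efficient $A$ wins with probability $< 1/2 + \mathrm{negl}$.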

3 DDH Assumption
Let $G$ be a cyclic group of (prime) order $q$.
DH tuple: $(g, g^a, g^b, g^{ab})$
Rand tuple: $(g, g^a, g^b, g^c)$
where $g$ is a random generator and $a, b, c \in \mathbb{Z}_q$.
DDH Assumption: Hard to distinguish Rand from DDH: $|\Pr[A(DH)=1] - \Pr[A(Rand)=1]| < \mathrm{negl}$, for any poly-time $A$.

5 Cramer & Shoup Lite
$PK = (g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b)$
– $g_1, g_2$ are random generators and $x, y, a, b \in \mathbb{Z}_q$
$SK = (x, y, a, b)$
$E_{PK}(m)$: choose $r \in \mathbb{Z}_q$; set $C = (g_1^r, g_2^r, h^r m, c^r)$
$D_{SK}(u, v, w, e)$:
– If $e \neq u^a v^b$ then output $\bot$
– Else, output $w / (u^x v^y)$
Correctness: Easy…

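6 CSL is CCA1 secure
Assume that $A$ breaks CSL via CCA1. Construct $A'$ that breaks DDH.
$A'(g_1, g_2, g_3, g_4)$ (diagram):
– Choose $x, y, a, b \in \mathbb{Z}_q$; $SK = (x, y, a, b)$; send $PK = (g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b)$ to $A$.
– Answer $A$'s queries $c_1, \dots, c_p$ with $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– On $(m_0, m_1)$ from $A$, pick $b \in \{0,1\}$ and return $C = (g_3, g_4, g_3^x g_4^y m_b, g_3^a g_4^b)$.
– $A$ outputs $b'$. If $b = b'$ then output “DDH”, otherwise output “Rand”.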

7 CSL is CCA1 secure
Thm. Under the DDH, CSL is CCA1 secure.
Proof:
1. $|\Pr[A'(DH)=1] - \Pr[A'(Rand)=1]| < \mathrm{negl}$ follows from the DDH assumption, since $A'$ is poly-time.
2. Claim: $\Pr[A'=1 \mid DH] = \Pr[A \text{ CCA1 breaks CSL}]$
3. Claim: $|\Pr[A'=1 \mid Rand]| \le 1/2 + \mathrm{negl}$
Hence: $\Pr[A \text{ CCA1 breaks CSL}] = \Pr[A'=1 \mid DH] \le |\Pr[A'=1 \mid Rand]| + \mathrm{negl} \le 1/2 + \mathrm{negl}$

8 CSL is CCA1 secure
Claim 3: $|\Pr[A'=1 \mid Rand]| \le 1/2 + \mathrm{negl}$
Proof: Show that (except w/neg prob) $A$ attacks a perfect cipher, i.e., $g_3^x g_4^y$ is random (according to $A$'s view).
Let $(g_1, g_2 = g_1^{\gamma}, g_3 = g_1^{r}, g_4 = g_1^{\gamma r'})$. Except w/neg prob, $\gamma \neq 0$ and $r \neq r'$.
From PK, $A$ knows $h = g_1^x g_2^y$; that is, $\log_{g_1} h = x + y\gamma$ (*)
We saw: if $A$ knows only (*) then $g_3^x g_4^y$ is random (from $A$'s view).
Lemma: in phase 2 (except w/neg prob) $A$ doesn't learn info regarding $(x, y)$.
Proof: A query $(u, v, w, e)$ is bad if $\log_{g_1} u \neq \log_{g_2} v$ and $D_{SK}(u, v, w, e) \neq \bot$.
Claim 4: (except w/neg prob) $A$'s queries are all good.
Claim 5: If $A$'s queries are all good then $A$ does not learn additional info regarding $(x, y)$ in phase 2.
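The reduction of slides 6 to 8, as an added Python example that is not part of the original slides: `simulate` plays $A'$, and `possible_masks` enumerates every value $g_3^{x'} g_4^{y'}$ that is consistent with the public $h$. The toy group, the function names and the name `gamma` for $\log_{g_1} g_2$ are assumptions of this example.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, and the
# squares mod P form a cyclic group of prime order Q.
P, Q = 2039, 1019

def instance(is_dh):
    """Return (g1, g2, g3, g4) = (g1, g1^gamma, g1^r, g1^(gamma*r')) and gamma.
    DH tuple: r' = r. Rand tuple: r' != r is forced here (the slide's generic case)."""
    g1 = pow(secrets.randbelow(P - 3) + 2, 2, P)
    gamma, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    r2 = r if is_dh else (r + 1 + secrets.randbelow(Q - 1)) % Q
    return (g1, pow(g1, gamma, P), pow(g1, r, P), pow(g1, gamma * r2 % Q, P)), gamma

def simulate(tup, m):
    """A' of the slide: pick SK, publish PK, build the challenge from (g3, g4)."""
    g1, g2, g3, g4 = tup
    x, y, a, b = (secrets.randbelow(Q) for _ in range(4))
    pk = (g1, g2, pow(g1, x, P) * pow(g2, y, P) % P, pow(g1, a, P) * pow(g2, b, P) % P)
    ct = (g3, g4, pow(g3, x, P) * pow(g4, y, P) * m % P, pow(g3, a, P) * pow(g4, b, P) % P)
    return pk, (x, y, a, b), ct

def is_honest_encryption(pk, ct, m):
    """True iff ct = (g1^r, g2^r, h^r * m, c^r) for some r (brute force over Z_q)."""
    g1, g2, h, c = pk
    return any(ct == (pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * m % P, pow(c, r, P))
               for r in range(Q))

def possible_masks(tup, gamma, sk):
    """Values g3^x' * g4^y' over every (x', y') with x' + gamma*y' = x + gamma*y
    (mod q), i.e. every secret key that is consistent with the public h."""
    _, _, g3, g4 = tup
    t, inv = (sk[0] + gamma * sk[1]) % Q, pow(gamma, -1, Q)
    return {pow(g3, xp, P) * pow(g4, (t - xp) * inv % Q, P) % P for xp in range(Q)}

if __name__ == "__main__":
    for is_dh in (True, False):
        tup, gamma = instance(is_dh)
        pk, sk, ct = simulate(tup, 4)
        print("DH" if is_dh else "Rand", is_honest_encryption(pk, ct, 4),
              len(possible_masks(tup, gamma, sk)))
```

On a DH tuple the challenge is an honest encryption and the mask is fixed by $h$; on a Rand tuple with $r \neq r'$ all $q$ masks remain possible, which is the perfect cipher of Claim 3.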

9 CSL is CCA1 secure
Is CSL CCA2 secure?
Why does the argument fail to prove CCA2 security?

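10 CCA2 Security
Game between a challenger and an adversary $A$ (diagram):
– The challenger generates $(PK, SK)$ and sends $PK$ to $A$.
– $A$ submits ciphertexts $c_1, \dots, c_p$ and receives $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– $A$ sends $(m_0, m_1)$; the challenger picks $b \in \{0,1\}$ and returns $C^* = E_{PK}(m_b)$.
– $A$ submits further ciphertexts $c'_1, \dots, c'_p$ with $c'_1 \neq C^*, \dots, c'_p \neq C^*$ and receives their decryptions under $D_{SK}$.
– $A$ outputs $b'$.
$A$ wins if $b = b'$. The scheme is CCA2 secure if any efficient $A$ wins with probability $< 1/2 + \mathrm{negl}$.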

11 The Cramer & Shoup Cryptosystem
$PK = (g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b, d = g_1^{a'} g_2^{b'}, H)$
– $g_1, g_2$ are random generators, $x, y, a, b, a', b' \in \mathbb{Z}_q$ and $H$ is a hash function
$SK = (x, y, a, b, a', b')$
$E_{PK}(m)$: choose $r \in \mathbb{Z}_q$; set $C = (g_1^r, g_2^r, h^r m, (c d^{\alpha})^r)$, where $\alpha = H(g_1^r, g_2^r, h^r m)$
$D_{SK}(u, v, w, e)$:
– If $e \neq u^{a + \alpha a'} v^{b + \alpha b'}$ (where $\alpha = H(g_1^r, g_2^r, h^r m)$) then output $\bot$
– Else, output $w / (u^x v^y)$
Correctness: Easy…
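An added Python example (not from the original slides) implementing the scheme above and, with `full=False`, the Cramer & Shoup Lite scheme of the earlier slides; `maul` changes only $w$, which shows what the hash value $\alpha$ adds to the validity check. The toy group, SHA-256 as $H$ and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, and the
# squares mod P form a cyclic group of prime order Q.
P, Q = 2039, 1019

def rand_gen():
    return pow(secrets.randbelow(P - 3) + 2, 2, P)  # square of a value in [2, P-2]

def H(u, v, w):
    # SHA-256 reduced mod Q stands in for the slide's hash function H
    return int.from_bytes(hashlib.sha256(f"{u},{v},{w}".encode()).digest(), "big") % Q

def keygen():
    g1, g2 = rand_gen(), rand_gen()
    x, y, a, b, a2, b2 = (secrets.randbelow(Q) for _ in range(6))
    h = pow(g1, x, P) * pow(g2, y, P) % P
    c = pow(g1, a, P) * pow(g2, b, P) % P
    d = pow(g1, a2, P) * pow(g2, b2, P) % P
    return (g1, g2, h, c, d), (x, y, a, b, a2, b2)

def encrypt(pk, m, full=True):
    g1, g2, h, c, d = pk
    r = secrets.randbelow(Q)
    u, v, w = pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * m % P
    alpha = H(u, v, w) if full else 0  # alpha = 0 drops d: this is CS Lite
    return u, v, w, pow(c * pow(d, alpha, P) % P, r, P)

def decrypt(sk, ct, full=True):
    x, y, a, b, a2, b2 = sk
    u, v, w, e = ct
    alpha = H(u, v, w) if full else 0
    if e != pow(u, a + alpha * a2, P) * pow(v, b + alpha * b2, P) % P:
        return None  # the slides' "output ⊥"
    return w * pow(pow(u, x, P) * pow(v, y, P) % P, -1, P) % P

def maul(ct, k):
    # Change only w (multiply it by k); u, v and the tag e stay as they were
    u, v, w, e = ct
    return u, v, w * k % P, e

if __name__ == "__main__":
    pk, sk = keygen()
    for full in (False, True):
        ct = maul(encrypt(pk, 4, full), 9)
        print("full CS" if full else "CS Lite", "->", decrypt(sk, ct, full))
```

With `full=False` the modified ciphertext still passes the check $e = u^a v^b$ and decrypts to $m \cdot k$, so the Lite check does not bind $w$. In the full scheme the changed $w$ changes $\alpha$, and the check fails except with small probability in this toy group.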

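12 CS is CCA2 secure
Assume that $A$ breaks CS via CCA2. Construct $A'$ that breaks DDH.
$A'(g_1, g_2, g_3, g_4)$ (diagram):
– Choose $x, y, a, b, a', b' \in \mathbb{Z}_q$; $SK = (x, y, a, b, a', b')$; send $PK = (g_1, g_2, h = g_1^x g_2^y, c = g_1^a g_2^b, d = g_1^{a'} g_2^{b'}, H)$ to $A$.
– Answer $A$'s queries $c_1, \dots, c_p$ with $D_{SK}(c_1), \dots, D_{SK}(c_p)$.
– On $(m_0, m_1)$ from $A$, pick $b \in \{0,1\}$ and return $C = (g_3, g_4, g_3^x g_4^y m_b, g_3^{a + \alpha a'} g_4^{b + \alpha b'})$, where $\alpha = H(g_3, g_4, g_3^x g_4^y m_b)$.
– Answer $A$'s further queries $c'_1, \dots, c'_p$.
– $A$ outputs $b'$. If $b = b'$ then output “DDH”, otherwise output “Rand”.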

13 CS is CCA2 secure
Thm. Under the DDH, CS is CCA2 secure.
Proof:
1. $|\Pr[A'(DH)=1] - \Pr[A'(Rand)=1]| < \mathrm{negl}$ follows from the DDH assumption, since $A'$ is poly-time.
2. Claim: $\Pr[A'=1 \mid DH] = \Pr[A \text{ CCA2 breaks CS}]$
3. Claim: $|\Pr[A'=1 \mid Rand]| \le 1/2 + \mathrm{negl}$
Hence: $\Pr[A \text{ CCA2 breaks CS}] = \Pr[A'=1 \mid DH] \le |\Pr[A'=1 \mid Rand]| + \mathrm{negl} \le 1/2 + \mathrm{negl}$

14 CS is CCA2 secure
Claim 3: $|\Pr[A'=1 \mid Rand]| \le 1/2 + \mathrm{negl}$
Proof: Show $g_3^x g_4^y$ is random (according to $A$'s view).
Let $(g_1, g_2 = g_1^{\gamma}, g_3 = g_1^{r}, g_4 = g_1^{\gamma r'})$. Except w/neg prob, $\gamma \neq 0$ and $r \neq r'$.
From PK, $A$ knows $h = g_1^x g_2^y$; that is, $\log_{g_1} h = x + y\gamma$ (*)
We saw:
– if $A$ knows only (*) then $g_3^x g_4^y$ is random (from $A$'s view).
– in phase 2 (except w/neg prob) $A$ doesn't learn info regarding $(x, y)$.
Lemma: in phase 3 (except w/neg prob) $A$ doesn't learn info regarding $(x, y)$.
Proof: A query $(u, v, w, e)$ is bad if $\log_{g_1} u \neq \log_{g_2} v$ and $D_{SK}(u, v, w, e) \neq \bot$.
Claim 4: (except w/neg prob) $A$'s queries are all good.
Claim 5: If $A$'s queries are all good then $A$ does not learn additional info regarding $(x, y)$ in phase 3.

