Motivation The Encryption Scheme History & Implementation Conclusion
The Cramer-Shoup Cryptosystem
Eileen Wagner
October 22, 2014
1 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. [2]
2 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion
3 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion
4 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far Public-key encryption
Diffie-Hellman key exchange
http://en.wikipedia.org/ wiki/File:Diffie-Hellman_ Key_Exchange.svg
5 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far ElGamal encryption
' Alice $ n Gen: (q, g) ← G(1 ) ' Bob $
x G = hgi a group, |G| = q Decsk (c1, c2) = c2/c1 pk = (g, q, h) - r r x sk = x ← Zq Decsk (c1, c2)= h m/(g ) (g r , hr m) x h := g Decsk (c1, c2)= m
for m ∈ G: get r ← Zq r r Encpk (m) = (g , h m) & %
& % 6 / 28 If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.
Decisional Diffie-Hellman Problem
| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far Important results
How secure are our schemes?
7 / 28 Decisional Diffie-Hellman Problem
| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far Important results
How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.
7 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far Important results
How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.
Decisional Diffie-Hellman Problem
| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)
7 / 28 For example, in ElGamal, given (c1, c2) an adversary can query (c1, t · c2), which is a valid decryption for tm.
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security CCA1 vs. CCA2
Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext.
8 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security CCA1 vs. CCA2
Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext.
For example, in ElGamal, given (c1, c2) an adversary can query (c1, t · c2), which is a valid decryption for tm.
8 / 28 → CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack.
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security CCA1 vs. CCA2
Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.
9 / 28 A CCA1-attack is also called a lunchtime attack.
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security CCA1 vs. CCA2
Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.
→ CCA2-security is equivalent to non-malleability [1]
9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security CCA1 vs. CCA2
Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.
→ CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack.
9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security Recall: OAEP for RSA
Optimal asymmetric encryption padding
http://en.wikipedia.org/ wiki/File: Oaep-diagram-20080305.png
10 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion
11 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
ElGamal encryption
' Alice $ n Gen: (q, g) ← G(1 ) ' Bob $
x G = hgi a group, |G| = q Decsk (c1, c2) = c2/c1 pk = (g, q, h) - r r x sk = x ← Zq Decsk (c1, c2)= h m/(g ) (g r , hr m) x h := g Decsk (c1, c2)= m
for m ∈ G: get r ← Zq r r Encpk (m) = (g , h m) & %
& % 12 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup Cramer-Shoup encryption
' Alice $
n Gen: (q, g1, g2) ← G(1 ) ' Bob $
sk =( x1, x2, y1, y2, z) ← Zq pk = (g1, g2, α := H(u1, u2, e) c, d, h, H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 , d := g1 g2 u1 u2 (u1, u2, e, v) z ( h := g1 verified, v = for m ∈ G: get r ← Zq abort, otherwise r r r u1 := g1 , u2 := g2 , e := h m z Decsk (u1, u2, e, v) = e/u r rα 1 α := H(u1, u2, e), v := c d
Encpk (m) = (u1, u2, e, v) & % 13 / 28 & % z r z r 2 Since u1 = h , Decsk (u1, u2, e, v) = e/u1 = e/h = m
Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup Cramer-Shoup encryption
Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v
14 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup Cramer-Shoup encryption
Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v z r z r 2 Since u1 = h , Decsk (u1, u2, e, v) = e/u1 = e/h = m
14 / 28 Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem.
Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security Theorem
Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G.
15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security Theorem
Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G.
Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem.
15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security Proof of Security
'S $ (g , g , u , u ) ← D or R 'A $ 1 2 1-2 (x1, x2, y1, y2, z1, z2) ← Zq m0, m1 ∈ G
x1 x2 y1 y2 z1 z2 z1 z2 c := g1 g2 , d := g1 g2 , h := g1 g2 Decsk (c∗) = e/u1 u2 = mb0
b ← {0, 1} c∗ = (u1-, u2, e, v) e := uz1 uz2 m , α := H(u , u , e) 1 2 b 1 2 ( x1+y1α x2+y2α output b’, D v = u1 u2 ( ⊥, R 1, b = b0 output = 0, b 6= b0 & % & 16 / 28% Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash)
Motivation The Encryption Scheme History & Implementation Conclusion
Features Comparison
One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle
17 / 28 Intractability assumptions are minimal (only DDH & hash)
Motivation The Encryption Scheme History & Implementation Conclusion
Features Comparison
One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption
17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Features Comparison
One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash)
17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Features Computation
The ciphertext is about four times plaintext (not a big deal in most applications) and takes about twice as much computation as ElGamal.
18 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Features Cramer-Shoup encryption
' Alice $
n Gen: (q, g1, g2) ← G(1 ) ' Bob $
sk =( x1, x2, y1, y2, z) ← Zq pk = (g1, g2, α := H(u1, u2, e) c, d, h, H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 , d := g1 g2 u1 u2 (u1, u2, e, v) z ( h := g1 verified, v = for m ∈ G: get r ← Zq abort, otherwise r r r u1 := g1 , u2 := g2 , e := h m z Decsk (u1, u2, e, v) = e/u r rα 1 α := H(u1, u2, e), v := c d
Encpk (m) = (u1, u2, e, v) & % 19 / 28 & % Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion
20 / 28 hangs around in bars
Motivation The Encryption Scheme History & Implementation Conclusion
People Ronald Cramer
1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science
21 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
People Ronald Cramer
1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science hangs around in bars 21 / 28 on RateMyProfessors, he has an average rating of 1.4/5
Motivation The Encryption Scheme History & Implementation Conclusion
People Victor Shoup
born ?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory
22 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
People Victor Shoup
born ?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory on RateMyProfessors, he has an average rating of 1.4/5 22 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Implementation Schneier on Cramer-Shoup
“If, in a few years, Cramer-Shoup still looks secure, cryptographers may look at using it instead of other defenses they are already using. But since IBM is going to patent Cramer-Shoup, probably not.” [3]
23 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion
24 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Summary
25 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
Summary
The Cramer-Shoup system is an asymmetric key encryption algorithm based on the ElGamal scheme First efficient scheme proven to be secure against adaptive chosen ciphertext attacks
26 / 28 Motivation The Encryption Scheme History & Implementation Conclusion
thank you!
27 / 28 References
Mihir Bellare and Amit Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In Advances in cryptology—CRYPTO’99, pages 519–536. Springer, 1999. Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology—CRYPTO’98, pages 13–25. Springer, 1998. Bruce Schneier. Cramer-Shoup cryptosystem. Crypto-Gram Newsletter, 15.09.98. 28 / 28