sign in sign up
<<
Home , Random oracle

Motivation The Encryption Scheme History & Implementation Conclusion

The Cramer-Shoup Cryptosystem

Eileen Wagner

October 22, 2014

1 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. [2]

2 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Outline

1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion

3 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Outline

1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion

4 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

What we’ve seen so far Public-key encryption

Diffie-Hellman key exchange

http://en.wikipedia.org/ wiki/File:Diffie-Hellman_ Key_Exchange.svg

5 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

What we’ve seen so far ElGamal encryption

' Alice $ n Gen: (q, g) ← G(1 ) ' Bob $

x G = hgi a group, |G| = q Decsk (c1, c2) = c2/c1 pk = (g, q, h) - r r x sk = x ← Zq Decsk (c1, c2)= h m/(g ) (g r , hr m) x h := g Decsk (c1, c2)= m

for m ∈ G: get r ← Zq r r Encpk (m) = (g , h m) & %

& % 6 / 28 If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.

Decisional Diffie-Hellman Problem

| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)

Motivation The Encryption Scheme History & Implementation Conclusion

What we’ve seen so far Important results

How secure are our schemes?

7 / 28 Decisional Diffie-Hellman Problem

| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)

Motivation The Encryption Scheme History & Implementation Conclusion

What we’ve seen so far Important results

How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.

7 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

What we’ve seen so far Important results

How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure.

Decisional Diffie-Hellman Problem

| Pr[A(G, q, g, g x , g y , g z ) = 1]−Pr[A(G, q, g, g x , g y , g xy ) = 1]| ≤ negl(n)

7 / 28 For example, in ElGamal, given (c1, c2) an adversary can query (c1, t · c2), which is a valid decryption for tm.

Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security CCA1 vs. CCA2

Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext.

8 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security CCA1 vs. CCA2

Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext.

For example, in ElGamal, given (c1, c2) an adversary can query (c1, t · c2), which is a valid decryption for tm.

8 / 28 → CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack.

Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security CCA1 vs. CCA2

Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.

9 / 28 A CCA1-attack is also called a lunchtime attack.

Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security CCA1 vs. CCA2

Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.

→ CCA2-security is equivalent to non-malleability [1]

9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security CCA1 vs. CCA2

Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts.

→ CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack.

9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Stronger notions of security Recall: OAEP for RSA

Optimal asymmetric encryption

http://en.wikipedia.org/ wiki/File: Oaep-diagram-20080305.png

10 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Outline

1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion

11 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

ElGamal encryption

' Alice $ n Gen: (q, g) ← G(1 ) ' Bob $

x G = hgi a group, |G| = q Decsk (c1, c2) = c2/c1 pk = (g, q, h) - r r x sk = x ← Zq Decsk (c1, c2)= h m/(g ) (g r , hr m) x h := g Decsk (c1, c2)= m

for m ∈ G: get r ← Zq r r Encpk (m) = (g , h m) & %

& % 12 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Cramer-Shoup Cramer-Shoup encryption

' Alice $

n Gen: (q, g1, g2) ← G(1 ) ' Bob $

sk =( x1, x2, y1, y2, z) ← Zq pk = (g1, g2, α := H(u1, u2, e) c, d, h, H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 , d := g1 g2 u1 u2 (u1, u2, e, v) z ( h := g1 verified, v = for m ∈ G: get r ← Zq abort, otherwise r r r u1 := g1 , u2 := g2 , e := h m z Decsk (u1, u2, e, v) = e/u r rα 1 α := H(u1, u2, e), v := c d

Encpk (m) = (u1, u2, e, v) & % 13 / 28 & % z r z r 2 Since u1 = h , Decsk (u1, u2, e, v) = e/u1 = e/h = m

Motivation The Encryption Scheme History & Implementation Conclusion

Cramer-Shoup Cramer-Shoup encryption

Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v

14 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Cramer-Shoup Cramer-Shoup encryption

Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v z r z r 2 Since u1 = h , Decsk (u1, u2, e, v) = e/u1 = e/h = m

14 / 28 Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem.

Motivation The Encryption Scheme History & Implementation Conclusion

Proof of Security Theorem

Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G.

15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Proof of Security Theorem

Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G.

Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem.

15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Proof of Security Proof of Security

'S $ (g , g , u , u ) ← D or R 'A $ 1 2 1-2 (x1, x2, y1, y2, z1, z2) ← Zq m0, m1 ∈ G

x1 x2 y1 y2 z1 z2 z1 z2 c := g1 g2 , d := g1 g2 , h := g1 g2 Decsk (c∗) = e/u1 u2 = mb0

b ← {0, 1} c∗ = (u1-, u2, e, v) e := uz1 uz2 m , α := H(u , u , e) 1 2 b 1 2 ( x1+y1α x2+y2α output b’, D v = u1 u2 ( ⊥, R 1, b = b0 output =  0, b 6= b0 & % & 16 / 28% Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash)

Motivation The Encryption Scheme History & Implementation Conclusion

Features Comparison

One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle

17 / 28 Intractability assumptions are minimal (only DDH & hash)

Motivation The Encryption Scheme History & Implementation Conclusion

Features Comparison

One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption

17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Features Comparison

One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash)

17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Features Computation

The ciphertext is about four times plaintext (not a big deal in most applications) and takes about twice as much computation as ElGamal.

18 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Features Cramer-Shoup encryption

' Alice $

n Gen: (q, g1, g2) ← G(1 ) ' Bob $

sk =( x1, x2, y1, y2, z) ← Zq pk = (g1, g2, α := H(u1, u2, e) c, d, h, H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 , d := g1 g2 u1 u2 (u1, u2, e, v) z ( h := g1 verified, v = for m ∈ G: get r ← Zq abort, otherwise r r r u1 := g1 , u2 := g2 , e := h m z Decsk (u1, u2, e, v) = e/u r rα 1 α := H(u1, u2, e), v := c d

Encpk (m) = (u1, u2, e, v) & % 19 / 28 & % Motivation The Encryption Scheme History & Implementation Conclusion

Outline

1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion

20 / 28 hangs around in bars

Motivation The Encryption Scheme History & Implementation Conclusion

People Ronald Cramer

1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science

21 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

People Ronald Cramer

1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science hangs around in bars 21 / 28 on RateMyProfessors, he has an average rating of 1.4/5

Motivation The Encryption Scheme History & Implementation Conclusion

People Victor Shoup

born ?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory

22 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

People Victor Shoup

born ?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory on RateMyProfessors, he has an average rating of 1.4/5 22 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Implementation Schneier on Cramer-Shoup

“If, in a few years, Cramer-Shoup still looks secure, cryptographers may look at using it instead of other defenses they are already using. But since IBM is going to patent Cramer-Shoup, probably not.” [3]

23 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Outline

1 Motivation What we’ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion

24 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Summary

25 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

Summary

The Cramer-Shoup system is an asymmetric key encryption algorithm based on the ElGamal scheme First efficient scheme proven to be secure against adaptive chosen ciphertext attacks

26 / 28 Motivation The Encryption Scheme History & Implementation Conclusion

thank you!

27 / 28 References

Mihir Bellare and Amit Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In Advances in cryptology—CRYPTO’99, pages 519–536. Springer, 1999. Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology—CRYPTO’98, pages 13–25. Springer, 1998. Bruce Schneier. Cramer-Shoup cryptosystem. Crypto-Gram Newsletter, 15.09.98. 28 / 28