sign in sign up
<<
Home , Random oracle

Fast Cramer-Shoup Cryptosystem

Pascal Lafourcade1 a,Leo´ Robert1 b and Demba Sow2 c 1Universite´ Clermont Auvergne, LIMOS CNRS (UMR 6158), Campus des Cezeaux,´ Aubiere,` France 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Senegal

Keywords: Public Key Encryption, Cramer-Shoup, IND-CCA2.

Abstract: Cramer-Shoup was the first practical adaptive CCA-secure public key encryption scheme. We propose a faster version of this encryption scheme, called Fast Cramer-Shoup. We show empirically and theoretically that our scheme is faster than three versions proposed by Cramer-Shoup in 1998. We observe an average gain of 60% for the decryption algorithm. We prove the IND-CCA2 security of our scheme. The proof only relies on intractability assumptions like DDH.

1 INTRODUCTION Pointcheval, 2011). Finally to conclude the story of OAEP, an computer verified proof has been made Provable security is an important issue in modern in (Barthe et al., 2011). . It allows us to formally prove the Our goal is to design a faster version of Cramer- security of the encryption schemes by reduction to Shoup scheme. For this, we use the approach pro- difficult problems such as discrete logarithm prob- posed in (Sow and Sow, 2011) to improve the decryp- lem (DL), Computational Decisional Diffie-Hellman tion algorithm of ElGamal (Elgamal, 1985). problem (CDH), Decision Diffie-Hellman problem (DDH) (Boneh, 1998; Joux and Guyen, 2006) or the Contributions: Our main aim is to improve the ef- quadratic residuosity problem. For instance, the DDH ficiency of the Cramer-Shoup public key scheme: problem is used to prove the IND-CPA security of the 1. We design a public key cryptosystem, called Fast ElGamal encryption scheme (Elgamal, 1985). In or- Cramer-Shoup, based on the Generalized ElGa- der to have security against adaptive chosen ciphertext mal encryption scheme (Sow and Sow, 2011). attacks (IND-CCA2), a notion introduced in 1991 by 2. We implemented all these schemes with Dolev et al. (Dolev et al., 1991), Cramer and Shoup GMP (Granlund, 2020) to demonstrate that proposed in 1998 an encryption scheme (Cramer and Fast Cramer-Shoup is the fastest one with a gain Shoup, 1998) that has a verification mechanism in the of 60% for decryption algorithm . decryption algorithm to avoid malleability of the ci- 3. We prove its security against the adaptive chosen phertext and also uses one hash function. ciphertext attack (IND-CCA2) under the (DDH) Fujisaki and Okamoto in (Fujisaki and Okamoto, assumption. 1999) proposed a generic conversion from any IND- CPA cryptosystem into an IND-CCA2 one, in the random oracle model (ROM) (Bellare and Rogaway, Related Works: Shoup and Gennaro (Shoup and 1993). However the design of an IND-CCA2 encryp- Gennaro, 1998) give two ElGamal-like practical tion scheme is not easy, as the story of Optimal Asym- threshold cryptosystems that are secure against adap- tive chosen ciphertext attack in the random oracle metric Encryption (OAEP) (Bellare and Rog- r away, 1994; Pointcheval, 2011) can show. After a first model. They use H(h ) ⊕ m to encrypt the message try by Bellare and Rogaway (Bellare and Rogaway, m, unfortunately the trick of Sow et al. (Sow and Sow, 1994) in 1995, V. Shoup found a problem in (Shoup, 2011) cannot be applied in this case. 2001), that was fixed in (Phan and Pointcheval, 2004; In (Cramer and Shoup, 2002), the authors pro- posed a construction by considering an algebraic a https://orcid.org/0000-0002-4459-511X primitive called universal hash proof systems. They b https://orcid.org/0000-0002-9638-3143 showed that this framework yields not only the origi- c https://orcid.org/0000-0002-1917-2051 nal DDH-based Cramer-Shoup’s scheme but also en-

766

Lafourcade, P., Robert, L. and Sow, D. Fast Cramer-Shoup Cryptosystem. DOI: 10.5220/0010580607660771 In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 766-771 ISBN: 978-989-758-524-1 Copyright c 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

Fast Cramer-Shoup Cryptosystem

cryption schemes based on quadratic residuosity and Fast Decryption Algorithm: 4 on Paillier’s assumption (Paillier, 1999). D1 : Parse ψ ← (u1,u2,e,v) ∈ G ; output reject if ψ In 2011, a modified variant of ElGamal’s encryp- is not of this form. 0 tion scheme was presented (Sow and Sow, 2011), D2 : Test if u1 and u2 belong to G; reject otherwise. and it is called Generalized ElGamal’s encryption D3 : Compute α = H(u1,u2,e). 0 t z x+yα scheme. This version is faster than ElGamal, encryp- D4 : Test if u1u2 = 1 and v = u1 ; otherwise reject. 0 t tion algorithm is the same as ElGamal’s encryption D5 : Compute β = u1; D6 : Output m = βe. mechanism, the key generation algorithm is slower but the decryption process is faster. We adapt this idea z t z Correctness: Verification: We have βu2 = u1u2 = to improve Cramer and Shoup’s encryption scheme. r t rz wr t rz r(tw+z) rkq (g1) g2 = (g2 ) g2 = g2 = g2 = 1 since the x+yα r x+yα wr x+yα order of g2 is q and u1 = (g1) = (g2 ) = wx r wy rα r rα Outline: In Section 2, we propose our public key (g2 ) (g2 ) = c d = v. cryptosystem, called Fast Cramer-Shoup. In Sec- Decryption: The decryption message is βe = tion 3, we present the result of our empirically per- t wrt zr r(tw+z) rkq u1e = g2 g2 m = g2 m = g2 m = m, since the formance comparison and our complexity analysis for order of g2 is q. the key generation, encryption and decryption algo- rithms for all versions of Cramer-Shoup. 2.1 Security Proof of Fast Cramer-Shoup Scheme

2 Fast Cramer-Shoup’s As CS1’s proof in (Cramer and Shoup, 2003), to ENCRYPTION SCHEME prove that Fast Cramer-Shoup (FCS) is secure against adaptive chosen ciphertext attack if the DDH assump- We present our Fast Cramer-Shoup’s scheme and tion holds for G and the TCR assumption holds for prove that it is IND-CCA2 secure. Let us recall some HF, we need some notions. notions and definitions like the set of non-negative in- Suppose PKE is a public-key encryption scheme that uses a group scheme in the following natural tegers Z≥0, a security parameter λ, a group descrip- λ tion Γ, a computational group scheme G, a probabil- way: on input 1 , the key generation algorithm runs the sampling algorithm of the group scheme on in- ity distribution of group descriptions Sλ, hash func- λ tions (HF), target collision resistant (TCR) assump- put 1 , yielding a group description Γ. For a given tion for hash function (HF), some random variables probabilistic, polynomial-time oracle query machine as Coins used in the following are defined in (Cramer A,λ ∈ Z≥0, and group description Γ, let us define and Shoup, 2003) (see also (Naor and Yung, 1989)). AdvCCAPKE,A (λ|Γ) to be A’s in an adap- tive chosen ciphertext attack where the key generation algorithm uses the given value of Γ, instead of running Fast Key Generation Algorithm: the sampling algorithm of the group scheme. For all λ probabilistic, polynomial-time oracle query machines G1 : On input 1 for λ ∈ Z≥0, select a group Gˆ, along with a prime-order subgroup G and choose a gen- A, for all λ ∈ Z≥0, let QA (λ) be an upper bound on the number of decryption oracle queries made by A erator g2 ∈ G of order q. on input 1λ. We assume that Q (λ) is a strict bound G2 : Pick random elements x,y,k,t ∈ Zq with A in the sense that it holds regardless of the probabilis- log (t) = log2(q) , and compute w0,z ∈ such that 2 2 Zq tic choices of A, and regardless of the responses to its kq = tw0 + z and then compute w ≡ w0(mod q). w wx wy z oracle queries from its environment. G3 : Compute g1 = g2 ,c = g2 ,d = g2 and h = g2. R Theorem 2.1. The Fast Cramer-Shoup is secure G4 : Choose a hash function H ← HF. against adaptive chosen ciphertext attack if: G5 : Return (pk,sk), where pk = (Γ,H,g1,c,d,h) and sk = (Γ,H,t,x,y,z). 1. the DDH assumption holds for G; 2. and the target collision resistance (TCR) assump- tion holds for HF. Fast Encryption Algorithm: In particular, for all probabilistic, polynomial- E1 : Choose a random element r ∈ Zq and compute, time oracle query machines A, for all E2 : u = gr ; E3 :u = gr ;E4 :u = hr;E5 :e = u m; ˆ 1 1 2 2 3 3 λ ∈ Z≥0, and all Γ[G,G,g2,q] ∈ [Sλ], we have E6 : α = H(u ,u ,e); 1 2 AdvCCAFCS,A (λ|Γ) − AdvCCACS1,A (λ|Γ) ≤ E7 : v = crdrα and output ψ = (u ,u ,e,v). 1 2 QA (λ)/q

767 SECRYPT 2021 - 18th International Conference on Security and Cryptography

0 R γ Description of Games: Suppose that G4 : We replace step E5 by E5 : r ← Zq;e ← g pk = (Γ,H,g1,c,d,h) and sk = (Γ,H,t,x,y,z). so Pr[T4] = 1/2, since in game G4, the variable σ is Let w = log g , and define x,y,z ∈ as follows: g2 1 Zq never used. Define the event R4 to be the event in x = x1 + x2w, y = y1 + y2w and z = z1 + z2w. We game G4 analogous to the event R3 in game G3; that have x = log w c, y = log w d, and z = log h. R g2 g2 g2 is, 4 is the event that in game G4, some ciphertext ψ As a notation convention, whenever a particular is submitted to the decryption oracle that is rejected ciphertext is under consideration in some context, the in step D40 but that would have passed the test in step following values are also implicitly defined in that D4. We show that this modification has no effect; context: u1,u2,u3,e,v ∈ G where ψ = (u1,u2,e,v) and more precisely: Pr[T4] = Pr[T3], and pr[r4] = pr[r3] z u3 = u ; the random r ∈ q, where r = log w u1. G . We modify the decryption oracle with a spe- 2 Z g1 5 For the target ciphertext ψ∗, we also denote by cial rejection rule: if the adversary submits a ci- ∗ ∗ ∗ ∗ ∗ ∗ u1,u2,u3,e ,v ∈ G and r ∈ Zq the corresponding phertext ψ for decryption at a point in time after values. The probability space defining the attack the encryption oracle has been invoked, such that ∗ ∗ ∗ ∗ game is then determined by the following, mutually (u1,u2,e) 6= (u1,u2,e ) but α = α , then the decryp- independent, random variables: the coin tosses Coins tion oracle immediately outputs reject and halts (be- 0 of A; the values H,w,x1,x2,y1,y2,z1,z2 generated by fore executing step D4 ). to analyze this game, we the key generation algorithm; the values σ ∈ {0,1} define two events. first, we define the event C5 to be ∗ and r ∈ Zq generated by the encryption oracle. the event that the decryption oracle in game G5 re- G0 : Original attack game, let σˆ ∈ {0,1} be jects a ciphertext using the special rejection rule. We the output of A and T0 the event σ = σˆ , so define the event R5 to be the event in game G5 that AdvCCAFCS,A (λ|Γ) = |Pr[T0] − 1/2| some ciphertext ψ is submitted to the decryption or- 0 G1 : We now modify game G0 to obtain game G1. acle that is rejected in step D4 but that would have These two games are identical, except that instead of passed the test in step D4. note that such a cipher- using the encryption algorithm as given to compute text is not rejected by the special rejection rule, since the target ciphertext ψ∗, we use a modified encryption that rule is applied before step D40 is executed. Now, algorithm, in which steps E4 and E7 are replaced by it is clear that games G4 and G5 proceed identically 0 z 0 x+yα until event C occurs. By difference lemma, we have E4 :u3 = u2 and E7 :v = u1 . The change we have 5 ∗ ∗ |Pr[R ] − Pr[R ]| ≤ Pr[C ] C made is purely conceptual. The values of u3 and v 5 4 5 . Now, if event 5 occurs are exactly the same in game G1 as they were in G0 with non-negligible probability, we immediately get so Pr[T1] = Pr[T0] an algorithm that contradicts the target collision re- G2 : We modify the encryption oracle, replacing sistance assumption; 0 R rˆ step E3 by E3 :r ˆ ← Zq \{r};u2 ← g2 Lemma 2.3. There exists a probabilistic algorithm Lemma 2.2. There exists a probabilistic algorithm A2, whose running time is essentially the same as that of A, such that: A1, whose running time is essentially the same as that of A, such that Pr[C5] ≤ AdvTCRHF,A2 (λ|Γ) + 1/q. (2)

|Pr[T2] − Pr[T1]| ≤ AdvDDHG,A1 (λ|Γ) + 3/q. (1) Finally, we show that R5 occurs with negligible G3 : We modify the decryption algorithm, replac- probability, based on information theoretic consider- 0 w ing steps D4 and D5 with D4 : Test if u1 = u2 and ations: we have Pr[R5] ≤ Q (λ)/q. x+yα A v = u1 ; output reject and halt if this is not the 0 z case. D5 :u3 = u2. Note that the decryption ora- Theorem 2.1. To prove this theorem, let us fix A, λ, cle now make use of w, but does not make use of and Γ[Gˆ,G,g2,q]. Consider the attack game G0 as x1,x2,y1,y2,z1,z2, except indirectly through the val- defined above (or see §6.2 in (Cramer and Shoup, ues x,y,z. Now, let R3 be the event that in game G3, 2003)). This is the game that attacker A plays against some ciphertext ψ is submitted to the decryption or- the scheme FCS for the given values of λ and Γ. We acle that is rejected in step D40 but that would have adopt all the notations conventions established at the passed the test in step D4. Note that if a ciphertext beginning of §6.2 in (Cramer and Shoup, 2003). We 0 passes the test in D4 , it would also have passed the now modify game G0 to obtain a new game GFCS. test in D4. It is clear that games G2 and G3 proceed GameFCS. In this game, we modify the decryp- identically until the event R3 occurs. In particular, the tion oracle so that in place of steps D4 and D5 in 0 0 events T2 ∧ ¬R3 and T3 ∧ ¬R3 are identical. So by CS1, we execute steps D4 and D5 as in the scheme difference lemma |Pr[T3] − Pr[T2]| ≤ Pr[R3], and so FCS. (Note that in the FCS encryption algorithm the it suffices to bound Pr[R3]. We introduce auxiliary random parameter generated is r instead of u in CS1 ∗ games G4 and G5 below to do this. scheme. So the parameter u in CS1 corresponds

768 Fast Cramer-Shoup Cryptosystem

∗ Key Generation Algorithms to r here). We emphasize that in game GFCS, we Original x = x + x w,y = y + y w z = z + z w 0.1 have 1 2 1 2 , and 1 2 , Standard Efficient where w,x ,x ,y ,y ,z , and z are generated by the −2 1 2 1 2 1 2 8 · 10 Fast key generation algorithm of CS1. −2 0 6 · 10 Let TFCS be the event that σ = σ in game GFCS. 4 · 10−2

We remind the reader that games G0 and GFCS all op- Time in seconds erate on the same underlying probability space: all 2 · 10−2 ∗ 0 of the variables Coins,H,w,x1,x2,y1,y2,z1,z2,σ,r 29 210 211 212 that ultimately determine the events T0, and TFCS Size parameter have the same values in games G and G ; all 0 FCS Figure 1: Average execution time for key generation algo- that changes is the functional behavior of the de- rithms depending of the security parameter size. cryption oracle. It is straightforward to verify that AdvCCAFCS,A (λ|Γ) = |Pr[TFCS] − 1/2| Table 1: Comparison of Original, Standard, Efficient and Let us define the event RFCS to be the event that Fast Cramer-Shoup (minimum in bold). some ciphertext is rejected in game G in step D40 FCS Key Generation that would have passed the test in D4 in CS1 scheme Number of Original Standard Efficient Fast Generator 2 2 1 1 in (Cramer and Shoup, 2003). It is clear that games Random 6 5 4 4 G0 and GFCS all proceed identically until event RFCS Multiplication 3 2 0 3 Exponentiation 6 5 4 4 occurs. In particular, we have the events T0 ∧ ¬RFCS, and TFCS ∧ ¬RFCS are identical. So by difference lemma, we have |Pr[T0]−Pr[TFCS]| ≤ Pr[RFCS]. So it suffices to show that Pr[RFCS] ≤ QA (λ)/q. To do this, (i) for 1 ≤ i ≤ QA (λ), let RFCS be the event that there is 3 PERFORMANCES an ith ciphertext submitted to the decryption oracle in EVALUATION game GFCS, and that this ciphertext is rejected in step D40, but would have passed the test in step D4 in CS1 We study the complexity and the performance of Fast scheme in (Cramer and Shoup, 2003). The bound will Cramer-Shoup encryption scheme with the following follow immediately from the following lemma. variants of Cramer-Shoup encryption scheme: Orig- Lemma 2.4. For all 1 ≤ i ≤ QA (λ), we have inal CS, Standard CS, Efficient CS, Fast Cramer- Pr[R(i) ] ≤ 1/q. Shoup protocols. We study the number of operations FCS performed for key generation, encryption and decryp- Proof. The proof of this lemma is almost identical to tion. We present complexity results in Table 1 to Ta- Lemma 10 in (Cramer and Shoup, 2003). Note that ble 3. We also implemented those with the library in game GFCS, the encryption oracle uses the ”real” GMP (Granlund, 2020). encryption algorithm, and so itself does not leak any The tests are performed with security parameters additional information about (x1,x2,y1,y2). This is in of size 512, 1024, 2048 and 4096 bits. The average contrast to game G5, where the encryption oracle does execution time of all schemes is carried out under the leak additional information. same conditions in terms of generation of the values Fix 1 ≤ i ≤ QA (λ). Consider the quantities: X := and sizes of the security parameters. Indeed, given (Coins,H,w,z,σ,r∗) and X0 := (x,y). The values of X the size of a security parameter, we perform 1000 tri- and X0 completely determine the adversary’s entire als with new parameters: a prime number and some behavior in game G5, and hence determine if there random plaintexts that are generated for each trial. is an ith decryption oracle query, and if so, the value Then, we measure the execution time during one ex- of the corresponding ciphertext. Let us call X and ecution of each algorithm. Finally, we compute the X0 relevant if for these values of X and X0, there is mean value for each algorithm (we do not present the an ith decryption oracle query, and the correspond- corresponding standard deviations since they are very ing ciphertext passes steps D1 and D2 in CS1 scheme low). in (Cramer and Shoup, 2003). It will suffice to prove that conditioned on any Key Generation Algorithms: By studying the 0 fixed, relevant values of X and X , the probability that complexity of the key generation algorithm of Ta- (i) RFCS occurs is bounded by 1/q. The remainder of the ble 1, we notice that Fast CS and Efficient CS are the argument is exactly as in Lemma 10 in (Cramer and fastest in terms of number of operations. The differ- Shoup, 2003), except using X, X0, and the notion of ence lies in the multiplication where Fast CS has three relevant as defined here. of them while Efficient CS has none. One would ex-

769 SECRYPT 2021 - 18th International Conference on Security and Cryptography

Full Decryption algorithms Verification algorithms Actual Decryption computations ·10−2 ·10−2 ·10−2

8 Original Original Original Standard Standard Standard Efficient Efficient Efficient 6 Fast 4 Fast 2 Fast

4 2 1 Time in seconds Time in seconds 2 Time in seconds

0 0 0

29 210 211 212 29 210 211 212 29 210 211 212 Size parameter Size parameter Size parameter (a) Full decryption. (b) Verification phases. (c) Decryption phases. Figure 2: Average execution time for decryption algorithms.

Table 2: Comparison for key parameters. Decryption Algorithms: We observe in Figure 2a Public Key Parameters that the fastest is Fast Cramer-Shoup followed by Ef- Number of Original Standard Efficient Fast Elements 5 5 5 5 ficient CS which is not obvious when we are looking Secret Key Parameters at the number of total computations. Elements 6 5 4 4 Indeed there are two components in this algo- Table 3: Comparison for decryption algorithms. rithm, the verification phase and the actual decryp- Verification tion. The verification is used for checking the in- Number of Original Standard Efficient Fast Sum 2 2 1 1 tegrity of messages if the outputs are valid and the de- Multiplication 3 3 1 2 cryption computation is executed leading to retrieve Exponentiation 2 2 2 3 Decryption the plaintext. In Figure 2a, we observe that Fast Number of Original Standard Efficient Fast Cramer-Shoup has a faster execution time. For verifi- Inverse 2 1 1 0 Multiplication 2 1 1 1 cation phase, we observe in Figure 2b that the average Exponentiation 2 1 1 0 execution time of the Fast CS and Efficient CS proto- cols have the same average execution time. In both pect a longer execution time for Fast CS but this is cases the second verification is the same. The differ- not the case (Figure 1). It can be explained by the fact ence is then on the first verification. The Efficient CS w that the Fast CS key generation algorithm computes protocol uses one modular exponent, u1 = u2; while z w z an Euclidean division leading to kq = wt + z where k ours uses two modular exponents, βu2 = u1 u2 = 1. is generated in Zq. Hence its size is the same as q but t Despite the result given in Table 3, there is actually no √∗ is generated in Z q and its size is half of q. Since z is difference between those two computations in terms the remainder of the euclidean division, its order size of execution time since elements t and z of Fast CS is the same as t. Thus the cost for computing h = gz is have their size equal to half the size of w in the Ef- half of the cost for computing h = gz where z has an ficient CS. Hence, the overall execution time for the order size equal to the size of q. This gain seems to verification of our protocol Fast CS is the same as Ef- be compensated with the three additional multiplica- ficient CS protocol. For the decryption phase, it is tions. To conclude for key generation, the two fastest clear that Fast CS protocol is faster than Original for algorithms are Efficient CS and Fast CS, while the two decryption since the number of exponents is reduced. slowest are Original CS and Standard CS. Moreover, We can also say from Table 3 that Fast CS is faster the number of secret parameters are also in favour of than Standard CS and Efficient CS at decryption. We Efficient CS and Fast CS as depicted in Table 2. observe in Figure 2c that Standard CS and Efficient CS have the same execution time. This result is ex- pected since they both use the same computation with −z the same elements size, i.e., eu1 = m. The latter Encryption Algorithms: We can see that all computation uses one exponentiation and one inver- schemes have the same number of exponents, multi- sion to end with a multiplication. The Fast Cramer- plication and generation of random number in the en- Shoup decryption algorithm requires to recover m as cryption algorithm. Thus the average execution time follows βe = m where β has been computed in the ver- is the same. We observe empirically that timings are ification phase. Thus, the decryption consists of only equal for all protocols since the number of computa- one multiplication. The gain comes from the fact that tions are equals. In all protocols, the ciphertexts are we have one inverse less to compute, and also one mainly computed with parameters of the same order exponentiation less to compute. The gain of the over- size. We do not give the curve results since the aver- all execution time of decryption phase for our proto- age execution time is the same in all cases. col is more than 60%. Note that the curve related to

770 Fast Cramer-Shoup Cryptosystem

Fast Cramer-Shoup is not zero but since this curve is proofs and a paradigm for adaptive chosen ciphertext composed of only one multiplication, the comparison secure public-key encryption. In In L. Knudsen, ed- with a modular exponent, an inversion and a multipli- itor, Proceedings of Eurocrypt 2002, volume 2332 of cation, is in favor of the stand alone multiplication. LNCS, pages 45–64. Dolev, D., Dwork, C., and Naor, M. (1991). Non-malleable cryptography. In Proceedings of the Twenty-Third Annual ACM Symposium on Theory of Computing, 4 CONCLUSION STOC ’91, page 542–552, New York, NY, USA. As- sociation for Computing Machinery. We propose an IND-CCA2 Public Key cryptosystem Elgamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. In called Fast Cramer-Shoup. It is an improvement of CRYPTO, IT-31(4), volume 4, pages 469–472. Cramer-Shoup scheme. We prove the IND-CCA2 se- Fujisaki, E. and Okamoto, T. (1999). How to enhance the curity of this new scheme. We also implement in security of public-key encryption at minimum cost. In GMP (Granlund, 2020) our scheme to compare it to Public Key Cryptography, pages 53–68, Berlin, Hei- Cramer-Shoup schemes. In the future, we aim at ap- delberg. Springer Berlin Heidelberg. plying our technique to other schemes that are based Granlund, T. (2020). GNU MP: The GNU Multiple Preci- on Cramer-Shoup like for instance (Kurosawa and sion Arithmetic Library, 6.2.0 edition. Trieu Phong, 2014; Abdalla et al., 2015). Joux, A. and Guyen, K. (2006). Separating decision diffie- hellman to diffie-hellman in cryptographic groups. Kurosawa, K. and Trieu Phong, L. (2014). Kurosawa- desmedt key encapsulation mechanism, revisited. In REFERENCES Pointcheval, D. and Vergnaud, D., editors, Progress in Cryptology – AFRICACRYPT 2014, pages 51–68, Abdalla, M., Benhamouda, F., and Pointcheval, D. Cham. Springer International Publishing. (2015). Public-key encryption indistinguishable un- Naor, M. and Yung, M. (1989). Universal one-way hash der plaintext-checkable attacks. In Katz, J., editor, functions and their cryptographic applications. In In Public-Key Cryptography – PKC 2015, pages 332– 21st Annual ACM Symposium on Theory of Comput- 352, Berlin, Heidelberg. Springer Berlin Heidelberg. ing. Barthe, G., Gregoire,´ B., Lakhnech, Y., and Zanella Paillier, P. (May 1999). Public-key cryptosystems based on Beguelin,´ S. (2011). Beyond provable security. Verifi- composite degree residuosity classes. In In J. Stern, able IND-CCA security of OAEP. In Topics in Cryp- editor, Proceedings of Eurocrypt 1999, volume 1592 tology – CT-RSA 2011, volume 6558 of Lecture Notes of LNCS, pages 223–38. in Computer Science, pages 180–196. Springer. Phan, D. H. and Pointcheval, D. (2004). Oaep 3-round: A Bellare, M. and Rogaway, P. (1993). Random oracles are generic and secure asymmetric encryption padding. In practical: A paradigm for designing efficient proto- Advances in Cryptology - ASIACRYPT 2004, 10th In- cols. In Proceedings of the 1st ACM Conference on ternational Conference on the Theory and Application Computer and Communications Security, CCS ’93, of Cryptology and Information Security, Jeju Island, page 62–73, New York, NY, USA. Association for Korea, December 5-9, 2004, Proceedings, volume Computing Machinery. 3329 of Lecture Notes in Computer Science, pages Bellare, M. and Rogaway, P. (1994). Optimal asymmetric 63–77. Springer. encryption. In Santis, A. D., editor, Advances in Cryp- Pointcheval, D. (2011). OAEP: Optimal Asymmetric En- tology - EUROCRYPT ’94, Workshop on the Theory cryption Padding, pages 882–884. Springer US, and Application of Cryptographic Techniques, Peru- Boston, MA. gia, Italy, May 9-12, 1994, Proceedings, volume 950 Shoup, V. (2001). Oaep reconsidered. In Proceedings of Lecture Notes in Computer Science, pages 92–111. of the 21st Annual International Cryptology Confer- Springer. ence on Advances in Cryptology, CRYPTO ’01, page Boneh, D. (1998). The decision diffie-hellman problem. 239–259, Berlin, Heidelberg. Springer-Verlag. In In Proceedings of the Third Algorithmic Number Shoup, V. and Gennaro, R. (1998). Securing threshold cryp- Theory Symposium, volume 1423, pages 48–63. tosystems against chosen ciphertext attack. In In Ad- Cramer, R. and Shoup, V. (1998). A practical public key vances in Cryptology-Eurocrypt ’98. cryptosystem provably secure against adaptive chosen Sow, D. and Sow, D. (2011). A new variant of el gamal’s en- ciphertext attack. In Proc. of the 18th Annual Interna- cryption and signatures schemes. JP Journal of Alge- tional Cryptology Conference on Advances in Cryp- bra, Number Theory and Applications, 20(1):21–39. tology, crypto’98, pages 13–25. Cramer, R. and Shoup, V. (2003). Design and analy- sis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Jour- nal on Computing, 33(1):167–226. Cramer, R. and Shoup, V. (May 2002). Universal hash

771