Motivation The Encryption Scheme History & Implementation Conclusion The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 Motivation The Encryption Scheme History & Implementation Conclusion The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. [2] 2 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 3 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 4 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Public-key encryption Diffie-Hellman key exchange http://en.wikipedia.org/ wiki/File:Diffie-Hellman_ Key_Exchange.svg 5 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far ElGamal encryption ' Alice $ n Gen: (q; g) G(1 ) ' Bob $ x G = hgi a group, jGj = q Decsk (c1; c2) = c2=c1 pk = (g; q; h) - r r x sk = x Zq Decsk (c1; c2)= h m=(g ) (g r ; hr m) x h := g Decsk (c1; c2)= m for m 2 G: get r Zq r r Encpk (m) = (g ; h m) & % & % 6 / 28 If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? 7 / 28 Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. 7 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) 7 / 28 For example, in ElGamal, given (c1; c2) an adversary can query (c1; t · c2), which is a valid decryption for tm. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. 8 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. For example, in ElGamal, given (c1; c2) an adversary can query (c1; t · c2), which is a valid decryption for tm. 8 / 28 ! CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. 9 / 28 A CCA1-attack is also called a lunchtime attack. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. ! CCA2-security is equivalent to non-malleability [1] 9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. ! CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack. 9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security Recall: OAEP for RSA Optimal asymmetric encryption padding http://en.wikipedia.org/ wiki/File: Oaep-diagram-20080305.png 10 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 11 / 28 Motivation The Encryption Scheme History & Implementation Conclusion ElGamal encryption ' Alice $ n Gen: (q; g) G(1 ) ' Bob $ x G = hgi a group, jGj = q Decsk (c1; c2) = c2=c1 pk = (g; q; h) - r r x sk = x Zq Decsk (c1; c2)= h m=(g ) (g r ; hr m) x h := g Decsk (c1; c2)= m for m 2 G: get r Zq r r Encpk (m) = (g ; h m) & % & % 12 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption ' Alice $ n Gen: (q; g1; g2) G(1 ) ' Bob $ sk =( x1; x2; y1; y2; z) Zq pk = (g1; g2; α := H(u1; u2; e) c; d; h; H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 ; d := g1 g2 u1 u2 (u1; u2; e; v) z ( h := g1 verified; v = for m 2 G: get r Zq abort; otherwise r r r u1 := g1 ; u2 := g2 ; e := h m z Decsk (u1; u2; e; v) = e=u r rα 1 α := H(u1; u2; e); v := c d Encpk (m) = (u1; u2; e; v) & % 13 / 28 & % z r z r 2 Since u1 = h , Decsk (u1; u2; e; v) = e=u1 = e=h = m Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v 14 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v z r z r 2 Since u1 = h , Decsk (u1; u2; e; v) = e=u1 = e=h = m 14 / 28 Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem. Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. 15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem. 15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Proof of Security 'S $ (g ; g ; u ; u ) D or R 'A $ 1 2 1-2 (x1; x2; y1; y2; z1; z2) Zq m0; m1 2 G x1 x2 y1 y2 z1 z2 z1 z2 c := g1 g2 ; d := g1 g2 ; h := g1 g2 Decsk (c∗) = e=u1 u2 = mb0 b f0; 1g c∗ = (u1-; u2; e; v) e := uz1 uz2 m ; α := H(u ; u ; e) 1 2 b 1 2 ( x1+y1α x2+y2α output b'; D v = u1 u2 ( ?; R 1; b = b0 output = 0; b 6= b0 & % & 16 / 28% Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash) Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle 17 / 28 Intractability assumptions are minimal (only DDH & hash) Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption 17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash) 17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Features Computation The ciphertext is about four times plaintext (not a big deal in most applications) and takes about twice as much computation as ElGamal.