Fast Cramer-Shoup Cryptosystem

Pascal Lafourcade^1 (a), Léo Robert^1 (b) and Demba Sow^2 (c)

1 Université Clermont Auvergne, LIMOS CNRS (UMR 6158), Campus des Cézeaux, Aubière, France
2 LACGAA, Université Cheikh Anta Diop de Dakar, Senegal

(a) https://orcid.org/0000-0002-4459-511X
(b) https://orcid.org/0000-0002-9638-3143
(c) https://orcid.org/0000-0002-1917-2051

Keywords: Public Key Encryption, Cramer-Shoup, IND-CCA2.

Abstract: Cramer-Shoup was the first practical adaptive CCA-secure public key encryption scheme. We propose a faster version of this encryption scheme, called Fast Cramer-Shoup. We show empirically and theoretically that our scheme is faster than the three versions proposed by Cramer and Shoup in 1998. We observe an average gain of 60% for the decryption algorithm. We prove the IND-CCA2 security of our scheme. The proof relies only on intractability assumptions such as DDH.

1 INTRODUCTION

Provable security is an important issue in modern cryptography. It allows us to formally prove the security of encryption schemes by reduction to difficult problems such as the discrete logarithm problem (DL), the Computational Diffie-Hellman problem (CDH), the Decision Diffie-Hellman problem (DDH) (Boneh, 1998; Joux and Guyen, 2006) or the quadratic residuosity problem. For instance, the DDH problem is used to prove the IND-CPA security of the ElGamal encryption scheme (Elgamal, 1985). In order to have security against adaptive chosen ciphertext attacks (IND-CCA2), a notion introduced in 1991 by Dolev et al. (Dolev et al., 1991), Cramer and Shoup proposed in 1998 an encryption scheme (Cramer and Shoup, 1998) that has a verification mechanism in the decryption algorithm to avoid malleability of the ciphertext and also uses one hash function.

Fujisaki and Okamoto in (Fujisaki and Okamoto, 1999) proposed a generic conversion from any IND-CPA cryptosystem into an IND-CCA2 one, in the random oracle model (ROM) (Bellare and Rogaway, 1993). However, the design of an IND-CCA2 encryption scheme is not easy, as the story of Optimal Asymmetric Encryption Padding (OAEP) (Bellare and Rogaway, 1994; Pointcheval, 2011) shows. After a first try by Bellare and Rogaway (Bellare and Rogaway, 1994) in 1995, V. Shoup found a problem in (Shoup, 2001), which was fixed in (Phan and Pointcheval, 2004; Pointcheval, 2011). Finally, to conclude the story of OAEP, a computer-verified proof was given in (Barthe et al., 2011).

Our goal is to design a faster version of the Cramer-Shoup scheme. For this, we use the approach proposed in (Sow and Sow, 2011) to improve the decryption algorithm of ElGamal (Elgamal, 1985).

Contributions: Our main aim is to improve the efficiency of the Cramer-Shoup public key scheme:
1. We design a public key cryptosystem, called Fast Cramer-Shoup, based on the Generalized ElGamal encryption scheme (Sow and Sow, 2011).
2. We implemented all these schemes with GMP (Granlund, 2020) to demonstrate that Fast Cramer-Shoup is the fastest one, with a gain of 60% for the decryption algorithm.
3. We prove its security against the adaptive chosen ciphertext attack (IND-CCA2) under the DDH assumption.

Related Works: Shoup and Gennaro (Shoup and Gennaro, 1998) give two ElGamal-like practical threshold cryptosystems that are secure against adaptive chosen ciphertext attack in the random oracle model. They use $H(h^r) \oplus m$ to encrypt the message $m$; unfortunately, the trick of Sow et al. (Sow and Sow, 2011) cannot be applied in this case. In (Cramer and Shoup, 2002), the authors proposed a construction based on an algebraic primitive called universal hash proof systems. They showed that this framework yields not only the original DDH-based Cramer-Shoup scheme but also encryption schemes based on quadratic residuosity and on Paillier's assumption (Paillier, 1999). In 2011, a modified variant of ElGamal's encryption scheme was presented (Sow and Sow, 2011), called the Generalized ElGamal encryption scheme. This version is faster than ElGamal: the encryption algorithm is the same as ElGamal's encryption mechanism, the key generation algorithm is slower, but the decryption process is faster. We adapt this idea to improve Cramer and Shoup's encryption scheme.

Outline: In Section 2, we propose our public key cryptosystem, called Fast Cramer-Shoup. In Section 3, we present the results of our empirical performance comparison and our complexity analysis of the key generation, encryption and decryption algorithms for all versions of Cramer-Shoup.

Lafourcade, P., Robert, L. and Sow, D. Fast Cramer-Shoup Cryptosystem. DOI: 10.5220/0010580607660771. In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 766-771. ISBN: 978-989-758-524-1. Copyright © 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.

2 FAST CRAMER-SHOUP'S ENCRYPTION SCHEME

We present our Fast Cramer-Shoup scheme and prove that it is IND-CCA2 secure. Let us recall some notions and definitions: the set of non-negative integers $\mathbb{Z}_{\geq 0}$, a security parameter $\lambda$, a group description $\Gamma$, a computational group scheme $\mathcal{G}$, a probability distribution of group descriptions $S_\lambda$, hash functions (HF), the target collision resistant (TCR) assumption for hash functions (HF), and some random variables such as Coins used in the following are defined in (Cramer and Shoup, 2003) (see also (Naor and Yung, 1989)).

Fast Key Generation Algorithm:
G1: On input $1^\lambda$ for $\lambda \in \mathbb{Z}_{\geq 0}$, select a group $\hat{G}$, along with a prime-order subgroup $G$, and choose a generator $g_2 \in G$ of order $q$.
G2: Pick random elements $x, y, k, t \in \mathbb{Z}_q$ with $\log_2(t) = \log_2(q)/2$, compute $w', z \in \mathbb{Z}_q$ such that $kq = tw' + z$, and then compute $w \equiv w' \pmod q$.
G3: Compute $g_1 = g_2^{w}$, $c = g_2^{wx}$, $d = g_2^{wy}$ and $h = g_2^{z}$.
G4: Choose a hash function $H \leftarrow_R \mathrm{HF}$.
G5: Return $(pk, sk)$, where $pk = (\Gamma, H, g_1, c, d, h)$ and $sk = (\Gamma, H, t, x, y, z)$.

Fast Encryption Algorithm:
E1: Choose a random element $r \in \mathbb{Z}_q$ and compute:
E2: $u_1 = g_1^{r}$; E3: $u_2 = g_2^{r}$; E4: $u_3 = h^{r}$; E5: $e = u_3 m$;
E6: $\alpha = H(u_1, u_2, e)$;
E7: $v = c^{r} d^{r\alpha}$, and output $\psi = (u_1, u_2, e, v)$.

Fast Decryption Algorithm:
D1: Parse $\psi$ as $(u_1, u_2, e, v) \in \hat{G}^4$; output reject if $\psi$ is not of this form.
D2: Test if $u_1$ and $u_2$ belong to $G$; reject otherwise.
D3: Compute $\alpha = H(u_1, u_2, e)$.
D4: Test if $u_1^{t} u_2^{z} = 1$ and $v = u_1^{x + y\alpha}$; otherwise reject.
D5: Compute $b = u_1^{t}$.
D6: Output $m = b e$.

Correctness:
Verification: We have $b u_2^{z} = u_1^{t} u_2^{z} = (g_1^{r})^{t} g_2^{rz} = (g_2^{wr})^{t} g_2^{rz} = g_2^{r(tw + z)} = g_2^{rkq} = 1$, since the order of $g_2$ is $q$, and $u_1^{x + y\alpha} = (g_1^{r})^{x + y\alpha} = (g_2^{wr})^{x + y\alpha} = (g_2^{wx})^{r} (g_2^{wy})^{r\alpha} = c^{r} d^{r\alpha} = v$.
Decryption: The decrypted message is $b e = u_1^{t} e = g_2^{wrt} g_2^{zr} m = g_2^{r(tw + z)} m = g_2^{rkq} m = m$, since the order of $g_2$ is $q$.

2.1 Security Proof of Fast Cramer-Shoup Scheme

As in the proof for CS1 in (Cramer and Shoup, 2003), to prove that Fast Cramer-Shoup (FCS) is secure against adaptive chosen ciphertext attack if the DDH assumption holds for $\mathcal{G}$ and the TCR assumption holds for HF, we need some notions. Suppose PKE is a public-key encryption scheme that uses a group scheme in the following natural way: on input $1^\lambda$, the key generation algorithm runs the sampling algorithm of the group scheme on input $1^\lambda$, yielding a group description $\Gamma$. For a given probabilistic, polynomial-time oracle query machine $A$, $\lambda \in \mathbb{Z}_{\geq 0}$, and group description $\Gamma$, let us define $\mathrm{AdvCCA}_{\mathrm{PKE},A}(\lambda \mid \Gamma)$ to be $A$'s advantage in an adaptive chosen ciphertext attack where the key generation algorithm uses the given value of $\Gamma$ instead of running the sampling algorithm of the group scheme. For all probabilistic, polynomial-time oracle query machines $A$, for all $\lambda \in \mathbb{Z}_{\geq 0}$, let $Q_A(\lambda)$ be an upper bound on the number of decryption oracle queries made by $A$ on input $1^\lambda$. We assume that $Q_A(\lambda)$ is a strict bound in the sense that it holds regardless of the probabilistic choices of $A$, and regardless of the responses to its oracle queries from its environment.

Theorem 2.1. Fast Cramer-Shoup is secure against adaptive chosen ciphertext attack if:
1. the DDH assumption holds for $\mathcal{G}$;
2. and the target collision resistance (TCR) assumption holds for HF.
In particular, for all probabilistic, polynomial-time oracle query machines $A$, for all $\lambda \in \mathbb{Z}_{\geq 0}$, and all $\Gamma[\hat{G}, G, g_2, q] \in [S_\lambda]$, we have
$$\mathrm{AdvCCA}_{\mathrm{FCS},A}(\lambda \mid \Gamma) - \mathrm{AdvCCA}_{\mathrm{CS1},A}(\lambda \mid \Gamma) \leq Q_A(\lambda)/q.$$

Description of Games: Suppose that $pk = (\Gamma, H, g_1, c, d, h)$ and $sk = (\Gamma, H, t, x, y, z)$. Let $w = \log_{g_2} g_1$, and define $x, y, z \in \mathbb{Z}_q$ as follows: $x = x_1 + x_2 w$, $y = y_1 + y_2 w$ and $z = z_1 + z_2 w$. We have $x = \log_{g_2^{w}} c$, $y = \log_{g_2^{w}} d$, and $z = \log_{g_2} h$.

G4: We replace step E5 by E5': $r' \leftarrow_R \mathbb{Z}_q$; $e \leftarrow g^{r'}$, so $\Pr[T_4] = 1/2$, since in game G4 the variable $s$ is never used. Define the event $R_4$ to be the event in game G4 analogous to the event $R_3$ in game G3; that
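The following is an added toy instantiation of the Fast Cramer-Shoup algorithms above (example code, not the authors' GMP implementation) over the order-q subgroup of Z_p^* with a constructed safe prime p = 2q + 1; it checks the correctness argument (u1^t u2^z = 1, v = u1^(x+yα), m = b·e) and shows the D4 check rejecting a malleated ciphertext. The parameter sizes and the SHA-256 instantiation of H are assumptions for illustration only.

```python
# Added example (not the paper's code): toy Fast Cramer-Shoup over the order-q
# subgroup of Z_p^*, p = 2q + 1. Parameters are constructed and toy-sized.
import hashlib
import secrets

P, Q = 1019, 509   # constructed safe prime p = 2q + 1, q prime
G2 = 4             # 2^2 is a quadratic residue != 1, so it generates the order-q subgroup

def in_group(u):   # membership test for the subgroup G of order q (step D2)
    return 0 < u < P and pow(u, Q, P) == 1

def hash_alpha(u1, u2, e):   # H: (u1, u2, e) -> Z_q, instantiated here with SHA-256
    return int.from_bytes(hashlib.sha256(f"{u1}|{u2}|{e}".encode()).digest(), "big") % Q

def keygen():
    half = Q.bit_length() // 2
    while True:
        x, y = secrets.randbelow(Q), secrets.randbelow(Q)
        k = secrets.randbelow(Q - 1) + 1
        t = (1 << (half - 1)) | secrets.randbits(half - 1)   # log2(t) = log2(q)/2
        w_prime, z = divmod(k * Q, t)                         # k*q = t*w' + z
        w = w_prime % Q                                       # w = w' mod q
        if w and z:                                           # keep g1 != 1 and h != 1
            break
    g1, c, d, h = pow(G2, w, P), pow(G2, w * x, P), pow(G2, w * y, P), pow(G2, z, P)
    return (g1, c, d, h), (t, x, y, z)

def encrypt(pk, m):          # m must be an element of G
    g1, c, d, h = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2, u3 = pow(g1, r, P), pow(G2, r, P), pow(h, r, P)
    e = u3 * m % P
    alpha = hash_alpha(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha, P) % P
    return (u1, u2, e, v)

def decrypt(sk, ct):
    t, x, y, z = sk
    u1, u2, e, v = ct
    if not (in_group(u1) and in_group(u2)):
        return None                                     # D2: reject
    alpha = hash_alpha(u1, u2, e)
    if pow(u1, t, P) * pow(u2, z, P) % P != 1 or v != pow(u1, x + y * alpha, P):
        return None                                     # D4: reject
    b = pow(u1, t, P)                                   # D5: half-size exponent t
    return b * e % P                                    # D6: m = b*e, since u1^t * h^r = 1

def roundtrip(m):
    # Returns (decryption of a valid ciphertext, decryption of a malleated one).
    pk, sk = keygen()
    ct = encrypt(pk, m)
    malleated = (ct[0], ct[1] * G2 % P, ct[2], ct[3])   # u2 altered: u1^t u2^z != 1
    return decrypt(sk, ct), decrypt(sk, malleated)
```

The altered ciphertext still passes the group-membership test in D2, so it is the u1^t u2^z = 1 check in D4 that catches it.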
