The Cramer-Shoup Cryptosystem

Transcription

1 The Cramer-Shoup Cryptosystem Eileen Wagner October 22, / 28

2 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. [2] 2 / 28

3 Outline 1 Motivation What we ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 3 / 28

4 Outline 1 Motivation What we ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 4 / 28

5 What we ve seen so far Public-key encryption Diffie-Hellman key exchange wiki/file:diffie-hellman_ Key_Exchange.svg 5 / 28

6 What we ve seen so far ElGamal encryption Alice Gen: (q, g) G(1 n ) Bob G = g a group, G = q pk = (g, q, h) sk = x Z q (g r, h r m) h := g x for m G: get r Z q Enc pk (m) = (g r, h r m) Dec sk (c 1, c 2 ) = c 2 /c1 x Dec sk (c 1, c 2 ) = h r m/(g r ) x Dec sk (c 1, c 2 ) = m 6 / 28

7 What we ve seen so far Important results How secure are our schemes? 7 / 28

8 What we ve seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. 7 / 28

9 What we ve seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. Decisional Diffie-Hellman Problem Pr[A(G, q, g, g x, g y, g z ) = 1] Pr[A(G, q, g, g x, g y, g xy ) = 1] negl(n) 7 / 28

10 Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. 8 / 28

11 Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. For example, in ElGamal, given (c 1, c 2 ) an adversary can query (c 1, t c 2 ), which is a valid decryption for tm. 8 / 28

12 Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. 9 / 28

13 Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. CCA2-security is equivalent to non-malleability [1] 9 / 28

14 Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack. 9 / 28

15 Stronger notions of security Recall: OAEP for RSA Optimal asymmetric encryption padding wiki/file: Oaep-diagram png 10 / 28

16 Outline 1 Motivation What we ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 11 / 28

17 ElGamal encryption Alice Gen: (q, g) G(1 n ) Bob G = g a group, G = q pk = (g, q, h) sk = x Z q (g r, h r m) h := g x for m G: get r Z q Enc pk (m) = (g r, h r m) Dec sk (c 1, c 2 ) = c 2 /c1 x Dec sk (c 1, c 2 ) = h r m/(g r ) x Dec sk (c 1, c 2 ) = m 12 / 28

18 Cramer-Shoup Cramer-Shoup encryption Alice Gen: (q, g 1, g 2 ) G(1 n ) Bob sk = (x 1, x 2, y 1, y 2, z) Z q c := g x1 h := g z 1 1 g x2 2 y1, d := g1 g y2 2 for m G: get r Z q pk = (g 1, g 2, c, d, h, H) (u 1, u 2, e, v) α := H(u 1, u 2, e) u x1+y1α 1 u x2+y2α 2 { verified, = abort, v otherwise u 1 := g r 1, u 2 := g r 2, e := hr m α := H(u 1, u 2, e), v := c r d rα Enc pk (m) = (u 1, u 2, e, v) Dec sk (u 1, u 2, e, v) = e/u z 1 13 / 28

19 Cramer-Shoup Cramer-Shoup encryption Correctness: 1 u x 1+y 1 α 1 u x 2+y 2 α 2 = u x 1 2 = g rx 1 2 )rα = c r d rα = v (g x 1 1 g x 2 2 )r (g y 1 1 g y 2 1 ux 2 2 uy 1α 1 u y 2α 1 g rx 2 2 g ry 1α 1 g ry 2α 2 = 14 / 28

20 Cramer-Shoup Cramer-Shoup encryption Correctness: 1 u x 1+y 1 α 1 u x 2+y 2 α 2 = u x 1 2 = g rx 1 2 )rα = c r d rα = v (g x 1 1 g x 2 2 )r (g y 1 1 g y 2 1 ux 2 2 uy 1α 1 u y 2α 1 g rx 2 2 g ry 1α 1 g ry 2α 2 = 2 Since u z 1 = hr, Dec sk (u 1, u 2, e, v) = e/u z 1 = e/hr = m 14 / 28

21 Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. 15 / 28

22 Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem. 15 / 28

23 Proof of Security Proof of Security S (g 1, g 2, u 1, u 2 ) D or R (x 1, x 2, y 1, y 2, z 1, z 2 ) Z q c := g x1 1 g x2 2 b {0, 1}, d := g y1 1 g y2 2 v = u x1+y1α 1 u x2+y2α 2 { 1, b = b output = 0, b b z1, h := g1 g z2 2 e := u z1 1 uz2 2 m b, α := H(u 1, u 2, e) m 0, m 1 G A c = (u 1, u 2, e, v) Dec sk (c ) = e/u z1 1 uz2 2 = m b { output b, D, R 16 / 28

24 Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle 17 / 28

25 Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption 17 / 28

26 Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash) 17 / 28

27 Features Computation The ciphertext is about four times plaintext (not a big deal in most applications) and takes about twice as much computation as ElGamal. 18 / 28

28 Features Cramer-Shoup encryption Alice Gen: (q, g 1, g 2 ) G(1 n ) Bob sk = (x 1, x 2, y 1, y 2, z) Z q c := g x1 h := g z 1 1 g x2 2 y1, d := g1 g y2 2 for m G: get r Z q pk = (g 1, g 2, c, d, h, H) (u 1, u 2, e, v) α := H(u 1, u 2, e) u x1+y1α 1 u x2+y2α 2 { verified, = abort, v otherwise u 1 := g r 1, u 2 := g r 2, e := hr m α := H(u 1, u 2, e), v := c r d rα Enc pk (m) = (u 1, u 2, e, v) Dec sk (u 1, u 2, e, v) = e/u z 1 19 / 28

29 Outline 1 Motivation What we ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 20 / 28

30 Motivation The Encryption Scheme History & Implementation Conclusion People Ronald Cramer 1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science 21 / 28

31 Motivation The Encryption Scheme History & Implementation Conclusion People Ronald Cramer 1968*, Dutch Professor at the Centrum Wiskunde & Informatica (CWI) in Amsterdam and the University of Leiden ETH Zurich, Institute for Theoretical Computer Science hangs around in bars 21 / 28

32 People Victor Shoup born?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory 22 / 28

33 People Victor Shoup born?, USA Professor at the Courant Institute of Mathematical Sciences (NYU) IBM Zurich Research Laboratory on RateMyProfessors, he has an average rating of 1.4/5 22 / 28

34 Implementation Schneier on Cramer-Shoup If, in a few years, Cramer-Shoup still looks secure, cryptographers may look at using it instead of other defenses they are already using. But since IBM is going to patent Cramer-Shoup, probably not. [3] 23 / 28

35 Outline 1 Motivation What we ve seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 24 / 28

36 Summary 25 / 28

37 Summary The Cramer-Shoup system is an asymmetric key encryption algorithm based on the ElGamal scheme First efficient scheme proven to be secure against adaptive chosen ciphertext attacks 26 / 28

38 thank you! 27 / 28

39 References Mihir Bellare and Amit Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In Advances in cryptology CRYPTO 99, pages Springer, Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology CRYPTO 98, pages Springer, Bruce Schneier. Cramer-Shoup cryptosystem. Crypto-Gram Newsletter, / 28