The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The...
Transcript of The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The...
![Page 1: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/1.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
The Cramer-Shoup Cryptosystem
Eileen Wagner
October 22, 2014
1 / 28
![Page 2: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/2.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
The Cramer-Shoup system is an asymmetric key encryptionalgorithm, and was the first efficient scheme proven to be secureagainst adaptive chosen ciphertext attack using standardcryptographic assumptions. [2]
2 / 28
![Page 3: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/3.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 MotivationWhat we’ve seen so farStronger notions of security
2 The Encryption SchemeCramer-ShoupProof of SecurityFeatures
3 History & ImplementationPeopleImplementation
4 Conclusion
3 / 28
![Page 4: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/4.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 MotivationWhat we’ve seen so farStronger notions of security
2 The Encryption SchemeCramer-ShoupProof of SecurityFeatures
3 History & ImplementationPeopleImplementation
4 Conclusion
4 / 28
![Page 5: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/5.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far
Public-key encryption
Diffie-Hellmankey exchange
http://en.wikipedia.org/
wiki/File:Diffie-Hellman_
Key_Exchange.svg
5 / 28
![Page 6: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/6.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far
ElGamal encryption
Alice
'
&
$
%
Gen: (q, g)← G(1n)
G = 〈g〉 a group, |G | = q
sk = x ← Zq
pk = (g , q, h)
(g r , hrm)
-
h := g x
for m ∈ G : get r ← Zq
Encpk(m) = (g r , hrm)
Bob
'
&
$
%
Decsk(c1, c2) = c2/cx1
Decsk(c1, c2) = hrm/(g r )x
Decsk(c1, c2) = m
6 / 28
![Page 7: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/7.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far
Important results
How secure are our schemes?
If the Decisional Diffie-Hellman problem is hard, then ElGamalis CPA-secure.
If the RSA-assumption holds, then padded RSA is CCA-secure.
Decisional Diffie-Hellman Problem
|Pr[A(G , q, g , g x , g y , g z) = 1]−Pr[A(G , q, g , g x , g y , g xy ) = 1]| ≤ negl(n)
7 / 28
![Page 8: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/8.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far
Important results
How secure are our schemes?
If the Decisional Diffie-Hellman problem is hard, then ElGamalis CPA-secure.
If the RSA-assumption holds, then padded RSA is CCA-secure.
Decisional Diffie-Hellman Problem
|Pr[A(G , q, g , g x , g y , g z) = 1]−Pr[A(G , q, g , g x , g y , g xy ) = 1]| ≤ negl(n)
7 / 28
![Page 9: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/9.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
What we’ve seen so far
Important results
How secure are our schemes?
If the Decisional Diffie-Hellman problem is hard, then ElGamalis CPA-secure.
If the RSA-assumption holds, then padded RSA is CCA-secure.
Decisional Diffie-Hellman Problem
|Pr[A(G , q, g , g x , g y , g z) = 1]−Pr[A(G , q, g , g x , g y , g xy ) = 1]| ≤ negl(n)
7 / 28
![Page 10: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/10.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
CCA1 vs. CCA2
Malleability
An encryption algorithm is malleable if it is possible for anadversary to transform a ciphertext into another ciphertext whichdecrypts to a related plaintext.
For example, in ElGamal, given (c1, c2) an adversary can query(c1, t · c2), which is a valid decryption for tm.
8 / 28
![Page 11: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/11.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
CCA1 vs. CCA2
Malleability
An encryption algorithm is malleable if it is possible for anadversary to transform a ciphertext into another ciphertext whichdecrypts to a related plaintext.
For example, in ElGamal, given (c1, c2) an adversary can query(c1, t · c2), which is a valid decryption for tm.
8 / 28
![Page 12: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/12.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
CCA1 vs. CCA2
Adaptive chosen ciphertext attacks
An interactive chosen-ciphertext attack in which the adversarysends a number of ciphertexts to be decrypted, then uses theresults of these decryptions to select subsequent ciphertexts.
→ CCA2-security is equivalent to non-malleability [1]A CCA1-attack is also called a lunchtime attack.
9 / 28
![Page 13: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/13.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
CCA1 vs. CCA2
Adaptive chosen ciphertext attacks
An interactive chosen-ciphertext attack in which the adversarysends a number of ciphertexts to be decrypted, then uses theresults of these decryptions to select subsequent ciphertexts.
→ CCA2-security is equivalent to non-malleability [1]
A CCA1-attack is also called a lunchtime attack.
9 / 28
![Page 14: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/14.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
CCA1 vs. CCA2
Adaptive chosen ciphertext attacks
An interactive chosen-ciphertext attack in which the adversarysends a number of ciphertexts to be decrypted, then uses theresults of these decryptions to select subsequent ciphertexts.
→ CCA2-security is equivalent to non-malleability [1]A CCA1-attack is also called a lunchtime attack.
9 / 28
![Page 15: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/15.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Stronger notions of security
Recall: OAEP for RSA
Optimal asymmetricencryption padding
http://en.wikipedia.org/
wiki/File:
Oaep-diagram-20080305.png
10 / 28
![Page 16: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/16.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 MotivationWhat we’ve seen so farStronger notions of security
2 The Encryption SchemeCramer-ShoupProof of SecurityFeatures
3 History & ImplementationPeopleImplementation
4 Conclusion
11 / 28
![Page 17: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/17.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
ElGamal encryption
Alice
'
&
$
%
Gen: (q, g)← G(1n)
G = 〈g〉 a group, |G | = q
sk = x ← Zq
pk = (g , q, h)
(g r , hrm)
-
h := g x
for m ∈ G : get r ← Zq
Encpk(m) = (g r , hrm)
Bob
'
&
$
%
Decsk(c1, c2) = c2/cx1
Decsk(c1, c2) = hrm/(g r )x
Decsk(c1, c2) = m
12 / 28
![Page 18: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/18.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup
Cramer-Shoup encryption
Alice
'
&
$
%
Gen: (q, g1, g2)← G(1n)
sk = (x1, x2, y1, y2, z)← Zq
c := g x11 g x2
2 , d := g y11 g y2
2
h := g z1
pk = (g1, g2,c , d , h,H)
(u1, u2, e, v)
-
for m ∈ G : get r ← Zq
u1 := g r1 , u2 := g r
2 , e := hrm
α := H(u1, u2, e), v := c rd rα
Encpk(m) = (u1, u2, e, v)
Bob
'
&
$
%
α := H(u1, u2, e)
ux1+y1α1 ux2+y2α
2
=
{verified, v
abort, otherwise
Decsk(u1, u2, e, v) = e/uz1
13 / 28
![Page 19: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/19.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup
Cramer-Shoup encryption
Correctness:
1 ux1+y1α1 ux2+y2α
2 = ux11 ux22 uy1α1 uy2α2 = g rx11 g rx2
2 g ry1α1 g ry2α
2 =(g x1
1 g x22 )r (g y1
1 g y22 )rα = c rd rα = v
2 Since uz1 = hr , Decsk(u1, u2, e, v) = e/uz1 = e/hr = m
14 / 28
![Page 20: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/20.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Cramer-Shoup
Cramer-Shoup encryption
Correctness:
1 ux1+y1α1 ux2+y2α
2 = ux11 ux22 uy1α1 uy2α2 = g rx11 g rx2
2 g ry1α1 g ry2α
2 =(g x1
1 g x22 )r (g y1
1 g y22 )rα = c rd rα = v
2 Since uz1 = hr , Decsk(u1, u2, e, v) = e/uz1 = e/hr = m
14 / 28
![Page 21: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/21.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security
Theorem
Cramer-Shoup is CCA2-secure
The Cramer-Shoup cryptosystem is CCA2-secure assuming that(1) we have a universal one-way hash function H, and(2) the Decisional Diffie-Hellman Problem is hard in the group G .
Proof by reduction: Assuming that there is an adversary that canbreak the cryptosystem, and that the hash family is universalone-way, we can use this adversary to solve the DecisionalDiffie-Hellman Problem.
15 / 28
![Page 22: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/22.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security
Theorem
Cramer-Shoup is CCA2-secure
The Cramer-Shoup cryptosystem is CCA2-secure assuming that(1) we have a universal one-way hash function H, and(2) the Decisional Diffie-Hellman Problem is hard in the group G .
Proof by reduction: Assuming that there is an adversary that canbreak the cryptosystem, and that the hash family is universalone-way, we can use this adversary to solve the DecisionalDiffie-Hellman Problem.
15 / 28
![Page 23: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/23.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Proof of Security
Proof of Security
S'
&
$
%
(g1, g2, u1, u2)← D or R
(x1, x2, y1, y2, z1, z2)← Zq
c := g x11 g x2
2 , d := g y11 g y2
2 , h := g z11 g z2
2
-
�
�m0,m1 ∈ G
-c∗ = (u1, u2, e, v)
output =
{1, b = b′
0, b 6= b′
b ← {0, 1}
e := uz11 uz22 mb, α := H(u1, u2, e)
v = ux1+y1α1 ux2+y2α
2
A
'
&
$
%
Decsk(c∗) = e/uz11 uz22 = mb′
{output b’, D
⊥, R
16 / 28
![Page 24: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/24.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Features
Comparison
One of the few CCA2-secure cryptosystems that do notrequire zero-knowledge proofs or the random oracle
Computationally efficient, esp. when using hybrid encryption
Intractability assumptions are minimal (only DDH & hash)
17 / 28
![Page 25: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/25.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Features
Comparison
One of the few CCA2-secure cryptosystems that do notrequire zero-knowledge proofs or the random oracle
Computationally efficient, esp. when using hybrid encryption
Intractability assumptions are minimal (only DDH & hash)
17 / 28
![Page 26: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/26.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Features
Comparison
One of the few CCA2-secure cryptosystems that do notrequire zero-knowledge proofs or the random oracle
Computationally efficient, esp. when using hybrid encryption
Intractability assumptions are minimal (only DDH & hash)
17 / 28
![Page 27: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/27.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Features
Computation
The ciphertext is about four times plaintext (not a big deal in mostapplications) and takes about twice as much computation asElGamal.
18 / 28
![Page 28: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/28.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Features
Cramer-Shoup encryption
Alice
'
&
$
%
Gen: (q, g1, g2)← G(1n)
sk = (x1, x2, y1, y2, z)← Zq
c := g x11 g x2
2 , d := g y11 g y2
2
h := g z1
pk = (g1, g2,c , d , h,H)
(u1, u2, e, v)
-
for m ∈ G : get r ← Zq
u1 := g r1 , u2 := g r
2 , e := hrm
α := H(u1, u2, e), v := c rd rα
Encpk(m) = (u1, u2, e, v)
Bob
'
&
$
%
α := H(u1, u2, e)
ux1+y1α1 ux2+y2α
2
=
{verified, v
abort, otherwise
Decsk(u1, u2, e, v) = e/uz1
19 / 28
![Page 29: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/29.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 MotivationWhat we’ve seen so farStronger notions of security
2 The Encryption SchemeCramer-ShoupProof of SecurityFeatures
3 History & ImplementationPeopleImplementation
4 Conclusion
20 / 28
![Page 30: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/30.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
People
Ronald Cramer
1968*, DutchProfessor at the Centrum Wiskunde & Informatica (CWI) inAmsterdam and the University of LeidenETH Zurich, Institute for Theoretical Computer Science
hangs around in bars
21 / 28
![Page 31: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/31.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
People
Ronald Cramer
1968*, DutchProfessor at the Centrum Wiskunde & Informatica (CWI) inAmsterdam and the University of LeidenETH Zurich, Institute for Theoretical Computer Sciencehangs around in bars
21 / 28
![Page 32: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/32.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
People
Victor Shoup
born ?, USAProfessor at the Courant Institute of Mathematical Sciences (NYU)IBM Zurich Research Laboratory
on RateMyProfessors, he has an average rating of 1.4/5
22 / 28
![Page 33: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/33.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
People
Victor Shoup
born ?, USAProfessor at the Courant Institute of Mathematical Sciences (NYU)IBM Zurich Research Laboratoryon RateMyProfessors, he has an average rating of 1.4/5
22 / 28
![Page 34: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/34.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Implementation
Schneier on Cramer-Shoup
“If, in a few years, Cramer-Shoup still looks secure,cryptographers may look at using it instead of otherdefenses they are already using. But since IBM is goingto patent Cramer-Shoup, probably not.” [3]
23 / 28
![Page 35: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/35.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Outline
1 MotivationWhat we’ve seen so farStronger notions of security
2 The Encryption SchemeCramer-ShoupProof of SecurityFeatures
3 History & ImplementationPeopleImplementation
4 Conclusion
24 / 28
![Page 36: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/36.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Summary
25 / 28
![Page 37: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/37.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
Summary
The Cramer-Shoup system is an asymmetric key encryptionalgorithm based on the ElGamal scheme
First efficient scheme proven to be secure against adaptivechosen ciphertext attacks
26 / 28
![Page 38: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/38.jpg)
Motivation The Encryption Scheme History & Implementation Conclusion
thank you!
27 / 28
![Page 39: The Cramer-Shoup Cryptosystem€¦ · Eileen Wagner October 22, 2014 1/28. Motivation The Encryption Scheme History & ImplementationConclusion The Cramer-Shoup system is an asymmetric](https://reader035.fdocuments.in/reader035/viewer/2022081407/60529f16c037df755718337c/html5/thumbnails/39.jpg)
References
Mihir Bellare and Amit Sahai.Non-malleable encryption: Equivalence between two notions,and an indistinguishability-based characterization.In Advances in cryptology—CRYPTO’99, pages 519–536.Springer, 1999.
Ronald Cramer and Victor Shoup.A practical public key cryptosystem provably secure againstadaptive chosen ciphertext attack.In Advances in Cryptology—CRYPTO’98, pages 13–25.Springer, 1998.
Bruce Schneier.Cramer-Shoup cryptosystem.Crypto-Gram Newsletter, 15.09.98.
28 / 28