
Using Hash Functions as a Hedge against Chosen Ciphertext Attack

  • Victor Shoup
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)

Abstract

The cryptosystem recently proposed by Cramer and Shoup [CS98] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; indeed, the scheme is slightly more efficient than the one originally presented by Cramer and Shoup. We prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true, and we give strong evidence that the scheme is secure if the weaker Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
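The abstract rests on the gap between the Decisional and Computational Diffie-Hellman assumptions: DDH can be false in a group where CDH still appears hard, and a scheme whose proof needs DDH then loses its guarantee. The following is an added example, not code from the paper and not the paper's scheme, that makes the gap concrete. It runs a DDH distinguisher based on quadratic residuosity (Euler's criterion) in the full group Z_p^* of a constructed safe prime p = 2q + 1 with q = 1019, where it succeeds with advantage about 1/2, and then in the order-q subgroup, where it has no advantage at all. The prime, the generator selection, the trial count and the seed are all assumptions of this example; neither run says anything about CDH, which is exactly the point.

```python
"""Added example: a DDH distinguisher that works in the full group Z_p^* but
not in its prime-order subgroup, illustrating why DDH is a strictly stronger
assumption than CDH and why group choice matters for a DDH-based proof.
The prime, generator selection and trial counts are constructed for this
example; nothing here is the paper's scheme."""
import random

# Constructed parameters: a safe prime p = 2q + 1 (q = 1019), small enough to run instantly.
P = 2039
Q = (P - 1) // 2


def is_quadratic_residue(x, p):
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) == 1 (mod p)."""
    return pow(x, (p - 1) // 2, p) == 1


def full_group_generator(p):
    """Smallest non-residue other than p-1; for a safe prime it generates all of Z_p^*."""
    return next(x for x in range(2, p - 1) if not is_quadratic_residue(x, p))


G_FULL = full_group_generator(P)       # order 2q: whether g^a is a QR reveals the parity of a
G_SUB = pow(G_FULL, 2, P)              # order q: every element is a QR, so nothing leaks


def legendre_consistent(p, ga, gb, z):
    """Accept (g^a, g^b, z) as a DH tuple if the QR status of z matches what g^(ab)
    would have. For g of even order, g^(ab) is a QR iff ab is even iff a or b is even.
    A genuine DH tuple always passes; a random z passes with probability 1/2."""
    return is_quadratic_residue(z, p) == (
        is_quadratic_residue(ga, p) or is_quadratic_residue(gb, p)
    )


def acceptance_rates(p, g, order, trials, seed=1):
    """Return (Pr[accept | real DH tuple], Pr[accept | random z]) for the test above,
    estimated over `trials` samples with exponents uniform in [0, order)."""
    rng = random.Random(seed)
    accept_real = accept_random = 0
    for _ in range(trials):
        a, b, c = (rng.randrange(order) for _ in range(3))
        ga, gb = pow(g, a, p), pow(g, b, p)
        accept_real += legendre_consistent(p, ga, gb, pow(g, a * b, p))   # real tuple
        accept_random += legendre_consistent(p, ga, gb, pow(g, c, p))     # random z
    return accept_real / trials, accept_random / trials


if __name__ == "__main__":
    for name, g, order in (("full group Z_p^*", G_FULL, 2 * Q), ("order-q subgroup", G_SUB, Q)):
        real, rand = acceptance_rates(P, g, order, 2000)
        print(f"{name}: accept real {real:.3f}, accept random {rand:.3f}, "
              f"advantage {real - rand:.3f}")
```

In the full group the distinguisher accepts every genuine tuple and only about half of the random ones, so DDH is simply false there even though nobody knows how to compute g^(ab) from g^a and g^b. In the order-q subgroup every element is a residue and the test accepts everything, which is why DDH-based constructions are instantiated in prime-order groups; the random-oracle proof the abstract mentions is the hedge for the case where even that choice turns out not to be enough.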

Keywords

Hash function, random oracle, decryption algorithm, random oracle model, decryption oracle

References

  1. ABR98.
    M. Abdalla, M. Bellare, and P. Rogaway. DHAES: an encryption scheme based on the Diffie-Hellman problem. Submission to IEEE P1363, 1998.
  2. BCK98.
    M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols. In 30th Annual ACM Symposium on Theory of Computing, 1998.
  3. Bon98.
    D. Boneh. The Decision Diffie-Hellman problem. In ANTS-III, pages 48–63, 1998. Springer LNCS 1423.
  4. BR93.
    M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, 1993.
  5. BR94.
    M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology—Crypto '94, pages 92–111, 1994.
  6. BR97.
    M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. In Advances in Cryptology—Crypto '97, 1997.
  7. Bra93.
    S. Brands. An efficient off-line electronic cash system based on the representation problem, 1993. CWI Technical Report CS-R9323.
  8. CS98.
    R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology—Crypto '98, pages 13–25, 1998.
  9. CS99.
    R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. In 6th ACM Conference on Computer and Communications Security, 1999.
  10. DDN91.
    D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In 23rd Annual ACM Symposium on Theory of Computing, pages 542–552, 1991.
  11. DH76.
    W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.
  12. DvOW92.
    W. Diffie, P. van Oorschot, and M. Wiener. Authentication and authenticated key exchange. Designs, Codes and Cryptography, 2:107–125, 1992.
  13. FO99.
    E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Advances in Cryptology—Crypto '99, pages 537–554, 1999.
  14. IZ89.
    R. Impagliazzo and D. Zuckermann. How to recycle random bits. In 30th Annual Symposium on Foundations of Computer Science, pages 248–253, 1989.
  15. Kra94.
    H. Krawczyk. LFSR-based hashing and authentication. In Advances in Cryptology—Crypto '94, pages 129–139, 1994.
  16. LL94.
    C. H. Lim and P. J. Lee. More flexible exponentiation with precomputation. In Advances in Cryptology—Crypto '94, pages 95–107, 1994.
  17. Lub96.
    M. Luby. Pseudorandomness and Cryptographic Applications. Princeton University Press, 1996.
  18. Mau94.
    U. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Advances in Cryptology—Crypto '94, pages 271–281, 1994.
  19. MW96.
    U. Maurer and S. Wolf. Diffie-Hellman oracles. In Advances in Cryptology—Crypto '96, pages 268–282, 1996.
  20. NR97.
    M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In 38th Annual Symposium on Foundations of Computer Science, 1997.
  21. NY89.
    M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In 21st Annual ACM Symposium on Theory of Computing, 1989.
  22. RS91.
    C. Rackoff and D. Simon. Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology—Crypto '91, pages 433–444, 1991.
  23. SG98.
    V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Advances in Cryptology—Eurocrypt '98, 1998.
  24. Sho97.
    V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology—Eurocrypt '97, 1997.
  25. Sho99.
    V. Shoup. On formal models for secure key exchange. IBM Research Report RZ 3120, April 1999.
  26. Sho00.
    V. Shoup. A composition theorem for universal one-way hash functions. In Advances in Cryptology—Eurocrypt 2000, pages 445–452, 2000.
  27. Sta96.
    M. Stadler. Publicly verifiable secret sharing. In Advances in Cryptology—Eurocrypt '96, pages 190–199, 1996.
  28. TY98.
    Y. Tsiounis and M. Yung. On the security of ElGamal based encryption. In PKC '98, 1998.
  29. ZS92.
    Y. Zheng and J. Seberry. Practical approaches to attaining security against adaptively chosen ciphertext attacks. In Advances in Cryptology—Crypto '92, pages 292–304, 1992.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Victor Shoup, IBM Zürich Research Lab, Rüschlikon, Switzerland
