Abstract
The cryptosystem recently proposed by Cramer and Shoup [CS98] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; indeed, the scheme is slightly more efficient than the one originally presented by Cramer and Shoup. We prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true, and we give strong evidence that the scheme is secure if the weaker Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
References
M. Abdalla, M. Bellare, and P. Rogaway. DHAES: an encryption scheme based on the Diffie-Hellman problem. Submission to IEEE P1363, 1998.
M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols. In 30th Annual ACM Symposium on Theory of Computing, 1998.
D. Boneh. The Decision Diffie-Hellman problem. In ANTS-III, pages 48–63, 1998. Springer LNCS 1423.
M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, 1993.
M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology - Crypto '94, pages 92–111, 1994.
M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. In Advances in Cryptology - Crypto '97, 1997.
S. Brands. An efficient off-line electronic cash system based on the representation problem. CWI Technical Report CS-R9323, 1993.
R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology - Crypto '98, pages 13–25, 1998.
R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. In 6th ACM Conference on Computer and Communications Security, 1999.
D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In 23rd Annual ACM Symposium on Theory of Computing, pages 542–552, 1991.
W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.
W. Diffie, P. van Oorschot, and M. Wiener. Authentication and authenticated key exchange. Designs, Codes and Cryptography, 2:107–125, 1992.
E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Advances in Cryptology - Crypto '99, pages 537–554, 1999.
R. Impagliazzo and D. Zuckerman. How to recycle random bits. In 30th Annual Symposium on Foundations of Computer Science, pages 248–253, 1989.
H. Krawczyk. LFSR-based hashing and authentication. In Advances in Cryptology - Crypto '94, pages 129–139, 1994.
C. H. Lim and P. J. Lee. More flexible exponentiation with precomputation. In Advances in Cryptology - Crypto '94, pages 95–107, 1994.
M. Luby. Pseudorandomness and Cryptographic Applications. Princeton University Press, 1996.
U. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Advances in Cryptology - Crypto '94, pages 271–281, 1994.
U. Maurer and S. Wolf. Diffie-Hellman oracles. In Advances in Cryptology - Crypto '96, pages 268–282, 1996.
M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In 38th Annual Symposium on Foundations of Computer Science, 1997.
M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In 21st Annual ACM Symposium on Theory of Computing, 1989.
C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology - Crypto '91, pages 433–444, 1991.
V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Advances in Cryptology - Eurocrypt '98, 1998.
V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - Eurocrypt '97, 1997.
V. Shoup. On formal models for secure key exchange. IBM Research Report RZ 3120, April 1999.
V. Shoup. A composition theorem for universal one-way hash functions. In Advances in Cryptology - Eurocrypt 2000, pages 445–452, 2000.
M. Stadler. Publicly verifiable secret sharing. In Advances in Cryptology - Eurocrypt '96, pages 190–199, 1996.
Y. Tsiounis and M. Yung. On the security of ElGamal based encryption. In PKC '98, 1998.
Y. Zheng and J. Seberry. Practical approaches to attaining security against adaptively chosen ciphertext attacks. In Advances in Cryptology - Crypto '92, pages 292–304, 1992.
© 2000 Springer-Verlag Berlin Heidelberg
Shoup, V. (2000). Using Hash Functions as a Hedge against Chosen Ciphertext Attack. In: Preneel, B. (eds) Advances in Cryptology — EUROCRYPT 2000. EUROCRYPT 2000. Lecture Notes in Computer Science, vol 1807. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45539-6_19
DOI: https://doi.org/10.1007/3-540-45539-6_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-67517-4
Online ISBN: 978-3-540-45539-4