The '''Cramer–Shoup system''' is an [[asymmetric key encryption algorithm]], and was the first efficient scheme proven to be secure against [[adaptive chosen ciphertext attack]] using standard cryptographic assumptions. Its security is based on the computational intractability (widely assumed, but not proved) of the [[decisional Diffie–Hellman assumption]]. Developed by [[Ronald Cramer]] and [[Victor Shoup]] in 1998, it is an extension of the [[Elgamal encryption|Elgamal cryptosystem]]. In contrast to Elgamal, which is extremely [[malleability (cryptography)|malleable]], Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a [[universal one-way hash function]] and additional computations, resulting in a ciphertext which is twice as large as in Elgamal.
==Adaptive chosen ciphertext attacks==
The definition of security achieved by Cramer–Shoup is formally termed "[[ciphertext indistinguishability|indistinguishability]] under [[adaptive chosen ciphertext attack]]" (IND-CCA2). This security definition is currently the strongest definition known for a public key cryptosystem: it assumes that the attacker has access to a [[decryption oracle]] which will decrypt any ciphertext using the scheme's secret decryption key. The "adaptive" component of the security definition means that the attacker has access to this decryption oracle both before and after he observes a specific target ciphertext to attack (though he is prohibited from using the oracle to simply decrypt this target ciphertext). The weaker notion of security against non-adaptive chosen ciphertext attacks (IND-CCA1) only allows the attacker to access the decryption oracle before observing the target ciphertext.

Though it was well known that many widely used cryptosystems were insecure against such an attacker, for many years system designers considered the attack to be impractical and of largely theoretical interest. This began to change during the late 1990s, particularly when [[Daniel Bleichenbacher]] demonstrated a practical adaptive chosen ciphertext attack against [[Secure Sockets Layer|SSL]] servers using a form of [[RSA (algorithm)|RSA]] encryption.<ref>Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. Advances in Cryptology — CRYPTO '98. [http://citeseer.ist.psu.edu/bleichenbacher98chosen.html]</ref>

Cramer–Shoup was not the first encryption scheme to provide security against adaptive chosen ciphertext attack. Naor–Yung, Rackoff–Simon, and Dolev–Dwork–Naor proposed provably secure conversions from standard (IND-CPA) schemes into IND-CCA1 and IND-CCA2 schemes. These techniques are secure under a standard set of cryptographic assumptions (without random oracles); however, they rely on complex [[zero-knowledge proof]] techniques, and are inefficient in terms of computational cost and ciphertext size. A variety of other approaches, including [[Mihir Bellare|Bellare]]/[[Phillip Rogaway|Rogaway]]'s [[Optimal Asymmetric Encryption Padding|OAEP]] and [[Fujisaki–Okamoto]], achieve efficient constructions using a mathematical abstraction known as a [[random oracle]]. Unfortunately, implementing these schemes in practice requires the substitution of some practical function (e.g., a [[cryptographic hash function]]) in place of the random oracle. A growing body of evidence suggests the insecurity of this approach,<ref>Ran Canetti, [[Oded Goldreich]], Shai Halevi. [http://doi.acm.org/10.1145/1008731.1008734 ''The Random Oracle Methodology, Revisited'']. Journal of the ACM, 51:4, pages 557–594, 2004.</ref> although no practical attacks have been demonstrated against deployed schemes.

== The cryptosystem ==
Cramer–Shoup consists of three algorithms: the key generator, the encryption algorithm, and the decryption algorithm.

=== Key generation ===
* [[Alice and Bob|Alice]] generates an efficient description of a [[cyclic group]] <math>G</math> of order <math>q</math> with two distinct, random [[generating set of a group|generator]]s <math>g_1, g_2</math>.
* Alice chooses five random values <math>({x}_{1}, {x}_{2}, {y}_{1}, {y}_{2}, z)</math> from <math>\{0, \ldots, q-1\}</math>.
* Alice computes <math>c = {g}_{1}^{x_1} g_{2}^{x_2}, d = {g}_{1}^{y_1} g_{2}^{y_2}, h = {g}_{1}^{z}</math>.
* Alice publishes <math>(c, d, h)</math>, along with the description of <math>G, q, g_1, g_2</math>, as her [[public key]]. Alice retains <math>(x_1, x_2, y_1, y_2, z)</math> as her [[secret key]]. The group can be shared between users of the system.

=== Encryption ===
To encrypt a message <math>m</math> to Alice under her public key <math>(G,q,g_1,g_2,c,d,h)</math>,

* Bob converts <math>m</math> into an element of <math>G</math>.
* Bob chooses a random <math>k</math> from <math>\{0, \ldots, q-1\}</math>, then calculates:
**<math>u_1 = {g}_{1}^{k}, u_2 = {g}_{2}^{k}</math>
**<math>e = h^k m \,</math>
**<math>\alpha = H(u_1, u_2, e) \,</math>, where H() is a [[universal one-way hash function]] (or a [[collision resistant]] [[cryptographic hash function]], which is a stronger requirement).
**<math>v = c^k d^{k\alpha} \,</math>
* Bob sends the ciphertext <math>(u_1, u_2, e, v)</math> to Alice.

=== Decryption ===
To decrypt a ciphertext <math>(u_1, u_2, e, v)</math> with Alice's secret key <math>(x_1, x_2, y_1, y_2, z)</math>,

* Alice computes <math>\alpha = H(u_1, u_2, e) \,</math> and verifies that <math>{u}_{1}^{x_1} u_{2}^{x_2} ({u}_{1}^{y_1} u_{2}^{y_2})^{\alpha} = v \,</math>. If this test fails, further decryption is aborted and the output is rejected.
* Otherwise, Alice computes the plaintext as <math>m = e / ({u}_{1}^{z}) \,</math>.

The decryption stage correctly decrypts any properly-formed ciphertext, since

: <math> {u}_{1}^{z} = {g}_{1}^{k z} = h^k \,</math>, and <math>m = e / h^k. \,</math>

If the space of possible messages is larger than the size of <math>G</math>, then Cramer–Shoup may be used in a [[hybrid cryptosystem]] to improve efficiency on long messages. Note that it is not possible to split the message into several pieces and encrypt each piece independently, because the chosen-ciphertext security property is not preserved in this way.
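
The three algorithms above, written out as an added example (not part of the original article and not the authors' code) to show the validity test rejecting an Elgamal-style malleation of <math>e</math>. Assumptions: a constructed toy group (the squares modulo the safe prime 2039, order 1019), fixed generators 4 and 9, SHA-256 reduced modulo <math>q</math> standing in for <math>H</math>, and an extra group-membership check on received values.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example, far too small to be secure):
# p = 2q + 1 is a safe prime and G is the order-q subgroup of squares mod p.
P, Q = 2039, 1019
G1, G2 = 4, 9  # squares other than 1, so each generates G (fixed, not random)

def H(u1, u2, e):
    """Hash (u1, u2, e) to an exponent; SHA-256 is this example's choice of H."""
    data = b"|".join(str(x).encode() for x in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z, P)
    return (c, d, h), (x1, x2, y1, y2, z)

def in_group(a):
    return 0 < a < P and pow(a, Q, P) == 1

def encrypt(pk, m):
    c, d, h = pk
    if not in_group(m):
        raise ValueError("message must be encoded as an element of G")
    k = secrets.randbelow(Q)
    u1, u2 = pow(G1, k, P), pow(G2, k, P)
    e = pow(h, k, P) * m % P
    alpha = H(u1, u2, e)
    v = pow(c, k, P) * pow(d, k * alpha, P) % P
    return u1, u2, e, v

def decrypt(sk, ct):
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if not all(in_group(a) for a in ct):
        return None  # added membership check, an assumption of this example
    alpha = H(u1, u2, e)
    check = pow(u1, x1 + y1 * alpha, P) * pow(u2, x2 + y2 * alpha, P) % P
    if check != v:
        return None  # validity test failed: abort and output nothing
    return e * pow(u1, Q - z, P) % P  # m = e / u1^z, since u1^q = 1

def mauled(ct, factor):
    """Elgamal-style malleation: scale e, leave u1, u2 and v untouched."""
    u1, u2, e, v = ct
    return u1, u2, e * factor % P, v
```

With <math>q = 1019</math> a mauled ciphertext still passes the test by chance roughly once in a few hundred attempts (for example when the two hash values coincide modulo <math>q</math>); in a group of cryptographic size that probability is negligible.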

== References ==
<references/>
* [[Ronald Cramer]] and [[Victor Shoup]]. [http://link.springer.com/chapter/10.1007%2FBFb0055717 "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack."] in proceedings of Crypto 1998, LNCS 1462, p. 13ff ([http://homepages.cwi.nl/~cramer/papers/cs.ps ps],[http://knot.kaist.ac.kr/seminar/archive/46/46.pdf pdf])
* [http://www.verify-it.de/sub/cramer_shoup.html Toy implementations of Cramer–Shoup in Emacs Lisp and Java]
* 1998 vintage news coverage of Cramer and Shoup's publication in [http://www.wired.com/news/technology/0,1282,14590,00.html Wired News] and in [[Bruce Schneier]]'s [http://packetstorm.linuxsecurity.com/mag/crypto-gram/crypto-gram-9809.html Crypto-Gram]
* [[Ronald Cramer]] and [[Victor Shoup]]: "Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption." in proceedings of Eurocrypt 2002, LNCS 2332, pp. 45–64. [http://www.shoup.net/papers/uhp.pdf Full Version (pdf)]

{{Cryptography navbox | public-key}}

{{DEFAULTSORT:Cramer-Shoup Cryptosystem}}
[[Category:Public-key encryption schemes]]