Table of Links
-
Concept of Cramer-Shoup with Elliptic Curve and 4.1 Prerequisite
-
Proof: Secure against adaptive-chosen ciphertext attacks
6.1 DDH Assumption and 6.2 CCA Assumption
6.3 IND-CCA 1 - non-adaptive Security
6.4 IND-CCA 2 - adaptive Security (Validity Checking Failure)
6 Proof: Secure against adaptive-chosen ciphertext attacks
Our presented crypto schema is cryptographic strong, so we can proven the resistance against CCA. The evidence for CPA is therefore obsolete. In short, even without having to get too deep into the proof, we refer to existing once for the fundamental CS schema [11,55,5]. However, against ECC have been identified some theoretical attack approaches [56]. A part of them use the currently strongest attack vector based on active attacks, which is directly countered by our schema.
The proof on security is given by contradiction based on the EC F(x) and follows [55,57]. The main advantage of the proof is that it does not relay on a zero-knowledge assumption.
6.1 DDH Assumption
6.2 CCA Assumption
We assume a decryption ”oracle” that correctly decrypts any given ciphertext. An attacker chooses two messages m1 and m2, where m1 ̸= m2. These both messages are send to an encryption service, which only returns randomly one of the messages encrypted. The attacker is allowed a polynomial-time access to our decryption ”oracle”, also after obtaining a ciphertext returned from the encryption service. The direct transmission of a ciphertext is excluded in this case. The attacker now guesses which message the encryption service has provided. If this fits better with a probability than 1/2 + δ, then the opponent has an advantage defined by δ.
A crypto system is said to be indistinguishable chosen ciphertext attacks (IND-CCA) secure, if the advantage δ is negligible for any polynomial time attacker.
6.3 IND-CCA 1 - non-adaptive Security
From the public key, the attacker can get the information:
Since these equations are linearly independent, this happens with only negligible probability. Based on the validity check, the cases can be proved and the schema is IND-CCA 1 secure.
6.4 IND-CCA 2 - adaptive Security (Validity Checking Failure)
For this proof, we need to divide the value of the secret key z in z1 and z2. From the public key V , the attacker can get the following information:
Suppose that this is not a DDH tuple:
Then the challenge ciphertext is as follows:
Therefore, the attacker can get the following information:
If the attacker queries an invalid ciphertext to the decryption oracle, say:
As for this decryption query, we should consider the followings cases:
Based on the validity check, all cases can be proved and the schema is IND-CCA 2 secure. This is currently the strongest notion of security. In addition, our cryptographic system is highly efficient in terms of computation, especially in the context of hybrid systems for encryption and signature. In addition, the comparatively small key size enables the system to be used in mobile and wireless applications with low transmission bandwidth, such as smart cards. This also makes it ideal for the Internet of Things and banking.
Author:
(1) Peter Hillmann, University of the Bundeswehr Munich, Department of Computer Science, Werner-Heisenberg-Weg 39, 85577 Neubiberg, Germany.
This paper is