How to Make the Cramer-Shoup Cryptosystem Secure Against Linear Related-Key Attacks
Autor: | Shuai Han, Shengli Liu, Zhuo Wei, Baodong Qin, Yu Chen |
---|---|
Rok vydání: | 2017 |
Předmět: |
060201 languages & linguistics
Theoretical computer science Computer science business.industry Hash function Cramer–Shoup cryptosystem 06 humanities and the arts 02 engineering and technology Encryption Public-key cryptography 0602 languages and literature 0202 electrical engineering electronic engineering information engineering Hybrid cryptosystem Cryptosystem 020201 artificial intelligence & image processing business Goldwasser–Micali cryptosystem Standard model (cryptography) |
Zdroj: | Information Security and Cryptology ISBN: 9783319547046 Inscrypt |
DOI: | 10.1007/978-3-319-54705-3_10 |
Popis: | Related-key attacks allow an adversary to change the key stored in the memory of a physical device via tampering or other means, and subsequently observe the outcomes of the cryptosystem under these modified keys. Cramer and Shoup (CRYPTO 1998) proposed the first practical public-key encryption scheme proven to be secure against adaptive chosen-ciphertext attacks in the standard model. The scheme (CS-PKE for short) has great influence since it embodies the paradigm of hash proof system. However, Wee (PKC 2012) showed that the CS-PKE scheme is not secure in the scenario of related-key attacks when the related-key derivation functions include linear functions. A fascinating problem left open is how to protect the classical CS-PKE scheme secure against linear related-key attacks. In this paper, we propose a simple method to make the Cramer-Shoup scheme secure against linear related-key attacks. The idea is to recompute the public key in the decryption algorithm from the secret key, so that any (dangerous) modification to the secret key could be detected during the decryption phase. The new scheme has the same efficiency as the original one, except for involving six exponentiations to fixed bases in the decryption algorithm. Fortunately, the computing time for one fixed-base exponentiation with precomputations is at least 5 times faster than that of one regular exponentiation. |
Databáze: | OpenAIRE |
Externí odkaz: |