Cramer–Shoup cryptosystem

The Cramer- Shoup cryptosystem is a system developed by Ronald Cramer and Victor Shoup asymmetric cryptosystem, which can be seen as an extension of the ElGamal encryption method. It was the first practical encryption method that was in the standard model ( without random oracle ) against adaptive chosen-ciphertext attacks safely. The safety of the procedure depends on the difficulty of the Decisional Diffie -Hellman problem.

The procedure

Like all asymmetric encryptions is also the Cramer- Shoup method of three algorithms.

Key generation

  • First you choose a ( multiplicatively written here ) cyclic group of prime order, and in these two producers. Additionally, a cryptographic hash function must be defined. These values ​​are public parameters and can be used by several users simultaneously.
  • Then as random secret key can be selected.
  • From these, the public key is computed.

Encoding

To encrypt a message using the public key steps are as follows:

  • It is chosen a random.
  • That is the encryption of the message as in ElGamal.
  • , A universal one-way hash function collision resistant hash function is or.
  • . This element ensures that an attacker can not use parts of the cipher to generate more cryptograms, thus ensuring the necessary security for the non- deformability

The cipher consists of then.

Decryption

To decrypt a cipher text with the secret key will result in one of two steps.

  • First, we calculated and checked if. If this is not the case, the decryption is aborted and an error message.
  • If not, we can calculate the plaintext.

Correctness

The correctness of the procedure follows from

Instantiation

As a security level we choose the default length for generic applications of 128 bits. This results in an output length of 256 bits results for the hash function. SHA -256 can be assumed to be collision-resistant.

You need a group in which the discrete logarithm is hard to compute, such as. You simply select a prime number with a length of 3248 bits, so that the group has a multiplicative subgroup of prime order, which should have a length of 256 bit. This means that should apply. From the choice of parameters results in a length of bit of the secret key, and bit for the public key. A cipher is bit long.

Public-key cryptography Decisional Diffie–Hellman assumption
206126
de