## Using Hash Functions as a Hedge against Chosen Ciphertext Attack (2000)

### Other Repositories/Bibliography

Citations: 70 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Shoup00usinghash,
  author    = {Victor Shoup},
  title     = {Using Hash Functions as a Hedge against Chosen Ciphertext Attack},
  booktitle = {},
  year      = {2000},
  pages     = {275--288},
  publisher = {Springer-Verlag}
}
```

### Abstract

The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.

### Citations

- New directions in cryptography (Diffie, Hellman, 1976); cited by 2929.

- Random Oracles are Practical: A Paradigm for Designing Efficient (Bellare, Rogaway, 1993); cited by 1419.
  - Citation context: "...aor [7] presented a cryptosystem that could be proven secure in this sense using a reasonable intractability assumption. However, their scheme was quite impractical. Subsequently, Bellare and Rogaway [1, 2] presented schemes that were quite practical, but lacked a proof of security in the standard model of computation. However, the schemes can be proven secure in the random oracle model, wherein a crypt..."

- A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack (Cramer, Shoup); cited by 476.
  - Citation context: "...sen Ciphertext Attack Victor Shoup IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland sho@zurich.ibm.com June 21, 1999 Abstract The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability..."

- Non-malleable cryptography (Dolev, Dwork, et al.); cited by 470.
  - Citation context: "... community that the "right" definition of security for a public key cryptosystem is security against adaptive chosen ciphertext attack, as defined by Rackoff and Simon [13] and Dolev, Dwork, and Naor [7]. At least, this is the definition of security that allows the cryptosystem to be deployed safely in the widest range of applications. This is IBM Research Report RZ 3139. 1 Dolev, Dwork, and Naor [7]..."

- Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack (Rackoff, Simon, 1991); cited by 358.
  - Citation context: "...on in the cryptographic research community that the "right" definition of security for a public key cryptosystem is security against adaptive chosen ciphertext attack, as defined by Rackoff and Simon [13] and Dolev, Dwork, and Naor [7]. At least, this is the definition of security that allows the cryptosystem to be deployed safely in the widest range of applications. This is IBM Research Report RZ 313..."

- Universal one-way hash functions and their cryptographic applications (Naor, Yung, 1989); cited by 321.
  - Citation context: "... secure against adaptive chosen ciphertext attack, under the DDH assumption for G, and assuming UOWH is a secure universal one-way hash function. Although there are theoretical constructions for UOWH [12], a reasonable construction would be to use the compression function of SHA-1, in conjunction with the constructions in [3] or [15]. With this approach, the security of UOWH can be based on the assump..."

- Authentication and authenticated key exchanges (Diffie, Oorschot, et al., 1992); cited by 277.
  - Citation context: "...me of any kind—except in the random oracle model. Indeed, it appears to be a widely held misconception that the security of the Diffie-Hellman key exchange protocol [DH76] and variants thereof (e.g., [DvOW92]) is implied by the CDH assumption. This is simply not the case—under any reasonable definition of security, except in the random oracle model. One can use the DDH assumption, however, as the basis fo..."

- Optimal Asymmetric Encryption (Bellare, Rogaway, 1993); cited by 249.
  - Citation context: "...aor [7] presented a cryptosystem that could be proven secure in this sense using a reasonable intractability assumption. However, their scheme was quite impractical. Subsequently, Bellare and Rogaway [1, 2] presented schemes that were quite practical, but lacked a proof of security in the standard model of computation. However, the schemes can be proven secure in the random oracle model, wherein a crypt..."

- A modular approach to the design and analysis of authentication and key exchange protocols (Bellare, Canetti, et al., 1998); cited by 233.

- Lower bounds for discrete logarithms and related problems (Shoup); cited by 232.
  - Citation context: "...t is correct with all but negligible probability. The CDH assumption is the assumption that no such "good" algorithm exists. Using well-known random-self reductions, along with the results of [11] or [14], the existence of such a "good" algorithm is equivalent to the existence of a probabilistic algorithm that outputs a correct answer with non-negligible probability, where the probability is taken ove..."

- The decision Diffie–Hellman problem (Boneh, 1998); cited by 209.

- How to Recycle Random Bits (Impagliazzo, Zuckerman, 1989); cited by 184.
  - Citation context: "...ments λ ∈ G to l-bit strings. Many efficient constructions for PIH exist that do not require any intractability assumptions. We will want to apply the Entropy Smoothing Theorem (see [Lub96, Ch. 8] or [IZ89]) to PIH, assuming that the input λ is a random group element. To do this effectively, the relative sizes of q and l must be chosen appropriately, so that 2^l/q is a negligible quantity. We also nee..."

- Secure Integration of Asymmetric and Symmetric Encryption Schemes (Fujisaki, Okamoto, 1999); cited by 180.
  - Citation context: "...he hardness of certain "interactive" problems, and as such they do not qualify as "intractability assumptions" in the usual sense of the term. Furthermore, using random oracles does not seem to help. [FO99] present a scheme that can be proven secure against adaptive chosen ciphertext attack under the CDH assumption in the random oracle model. Moreover, they present a fairly general method of converting ..."

- Signature Schemes Based on the Strong RSA Assumption (Cramer, Shoup); cited by 161.
  - Citation context: "...lso be proved in the random oracle model under a weaker intractability assumption. This same "hedging with hash" security approach has also been applied to digital signature schemes: Cramer and Shoup [4] presented and analyzed a practical signature scheme that is secure in the standard model under the so-called Strong RSA assumption, but is also secure in the random oracle model under the ordinary RS..."

- Pseudorandomness and Cryptographic Applications (Luby, 1996); cited by 156.

- Number-theoretic constructions of efficient pseudo-random functions (Naor, Reingold, 1997); cited by 152.

- An efficient off-line electronic cash system based on the representation problem (Brands, 1993); cited by 143.
  - Citation context: "...se the DDH assumption, however, as the basis for proving the security of such schemes (see, e.g., [BCK98, Sho99]). The DDH assumption appears to have first surfaced in the cryptographic literature in [Bra93]. For other applications and discussion of the DDH, see [Bon98, NR97]. As in the previous section, we have suppressed many details in the above discussion, e.g., there is an implicit security paramete..."

- LFSR-based Hashing and Authentication (Krawczyk); cited by 134.
  - Citation context: "...rings to strings of arbitrary length. We assume here that 1/2^l is a negligible quantity. We need a hash function AXUH suitable for message authentication, i.e., an almost XOR-universal hash function [8]. We assume that AXUH is keyed by an l-bit string and hashes arbitrary bit strings to l-bit strings. Many efficient constructions for AXUH exist that do not require any intractability assumptions. To ..."

- Publicly Verifiable Secret Sharing (Stadler, 1996); cited by 123.
  - Citation context: "... that for all inputs, its output is correct with all but negligible probability. The DDH is the assumption that no such "good" algorithm exists. Using the random-self reduction presented by Stadler [16], the existence of such a "good" algorithm is equivalent to the existence of a probabilistic statistical test distinguishing the distributions (g, g^x, g^y, g^z) and (g, g^x, g^y, g^xy), where g..."

- Securing threshold cryptosystems against chosen ciphertext attack (Shoup, Gennaro); cited by 112.
  - Citation context: "...Y98], but rather than basing the proof of security on the hardness of a specific problem, it is based on the assumption that the adversary behaves in a specific way, similar to as was done in [ZS92]. [SG98] present two schemes; the first can be proved secure against adaptive chosen ciphertext attack in the random oracle model under the CDH, while the proof of security for the second relies on the DDH. B..."

- Collision-resistant hashing: Towards making UOWHFs practical (Bellare, Rogaway, 1997); cited by 101.
  - Citation context: "...ne-way hash function. Although there are theoretical constructions for UOWH [12], a reasonable construction would be to use the compression function of SHA-1, in conjunction with the constructions in [3] or [15]. With this approach, the security of UOWH can be based on the assumption that the SHA-1 compression function is second-preimage collision resistant, a potentially much weaker assumption than ..."

- More flexible exponentiation with precomputation (Lim, Lee, 1994); cited by 88.
  - Citation context: "...ntiations, all with respect to the same base u1. An implementation can and should exploit this to get a significantly more efficient decryption algorithm by using precomputation techniques (see, e.g. [LL94]). Remark 4. The reduction given in the proof of Theorem 3 is perhaps not as efficient as one would like. If T is the time required to solve the DDH problem, and Q queries are made to the random oracl..."

- On Formal Models for Secure Key Exchange (Shoup, 1999); cited by 80.

- Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms (Maurer, 1994); cited by 70.
  - Citation context: "... is to first solve the DL problem. However, there remains the possibility that the DL problem is hard and the CDH problem is easy, or that the CDH problem is hard, and the DDH problem is easy. Maurer [10] has shown that under certain circumstances, an algorithm for solving the CDH problem can be used to solve the DL problem. This reduction is a "generic" reduction that does not depend on the represent..."

- DHIES: An Encryption Scheme Based on the Diffie-Hellman Problem. Cryptology ePrint Archive: Report (Abdalla, Bellare, et al., 1999); cited by 56.
  - Citation context: "... as that in [TY98], and argues why it would be quite difficult using known techniques to prove that such a scheme is secure against adaptive chosen ciphertext attack even in the random oracle model. [ABR98] present a scheme for which security against adaptive chosen ciphertext attack can only be proved under non-standard assumptions—these assumptions relate to the hardness of certain "interactive" pro..."

- On the security of ElGamal based encryption (Tsiounis, Yung, 1998); cited by 48.
  - Citation context: "...ignatures). However, this type of hedging is much more expensive computationally, and much less elegant than the type of hedging we are advocating here. Other Diffie-Hellman based encryption schemes. [TY98] present a scheme, but it cannot be proved secure against adaptive chosen ciphertext attack under any intractability assumption, even in the random oracle model. There is indeed a security analysis in..."

- A composition theorem for universal one-way hash functions (Shoup, 2000); cited by 47.
  - Citation context: "...hash function. Although there are theoretical constructions for UOWH [12], a reasonable construction would be to use the compression function of SHA-1, in conjunction with the constructions in [3] or [15]. With this approach, the security of UOWH can be based on the assumption that the SHA-1 compression function is second-preimage collision resistant, a potentially much weaker assumption than full col..."

- Diffie-Hellman Oracles (Maurer, Wolf, 1994); cited by 37.
  - Citation context: "...ts output is correct with all but negligible probability. The CDH assumption is the assumption that no such "good" algorithm exists. Using well-known random-self reductions, along with the results of [MW96] or [Sho97], the existence of such a "good" algorithm is equivalent to the existence of a probabilistic algorithm that outputs a correct answer with non-negligible probability, where the probability i..."

- Practical approaches to attaining security against adaptively chosen ciphertext attacks, Crypto '92 (Zheng, Seberry); cited by 25.
  - Citation context: "...is in [TY98], but rather than basing the proof of security on the hardness of a specific problem, it is based on the assumption that the adversary behaves in a specific way, similar to as was done in [ZS92]. [SG98] present two schemes; the first can be proved secure against adaptive chosen ciphertext attack in the random oracle model under the CDH, while the proof of security for the second relies on th..."

- Diffie-Hellman oracles (Maurer, Wolf); cited by 14.
  - Citation context: "...ts output is correct with all but negligible probability. The CDH assumption is the assumption that no such "good" algorithm exists. Using well-known random-self reductions, along with the results of [11] or [14], the existence of such a "good" algorithm is equivalent to the existence of a probabilistic algorithm that outputs a correct answer with non-negligible probability, where the probability is t..."