## Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption (2001)

Citations: 141 - 7 self

### BibTeX

@INPROCEEDINGS{Cramer01universalhash,
  author = {Ronald Cramer and Victor Shoup},
  title = {Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption},
  booktitle = {},
  year = {2001},
  pages = {45--64},
  publisher = {Springer-Verlag}
}

### Abstract

We present several new and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier's Decision Composite Residuosity (DCR) assumption [7], while another is based on the classical Quadratic Residuosity (QR) assumption. The analysis is in the standard cryptographic model, i.e., the security of our schemes does not rely on the Random Oracle model. We also introduce the notion of a universal hash proof system. Essentially, this is a special kind of non-interactive zero-knowledge proof system for an NP language. We do not show that universal hash proof systems exist for all NP languages, but we do show how to construct very efficient universal hash proof systems for a general class of group-theoretic language membership problems. Given an efficient universal hash proof system for a language with certain natural cryptographic indistinguishability properties, we show how to construct efficient public-key encryption schemes secure against adaptive chosen ciphertext attack in the standard model. Our construction only uses the universal hash proof system as a primitive: no other primitives are required, although even more efficient encryption schemes can be obtained by using hash functions with appropriate collision-resistance properties. We show how to construct efficient universal hash proof systems for languages related to the DCR and QR assumptions. From these we get corresponding public-key encryption schemes that are secure under these assumptions. We also show that the Cramer-Shoup encryption scheme (which up until now was the only practical encryption scheme that could be proved secure against adaptive chosen ciphertext attack under a reasonable assumption, namely, the Decision...

### Citations

1341 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...een proposed and heuristically proved secure against adaptive chosen ciphertext. More precisely, these schemes are proven secure under reasonable intractability assumptions in the Random Oracle model [1]. The Random Oracle model is an idealized model of computation in which a cryptographic hash function is modeled as a black box, access to which is allowed only through explicit oracle queries. While ...

674 | Universal Classes of Hash Functions
- Carter, Wegman
- 1979
Citation Context ...Universal Projective Hashing Before defining universal projective hash functions, we present various basic definitions of families of hash functions related to the general notion of "universal hashing" [2, 9]. 3.1 Universal Hashing Let H, X, be non-empty finite sets, and let F : H X ! be a function. We write F_h(x) for F applied to (h; x); moreover, it will often be natural to view h ∈ H as a function...

631 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
Citation Context ...w and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier's Decision Composite Residuosity (DCR) assumption [7], while another is based on the classical Quadratic Residuosity (QR) assumption. The analysis is in the standard cryptographic model, i.e., the security of our schemes does not rely on the Random Orac...

450 | Non-malleable cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context ...ence in the design and analysis of cryptographic protocols has shown that security against adaptive chosen ciphertext attack is both necessary and sufficient in many applications. Dolev, Dwork, and Naor [4] introduced the notion of non-malleable encryption, which turns out to be equivalent to the notion of security against adaptive chosen ciphertext attack (at least, when one considers the strongest pos...

340 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1991
Citation Context ...right" notion of security for a general-purpose public-key encryption scheme is that of security against adaptive chosen ciphertext attack. This notion was introduced by Rackoff and Simon [8]. While there are weaker notions of security, such as that defined by Naor and Yung [6], experience in the design and analysis of cryptographic protocols has shown that security against adaptive chosen...

332 | New hash functions and their use in authentication and set equality. Journal of computer and system sciences, 22(3):265–279
- Wegman, Carter
- 1981
Citation Context ...Universal Projective Hashing Before defining universal projective hash functions, we present various basic definitions of families of hash functions related to the general notion of "universal hashing" [2, 9]. 3.1 Universal Hashing Let H, X, be non-empty finite sets, and let F : H X ! be a function. We write F_h(x) for F applied to (h; x); moreover, it will often be natural to view h ∈ H as a function...

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context ...function (CRHF), then we still get a scheme that is secure against adaptive chosen ciphertext attack. With a somewhat more refined analysis, one can show that a universal one-way hash function (UOWHF) [NY1] suffices. This analysis requires some additional, special properties of the subset membership problem; namely, that elements of X \ L can be efficiently sampled at random, and that given appropriate "trapdoo...

253 | Public key cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
Citation Context ...eme is that of security against adaptive chosen ciphertext attack. This notion was introduced by Rackoff and Simon [8]. While there are weaker notions of security, such as that defined by Naor and Yung [6], experience in the design and analysis of cryptographic protocols has shown that security against adaptive chosen ciphertext attack is both necessary and sufficient in many applications. Dolev, Dwork, a...

193 | Design and analysis of practical public-key encryption schemes secure against chosen ciphertext attack - Cramer, Shoup

148 | Pseudorandomness and Cryptographic Applications - Luby - 1996

20 | The random oracle model revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context ...ght still be subject to an attack "in the real world," even though the stated intractability assumption is true, and even if there are no particular weaknesses in the cryptographic hash function (see [CGH]). 1.1 Our contributions We present several new and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier's De...

13 | A Practical Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attacks
- Cramer, Shoup
- 1998
Citation Context ...ntil now, the only practical scheme that has been proposed that can be proven secure against adaptive chosen ciphertext attack under a reasonable intractability assumption is that of Cramer and Shoup [3]. This scheme is based on the Decision Diffie-Hellman (DDH) assumption, and is not much less efficient than traditional ElGamal encryption. Other practical schemes have been proposed and heuristically prove...