## Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack (2001)

Venue: SIAM Journal on Computing

Citations: 193 - 11 self

### BibTeX

@ARTICLE{Cramer01designand,

author = {Ronald Cramer and Victor Shoup},

title = {Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack},

journal = {SIAM Journal on Computing},

year = {2001},

volume = {33},

pages = {167--226}

}

### Abstract

A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.

### Citations

8563 | Introduction to Algorithms
- Cormen, Leiserson, et al.
- 1990
Citation Context ...1λ , Γ, ρ,1κ )] ≤ 2−κ . Lemma 3 follows from Lemma 2 using standard “amplification” techniques, making use of standard results on tail inequalities for the binomial distribution (c.f., Section C.5 in [CLRS02]). Given 1 λ , Γ, ρ, and 1 κ , algorithm A1 invokes algorithm A as a subroutine O(P(λ) 2 κ) times with inputs (1 λ , Γ, ρ ′ ), where each ρ ′ ∈ Tλ,Γ is independently sampled from RSR(1 λ , Γ, ρ); addi...

2739 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ... a subroutine O(P(λ) 2 κ) times to “calibrate” A, calculating an estimate of 4.4 Further discussion Pr[ τ = 1 : ρ ′ R ← Tλ,Γ; τ R ← A(1 λ , Γ, ρ ′ ) ]. The CDH assumption was introduced informally by [DH76]. Since then, there have been many papers that deal with the DL and CDH assumptions, and cryptographic applications based on them. The DDH assumption appears to have first surfaced in the cryptographi...

2491 | Handbook of Applied Cryptography - Menezes, Oorschot, Vanstone - 1996

1344 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
Citation Context ...adversary and the algorithms implementing the cryptosystem have “oracle access.” This approach has been used implicitly and informally for some time; however, it was formalized by Bellare and Rogaway [BR93], and has subsequently been used quite a bit in the cryptographic research community. More precisely, we shall analyze the security the scheme HEG and later CS3b in an idealized model of computation w...

1186 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...on of the extended abstract [CS98], and also includes results originally presented in the extended abstract [Sho00b]. 1.1 Chosen ciphertext security Semantic security, defined by Goldwasser and Micali [GM84], captures the intuition that an adversary should not be able to obtain any partial information about a message given its encryption. However, this guarantee of secrecy is only valid when the adversar...

1124 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ... on a couple of other standard intractability assumptions. The hardness of the Decisional Diffie-Hellman problem is essentially equivalent to the semantic security of the basic ElGamal encryption scheme [ElG85]. Thus, with just a bit more computation, we get security against adaptive chosen ciphertext attack, whereas the basic ElGamal scheme is completely insecure against this type of attack. While there ar...

724 | Pseudo-random generation from one-way functions (extended abstracts)
- Impagliazzo, Levin, et al.
- 1989
Citation Context ...o obtain a “one time pad” of length |m|, and then compute sm . A pseudo-random bit generator can be built from an arbitrary one-way permutation [GL89], or even from an arbitrary one-way function [ILL89, HILL99]. These constructions, however, are not very practical. In a practical implementation, it is perfectly reasonable to stretch the key K by using it as the key to a dedicated block cipher, and then eval...

637 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
Citation Context ...and quite practical encryption schemes that are secure against adaptive chosen ciphertext attack under different assumptions - one scheme relies on Paillier's Decision Composite Residuosity assumption [Pai99], while the other (somewhat less practical) scheme relies on the classical Quadratic Residuosity assumption. 1.4 Outline of paper Our paper consists of two parts. Part 1. In the first part, we take care...

630 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001
Citation Context ...t modify network traffic or otherwise actively participate in a protocol using the encryption scheme. For a similar, but slightly different, approach to modeling encryption as an “idealized” process, see [Can00]. See also [BBM00] for another generalization of the definition of adaptive chosen ciphertext attack to a setting involving many users and messages. 4 Intractability Assumptions Related to the Discrete...

463 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...r to be no other public-key encryption schemes in the literature that enjoy both of these properties simultaneously. This paper is a significantly revised and extended version of the extended abstract [CS98], and also includes results originally presented in the extended abstract [Sho00b]. 1.1 Chosen ciphertext security Semantic security, defined by Goldwasser and Micali [GM84], captures the intuition tha...

452 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation Context ...ginal protocol occurs with essentially the same probability in the idealized protocol. 3.4 Further discussion The definition of security we have presented here is from [RS91]. It is called IND-CCA2 in [BDPR98]. It is known to be equivalent to other notions, such as non-malleability [DDN91, BDPR98, DDN00], which is called NM-CCA2 in [BDPR98]. There are other, weaker notions of security for a public-key encr...

450 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context ...ve chosen ciphertext attack." 1.2 Previous work Provably Secure Schemes. Naor and Yung [NY90] presented the first scheme provably secure against lunch-time attacks. Subsequently, Dolev, Dwork, and Naor [DDN91] presented a scheme that is provably secure against adaptive chosen ciphertext attack. Rackoff and Simon [RS91] present and prove the security of an encryption scheme, but their scheme is actually not ...

371 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation Context ...and the key K using a pseudo-random bit generator to obtain a “one time pad” of length |m|, and then compute sm . A pseudo-random bit generator can be built from an arbitrary one-way permutation [GL89], or even from an arbitrary one-way function [ILL89, HILL99]. These constructions, however, are not very practical. In a practical implementation, it is perfectly reasonable to stretch the key K by us...

340 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1991
Citation Context ...n In this paper, we present and analyze a new public-key encryption scheme, and several variants, proving that they are secure against adaptive chosen ciphertext attack (as defined by Rackoff and Simon [RS91]) under standard intractability assumptions. The schemes are quite practical, requiring just a few exponentiations in a group for both encryption and decryption. Moreover, the proofs of security of th...

314 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context ...iscussion As already mentioned, our notion of a target collision resistant hash function is a special case of the more general notion of a universal one-way hash function, introduced by Naor and Yung [NY89]. In their presentation, the hash functions mapped bit strings to bit strings, but of course, using appropriate formatting, we can easily make such a function a map from tuples of elements of the grou...

252 | Public-key Cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
Citation Context ...1 version 2, and for use in the SET protocol for electronic commerce. There are also intermediate notions of security, between semantic security and adaptive chosen ciphertext security. Naor and Yung [NY90] propose an attack model where the adversary has access to the decryption oracle only prior to obtaining the target ciphertext, and the goal of the adversary is to obtain partial information about the...

249 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...r discussion It is clear that the DDH assumption is at least as strong as the CDH assumption, which in turn is at least as strong as the DL assumption. The CDH assumption was introduced informally by [DH76]. Since then, there have been many papers that deal with the DL and CDH assumptions, and cryptographic applications based on them. The DDH assumption appears to have first surfaced in the cryptographic ...

247 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context ...ying intractability assumption. Nor do they even rule out the possibility of breaking the scheme without finding some kind of weakness in the hash function, as shown by Canetti, Goldreich, and Halevi [CGH98]. 1.3 Further progress Subsequent to the publication of the extended abstract [CS98] on which the present paper is based, some further progress in this area has been made. Canetti and Goldwasser [CG99...

241 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
Citation Context ...against adaptive chosen ciphertext attack is the “right” notion of security for a general-purpose public-key encryption scheme. This is exemplified by the adoption of Bellare and Rogaway's OAEP scheme [BR94] (a practical but only heuristically secure scheme) as the internet encryption standard PKCS#1 version 2, and for use in the SET protocol for electronic commerce. There are also intermediate notions o...

240 | Optimistic fair exchange of digital signatures
- Asokan, Shoup, et al.
Citation Context ...ive adversaries. For example, this primitive is used in protocols for authentication and key exchange [DN96, DDN00, Sho99] and in protocols for escrow, certified e-mail, and more general fair exchange [ASW00]. It is by now generally recognized in the cryptographic research community that security against adaptive chosen ciphertext attack is the “right” notion of security for a general-purpose public-key e...

240 | Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard
- Bleichenbacher
- 2002
Citation Context ...encryption standard RSA PKCS#1 version 2, and for use in the SET protocol for electronic commerce. Another motivation for security against adaptive chosen ciphertext attack is Bleichenbacher’s attack [Ble98] on the widely used SSL key establishment protocol, which is based on RSA PKCS#1 version 1 — Bleichenbacher showed how to break this protocol by mounting a specific chosen ciphertext attack (SSL s...

223 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context ...e [Sma99]. We refer the reader to two excellent surveys [MW00] and [Bon98]. The latter focuses exclusively on the DDH assumption, while the former discusses both the CDH and DDH assumptions. Also see [Sho97], where it is shown that the DDH is hard in a “generic” model of computation. 5 Target Collision Resistant Hash Functions In this section, we define the notion of a target collision resistant hash fun...

197 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context ..., to use generic, randomly generated elliptic curves; indeed, for another special class of elliptic curves, the DL assumption is false [Sma99]. We refer the reader to two excellent surveys [MW00] and [Bon98]. The latter focuses exclusively on the DDH assumption, while the former discusses both the CDH and DDH assumptions. Also see [Sho97], where it is shown that the DDH is hard in a “generic” model of co...

197 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation Context ... to the notion of security for universal one-way hash functions. As was shown in [NY89], universal one-way hash functions can be built from arbitrary one-way permutations. This result was extended by [Rom90], who showed that universal one-way hash functions can be built (albeit less efficiently) from arbitrary one-way functions. In practice, to build a universal one-way hash function, one can use a dedic...

184 | How to recycle random bits
- Impagliazzo, Zuckerman
- 1989
Citation Context ...b 0 , the distribution f(KDF ; dk (a; b); KDF ; dk (a; b 0 )) : dk RsKDF.KeySpace ; g is the uniform distribution over all pairs of bits strings of length KDF.OutLen(). By the Leftover Hash Lemma [ILL89, IZ89], it follows that if KDF is pair-wise independent, then for all 0/1-valued, probabilistic, polynomial-time algorithms A, for all 2 Z0 , and all [ ^ G; G; g; q] 2 [S ], AdvDist KDF;A ( j ) 2 k ...

152 | Signature schemes based on the strong RSA assumption
- Cramer, Shoup
Citation Context ...` 1 ()-bit number is a Sophie Germain prime is s =` 1 () 2 ). If such a density estimate were true, then a simple trial and error method for finding Sophie Germain primes would terminate quickly. See [CS00] for more information on efficiently generating such primes. Since the subgroup G of Z p of order q is just the subgroup of quadratic residues, testing if a given element ( mod p) 2 Z p lies in G ca...

149 | Number-theoretic constructions of efficient pseudorandom functions
- Naor, Reingold
- 1997
Citation Context ...) is U(Dλ,Γ) if ρ ∈ Dλ,Γ, and is U(Tλ,Γ) if ρ /∈ Dλ,Γ. This was first observed by Stadler [Sta96], who needed the result to prove the security of a particular protocol, and later by Naor and Reingold [NR97], who also pointed out some of its broader implications. The algorithm RSR is very simple. Given 1 λ , the group description Γ[ ˆ G, G, g, q], and ρ = (a, b, c) ∈ G 3 , the algorithm computes (a ′ , b...

141 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption
- Cramer, Shoup
- 2002
Citation Context ... present paper is based, some further progress in this area has been made. Canetti and Goldwasser [CG99] presented a threshold-decryption variant of our scheme. Also, the authors of the present paper [CS01] have generalized and extended the basic ideas underlying our encryption scheme, obtaining new and quite practical encryption schemes that are secure against adaptive chosen ciphertext attack under di...

136 | An Efficient Off-Line Electronic Cash System Based on the Representation Problem
- Brands
- 1993
Citation Context ...ere have been many papers that deal with the DL and CDH assumptions, and cryptographic applications based on them. The DDH assumption appears to have first surfaced in the cryptographic literature in [Bra93], although as that paper notes, the DDH assumption is actually needed to prove the security of a number of previously proposed protocols. Indeed, the famous Diffie-Hellman key exchange cannot be prove...

131 | RSA-OAEP Is Secure under the RSA Assumption
- Fujisaki, Okamoto, et al.
- 2001
Citation Context ...bility that OAEP in conjunction with a specific one-way trapdoor permutation scheme is secure. Indeed, it is shown in [Sho01] that OAEP with exponent-3 RSA is secure, and this result is generalized in [FOPS01] to arbitrary-exponent RSA. A new scheme, OAEP+, is also presented in [Sho01], which can be proven secure in the random oracle model, using an arbitrary one-way trapdoor permutation. Further variations...

123 | The Gap–Problems: A new class of problems for the security of cryptographic schemes
- Okamoto, Pointcheval
- 1992
Citation Context ...used in the proofs of Theorems 8, 9, 10, along with the arguments in §10.6, into a single proof, which we have unraveled to some extent here. Our presentation here was somewhat influenced by the paper [OP01], which formally introduces the notion of the CDH assumption relative to an oracle for the DDH problem. The security reduction in Theorem 10 is quite inefficient: we have to perform many simulations usin...

120 | Publicly verifiable secret sharing
- Stadler
- 1996
Citation Context ...gorithm RSR such that for all λ ∈ Z≥0, for all Γ ∈ [Sλ], and for all ρ ∈ Tλ,Γ, the distribution RSR(1 λ , Γ, ρ) is U(Dλ,Γ) if ρ ∈ Dλ,Γ, and is U(Tλ,Γ) if ρ /∈ Dλ,Γ. This was first observed by Stadler [Sta96], who needed the result to prove the security of a particular protocol, and later by Naor and Reingold [NR97], who also pointed out some of its broader implications. The algorithm RSR is very simple. ...

109 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack
- Shoup, Gennaro
- 2002
Citation Context ...ed in [Sho01], which can be proven secure in the random oracle model, using an arbitrary one-way trapdoor permutation. Further variations of OAEP and OAEP+ are discussed in [Bon01]. Shoup and Gennaro [SG98] also give ElGamal-like schemes that are secure against adaptive chosen ciphertext attack in the random oracle model, and that are also amenable to efficient threshold decryption. We stress that although...

104 | Public-key Encryption in a Multi-User Setting: Security Proofs and Improvements
- Bellare, Boldyreva, et al.
- 2000
Citation Context ...ffic or otherwise actively participate in a protocol using the encryption scheme. For a similar, but slightly different, approach to modeling encryption as an “idealized” process, see [Can00]. See also [BBM00] for another generalization of the definition of adaptive chosen ciphertext attack to a setting involving many users and messages. 4 Intractability Assumptions Related to the Discrete Logarithm Problem...

97 | Collision-Resistant Hashing: Towards Making UOWHFs Practical
- Bellare, Rogaway
- 1997
Citation Context ...eit less efficiently) from arbitrary one-way functions. In practice, to build a universal one-way hash function, one can use a dedicated cryptographic hash function, like SHA-1 [SHA95]. Constructions in [BR97] and [Sho00a] show how to build a general-purpose universal one-way hash function using the underlying compression function of SHA-1, assuming the latter is second pre-image collision resistant. Actua...

97 | OAEP Reconsidered
- Shoup
Citation Context ...he so-called random oracle model, wherein a hash function is represented by a random oracle. Actually, it turns out that the proof of security of the OAEP scheme in [BR94] is flawed: as demonstrated in [Sho01], there can be no standard “black box” security proof based on an arbitrary one-way trapdoor permutation. However, the negative result in [Sho01] does not rule out the possibility that OAEP in conjunc...

89 | The oracle Diffie-Hellman assumptions and an analysis of DHIES
- Abdalla, Bellare, et al.
Citation Context ... DHAES scheme as well. The DHAES scheme needs to hash both group elements because it allows the possibility of a group G whose order is a composite number. In a revised version of DHAES, called DHIES [ABR01], the group G is required to have prime order, and only the shared Diffie-Hellman key is hashed. However, as we have seen, there are still some security benefits to be gained from hashing both group e...

84 | The discrete logarithm problem on elliptic curves of trace one
- Smart
Citation Context ...es of elliptic curves for cryptographic applications, and instead, to use generic, randomly generated elliptic curves; indeed, for another special class of elliptic curves, the DL assumption is false [Sma99]. We refer the reader to two excellent surveys [MW00] and [Bon98]. The latter focuses exclusively on the DDH assumption, while the former discusses both the CDH and DDH assumptions. 5 Target Collision...

84 | More flexible exponentiation with precomputation - Lim, Lee - 1994

73 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions
- Simon
- 1998
Citation Context ...istance and collision resistance is that in the former, one of the two inputs is not under the control of the adversary, while in the latter, both inputs are under the control of the adversary. Simon [Sim98], in fact, gives a kind of separation result, which suggests that collision resistance is a strictly stronger notion of security than target collision resistance. 6 The New Encryption Scheme: Basic Ve...

67 | Fast exponentiation with precomputation
- Brickell, Gordon, et al.
- 1993
Citation Context ...cheme CS1b, the decryption algorithm has to compute either three or four (if we test if a q = 1 G ) powers of a, and possibly one power of c (if we test if c q = 1 G ). Special algorithmic techniques [BGMW92, LL94] can be employed to compute these several powers of a significantly faster than computing several powers of different group elements. Remark 9 In an actual implementation, it is strongly recommended to ...

67 | Using Hash functions as a hedge against chosen ciphertext attack
- Shoup
- 2000
Citation Context ... of these properties simultaneously. This paper is a significantly revised and extended version of the extended abstract [CS98], and also includes results originally presented in the extended abstract [Sho00b]. 1.1 Chosen ciphertext security Semantic security, defined by Goldwasser and Micali [GM84], captures the intuition that an adversary should not be able to obtain any partial information about a messag...

65 | Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
- Joux, Nguyen
- 2003
Citation Context ...g m · m ′ , from which one then computes m. There are some very special families of elliptic curves for which the DDH assumption does not hold, but for which the CDH assumption still appears to stand [JN01]. How these results are to be interpreted is a bit unclear. On the one hand, perhaps they cast some doubt on the DDH assumption in general. On the other hand, perhaps they only illustrate that very sp...

63 | An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack
- Canetti, Goldwasser
- 1999
Citation Context ...GH98]. 1.3 Further progress Subsequent to the publication of the extended abstract [CS98] on which the present paper is based, some further progress in this area has been made. Canetti and Goldwasser [CG99] presented a threshold-decryption variant of our scheme. Also, the authors of the present paper [CS01] have generalized and extended the basic ideas underlying our encryption scheme, obtaining new and...

60 | Simplified OAEP for the RSA and Rabin Functions
- Boneh
- 2001
Citation Context ...eme, OAEP+, is also presented in [Sho01], which can be proven secure in the random oracle model, using an arbitrary one-way trapdoor permutation. Further variations of OAEP and OAEP+ are discussed in [Bon01]. Shoup and Gennaro [SG98] also give ElGamal-like schemes that are secure against adaptive chosen ciphertext attack in the random oracle model, and that are also amenable to efficient threshold decryptio...

59 | A heuristic asymptotic formula concerning the distribution of prime numbers - Bateman, Horn - 1962

54 | DHIES: An encryption scheme based on the Diffie-Hellman problem
- Abdalla, Bellare, et al.
- 2001
Citation Context ...n if we hash both keys instead of just one. Of course, these improved security reductions for HEG carry over to the security reduction for CS3b in the random oracle model. The DHAES encryption scheme [ABR99], which is a hybrid ElGamal encryption scheme that has been proposed for standardization, also hashes both the ephemeral and shared Diffie-Hellman keys to derive a symmetric key. Indeed, the DHAES ...

51 | A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized
- Manger
Citation Context ... model any notion of time at all, so such attacks fall outside of the model. While some cryptosystems are vulnerable to actual attacks given this type of timing information — notably, Manger’s attack [Man01] on RSA PKCS #1 version 2 — we know of no actual timing attack along these lines on CS1b. Remark 10 For the same reasons as discussed in the previous remark, it is important that any “error code” retu...

45 | A Composition Theorem for Universal One-Way Hash Functions
- Shoup
- 2000
Citation Context ...iently) from arbitrary one-way functions. In practice, to build a universal one-way hash function, one can use a dedicated cryptographic hash function, like SHA-1 [SHA95]. Constructions in [BR97] and [Sho00a] show how to build a general-purpose universal one-way hash function using the underlying compression function of SHA-1, assuming the latter is second pre-image collision resistant. Actually, in our a...

38 | The Decision Diffie-Hellman Problem
- Boneh
- 1998
Citation Context ..., to use generic, randomly generated elliptic curves; indeed, for another special class of elliptic curves, the DL assumption is false [Sma99]. We refer the reader to two excellent surveys [MW00] and [Bon98]. The latter focuses exclusively on the DDH assumption, while the former discusses both the CDH and DDH assumptions. 5 Target Collision Resistant Hash Functions In this section, we define the notion of...