How to Make the Cramer-Shoup Cryptosystem Secure Against Linear Related-Key Attacks
Abstract
Related-key attacks allow an adversary to change the key stored in the memory of a physical device via tampering or other means, and subsequently observe the outcomes of the cryptosystem under these modified keys. Cramer and Shoup (CRYPTO 1998) proposed the first practical public-key encryption scheme proven to be secure against adaptive chosen-ciphertext attacks in the standard model. The scheme (CS-PKE for short) has been highly influential since it embodies the paradigm of hash proof systems. However, Wee (PKC 2012) showed that the CS-PKE scheme is not secure in the scenario of related-key attacks when the related-key derivation functions include linear functions. A fascinating problem left open is how to make the classical CS-PKE scheme secure against linear related-key attacks. In this paper, we propose a simple method to make the Cramer-Shoup scheme secure against linear related-key attacks. The idea is to recompute the public key in the decryption algorithm from the secret key, so that any (dangerous) modification to the secret key can be detected during the decryption phase. The new scheme has the same efficiency as the original one, except that the decryption algorithm involves six exponentiations to fixed bases. Fortunately, one fixed-base exponentiation with precomputation is at least 5 times faster than one regular exponentiation.
