Table of Links
-
Concept of Cramer-Shoup with Elliptic Curve and 4.1 Prerequisite
-
Proof: Secure against adaptive-chosen ciphertext attacks
6.1 DDH Assumption and 6.2 CCA Assumption
6.3 IND-CCA 1 - non-adaptive Security
6.4 IND-CCA 2 - adaptive Security (Validity Checking Failure)
4.3 Encryption by Sender
The sender would like to store or transmit the data m. For encryption, we secretly and randomly choose a multiplication factor r ∈ Zq. The factor r is chosen anew for each data m. Even if q is unknown and therefore also Zq, r should automatically be part of Zq, because q is chosen accordingly large. This factor r is used to perform point multiplications on the EC as follows, see Equation 4, 5, and 6:
There we obtain the three points U1, U2, and E of the EC.
To protect against tampering and to ensure integrity, one hash value α is calculated over the three points, see Equation 7:
This hash value must also be encrypted before transmission, see Equation 8:
The encrypted data enc{m} for transmission consists of the following components, see Equation 9:
4.4 Decryption by Receiver
The recipient first verifies the integrity of the received message. For this purpose, we calculate alpha again and compare it with the encrypted version, see Equation 10 and 11:
For the decryption of the message, the factor r is extracted from the two points U1 and E and the factor z is indirectly extracted from the point H, see Equation 12.
Author:
(1) Peter Hillmann, University of the Bundeswehr Munich, Department of Computer Science, Werner-Heisenberg-Weg 39, 85577 Neubiberg, Germany.
This paper is