ECCS: Elliptic Curve Cryptography Cramer Shoup

Question

Introduction

I know how to do Cramer-Shoup with cyclic groups. But how do I do it in elliptic curve cryptography (ECC)?

Cramer-Shoup with cyclic groups

Following was taken from Wikipedia: https://en.wikipedia.org/wiki/Cramer%E2%80%93Shoup_cryptosystem

Key Generation

Alice generates an efficient description of a cyclic group $G$ of order $q$ with two distinct, random generators $g_1, g_2$.
Alice chooses five random values $({x}_{1}, {x}_{2}, {y}_{1}, {y}_{2}, z)$ from $\{0, \ldots, q-1\}$.
Alice computes $c = {g}_{1}^{x_1} g_{2}^{x_2}, d = {g}_{1}^{y_1} g_{2}^{y_2}, h = {g}_{1}^{z}$.
Alice publishes $(c, d, h)$, along with the description of $G, q, g_1, g_2$, as her public key. Alice retains $(x_1, x_2, y_1, y_2, z)$ as her secret key. The group can be shared between users of the system.

Encryption

To encrypt a message $m$ to Alice under her public key $(G,q,g_1,g_2,c,d,h)$,

Bob converts $m$ into an element of $G$.
Bob chooses a random $k$ from $\{0, \ldots, q-1\}$, then calculates:
- $u_1 = {g}_{1}^{k}, u_2 = {g}_{2}^{k}$
- $e = h^k m$
- $\alpha = H(u_1, u_2, e)$, where ''H''() is a universal one-way hash function (or a collision-resistant cryptographic hash function, which is a stronger requirement).
- $v = c^k d^{k\alpha}$
Bob sends the ciphertext $(u_1, u_2, e, v)$ to Alice.

Decryption

To decrypt a ciphertext $(u_1, u_2, e, v)$ with Alice's secret key $(x_1, x_2, y_1, y_2, z)$,

Alice computes $\alpha = H(u_1, u_2, e) \,$ and verifies that ${u}_{1}^{x_1} u_{2}^{x_2} ({u}_{1}^{y_1} u_{2}^{y_2})^{\alpha} = v \,$. If this test fails, further decryption is aborted and the output is rejected.
Otherwise, Alice computes the plaintext as $m = e / ({u}_{1}^{z}) \,$.

The decryption stage correctly decrypts any properly-formed ciphertext, since

$ {u}_{1}^{z} = {g}_{1}^{k z} = h^k \,$, and $m = e / h^k. \,$

If the space of possible messages is larger than the size of $G$, then Cramer–Shoup may be used in a hybrid cryptosystem to improve efficiency on long messages.

Questions

How to convert Cramer-Shoup into ECC?
How do I prove the security of ECC Cramer-Shoup?

Literature

Cramer, Ronald, and Victor Shoup (1998). “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack.” Advances in Cryptology—CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, ed. Hugo Krawczyk. Springer-Verlag, Berlin, 13–25.

Crosspost: https://math.stackexchange.com/questions/3643951/elliptic-curve-public-key-encryption-schemes-cramer-shoup

poncho · Answer 1 · 2020-04-27T15:46:11.080

How to convert Cramer-Shoup into ECC?

Because Cramer-Shoup restricts itself to using only group operations (and never using a single value as both a scalar and a group member), it can translate directly into elliptic curve group operations. What you quoted are the operations listed in multiplicative form, and so:

When the protocol says to select a cyclic group $G$ of order $q$, you'd pick an elliptic curve, with $q$ being the order of the large prime subgroup.
When the protocol specifies $g^x$, this is the point multiplication of $g$ times the scalar $x$, that is, what is more typically written as $x \cdot g = \underbrace{g+g+...+g}_{x\text{ times}}$
When the protocol specifies $gh$, this is point addition of $g$ and $h$, which is more typically written as $g+h$
When the protocol specifies $g/h$, this is point subtraction of $g$ and $h$, which is more typically written as $g-h$

For example, the original has $c = g_1^{x_1} g_2^{x_2}$; this would be understood as (written in additive notation) $c = x_1\cdot g_1 + x_2 \cdot g_2$. That is, you perform the point multiplication of the scalar $x_1$ with the point $g_1$, and you perform the point multiplication of $x_2$ with the point $g_2$, and then you add the two resulting points.

The hardest part would be the conversion of $m$ into an elliptic curve point. Of course, you can avoid the issue entirely if you're doing hybrid crypto (just pick a valid point $m$ randomly, and then use $KDF(m)$ as the transmitted symmetric key). If that doesn't work for your scenario, one alternative method is to encode the value $m$ into some of the bits of the $x$ coordinate, and they try random settings of the remaining bits until you get a valid $x$ coordinate (e.g. if you're using a Weierstrass curve with $p>3$, then $x^3 + ax + b$ is a quadratic residue); then, select the $y$ coordinate from the two possibilities randomly.

How do I prove the security of ECC Cramer-Shoup?

The proof in the original Cramer-Shoup paper assumed that the Decisional Diffie-Hellman problem was hard in the group; as long as you select a curve where that is also hard (pairing friendly curves are not an option), the original proof would apply.