KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited

Jinyong Chang, Rui Xue


An encryption scheme is key-dependent message chosen plaintext attack (KDM-CPA) secure if it remains secure even when an adversary obtains encryptions of messages that depend on the secret key. Few schemes are KDM-CPA secure, let alone key-dependent message chosen ciphertext attack (KDM-CCA) secure. So far, only two general constructions, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009) and Hofheinz (Eurocrypt 2013), are known to be KDM-CCA secure in the standard model. Another scheme, a concrete construction, was recently proposed by Qin, Liu and Huang (ACISP 2013), who obtained a KDM-CCA secure scheme from the classic Cramer-Shoup (CS) cryptosystem w.r.t. a new family of functions. In this paper, we revisit the KDM-CCA security of the CS-scheme and prove that, in the two-user case, the CS-scheme achieves KDM-CCA security w.r.t. richer function ensembles, which covers the result of Qin et al. In addition, we give another proof of the result in (QLH13) by extending the approach used in the two-user case to the n-user case, which achieves a tighter reduction to the decisional Diffie-Hellman (DDH) assumption.
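To make the objects in the abstract concrete, the following Python is an added example (not code from this paper, from Qin, Liu and Huang, or from Cramer and Shoup): it implements the textbook Cramer-Shoup scheme over the order-q subgroup of Z_p^* for a safe prime p = 2q+1, and the KDM oracle of the two-user game, which returns Enc(pk_i, f(sk_j)) for a function f of a secret key. The decryption routine shows the consistency check that gives the scheme its CCA security, and the demo shows that a mauled ciphertext is rejected while key-cyclic and self-referential KDM ciphertexts decrypt to the expected key-dependent values. The affine-in-the-exponent family f(sk) = g1^(a0 + a1*x1 + a2*x2 + a3*y1 + a4*y2 + a5*z), the 64-bit toy group, and all function names (`safe_prime_group`, `kdm_oracle`, `demo`, ...) are assumptions made for this demonstration, not the ensemble the paper analyses.

```python
"""Toy Cramer-Shoup (CS98) plus a key-dependent-message (KDM) oracle.
Added example for this page, not code from Chang-Xue, Qin-Liu-Huang or Cramer-Shoup.
The function family, names and the 64-bit toy group are assumptions for the demo."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3.3e24

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24."""
    if n < 2 or any(n % a == 0 for a in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """p = 2q+1 with p, q prime, and two random generators g1, g2 of the order-q subgroup."""
    q = (1 << (bits - 2)) | 1                    # odd start, so p gets exactly `bits` bits
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    gens = set()
    while len(gens) < 2:                         # x^2 with 2 <= x <= p-2 is a non-identity square
        gens.add(pow(secrets.randbelow(p - 3) + 2, 2, p))
    return (p, q, *gens)

def _alpha(grp, u1, u2, e):
    """alpha = H(u1, u2, e) mod q; fixed-width encoding makes the concatenation unambiguous."""
    p, q, width = grp[0], grp[1], (grp[0].bit_length() + 7) // 8
    digest = hashlib.sha256(b"".join(x.to_bytes(width, "big") for x in (u1, u2, e))).digest()
    return int.from_bytes(digest, "big") % q

def keygen(grp):
    """sk = (x1, x2, y1, y2, z), pk = (c, d, h) = (g1^x1 g2^x2, g1^y1 g2^y2, g1^z)."""
    p, q, g1, g2 = grp
    x1, x2, y1, y2, z = (secrets.randbelow(q) for _ in range(5))
    c, d = pow(g1, x1, p) * pow(g2, x2, p) % p, pow(g1, y1, p) * pow(g2, y2, p) % p
    return (c, d, pow(g1, z, p)), (x1, x2, y1, y2, z)

def encrypt(grp, pk, m):
    """CS98: (u1, u2, e, v) = (g1^r, g2^r, h^r m, c^r d^(r alpha)) for a group element m."""
    p, q, g1, g2 = grp
    c, d, h = pk
    r = secrets.randbelow(q - 1) + 1
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    e = pow(h, r, p) * m % p
    alpha = _alpha(grp, u1, u2, e)
    return u1, u2, e, pow(c, r, p) * pow(d, r * alpha % q, p) % p

def decrypt(grp, sk, ct):
    """Return m, or None when the CCA consistency check u1^(x1+y1 a) u2^(x2+y2 a) = v fails."""
    p, q = grp[0], grp[1]
    x1, x2, y1, y2, z = sk
    if any(not (0 < x < p and pow(x, q, p) == 1) for x in ct):
        return None                                  # a component lies outside the subgroup
    u1, u2, e, v = ct
    a = _alpha(grp, u1, u2, e)
    if pow(u1, (x1 + y1 * a) % q, p) * pow(u2, (x2 + y2 * a) % q, p) % p != v:
        return None                                  # v does not certify that u1, u2 share one r
    return e * pow(u1, (-z) % q, p) % p              # e / u1^z (u1 has order q)

def kdm_message(grp, sk, coeffs):
    """f(sk) = g1^(a0 + a1*x1 + a2*x2 + a3*y1 + a4*y2 + a5*z): a message that depends on sk."""
    p, q, g1, _ = grp
    a0, *a = coeffs
    return pow(g1, (a0 + sum(ai * si for ai, si in zip(a, sk))) % q, p)

def kdm_oracle(grp, users, target, source, coeffs):
    """n-user KDM oracle: Enc(pk[target], f(sk[source])); target != source builds key cycles."""
    return encrypt(grp, users[target][0], kdm_message(grp, users[source][1], coeffs))

def demo(bits=64):
    """Two-user run: round-trip, mauled ciphertext rejected, a 2-key cycle, self-reference."""
    grp = safe_prime_group(bits)
    p, q, g1, _ = grp
    users = [keygen(grp) for _ in range(2)]
    (pk0, sk0), (pk1, sk1) = users
    m = pow(g1, secrets.randbelow(q), p)              # constructed sample message (group element)
    u1, u2, e, v = ct = encrypt(grp, pk0, m)
    z_only, affine = (0, 0, 0, 0, 0, 1), (3, 5, 0, 0, 7, 11)   # f = g1^z and f = g1^(3+5x1+7y2+11z)
    return {
        "roundtrip": decrypt(grp, sk0, ct) == m,
        "mauled_rejected": decrypt(grp, sk0, (u1, u2, e * g1 % p, v)) is None,
        # user 0 encrypts g1^z1 (= user 1's h) and user 1 encrypts g1^z0: a key cycle
        "cycle": decrypt(grp, sk0, kdm_oracle(grp, users, 0, 1, z_only)) == pk1[2]
        and decrypt(grp, sk1, kdm_oracle(grp, users, 1, 0, z_only)) == pk0[2],
        "self_affine": decrypt(grp, sk0, kdm_oracle(grp, users, 0, 0, affine))
        == kdm_message(grp, sk0, affine)}
```

Running `demo()` returns four booleans, all `True`. The mauling test multiplies e by g1; in a plain ElGamal-style scheme that would silently turn the plaintext into m*g1, whereas here the hash alpha changes and the v check fails. Note that the oracle hands the adversary Enc(pk_0, g1^{z_1}) even though g1^{z_1} is user 1's public h: KDM security is about what the adversary can learn when the plaintext is computed from a secret key, not about whether the particular plaintext happens to be public. The 64-bit group exists only so the example runs instantly; anything real needs at least a 2048-bit group or an elliptic-curve group.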


  1. Backes, M., Pfitzmann, B., Scedrov, A. (2008). Key-dependent message security under active attacks - BRSIM/UC-soundness of Dolev-Yao-style encryption with key cycles. Journal of Computer Security. Vol. 16(5), pp. 497-530.
  2. Barak, B., Haitner, I., Hofheinz, D., Ishai, Y. (2010). Bounded key-dependent message security. In EUROCRYPT'10. LNCS, vol. 6110, pp. 423-444. Springer, Heidelberg.
  3. Black, J., Rogaway, P., Shrimpton, T. (2002). Encryption-scheme security in the presence of key-dependent messages. In SAC'02. LNCS, vol. 2595, pp. 62-75. Springer, Heidelberg.
  4. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R. (2008). Circular-secure encryption from decision Diffie-Hellman. In CRYPTO'08. LNCS, vol. 5157, pp. 108-125. Springer, Heidelberg.
  5. Brakerski, Z., Goldwasser, S., Kalai, Y.T. (2011). Black-box circular-secure encryption beyond affine functions. In TCC'11. LNCS, vol. 6597, pp. 201-218. Springer, Heidelberg.
  6. Camenisch, J., Chandran, N., Shoup, V. (2009). A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In EUROCRYPT'09. LNCS, vol. 5479, pp. 351-368. Springer, Heidelberg.
  7. Camenisch, J., Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In EUROCRYPT'01. LNCS, vol. 2045, pp. 93-118. Springer, Heidelberg.
  8. Cash, D., Green, M., Hohenberger, S. (2012). New definitions and separations for circular security. In PKC'12. LNCS, vol. 7293, pp. 540-557. Springer, Heidelberg.
  9. Cramer, R., Shoup, V. (2002). Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT'02. LNCS, vol. 2332, pp. 45-64. Springer, Heidelberg.
  10. Galindo, D., Herranz, J., Villar, J. (2012). Identity-based encryption with master key-dependent message security and leakage-resilience. In ESORICS'12. LNCS, vol. 7459, pp. 627-642. Springer, Heidelberg.
  11. Goldwasser, S., Micali, S. (1984). Probabilistic encryption. J. Comput. Syst. Science. Vol. 28(2), pp. 270-299.
  12. Hofheinz, D. (2013). Circular chosen-ciphertext security with compact ciphertexts. In EUROCRYPT'13. LNCS, vol. 7881, pp. 520-536. Springer, Heidelberg.
  13. Naor, M., Yung, M. (1990). Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC'90. pp. 427-437. ACM.
  14. Qin, B., Liu, S., Huang, Z. (2013). Key-dependent message chosen-ciphertext security of the Cramer-Shoup cryptosystem. In ACISP'13. LNCS, vol. 7959, pp. 136-151. Springer, Heidelberg.
  15. Rackoff, C., Simon, D. (1992). Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In CRYPTO'91. LNCS, vol. 576, pp. 433-444. Springer, Heidelberg.
  16. Roman, R., Alcaraz Tello, C., Lopez, J., Sklavos, N. (2011). Key management systems for sensor networks in the context of the Internet of things. Computers & Electrical Engineering. Vol. 37(2), pp. 147-159.

where $a_t \in \mathbb{Z}_q$ and $a_{i,j,t} \in \mathbb{N}$. Specific to the tailored CS-scheme, we can represent functions from the QLH-ensemble as

Paper Citation

in Harvard Style

Chang J. and Xue R. (2014). KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited. In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014) ISBN 978-989-758-045-1, pages 299-306. DOI: 10.5220/0005048802990306

in Bibtex Style

author={Jinyong Chang and Rui Xue},
title={KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},

in EndNote Style

JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited
SN - 978-989-758-045-1
AU - Chang J.
AU - Xue R.
PY - 2014
SP - 299
EP - 306
DO - 10.5220/0005048802990306