CS818 Module-II

Provable security involves demonstrating the security of a system through mathematical proofs, particularly in cryptography, where the attacker's capabilities are defined by an adversarial model. It emphasizes the need for clear definitions of security goals and complexity assumptions, and it relies on reduction methods to establish security based on hard mathematical problems. The document also discusses various security models, adversarial goals, and specific encryption schemes, highlighting the importance of proving security in a structured manner.

CS818- Module-II

Provable Security

Dr. Modi Chirag N

Provable security
Provable security refers to any type or level of security that can
be proven.
It is used in different ways by different fields. Usually, this refers
to mathematical proofs, which are common in cryptography.
In such a proof, the capabilities of the attacker are defined by
an adversarial model (also referred to as attacker model): the
aim of the proof is to show that the attacker must solve the
underlying hard problem in order to break the security of the
modelled system.
Such a proof does not consider side-channel attacks or other
implementation-specific attacks, because they are usually
impossible to model without implementing the system (and
thus, the proof only applies to this implementation).

03/14/2025 Chirag N. Modi 2


Provable security
Outside of cryptography, the term is often used in conjunction
with secure coding and security by design, both of which can
rely on proofs to show the security of a particular approach.
As with the cryptographic setting, this involves an attacker model
and a model of the system. For example, code can be verified to
match the intended functionality described by a model; this
can be done through static checking.
These techniques are sometimes used for evaluating products:
the security here depends not only on the correctness of the
attacker model, but also on the model of the code.

Provable security
Finally, the term provable security is sometimes used by sellers
of security software that are attempting to sell security
products like firewalls, antivirus software and intrusion
detection systems.
As these products are typically not subject to scrutiny,
many security researchers consider this type of claim to be
selling snake oil.

Provable security- In Cryptography
In cryptography, a system has provable security if its security
requirements can be stated formally in an adversarial model, as
opposed to heuristically, with clear assumptions that the
adversary has access to the system as well as enough
computational resources.
The proof of security (called a "reduction") is that these
security requirements are met provided the assumptions about
the adversary's access to the system are satisfied and some
clearly stated assumptions about the hardness of certain
computational tasks hold.
There are several lines of research in provable security.
One is to establish the 'correct' definition of security for a
given, intuitively understood task.

Provable security- In Cryptography
Another is to suggest constructions and proofs based on
general assumptions as much as possible, for instance the
existence of a one-way function.
A major open problem is to establish such proofs based on P ≠
NP, since the existence of one-way functions is not known to
follow from the P ≠ NP conjecture.
Some security proofs are given in theoretical models
such as the random oracle model, where real cryptographic
hash functions are represented by an idealization.
'Exact security' or 'concrete security' is the name given to
provable security reductions where one quantifies security by
computing precise bounds on computational effort, rather than
an asymptotic bound which is guaranteed to hold for
'sufficiently large' values of the security parameter.
The need for Provable Security
Common approach to evaluate security: cryptanalysis driven
1. Find an interesting cryptographic goal
2. Propose a solution
3. Search for an attack (i.e. a bug)
4. If one is found, go back to step 2.
5. After many iterations... declare it secure.
Problems:
When do we stop?
Results are not always trustworthy
• The Chor-Rivest knapsack scheme took 10 years to be totally
broken!

Provable Security
Define goal of scheme (or adversary)
Define attack model
Give a protocol
Define complexity assumptions (or assumptions on the primitive)
Provide a proof by reduction
Verify proof
Interpret proof

Provable Security-Steps
In provable security, the security is proved via a reduction
method.
For this, first consider a computationally hard underlying
mathematical problem P which is well known to be intractable
by any probabilistic polynomial time algorithm.
Then, provide a polynomial reduction from this mathematical
problem to the problem P’ of breaking the cryptosystem.
Finally, argue that if there exists an algorithm A breaking the
cryptosystem in polynomial time, then we can build a
probabilistic polynomial time algorithm A’ which uses A as a
subroutine to solve P, a contradiction.
Therefore, the scheme is computationally secure.

Provable Security-Steps
Such security proofs in the standard model suffer from poor
efficiency, and hence to date very few practical public key
schemes have been proven secure in the standard model.

Security Notions and Public Key Encryption Schemes

First, review security models in terms of the adversarial goals
and the adversarial capabilities.
Then, define what security actually means, in order to decide
whether a scheme is secure.
In this respect, investigate public key encryption schemes,
including the Cramer-Shoup encryption scheme, which is the
first efficient and practical scheme proven to be secure against
adaptive chosen ciphertext attacks in the standard model.

Public Key Encryption Scheme
A public key encryption scheme is a tuple of probabilistic
polynomial time algorithms Π = (Gen, Enc, Dec) such that:
The key generation algorithm Gen takes as input the security
parameter and outputs a pair of public and secret keys (pk, sk).
The encryption algorithm Enc takes as input a public key pk and
a message m from some underlying plaintext message space.
It outputs a ciphertext c, i.e., c = Enc_pk(m).
The decryption algorithm Dec takes as input (sk, c) and outputs
a message m or ⊥. We denote it by m = Dec_sk(c).
Enc may be probabilistic but Dec must be deterministic, and for
any encryption scheme to be valid it is required that
Dec_sk(Enc_pk(m)) = m holds.

Success Probability of The Adversary
A cryptographic scheme is secure if the success probability of
an adversary trying to break the scheme is small. This notion is
captured by negligible functions.
A function ε : N → R+ ∪ {0} is negligible if for every positive
polynomial p there exists an integer k_p such that for all n > k_p
we have ε(n) < 1/p(n).
In other words, a negligible function approaches zero faster
than the inverse of any polynomial. Such a function is denoted by
negl.

Security Models
In cryptography, there are several adversarial goals and
capabilities.
When we talk about the security of a cryptographic scheme,
we need to define them clearly.
As the goal becomes more difficult or as the capabilities are
more limited, the security proof becomes easier.
First, we look at some adversarial goals and the capabilities
related to them, then give proof techniques for some public key
encryption schemes in the standard model.

Adversarial Goals - One-Wayness
This is a weak kind of adversarial goal where the purpose of the
adversary is to reveal the whole plaintext m of a particular
ciphertext c.
However, this is an extremely weak notion of security, because
revealing almost all of the plaintext counts as unsuccessful
under this definition, whereas in almost all systems revealing
the plaintext partially is considered a success.
This goal is defined via a game between the adversary
and the challenger as follows:

Indistinguishability
This goal focuses on keeping the entire plaintext information
secret and it is the most popular adversarial goal.
In this goal, the adversary selects two plaintexts of his choice
and sends them to a hypothetical challenger who has the
secret key.
The challenger randomly selects one of the messages, encrypts
it and sends the challenge ciphertext back to the adversary.
Here, the goal of the adversary is to find out which of the
plaintexts has been selected by the challenger.

Indistinguishability
Note that the encryption algorithm has to be probabilistic,
although the decryption algorithm is always deterministic.
Otherwise, the adversary could encrypt both plaintexts
that he has chosen and compare the resulting ciphertexts
with the challenge one, which would be a trivial solution.
Indistinguishability means that a ciphertext gives semantically
no information about the plaintext.
In other words, whatever a passive adversary can compute
about m given the challenge ciphertext c, he can also compute
without c. This is why it is also called semantic security.

Indistinguishability
A public key encryption scheme Π = (Gen, Enc, Dec) is IND-secure
against chosen plaintext attacks if for all probabilistic
polynomial time adversaries A, there exists a negligible
function such that

Malleability
The notion of malleability was introduced by Naor et al.
The goal: an adversary A who observes a ciphertext c of a
plaintext m should not be able to deliberately modify it and
obtain a valid ciphertext c’ of a plaintext m’ which is related
to m, where this relation is known by the adversary.

Adversarial Capabilities and IND-Games
There are several possible capabilities of an attacker in the
public key setting, depending on the availability of the
decryption oracle.
A decryption oracle is a hypothetical black box that is presented
to the attacker so that it can make decryption queries of its
own choice and get the corresponding plaintexts.
This captures the possible real-life attacks by attackers
who have gained temporary access to the decryption oracle.
In this respect, there are three types of decryption oracle
access:

Adversarial Capabilities and IND-Games
CPA (Chosen Plaintext Attack): if there is no decryption oracle
access at all, we call this a chosen plaintext attack.
CCA1 (Non-adaptive Chosen Ciphertext Attack, or lunchtime
attack): Adversary A can access the decryption oracle until it
sees the ciphertext it needs to break.
CCA2 (Adaptive Chosen Ciphertext Attack): Adversary A always
has access to the decryption oracle, but querying the ciphertext
it needs to break is prohibited.
Security against adaptive chosen ciphertext attacks is the most
widely accepted security notion.

Computational Security and Reductions
Most of the security proofs in the literature are in the form of a
reduction.
Typically, a mathematically hard problem M is reduced to
breaking the scheme S that is claimed to be provably secure.
Existence of such a reduction implies that the problem of
breaking the scheme S is as hard as M.
This implication stems from the following contradiction
argument: if there exists a polynomial time algorithm A that
breaks the scheme S, then due to this reduction one may
construct a polynomial time algorithm B which uses A as a
subroutine to solve M, which is assumed to be impossible.

Computational Security and Reductions

Provable Security: Not really proving a scheme secure, but
showing a reduction from the security of the scheme to the
security of the underlying assumption (or primitive).

Security Analysis of PKC Schemes
RSA Encryption Scheme
Rabin Encryption Scheme
Goldwasser-Micali Encryption Scheme
ElGamal Encryption Scheme
Cramer-Shoup Encryption Scheme

Security Analysis of PKC Schemes
The set of integers {0, 1, 2, ..., N − 1} is defined as the integers
mod N and denoted by ZN.
The multiplicative group of ZN is Z∗N = {a ∈ ZN | gcd(a, N) = 1}

RSA Encryption Scheme
Rivest, Shamir and Adleman proposed this scheme based on the
trapdoor one-way permutation property of the RSA function.
The key generation algorithm produces a large composite
number N = p · q, where p and q are primes,
a public key e and a private key d such that e · d = 1 mod φ(N) is
satisfied.
The encryption of a message m from Z∗N is an element
of Z∗N, namely c = m^e mod N.
One finds m using the secret key d by computing m = c^d mod N.

RSA Problem
Let N = p · q where p and q are prime numbers.
Let e be an integer relatively prime to φ(N).
The RSA problem states that for a given y ∈ Z∗N, compute the
e-th root of y, namely x such that y = x^e mod N.
If the factorization of N is known, then the RSA problem can be
easily solved.

RSA Assumption
Given N = p · q, the RSA problem is intractable.
This encryption scheme is one-way secure due to the RSA
problem.
Since RSA encryption is deterministic, it does not satisfy the
IND-CPA security notion (i.e., it is not semantically secure).
This is because, given the challenge ciphertext c of either m0 or
m1, the adversary A simply computes c0 = m0^e mod N
and c1 = m1^e mod N and compares the resulting ciphertexts with
the challenge one.
The RSA encryption scheme is also vulnerable to a chosen
ciphertext attack.

RSA Assumption
If an adversary A gets the challenge ciphertext c = m^e mod N, he
can choose a random element r from Z∗N and compute the
modified ciphertext c’ = r^e · c mod N.
Since c’ is different from the challenge, A asks the decryption
oracle for it, the oracle gives the decryption m’ of this ciphertext,
and A then recovers m = m’ · r^(−1) mod N.
The scheme is malleable: suppose the adversary A gets the
challenge ciphertext c = m^e mod N. Then he is able to generate,
for example, c’ = 2^e · c such that the underlying plaintexts
satisfy the relation m’ = 2m. This holds because
(c’)^d = (2^e · m^e)^d = 2^(ed) · m^(ed) = 2 · m mod N.

Rabin Encryption Scheme
Breaking a cryptographic scheme is not necessarily equivalent
to solving the underlying mathematically hard problem.
Rabin’s scheme is a counterexample to this.
If we know the factorization of N, then we can invert the RSA
function, and nobody can invert it without knowing p and
q, i.e., the RSA problem is polynomially reduced to factoring.
It is conjectured that there is no effective way except
factorization to find e-th roots modulo N.
Rabin proposed an encryption function that could be proved to
be invertible only by someone who could factor N.

Rabin Encryption Scheme
This system is similar to RSA: the ciphertext c is produced by
squaring the plaintext m modulo N, i.e.,
c = m^2 mod N
where N = p · q and the squaring map is 4-to-1. So, the Rabin
receiver finds all four square roots of a ciphertext c.
The most important fact about the Rabin encryption scheme is that
it is in some sense provably secure by a reductionist argument,
meaning that if someone breaks the scheme and finds the
plaintext m from a ciphertext c, then he is able to factor N.

Rabin Encryption Scheme
It is the first public key encryption scheme to be proposed with
a reductionist security argument.
Since it is a deterministic encryption, it does not satisfy the
IND-CPA security notion.
Like RSA encryption, it is also vulnerable to chosen ciphertext
attacks: namely, if an adversary gets the decryption m of a
ciphertext of his choice, he is able to factor N.

Goldwasser-Micali Encryption Scheme
Goldwasser and Micali introduced probabilistic encryption and
proposed a scheme which was proven secure in the sense of
semantic security assuming the intractability of the quadratic
residuosity problem, which is defined as follows:
Given N = p · q where p, q are primes and a ∈ Z∗N with Jacobi
symbol (a/N) = +1, decide whether a is a quadratic residue mod N.
We note that a ∈ Z∗N is said to be a quadratic residue modulo
N if there exists an x ∈ Z∗N such that x^2 ≡ a mod N, and x is a
square root of a mod N.
We recall that if a ∈ Z∗N is a quadratic residue, then the Jacobi
symbol, denoted (a/N), is +1; otherwise it is −1.
Given a and N (with unknown factorization), it is possible to
compute the Jacobi symbol of a in polynomial time.
Goldwasser-Micali Encryption Scheme
The Goldwasser-Micali encryption scheme works on bits.
To encrypt m ∈ {0, 1}, one first selects a quadratic non-residue y
∈ ZN satisfying (y/N) = +1.
Then, choosing a random value r ∈ Z∗N, one produces
the ciphertext
c = y^m · r^2 mod N.
Using the factors of N = p · q, the receiver decides the plaintext m
is 0 if c is a square, otherwise it must be 1.
Although the Goldwasser-Micali encryption scheme is the first
probabilistic encryption scheme satisfying semantic security,
it is not efficient because of ciphertext expansion.

Goldwasser-Micali Encryption Scheme
There is a simple reduction from breaking this cryptosystem to
the problem of determining whether a random value
modulo N with Jacobi symbol +1 is a quadratic residue.
If an algorithm A breaks the cryptosystem, then to determine if
a given value x is a quadratic residue modulo N,
we test A to see if it can break the cryptosystem using (x,N) as a
public key.
If x is a non-residue, then A should work properly.
However, if x is a residue, then every "ciphertext" will simply be
a random quadratic residue, so A cannot be correct more than
half of the time.

Goldwasser-Micali Encryption Scheme
The GM cryptosystem has a homomorphic property, in the
sense that if c0, c1 are the encryptions of bits m0, m1,
then c0 · c1 mod N will be an encryption of m0 ⊕ m1.
For this reason, the GM cryptosystem is sometimes used in
more complex cryptographic primitives.
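As an added example (not from the slides), here is a toy Python implementation of the Goldwasser-Micali bit encryption described above: the Jacobi symbol computed without the factorization, a non-residue y with (y/N) = +1, encryption c = y^m · r^2 mod N, decryption with the factors, and a check of the c0 · c1 XOR homomorphism. The modulus N = 61 · 53, the randomness and the function names are constructed for this example.

```python
import random
from math import gcd

# Goldwasser-Micali bit encryption (constructed example with toy primes
# p = 61, q = 53; nothing here is sized for real use).

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed in polynomial time
    without knowing the factorization of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def gm_keygen(p: int = 61, q: int = 53, rng=random.SystemRandom()):
    """Public key (N, y): y is a non-residue mod N with Jacobi symbol +1,
    i.e. a non-residue modulo both p and q. Secret key: the factors."""
    n = p * q
    while True:
        y = rng.randrange(2, n)
        if jacobi(y, p) == -1 and jacobi(y, q) == -1:
            return (n, y), (p, q)

def gm_encrypt(pk, m: int, rng=random.SystemRandom()) -> int:
    """c = y^m * r^2 mod N for a random unit r; the fresh r makes the
    scheme probabilistic (two encryptions of the same bit differ)."""
    n, y = pk
    r = rng.randrange(2, n)
    while gcd(r, n) != 1:
        r = rng.randrange(2, n)
    return pow(y, m, n) * pow(r, 2, n) % n

def gm_decrypt(sk, c: int) -> int:
    """c is a square mod N iff it is a square mod p, which the holder of
    the factors checks with Euler's criterion c^((p-1)/2) = 1 mod p."""
    p, _q = sk
    return 0 if pow(c, (p - 1) // 2, p) == 1 else 1

def gm_xor(pk, c0: int, c1: int) -> int:
    """Homomorphism: c0 * c1 = y^(m0+m1) * (r0*r1)^2 encrypts m0 XOR m1,
    because y^2 is itself a square and so contributes nothing."""
    n, _y = pk
    return c0 * c1 % n

def demo_homomorphism(pk, sk) -> bool:
    """True iff decrypt(c0 * c1) == m0 XOR m1 holds for every bit pair."""
    return all(
        gm_decrypt(sk, gm_xor(pk, gm_encrypt(pk, m0), gm_encrypt(pk, m1))) == m0 ^ m1
        for m0 in (0, 1) for m1 in (0, 1)
    )
```

Every ciphertext has Jacobi symbol +1 whatever the bit, so an observer without the factors learns nothing from the symbol alone.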

ElGamal Encryption Scheme
The discrete logarithm problem is defined as follows: let G be a
finite, multiplicative group of order q with a generator g.
The DLP asks for x, given a group element h = g^x.
The Discrete Logarithm Assumption: the DLP is intractable in
the underlying group G. For any polynomial time adversary A,
the probability that A recovers x from h = g^x is negligible.
The computational Diffie-Hellman problem is defined as
follows: let G be a finite, multiplicative group of order q
with a generator g. Given two elements g^x and g^y of G, it is
required to find g^(xy).

ElGamal Encryption Scheme
The Computational Diffie-Hellman Assumption:
the CDH problem is intractable in the underlying group G.
The decisional Diffie-Hellman problem is the following: let G
be a finite, multiplicative group of order q with a generator g.
Given three elements (g^x, g^y, g^z) of G, it is asked to decide
whether xy = z mod q.
The Decisional Diffie-Hellman Assumption: the DDH problem
is computationally hard in the underlying group G.
This assumption can also be represented in terms of
probabilities as follows: let D be a polynomial time algorithm
which is designed for deciding whether a three-tuple is a DDH
tuple, and let

ElGamal Encryption Scheme
where x, y, and z are selected randomly from Zq, be defined as
the advantage of D in distinguishing the DDH tuple distribution
from a random one.
The DDH assumption states that this advantage is negligible.
The three assumptions are related to each other as follows: if
there exists a polynomial time algorithm A solving the DLP with
non-negligible probability, then using this algorithm as a
subroutine one can construct an efficient algorithm B for the CDH
problem, and moreover, running B as a subroutine, there exists
an algorithm C for the DDH problem which solves it in a polynomial
amount of time.
Hence, we can conclude that the DDH assumption is the strongest
one.

ElGamal Encryption Scheme
We review the ElGamal encryption scheme, whose security is
based on the DLP.
Let G be a finite cyclic group of order q with generator g.
The secret and the public keys are x and y = g^x, respectively.
To encrypt m ∈ G, the sender chooses a random r ∈ Zq and
produces the ciphertext
c = (c1, c2) = (g^r, y^r · m).
The receiver gets m by calculating c2 / c1^x.
We note that it is hard to find x given y = g^x under the discrete
logarithm assumption, but this does not guarantee security in
the semantic sense.

ElGamal Encryption Scheme
If we work in groups such as Z∗p for a prime p, where the
DLP holds, then there exists a polynomial time adversary
violating the semantic security as follows:
The adversary selects two messages m0 and m1 of equal length
such that one of them is a quadratic residue and sends them to
the challenger.
Given the challenge ciphertext c = (c1, c2) where c1 = g^r and c2
= y^r · mb, it is easy to distinguish which m was chosen.
If c1 or y is a quadratic residue, then r or x must be
even, hence y^r is also a quadratic residue. Thus, upon receiving
c2, one can determine whether mb is a quadratic residue.

ElGamal Encryption Scheme
If y^r is not a residue but c2 is a residue, then mb is also a
non-residue.
Hence, the semantic security of the scheme fails under the
discrete logarithm assumption alone.
Under the DDH assumption, the ElGamal encryption scheme is
semantically secure.
The proof uses the reductionist argument: assuming there
exists a polynomial time adversary A breaking the scheme, we
can construct a polynomial time algorithm B using A as a
subroutine to solve the DDH problem, which is a contradiction
under the DDH assumption; hence we conclude that this scheme
is semantically secure.
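An added Python example, not part of the slides, that turns the IND-CPA game into code and plays it against two schemes discussed above: textbook RSA, where the re-encryption adversary described under the RSA assumption wins, and ElGamal over the full group Z∗p, where the quadratic-residue adversary just described wins. The toy parameters (N = 61 · 53, p = 1019, g = 2) and the harness names are assumptions of this example.

```python
import random
from dataclasses import dataclass
from typing import Any, Callable, Tuple

# Toy IND-CPA game (constructed example): the adversary picks (m0, m1), the
# challenger encrypts m_b for a random bit b, and the adversary guesses b.
# All parameters are far too small for real use.

@dataclass
class Scheme:
    keygen: Callable[[], Tuple[Any, Any]]      # () -> (pk, sk)
    enc: Callable[[Any, int], Any]             # (pk, m) -> c
    dec: Callable[[Any, Any], int]             # (sk, c) -> m

@dataclass
class Adversary:
    choose: Callable[[Any], Tuple[int, int]]           # pk -> (m0, m1)
    guess: Callable[[Any, Tuple[int, int], Any], int]  # (pk, (m0, m1), c) -> b'

def ind_cpa_advantage(scheme: Scheme, adv: Adversary, trials: int = 200,
                      rng: random.Random = random.SystemRandom()) -> float:
    """Play the IND-CPA game `trials` times and return |Pr[b' = b] - 1/2|.
    IND-CPA security demands a negligible value; 0.5 means the adversary
    guessed b correctly every single time."""
    wins = 0
    for _ in range(trials):
        pk, _sk = scheme.keygen()
        m0, m1 = adv.choose(pk)
        b = rng.randrange(2)
        c = scheme.enc(pk, (m0, m1)[b])
        wins += int(adv.guess(pk, (m0, m1), c) == b)
    return abs(wins / trials - 0.5)

# --- Textbook RSA with the classic toy key N = 61 * 53, e = 17, d = 2753 ---
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)

TEXTBOOK_RSA = Scheme(
    keygen=lambda: ((RSA_N, RSA_E), (RSA_N, RSA_D)),
    enc=rsa_enc,
    dec=lambda sk, c: pow(c, sk[1], sk[0]),
)

# Deterministic encryption: re-encrypt m0 under pk and compare with the
# challenge, exactly the adversary described for textbook RSA.
RSA_REENCRYPT_ADV = Adversary(
    choose=lambda pk: (2, 3),
    guess=lambda pk, ms, c: 0 if rsa_enc(pk, ms[0]) == c else 1,
)

# --- ElGamal over the full group Z_p^*, p = 1019 = 2*509 + 1, g = 2 ---
# 1019 = 3 (mod 8), so 2 is a non-residue and therefore a generator of Z_p^*.
EG_P, EG_G = 1019, 2

def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) in {+1, -1} for a in Z_p^* (Euler's criterion)."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def eg_keygen(rng=random.SystemRandom()):
    x = rng.randrange(1, EG_P - 1)
    return pow(EG_G, x, EG_P), x            # (pk = y = g^x, sk = x)

def eg_enc(y, m, rng=random.SystemRandom()):
    r = rng.randrange(1, EG_P - 1)
    return pow(EG_G, r, EG_P), pow(y, r, EG_P) * m % EG_P   # (g^r, y^r * m)

def eg_dec(x, c):
    c1, c2 = c
    return c2 * pow(pow(c1, x, EG_P), -1, EG_P) % EG_P      # c2 / c1^x

ELGAMAL_ZP = Scheme(keygen=eg_keygen, enc=eg_enc, dec=eg_dec)

def eg_qr_guess(y, ms, c):
    """g is a non-residue, so y^r is a residue iff x or r is even, i.e. iff
    y or c1 is a residue. The symbol is multiplicative, so
    (c2/p) = (y^r/p) * (m_b/p) reveals whether m_b is a residue."""
    c1, c2 = c
    yr_sym = 1 if legendre(y, EG_P) == 1 or legendre(c1, EG_P) == 1 else -1
    mb_sym = legendre(c2, EG_P) * yr_sym
    return 0 if mb_sym == legendre(ms[0], EG_P) else 1

# m0 = 4 = 2^2 is a residue, m1 = 2 is not: the pair the attack needs.
ELGAMAL_QR_ADV = Adversary(choose=lambda y: (4, 2), guess=eg_qr_guess)
```

The same harness accepts any scheme that fits the `Scheme` interface, so a prime-order subgroup variant of ElGamal can be plugged in to see the quadratic-residue adversary drop to advantage near zero.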

ElGamal Encryption Scheme
The input to B is (G, q, g1, g2, g3, g4), where (g1, g2) is the
public key.
B gives the public key to A and asks for messages (m0, m1)
of equal length.
B selects a bit b ∈ {0, 1} randomly, produces the challenge
ciphertext c = (g3, g4 · mb) and runs A(pk, c) to obtain a guess
b’ for b.
Finally, B outputs 1 if and only if b = b’.
Since the DDH assumption holds in G and B is a PPT algorithm,
we have

ElGamal Encryption Scheme
If the input to B is a DDH tuple, then we have
g2 = g1^x, g3 = g1^r and g4 = g1^(xr) = g2^r for some x, r ∈ Zq.
But this is exactly the ElGamal encryption scheme in real life, so
B outputs 1 if and only if A succeeds in breaking the scheme.
To complete the proof, we consider the case where the input
to B is a random tuple.
In this case, g4 is uniformly distributed in G and it is
independent of g1, g2 and g3. So the second component given
to A is uniformly distributed in G and independent of m.
Thus, A has no information about b; therefore, there is no way
other than guessing, with success probability 1/2.
ElGamal Encryption Scheme
Like the RSA and Rabin encryption schemes, the ElGamal encryption
scheme is also vulnerable to adaptive chosen ciphertext
attacks.
When the adversary A gets the challenge ciphertext c = (c1, c2),
he can modify it by randomly selecting m’ and computing c’ = (c1,
c2 · m’).
Since this is different from the challenge, he can ask the
decryption oracle for it, and by dividing the returned answer by m’
he gets the plaintext m.

Cramer-Shoup Encryption Scheme
The Cramer-Shoup public key encryption scheme is the first
efficient scheme proven to be secure against adaptive chosen
ciphertext attacks under the DDH assumption in the standard
model.
It is an extension of the ElGamal encryption scheme.

Cramer-Shoup Encryption Scheme
Let G be a finite, cyclic group of prime order q, meaning that
every element of G except the identity is a generator.
Let (g1, g2) be two generators and (x, y) be the secret keys
randomly chosen from Zq.
The public key is h = g1^x · g2^y.
To encrypt m ∈ G, one randomly chooses r ∈ Zq and computes
the ciphertext:
c = (u, v, e) = (g1^r, g2^r, h^r · m).
The receiver with secret key (x, y) decrypts c as follows:
e / (u^x · v^y) = h^r · m / ((g1^r)^x · (g2^r)^y)
= h^r · m / (g1^x · g2^y)^r
= m.

Cramer-Shoup Encryption Scheme
If the DDH assumption holds in G, then the modified ElGamal
scheme is secure against a CPA attacker.
Proof: We use the reductionist argument: if there
exists a polynomial time attacker A breaking the semantic
security of the modified scheme with non-negligible probability,
then we can construct a polynomial time algorithm B which is
able to break the DDH assumption by distinguishing a DDH
tuple from a random one.
B is given (g1, g2, g3, g4) as input.
x, y ∈ Zq are chosen randomly, h = g1^x · g2^y is set as the public
key and (g1, g2, h) is given to A.
A chooses (m0, m1) of equal length and sends them to B.
B selects one of them, namely mb, produces the challenge
ciphertext (u, v, e) = (g3, g4, g3^x · g4^y · mb) and sends it back to A.
Cramer-Shoup Encryption Scheme
A guesses a bit b’ for b.
If b’ = b, then we decide that (g1, g2, g3, g4) is a DDH tuple,
otherwise a random one.
If the input to B is a DDH tuple, then A’s view is the same as in
the real attack game, i.e., there exist α, r ∈ Zq such that
(g1, g2, g3, g4) = (g1, g1^α, g1^r, g1^(αr) = g2^r) holds.
Hence, the success probability of A in breaking the scheme is
directly related to the DDH assumption, which is supposed to be
intractable.
If the input to B is a random tuple, then b is information-theoretically
hidden from the view of A and the scheme becomes a one-time
pad encryption, hence the success probability is nothing but
1/2 plus a negligible probability.

Cramer-Shoup Encryption Scheme
Assume B gets a random tuple.
Then there exist α, β, r randomly chosen from Zq
such that the input (g1, g2, g3, g4) to B becomes
(g1, g2 = g1^α, g3 = g1^r, g4 = g1^β).
Put another way, there exist r, r’ ∈ Zq with r ≠ r’ such that
g3 = g1^r and g4 = g2^(r’).
Given the public key (g1, g2, h), it is easily seen that there are
exactly q possible pairs (x, y) that could have been chosen as the
secret key.
Indeed, we have log_g1 h = x + αy.
We observe that for every x ∈ Zq, there is a unique y ∈ Zq
satisfying this equation.
So, there are exactly q solutions due to the group order.
Cramer-Shoup Encryption Scheme
Let us consider µ = g3^x · g4^y, where µ is an arbitrary group
element.
By a similar argument, we have log_g1 µ = r · x + r’ · α · y.
We see that these two equations form a system of linear equations
which has a unique solution in (x, y).
But µ is an arbitrary group element, so each possible value for µ
is equally possible, meaning that A cannot guess g3^x · g4^y with
non-negligible probability.
It behaves like a one-time pad encryption.

Cramer-Shoup Encryption Scheme
Reduced Cramer-Shoup Encryption
Full Cramer-Shoup Encryption

Reduced Cramer-Shoup Encryption
It is provably secure against non-adaptive chosen ciphertext
attacks under the DDH assumption; however, it is insecure
against CCA2 attackers.
Let (g1, g2) be two generators of the group G and (x, y, a, b) be
the secret key randomly chosen from Zq.
The public key is (h, c) = (g1^x · g2^y, g1^a · g2^b).
To encrypt m ∈ G, one randomly chooses r ∈ Zq and computes
the ciphertext:
(u, v, e, w) = (g1^r, g2^r, h^r · m, c^r).
On receiving a ciphertext (u, v, e, w), there is a
checking mechanism: the receiver checks whether w =
u^a · v^b. If so, the output is e / (u^x · v^y), else ⊥.

Reduced Cramer-Shoup Encryption
Under the DDH assumption, the scheme is IND-CCA1 secure.
If there exists a polynomial time attacker A breaking the
semantic security of the reduced Cramer-Shoup scheme with a
non-negligible success probability, then we can construct a
polynomial time algorithm B which is able to break the DDH
assumption by distinguishing a DDH tuple from a random one.
The important difference is that A has access to the decryption
oracle and is allowed to make polynomially many queries until
getting the challenge ciphertext.
B is given (g1, g2, g3, g4) as input, which is either a DDH tuple
or a random tuple.
A chooses (m0, m1) of equal length and sends them to B.
B selects one of them, namely mb, produces the challenge
ciphertext (g3, g4, g3^x · g4^y · mb, g3^a · g4^b) and sends it to A.
Reduced Cramer-Shoup Encryption
Then A guesses a bit b’ for b.
Finally, if b’ = b, then (g1, g2, g3, g4) is a DDH tuple, otherwise
a random one.
If the input to B is a DDH tuple, then A’s view is the same as in
the real encryption scheme.
If (g1, g2, g3, g4) is a DDH tuple, we can write g3 = g1^r and g4
= g2^r for a randomly selected r ∈ Zq.
Hence, the success probability of A in breaking the scheme is
directly related to the DDH problem, which is supposed to be
intractable.

Reduced Cramer-Shoup Encryption
If the input to B is a random tuple, then b is information-theoretically
hidden from the view of A and the scheme becomes a one-time
pad encryption, hence the success probability of A guessing the
true b is about 1/2 plus some negligible probability.
For CCA2, it is not secure:
On receiving the challenge ciphertext (g3, g4, g3^x · g4^y · mb, g3^a ·
g4^b), A computes log_g1 w = a · log_g1 g3 + b · log_g1 g4,
and from the public key c, A learns that log_g1 c = a + b · log_g1 g2.
From these, A theoretically learns (a, b).
Then, in particular, A makes a query of the form
(g1^r, g2^(r’), e, (g1^r)^a · (g2^(r’))^b), the oracle returns m, and thus we have:

Reduced Cramer-Shoup Encryption
log_g1 (e/m) = x · r + y · r’ · log_g1 g2. From the public key h, A learns
that log_g1 h = x + y · log_g1 g2.
A can compute the values of (x, y) and finally decrypt the
challenge ciphertext.

Full Cramer-Shoup Encryption
In order to make the scheme provably secure against adaptive
chosen ciphertext attacks in the standard model, a public
collision-resistant hash function H which hashes arbitrary
length strings to Zq is used.
Encryption:
pk = (g1, g2, h = g1^x · g2^y, c = g1^a · g2^b, d = g1^(a’) · g2^(b’), H)
sk = (x, y, a, b, a’, b’)
To encr
ypt m, we choose a random r ∈ Zq and set the
ciphertext c = (g1^r, g2^r, h^r · m, (c · d^α)^r)
where α = H(g1^r, g2^r, h^r · m).

Full Cramer-Shoup Encryption
Decryption:
To decrypt a ciphertext c = (u, v, e, w), there is a
checking mechanism: if u^(a+αa’) · v^(b+αb’) = w, where α = H(u, v, e),
then the ciphertext is valid.
The output is then e / (u^x · v^y), else ⊥.
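An added Python example (not the slides' or the original authors' code) of the full Cramer-Shoup scheme as just described, over the order-q subgroup of Z∗p for a safe prime p = 2q + 1 found by a deterministic search, with H instantiated as SHA-256 reduced mod q. It also shows that the ElGamal-style tampering described above (multiplying the e component by m’) is rejected by the checking mechanism. All parameters and helper names are constructed for this example.

```python
import hashlib
import random

# Full Cramer-Shoup over the order-q subgroup of quadratic residues in Z_p^*,
# with p = 2q + 1 a safe prime (constructed example; parameters are far smaller
# than anything deployable and exist only to make the algebra visible).

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> int:
    """Smallest p >= start with both p and q = (p - 1) / 2 prime."""
    q = start // 2
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

P = safe_prime_from(1 << 62)
Q = (P - 1) // 2
G1, G2 = pow(2, 2, P), pow(3, 2, P)   # squares, hence generators of the order-q group

def H(u: int, v: int, e: int) -> int:
    """The public hash H: (u, v, e) -> Z_q, instantiated as SHA-256 mod q."""
    data = b"|".join(str(t).encode() for t in (u, v, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(rng=random.SystemRandom()):
    """sk = (x, y, a, b, a', b'); pk = (h, c, d), generators G1, G2 implicit."""
    x, y, a, b, a2, b2 = (rng.randrange(Q) for _ in range(6))
    h = pow(G1, x, P) * pow(G2, y, P) % P
    c = pow(G1, a, P) * pow(G2, b, P) % P
    d = pow(G1, a2, P) * pow(G2, b2, P) % P
    return (h, c, d), (x, y, a, b, a2, b2)

def encrypt(pk, m: int, rng=random.SystemRandom()):
    """m must be an element of the subgroup (a square mod p)."""
    h, c, d = pk
    r = rng.randrange(1, Q)
    u, v = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    alpha = H(u, v, e)
    w = pow(c * pow(d, alpha, P) % P, r, P)          # (c * d^alpha)^r
    return u, v, e, w

def decrypt(sk, ct):
    """Returns m, or None (the slides' bottom symbol) when the check
    u^(a + alpha a') * v^(b + alpha b') = w fails."""
    x, y, a, b, a2, b2 = sk
    u, v, e, w = ct
    alpha = H(u, v, e)
    check = pow(u, (a + alpha * a2) % Q, P) * pow(v, (b + alpha * b2) % Q, P) % P
    if check != w:
        return None
    return e * pow(pow(u, x, P) * pow(v, y, P) % P, -1, P) % P   # e / (u^x v^y)

def elgamal_style_tamper(ct, m_prime: int):
    """The multiply-e-by-m' modification that works against plain ElGamal."""
    u, v, e, w = ct
    return u, v, e * m_prime % P, w
```

Because α = H(u, v, e) changes as soon as e is altered, the tampered ciphertext fails the check except with probability about 1/q, which is exactly the rejection the CCA2 proof relies on.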
Under the DDH assumption, the Full Cramer-Shoup encryption
scheme is secure against adaptive chosen ciphertext attacks in
the standard model.
Proof: Given a PPT algorithm A attacking the scheme with
non-negligible success probability, we construct an adversary B
violating the DDH assumption as follows:

Full Cramer-Shoup Encryption
B is given (g1, g2, g3, g4) as an input.
The algorithm selects (x, y, a, b, a’, b’) from Zq and sets
(g1, g2, h = g1^x · g2^y, c = g1^a · g2^b, d = g1^(a’) · g2^(b’), H) as the
public key.
Then it runs A to produce (m0, m1) of equal length.
B selects a bit b and gives the challenge ciphertext (u, v, e, w) =
(g3, g4, g3^x · g4^y · mb, g3^(a+αa’) · g4^(b+αb’)), where α = H(u, v, e).
Then A guesses a bit b’ for b.
Finally, B outputs 1 if and only if b = b’.
As discussed earlier, if B is given a DDH tuple, then A’s view
is the same as in an execution of the real full Cramer-Shoup
encryption scheme.

Full Cramer-Shoup Encryption
Hence, we show that if B is given a random tuple, then the bit b
is information-theoretically hidden from A’s view, so A has no
information about the bit chosen by B.
From the public key, A learns
log_g1 c = a + b · log_g1 g2 and
log_g1 d = a’ + b’ · log_g1 g2.
We write g3 = g1^r, g4 = g2^(r’) and, when given the challenge
ciphertext, denoted by
(g3, g4, e∗ = g3^x · g4^y · mb, w∗ = g3^(a+αa’) · g4^(b+αb’)),
A learns
log_g1 w∗ = (a + α · a’) · r + (b + α · b’) · log_g1 g2 · r’.

Full Cramer-Shoup Encryption
Hence, we have three cases to consider for the
decryption oracle queries.
We also note that it is not allowed to query the challenge
ciphertext to the oracle.
If (u, v, e) = (u∗, v∗, e∗) and w ≠ w∗, then the query is
always rejected because of the checking mechanism.
If (u, v, e) ≠ (u∗, v∗, e∗) but the hash values are the same,
this happens with negligible probability because of the collision
resistance of H.
If α’ = H(u, v, e) ≠ H(u∗, v∗, e∗) = α, then, with a careful
analysis, we have more unknowns than linear equations in
these unknowns.

Provable Security for Signature Schemes
(Authentication)
Goal: The adversary wins if it forges a valid message-signature
pair without the private key.
The adversary does a good job (or the scheme is insecure)
if, given the verification key kv,
it outputs a pair (m’, σ’) of a message and its signature such that
the following probability is large:
Pr [Vf(kv, m’, σ’) = 1]

Possible Attack Models
No-Message Attack (NKA): the adversary only knows the
verification key.
Known-Message Attack (KMA): the adversary also has access to a
list of message/signature pairs.
Chosen-Message Attack (CMA): the adversary can choose the
messages for which he gets to see the message/signature pairs.
Strongest attack???
