Victor Shoup
New York University
Publications
Featured research published by Victor Shoup.
international cryptology conference | 1998
Ronald Cramer; Victor Shoup
A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.
Archive | 2005
Victor Shoup
Table of contents of the edited proceedings volume (Advances in Cryptology, CRYPTO 2005):
Efficient Collision Search Attacks on SHA-0
Finding Collisions in the Full SHA-1
Pebbling and Proofs of Work
Composition Does Not Imply Adaptive Security
On the Discrete Logarithm Problem on Algebraic Tori
A Practical Attack on a Braid Group Based Cryptographic Protocol
The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption
Unconditional Characterizations of Non-interactive Zero-Knowledge
Impossibility and Feasibility Results for Zero Knowledge with Public Keys
Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors
A Formal Treatment of Onion Routing
Simple and Efficient Shuffling with Provable Correctness and ZK Privacy
Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions
Private Searching on Streaming Data
Privacy-Preserving Set Operations
Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys
Generic Transformation for Scalable Broadcast Encryption Schemes
Authenticating Pervasive Devices with Human Protocols
Secure Communications over Insecure Channels Based on Short Authenticated Strings
On Codes, Matroids and Secure Multi-party Computation from Linear Secret Sharing Schemes
Black-Box Secret Sharing from Primitive Sets in Algebraic Number Fields
Secure Computation Without Authentication
Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems
Analysis of Random Oracle Instantiation Scenarios for OAEP and Other Practical Schemes
Merkle-Damgård Revisited: How to Construct a Hash Function
On the Generic Insecurity of the Full Domain Hash
New Monotones and Lower Bounds in Unconditional Two-Party Computation
One-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption
A Quantum Cipher with Near Optimal Key-Recycling
An Efficient CDH-Based Signature Scheme with a Tight Security Reduction
Improved Security Analyses for CBC MACs
HMQV: A High-Performance Secure Diffie-Hellman Protocol
SIAM Journal on Computing | 2004
Ronald Cramer; Victor Shoup
A new public-key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.
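The CRYPTO 1998 and SIAM J. Comput. 2004 entries above describe the Cramer-Shoup scheme without showing its mechanics. The following is an added example, not code from the papers: it instantiates the basic scheme in Python, with public key (c, d, h), ciphertext (u1, u2, e, v), and the decryption-side consistency check that is the source of chosen-ciphertext security, then shows that a modified ciphertext is rejected rather than decrypted. Everything outside the scheme itself is an assumption of this example: the group is a Schnorr subgroup of Z_p^* found by a deterministic safe-prime search at import time, SHA-256 reduced modulo q stands in for the collision-resistant hash, and messages are encoded as squares; the parameter size is for illustration, not a security level.

```python
"""Cramer-Shoup encryption (the 1998 scheme) in a Schnorr subgroup of Z_p^*.

Added example, not the paper's code. Group: p = 2q + 1 safe prime, G = the
order-q subgroup of squares, g1 = 2^2, g2 = 3^2. Hash: SHA-256 reduced mod q
(stand-in for the collision-resistant hash the paper assumes). The ~128-bit q
found at import illustrates structure only; it is not a security level.
"""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, a strong
    probable-prime test beyond that."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int):
    """Smallest q >= start with q and p = 2q + 1 both (probable) primes -> (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_from(1 << 127)
G1, G2 = 4 % P, 9 % P            # squares, hence of order q; nobody knows log_g1(g2)
_WIDTH = (P.bit_length() + 7) // 8


def _hash_to_zq(*elems: int) -> int:
    """alpha = H(u1, u2, e), fixed-width encoding so the hash input is unambiguous."""
    h = hashlib.sha256()
    for x in elems:
        h.update(x.to_bytes(_WIDTH, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def in_group(x: int) -> bool:
    """Membership in the order-q subgroup; decrypt checks this for every component."""
    return 1 <= x < P and pow(x, Q, P) == 1


def keygen():
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d, pow(G1, z, P)), (x1, x2, y1, y2, z)


def encode(s: int) -> int:
    """Map an integer 1 <= s <= q into G as the square s^2 mod p."""
    assert 1 <= s <= Q
    return s * s % P


def decode(m: int) -> int:
    r = pow(m, (P + 1) // 4, P)    # square root, valid because p = 3 (mod 4)
    return min(r, P - r)           # exactly one of the two roots lies in [1, q]


def encrypt(pk, m: int):
    c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    alpha = _hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    return (u1, u2, e, v)


def decrypt(sk, ct):
    """Plaintext group element, or None when the ciphertext is rejected."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if not all(map(in_group, ct)):
        return None
    alpha = _hash_to_zq(u1, u2, e)
    expected = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if expected != v:
        return None                # consistency check fails: reject, reveal nothing
    return e * pow(pow(u1, z, P), -1, P) % P


def demo(msg: bytes = b"attack at dawn"):
    """Round trip, then the kind of malleation plain ElGamal would happily decrypt."""
    pk, sk = keygen()
    u1, u2, e, v = encrypt(pk, encode(int.from_bytes(msg, "big")))
    recovered = decode(decrypt(sk, (u1, u2, e, v))).to_bytes(len(msg), "big")
    tampered = decrypt(sk, (u1, u2, e * G1 % P, v))   # multiplying e shifts the plaintext in ElGamal
    return recovered, tampered
```

Multiplying `e` by a group element changes alpha, so the stored `v` no longer matches u1^(x1 + y1 alpha) u2^(x2 + y2 alpha) and `decrypt` returns None; that is the whole chosen-ciphertext defence, and it only holds if every ciphertext component is first confirmed to lie in the prime-order subgroup, which is why `in_group` runs before any exponentiation with the secret key.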
theory and application of cryptographic techniques | 2000
Victor Shoup
We present an RSA threshold signature scheme. The scheme enjoys the following properties: 1. it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard; 2. signature share generation and verification are completely non-interactive; 3. the size of an individual signature share is bounded by a constant times the size of the RSA modulus.
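The three properties listed in the abstract are easiest to see in code. The following is an added example, not the paper's own code: a k-of-l instance where the dealer shares d over Z_m (m = p'q' for safe primes p = 2p'+1, q = 2q'+1), each server returns x_i = x^{2 Δ s_i} together with a non-interactive proof that it used its share, and any k verified shares combine into an ordinary RSA signature with no further message exchange, using Δ = l! to keep the Lagrange coefficients integral. Assumptions of this example, not of the paper: SHA-256 stands in for the hash functions, the moduli are toy safe primes so the run is instant (real deployments use primes of about 1024 bits), and the counter-based rehash in hash_message is only a guard for the toy modulus size.

```python
"""Shoup's practical threshold RSA signatures (Eurocrypt 2000), k of l.

Added example, not the paper's code. Dealer shares d = e^-1 mod m over Z_m
(m = p'q'); server i returns x_i = x^{2 Δ s_i} with a proof that it used its
share; any k verified shares combine into a standard RSA signature with no
further interaction. SHA-256 stands in for the paper's hash functions. The
moduli are toy safe primes so the run is instant; real p, q are ~1024 bits.
"""
import hashlib
import math
import secrets

P, Q = 2039, 1907                       # toy safe primes: 2*1019+1, 2*953+1
N = P * Q
M = (P - 1) // 2 * ((Q - 1) // 2)       # order of Q_n, the subgroup of squares
E = 65537                               # public exponent: prime and larger than l
L, K = 5, 3                             # l servers, any k of them can sign
DELTA = math.factorial(L)               # Δ = l! clears Lagrange denominators


def _h(*parts: int) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(b"%d" % x for x in parts)).digest(), "big")


def hash_message(msg: bytes) -> int:
    """x = H(M) in Z_n^*; re-hash with a counter in the (negligible at real
    sizes) event that x shares a factor with n."""
    for ctr in range(1 << 16):
        x = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(2, "big")).digest(), "big") % N
        if math.gcd(x, N) == 1:
            return x
    raise ValueError("no unit found")


def deal():
    """Dealer: random degree-(k-1) polynomial f over Z_m with f(0) = d;
    s_i = f(i); verification keys v_i = v^{s_i} for a random square v."""
    d = pow(E, -1, M)
    coeffs = [d] + [secrets.randbelow(M) for _ in range(K - 1)]
    shares = {i: sum(c * pow(i, j, M) for j, c in enumerate(coeffs)) % M
              for i in range(1, L + 1)}
    while True:
        v = pow(secrets.randbelow(N - 2) + 2, 2, N)
        if math.gcd(v, N) == 1:
            break
    return shares, v, {i: pow(v, s, N) for i, s in shares.items()}


def sign_share(i: int, s_i: int, x: int, v: int, vks: dict):
    """Server i: x_i = x^{2Δ s_i}, plus a proof that log_v(v_i) = log_{xt}(x_i^2)
    with xt = x^{4Δ}, so a combiner can reject a bad share without talking back."""
    x_i = pow(x, 2 * DELTA * s_i, N)
    xt = pow(x, 4 * DELTA, N)
    r = secrets.randbelow(1 << (N.bit_length() + 256))    # statistically masks s_i
    c = _h(v, xt, vks[i], x_i * x_i % N, pow(v, r, N), pow(xt, r, N))
    return x_i, (c, s_i * c + r)


def verify_share(i: int, x_i: int, proof, x: int, v: int, vks: dict) -> bool:
    c, z = proof
    xt = pow(x, 4 * DELTA, N)
    return c == _h(v, xt, vks[i], x_i * x_i % N,
                   pow(v, z, N) * pow(vks[i], -c, N) % N,
                   pow(xt, z, N) * pow(x_i, -2 * c, N) % N)


def _egcd(a: int, b: int):
    """(u, w) with a*u + b*w = gcd(a, b)."""
    old_r, r, old_u, u, old_w, w = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_w, w = w, old_w - q * w
    return old_u, old_w


def combine(x: int, good_shares: dict) -> int:
    """Any k verified shares {j: x_j} -> y with y^e = x (mod n)."""
    S = list(good_shares)
    w = 1
    for j in S:
        num, den = DELTA, 1
        for jp in S:
            if jp != j:
                num, den = num * (0 - jp), den * (j - jp)
        assert num % den == 0                 # integral because Δ = l!
        w = w * pow(good_shares[j], 2 * (num // den), N) % N
    e_prime = 4 * DELTA * DELTA               # now w^e = x^{e'}
    a, b = _egcd(e_prime, E)                  # e'a + eb = 1 since gcd(e', e) = 1
    return pow(w, a, N) * pow(x, b, N) % N


def demo(msg: bytes = b"constructed sample message"):
    shares, v, vks = deal()
    x = hash_message(msg)
    produced = {i: sign_share(i, shares[i], x, v, vks) for i in (1, 3, 5)}  # any 3 of 5
    all_valid = all(verify_share(i, xi, pr, x, v, vks) for i, (xi, pr) in produced.items())
    y = combine(x, {i: xi for i, (xi, _) in produced.items()})
    sig_ok = pow(y, E, N) == x
    # server 1 signing with a wrong share: its proof fails against the published v_1
    bad_xi, bad_proof = sign_share(1, shares[1] + 1, x, v, vks)
    return all_valid, sig_ok, verify_share(1, bad_xi, bad_proof, x, v, vks)
```

The combiner never contacts a server: it checks each proof against the published v_i, discards bad shares, and finishes with plain integer arithmetic, which is what makes the scheme usable over an asynchronous network. The share size bound in the abstract is visible too: x_i is a single element of Z_n, and the proof is two integers a few hundred bits longer than the modulus.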
international cryptology conference | 2003
Jan Camenisch; Victor Shoup
This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier's decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.
ieee symposium on security and privacy | 1998
N. Asokan; Victor Shoup; Michael Waidner
The optimistic approach of involving a third party only in the case of exceptions is a useful technique to build secure, yet practical fair exchange protocols. Previous solutions using this approach implicitly assumed that players had reliable communication channels to the third party. We present a set of optimistic fair exchange protocols which tolerate temporary failures in the communication channels to the third party. A central feature of the protocols is that either player can asynchronously and unilaterally bring a protocol run to completion.
Journal of Cryptology | 2002
Victor Shoup; Rosario Gennaro
For the most compelling applications of threshold cryptosystems, security against chosen ciphertext attack is a requirement. However, prior to the results presented here, there appeared to be no practical threshold cryptosystems in the literature that were provably chosen ciphertext secure, even in the idealized random oracle model. The contribution of this paper is to present two very practical threshold cryptosystems, and to prove that they are secure against chosen ciphertext attack in the random oracle model. Not only are these protocols computationally very efficient, but they are also non-interactive, which means they can be easily run over an asynchronous communication network.
ACM Transactions on Information and System Security | 2000
Ronald Cramer; Victor Shoup
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called strong RSA assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA assumption.
Journal of Cryptology | 2009
David Cash; Eike Kiltz; Victor Shoup
We propose a new computational problem called the twin Diffie–Hellman problem. This problem is closely related to the usual (computational) Diffie–Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie–Hellman problem. Moreover, the twin Diffie–Hellman problem is at least as hard as the ordinary Diffie–Hellman problem. However, we are able to show that the twin Diffie–Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem—this is a feature not enjoyed by the Diffie–Hellman problem, in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie–Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie–Hellman problem is hard. We present several other applications as well, including a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer–Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh–Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
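The "trapdoor test" the abstract refers to is short enough to show in full. The following is an added example, not the paper's own code: given only X1 = g^x1, the tester picks r, s and publishes X2 = g^s / X1^r, so that x2 = s - r x1 without anyone learning either exponent; a claimed twin DH solution (Z1, Z2) for a challenge Y is then accepted iff Z1^r Z2 == Y^s. Correct pairs always pass, and a wrong pair passes with probability at most 1/q over the hidden (r, s). The block also includes the hashed twin ElGamal key encapsulation from the abstract, whose ciphertext is a single group element. Assumptions of this example, not of the paper: the group is the order-q subgroup of squares mod the toy safe prime p = 2039 (q = 1019), chosen small on purpose so the 1/q bound can be measured empirically, and SHA-256 is used as the key-derivation hash; real parameters need q of about 256 bits.

```python
"""Trapdoor test for the twin Diffie-Hellman problem (Cash, Kiltz, Shoup).

Added example, not the paper's code. Group: the order-q subgroup of squares in
Z_p^* for the toy safe prime p = 2039, q = 1019, small so that the 1/q
false-accept bound is observable; SHA-256 stands in for the KDF of the twin
ElGamal KEM. Real deployments need a ~256-bit q.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # g = 2^2 generates the order-q subgroup


def trapdoor_setup(X1: int):
    """Given only X1 = g^x1, pick r, s and publish X2 = g^s / X1^r, so that
    x2 = s - r*x1 is defined without anyone computing x1 or x2."""
    r = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(Q)
    X2 = pow(G, s, P) * pow(pow(X1, r, P), -1, P) % P
    return X2, (r, s)


def trapdoor_test(trap, Y: int, Z1: int, Z2: int) -> bool:
    """Decide whether (Z1, Z2) == (Y^x1, Y^x2): accept iff Z1^r * Z2 == Y^s.
    Honest pairs always pass; a fixed wrong pair passes with probability at
    most 1/q over the hidden (r, s)."""
    r, s = trap
    return pow(Z1, r, P) * Z2 % P == pow(Y, s, P)


def twin_kdf(Y: int, Z1: int, Z2: int) -> bytes:
    """K = H(Y, Y^x1, Y^x2): session key of hashed twin ElGamal."""
    return hashlib.sha256(b"%d|%d|%d" % (Y, Z1, Z2)).digest()


def twin_encaps(X1: int, X2: int):
    """Sender: the ciphertext is the single group element Y."""
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    return Y, twin_kdf(Y, pow(X1, y, P), pow(X2, y, P))


def twin_decaps(x1: int, x2: int, Y: int) -> bytes:
    return twin_kdf(Y, pow(Y, x1, P), pow(Y, x2, P))


def demo():
    """Honest pair accepted, corrupted pair rejected, KEM round trip for a
    receiver that really holds both exponents."""
    x1 = secrets.randbelow(Q - 1) + 1
    X1 = pow(G, x1, P)
    X2, trap = trapdoor_setup(X1)            # tester knows neither x1 nor x2
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    Z1, Z2 = pow(X1, y, P), pow(X2, y, P)    # the genuine twin DH solution
    honest = trapdoor_test(trap, Y, Z1, Z2)
    corrupted = trapdoor_test(trap, Y, Z1, Z2 * G % P)
    x2 = secrets.randbelow(Q - 1) + 1
    Yk, k_send = twin_encaps(X1, pow(G, x2, P))
    kem_ok = k_send == twin_decaps(x1, x2, Yk)
    return honest, corrupted, kem_ok


def false_accept_rate(trials: int = 20000) -> float:
    """An adversary submits a random wrong pair against a fresh trapdoor each
    time; the acceptance fraction should sit near 1/q (about 0.1% here)."""
    x1 = secrets.randbelow(Q - 1) + 1
    X1 = pow(G, x1, P)
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    Z1 = pow(X1, y, P)
    accepted = 0
    for _ in range(trials):
        _X2, trap = trapdoor_setup(X1)
        bad_Z1 = Z1 * pow(G, secrets.randbelow(Q - 1) + 1, P) % P   # Z1 off by g^a, a != 0
        bad_Z2 = pow(G, secrets.randbelow(Q), P)                    # arbitrary guess for Z2
        accepted += trapdoor_test(trap, Y, bad_Z1, bad_Z2)
    return accepted / trials
```

The point of the construction is that a security proof can hand an adversary the public key (X1, X2) where X2 was produced by `trapdoor_setup`, and still answer every decryption or decision query correctly with `trapdoor_test`, without knowing x1 or x2; plain ElGamal offers no such test, which is why its hashed variant needs a gap assumption while the twin variant reduces to ordinary CDH.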
theory and application of cryptographic techniques | 2004
Yevgeniy Dodis; Aggelos Kiayias; Antonio Nicolosi; Victor Shoup
We introduce Ad hoc Anonymous Identification schemes, a new multi-user cryptographic primitive that allows participants from a user population to form ad-hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with one-way domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad hoc Anonymous Identification schemes and design such secure schemes both generically (based on any accumulator with one-way domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that all the identification protocols take time independent of the size of the ad-hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer’s identity by an authority, if the latter is desired.