Since I am new to the Cramer-Shoup algorithm, I would like to know: Is it possible to have two different private keys for a public key due the key pair generation algorithm that Cramer-Shoup uses? I know that in public key algorithms, this is not possible in all cases, but I want to make sure what the answer is for Cramer-Shoup.
Asked
Active
Viewed 117 times
1 Answers
1
Yes, this is possible.
One possible argument is of algebraic nature, using the fact that there is some $a\in\{0,\dots,q-1\}$ with $g_2=g_1^a$ and rewriting the public key's defining equations using this relation.
However, there's a much simpler justification: A Cramer-Shoup public key consists of five elements $g_1,g_2,c,d,h$ of a group of order $q$, hence there are at most $q^5$ possible public keys. However, a private key consists of two freely chosen elements $g_1,g_2$ and five freely chosen integers $x_1,x_2,y_1,y_2,z$ between $0$ and $q-1$, yielding $q^7$ possible private keys. Therefore, there exist (on average) at least $q^2$ private keys mapping to a single public key.
(In fact, the algebraic argument mentioned above shows that there are exactly $q^5$ public keys, each of which corresponds to exactly $q^2$ private keys.)
yyyyyyy
- 12,261
- 4
- 48
- 68