On the security of ElGamal-based encryption. Yiannis Tsiounis, GTE Labs; Moti Yung, CertCo LLC.
Secure encryption • Semantic Security [GM84, Gol89] • Hide all partial information • Immune against a-priori knowledge • Chosen ciphertext security [NY90] • Sender is “aware” of the plaintext • Non-malleability [DDN91] • Message & sender cannot be altered by man-in-the-middle
Previous work • Semantic security & chosen-ciphertext security • General (inefficient) solutions [GM84, NY90] • R.O.-based solutions [BR93, BR97] + R.O. implementations [Can97] • Non-malleability • Inefficient solutions [DDN91]
Our contributions • Semantic security • Directly from decision Diffie-Hellman • Retaining homomorphic properties • Exact analysis of the efficiency of the reduction • Non-malleability (and chosen ciphertext security) • decision D-H + a random oracle used only as a collision-free beacon [PS96] (no secrecy requirement on the oracle)
Preliminaries • ElGamal encryption • P = aQ + 1, P, Q primes, |g| = Q • Private key: x • Public key: y = g^x (mod P) • E(m) = (g^k, y^k m) for m ∈ G_Q (the order-Q subgroup generated by g), k random • Decision Diffie-Hellman • P = aQ + 1, P, Q primes, |g| = Q • Distinguish <g^a, g^b, g^(ab)> from <g^a, g^b, g^c> (a, b, c random)
Preliminaries (cont.) • Semantic security = indistinguishability of encryptions: It is infeasible to find 2 messages whose encryptions can be distinguished (non-negl. better than random guessing)
ElGamal => decision D-H • Assume we have an ElGamal oracle (a distinguisher of encryptions) • Given a triplet <g^a, g^b, y>, decide whether it is a D-H triplet (y = g^(ab)?) 1. Preparation stage: find two messages that the oracle can distinguish 2. Testing phase: test whether the oracle can distinguish between message 1 (or 2) and random messages
Proof (cont.) 3. Decision phase: generator g, public key g^(bw) (w random) • Randomize message 1 (or 2) • Correctly: E(m) = (g^u, m (g^b)^(wu)) • Based on the given triplet <g^a, g^b, y>: E(m') = ((g^a)^t g^v, m y^(wt) (g^b)^(wv)); m' = m (if y = g^(ab)), random otherwise • Run the oracle on E(m), E(m') 1. Distinguishes? ==> not a D-H triplet 2. Else: correct D-H triplet
Decision D-H => ElGamal • Given a decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished • For any two m, m' (y = g^x): the challenge is E(m) = (g^a, m_0 y^a) or E(m') = (g^b, m_1 y^b), with m_0 ∈ {m, m'} • Feed <g^a, y g^v, [y^a m_0] g^(av) / m> = <g^a, g^(x+v), g^((x+v)a) m_0/m> (random v) to the oracle • If it is a correct triplet, then m_0 = m, else m_0 = m'
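The preliminaries and the two reductions above, carried out in Python as an added example (not the authors' code). The group is a toy 20-bit safe prime P = 2Q + 1 chosen here for speed, and the ElGamal and DDH "oracles" are simulated by a harness that knows the secret exponents; both are assumptions of the demonstration, not something a real adversary has. The block also shows the two facts the preliminaries rely on: the homomorphic property and why m must lie in G_Q.

```python
"""Toy ElGamal over G_Q (the order-Q subgroup of Z_P^*) and the two reductions
from the slides.  Added example, not the authors' code; the 20-bit parameters
keep it instant and give no security whatsoever."""
import random
from math import isqrt


def is_prime(n):
    # Exact trial division; fine for the 20-bit toy primes used here.
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def make_group(bits=20):
    # Smallest P = 2Q + 1 with P, Q prime and Q >= 2^bits (a = 2 in P = aQ + 1).
    q = 1 << bits
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    return p, q, pow(2, 2, p)  # any square other than 1 has order exactly Q


P, Q, G = make_group()
RNG = random.Random(7)  # seeded so the demo is reproducible; real keys need `secrets`


def in_gq(z):
    # G_Q is the set of quadratic residues mod P, i.e. z^Q == 1.
    return pow(z, Q, P) == 1


def keygen():
    x = RNG.randrange(1, Q)
    return x, pow(G, x, P)  # private x, public y = g^x


def encrypt(y, m, k=None):
    # E(m) = (g^k, y^k m).  The slides require m in G_Q; qr_leak() shows why.
    k = RNG.randrange(1, Q) if k is None else k
    return pow(G, k, P), pow(y, k, P) * m % P


def decrypt(x, c):
    c1, c2 = c
    return c2 * pow(c1, Q - x, P) % P  # c1^(-x) == c1^(Q - x) because |g| = Q


def mul_ciphertexts(c, d):
    # The homomorphic property the paper keeps: E(m) * E(m') decrypts to m * m'.
    return c[0] * d[0] % P, c[1] * d[1] % P


def qr_leak(c):
    # y^k is always a residue, so c2 is a residue exactly when m is: a message
    # outside G_Q leaks one bit of itself, defeating semantic security.
    return in_gq(c[1])


def ddh_from_elgamal(distinguish, m1, triple, w=None):
    """Slides 10-11: a DDH decider from an ElGamal distinguisher.
    distinguish(pk, c, c') is True when c and c' encrypt different plaintexts.
    triple = (g^a, g^b, y); returns True iff y == g^(ab)."""
    ga, gb, y = triple
    w = RNG.randrange(1, Q) if w is None else w
    u, t, v = (RNG.randrange(1, Q) for _ in range(3))
    pk = pow(gb, w, P)                                         # public key g^(bw)
    c_good = (pow(G, u, P), m1 * pow(gb, w * u, P) % P)        # honest E(m1)
    c_test = (pow(ga, t, P) * pow(G, v, P) % P,                # (g^a)^t g^v
              m1 * pow(y, w * t, P) * pow(gb, w * v, P) % P)   # m1 y^(wt) (g^b)^(wv)
    # c_test encrypts m1 iff y == g^(ab); otherwise it encrypts m1 * g^(wt(c-ab)).
    return not distinguish(pk, c_good, c_test)


def elgamal_from_ddh(is_ddh, y, m, m_alt, c):
    """Slide 12: an ElGamal distinguisher from a DDH decider.
    c = (g^a, m0 y^a) with m0 in {m, m_alt}; returns the guess for m0."""
    ga, c2 = c
    v = RNG.randrange(1, Q)
    inv_m = pow(m, Q - 1, P)  # m^(-1), valid because m is in G_Q
    # <g^a, y g^v, c2 g^(av) / m> == <g^a, g^(x+v), g^((x+v)a) m0 / m>
    triple = (ga, y * pow(G, v, P) % P, c2 * pow(ga, v, P) * inv_m % P)
    return m if is_ddh(triple) else m_alt


if __name__ == "__main__":
    x, y = keygen()
    m, m_alt = pow(3, 2, P), pow(5, 2, P)  # squares, hence in G_Q
    print("decrypts:", decrypt(x, encrypt(y, m)) == m)
    print("leaks residuosity of -1:", qr_leak(encrypt(y, P - 1)))
```

In `ddh_from_elgamal` the reduction never learns b: it only raises the given g^b to its own random w, which is exactly why the decision phase works with a public key it cannot open. The `w` parameter exists solely so a test harness that generated b can build a perfect distinguisher by decrypting with b·w.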
Non-malleability • Given a ciphertext C, one cannot construct a ciphertext C' such that the plaintexts are related • All we need is a proof of knowledge of the plaintext • I.e., a proof of knowledge of k in E(m) = (g^k, y^k m) • But it must be a non-malleable ZK proof: it must be bound to the prover
The non-malleable extension • A Schnorr-type ZK proof of knowledge of k, with the sender's identity in the challenge (hash): A = [g^k, y^k m], F = g^v, C = k H(ID, g, A, F) + v; E(m) = [A, F, C, ID] (the receiver checks g^C = (g^k)^H(ID, g, A, F) · F before decrypting) • The random oracle is used only as a "trusted beacon" [PS96], not for information hiding
Security proof 1. We need to verify that semantic security still holds (the knowledge proof does not leak information) 2. Knowledge of k: provided from Schnorr proof 3. Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS96]
Practical implications: Encryption • ElGamal is as secure as [BR94+Can97] • Non-malleability can be added at minimal efficiency costs • In applications a signature is still needed • Otherwise senders can be impersonated • “Signcryption” using Schnorr-proofs is a smooth addition
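The extension of the three slides above, as an added Python example (not the authors' code). SHA-256 reduced mod Q stands in for the random oracle H; the "|"-joined encoding of (ID, g, A, F), the 24-bit toy group and the three tampering functions are assumptions and constructed attacks of this example. It also demonstrates the impersonation caveat: anyone can produce a valid ciphertext labelled with somebody else's ID, because the proof binds the ciphertext to the ID it carries but does not authenticate the sender.

```python
"""Non-malleable ElGamal from slide 14: each ciphertext carries a Schnorr-type
proof of knowledge of k whose challenge hashes the sender's ID.  Added example,
not the authors' code; SHA-256 mod Q plays the random oracle H."""
import hashlib
import random
from math import isqrt


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def make_group(bits=24):
    # Smallest safe prime P = 2Q + 1 with Q >= 2^bits; g = 4 is a square so |g| = Q.
    q = 1 << bits
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q, pow(2, 2, 2 * q + 1)


P, Q, G = make_group()
RNG = random.Random(11)  # seeded for a reproducible demo; real code uses `secrets`


def challenge(ident, a, f):
    # H(ID, g, A, F) reduced mod Q.  The hash is a public "beacon" that ties the
    # proof to ID and A; it hides nothing.  (A real encoding must be unambiguous,
    # e.g. length-prefixed; the '|' join here is a toy assumption.)
    data = "|".join(map(str, (ident, G, a[0], a[1], f))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = RNG.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt_nm(y, m, ident):
    k, v = RNG.randrange(1, Q), RNG.randrange(1, Q)
    a = (pow(G, k, P), pow(y, k, P) * m % P)   # A = [g^k, y^k m]
    f = pow(G, v, P)                           # F = g^v
    c = (k * challenge(ident, a, f) + v) % Q   # C = k H(ID, g, A, F) + v
    return a, f, c, ident                      # E(m) = [A, F, C, ID]


def verify(ct):
    # Schnorr check g^C == (g^k)^H * F; any change to A, F or ID alters H or
    # breaks the relation, so the check fails (up to a 1/Q chance).
    a, f, c, ident = ct
    return pow(G, c, P) == pow(a[0], challenge(ident, a, f), P) * f % P


def decrypt_nm(x, ct):
    # Refuse ciphertexts whose proof fails: that is what blocks chosen-ciphertext
    # and man-in-the-middle games that rely on mauling.
    if not verify(ct):
        return None
    a = ct[0]
    return a[1] * pow(a[0], Q - x, P) % P


# Three things a man-in-the-middle might try (constructed attacks for the demo).
def maul_plaintext(ct, r):
    # Plain ElGamal would turn E(m) into E(r*m); here A changes, so H changes.
    a, f, c, ident = ct
    return (a[0], a[1] * r % P), f, c, ident


def rebind_sender(ct, new_ident):
    # Relabelling with another ID changes H as well.
    a, f, c, _ = ct
    return a, f, c, new_ident


def rerandomize(ct, y, s):
    # Multiplying in a fresh encryption of 1 changes g^k without knowledge of k or v.
    a, f, c, ident = ct
    return (a[0] * pow(G, s, P) % P, a[1] * pow(y, s, P) % P), f, c, ident


if __name__ == "__main__":
    x, y = keygen()
    ct = encrypt_nm(y, pow(3, 2, P), "alice")
    print("valid:", verify(ct), " mauled:", verify(maul_plaintext(ct, 4)))
```

The mauled ciphertext would still decrypt to r·m under plain ElGamal; it is the proof check in `decrypt_nm`, not the decryption itself, that rejects it. A fresh `encrypt_nm(y, m, "alice")` produced by a third party verifies just as well, which is why the slides keep a signature in the picture when the sender must be authenticated.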
Implications: protocols • First encryption scheme with homomorphic properties that is semantically secure • Anonymous e-cash: escrowing can be performed based on decision D-H