
On the security of ElGamal-based encryption


Presentation Transcript


  1. On the security of ElGamal-based encryption
     Yiannis Tsiounis, GTE Labs; Moti Yung, CertCo LLC

  2. Secure encryption
     • Semantic security [GM84, Gol89]
       • Hide all partial information
       • Immune against a-priori knowledge
     • Chosen-ciphertext security [NY90]
       • Sender is “aware” of the plaintext
     • Non-malleability [DDN91]
       • Message and sender cannot be altered by a man-in-the-middle

  3. Previous work
     • Semantic security and chosen-ciphertext security
       • General (inefficient) solutions [GM84, NY90]
       • R.O.-based solutions [BR93, BR97] + R.O. implementations [Can97]
     • Non-malleability
       • Inefficient solutions [DDN91]

  4. Our contributions
     • Semantic security
       • Directly from decision Diffie-Hellman
       • Retaining homomorphic properties
       • Exact analysis of the efficiency of the reduction
     • Non-malleability (and chosen-ciphertext security)
       • Decision D-H + R.O. that is collision-free [PS96] (no secrecy requirements)

  5. Preliminaries
     • ElGamal encryption
       • P = aQ + 1, P, Q primes, |g| = Q
       • Private key: x
       • Public key: y = g^x (mod P)
       • E(m) = (g^k, y^k m) (m ∈ G_Q)
     • Decision Diffie-Hellman
       • P = aQ + 1, P, Q primes, |g| = Q
       • Distinguish <g^a, g^b, g^{ab}> from <g^a, g^b, g^c>

  6. Preliminaries (cont.)
     • Semantic security = indistinguishability of encryptions: it is infeasible to find two messages whose encryptions can be distinguished (non-negligibly better than random guessing)

  7. ElGamal => decision D-H
     • Assume we have an ElGamal oracle
     • Given a triplet <g^a, g^b, y>, decide if it is a D-H triplet (y = g^{ab}?)
     1. Preparation stage: find two messages that the oracle can distinguish
     2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

  8. Proof (cont.)
     3. Decision phase: generator g, public key g^{bw} (w random)
     • Randomize message 1 (or 2)
       • Correctly: E(m) = (g^u, m (g^b)^{wu})
       • Based on the given triplet <g^a, g^b, y>: E(m') = ((g^a)^t g^v, m y^{wt} (g^b)^{wv}); m' = m (if y = g^{ab}), random otherwise
     • Run the oracle on E(m), E(m')
       1. Distinguish? ==> not a D-H triplet
       2. Else: correct D-H triplet

  9. Decision D-H => ElGamal
     • Given a decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished
     • For any two m, m' (y = g^x): E(m) = (g^a, m_0 y^a), E(m') = (g^b, m_1 y^b)
     • Feed <g^a, y g^v, [y^a m_0] g^{av} / m> = <g^a, g^{x+v}, g^{(x+v)a} m_0/m> (random v)
     • If it is a correct triplet, then m_0 = m, else m_0 = m'

  10. Non-malleability
     • Given a ciphertext C, one cannot construct a ciphertext C' such that the plaintexts are related
     • All we need is a proof of knowledge of the plaintext
     • I.e., a proof of knowledge of k in E(m) = (g^k, y^k m)
     • But it must be a non-malleable ZK proof: it must be bound to the prover

  11. The non-malleable extension
     • A Schnorr-type ZK proof of knowledge of k, with the sender's identity in the challenge (hash):
       A = [g^k, y^k m], F = g^v, C = k H(ID, g, A, F) + v
       E(m) = [A, F, C, ID]
     • The random oracle is used only as a “trusted beacon” [PS96], not for information hiding

  12. Security proof
     1. We need to verify that semantic security still holds (the knowledge proof does not leak information)
     2. Knowledge of k: provided by the Schnorr proof
     3. Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS96]
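The two constructions above, the decision D-H => ElGamal reduction of slide 9 and the Schnorr-bound ciphertext of slides 11 and 12, as an added worked example; this is not code from the slides or from the authors. It assumes constructed toy parameters P = 2039, Q = 1019 (far too small for real use), SHA-256 reduced mod Q as the hash H, and a trapdoor "DDH oracle" that only the test harness can build because it is handed the exponent a; the reduction itself never uses that exponent.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption for this example; far too small for real use).
# P = aQ + 1 with a = 2, so the quadratic residues mod P form the subgroup G_Q of prime order Q.
P = 2039
Q = 1019
G = pow(2, (P - 1) // Q, P)          # an element of order Q (here G = 4)
assert G != 1 and pow(G, Q, P) == 1  # sanity check: |g| = Q


def keygen():
    """Private key x, public key y = g^x (mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    """Plain ElGamal: E(m) = (g^k, y^k m), with m an element of G_Q."""
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (pow(y, k, P) * m) % P


def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -x, P)) % P   # c2 / c1^x


# ---- Slide 9: decision D-H => indistinguishability of ElGamal encryptions ----

def reduction_triple(y, ct, m, v):
    """From a ciphertext (g^a, m0 y^a) with m0 in {m, m'} build the triple
    <g^a, y g^v, [y^a m0] g^{av} / m> = <g^a, g^{x+v}, g^{(x+v)a} m0/m>.
    It is a D-H triple exactly when m0 == m."""
    ga, c2 = ct
    second = (y * pow(G, v, P)) % P
    third = (c2 * pow(ga, v, P) * pow(m, -1, P)) % P
    return ga, second, third


def decide_plaintext(y, ct, m, m_prime, ddh_oracle):
    """Decide which of m, m' the ciphertext encrypts, using one DDH oracle call."""
    v = secrets.randbelow(Q)
    return m if ddh_oracle(reduction_triple(y, ct, m, v)) else m_prime


def trapdoor_ddh_oracle(a):
    """Test-harness stand-in for the DDH oracle (assumption: not a real DDH solver).
    It is given the exponent a of the triple's first element and checks (g^b)^a == z."""
    return lambda triple: pow(triple[1], a, P) == triple[2]


# ---- Slides 11/12: non-malleable extension (Schnorr proof of knowledge of k, bound to ID) ----

def challenge(identity, A, F):
    """H(ID, g, A, F) reduced mod Q; SHA-256 over this fixed encoding is an assumption."""
    data = f"{identity}|{G}|{A[0]}|{A[1]}|{F}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encrypt_nm(y, m, identity, k=None, v=None):
    """E(m) = [A, F, C, ID] with A = [g^k, y^k m], F = g^v, C = k H(ID, g, A, F) + v."""
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    v = secrets.randbelow(Q) if v is None else v
    A = encrypt(y, m, k)
    F = pow(G, v, P)
    C = (k * challenge(identity, A, F) + v) % Q
    return A, F, C, identity


def verify_nm(ct):
    """Schnorr check g^C == (g^k)^c * F with c = H(ID, g, A, F). Any change to A, F or ID
    changes c, so a mauled or re-bound ciphertext fails the equation and is rejected."""
    A, F, C, identity = ct
    c = challenge(identity, A, F)
    return pow(G, C, P) == (pow(A[0], c, P) * F) % P


def decrypt_nm(x, ct):
    """Reject ciphertexts whose proof does not verify; otherwise plain ElGamal decryption."""
    return decrypt(x, ct[0]) if verify_nm(ct) else None


if __name__ == "__main__":
    x, y = keygen()
    m, m_prime = pow(7, 2, P), pow(11, 2, P)   # squares mod P, hence in G_Q (constructed)
    k = 123
    ct = encrypt(y, m_prime, k)
    print("reduction decides m':", decide_plaintext(y, ct, m, m_prime, trapdoor_ddh_oracle(k)) == m_prime)
    nm = encrypt_nm(y, m, "alice")
    A, F, C, ident = nm
    print("honest verifies:", verify_nm(nm), "| re-bound to another ID:", verify_nm((A, F, C, "bob")))
```

The reduction function shows the algebra of slide 9 directly: the third component equals (y g^v)^a only when the encrypted message is m, so a single DDH decision recovers which of the two messages was encrypted. The verification function shows why slide 12 calls the addition a Schnorr signature of ID under k: the receiver recomputes the challenge from the ciphertext and the claimed sender, and a ciphertext whose body or ID was altered in transit no longer satisfies g^C = (g^k)^c F.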

  13. Practical implications: encryption
     • ElGamal is as secure as [BR94+Can97]
     • Non-malleability can be added at minimal efficiency cost
     • In applications a signature is still needed
       • Otherwise senders can be impersonated
     • “Signcryption” using Schnorr proofs is a smooth addition

  14. Implications: protocols
     • First encryption scheme with homomorphic properties that is semantically secure
     • Anonymous e-cash: escrowing can be performed based on decision D-H
