On the CCA1-Security of Elgamal and Damgård s Elgamal

Transcription

1 On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010

2 Outline I Motivation 1 Motivation 2 3

3 Motivation Three well-known security requirements for public-key encryption: CPA < CCA1 < CCA2 CPA and CCA1 allow homomorphic encryption, CCA2 doesn t Much is known about CPA and CCA2 security CPA: homomorphic schemes (Elgamal, Paillier,... ) Widely used, applications in cryptographic protocols CCA2: Cramer-Shoup, Kurosawa-Desmedt,... Used as encryption per se

4 Motivation What about CCA1-security? More security than CPA, but still allows homomorphisms More efficient than CCA2-secure cryptosystems Is Elgamal CCA1 secure? Possible corollary: If Elgamal is CCA1-secure, then any (well-designed) protocol that uses Elgamal to be CPA-secure, becomes automatically CCA1-secure

5 Public-Key Cryptosystems pk sk c Enc pk (m) m

6 CPA-Security Motivation sk pk (m 0, m 1 ) c Enc pk (m b ) b SpongeBob wins if b = b

7 CCA1-Security Motivation sk c Dec sk (c ) pk (m 0, m 1 ) c Enc pk (m b ) b SpongeBob wins if b = b

8 CCA2-Security Motivation sk c Dec sk (c ) pk (m 0, m 1 ) c Enc pk (m b ) c c Dec sk (c ) b SpongeBob wins if b = b

9 CCA2-Security Homomorphic Assume cryptosystem is homomorphic SpongeBob can break CCA2-security as follows: He generates a challenge pair (1, g) Alice returns c Enc pk (g b ) for random b {0, 1} In query phase, SpongeBob submits c c Enc pk (g) to Alice Alice responds with its decryption m g 1+b SpongeBob answers m/g However, CCA1-secure cryptosystems can be homomorphic

10 Elgamal Motivation Key generation: sk Z q, pk g sk Encryption: r Z q, Enc pk (m; r) = (d, e) := (g r, m pk r ) Decryption: Dec sk (d, e) := e/d sk CPA-security of Elgamal is tautologically equivalent to DDH Homomorphic: Enc pk (m; r) Enc pk (m ; r ) = Enc pk (m m ; r + r ) Thus not CCA2-secure

11 Damgård s Elgamal Key generation: sk 1, sk 2 Z q, pk i g sk i Encryption: r Z q, Enc pk (m; r) = (d, e, f ) := (g r, pk r 1, m pkr 2 ) Decryption: If d sk 1 e then return error else return f /d sk 2 Decryption check shows that encrypter knows r Damgård: DEG is CCA1-secure under a knowledge assumption Gjøsteen: DEG is CCA1-secure under DDH DDH assumption Homomorphic, thus not CCA2-secure

12 Main Questions Elgamal is CPA-secure but not CCA2-secure Is Elgamal CCA1-secure? If so, under which assumption? Is that assumption reasonable? DEG is CCA1-secure but not CCA2-secure Is it CCA1-secure under DDH? Is DEG-CCA1 weaker than Elgamal-CCA1 assumption?

13 Previous Results q-secure in the generic group model DDH DEG-CCA1 Previous results

14 New Results Motivation q-secure in the generic group model DDH DEG-CCA1 Previous results DDH DDH New results Elgamal-CCA1 DDH CDH 3 q-secure in the generic group model

15 Main Techniques: Reductions CCA1-security is a particular assumption: Adversary has oracle access to decryption only before challenge Adversary can decrypt under the same key Our assumptions have all the same form: DDH DDH [Gjøsteen]: DDH is secure if adversary is given nonadaptive oracle access to DDH under the same (g, h) DDH CDH :... nonadaptive oracle access to CDH... Lemmoid: X Y (X) Y follows from X X and Y Y Our reductions follow all this pattern All reductions are static : adversary only makes queries assuming (g, h) are fixed

16 Main Techniques: Irreductions Irreduction X Y is an adversary, that: Given as an oracle a poly-time reduction X Y Solves Y Interpretation: If Y is not harder than X, then X and Y are both easy Caveat: all our irreductions are also static Assuming that the reductions are static, the irreductions also only query with fixed (g, h) Open question: remove the adverb static from irreductions

17 Lower Bound in GGM Generic Group Model: adversary can access the group in black box manner Oracle access to group operations Security in GGM is an indicator of security in standard model Proof idea: Adversary can construct up to P + R polynomials of degree Q in (x, y) She breaks DDH CDH if two of those polynomials have a common root Probability: Q (P+R ) 2 /q = O(k 3 ) k - working time, q - largest prime factor of group order

18 Questions? Motivation