El Gamal A DDH based encryption scheme. Table of contents

Similar documents
Chapter 11 : Private-Key Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Block ciphers And modes of operation. Table of contents

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CPA-Security. Definition: A private-key encryption scheme

Lecture 28: Public-key Cryptography. Public-key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 17: Constructions of Public-Key Encryption

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Introduction to Cryptography. Lecture 8

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Advanced Topics in Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Computational security & Private key encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Introduction to Cybersecurity Cryptography (Part 4)

Public Key Cryptography

Public Key Cryptography

CTR mode of operation

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

ASYMMETRIC ENCRYPTION

Lecture 11: Key Agreement

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

5.4 ElGamal - definition

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Constructing secure MACs Message authentication in action. Table of contents

Chapter 2 : Perfectly-Secret Encryption

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Modern Cryptography Lecture 4

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lecture Note 3 Date:

Introduction to Cybersecurity Cryptography (Part 5)

1 Public-key encryption

1 Basic Number Theory

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Public-Key Encryption: ElGamal, RSA, Rabin

Block Ciphers/Pseudorandom Permutations

III. Pseudorandom functions & encryption

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 13: Private Key Encryption

Katz, Lindell Introduction to Modern Cryptrography

Perfectly-Secret Encryption

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 22: RSA Encryption. RSA Encryption

Public Key Cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Notes for Lecture 17

Avoiding collisions Cryptographic hash functions. Table of contents

Advanced Cryptography 1st Semester Public Encryption

Lecture 5, CPA Secure Encryption from PRFs

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Short Exponent Diffie-Hellman Problems

Advanced Cryptography 03/06/2007. Lecture 8

Solutions to homework 2

Cryptography and Security Midterm Exam

Public Key Cryptography

Scribe for Lecture #5

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Public-Key Cryptosystems CHAPTER 4

Lattice Cryptography

The Cramer-Shoup Cryptosystem

Fully Homomorphic Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Introduction to Cryptology. Lecture 3

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

10 Concrete candidates for public key crypto

A New Paradigm of Hybrid Encryption Scheme

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture Notes, Week 6

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

CPSC 467b: Cryptography and Computer Security

Cryptography and Security Final Exam

Public-Key Encryption

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

14 Diffie-Hellman Key Agreement

Introduction to Cryptography. Susan Hohenberger

Lecture 1: Introduction to Public key cryptography

Notes for Lecture 16

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

RSA RSA public key cryptosystem

Provable security. Michel Abdalla

General Impossibility of Group Homomorphic Encryption in the Quantum World

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Adaptive Security of Compositions

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Exercise Sheet Cryptography 1, 2011

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

ECS 189A Final Cryptography Spring 2011

Lattice Cryptography

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 2: Perfect Secrecy and its Limitations

COMP4109 : Applied Cryptography

Transcription:

El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues

The El Gamal encryption scheme El Gamal, based on the hardness of the decisional Di e-hellman (DDH) problem, is commonly used public-key encryption scheme. Before introducing the scheme proper, some background mathematics. A useful lemma* Lemma 11.15. Let G be a finite group, and let m 2 G be an arbitrary element. Then choosing a uniform k G and setting k 0 := k m gives the same distribution for k 0 as choosing uniform k 0 G. Thatis,foranyĝ 2 G Pr[k m =ĝ] =1/ G, where the probability is taken over random choice of k. Proof. *In other words, the distribution of k 0 is independent of m; thismeansthatk 0 contains no information about m.

A perfectly-secret private-key encryption scheme* The sender and receiver share a random element k G. To encrypt m 2 G, thesender computes the ciphertext k 0 := k m. To decrypt the ciphertext k 0, the receiver computes m := k 0 /k. *The one-time pad is exactly of this form. The group is the set of all bit strings of some fixed length and the group operation is XOR. A snag This only works if k is truly random, used only once, and shared in advance*. In a public-key setting, a di erent scheme is needed to allow the receiver to decrypt. Pseudorandom to the rescue. Element k will be defined in such a way that the receiver will be able to compute k from her private key, yet k will look random. *Bad news for any public-key scheme.

The El Gamal encryption scheme Construction 11.16. Let G be a polynomial-time algorithm that, on input 1 n, outputs a cyclic group G, itsorderq (with kqk = n), and a generator g. Gen: On input 1 n run G(1 n ) to obtain (G, q, g). Then choose a random x 2 Z q and compute h := g x.thepublickeyis hg, q, g, hi and the private key is hg, q, g, xi. Enc: On input a public key pk = hg, q, g, hi and a message m 2 G, choose a random y Z q and output the ciphertext hg y, h y mi. Dec: On input a private key sk = hg, q, g, xi and a ciphertext hc 1, c 2 i, output m := c 2 /c x 1. Correctness of El Gamal encryption scheme To see that decryption succeeds, let hc 1, c 2 i = hg y, h y mi with h = g x.then c 2 c1 x = hy m (g y ) x = (g x ) y m g xy = g xy m g xy = m.

A simple example Example 11.17. Let q = 83 and p =2q + 1 = 167, and let G denote the group of quadratic residues modulo p.* Since the order of G is prime, any element of G except 1 is a generator; take g =2 2 = 4 mod 167. Suppose the receiver chooses a secret key x = 37 2 Z 83 so the public key is pk = hp, q, g, hi = h167, 83, 4, [4 37 mod 167i = h167, 83, 4, 76i, where p represents G. To encrypt m = 65 2 G, choose a uniform y 2 Z q,sayy = 71, then h[4 71 mod 167], [76 71 65 mod 167]i = h132, 44i To decrypt, first compute 124 = [132 37 mod 167]; then since 66 = [124 1 mod 167], recover m = 65 = [44 66 mod 167]. *Since p and q are prime, G is a subgroup of Z p with order q. Recall the Decisional Di e-hellman (DDH) problem The decisional Di e-hellman (DDH) problem is to distinguish DH g (h 1, h 2 ) from a random group element for randomly chosen h 1, h 2. Definition 8.63. We say that the DDH problem is hard relative to G if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[A(G, q, g, g x, g y, g z ) = 1] Pr[A(G, q, g, g x, g y, g xy ) = 1] apple negl(n), where in each case the probabilities are taken over the experiment in which G(1 n ) outputs (G, q, g), and the random x, y, z 2 Z q are chosen.

The El Gamal encryption scheme Theorem 11.18. If the DDH problem is hard relative to G, thenthe El Gamal encryption scheme is CPA-secure. Proof. We prove that El Gamal scheme has indistinguishable encryptions in the presence of an eavesdropping and let Proposition 11.3 take it from there. Let A be a PPT adversary attacking El Gamal in PubK eav A, (n). We show that there is a negligible function negl such that Pr[PubK eav A, (n) = 1] apple 1 2 + negl(n). If things were truly random Consider where Gen is the same as, but encryption of a message m with respect to the public key pk = hg, q, g, hi is done by choosing a random y Z q and z Z q and outputting the ciphertext hg y, g z mi Lemma 11.15 implies that the second component of the ciphertext is a uniformly-distributed group element, and, in particular is independent of the message m. It follows that Pr[PubK eav A, (n) = 1] = 1 2.

Building a PPT distinguisher for the DDH problem* Algorithm D: The algorithm is given G, q, g, h 1, h 2, h 3 as input Set pk = hg, q, g, h 1 i and run A(pk) to obtain two messages m 0, m 1 2 G. Choose a random bit b, andsetc 1 := h 2 and c 2 := h 3 m b. Give the ciphertext hc 1, c 2 i to A and obtain an output bit b 0. If b 0 = b output 1; otherwise output 0. We analyze the behavior of D. Therearetwocases. *In other words, D receives (G, q, g, h 1, h 2, h 3 )whereh 1 = g x, h 2 = g y and h 3 is either h xy or h z for some random x, y, z and the goal of D is to determine which is the case. First verse Case 1. Say the input D is generated by running G(1 n ) to obtain (G, q, g) then choosing a random x, y, z Z q,andfinallysetting h 1 := g x, h 2 := g y,andh 3 := g z. Next D runs A on public key and a ciphertext constructed as pk = hg, q, g, g x i hc 1, c 2 i = hg y, g z m b i The view of A when run by D is distributed identically to its view in experiment PubK eav (n). Since D outputs 1 precisely when A A, succeeds Pr[D(G, q, g, g x, g y, g z ) = 1] = Pr[PubK eav A, (n) = 1] = 1 2.

Second verse, (nearly) same as the first Case 2. Say the input D is generated by running G(1 n ) to obtain (G, q, g) then choosing a random x, y Z q,andfinallysetting h 1 := g x, h 2 := g y,andh 3 := g xy. Next D runs A on public key and a ciphertext constructed as pk = hg, q, g, g x i hc 1, c 2 i = hg y, g xy m b i The view of A when run by D is distributed identically to its view in experiment PubK eav A, (n). Since D outputs 1 precisely when A succeeds Pr[D(G, q, g, g x, g y, g xy ) = 1] = Pr[PubK eav A, (n) = 1]. Day is done Since the DDH problem is hard relative to G, thereexistsa negligible function negl such that negl(n) Pr[D(G, q, g, g x, g y, g z ) = 1] Pr[D(G, q, g, g x, g y, g xy ) = 1] = 1 2 Pr[PubK eav A, (n) = 1] This implies that Pr[PubK eav A, (n) = 1] apple 1 2 required. + negl(n) as

Encoding binary strings Remark. In order to fully specify a usable encryption scheme, we need to show how to encode binary strings as element of G. Such an encoding depends upon the group under consideration. Here is on possibility when G is the subgroup of quadratic residues modulo a strong prime p, i.e.,q =(p 1)/2 is also a prime. Mapping. We show that the mapping f : {0, 1,...,(p 1)/2}! G given by f ( m) =[ m 2 mod p] isa bijection and e ectively reversible. Encoding. We can now map a string m of length n 1 to an element m 2 G as follows: given m 2 {0, 1} n 1,interpretitasan integer and add 1 to obtain an integer m with 1 apple m apple q.* Then take m =[ m 2 mod p]. *Recall that n =k q k Chosen ciphertext attacks: Sad news once again In section 11.2.3 the authors give a precise definition of security against chosen-ciphertext attacks together with a number of realistic scenarios where such an attack might be carried out. Sadly, none of the public-key schemes discussed are secure under this definition. Indeed, the text also details attacks against each of textbook RSA (not surprising), PKCS #1 v1.5, and El Gamal.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback