On the CCA1-Security of Elgamal and Damgård's Elgamal


On the CCA1-Security of Elgamal and Damgård's Elgamal. Cybernetica AS, Estonia; Tallinn University, Estonia. October 21, 2010

Outline I Motivation 1 Motivation 2 3

Motivation
Three well-known security requirements for public-key encryption: CPA < CCA1 < CCA2.
CPA and CCA1 allow homomorphic encryption; CCA2 doesn't.
Much is known about CPA and CCA2 security:
CPA: homomorphic schemes (Elgamal, Paillier, ...); widely used, with applications in cryptographic protocols.
CCA2: Cramer-Shoup, Kurosawa-Desmedt, ...; used as encryption per se.

Motivation
What about CCA1-security?
More security than CPA, but still allows homomorphisms.
More efficient than CCA2-secure cryptosystems.
Is Elgamal CCA1-secure?
Possible corollary: if Elgamal is CCA1-secure, then any (well-designed) protocol that uses Elgamal in order to be CPA-secure automatically becomes CCA1-secure.

Public-Key Cryptosystems
The sender holds pk and sends c ← Enc_pk(m); the receiver holds sk and recovers m.

CPA-Security
Alice holds sk; SpongeBob gets pk. SpongeBob sends (m_0, m_1), Alice returns c ← Enc_pk(m_b), SpongeBob outputs b'. SpongeBob wins if b' = b.

CCA1-Security
Alice holds sk; SpongeBob gets pk. Before the challenge SpongeBob may submit ciphertexts c' and receive Dec_sk(c'). He then sends (m_0, m_1), Alice returns c ← Enc_pk(m_b), SpongeBob outputs b'. SpongeBob wins if b' = b.

CCA2-Security
Alice holds sk; SpongeBob gets pk. Before the challenge SpongeBob may submit ciphertexts c' and receive Dec_sk(c'). He then sends (m_0, m_1), Alice returns c ← Enc_pk(m_b). After the challenge he may still submit any c' ≠ c and receive Dec_sk(c'). SpongeBob outputs b' and wins if b' = b.

CCA2-Security and Homomorphic Schemes
Assume the cryptosystem is homomorphic. SpongeBob can break CCA2-security as follows:
He generates the challenge pair (m_0, m_1) = (1, g).
Alice returns c ← Enc_pk(g^b) for random b ∈ {0, 1}.
In the post-challenge query phase, SpongeBob submits c' ← c · Enc_pk(g) (≠ c) to Alice.
Alice responds with its decryption m' = g^{1+b}.
SpongeBob computes m'/g = g^b and answers b = 0 if it equals 1, else b = 1.
However, CCA1-secure cryptosystems can be homomorphic: the attack needs a decryption query after the challenge.

Elgamal
Key generation: sk ← Z_q, pk ← g^sk.
Encryption: r ← Z_q, Enc_pk(m; r) = (d, e) := (g^r, m · pk^r).
Decryption: Dec_sk(d, e) := e / d^sk.
CPA-security of Elgamal is tautologically equivalent to DDH.
Homomorphic: Enc_pk(m; r) · Enc_pk(m'; r') = Enc_pk(m · m'; r + r'). Thus not CCA2-secure.

Damgård's Elgamal (DEG)
Key generation: sk_1, sk_2 ← Z_q, pk_i ← g^{sk_i}.
Encryption: r ← Z_q, Enc_pk(m; r) = (d, e, f) := (g^r, pk_1^r, m · pk_2^r).
Decryption: if d^{sk_1} ≠ e then return error, else return f / d^{sk_2}.
The decryption check shows that the encrypter "knows" r.
Damgård: DEG is CCA1-secure under a knowledge assumption.
Gjøsteen: DEG is CCA1-secure under the DDH^{DDH} assumption.
Homomorphic (all three components multiply), thus not CCA2-secure.
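The three preceding slides (SpongeBob's homomorphic CCA2 attack, Elgamal, and DEG) as an added runnable example; this is not code from the slides or their author. The group parameters are an assumption chosen so the example runs offline: p = 1019 = 2·509 + 1 is a safe prime and g = 4 generates the order-q subgroup, where a real deployment would use a 2048-bit-plus group or an elliptic curve. The example shows that both schemes decrypt correctly, that both are multiplicatively homomorphic, that SpongeBob's single post-challenge query wins the CCA2 game against either scheme every time, and that DEG's decryption check still rejects a ciphertext whose second component was tampered with.

```python
import secrets

# Toy group (an assumption of this example, not from the slides): p = 2q + 1 is
# a safe prime and g = 4 = 2^2 generates the order-q subgroup of quadratic
# residues mod p.  Real deployments use a 2048-bit-plus group or a curve.
P, Q, G = 1019, 509, 4


def inv(x):
    """Multiplicative inverse mod p."""
    return pow(x, -1, P)


# --- Elgamal: sk <- Z_q, pk = g^sk; Enc(m; r) = (g^r, m * pk^r); Dec = e / d^sk
def eg_keygen():
    sk = secrets.randbelow(Q)
    return sk, pow(G, sk, P)


def eg_enc(pk, m, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def eg_dec(sk, ct):
    d, e = ct
    return (e * inv(pow(d, sk, P))) % P


def eg_mul(c1, c2):
    """Enc(m; r) * Enc(m'; r') = Enc(m m'; r + r'), component-wise."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


# --- Damgard's Elgamal (DEG): sk = (sk1, sk2), pk = (g^sk1, g^sk2);
#     Enc(m; r) = (g^r, pk1^r, m * pk2^r); Dec first checks d^sk1 == e.
def deg_keygen():
    sk1, sk2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (sk1, sk2), (pow(G, sk1, P), pow(G, sk2, P))


def deg_enc(pk, m, r=None):
    pk1, pk2 = pk
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), pow(pk1, r, P), (m * pow(pk2, r, P)) % P


def deg_dec(sk, ct):
    sk1, sk2 = sk
    d, e, f = ct
    if pow(d, sk1, P) != e:
        return None  # the slides' "error": (d, e) is not of the form (g^r, pk1^r)
    return (f * inv(pow(d, sk2, P))) % P


def deg_mul(c1, c2):
    """DEG is homomorphic too: all three components multiply."""
    return tuple((a * b) % P for a, b in zip(c1, c2))


ELGAMAL = (eg_keygen, eg_enc, eg_dec, eg_mul)
DEG = (deg_keygen, deg_enc, deg_dec, deg_mul)


def spongebob(enc, mul, dec_oracle, pk, challenge):
    """SpongeBob's post-challenge query from the slides.

    The challenge pair was (m0, m1) = (1, g), so the challenge encrypts g^b.
    Multiplying it by a fresh Enc(g) gives a *different* ciphertext of g^(1+b),
    which a CCA2 oracle must decrypt; dividing by g recovers g^b.
    """
    c_prime = mul(challenge, enc(pk, G))
    m_prime = dec_oracle(c_prime)          # = g^(1 + b)
    return 0 if (m_prime * inv(G)) % P == 1 else 1


def cca2_game(scheme):
    """Run the CCA2 game once; True if SpongeBob guesses Alice's bit b."""
    keygen, enc, dec, mul = scheme
    sk, pk = keygen()
    b = secrets.randbelow(2)
    challenge = enc(pk, (1, G)[b])

    def dec_oracle(ct):
        if ct == challenge:                # the only query CCA2 forbids
            raise ValueError("oracle refuses the challenge ciphertext")
        return dec(sk, ct)

    return spongebob(enc, mul, dec_oracle, pk, challenge) == b


def deg_rejects_tampered_e():
    """DEG's check catches a ciphertext whose e component was altered."""
    sk, pk = deg_keygen()
    d, e, f = deg_enc(pk, pow(G, 7, P))
    return deg_dec(sk, (d, (e * G) % P, f)) is None
```

The attack is the same function for both schemes because it only uses the homomorphism and one post-challenge decryption; a CCA1 oracle, which stops answering once the challenge is issued, never sees c'. Note that the DEG check does not help here either: c' is a perfectly well-formed DEG ciphertext, since the check only rejects tuples whose (d, e) part is inconsistent.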

Main Questions
Elgamal is CPA-secure but not CCA2-secure. Is Elgamal CCA1-secure? If so, under which assumption? Is that assumption reasonable?
DEG is CCA1-secure but not CCA2-secure. Is it CCA1-secure under DDH? Is the DEG-CCA1 assumption weaker than the Elgamal-CCA1 assumption?

Previous Results
DDH^{DDH} → DEG-CCA1 [Gjøsteen]; DDH^{DDH} is √q-secure in the generic group model.

New Results
Previous results: DDH^{DDH} → DEG-CCA1, with DDH^{DDH} √q-secure in the generic group model.
New results: Elgamal-CCA1 follows from DDH^{CDH} (reduction); the irreductions of the following slides relate DEG-CCA1 back to DDH^{DDH} and Elgamal-CCA1 back to DDH^{CDH}; DDH^{CDH} is ∛q-secure in the generic group model.

Main Techniques: Reductions
CCA1-security is itself a particular assumption: the adversary has oracle access to decryption only before the challenge, and it decrypts under the same key.
Our assumptions all have the same form:
DDH^{DDH} [Gjøsteen]: DDH is secure even if the adversary is given nonadaptive oracle access to DDH under the same (g, h).
DDH^{CDH}: ... nonadaptive oracle access to CDH ...
Lemmoid: X^Y ⇐ X'^{Y'} follows from X ⇐ X' and Y ⇐ Y' (for Elgamal, X is CPA-security, X' is DDH, and the decryption oracle Y is simulated from the CDH oracle Y', since Dec_sk(d, e) = e / CDH_{g,pk}(d)).
All our reductions follow this pattern.
All reductions are static: the adversary only makes queries for a fixed (g, h).
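An added worked instance of the Lemmoid for Elgamal (this derivation is not on the slides; it spells out the reduction the slide describes). Write the public key as $h = g^{x}$ and let $\mathrm{CDH}_{g,h}(d) = h^{\log_g d} = d^{x}$ be the CDH oracle under the fixed pair $(g, h)$. Then

$$\mathrm{Dec}_{sk}(d, e) \;=\; \frac{e}{d^{x}} \;=\; \frac{e}{\mathrm{CDH}_{g,h}(d)},$$

so every pre-challenge decryption query of a CCA1 adversary can be answered by the CDH oracle without knowing $x$; because the oracle is only needed before the challenge, nonadaptive access suffices. Given a DDH instance $(g, h, u, v)$ with $u = g^{r}$, the reduction answers the challenge $(m_0, m_1)$ with

$$c \;=\; (u,\; m_b \cdot v).$$

If $v = h^{r}$ then $c = (g^{r}, m_b \cdot h^{r}) = \mathrm{Enc}_h(m_b; r)$, distributed exactly as the real CCA1 challenge; if $v$ is uniform in the group then $m_b \cdot v$ is uniform and independent of $b$, so the adversary's guess is correct with probability exactly $1/2$. Outputting "DDH tuple" iff $b' = b$ therefore gives

$$\mathrm{Adv}^{\mathrm{DDH}^{\mathrm{CDH}}} \;=\; \Pr[b' = b \mid v = h^{r}] - \Pr[b' = b \mid v \text{ uniform}] \;=\; \mathrm{Adv}^{\mathrm{Elgamal\text{-}CCA1}},$$

which is the reduction Elgamal-CCA1 $\Leftarrow$ DDH$^{\mathrm{CDH}}$. The same shape with the DEG check $d^{sk_1} = e$ answered by a DDH oracle on $(g, pk_1, d, e)$ gives DEG-CCA1 $\Leftarrow$ DDH$^{\mathrm{DDH}}$.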

Main Techniques: Irreductions
An irreduction X ⇐ Y is an adversary that, given as an oracle a poly-time reduction X ⇐ Y, solves Y.
Interpretation: if Y is not harder than X, then X and Y are both easy.
Caveat: all our irreductions are also static. Assuming the reductions are static, the irreductions also only query with a fixed (g, h).
Open question: remove the adverb "static" from the irreductions.

Lower Bound in GGM
Generic Group Model: the adversary can access the group only in a black-box manner, through oracle access to the group operations.
Security in the GGM is an indicator of security in the standard model.
Proof idea: the adversary can construct up to P + R polynomials of degree Q in (x, y). She breaks DDH^{CDH} only if two of those polynomials have a common root.
Probability: Q(P + R)^2 / q = O(k^3) / q, where k is the working time and q is the largest prime factor of the group order.
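The step from "two polynomials share a root" to the stated bound, added here as a worked derivation (not on the slides). With $x, y$ uniform in $\mathbb{Z}_q$ and $F_1, \dots, F_{P+R}$ the adversary's polynomials of total degree at most $Q$, a pair $F_i \neq F_j$ is detected as equal only if the nonzero polynomial $F_i - F_j$ vanishes at $(x, y)$, so by Schwartz–Zippel

$$\Pr\big[F_i(x, y) = F_j(x, y)\big] \;\le\; \frac{Q}{q}.$$

A union bound over the at most $\binom{P+R}{2} < (P+R)^2/2$ pairs gives

$$\Pr[\text{some pair collides}] \;\le\; \binom{P+R}{2}\frac{Q}{q} \;<\; \frac{Q\,(P+R)^2}{q},$$

and since the number of oracle queries and polynomials is bounded by the working time, $P, R, Q \le k$, this is $O(k^3)/q$. A constant success probability therefore needs $k = \Omega(\sqrt[3]{q})$, which is the $\sqrt[3]{q}$-security of DDH$^{\mathrm{CDH}}$ claimed on the results slide.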

Questions?