On the security of ElGamal-based encryption

1
On the security of ElGamal-based encryption

• Yiannis Tsiounis, GTE Labs
• Moti Yung, CertCo LLC

2
Secure encryption

• Semantic Security GM84, Gol89
• Hide all partial information
• Immune against a-priori knowledge
• Chosen ciphertext security NY90
• Sender is aware of the plaintext
• Non-malleability DDN91
• Message sender cannot be altered by
  man-in-the-middle

3
Previous work

• Semantic security chosen-ciphertext security
• General (inefficient) solutions GM84, NY90
• R.O.-based solutions BR93, BR97 R.O.
  implementations Can97
• Non-malleability
• Inefficient solutions DDN91

4
Our contributions

• Semantic security
• Directly from decision Diffie-Hellman
• Retaining homomorphic properties
• Exact analysis of efficiency of the reduction
• Non-malleability (and chosen ciphertext security)
• decision D-H R.O. that are collision-free
  PS96 (no secrecy requirements)

5
Preliminaries

• ElGamal encryption
• P aQ 1, P,Q primes, g Q
• Private key x
• Public key y gx (mod P)
• E(m) gk, yk m (m ? GQ)
• Decision Diffie-Hellman
• P aQ 1, P,Q primes, g Q
• Distinguish lt ga, gb, gabgt from ltga, gb, gc gt

6
Preliminaries (cont.)

• Semantic security indistinguishability of
  encryptions
• It is infeasible to find 2 messages whose
  encryptions can be distinguished (non-negl.
  better than random guessing)

7
ElGamal gt decision D-H

• Assume we have ElGamal oracle
• Given a triplet ltga, gb, y gt decide if it is a
  D-H triplet (y gab ?)
• 1. Preparation stage Find two messages that the
  oracle can distinguish
• 2. Testing phase test if the oracle can
  distinguish between message 1 (or 2) and random
  messages

8
Proof (cont.)

• 3. Decision phase generator g, public key gbw (w
  random)
• Randomize message 1 (or 2)
• Correctly E(m) gu , m (gb)wu
• Based on given triplet ltga, gb, y gt E(m)
  (ga)t g v , m ywt (gb)wv
• m m (if y gab), random otherwise
• Run oracle on E(m), E(m)
• 1. Distinguish? gt not D-H triplet
• 2. Else correct D-H triplet

9
Decision D-H gt ElGamal

• Given decision D-H oracle, find two messages
  whose ElGamal encryptions can be distinguished
• For any two m, m (y gx)
• E(m) ga, m0 ya , E(m) gb, m1 yb
• Feed ltga, y gv , ya m0 gav /mgt lt ga, gxv ,
  g(xv)a m0/mgt (random v)
• If it is a correct triplet, then m0m , else m0
  m

10
Non-malleability

• Given ciphertext C, cannot construct ciphertext
  C such that the plaintexts are related
• All we need is a proof of knowledge of the
  plaintext
• I.e., a proof of knowledge of k in E(m) gk,
  yk m
• But, it must be a non-malleable ZK proof it must
  be bound to the prover

11
The non-malleable extension

• A Schnorr-type ZK proof of knowledge of k, with
  the senders identity in the challenge (hash)
• A gk, yk m, F gv, C k H(ID, g, A, F) v
• E(m) A, F, C, ID
• Random oracle is used only as a trusted beacon
  PS96 - not for information hiding

12
Security proof

• 1. We need to verify that semantic security still
  holds (the knowledge proof does not leak
  information)
• 2. Knowledge of k provided from Schnorr proof
• 3. Sender-bound the addition forms a Schnorr
  signature of ID based on k, which is
  existentially unforgeable PS96

13
Practical implications Encryption

• ElGamal is as secure as BR94Can97
• Non-malleability can be added at minimal
  efficiency costs
• In applications a signature is still needed
• Otherwise senders can be impersonated
• Signcryption using Schnorr-proofs is a smooth
  addition

14
Implications protocols

• First encryption scheme with homomorphic
  properties that is semantically secure
• Anonymous e-cash escrowing can be performed
  based on decision D-H