On the security of ElGamal-based encryption - PowerPoint PPT Presentation

1
On the security of ElGamal-based encryption
  • Yiannis Tsiounis, GTE Labs
  • Moti Yung, CertCo LLC

2
Secure encryption
  • Semantic security [GM84, Gol89]
      • Hide all partial information
      • Immune against a-priori knowledge
  • Chosen ciphertext security [NY90]
      • Sender is aware of the plaintext
  • Non-malleability [DDN91]
      • Message sender cannot be altered by man-in-the-middle

3
Previous work
  • Semantic security, chosen-ciphertext security
      • General (inefficient) solutions [GM84, NY90]
      • R.O.-based solutions [BR93, BR97]; R.O. implementations [Can97]
  • Non-malleability
      • Inefficient solutions [DDN91]

4
Our contributions
  • Semantic security
      • Directly from decision Diffie-Hellman
      • Retaining homomorphic properties
      • Exact analysis of efficiency of the reduction
  • Non-malleability (and chosen ciphertext security)
      • Decision D-H and R.O. that are collision-free [PS96] (no secrecy requirements)

5
Preliminaries
  • ElGamal encryption
      • $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
      • Private key $x$
      • Public key $y = g^x \pmod{P}$
      • $E(m) = (g^k,\ y^k m)$, $m \in G_Q$
  • Decision Diffie-Hellman
      • $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
      • Distinguish $\langle g^a, g^b, g^{ab} \rangle$ from $\langle g^a, g^b, g^c \rangle$

6
Preliminaries (cont.)
  • Semantic security: indistinguishability of encryptions
      • It is infeasible to find 2 messages whose encryptions can be
        distinguished (non-negligibly better than random guessing)

7
ElGamal → decision D-H
  • Assume we have an ElGamal oracle
  • Given a triplet $\langle g^a, g^b, y \rangle$, decide if it is a
    D-H triplet ($y = g^{ab}$?)
  • 1. Preparation stage: find two messages that the oracle can distinguish
  • 2. Testing phase: test if the oracle can distinguish between
    message 1 (or 2) and random messages

8
Proof (cont.)
  • 3. Decision phase: generator $g$, public key $g^{bw}$ ($w$ random)
  • Randomize message 1 (or 2)
  • Correctly: $E(m) = (g^u,\ m\,(g^b)^{wu})$
  • Based on the given triplet $\langle g^a, g^b, y \rangle$:
    $E(m') = ((g^a)^t g^v,\ m\,y^{wt}(g^b)^{wv})$
  • $m' = m$ (if $y = g^{ab}$), random otherwise
  • Run oracle on $E(m)$, $E(m')$
  • 1. Distinguish? → not a D-H triplet
  • 2. Else: correct D-H triplet

9
Decision D-H → ElGamal
  • Given a decision D-H oracle, find two messages
    whose ElGamal encryptions can be distinguished
  • For any two $m, m'$ ($y = g^x$)
  • $E(m) = (g^a,\ m_0 y^a)$, $E(m') = (g^b,\ m_1 y^b)$
  • Feed $\langle g^a,\ y g^v,\ y^a m_0 g^{av}/m \rangle = \langle g^a,\ g^{x+v},\ g^{(x+v)a} m_0/m \rangle$ (random $v$)
  • If it is a correct triplet, then $m_0 = m$, else $m_0 \neq m$

10
Non-malleability
  • Given ciphertext $C$, cannot construct ciphertext
    $C'$ such that the plaintexts are related
  • All we need is a proof of knowledge of the plaintext
  • I.e., a proof of knowledge of $k$ in $E(m) = (g^k,\ y^k m)$
  • But it must be a non-malleable ZK proof: it must
    be bound to the prover

11
The non-malleable extension
  • A Schnorr-type ZK proof of knowledge of $k$, with
    the sender's identity in the challenge (hash)
  • $A = (g^k,\ y^k m)$, $F = g^v$, $C = k \cdot H(ID, g, A, F) + v$
  • $E(m) = (A, F, C, ID)$
  • Random oracle is used only as a 'trusted beacon'
    [PS96] - not for information hiding
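
The construction on this slide, written out as an added example (not code from the presentation): ElGamal with a Schnorr-type proof of knowledge of k whose challenge hashes the sender ID, so a ciphertext that is rescaled or re-labelled no longer verifies. The toy group, SHA-256 standing in for H, and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# P = aQ + 1 with a = 2 and P, Q prime; g = 4 has order Q in Z_P^*.
Q = 1019
P = 2 * Q + 1
G = 4

def H(ident, g, A, F):
    """Challenge hash H(ID, g, A, F), reduced mod Q (SHA-256 is an assumption)."""
    data = repr((ident, g, A, F)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # private key x
    return x, pow(G, x, P)                      # public key y = g^x mod P

def encrypt(y, m, ident):
    """Return E(m) = (A, F, C, ID) for a message m in G_Q."""
    k = secrets.randbelow(Q - 1) + 1
    v = secrets.randbelow(Q - 1) + 1
    A = (pow(G, k, P), pow(y, k, P) * m % P)    # plain ElGamal pair (g^k, y^k m)
    F = pow(G, v, P)                            # Schnorr commitment g^v
    C = (k * H(ident, G, A, F) + v) % Q         # response, bound to ID and A
    return A, F, C, ident

def verify(ct):
    """Check the proof of knowledge of k: g^C == (g^k)^H * F (mod P)."""
    A, F, C, ident = ct
    if not all(1 <= e < P and pow(e, Q, P) == 1 for e in (*A, F)):
        return False                            # element outside G_Q
    return pow(G, C, P) == pow(A[0], H(ident, G, A, F), P) * F % P

def decrypt(x, ct):
    """Decrypt only if the proof verifies; otherwise return None."""
    if not verify(ct):
        return None
    (a, b), _, _, _ = ct
    return b * pow(a, Q - x, P) % P             # b / a^x, since a has order Q
```

In a group this small a changed challenge still collides mod Q about once in 1019 tries, so the rejection is only as strong as the toy parameters.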

12
Security proof
  • 1. We need to verify that semantic security still
    holds (the knowledge proof does not leak
    information)
  • 2. Knowledge of $k$ is provided by the Schnorr proof
  • 3. Sender-bound: the addition forms a Schnorr
    signature of ID based on $k$, which is
    existentially unforgeable [PS96]

13
Practical implications: Encryption
  • ElGamal is as secure as [BR94][Can97]
  • Non-malleability can be added at minimal
    efficiency costs
  • In applications a signature is still needed
  • Otherwise senders can be impersonated
  • Signcryption using Schnorr-proofs is a smooth
    addition

14
Implications: protocols
  • First encryption scheme with homomorphic
    properties that is semantically secure
  • Anonymous e-cash escrowing can be performed
    based on decision D-H