Download presentation

Presentation is loading. Please wait.

Published byChaim Lindon Modified over 2 years ago

1
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Security Online Cryptography Course Dan Boneh

2
Dan Boneh Computational Diffie-Hellman Assumption G: finite cyclic group of order n Comp. DH (CDH) assumption holds in G if: g, g a, g b ⇏ g ab for all efficient algs. A: Pr [ A(g, g a, g b ) = g ab ] < negligible where g { generators of G }, a, b Z n

3
Dan Boneh Hash Diffie-Hellman Assumption G: finite cyclic group of order n, H: G 2 K a hash function Def: Hash-DH (HDH) assumption holds for (G, H) if: ( g, g a, g b, H(g b,g ab ) ) ≈ p ( g, g a, g b, R ) where g { generators of G }, a, b Z n, R K H acts as an extractor: strange distribution on G 2 ⇒ uniform on K

4
Template vertLeftWhite2 Suppose K = {0,1} 128 and H: G 2 K only outputs strings in K that begin with 0 ( i.e. for all x,y: msb(H(x,y))=0 ) Can Hash-DH hold for (G, H) ? Yes, for some groups G No, Hash-DH is easy to break in this case Yes, Hash-DH is always true for such H

5
Dan Boneh ElGamal is sem. secure under Hash-DH KeyGen:g {generators of G}, a Z n output pk = (g, h=g a ), sk = a D( sk=a, (u,c) ) : k H(u,u a ), m D s (k, c) output m E( pk=(g,h), m) : b Z n k H(g b,h b ), c E s (k, m) output (g b, c)

6
Dan Boneh ElGamal is sem. secure under Hash-DH ≈p≈p ≈p≈p ≈p≈p chal.adv. A pk,sk m 0, m 1 g b, E s ( H(), m 0 ) b’ ≟ 1 pk = (g,g a ) chal.adv. A pk,sk m 0, m 1 g b, E s ( H(), m 1 ) b’ ≟ 1 pk = (g,g a ) chal.adv. A pk,sk m 0, m 1 g b, E s ( k, m 0 ) b’ ≟ 1 pk = (g,g a ) kKkK chal.adv. A pk,sk m 0, m 1 g b, E s ( k, m 1 ) b’ ≟ 1 pk = (g,g a ) kKkK (g b, g ab ) ≈p≈p

7
Dan Boneh ElGamal chosen ciphertext security? To prove chosen ciphertext security need stronger assumption Interactive Diffie-Hellman (IDH) in group G: IDH holds in G if: ∀ efficient A: Pr[ A outputs g ab ] < negligible Chal.Adv. A (u 1,v 1 ) g{gen} a,bZ n g, h=g a, u=g b 1if (u 1 ) a = v 1 0 otherwise v wins if v=g ab

8
Dan Boneh ElGamal chosen ciphertext security? Security Theorem: If IDH holds in the group G, (E s, D s ) provides auth. enc. and H: G 2 K is a “random oracle” then ElGamal is CCA ro secure. Questions:(1) can we prove CCA security based on CDH? (2) can we prove CCA security without random oracles?

9
Dan Boneh End of Segment

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google