Presentation is loading. Please wait.

Presentation is loading. Please wait.

ElGamal Security Public key encryption from Diffie-Hellman

Published byChaim Lindon Modified over 9 years ago

Similar presentations

Presentation on theme: "ElGamal Security Public key encryption from Diffie-Hellman"— Presentation transcript:

1 ElGamal Security Public key encryption from Diffie-Hellman
Online Cryptography Course Dan Boneh Public key encryption from Diffie-Hellman ElGamal Security

2 Computational Diffie-Hellman Assumption
G: finite cyclic group of order n Comp. DH (CDH) assumption holds in G if: g, ga , gb ⇏ gab for all efficient algs. A: Pr[ A(g, ga, gb ) = gab ] < negligible where g ⟵ {generators of G} , a, b ⟵ Zn

3 Hash Diffie-Hellman Assumption
G: finite cyclic group of order n , H: G2 ⟶ K a hash function Def: Hash-DH (HDH) assumption holds for (G, H) if: (g, ga, gb , H(gb,gab) ) ≈p (g, ga, gb , R ) where g ⟵ {generators of G} , a, b ⟵ Zn , R ⟵ K H acts as an extractor: strange distribution on G2 ⇒ uniform on K

4 Suppose K = {0,1}128 and H: G2 ⟶ K only outputs strings in K that begin with 0 ( i.e. for all x,y: msb(H(x,y))=0 ) Can Hash-DH hold for (G, H) ? Yes, for some groups G No, Hash-DH is easy to break in this case Yes, Hash-DH is always true for such H

5 ElGamal is sem. secure under Hash-DH
KeyGen: g ⟵ {generators of G} , a ⟵ Zn output pk = (g, h=ga) , sk = a E( pk=(g,h), m) : b ⟵ Zn k ⟵ H(gb,hb) , c ⟵ Es(k, m) output (gb, c) D( sk=a, (u,c) ) : k ⟵ H(u,ua) , m ⟵ Ds(k, c) output m

6 ElGamal is sem. secure under Hash-DH
chal. adv. A pk,sk m0 , m1 gb, Es(H(), m0) b’≟1 pk = (g,ga) chal. adv. A pk,sk m0 , m1 gb, Es(k, m0) b’≟1 pk = (g,ga) kK ≈p (gb , gab) ≈p ≈p chal. adv. A pk,sk m0 , m1 gb, Es(H(), m1) b’≟1 pk = (g,ga) chal. adv. A pk,sk m0 , m1 gb, Es(k, m1) b’≟1 pk = (g,ga) kK ≈p Input to hash: g^a, g^ab (gb , gab)

7 ElGamal chosen ciphertext security?
To prove chosen ciphertext security need stronger assumption Interactive Diffie-Hellman (IDH) in group G: IDH holds in G if: ∀efficient A: Pr[ A outputs gab] < negligible g, h=ga, u=gb Chal. Adv. A (u1,v1) g⟵{gen} a,b⟵Zn v wins if v=gab if (u1)a = v1 otherwise

8 ElGamal chosen ciphertext security?
Security Theorem: If IDH holds in the group G, (Es, Ds) provides auth. enc. and H: G2 ⟶ K is a “random oracle” then ElGamal is CCAro secure. Questions: (1) can we prove CCA security based on CDH? (2) can we prove CCA security without random oracles?

9 End of Segment

Download ppt "ElGamal Security Public key encryption from Diffie-Hellman"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
7. Asymmetric encryption-

7. Asymmetric encryption-
Identity Based Encryption

Identity Based Encryption
1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.

1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Slide 1 Vitaly Shmatikov CS 380S Semantic Security.

Slide 1 Vitaly Shmatikov CS 380S Semantic Security.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security

Similar presentations

Ads by Google