Download presentation

Presentation is loading. Please wait.

Published byAbril Battershell Modified over 3 years ago

1
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh

2
Dan Boneh Review: ElGamal encryption KeyGen:g {generators of G}, a Z n output pk = (g, h=g a ), sk = a D( sk=a, (u,c) ) : k H(u,u a ), m D s (k, c) output m E( pk=(g,h), m) : b Z n k H(g b,h b ), c E s (k, m) output (g b, c)

3
Dan Boneh ElGamal chosen ciphertext security Security Theorem: If IDH holds in the group G, (E s, D s ) provides auth. enc. and H: G 2 K is a “random oracle” then ElGamal is CCA ro secure. Can we prove CCA security based on CDH (g, g a, g b ↛ g ab ) ? Option 1: use group G where CDH = IDH (a.k.a bilinear group) Option 2: change the ElGamal system

4
Dan Boneh Variants: twin ElGamal [CKS’08] KeyGen:g {generators of G}, a1, a2 Z n output pk = (g, h 1 =g a1, h 2 =g a2 ), sk = (a1, a2) D ( sk=(a1,a2), (u,c) ) : k H(u, u a1, u a2 ) m D s (k, c) output m E ( pk=(g,h 1,h 2 ), m ) : b Z n k H(g b, h 1 b, h 2 b ) c E s (k, m) output (g b, c)

5
Dan Boneh Chosen ciphertext security Security Theorem: If CDH holds in the group G, (E s, D s ) provides auth. enc. and H: G 3 K is a “random oracle” then twin ElGamal is CCA ro secure. Cost: one more exponentiation during enc/dec – Is it worth it? No one knows …

6
Dan Boneh ElGamal security w/o random oracles? Can we prove CCA security without random oracles? Option 1: use Hash-DH assumption in “bilinear groups” – Special elliptic curve with more structure [CHK’04 + BB’04] Option 2: use Decision-DH assumption in any group [CS’98]

7
Dan Boneh Further Reading The Decision Diffie-Hellman problem. D. Boneh, ANTS 3, 1998 Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption. R. Cramer and V. Shoup, Eurocrypt 2002 Chosen-ciphertext security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi, and J. Katz, SICOMP 2007 The Twin Diffie-Hellman problem and applications. D. Cash, E. Kiltz, V. Shoup, Eurocrypt 2008 Efficient chosen-ciphertext security via extractable hash proofs. H. Wee, Crypto 2010

Similar presentations

OK

1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.

1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To ensure the functioning of the site, we use **cookies**. We share information about your activities on the site with our partners and Google partners: social networks and companies engaged in advertising and web analytics. For more information, see the Privacy Policy and Google Privacy & Terms.
Your consent to our cookies if you continue to use this website.

Ads by Google

Ppt on nature and human development Ppt on bacterial zoonoses Ppt on carburetor working principle Ppt on fairs and festivals of india Ppt on content management system Ppt on acid-base titration curve Ppt on various layers of the earth Ppt on ufo and aliens history Hindi ppt on pollution Ppt on disposal of plastic waste