On the security of ElGamal-based encryption. Yiannis Tsiounis, GTE Labs; Moti Yung, CertCo LLC.


1 On the security of ElGamal-based encryption
Yiannis Tsiounis, GTE Labs
Moti Yung, CertCo LLC

2 Secure encryption
- Semantic Security [GM84, Gol89]
  - Hide all partial information
  - Immune against a-priori knowledge
- Chosen ciphertext security [NY90]
  - Sender is “aware” of the plaintext
- Non-malleability [DDN91]
  - Message & sender cannot be altered by man-in-the-middle

3 Previous work
- Semantic security & chosen-ciphertext security
  - General (inefficient) solutions [GM84, NY90]
  - R.O.-based solutions [BR93, BR97] + R.O. implementations [Can97]
- Non-malleability
  - Inefficient solutions [DDN91]

4 Our contributions
- Semantic security
  - Directly from decision Diffie-Hellman
  - Retaining homomorphic properties
  - Exact analysis of efficiency of the reduction
- Non-malleability (and chosen ciphertext security)
  - decision D-H + R.O. that are collision-free [PS96] (no secrecy requirements)

5 Preliminaries
- ElGamal encryption
  - $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  - Private key: $x$
  - Public key: $y = g^x \pmod{P}$
  - $E(m) = g^k,\ y^k m$ ($m \in G_Q$)
- Decision Diffie-Hellman
  - $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  - Distinguish from

6 Preliminaries (cont.)
- Semantic security = indistinguishability of encryptions: It is infeasible to find 2 messages whose encryptions can be distinguished (non-negl. better than random guessing)

7 ElGamal => decision D-H
- Assume we have ElGamal oracle
- Given a triplet decide if it is a D-H triplet ($y = g^{ab}$?)
1. Preparation stage: Find two messages that the oracle can distinguish
2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

8 Proof (cont.)
3. Decision phase: generator $g$, public key $g^{bw}$ ($w$ random)
- Randomize message 1 (or 2)
  - Correctly: $E(m) = g^u,\ m (g^b)^{wu}$
  - Based on given triplet: $E(m') = (g^a)^t g^v,\ m\, y^{wt} (g^b)^{wv}$; $m' = m$ (if $y = g^{ab}$), random otherwise
- Run oracle on $E(m)$, $E(m')$
  1. Distinguish? ==> not D-H triplet
  2. Else: correct D-H triplet

9 Decision D-H => ElGamal
- Given decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished
- For any two $m, m'$: ($y = g^x$)
  - $E(m) = g^a,\ m_0 y^a$, $E(m') = g^b,\ m_1 y^b$
  - Feed = (random $v$)
  - If it is a correct triplet, then $m_0 = m$, else $m_0 = m'$

10 Non-malleability
- Given ciphertext $C$, cannot construct ciphertext $C'$ such that the plaintexts are related
- All we need is a proof of knowledge of the plaintext
  - I.e., a proof of knowledge of $k$ in $E(m) = g^k,\ y^k m$
  - But, it must be a non-malleable ZK proof: it must be bound to the prover

11 The non-malleable extension
- A Schnorr-type ZK proof of knowledge of $k$, with the sender’s identity in the challenge (hash)
  $A = [g^k,\ y^k m]$, $F = g^v$, $C = k\,H(ID, g, A, F) + v$
  $E(m) = [A, F, C, ID]$
- Random oracle is used only as a “trusted beacon” [PS96] - not for information hiding
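The construction on slide 11, worked through as an added Python example (not code from the presentation), showing that the proof rejects a multiplied ciphertext and a swapped sender ID while plain ElGamal accepts the former. Assumptions: toy 61-bit subgroup parameters built at import time, SHA-256 standing in for H, the receiver-side check $g^C = (g^k)^H F$ derived from $C = kH + v$, and all function names are hypothetical.

```python
import hashlib, secrets
from math import gcd

# Constructed toy parameters (far too small for real use): P = a*Q + 1 with
# Q = 2^61 - 1 prime. The two conditions are Pocklington's primality test for P.
Q = 2**61 - 1
a = next(a for a in range(2, 4000, 2) if pow(2, a * Q, a * Q + 1) == 1
         and gcd(pow(2, a, a * Q + 1) - 1, a * Q + 1) == 1)
P = a * Q + 1
g = pow(2, a, P)  # g != 1 and g^Q = 1, so |g| = Q

def H(ident, A, F):
    """Challenge H(ID, g, A, F); SHA-256 is an assumption, reduced mod Q."""
    data = repr((ident, g, A, F)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(g, x, P)  # private x, public y = g^x

def encrypt(y, m, ident):
    """m must lie in G_Q. Returns E(m) = [A, F, C, ID] as on slide 11."""
    k, v = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    A = (pow(g, k, P), pow(y, k, P) * m % P)
    F = pow(g, v, P)
    return A, F, (k * H(ident, A, F) + v) % Q, ident

def proof_ok(ct):
    """Receiver-side Schnorr check implied by C = k*H + v: g^C == (g^k)^H * F."""
    A, F, C, ident = ct
    return pow(g, C, P) == pow(A[0], H(ident, A, F), P) * F % P

def plain_decrypt(x, A):
    """Textbook ElGamal decryption, no proof check: A2 / A1^x."""
    return A[1] * pow(A[0], Q - x, P) % P

def decrypt(x, ct):
    """Reject any ciphertext whose proof does not bind A, F and ID together."""
    return plain_decrypt(x, ct[0]) if proof_ok(ct) else None

def demo():
    x, y = keygen()
    m = pow(g, 42, P)  # constructed message in G_Q
    A, F, C, ident = ct = encrypt(y, m, "alice")
    mauled_A = (A[0], A[1] * g % P)  # multiplies the hidden plaintext by g
    return {"roundtrip": decrypt(x, ct) == m,
            "plain_malleable": plain_decrypt(x, mauled_A) == m * g % P,
            "mauled_rejected": decrypt(x, (mauled_A, F, C, ident)) is None,
            "relabel_rejected": decrypt(x, (A, F, C, "mallory")) is None}
```

Calling `demo()` returns a dict of four checks; each one is True when the proof behaves as the slide describes.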

12 Security proof
1. We need to verify that semantic security still holds (the knowledge proof does not leak information)
2. Knowledge of k: provided from Schnorr proof
3. Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS96]

13 Practical implications: Encryption
- ElGamal is as secure as [BR94+Can97]
- Non-malleability can be added at minimal efficiency costs
- In applications a signature is still needed
  - Otherwise senders can be impersonated
  - “Signcryption” using Schnorr-proofs is a smooth addition

14 Implications: protocols
- First encryption scheme with homomorphic properties that is semantically secure
- Anonymous e-cash: escrowing can be performed based on decision D-H

