On the Hardness of Proving CCA-Security of Signed ElGamal Bogdan Warinschi (University of Bristol) joint work with David Bernhard, Marc Fischlin.

Presentation transcript:


ElGamal encryption
public key: X = g^x
secret key: sk = x
encryption: Enc(X, m; r) = (R, D) = (g^r, X^r · m)
decryption: Dec(x, (R, D)) = D / R^x = X^r · m / (g^r)^x = (g^x)^r · m / (g^r)^x = m

Chosen-Plaintext Security (IND-CPA game)
The challenger generates (sk, pk) and sends pk to the adversary; the adversary chooses m_0, m_1; the challenger picks a random bit b and returns C = Enc(pk, m_b); the adversary outputs a guess d and wins if d = b.
For ElGamal: IND-CPA ⇔ DDH [Tsiounis and Yung, PKC'98]

Chosen-Ciphertext Security (IND-CCA game)
As in the IND-CPA game, but the adversary additionally has a decryption oracle: it may submit any ciphertext C other than the challenge itself and receive m = Dec(sk, C), both before and after receiving the challenge.
ElGamal is not IND-CCA: from the challenge (R, D) = (g^r, pk^r · m) the adversary forms (R*, D*) = (R · g^s, D · pk^s) = (g^(r+s), pk^(r+s) · m), a different ciphertext of the same message, and asks the oracle to decrypt it.

Chosen-Ciphertext Security
chosen-ciphertext security (IND-CCA): the adversary cannot learn anything about m, even when learning the decryptions of other ciphertexts

Potential Solution
Add a "proof of knowledge" π to the ciphertext: (R, D, π) = (g^r, pk^r · m, π), where π proves "I know the exponent r".
Idea:
– for any decryption query (R*, D*) the adversary already knows r*
– so she could decrypt herself as D* / pk^(r*) = pk^(r*) · m* / pk^(r*) = m*
– hence decryptions of other ciphertexts do not help to learn anything about the original message m

Schnorr Signatures
The obvious candidate for a proof of knowledge for ElGamal encryption are Schnorr signatures [S'91]. The prover knows r with R = g^r; the verifier knows R.
– prover: pick random a, compute A = g^a, send A
– verifier: pick a random challenge c, send c
– prover: compute s = a + c·r, send s
– verifier: check A · R^c = g^s

Proof of Knowledge Property
Run the prover once to obtain A, then challenge it twice (by rewinding):
– prover: pick random a, compute A = g^a
– verifier: pick random challenge c; prover computes s = a + c·r; check A · R^c = g^s
– verifier: rewind, pick random challenge c*; prover computes s*; check A · R^(c*) = g^(s*)
From the two verification equations, R^(-c) · g^s = A = R^(-c*) · g^(s*), so knowledge of r is shown via r = (s* − s) / (c* − c).

Removing Interaction [FS'86]
Fiat-Shamir heuristic: assume a good hash function H ("random oracle model") and replace the verifier's challenge by c = H(R, A):
– prover: pick random a, compute A = g^a, compute c = H(R, A), compute s = a + c·r
– verifier: for c = H(R, A), check A · R^c = g^s

Signed ElGamal encryption
public key: X = g^x
secret key: x
encryption: Enc(X, m; r) = (R, D, A, s) = (g^r, X^r · m, g^a, a + r·c) where c = H(X, R, D, A)
decryption: decrypt only if the proof is valid (A · R^c = g^s for c = H(X, R, D, A))
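The ElGamal and Signed ElGamal constructions above, as an added worked example (not code from the paper or its authors): it assumes a toy safe-prime group (p = 7823, q = 3911, g = 4, constructed here and far too small for real use) and SHA-256 as the Fiat-Shamir hash H with an input encoding of our own choosing. It shows the re-randomisation from the IND-CCA slide decrypting to the same m under plain ElGamal but being rejected by Signed ElGamal's proof check, and the rewinding extraction r = (s* − s)/(c* − c).

```python
import hashlib

# Toy parameters (constructed for illustration only, far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 7823, 3911, 4

def elgamal_enc(X, m, r):
    return pow(G, r, P), (pow(X, r, P) * m) % P            # (R, D) = (g^r, X^r * m)

def elgamal_dec(x, R, D):
    return (D * pow(R, -x, P)) % P                         # D / R^x = m  (needs Python >= 3.8)

def rerandomize(X, R, D, s):
    # Malleability from the slides: (R g^s, D X^s) = (g^(r+s), X^(r+s) m) encrypts the same m.
    return (R * pow(G, s, P)) % P, (D * pow(X, s, P)) % P

def challenge(X, R, D, A):
    # Fiat-Shamir challenge c = H(X, R, D, A) mod q; the byte encoding is our own choice.
    return int.from_bytes(hashlib.sha256(f"{X},{R},{D},{A}".encode()).digest(), "big") % Q

def signed_enc(X, m, r, a):
    R, D = elgamal_enc(X, m, r)
    A = pow(G, a, P)                                       # Schnorr commitment A = g^a
    c = challenge(X, R, D, A)
    return R, D, A, (a + r * c) % Q                        # s = a + r c proves knowledge of r

def signed_dec(x, X, R, D, A, s):
    c = challenge(X, R, D, A)
    if (A * pow(R, c, P)) % P != pow(G, s, P):             # verify A R^c == g^s
        return None                                        # invalid proof: refuse to decrypt
    return elgamal_dec(x, R, D)

def extract_r(c1, s1, c2, s2):
    # Special soundness (rewinding): two responses for the same A give r = (s2 - s1)/(c2 - c1) mod q.
    return ((s2 - s1) * pow(c2 - c1, -1, Q)) % Q

def demo(x=1234, r=321, a=55, s=7):
    X = pow(G, x, P)                                       # public key X = g^x
    m = pow(G, 42, P)                                      # message encoded as a subgroup element
    R, D, A, sig = signed_enc(X, m, r, a)
    Rs, Ds = rerandomize(X, R, D, s)
    roundtrip = signed_dec(x, X, R, D, A, sig) == m        # honest ciphertext decrypts
    plain_malleable = elgamal_dec(x, Rs, Ds) == m          # plain ElGamal: re-randomised copy still opens to m
    signed_rejects = signed_dec(x, X, Rs, Ds, A, sig) is None   # Signed ElGamal: proof no longer verifies
    return roundtrip, plain_malleable, signed_rejects
```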

Signed ElGamal & CCA-Security?
Bernhard et al. (AC'12):
– NM-CPA secure
Seurin, Treger (CT-RSA'13):
– not plaintext-aware
Bernhard et al. (PKC'15):
– an instance of Enc+PoK
– PoK is not good enough to prove CCA
Tsiounis & Yung (PKC'98) + Schnorr & Jakobsson (AC'00) + Abdalla, Benhamouda, MacKenzie (S&P'15):
– all show CCA-security of signed ElGamal (DDH + ROM), but
– additionally require a "knowledge-of-exponent" assumption, or
– additionally require the generic group model, or
– restrict to algebraic adversaries
This paper: no bbox* reduction from IND-CCA security of signed ElGamal to IND-CPA security of ElGamal, unless IES is easy

We study key-passing, bbox reductions (from CCA-security of Signed ElGamal to CPA-security of ElGamal)
Setting: the reduction plays the IND-CPA game for ElGamal against a challenger holding (x, X = g^x): it receives X, submits m_0, m_1, receives (g^r, X^r · m_b) and must output d with d = b. To do so it runs the CCA adversary, passing it the same public key X (key-passing), and answers the adversary's RO, Chal (challenge) and Decrypt queries until the adversary outputs its guess.

Interactive Signed ElGamal (IES)
The adversary receives X = g^x, R = g^r, A = g^a, sends a challenge c and receives s = a + r·c; it must then output M = g^(xr).
IES assumption: no efficient adversary can guess g^(xr).

One-more Interactive verified Signed ElGamal (OMvIES)
The adversary receives X = g^x and n instances (R_i, A_i) = (g^(r_i), g^(a_i)), i = 1..n, each with target M_i = g^(x·r_i). For any instance it may send a challenge c and receive a_i + r_i·c; it may also ask whether a candidate M is the correct g^(x·r_i) for instance i ("M?"). Sending a second challenge c* to the same instance and receiving a_i + r_i·c* opens it (the two responses reveal r_i).
The adversary breaks OMvIES if it can guess g^(x·r_i) for an *unopened* IES instance.


A "very bad" adversary
1. Create n "malicious" ciphertexts, chained through the random oracle: given C_i = (R_i, D_i, A_i, s_i = a_i + r_i·c_i) with c_i = H(X, R_i, D_i, A_i), select R_(i+1), D_(i+1), A_(i+1) as f(c_i), query the RO for c_(i+1) = H(X, R_(i+1), D_(i+1), A_(i+1)), and set C_(i+1) = (R_(i+1), D_(i+1), A_(i+1), s_(i+1)) with s_(i+1) = a_(i+1) + r_(i+1)·c_(i+1).
2. Issue the decryption queries in reverse order: Decrypt C_n → M_n, …, Decrypt C_1 → M_1, and check each answer M_n, …, M_1.
3. Break ElGamal-Schnorr.

Intuition
The reduction may run and rewind several copies of the adversary, each going through the stages "create ciphers", "decrypt in reverse", "break ElGamal".
1. If no copy of the adversary reaches the "break ElGamal" stage, the reduction breaks IND-CPA on its own.
2. If some copy reaches the "break ElGamal" stage and IES is hard, then the reduction must open all IES instances involved.
3. To open all instances, the reduction needs to simulate 2^n copies of the adversary.

Given a reduction… (a key-passing bbox reduction as above: it plays the IND-CPA game for ElGamal and answers the adversary's RO, Chal and Decrypt queries)

…construct a metareduction
The metareduction plays the OMvIES game: it receives X = g^x and the instances (R_i, A_i) = (g^(r_i), g^(a_i)), i = 1..n, with unknown targets M_i = g^(x·r_i). It runs the reduction, simulating the IND-CPA game for ElGamal towards it (with X as the public key), and it simulates every adversary copy the reduction runs or rewinds. The reduction reduces CCA to CPA; the metareduction breaks OMvIES.

Simulated ciphertexts
Where the real adversary would select (R_(i+1), D_(i+1), A_(i+1)) as f(c_i), the simulated adversary copy uses an OMvIES instance instead: take (R_1, A_1), select a random D, query the reduction's random oracle H(X, R_1, D, A_1) → c, send c to the OMvIES instance to obtain s = a_1 + r_1·c, and hand C = (R_1, D, A_1, s) to the reduction as a decryption query.

Simulated ciphertexts – maintaining consistency
C_1 = (R_1, D_1, A_1, s_1) with c_1 = H(X, R_1, D_1, A_1), C_2 = (R_2, D_2, A_2, s_2) with c_2 = H(X, R_2, D_2, A_2), and so on: the metareduction computes the ciphertexts depending on what the reduction provides at the random-oracle interface, so that every adversary copy sees a chain consistent with the RO answers it received.

Simulated ciphertexts – checking decryption queries
When the simulated adversary submits C_1 = (R_1, D_1, A_1, s_1) for decryption and the reduction answers M_1, the metareduction computes M = D_1 / M_1. If M_1 is the correct decryption (so that M = g^(x·r_1)) and the IES instance was not opened, then the metareduction has guessed the target of an unopened instance and breaks OMvIES.

Conclusion
– A proof of IND-CCA security for Signed ElGamal is unlikely to be a (key-passing, black-box) reduction to IND-CPA security of ElGamal.
– IES is plausible, so the only way around is either a non-black-box reduction or a non-key-passing one (e.g. directly to DDH?).
Thanks for your attention