Topic 30: El-Gamal Encryption Cryptography CS 555 Topic 30: El-Gamal Encryption

Recap CPA/CCA Security for Public Key Crypto Key Encapsulation Mechanism

A Quick Remark about Groups Let 𝔾 be a group with order m= 𝔾 with a binary operation ∘ (over G) and let g,h∈𝔾 be given and consider sampling k∈𝔾 uniformly at random then we have Pr k←𝔾 𝑘=𝑔 = 1 𝑚 Question: What is Pr k←𝔾 𝑘∘ℎ=𝑔 = 1 𝑚 ? Answer: Pr k←𝔾 𝑘∘ℎ=𝑔 = Pr k←𝔾 𝑘=𝑔∘ ℎ −1 = 1 𝑚

A Quick Remark about Groups Lemma 11.15: Let 𝔾 be a group with order m= 𝔾 with a binary operation ∘ (over G) then for any pair g,h∈𝔾 we have Pr k←𝔾 𝑘∘ℎ=𝑔 = 1 𝑚 Remark: This lemma gives us a way to construct perfectly secret private-key crypto scheme. How?

El-Gamal Encryption Key Generation (Gen( 1 𝑛 )): Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encpk (𝑚) = 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 for a random y∈ ℤ 𝑞 Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 −𝑥

El-Gamal Encryption Encpk (𝑚) = 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 for a random y∈ ℤ 𝑞 Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 −𝑥 Decsk ( 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 ) =𝑚∙ ℎ 𝑦 𝑔 𝑦 −𝑥 =𝑚∙ ℎ 𝑦 𝑔 𝑦 −𝑥 =𝑚∙ 𝑔 𝑥 𝑦 𝑔 𝑦 −𝑥 =𝑚∙ 𝑔 𝑥𝑦 𝑔 −𝑥𝑦 =𝑚

CPA-Security ( PubK A,Π LR−cpa n ) Public Key: pk 𝑚 0 1 , 𝑚 1 1 𝒄 𝟏 = 𝐄𝐧𝐜 𝒑𝒌 𝒎 𝒃 𝟏 𝑚 0 2 , 𝑚 1 2 𝒄 𝟐 = 𝐄𝐧𝐜 𝒑𝒌 𝒎 𝒃 𝟐 𝑚 0 3 , 𝑚 1 3 𝒄 𝟑 = 𝐄𝐧𝐜 𝒑𝒌 𝒎 𝒃 𝟑 ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr PubK A,Π LR−cpa n =1 ≤ 1 2 +𝜇(𝑛) … b’ Random bit b (pk,sk) = Gen(.)

El-Gamal Encryption Encpk (𝑚) = 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 for a random y∈ ℤ 𝑞 Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 −𝑥 Theorem 11.18: Let Π= 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒢 then Π is CPA-Secure. Proof: Recall that CPA-security and eavesdropping security are equivalent for public key crypto. It suffices to show that for all PPT A there is a negligible function negl such that Pr PubK A,Π eav n =1 ≤ 1 2 +negl(n)

Eavesdropping Security ( PubK A,Π eav n ) Public Key: pk 𝑚 0 , 𝑚 1 𝒄 𝟏 = 𝐄𝐧𝐜 𝒑𝒌 𝒎 𝒃 b’ ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr PubK A,Π eav n =1 ≤ 1 2 +𝜇(𝑛) Random bit b (pk,sk) = Gen(.)

El-Gamal Encryption Theorem 11.18: Let Π= 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒢 then Π is CPA-Secure. Proof: First introduce an `encryption scheme’ Π in which Encpk 𝑚 = 𝑔 𝑦 ,𝑚∙ 𝑔 𝑧 for random y,z∈ ℤ 𝑞 (there is actually no way to do decryption, but the experiment PubK A, Π eav n is still well defined). In fact, (using Lemma 11.15) Pr PubK A, Π eav n =1 = 1 2 Pr PubK A, Π eav n =1 𝑏=1 + 1 2 1−Pr PubK A, Π eav n =1 𝑏=0 = 1 2 + 1 2 Pr y,z← ℤ 𝑞 𝐴 𝑔 𝑦 ,𝑚∙ 𝑔 𝑧 =1 − 1 2 Pr y,z← ℤ 𝑞 𝐴 𝑔 𝑦 , 𝑔 𝑧 =1 = 1 2

El-Gamal Encryption Theorem 11.18: Let Π= 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒢 then Π is CPA-Secure. Proof: We just showed that Pr PubK A, Π eav n =1 = 1 2 Therefore, it suffices to show that Pr PubK A,Π eav n =1 −Pr PubK A, Π eav n =1 ≤𝐧𝐞𝐠𝐥(𝑛) This, will follow from DDH assumption.

El-Gamal Encryption Theorem 11.18: Let Π= 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒢 then Π is CPA-Secure. Proof: We can build 𝐵 𝑔 𝑥 , 𝑔 𝑦 ,𝑍 to break DDH assumption if Π is not CPA-Secure. Simulate eavesdropping attacker A Send attacker public key pk= 𝔾,𝑞,𝑔,ℎ= 𝑔 𝑥 Receive m0,m1 from A. Send A the ciphertext 𝑔 𝑦 , 𝑚 𝑏 ∙𝑍 . Output 1 if and only if attacker outputs b’=b. Pr 𝐵 𝑔 𝑥 , 𝑔 𝑦 ,𝑍 =1 𝑍= 𝑔 𝑥𝑦 −Pr 𝐵 𝑔 𝑥 , 𝑔 𝑦 ,𝑍 =1 𝑍= 𝑔 𝑧 = Pr PubK A,Π eav n =1 −Pr PubK A, Π eav n =1 = Pr PubK A,Π eav n =1 − 1 2 = Pr y← ℤ 𝑞 𝐴 𝑔 𝑥 , 𝑔 𝑦 , 𝑚 𝑏 ∙ 𝑔 𝑥𝑦 =1 − Pr y,z← ℤ 𝑞 𝐴 𝑔 𝑥 , 𝑔 𝑦 , 𝑚 𝑏 ∙ 𝑔 𝑧 =1 = Pr y← ℤ 𝑞 𝐴 ℎ, 𝑔 𝑦 , 𝑚 𝑏 ∙ ℎ 𝑧 =1 − Pr y,z← ℤ 𝑞 𝐴 ℎ, 𝑔 𝑦 , 𝑚 𝑏 ∙ 𝑔 𝑧 =1

El-Gamal Encryption Encpk (𝑚) = 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 for a random y∈ ℤ 𝑞 and ℎ=𝑔 𝑥 , Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 −𝑥 Fact: El-Gamal Encryption is malleable. c=Encpk (𝑚) = 𝑔 𝑦 ,𝑚∙ ℎ 𝑦 c′=Encpk (𝑚) = 𝑔 𝑦 ,2∙𝑚∙ ℎ 𝑦 Decsk (𝑐′) =2∙𝑚∙ ℎ 𝑦 ∙ 𝑔 −𝑥𝑦 =2𝑚

Key Encapsulation Mechanism (KEM) Three Algorithms Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Input: Random Bits R Output: 𝒑𝒌,𝒔𝒌 ∈𝓚 Encapspk ( 1 𝑛 ,𝑅) Input: security parameter, random bits R Output: Symmetric key k∈ 0,1 ℓ 𝑛 and a ciphertext c Decapssk (𝑐) (Deterministic algorithm) Input: Secret key sk∈𝒦 and a ciphertex c Output: a symmetric key 0,1 ℓ 𝑛 or ⊥ (fail) Invariant: Decapssk(c)=k whenever (c,k) = Encapspk( 1 𝑛 ,𝑅)

KEM CCA-Security ( KEM A,Π cca n ) 𝒑𝒌,𝒄,𝒌𝒃 … 𝒄 𝟏 ≠𝒄 𝐃𝐞𝐜𝐚𝐩𝐬 𝒔𝒌 𝒄 𝟏 𝒄 𝟐 ≠𝒄 ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr KEM A,Π cca =1 ≤ 1 2 +𝜇(𝑛) 𝐃𝐞𝐜𝐚𝐩𝐬 𝒔𝒌 𝒄 𝟐 … b’ Random bit b (pk,sk) = Gen(.) 𝒄,𝒌𝟎 = 𝐄𝐧𝐜𝐚𝐩𝐬 𝒑𝒌 . 𝒌𝟏 ⟵ 𝟎,𝟏 𝒏

Recall: Last Lecture CCA-Secure KEM from RSA in Random Oracle Model What if we want security proof in the standard model? Answer: DDH yields a CPA-Secure KEM in standard model

KEM CPA-Security ( KEM A,Π cpa n ) 𝒑𝒌,𝒄,𝒌𝒃 b’ ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr KEM A,Π cpa =1 ≤ 1 2 +𝜇(𝑛) Random bit b (pk,sk) = Gen(.) 𝒄,𝒌𝟎 = 𝐄𝐧𝐜𝐚𝐩𝐬 𝒑𝒌 . 𝒌𝟏 ⟵ 𝟎,𝟏 𝒏

CCA-Secure Encryption from CPA-Secure KEM 𝐄𝐧𝐜 𝐩𝐤 𝒎;𝑹 = 𝒄, 𝐄𝐧𝐜 𝐤 ∗ 𝒎 Where 𝒄,𝒌 ← 𝐄𝐧𝐜𝐚𝐩𝐬 𝐩𝐤 𝟏 𝒏 ;𝑹 , 𝐄𝐧𝐜 𝐤 ∗ is a eavesdropping-secure symmetric key encryption algorithm 𝐄𝐧𝐜𝐚𝐩𝐬 𝐩𝐤 is a CPA-Secure KEM. Theorem 11.12: 𝐄𝐧𝐜 𝐩𝐤 is CCA-Secure public key encryption scheme.

CPA-Secure KEM with El-Gamal Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ ℤ 𝑞 Output: 𝑔 𝑦 ,𝑘=LeastSigNBits ℎ 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: 𝑘=LeastSigNBits 𝑐 𝑥

CPA-Secure KEM with El-Gamal Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =2𝑛) and a generator g such that <g>= 𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ ℤ 𝑞 Output: 𝑔 𝑦 ,𝑘=LeastSigNBits ℎ 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: 𝑘=LeastSigNBits 𝑐 𝑥 Decapssk 𝑔 𝑦 =LeastSigNBits 𝑔 𝑥𝑦 =LeastSigNBits ℎ 𝑦 =𝑘

CPA-Secure KEM with El-Gamal Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ ℤ 𝑞 Output: 𝑔 𝑦 ,𝑘=LeastSigNBits ℎ 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: 𝑘=LeastSigNBits 𝑐 𝑥 Theorem 11.20: If DDH is hard relative to 𝒢 then (Gen,Encaps,Decaps) is a CPA-Secure KEM

CPA-Secure KEM with El-Gamal Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ ℤ 𝑞 Output: 𝑔 𝑦 ,𝑘=LeastSigNBits ℎ 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: 𝑘=LeastSigNBits 𝑐 𝑥 Remark: If CDH is hard relative to 𝒢 then (Gen,Encaps,Decaps) and we replace LeastSigNBits with a random oracle H then this is a CPA-Secure KEM (…also CCA-secure under a slightly stronger assumption called gap-CDH)

CCA-Secure Variant in Random Oracle Model Key Generation (Gen( 1 𝑛 )): Run 𝒢 1 𝑛 to obtain a cyclic group 𝔾 of order q (with 𝑞 =𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ ℤ 𝑞 and set ℎ= 𝑔 𝑥 Public Key: pk= 𝔾,𝑞,𝑔,ℎ Private Key: sk= 𝔾,𝑞,𝑔,𝑥 Encpk (𝑚) = 𝑔 𝑦 , 𝑐 ′ , 𝑀𝑎𝑐 𝐾 𝑀 𝑐′ for a random y∈ ℤ 𝑞 and 𝐾 𝐸 𝐾 𝑀 =𝐻 ℎ 𝑦 and 𝑐 ′ =Enc K E ′ 𝑚 Decsk ( 𝑐, 𝑐 ′ ,𝑡 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 𝑥 If Vrfy K M 𝑐 ′ ,𝑡 ≠1 or 𝑐∉𝔾 output ⊥; otherwise output Dec K E ′ 𝑐 ′ ,𝑡

CCA-Secure Variant in Random Oracle Model Theorem: If Enc K E ′ is CPA-secure, Mac K M is a strong MAC and a problem called gap-CDH is hard then this a CCA-secure public key encryption scheme in the random oracle model. Encpk (𝑚) = 𝑔 𝑦 , 𝑐 ′ , Mac K M 𝑐′ for a random y∈ ℤ 𝑞 and 𝐾 𝐸 𝐾 𝑀 = 𝐻 ℎ 𝑦 and 𝑐 ′ =Enc K E ′ 𝑚 Decsk ( 𝑐, 𝑐 ′ ,𝑡 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 𝑥 If Vrfy K M 𝑐 ′ ,𝑡 ≠1 or 𝑐∉𝔾 output ⊥; otherwise output Dec K E ′ 𝑐 ′ ,𝑡

CCA-Secure Variant in Random Oracle Model Remark: The CCA-Secure variant is used in practice in the ISO/IEC 18033-2 standard for public-key encryption. Diffie-Hellman Integrated Encryption Scheme (DHIES) Elliptic Curve Integrated Encryption Scheme (ECIES) Encpk (𝑚) = 𝑔 𝑦 , 𝑐 ′ , Mac K M 𝑐′ for a random y∈ ℤ 𝑞 and 𝐾 𝐸 𝐾 𝑀 = 𝐻 ℎ 𝑦 and 𝑐 ′ =Enc K E ′ 𝑚 Decsk ( 𝑐, 𝑐 ′ ,𝑡 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 𝑥 If Vrfy K M 𝑐 ′ ,𝑡 ≠1 or 𝑐∉𝔾 output ⊥; otherwise output Dec K E ′ 𝑐 ′ ,𝑡

Next Class: RSA Attacks + Fixes Read Katz and Lindell: 11.5