
1 On the Hardness of Proving CCA-Security of Signed ElGamal Bogdan Warinschi (University of Bristol) joint work with David Bernhard, Marc Fischlin

2 ElGamal encryption
public key: X = g^x; secret key: sk = x
encryption: Enc(X, m; r) = (R, D) = (g^r, X^r · m)
decryption: Dec(x, (R, D)) = D / R^x = X^r · m / (g^r)^x = (g^x)^r · m / (g^r)^x = m

3 Chosen-Plaintext Security
[diagram: IND-CPA game. The challenger generates (sk, pk) and sends pk; the adversary sends m_0, m_1; the challenger picks a bit b and returns C = Enc(pk, m_b); the adversary outputs d and wins if d = b]
For ElGamal: IND-CPA ⇔ DDH [Tsiounis and Yung, PKC'98]

4 Chosen-Ciphertext Security
[diagram: IND-CCA game. As in the IND-CPA game, but the adversary may additionally submit decryption queries C* (other than the challenge ciphertext C), before and after the challenge, and receives m = Dec(sk, C*)]
ElGamal is not IND-CCA: (R, D) = (g^r, pk^r · m) → (R*, D*) = (R · g^s, D · pk^s) = (g^(r+s), pk^(r+s) · m)

5 Chosen-Ciphertext Security
Chosen-ciphertext security (IND-CCA): the adversary cannot learn anything about m, even if it learns the decryptions of other ciphertexts

6 Potential Solution
Add a "proof of knowledge" π to the ciphertext: (R, D, π) = (g^r, pk^r · m, π), where π proves "I know the exponent r"
idea:
– for any decryption query (R*, D*), the adversary already knows r*
– so she could decrypt herself as D* / pk^(r*) = pk^(r*) · m* / pk^(r*) = m*
– decryptions of other ciphertexts therefore do not help to learn anything about the original message m

7 Schnorr Signatures
The obvious candidate for a proof of knowledge for ElGamal encryption are Schnorr signatures [S'91]
[diagram: Schnorr protocol. The prover knows r with R = g^r; the verifier knows R. The prover picks random a, computes A = g^a and sends A; the verifier picks a random challenge c and sends it; the prover computes s = a + c·r and sends s; the verifier checks A · R^c = g^s]

8 Proof of Knowledge Property
[diagram: the protocol of slide 7 run twice from the same commitment A = g^a (rewinding): challenge c answered with s = a + c·r, and challenge c* answered with s* = a + c*·r; the verifier checks A · R^c = g^s and A · R^(c*) = g^(s*)]
From the verification equations: R^(-c) · g^s = A = R^(-c*) · g^(s*)
knowledge of r is shown via r = (s* - s) / (c* - c)

9 Removing Interaction
[FS'86] Fiat-Shamir heuristic: assume a good hash function H ("random oracle model")
[diagram: as on slide 7, but the prover computes the challenge herself as c = H(R, A) instead of receiving it from the verifier; the verifier checks A · R^c = g^s for c = H(R, A)]

10 Signed ElGamal encryption
public key: X = g^x; secret key: x
encryption: Enc(X, m; r) = (R, D, A, s) = (g^r, X^r · m, g^a, a + r · c) where c = H(X, R, D, A)
decryption: decrypt only if the proof is valid
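The following is an added example, not code from the talk or the paper: a toy Python implementation of slides 2, 4 and 7-10 that shows the ElGamal malleability of slide 4 actually decrypting to the same message, the rewinding extraction of slide 8 recovering r from two transcripts, and the Signed ElGamal decryptor of slide 10 rejecting the same re-randomised ciphertext because the Fiat-Shamir proof no longer verifies. Assumptions: the group is the order-q subgroup of Z_p^* for a safe prime p = 2q + 1 that the code searches for deterministically (q is about 2^61, a constructed toy size), H is SHA-256 reduced mod q, and all secrets in `demo()` are fixed constructed values so the run is reproducible.

```python
import hashlib

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e23."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=1 << 61):
    """Smallest q >= start with q and p = 2q+1 prime. g = 4 = 2^2 is a quadratic
    residue, so it lies in (and generates) the order-q subgroup. Toy size only."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()          # constructed parameters, not from the talk
assert pow(G, Q, P) == 1 and G != 1   # sanity check: G has order Q

def elgamal_enc(X, m, r):             # slide 2: (R, D) = (g^r, X^r * m)
    return pow(G, r, P), pow(X, r, P) * m % P

def elgamal_dec(x, ct):               # slide 2: D / R^x  (negative exponent needs Python 3.8+)
    R, D = ct
    return D * pow(R, -x, P) % P

def rerandomise(X, ct, t):            # slide 4: (R g^t, D X^t) still decrypts to m
    R, D = ct
    return R * pow(G, t, P) % P, D * pow(X, t, P) % P

def schnorr_commit(a):                # slides 7-8: A = g^a
    return pow(G, a, P)

def schnorr_respond(a, r, c):         # s = a + c r mod q
    return (a + c * r) % Q

def schnorr_verify(R, A, c, s):       # A R^c == g^s
    return A * pow(R, c, P) % P == pow(G, s, P)

def extract(c, s, c2, s2):            # slide 8: r = (s2 - s) / (c2 - c) from two transcripts on one A
    return (s2 - s) * pow((c2 - c) % Q, -1, Q) % Q

def fiat_shamir(*vals):               # slide 9: c = H(...) reduced mod q (SHA-256 is an assumption)
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def signed_enc(X, m, r, a):           # slide 10: (R, D, A, s) with c = H(X, R, D, A)
    R, D = elgamal_enc(X, m, r)
    A = schnorr_commit(a)
    return R, D, A, schnorr_respond(a, r, fiat_shamir(X, R, D, A))

def signed_dec(x, X, ct):             # slide 10: decrypt only if the proof verifies
    R, D, A, s = ct
    if not schnorr_verify(R, A, fiat_shamir(X, R, D, A), s):
        return None                   # reject: no valid proof of knowledge of r
    return elgamal_dec(x, (R, D))


def demo():
    """Constructed, fixed secrets so the run is reproducible (never fix secrets for real keys)."""
    x, r, a, t = 12345, 424242, 9999, 31
    X = pow(G, x, P)
    m = pow(G, 777, P)                # message encoded as a group element
    ct = elgamal_enc(X, m, r)
    mauled = rerandomise(X, ct, t)    # slide 4: a different ciphertext of the same m
    R, A = pow(G, r, P), schnorr_commit(a)
    c, c2 = 5, 6                      # two different challenges on the same commitment A
    s, s2 = schnorr_respond(a, r, c), schnorr_respond(a, r, c2)
    sct = signed_enc(X, m, r, a)
    Rm, Dm = rerandomise(X, sct[:2], t)   # same malleability step applied to a signed ciphertext
    return {
        "plain_ok": elgamal_dec(x, ct) == m,
        "mauled_decrypts_same": mauled != ct and elgamal_dec(x, mauled) == m,
        "transcripts_ok": schnorr_verify(R, A, c, s) and schnorr_verify(R, A, c2, s2),
        "extracted_r": extract(c, s, c2, s2),
        "signed_ok": signed_dec(x, X, sct) == m,
        "mauled_rejected": signed_dec(x, X, (Rm, Dm, sct[2], sct[3])) is None,
    }
```

Running `demo()` returns a dictionary in which every boolean is True and `extracted_r` equals the constructed r = 424242. The rejection of the mauled signed ciphertext is exactly the point of slide 10: the proof (A, s) was computed for c = H(X, R, D, A), and changing R or D changes the hash input, so the decryptor refuses before it ever touches the secret key. Note that the talk's argument (slides 11 onwards) is that this rejection alone does not yield a black-box reduction to IND-CPA; the example only demonstrates the mechanism.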

11 Signed ElGamal & CCA-Security?
Bernhard et al. (AC'12): – NM-CPA secure
Seurin, Treger (CT-RSA'13): – not plaintext-aware
Bernhard et al. (PKC'15): – an instance of Enc+PoK – PoK not good enough to prove CCA
Tsiounis & Yung (PKC'98) + Schnorr & Jakobsson (AC'00) + Abdalla, Benhamouda, MacKenzie (S&P'15): – these show CCA-security of signed ElGamal (DDH+ROM) – but additionally require a "knowledge-of-exponent" assumption, or the generic group model, or algebraic adversaries
This paper: no bbox* reduction from IND-CCA to IND-CPA security of ElGamal, unless IES is easy

12 We study key-passing, bbox reductions (from CCA to CPA of Signed ElGamal)
[diagram: the IND-CPA challenger picks x, X = g^x and a bit b and sends X to the reduction, which passes the same X on to the adversary (key-passing); the reduction submits m_0, m_1 and receives the CPA challenge (g^r, X^r · m_b); the adversary makes RO, Chal and Decrypt queries to the reduction and outputs d; the reduction outputs its guess, which is checked against b]

13 Interactive Signed ElGamal (IES)
[diagram: the challenger samples X = g^x, R = g^r, A = g^a and sends X, R, A to the adversary; the adversary sends a challenge c and receives s = a + r · c; the adversary outputs M and wins if M = g^(xr)]
IES assumption: no efficient adversary can guess g^(xr)

14 One-more Interactive verified Signed ElGamal (OMvIES)
[diagram: the challenger publishes X = g^x and n IES instances (R_i, A_i) = (g^(r_i), g^(a_i)), i = 1..n; for each instance the question is whether the adversary can output M = g^(x · r_i)]

15 One-more Interactive verified Signed ElGamal (OMvIES)
[diagram: as on slide 14; the adversary can open instance (R_1, A_1) by sending a challenge c and receiving a_1 + r_1 · c (the slide also shows a second challenge c* answered with a_1 + r_1 · c*), and can ask "M?" about a candidate value for g^(x · r_1)]
The adversary breaks OMvIES if it can guess g^(x · r_i) for an *unopened* IES instance

16 We study key-passing, bbox reductions
[diagram: as on slide 12; the reduction passes X on to the adversary and answers its RO, Chal and Decrypt queries]

17 A "very bad" adversary
[diagram: the adversary (1) creates n "malicious" ciphertexts, (2) issues decryption queries, (3) breaks ElGamal-Schnorr]
The ciphertexts are chained: given C_i = (R_i, D_i, A_i, s_i = a_i + r_i · c_i) with c_i = H(X, R_i, D_i, A_i), select R_(i+1), D_(i+1), A_(i+1) as f(c_i), query the random oracle for c_(i+1) = H(X, R_(i+1), D_(i+1), A_(i+1)), and set C_(i+1) = (R_(i+1), D_(i+1), A_(i+1), s_(i+1)) with s_(i+1) = a_(i+1) + r_(i+1) · c_(i+1)

18 A "very bad" adversary
[diagram: the adversary (1) creates n "malicious" ciphertexts, (2) issues decryption queries, (3) breaks ElGamal-Schnorr. The decryption queries are issued in reverse order: Decrypt C_n → M_n, Check M_n, …, Decrypt C_1 → M_1, Check M_1]
Chain as on slide 17: given C_i = (R_i, D_i, A_i, s_i = a_i + x · c_i) with c_i = H(X, R_i, D_i, A_i), select R_(i+1), D_(i+1), A_(i+1) as f(c_i), query the random oracle for c_(i+1) = H(X, R_(i+1), D_(i+1), A_(i+1)), and set C_(i+1) = (R_(i+1), D_(i+1), A_(i+1), s_(i+1)) with s_(i+1) = a_(i+1) + x · c_(i+1)

19 Intuition
[diagram: the reduction of slide 12 interacting with several copies of the adversary, each running "Create ciphers, Decrypt in reverse, Break ElGamal"]
1. If no copy of the adversary reaches the "break ElGamal" stage, the reduction breaks IND-CPA on its own
2. If some copy reaches the "break ElGamal" stage and IES is hard, then it must open all IES instances involved
3. To open all instances, the reduction needs to simulate 2^n copies of the adversary

20 Given a reduction…
[diagram: as on slide 12; the IND-CPA challenger picks x, X = g^x, b; the reduction passes X to the adversary, submits m_0, m_1, receives (g^r, X^r · m_b), answers RO, Chal and Decrypt queries, takes the adversary's output d and outputs its guess, checked against b]

21 …construct a metareduction
[diagram: the reduction, which reduces CCA to CPA, is run inside a metareduction that plays the OMvIES game: it receives X = g^x and the instances (R_i, A_i) = (g^(r_i), g^(a_i)), i = 1..n, and must output some M = g^(x · r_i). The metareduction breaks OMvIES]

22 Metareduction
[diagram: the metareduction sits between the OMvIES challenger (X = g^x and instances (R_i, A_i), i = 1..n) and the reduction; towards the reduction it plays a simulated IND-CPA game for ElGamal and a simulated adversary copy]

23 Metareduction
[diagram: as on slide 22, with a second simulated adversary copy added next to the first; the reduction sees the simulated IND-CPA game for ElGamal and the simulated adversary copies]

24 Simulated ciphertexts
[diagram: the OMvIES instances (R_i, A_i) on the left, the reduction on the right. For the first ciphertext the metareduction takes R_1, A_1 from the instance, selects a random D, queries the reduction's random oracle for H(X, R_1, D, A_1) to obtain c, sends c to the OMvIES challenger and receives s, and forms C = (R_1, D, A_1, s)]
Chain as on slide 18: given C_i = (R_i, D_i, A_i, s_i = a_i + x · c_i), select R_(i+1), D_(i+1), A_(i+1) as f(c_i), query H(X, R_(i+1), D_(i+1), A_(i+1)) for c_(i+1), and set C_(i+1) = (R_(i+1), D_(i+1), A_(i+1), s_(i+1)) with s_(i+1) = a_(i+1) + x · c_(i+1)

25 Simulated ciphertexts
[diagram: the metareduction takes R_1, A_1 from OMvIES instance 1, selects a random D, queries the reduction's random oracle for H(X, R_1, D, A_1) to obtain c, sends c to the OMvIES challenger, receives s_1, and forms C = (R_1, D, A_1, s_1), which it hands to the reduction]

26 Simulated ciphertexts – maintaining consistency
[diagram: the same steps for two instances. Instance 1: select random D_1, obtain c_1 = H(X, R_1, D_1, A_1) from the reduction, obtain s_1 from the OMvIES challenger, form C_1 = (R_1, D_1, A_1, s_1). Instance 2: select random D_2, obtain c_2 = H(X, R_2, D_2, A_2), obtain s_2, form C_2 = (R_2, D_2, A_2, s_2)]
Compute ciphertexts depending on what the reduction provides at this interface…

27 Simulated ciphertexts – checking decryption queries
[diagram: the metareduction forms C_1 = (R_1, D_1, A_1, s_1) as on slide 26 and submits it to the reduction as a decryption query; the reduction answers with M_1; the metareduction computes M = D_1 / M_1]
If M is the correct decryption and the IES instance was not opened, then the metareduction breaks OMvIES

28 Conclusion
A proof of IND-CCA for Signed ElGamal is unlikely to be a reduction to the IND-CPA security of ElGamal
IES is plausible, so the only way around is either a non-black-box reduction or a non-key-passing one (e.g. directly to DDH?)
Thanks for your attention

