Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic 30: El-Gamal Encryption

Published byJuliana BalsemΓ£o Barroso Modified over 6 years ago

Similar presentations

Presentation on theme: "Topic 30: El-Gamal Encryption"β€” Presentation transcript:

1 Topic 30: El-Gamal Encryption
Cryptography CS 555 Topic 30: El-Gamal Encryption

2 Recap CPA/CCA Security for Public Key Crypto
Key Encapsulation Mechanism

3 A Quick Remark about Groups
Let 𝔾 be a group with order m= 𝔾 with a binary operation ∘ (over G) and let g,hβˆˆπ”Ύ be given and consider sampling kβˆˆπ”Ύ uniformly at random then we have Pr k←𝔾 π‘˜=𝑔 = 1 π‘š Question: What is Pr k←𝔾 π‘˜βˆ˜β„Ž=𝑔 = 1 π‘š ? Answer: Pr k←𝔾 π‘˜βˆ˜β„Ž=𝑔 = Pr k←𝔾 π‘˜=π‘”βˆ˜ β„Ž βˆ’1 = 1 π‘š

4 A Quick Remark about Groups
Lemma 11.15: Let 𝔾 be a group with order m= 𝔾 with a binary operation ∘ (over G) then for any pair g,hβˆˆπ”Ύ we have Pr k←𝔾 π‘˜βˆ˜β„Ž=𝑔 = 1 π‘š Remark: This lemma gives us a way to construct perfectly secret private-key crypto scheme. How?

5 El-Gamal Encryption Key Generation (Gen( 1 𝑛 )):
Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encpk (π‘š) = 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 for a random y∈ β„€ π‘ž Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 βˆ’π‘₯

6 El-Gamal Encryption Encpk (π‘š) = 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 for a random y∈ β„€ π‘ž
Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 βˆ’π‘₯ Decsk ( 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 ) =π‘šβˆ™ β„Ž 𝑦 𝑔 𝑦 βˆ’π‘₯ =π‘šβˆ™ β„Ž 𝑦 𝑔 𝑦 βˆ’π‘₯ =π‘šβˆ™ 𝑔 π‘₯ 𝑦 𝑔 𝑦 βˆ’π‘₯ =π‘šβˆ™ 𝑔 π‘₯𝑦 𝑔 βˆ’π‘₯𝑦 =π‘š

7 CPA-Security ( PubK A,Ξ  LRβˆ’cpa n )
Public Key: pk π‘š 0 1 , π‘š 1 1 𝒄 𝟏 = π„π§πœ π’‘π’Œ π’Ž 𝒃 𝟏 π‘š 0 2 , π‘š 1 2 𝒄 𝟐 = π„π§πœ π’‘π’Œ π’Ž 𝒃 𝟐 π‘š 0 3 , π‘š 1 3 𝒄 πŸ‘ = π„π§πœ π’‘π’Œ π’Ž 𝒃 πŸ‘ βˆ€π‘ƒπ‘ƒπ‘‡ 𝐴 βˆƒπœ‡ (negligible) s.t Pr PubK A,Ξ  LRβˆ’cpa n =1 ≀ 1 2 +πœ‡(𝑛) … b’ Random bit b (pk,sk) = Gen(.)

8 El-Gamal Encryption Encpk (π‘š) = 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 for a random y∈ β„€ π‘ž
Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 βˆ’π‘₯ Theorem 11.18: Let Ξ = 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒒 then Ξ  is CPA-Secure. Proof: Recall that CPA-security and eavesdropping security are equivalent for public key crypto. It suffices to show that for all PPT A there is a negligible function negl such that Pr PubK A,Ξ  eav n =1 ≀ 1 2 +negl(n)

9 Eavesdropping Security ( PubK A,Ξ  eav n )
Public Key: pk π‘š 0 , π‘š 1 𝒄 𝟏 = π„π§πœ π’‘π’Œ π’Ž 𝒃 b’ βˆ€π‘ƒπ‘ƒπ‘‡ 𝐴 βˆƒπœ‡ (negligible) s.t Pr PubK A,Ξ  eav n =1 ≀ 1 2 +πœ‡(𝑛) Random bit b (pk,sk) = Gen(.)

10 El-Gamal Encryption Theorem 11.18: Let Ξ = 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒒 then Ξ  is CPA-Secure. Proof: First introduce an `encryption scheme’ Ξ  in which Encpk π‘š = 𝑔 𝑦 ,π‘šβˆ™ 𝑔 𝑧 for random y,z∈ β„€ π‘ž (there is actually no way to do decryption, but the experiment PubK A, Ξ  eav n is still well defined). In fact, (using Lemma 11.15) Pr PubK A, Ξ  eav n =1 = 1 2 Pr PubK A, Ξ  eav n =1 𝑏= βˆ’Pr PubK A, Ξ  eav n =1 𝑏=0 = Pr y,z← β„€ π‘ž 𝐴 𝑔 𝑦 ,π‘šβˆ™ 𝑔 𝑧 =1 βˆ’ 1 2 Pr y,z← β„€ π‘ž 𝐴 𝑔 𝑦 , 𝑔 𝑧 =1 = 1 2

11 El-Gamal Encryption Theorem 11.18: Let Ξ = 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒒 then Ξ  is CPA-Secure. Proof: We just showed that Pr PubK A, Ξ  eav n =1 = 1 2 Therefore, it suffices to show that Pr PubK A,Ξ  eav n =1 βˆ’Pr PubK A, Ξ  eav n =1 β‰€π§πžπ π₯(𝑛) This, will follow from DDH assumption.

12 El-Gamal Encryption Theorem 11.18: Let Ξ = 𝐺𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐 be the El-Gamal Encryption scheme (above) then if DDH is hard relative to 𝒒 then Ξ  is CPA-Secure. Proof: We can build 𝐡 𝑔 π‘₯ , 𝑔 𝑦 ,𝑍 to break DDH assumption if Ξ  is not CPA-Secure. Simulate eavesdropping attacker A Send attacker public key pk= 𝔾,π‘ž,𝑔,β„Ž= 𝑔 π‘₯ Receive m0,m1 from A. Send A the ciphertext 𝑔 𝑦 , π‘š 𝑏 βˆ™π‘ . Output 1 if and only if attacker outputs b’=b. Pr 𝐡 𝑔 π‘₯ , 𝑔 𝑦 ,𝑍 =1 𝑍= 𝑔 π‘₯𝑦 βˆ’Pr 𝐡 𝑔 π‘₯ , 𝑔 𝑦 ,𝑍 =1 𝑍= 𝑔 𝑧 = Pr PubK A,Ξ  eav n =1 βˆ’Pr PubK A, Ξ  eav n =1 = Pr PubK A,Ξ  eav n =1 βˆ’ 1 2 = Pr y← β„€ π‘ž 𝐴 𝑔 π‘₯ , 𝑔 𝑦 , π‘š 𝑏 βˆ™ 𝑔 π‘₯𝑦 =1 βˆ’ Pr y,z← β„€ π‘ž 𝐴 𝑔 π‘₯ , 𝑔 𝑦 , π‘š 𝑏 βˆ™ 𝑔 𝑧 =1 = Pr y← β„€ π‘ž 𝐴 β„Ž, 𝑔 𝑦 , π‘š 𝑏 βˆ™ β„Ž 𝑧 =1 βˆ’ Pr y,z← β„€ π‘ž 𝐴 β„Ž, 𝑔 𝑦 , π‘š 𝑏 βˆ™ 𝑔 𝑧 =1

13 El-Gamal Encryption Encpk (π‘š) = 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 for a random y∈ β„€ π‘ž and β„Ž=𝑔 π‘₯ , Decsk (𝑐= 𝑐 1 , 𝑐 2 ) = 𝑐 2 𝑐 1 βˆ’π‘₯ Fact: El-Gamal Encryption is malleable. c=Encpk (π‘š) = 𝑔 𝑦 ,π‘šβˆ™ β„Ž 𝑦 cβ€²=Encpk (π‘š) = 𝑔 𝑦 ,2βˆ™π‘šβˆ™ β„Ž 𝑦 Decsk (𝑐′) =2βˆ™π‘šβˆ™ β„Ž 𝑦 βˆ™ 𝑔 βˆ’π‘₯𝑦 =2π‘š

14 Key Encapsulation Mechanism (KEM)
Three Algorithms Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Input: Random Bits R Output: π’‘π’Œ,π’”π’Œ βˆˆπ“š Encapspk ( 1 𝑛 ,𝑅) Input: security parameter, random bits R Output: Symmetric key k∈ 0,1 β„“ 𝑛 and a ciphertext c Decapssk (𝑐) (Deterministic algorithm) Input: Secret key skβˆˆπ’¦ and a ciphertex c Output: a symmetric key 0,1 β„“ 𝑛 or βŠ₯ (fail) Invariant: Decapssk(c)=k whenever (c,k) = Encapspk( 1 𝑛 ,𝑅)

15 KEM CCA-Security ( KEM A,Ξ  cca n )
π’‘π’Œ,𝒄,π’Œπ’ƒ … 𝒄 𝟏 ≠𝒄 πƒπžπœπšπ©π¬ π’”π’Œ 𝒄 𝟏 𝒄 𝟐 ≠𝒄 βˆ€π‘ƒπ‘ƒπ‘‡ 𝐴 βˆƒπœ‡ (negligible) s.t Pr KEM A,Ξ  cca =1 ≀ 1 2 +πœ‡(𝑛) πƒπžπœπšπ©π¬ π’”π’Œ 𝒄 𝟐 … b’ Random bit b (pk,sk) = Gen(.) 𝒄,π’ŒπŸŽ = π„π§πœπšπ©π¬ π’‘π’Œ . π’ŒπŸ ⟡ 𝟎,𝟏 𝒏

16 Recall: Last Lecture CCA-Secure KEM from RSA in Random Oracle Model
What if we want security proof in the standard model? Answer: DDH yields a CPA-Secure KEM in standard model

17 KEM CPA-Security ( KEM A,Ξ  cpa n )
π’‘π’Œ,𝒄,π’Œπ’ƒ b’ βˆ€π‘ƒπ‘ƒπ‘‡ 𝐴 βˆƒπœ‡ (negligible) s.t Pr KEM A,Ξ  cpa =1 ≀ 1 2 +πœ‡(𝑛) Random bit b (pk,sk) = Gen(.) 𝒄,π’ŒπŸŽ = π„π§πœπšπ©π¬ π’‘π’Œ . π’ŒπŸ ⟡ 𝟎,𝟏 𝒏

18 CCA-Secure Encryption from CPA-Secure KEM
π„π§πœ 𝐩𝐀 π’Ž;𝑹 = 𝒄, π„π§πœ 𝐀 βˆ— π’Ž Where 𝒄,π’Œ ← π„π§πœπšπ©π¬ 𝐩𝐀 𝟏 𝒏 ;𝑹 , π„π§πœ 𝐀 βˆ— is a eavesdropping-secure symmetric key encryption algorithm π„π§πœπšπ©π¬ 𝐩𝐀 is a CPA-Secure KEM. Theorem 11.12: π„π§πœ 𝐩𝐀 is CCA-Secure public key encryption scheme.

19 CPA-Secure KEM with El-Gamal
Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ β„€ π‘ž Output: 𝑔 𝑦 ,π‘˜=LeastSigNBits β„Ž 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: π‘˜=LeastSigNBits 𝑐 π‘₯

20 CPA-Secure KEM with El-Gamal
Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =2𝑛) and a generator g such that <g>= 𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ β„€ π‘ž Output: 𝑔 𝑦 ,π‘˜=LeastSigNBits β„Ž 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: π‘˜=LeastSigNBits 𝑐 π‘₯ Decapssk 𝑔 𝑦 =LeastSigNBits 𝑔 π‘₯𝑦 =LeastSigNBits β„Ž 𝑦 =π‘˜

21 CPA-Secure KEM with El-Gamal
Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ β„€ π‘ž Output: 𝑔 𝑦 ,π‘˜=LeastSigNBits β„Ž 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: π‘˜=LeastSigNBits 𝑐 π‘₯ Theorem 11.20: If DDH is hard relative to 𝒒 then (Gen,Encaps,Decaps) is a CPA-Secure KEM

22 CPA-Secure KEM with El-Gamal
Gen ( 1 𝑛 ,𝑅) (Key-generation algorithm) Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =2𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encapspk ( 1 𝑛 ,𝑅) Pick random y∈ β„€ π‘ž Output: 𝑔 𝑦 ,π‘˜=LeastSigNBits β„Ž 𝑦 Decapssk (𝑐) (Deterministic algorithm) Output: π‘˜=LeastSigNBits 𝑐 π‘₯ Remark: If CDH is hard relative to 𝒒 then (Gen,Encaps,Decaps) and we replace LeastSigNBits with a random oracle H then this is a CPA-Secure KEM (…also CCA-secure under a slightly stronger assumption called gap-CDH)

23 CCA-Secure Variant in Random Oracle Model
Key Generation (Gen( 1 𝑛 )): Run 𝒒 1 𝑛 to obtain a cyclic group 𝔾 of order q (with π‘ž =𝑛) and a generator g such that <g>=𝔾. Choose a random x∈ β„€ π‘ž and set β„Ž= 𝑔 π‘₯ Public Key: pk= 𝔾,π‘ž,𝑔,β„Ž Private Key: sk= 𝔾,π‘ž,𝑔,π‘₯ Encpk (π‘š) = 𝑔 𝑦 , 𝑐 β€² , π‘€π‘Žπ‘ 𝐾 𝑀 𝑐′ for a random y∈ β„€ π‘ž and 𝐾 𝐸 𝐾 𝑀 =𝐻 β„Ž 𝑦 and 𝑐 β€² =Enc K E β€² π‘š Decsk ( 𝑐, 𝑐 β€² ,𝑑 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 π‘₯ If Vrfy K M 𝑐 β€² ,𝑑 β‰ 1 or π‘βˆ‰π”Ύ output βŠ₯; otherwise output Dec K E β€² 𝑐 β€² ,𝑑

24 CCA-Secure Variant in Random Oracle Model
Theorem: If Enc K E β€² is CPA-secure, Mac K M is a strong MAC and a problem called gap-CDH is hard then this a CCA-secure public key encryption scheme in the random oracle model. Encpk (π‘š) = 𝑔 𝑦 , 𝑐 β€² , Mac K M 𝑐′ for a random y∈ β„€ π‘ž and 𝐾 𝐸 𝐾 𝑀 = 𝐻 β„Ž 𝑦 and 𝑐 β€² =Enc K E β€² π‘š Decsk ( 𝑐, 𝑐 β€² ,𝑑 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 π‘₯ If Vrfy K M 𝑐 β€² ,𝑑 β‰ 1 or π‘βˆ‰π”Ύ output βŠ₯; otherwise output Dec K E β€² 𝑐 β€² ,𝑑

25 CCA-Secure Variant in Random Oracle Model
Remark: The CCA-Secure variant is used in practice in the ISO/IEC standard for public-key encryption. Diffie-Hellman Integrated Encryption Scheme (DHIES) Elliptic Curve Integrated Encryption Scheme (ECIES) Encpk (π‘š) = 𝑔 𝑦 , 𝑐 β€² , Mac K M 𝑐′ for a random y∈ β„€ π‘ž and 𝐾 𝐸 𝐾 𝑀 = 𝐻 β„Ž 𝑦 and 𝑐 β€² =Enc K E β€² π‘š Decsk ( 𝑐, 𝑐 β€² ,𝑑 ) 𝐾 𝐸 𝐾 𝑀 =𝐻 𝑐 π‘₯ If Vrfy K M 𝑐 β€² ,𝑑 β‰ 1 or π‘βˆ‰π”Ύ output βŠ₯; otherwise output Dec K E β€² 𝑐 β€² ,𝑑

26 Next Class: RSA Attacks + Fixes
Read Katz and Lindell: 11.5

Download ppt "Topic 30: El-Gamal Encryption"

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski

Cryptography Lecture 9 Stefan Dziembowski
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Similar presentations

Ads by Google