On the security of ElGamal based encryption
The ElGamal encryption scheme has been proposed several years ago and is one of the few probabilistic encryption schemes. However, its security has never been concretely proven based on clearly understood and accepted primitives. Here we show directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification. In addition, we show that the opposite direction holds, i.e., the semantic security of the ElGamal encryption is actually equivalent to the decision Diffie-Hellman problem. We also present an exact analysis of the efficiency of the reduction.
Next we present additions on ElGamal encryption which result in non-malleability under adaptive chosen plaintext attacks. Non-malleability is equivalent to the decision Diffie-Hellman assumption, the existence of a random oracle (in practice a secure hash function) or a trusted beacon (as needed for the Fiat-Shamir argument), and one assumption about the unforgeability of Schnorr signatures. Our proof employs the tool of message awareness.
Unable to display preview. Download preview PDF.
- [Bea96]D. Beaver. Plausible deniability. In Advances in Cryptology — PraguoCrypt '96 Proceedings, Prague, Czech Republic, 1996.Google Scholar
- [Bea97]D. Beaver. Plug and play cryptography. In Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar
- [BGM93]E. F. Brickell, D. Gordon, and K. S. McCurley. Fast exponentiation with precomputation. In Advances in Cryptology — Eurocrypt '92, Proceedings (Lecture Notes in Computer Science 658). Springer-Verlag, 1993.Google Scholar
- [BR94]M. Bellare and P. Rogaway. Optimal assymetric encryption — how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology, Proc. of Eurocrypt '94, (Lecture notes in Computer Science Volume 950), Perugia, Italy, May 9–12 1994. Springer-Verlag.Google Scholar
- [BR97]M. Bellare and P. Rogaway. Minimizing the use of random oracles in authenticated encryption schemes. In ISICS '97, 1997.Google Scholar
- [Can97]R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In B. Kaliski, editor, Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, pages 455–469, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar
- [CS98]R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, 1998. Preprint. Available at http://www.cs.wisc.edu/ shoup/papers/.Google Scholar
- [Dam91]I. B. Damgård. Towards practical public key systems against chosen ciphertext attacks. In J. Feigenbaum, editor, Advances in Cryptology, Proc. of Crypto '91 (Lecture Notes in Computer Science 576), pages 445–456. Springer-Verlag, 1991.Google Scholar
- [DDN91]O. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In Proceedings of the 23rd Symposium on Theory of Computing, ACM STOC, 1991.Google Scholar
- [ElG98]T. ElGamal, January 1998. Personal communication.Google Scholar
- [FS87]A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer Science 263), pages 186–194. Springer-Verlag, 1987. Santa Barbara, CA, August 11–15.Google Scholar
- [FTY96]Y. Frankel, Y. Tsiounis, and M. Yung. Indirect discourse proofs: achieving fair off-line e-cash. In Advances in Cryptology, Proc. of Asiacrypt '96 (Lecture Notes in Computer Science 1163), pages 286–300, Kyongju, South Korea, November 3–7 1996. Springer-Verlag, http://yiannis.home.ml.org/pubs.htmlGoogle Scholar
- [Gol89]O. Goldreich. Foundations of cryptography, 1989. Class notes. Available at http://www.wisdom.weizmann.ac.il/people/homepages/oded/ln89.html.Google Scholar
- [NR97]M. Naor and O. Reingold. On the construction of pseudo-random permutations: Luby-Rackoff revisited. In 38th Annual Symp. on Foundations of Computer Science (FOCS), 1997.Google Scholar
- [NY90]M. Naor and M. Yung. Public-key cryptosytems provably secure against chosen ciphertext attack. In Proceedings of the twenty second annual ACM Symp. Theory of Computing, STOC, pages 427–437, May 14–16, 1990.Google Scholar
- [PS96]D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology-Eurocrypt '96, pages 387–398, Zaragoza, Spain, May 11–16, 1996. Springer-Verlag.Google Scholar
- [RS92]C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology-Crypto '91 (LLNCS 576), pages 433–444, Santa Barbara, CA, 1992. Springer-Verlag.Google Scholar
- [SS98]K. Sakurai and H. Shizuya. Relationships among the computational powers of breaking discrete log cryptosystems. Journal of Cryptology, 1998. To appear.Google Scholar
- [TY97]Y. Tsiounis and M. Yung. The semantic security of El Gamal encryption is equivalent to the decision Diffie-Hellman. Technical Report, GTE Laboratories Inc., May 1997.Google Scholar
- [Zhe97]Y. Zheng. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost(signature) + cost (encryption). In B. Kaliski, editor, Advances in Cryptology-Crypto '97 (Lecture Notes in Computer Science 1294), pages 165–179, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar