On the security of ElGamal based encryption

  • Yiannis Tsiounis
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1431)

Abstract

The ElGamal encryption scheme has been proposed several years ago and is one of the few probabilistic encryption schemes. However, its security has never been concretely proven based on clearly understood and accepted primitives. Here we show directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification. In addition, we show that the opposite direction holds, i.e., the semantic security of the ElGamal encryption is actually equivalent to the decision Diffie-Hellman problem. We also present an exact analysis of the efficiency of the reduction.

Next we present additions on ElGamal encryption which result in non-malleability under adaptive chosen plaintext attacks. Non-malleability is equivalent to the decision Diffie-Hellman assumption, the existence of a random oracle (in practice a secure hash function) or a trusted beacon (as needed for the Fiat-Shamir argument), and one assumption about the unforgeability of Schnorr signatures. Our proof employs the tool of message awareness.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [Bea96]
    D. Beaver. Plausible deniability. In Advances in Cryptology — PraguoCrypt '96 Proceedings, Prague, Czech Republic, 1996.Google Scholar
  2. [Bea97]
    D. Beaver. Plug and play cryptography. In Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar
  3. [BGM93]
    E. F. Brickell, D. Gordon, and K. S. McCurley. Fast exponentiation with precomputation. In Advances in Cryptology — Eurocrypt '92, Proceedings (Lecture Notes in Computer Science 658). Springer-Verlag, 1993.Google Scholar
  4. [BR94]
    M. Bellare and P. Rogaway. Optimal assymetric encryption — how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology, Proc. of Eurocrypt '94, (Lecture notes in Computer Science Volume 950), Perugia, Italy, May 9–12 1994. Springer-Verlag.Google Scholar
  5. [BR97]
    M. Bellare and P. Rogaway. Minimizing the use of random oracles in authenticated encryption schemes. In ISICS '97, 1997.Google Scholar
  6. [Can97]
    R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In B. Kaliski, editor, Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, pages 455–469, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar
  7. [CS98]
    R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, 1998. Preprint. Available at http://www.cs.wisc.edu/ shoup/papers/.Google Scholar
  8. [Dam91]
    I. B. Damgård. Towards practical public key systems against chosen ciphertext attacks. In J. Feigenbaum, editor, Advances in Cryptology, Proc. of Crypto '91 (Lecture Notes in Computer Science 576), pages 445–456. Springer-Verlag, 1991.Google Scholar
  9. [DDN91]
    O. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In Proceedings of the 23rd Symposium on Theory of Computing, ACM STOC, 1991.Google Scholar
  10. [ElG85]
    T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31:469–472, 1985.MATHCrossRefMathSciNetGoogle Scholar
  11. [ElG98]
    T. ElGamal, January 1998. Personal communication.Google Scholar
  12. [FS87]
    A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer Science 263), pages 186–194. Springer-Verlag, 1987. Santa Barbara, CA, August 11–15.Google Scholar
  13. [FTY96]
    Y. Frankel, Y. Tsiounis, and M. Yung. Indirect discourse proofs: achieving fair off-line e-cash. In Advances in Cryptology, Proc. of Asiacrypt '96 (Lecture Notes in Computer Science 1163), pages 286–300, Kyongju, South Korea, November 3–7 1996. Springer-Verlag, http://yiannis.home.ml.org/pubs.htmlGoogle Scholar
  14. [GM84]
    S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, April 1984.CrossRefMathSciNetGoogle Scholar
  15. [Gol89]
    O. Goldreich. Foundations of cryptography, 1989. Class notes. Available at http://www.wisdom.weizmann.ac.il/people/homepages/oded/ln89.html.Google Scholar
  16. [Gol93]
    O. Goldreich. A uniform-complexity treatment of encryption and zero-knowledge. Journal of Cryptology, 6(1):21–53, 1993.MATHMathSciNetGoogle Scholar
  17. [MRS88]
    S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal of Computing, 17:412–426, 1988.CrossRefMathSciNetGoogle Scholar
  18. [NR97]
    M. Naor and O. Reingold. On the construction of pseudo-random permutations: Luby-Rackoff revisited. In 38th Annual Symp. on Foundations of Computer Science (FOCS), 1997.Google Scholar
  19. [NY90]
    M. Naor and M. Yung. Public-key cryptosytems provably secure against chosen ciphertext attack. In Proceedings of the twenty second annual ACM Symp. Theory of Computing, STOC, pages 427–437, May 14–16, 1990.Google Scholar
  20. [PS96]
    D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology-Eurocrypt '96, pages 387–398, Zaragoza, Spain, May 11–16, 1996. Springer-Verlag.Google Scholar
  21. [RS92]
    C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology-Crypto '91 (LLNCS 576), pages 433–444, Santa Barbara, CA, 1992. Springer-Verlag.Google Scholar
  22. [Sch91]
    C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.MATHCrossRefMathSciNetGoogle Scholar
  23. [SS98]
    K. Sakurai and H. Shizuya. Relationships among the computational powers of breaking discrete log cryptosystems. Journal of Cryptology, 1998. To appear.Google Scholar
  24. [TY97]
    Y. Tsiounis and M. Yung. The semantic security of El Gamal encryption is equivalent to the decision Diffie-Hellman. Technical Report, GTE Laboratories Inc., May 1997.Google Scholar
  25. [Zhe97]
    Y. Zheng. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost(signature) + cost (encryption). In B. Kaliski, editor, Advances in Cryptology-Crypto '97 (Lecture Notes in Computer Science 1294), pages 165–179, Santa Barbara, CA, August 17–21 1997. Springer-Verlag.Google Scholar
  26. [ZS93]
    Y. Zheng and J. Seberry. Immunizing public key cryptosystems against chosen ciphertext attacks. IEEE Journal on Selected Areas in Communications, 11(5):715–724, June 1993.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Yiannis Tsiounis
    • 1
  • Moti Yung
    • 2
  1. 1.GTE Laboratories Inc.Waltham
  2. 2.CertCoNY

Personalised recommendations